Check if a user exists?


#1

Hello

We’re using an IPA server (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html) to store user accounts and such, and Ubuntu clients with FreeIPA (http://www.freeipa.org/page/Main_Page) to access this. I would now like to do something, based on the existence of a user account in IPA.

How can I check if a user exists?

On Stack Overflow (http://stackoverflow.com/questions/28094558/chef-users-resource-check-if-exists/28094692#28094692), I found this:

Ohai queries the users on the system for you:

if node['etc']['passwd']['random']
  # Do deploy
end

But this only works with local accounts; it does not work with accounts in
IPA. In our nsswitch.conf, there’s:

$ grep passwd /etc/nsswitch.conf
passwd: files sss

With getent, I can query accounts.

$ getent passwd ask
ask:*:10000:10000:Alexander Skwar:/home/ask:/usr/bin/zsh
$ getent passwd example-does-not-exist
$ getent passwd local
local:x:1000:1000::/home/local:/bin/zsh

“ask” is stored in IPA; “example-does-not-exist” is a non-existent account; “local” is a user from /etc/passwd.

But node['etc']['passwd']['ask'] is nil, and node['etc']['passwd']['local'] is not nil.

How can I check if a user exists? Do I really have to resort to calling
getent?

Thanks,
Alexander


#2

Just use ohai !!!

Ohai gathers up all system users:

knife search 'name:my-server' -a etc.passwd.root.uid -a etc.passwd.root.gid

my-server:
  etc.passwd.root.gid: 0
  etc.passwd.root.uid: 0

On Wed, Sep 23, 2015 at 10:15 AM, Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote:



Barthélemy Vessemont - bvessemont@gmail.com
Computer engineer, graduate of UTC (Compiègne)
Chef contributor (redguide@github)


#3

Hi

I don’t have knife, I’m using chef-solo. Should’ve mentioned this, sorry :confused:

Well, but, no. For local users, Ohai seems usable (→ “And node['etc']['passwd']['local'] is not nil.”). node['etc']['passwd']['root'] returns “something”.

But for non-local users (which are in sssd), Ohai doesn’t seem to work. As I said, for users stored in IPA, I get nil (→ “But node['etc']['passwd']['ask'] is nil”) when I check node['etc']['passwd']['ipa-username'].

What’s the correct way to check if a user exists, if the user isn’t local?

Regards,
Alexander

2015-09-23 14:13 GMT+02:00 Barthélemy Vessemont <bvessemont@gmail.com>:


Alexander

=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==


#4

Ohai uses Ruby’s Etc.passwd (https://github.com/chef/ohai/blob/master/lib/ohai/plugins/passwd.rb) to get user data, which should include other sources that are in nsswitch.

I know that Ohai includes external sources because it’s very common for people with LDAP enabled to disable that particular Ohai plugin (since by default it’ll load your whole directory and store it in the node data).

There is, however, an issue when nsswitch changes after the Chef run has started. Because of a limitation in the underlying C library, those changes don’t get picked up by already running processes (https://tickets.opscode.com/browse/CHEF-3780). Perhaps that’s your issue here?

Matt Moretti

On Wed, Sep 23, 2015 at 8:52 AM, Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote:



#5

With LDAP-backed authentication I was able to do this with:

if node["etc"]["passwd"].attribute?("username")

Ohai would still list every LDAP user/group in the ['etc']['passwd'] section. I haven’t used IPA so I’m not sure if it does the same.

If not you could do something like:

if system("getent passwd username")
  chef_stuff do
    ...
  end
end

or really, more correctly:

deploy "code" do
  # some attributes
  only_if "getent passwd username"
end

On Wed, Sep 23, 2015 at 9:50 AM Matthew Moretti <werebus@gmail.com> wrote:



#6

Hi Matthew

Okay, Etc.passwd works:

$ irb
irb(main):001:0> require "etc"
=> true
irb(main):002:0> Etc.getpwnam("ask")
=> #<struct Struct::Passwd name="ask", passwd="*", uid=10000, gid=10000, gecos="Alexander Skwar", dir="/home/ask", shell="/usr/bin/zsh">

That is from IPA. But Ohai doesn’t. I suppose it is because e.g. “getent passwd” (no further arguments) also doesn’t list ALL accounts. “getent passwd foo” returns the data for the user “foo”, even if it is in IPA (or sss, for that matter).

I’m not changing nsswitch after the chef run has started.

Best regards,
Alexander

2015-09-23 15:49 GMT+02:00 Matthew Moretti <werebus@gmail.com>:


Alexander

=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==


#7

Hi John

Ohai does not list every SSS user/group in the ['etc']['passwd'] or ['group'] section. That’s why I’m asking :wink: I tried this:

“ask” is stored in IPA; “example-does-not-exist” is a non-existent account; “local” is a user from /etc/passwd.

But node['etc']['passwd']['ask'] is nil, and node['etc']['passwd']['local'] is not nil.

I now have it so that I put all the things which require IPA in "abc-ipa" recipes. And if IPA isn’t available, I’m removing those recipes from the run list:

ruby_block 'Entferne -ipa recipes von der run list, falls IPA noch NICHT initialisiert wurde' do
  block do
    # Collect the matching items first, then remove them: deleting from the
    # run list while iterating over it would skip entries. Each item is a
    # RunListItem, so the recipe name is reached through #name.
    ipa_items = node.run_list.select { |run_list_item| run_list_item.name.end_with?("-ipa") }
    ipa_items.each { |run_list_item| node.run_list.remove(run_list_item) }
  end # of block do

  # check if a user can be found, which only exists in IPA
  not_if "getent passwd _ipa-check"
end # of ruby_block 'Entferne -ipa recipes von der run list, falls IPA noch NICHT initialisiert wurde' do

Not elegant…

Regards
Alexander

2015-09-23 16:09 GMT+02:00 John Rowe <jdrowe@gmail.com>:


Alexander

=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==
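The difference Alexander describes in #6 (Ohai fills node['etc']['passwd'] by enumerating with Etc.passwd, while a direct Etc.getpwnam lookup goes through every source in nsswitch.conf) and the getent guard he ends up with in #7, as an added example that is not code from the thread or from Ohai: a small Ruby helper that does the direct lookup, returns a boolean usable in a Chef block guard, and lists the names that resolve but never appear in enumeration. It assumes a Linux host with a working nsswitch; the account names are the thread's own and the module name AccountLookup is mine.

```ruby
require "etc"

# Added example (not from the thread). Two ways of asking the C library
# "does this user exist?", and why they disagree on an sssd/IPA client.
module AccountLookup
  # Direct lookup: getpwnam(3) consults every source listed for "passwd"
  # in nsswitch.conf (files, then sss), so an IPA user resolves even when
  # it cannot be enumerated. Returns the Etc::Passwd struct or nil.
  def self.lookup(name)
    Etc.getpwnam(name)
  rescue ArgumentError
    # Ruby raises ArgumentError when no source knows the name.
    nil
  end

  # Boolean wrapper, suitable for a Chef block guard, e.g.
  #   not_if { AccountLookup.user_exists?("_ipa-check") }
  def self.user_exists?(name)
    !lookup(name).nil?
  end

  # Enumeration: getpwent(3) walks the database from the start, which is
  # what Ohai's passwd plugin does. sssd does not enumerate by default
  # (enumerate = false in sssd.conf), so directory users are missing here.
  def self.enumerated_names
    names = []
    Etc.passwd { |entry| names << entry.name }
    names
  end

  # Names that resolve by direct lookup but are absent from enumeration:
  # exactly the accounts for which node['etc']['passwd'][name] is nil even
  # though `getent passwd name` succeeds.
  def self.missing_from_enumeration(candidates)
    seen = enumerated_names
    candidates.select { |n| user_exists?(n) && !seen.include?(n) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Names taken from the thread; "_ipa-check" is the sentinel account the
  # original poster keeps only in IPA. On a host without IPA they will
  # simply report "not found".
  %w[root ask _ipa-check example-does-not-exist].each do |name|
    pw = AccountLookup.lookup(name)
    puts pw ? "#{name}: uid=#{pw.uid} dir=#{pw.dir}" : "#{name}: not found"
  end
  puts "directory-only: #{AccountLookup.missing_from_enumeration(%w[ask _ipa-check]).inspect}"
end
```

On the IPA client from the thread, "ask" is expected to show up under directory-only while "root" is not; on a machine with only local accounts the list is empty.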