Gettings users from ldap instead of databag


#1

Hi all,

this might be a faq, please forgive me.

I do encounter more and more cookbooks which get user-definitions from a
databag. I like the idea of a central user database but I like it so much I
implemented ldap to store users and groups.

Now its not a problem telling a system or a service to use ldap (gotta hack
the munin::server for this:).
But one idea some friends here implement in there system is that
authentications except login happen against ldap while login uses local users.
And these local users are rendered from ldap.

Now I would like to make search(:users,…) search the ldap-repo instead of
the users-databag and provide users-from-ldap as a drop-in replacement. That
way its usable for login-users as well as for apache2/etc authentication…

Is there any way to use an ldap-resource as provider for the databag search?
Or should I just hack a script to create the databag from the ldap repo? How
do you guys manage the users databag?

Thanks for your comments,

Arnold


#2

Is there any way to use an ldap-resource as provider for the databag search?
Or should I just hack a script to create the databag from the ldap repo? How
do you guys manage the users databag?

You’ll need to write an LWRP or similar to read from LDAP
directly (perhaps with the Ruby LDAP module). I don’t recommend
trying to keep a databag in synch with LDAP via some script.