RE: Re: RE: Help..(NOT Fixed!) ohai doesn't reflect ldap users after ldap config in first chef run


#1

I think… The Etc.endgrent and Etc.pwent deal with the /etc/passwd and
/etc/group and does not affect LDAP. So calling the ruby block to
"reset the group list" isn’t helping where the ldap accounts are
concerned.

Anyone have any ideas?
Randy

-----Original Message-----
From: Van Fossan,Randy
Sent: Thursday, March 22, 2012 9:50 AM
To: chef@lists.opscode.com
Subject: RE: [chef] Re: RE: Help…(NOT Fixed!) ohai doesn’t reflect ldap
users after ldap config in first chef run

I tried the solutions referred to in the ticket and it still did not
help. I will keep searching…

I added this to my ldap cookbook
ohai “reload_passwd” do
action :nothing

plugin “passwd”

end

fixes CHEF-1699

ruby_block “reset group list” do
block do
Etc.endgrent
Etc.endpwent
end
action :nothing
end

Install the template

template “/etc/ldap.conf” do
source "ldap.conf.erb"
owner "root"
group "root"
mode 0644
notifies :create, “ruby_block[reset group list]”, :immediately
notifies :reload, resources(:ohai => “reload_passwd”), :immediately
end

In Nagios cookbook… (Still fails on the nagacct) remote_directory
node[‘nagios’][‘plugin_dir’] do
source "plugins"
owner "nagacct"
group "nagacct"
mode 0755
files_mode 0755
purge true
notifies :restart, “service[xinetd]”, :delayed end

-----Original Message-----
From: Joshua Miller [mailto:jassinpain@gmail.com]
Sent: Thursday, March 22, 2012 12:33 AM
To: chef@lists.opscode.com
Cc: chef@lists.opscode.com
Subject: [chef] Re: RE: Help…(NOT Fixed!) ohai doesn’t reflect ldap
users after ldap config in first chef run

Not sure if this helps as your OS is not listed but might want to have a
look.

http://tickets.opscode.com/browse/CHEF-1699?page=com.atlassian.jira.plug
in.system.issuetabpanels:comment-tabpanel&focusedCommentId=16783#comment
-16783

On Mar 21, 2012, at 8:35 PM, “Van Fossan,Randy” vanfossr@oclc.org
wrote:

can’t find user for nagacct


#2

I worked around this by calling getent passwd for specific users in a
ruby block or some such. It’s hacky, but it worked for my particular
scenario.

Yvonne

On Thu, Mar 22, 2012 at 9:08 AM, Van Fossan,Randy vanfossr@oclc.org wrote:

I think… The Etc.endgrent and Etc.pwent deal with the /etc/passwd and
/etc/group and does not affect LDAP. So calling the ruby block to
"reset the group list" isn’t helping where the ldap accounts are
concerned.

Anyone have any ideas?
Randy

-----Original Message-----
From: Van Fossan,Randy
Sent: Thursday, March 22, 2012 9:50 AM
To: chef@lists.opscode.com
Subject: RE: [chef] Re: RE: Help…(NOT Fixed!) ohai doesn’t reflect ldap
users after ldap config in first chef run

I tried the solutions referred to in the ticket and it still did not
help. I will keep searching…

I added this to my ldap cookbook
ohai “reload_passwd” do
action :nothing

plugin “passwd”

end

fixes CHEF-1699

ruby_block “reset group list” do
block do
Etc.endgrent
Etc.endpwent
end
action :nothing
end

Install the template

template “/etc/ldap.conf” do
source "ldap.conf.erb"
owner "root"
group "root"
mode 0644
notifies :create, “ruby_block[reset group list]”, :immediately
notifies :reload, resources(:ohai => “reload_passwd”), :immediately
end

In Nagios cookbook… (Still fails on the nagacct) remote_directory
node[‘nagios’][‘plugin_dir’] do
source "plugins"
owner "nagacct"
group "nagacct"
mode 0755
files_mode 0755
purge true
notifies :restart, “service[xinetd]”, :delayed end

-----Original Message-----
From: Joshua Miller [mailto:jassinpain@gmail.com]
Sent: Thursday, March 22, 2012 12:33 AM
To: chef@lists.opscode.com
Cc: chef@lists.opscode.com
Subject: [chef] Re: RE: Help…(NOT Fixed!) ohai doesn’t reflect ldap
users after ldap config in first chef run

Not sure if this helps as your OS is not listed but might want to have a
look.

http://tickets.opscode.com/browse/CHEF-1699?page=com.atlassian.jira.plug
in.system.issuetabpanels:comment-tabpanel&focusedCommentId=16783#comment
-16783

On Mar 21, 2012, at 8:35 PM, “Van Fossan,Randy” vanfossr@oclc.org
wrote:

can’t find user for nagacct


#3

Hi Yvonne,

On Fri, Mar 23, 2012 at 9:45 AM, Yvonne Lam yvonne.z.lam@gmail.com wrote:

I worked around this by calling getent passwd for specific users in a ruby
block or some such. It’s hacky, but it worked for my particular scenario.

Do you have an example block that works? We’ve had this issue for
awhile and have been living with it by double bootstrapping systems,
but it’s a show stopper when using Vagrant.

-J


#4

Hi Jason,

Sure, here’s a gist: https://gist.github.com/2476162

Because I’m using a data bag for authorized keys, this happens to be a case
where it’s natural to have the username in ldap and in chef. Depending on
how you want to manage system users with respect to ldap, your mileage may
vary.

Relevant to the thread as a whole, but not necessarily to your question: A
colleague who has dealt with this particular issue quite a bit believes
that the behavior of ohai with respect to ldap bootstrap is a *nix-ism, in
that if it were to do otherwise, it would break rules about what one can
and cannot change in a running process, i.e. going from getting user data
from files on local disk to getting it from a service that requires
different libraries and shared objects and so forth requires starting a new
process. I’m mentioning this because if this is indeed true (sounds
plausible, haven’t looked into it, happy to be proven wrong), then we all
probably need to get used to double bootstrap or starting new processes in
shell/ruby blocks or having chef create users in ldap…

Yvonne

On Mon, Apr 23, 2012 at 4:54 PM, Jason J. W. Williams <
jasonjwwilliams@gmail.com> wrote:

Hi Yvonne,

On Fri, Mar 23, 2012 at 9:45 AM, Yvonne Lam yvonne.z.lam@gmail.com
wrote:

I worked around this by calling getent passwd for specific users in a
ruby
block or some such. It’s hacky, but it worked for my particular
scenario.

Do you have an example block that works? We’ve had this issue for
awhile and have been living with it by double bootstrapping systems,
but it’s a show stopper when using Vagrant.

-J