RE: Re: Re: User Management


#1

Just out of curiosity, do you know if ohai actually scans the file, or uses the getpwent utility or API to do it?

The difference is that getpwent would also pick up users coming from Active Directory, LDAP etc., depending on your nsswitch.conf configuration.

Kevin Keane

The NetTech

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html

-----Original message-----
From: Daniel DeLeo dan@kallistec.com
Sent: Wednesday 25th March 2015 10:22
To: chef@lists.opscode.com
Subject: [chef] Re: Re: User Management

On Wednesday, March 25, 2015 at 8:02 AM, ANGELA EBIRIM wrote:

Hi,

Does anyone know how to extract the list of current users on a node?

I’ve been interrogating the OHAI attributes of a node (I’m sure it would be a node attribute) but can’t find it.

Many thanks

Ohai fetches the data as etc/passwd, i.e., it should be under node["etc"]["passwd"].

BTW, you can just run ohai on the command line to see all the data it produces. It’s quite a lot but you can scan it to find the data you’re looking for. You can also filter the command line output by passing the path to the attributes you want if you know them, e.g., ohai etc/passwd prints just the passwd data.

HTH,


Daniel DeLeo


#2

On Wednesday, March 25, 2015 at 11:49 AM, Kevin Keane Subscription wrote:

RE: [chef] Re: Re: User Management
Just out of curiosity, do you know if ohai actually scans the file, or uses the getpwent utility or API to do it?
The difference is that getpwent would also pick up users coming from Active Directory, LDAP etc., depending on your nsswitch.conf configuration.
Kevin Keane
The NetTech

Uses Ruby’s Etc module which uses the system calls to get the data. So it will have AD/LDAP users if those are configured. For this reason, it’s common to disable the plugin in those environments. Ideally we could find a more elegant solution to that but there’s kind of a sharp divide between users who like to have all ohai data available for search, etc. vs. those who’d prefer a more opt-in approach, plus there are compatibility concerns.


Daniel DeLeo
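
The difference described in the reply above, as an added example (not code from this thread or from Ohai itself): it compares the account names Ruby's Etc module returns through getpwent/NSS with the entries parsed from the passwd file, so you can see how many directory-sourced accounts would end up in node data. The helper names and the SAMPLE_* data are constructed for illustration.

```ruby
require "etc"

# Parse passwd(5)-format text into { name => uid }. Comments, blank lines and
# NIS compat markers (+/-) are skipped: they are not local accounts.
def parse_passwd(text)
  text.scrub.each_line.with_object({}) do |line, users|
    line = line.strip
    next if line.empty? || line.start_with?("#", "+", "-")
    fields = line.split(":", -1)
    next unless fields.size == 7 && fields[2].match?(/\A\d+\z/)
    users[fields[0]] ||= fields[2].to_i # first entry wins on duplicates
  end
end

# Names that NSS resolves but the local file does not contain,
# i.e. accounts supplied by LDAP, AD/sssd, NIS and similar sources.
def directory_only(nss_names, local_users)
  nss_names.uniq.reject { |name| local_users.key?(name) }.sort
end

# Every name getpwent(3) enumerates, via Ruby's Etc module.
def nss_names
  names = []
  Etc.passwd { |entry| names << entry.name }
  names
end

# Constructed sample data (not taken from a real host).
SAMPLE_PASSWD = <<~PASSWD
  # local accounts
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  deploy:x:1001:1001::/home/deploy:/bin/bash
  +::::::
PASSWD
SAMPLE_NSS = %w[root daemon deploy jdoe asmith jdoe].freeze

if __FILE__ == $PROGRAM_NAME
  path = "/etc/passwd"
  text = File.readable?(path) ? File.read(path) : SAMPLE_PASSWD
  local = parse_passwd(text)
  extra = directory_only(nss_names, local)
  puts "entries in passwd file:      #{local.size}"
  puts "entries only visible via NSS: #{extra.size}"
  extra.first(10).each { |name| puts "  #{name}" }
end
```

A large "only visible via NSS" count on a directory-joined host is the amount of account data the passwd plugin would collect and send to the Chef server on every run.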


#3

LDAP issue has been around for a long time:

https://tickets.opscode.com/browse/OHAI-165

Would love to see someone in the community submit an RFC to get everyone
to agree to change the default behavior of the Ohai plugin to only
enumerate the /etc/{passwd,group,shadow} files themselves directly (on
most Unixen that use those files) and to only opt-in to the Etc behavior
of enumerating LDAP. I’m saturated and backed up on RFC TODOs as it is.
