Issue #5608 has been updated by James Turnbull.

Target version set to 2.6.x


----------------------------------------
Bug #5608: Puppet shouldn't enumerate LDAP users for local user unmanaged 
resource purge
https://projects.puppetlabs.com/issues/5608

Author: Sean Millichamp
Status: Ready for Testing
Priority: Normal
Assignee: Sean Millichamp
Category: user
Target version: 2.6.x
Affected Puppet version: 2.6.4
Keywords: 
Branch: https://github.com/seanmil/puppet/tree/ticket/2.6.x/5608


When using:

resources { 'user':
  purge => true
}

in a Puppet configuration not set up for LDAP management (intentionally) it is 
using the system getent functions via listbyname() (inherited from 
lib/puppet/provider/nameservice.rb) which nevertheless lists all the LDAP users 
because they show in the getent database via nsswitch.

This causes a number of problems in my situation:

1) The LDAP tree is large enough that Puppet can't complete in a reasonable 
amount of time when it has to list all of the users in LDAP
2) Puppet will see users it can't delete
3) Even if it could delete those users, I only want to use Puppet to manage 
just the local users

Based on my reading of the code, if Puppet is being used to manage LDAP users 
the ldap.rb provider manages that itself and doesn't require use of getpwent in 
nameservice.rb.

The workaround I used is by overriding the listbyname() function in a custom 
provider (which inherits from useradd) to look for users in /etc/passwd. It 
seems like it would be safe to just modify the listbyname() function in 
nameservice.rb to look directly in /etc/passwd but I am not certain what else 
that might impact.
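
The distinction drawn in the report, between accounts defined in the local passwd file and everything an NSS enumeration returns, is shown here as an added example. It is not Puppet's code and not the reporter's custom provider; the function names, the sample passwd text and the sample NSS name list are all constructed for illustration.

```ruby
# Added example, not Puppet code. Restricts purge candidates to accounts that
# are defined in passwd(5)-format text rather than whatever NSS enumerates.

# Constructed sample standing in for the contents of /etc/passwd.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  # comment lines and blank lines are skipped

  deploy:x:1001:1001::/home/deploy:/bin/bash
  olduser:x:1002:1002::/home/olduser:/bin/bash
  +@ldapusers::::::
  broken-line-without-fields
PASSWD

# Constructed stand-in for an NSS enumeration when nsswitch.conf lists both
# files and ldap: local and directory accounts arrive mixed together.
SAMPLE_NSS_NAMES = %w[root deploy olduser alice.ldap bob.ldap].freeze

# Return the account names defined in passwd-format text.
def local_user_names(passwd_text)
  names = passwd_text.each_line.map do |line|
    line = line.chomp
    next if line.empty? || line.start_with?('#')
    next if line.start_with?('+', '-')   # NIS/compat include and exclude entries
    fields = line.split(':', -1)
    next unless fields.length == 7       # passwd(5) entries have seven fields
    fields[0] unless fields[0].empty?
  end
  names.compact
end

# Split enumerated names into purge candidates (unmanaged and local) and
# names left alone because they come from another NSS source.
def purge_plan(enumerated, managed, local)
  unmanaged = enumerated - managed
  { purge: unmanaged & local, skipped_non_local: unmanaged - local }
end

if __FILE__ == $PROGRAM_NAME
  local = local_user_names(SAMPLE_PASSWD)
  plan = purge_plan(SAMPLE_NSS_NAMES, %w[root deploy], local)
  puts "local accounts:    #{local.join(', ')}"
  puts "would purge:       #{plan[:purge].join(', ')}"
  puts "skipped (not local): #{plan[:skipped_non_local].join(', ')}"
end
```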

