Issue #5608 has been updated by Daniel Pittman.
Jesse Wolfe wrote:

> […]
> 2) There's a design question about whether parsing files in /etc/ is really
> "correct" - it might make more sense to supplement the information returned
> by getent with metadata about whether the user is locally deletable

Other than total guesswork, it isn't actually possible for us to determine that ahead of time, only when we try and perform the operation.

For example, it would be possible for some-but-not-all of the Active Directory integrated systems I ran to delete somewhat varying sets of users "remotely" using the appropriate local tools, at a site a few years back. (Specifically, different machines in different "divisions" had different security rules; our adduser and deluser tools were configured appropriately to be able to delete things in the AD data store.)

The same is true of LDAP, NIS, and various other unconventional data stores. (eg: pam-mysql could totally replace /etc/passwd, but entirely preserve the ability to delete users using the same API.)

So, I would suggest that this is impossible to satisfy except in limited circumstances, and doing so would require bypassing the NSS service entirely to determine that metadata. Plus, on a non-trivial number of platforms we don't even have that rich a view of providers. (eg: Win32).

If we do accept something like this, it would need to be done in a way that it was optional, and non-default, to ensure that we don't stop working for configurations that don't match that specific set of assumptions.
----------------------------------------
Bug #5608: Puppet shouldn't enumerate LDAP users for local user unmanaged resource purge
https://projects.puppetlabs.com/issues/5608

Author: Sean Millichamp
Status: Code Insufficient
Priority: Normal
Assignee: Sean Millichamp
Category: user
Target version: 2.6.x
Affected Puppet version: 2.6.4
Keywords:
Branch: https://github.com/seanmil/puppet/tree/ticket/2.6.x/5608

When using:

    resources { 'user': purge => true }

in a Puppet configuration not set up for LDAP management (intentionally), it is using the system getent functions via listbyname() (inherited from lib/puppet/provider/nameservice.rb), which nevertheless lists all the LDAP users because they show in the getent database via nsswitch.

This causes a number of problems in my situation:

1) The LDAP tree is large enough that Puppet can't complete in a reasonable amount of time when it has to list all of the users in LDAP
2) Puppet will see users it can't delete
3) Even if it could delete those users, I only want to use Puppet to manage just the local users

Based on my reading of the code, if Puppet is being used to manage LDAP users the ldap.rb provider manages that itself and doesn't require use of getpwent in nameservice.rb.

The workaround I used is to override the listbyname() function in a custom provider (which inherits from useradd) to look for users in /etc/passwd. It seems like it would be safe to just modify the listbyname() function in nameservice.rb to look directly in /etc/passwd, but I am not certain what else that might impact.
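The local-only enumeration that the ticket's workaround relies on, written out as an added example (not code from the ticket, its linked branch, or Puppet itself). It parses passwd(5)-format text directly instead of walking the NSS database, so LDAP, NIS or other nsswitch-merged accounts never appear; `local_user_names`, `local_users_from_file`, `nss_user_names` and the sample file contents are all constructed here. Wiring the result into a provider's `listbyname`, as the reporter did in a subclass of useradd, is left as described in the ticket.

```ruby
require 'etc'

# Parse /etc/passwd-style text and return the user names it defines.
# Only the file contents are consulted, so accounts that nsswitch would
# merge in from LDAP, NIS or other NSS sources are never enumerated.
# Comment lines, blank lines and entries without the seven colon-separated
# fields of passwd(5) are skipped rather than raising.
def local_user_names(passwd_text)
  passwd_text.each_line.map(&:chomp).each_with_object([]) do |line, names|
    next if line.empty? || line.start_with?('#')
    fields = line.split(':', -1)
    # passwd(5): name:password:UID:GID:GECOS:directory:shell
    next unless fields.length == 7 && !fields[0].empty?
    names << fields[0]
  end
end

# Read the real file; the path is a parameter so tests can point it elsewhere.
def local_users_from_file(path = '/etc/passwd')
  local_user_names(File.read(path))
end

# Constructed sample input: a small /etc/passwd with a comment, a blank line
# and a truncated entry mixed in.
SAMPLE_PASSWD = <<~PASSWD
  # local accounts only; LDAP users are not in this file
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

  puppet:x:998:998:Puppet:/var/lib/puppet:/usr/sbin/nologin
  broken:x:1000
PASSWD

# For comparison: the NSS-backed enumeration (what getpwent/Etc returns),
# which includes every LDAP or NIS user visible through nsswitch. Not used by
# the local-only path; shown so the two sets can be diffed on a real host.
def nss_user_names
  names = []
  Etc.passwd { |ent| names << ent.name }
  names
end

if __FILE__ == $PROGRAM_NAME
  puts local_user_names(SAMPLE_PASSWD).inspect
  # On a host with LDAP in nsswitch.conf the difference is exactly the remote users:
  # puts (nss_user_names - local_users_from_file).inspect
end
```

Running the file prints the three local names from the sample and skips the malformed `broken` entry; on a host whose nsswitch.conf lists ldap or nis, the commented-out diff shows which accounts a purge driven by getent would have tried to remove.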
