Issue #14269 has been reported by Thomas Kishel.

----------------------------------------
Bug #14269: Duplicate Group Membership with LDAP
https://projects.puppetlabs.com/issues/14269

Author: Thomas Kishel
Status: Unreviewed
Priority: Normal
Assignee: 
Category: user
Target version: 
Affected Puppet version: 2.7.1
Keywords: Groups LDAP
Branch: 


User accounts are stored in LDAP, but we also implement local accounts. Once 
bound to LDAP, Puppet misinterprets local group membership for local accounts, 
reconfiguring group membership every time.

Prior to binding to LDAP

    # id webadm
    uid=1001(webadm) gid=1001(webadm) groups=1001(webadm),27(sudo)

    # groups webadm
    webadm : webadm sudo
 
    # id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(webadm)
 
    # groups www-data
    www-data : www-data webadm

After binding to LDAP

    # id webadm
    uid=1001(webadm) gid=1001(webadm) groups=1001(webadm),27(sudo)

    # groups webadm
    webadm : webadm sudo

    # id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(webadm)

    # groups www-data
    www-data : www-data webadm

Note, they remain the same. Yet, every run ...

    puppet-agent[8818]: (/Stage[main]/Users::Www_data/User[www-data]/groups) groups changed 'webadm,webadm' to 'webadm'
    puppet-agent[8818]: (/Stage[main]/Users::Webadm/User[webadm]/groups) groups changed 'sudo,sudo,www_edit,www_images' to 'sudo,www_edit,www_images'

The relevant manifest follows.

<pre><code class="ruby">
class users::webadm {
  user { 'webadm':
    ensure      => present,
    uid         => 1001,
    gid         => 'webadm',
    groups      => ['sudo'],
    membership  => minimum,
  }
}

class users::www_data {
  user { 'www-data':
    membership => minimum,
    groups => 'webadm',
  }
}
</code></pre>

This is related to Issue #3748 and Issue #3159 but the provider is (and should 
be) useradd, not ldap. 

