Issue #14269 has been updated by Daniel Pittman.

Status changed from Unreviewed to Rejected

Unfortunately, having duplicate records returned by NSS, which is what you have here, is firmly in the realm of "undefined behaviour". Various implementations across platforms will return the first, return the last, or return a merge of data from the various sources. In this case you are seeing the last, and Puppet is correctly working to correct that.

We can't fix this. We don't have the visibility inside the NSS abstraction to understand what is wrong, or how to make it better.

You will have to either remove the duplicates by hand, or otherwise fix the broken software. Puppet can't be "fixed" in this regard.

----------------------------------------
Bug #14269: Duplicate Group Membership with LDAP
https://projects.puppetlabs.com/issues/14269#change-62199

Author: Thomas Kishel
Status: Rejected
Priority: Normal
Assignee:
Category: user
Target version:
Affected Puppet version: 2.7.1
Keywords: Groups LDAP
Branch:

User accounts are stored in LDAP, but we also implement local accounts. Once bound to LDAP, Puppet misinterprets local group membership for local accounts, reconfiguring group membership every time.

Prior to binding to LDAP

<pre>
# id webadm
uid=1001(webadm) gid=1001(webadm) groups=1001(webadm),27(sudo)
# groups webadm
webadm : webadm sudo
# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(webadm)
# groups www-data
www-data : www-data webadm
</pre>

After binding to LDAP

<pre>
# id webadm
uid=1001(webadm) gid=1001(webadm) groups=1001(webadm),27(sudo)
# groups webadm
webadm : webadm sudo
# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(webadm)
# groups www-data
www-data : www-data webadm
</pre>

Note, they remain the same. Yet, every run ...

<pre>
puppet-agent[8818]: (/Stage[main]/Users::Www_data/User[www-data]/groups) groups changed 'webadm,webadm' to 'webadm'
puppet-agent[8818]: (/Stage[main]/Users::Webadm/User[webadm]/groups) groups changed 'sudo,sudo,www_edit,www_images' to 'sudo,www_edit,www_images'
</pre>

The relevant manifest follows.
<pre><code class="ruby">
class users::webadm {
  user { 'webadm':
    ensure     => present,
    uid        => 1001,
    gid        => 'webadm',
    groups     => ['sudo'],
    membership => minimum,
  }
}

class users::www_data {
  user { 'www-data':
    membership => minimum,
    groups     => 'webadm',
  }
}
</code></pre>

This is related to Issue #3748 and Issue #3159 but the provider is (and should be) useradd, not ldap.
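
Added example, not part of the original ticket and not Puppet's code: one way to find the duplicate records the reply says must be removed by hand, by parsing group(5)-format text such as the output of `getent group`. It assumes memberships are collected by walking every group record the enumeration returns; the sample records and all function names are constructed for illustration.

```ruby
# Added example: spot group records that NSS enumeration returns twice.
# Input is group(5) text (name:passwd:gid:members), e.g. from `getent group`.
GroupEntry = Struct.new(:name, :gid, :members)

# Parse group(5) lines, skipping blanks, comments and malformed records.
def parse_group_lines(text)
  text.each_line.map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    name, _passwd, gid, members = line.split(':', 4)
    next unless name && !name.empty? && gid.to_s.match?(/\A\d+\z/)
    GroupEntry.new(name, gid.to_i, (members || '').split(',').map(&:strip).reject(&:empty?))
  end.compact
end

# Group names that appear in more than one record, with the GIDs seen for each.
def duplicate_groups(entries)
  entries.group_by(&:name)
         .select { |_name, recs| recs.size > 1 }
         .transform_values { |recs| recs.map(&:gid).uniq }
end

# Per user, the groups a record-by-record walk would list more than once
# (the 'webadm,webadm' pattern in the agent log above).
def repeated_memberships(entries)
  counts = Hash.new { |h, user| h[user] = Hash.new(0) }
  entries.each { |e| e.members.uniq.each { |user| counts[user][e.name] += 1 } }
  counts.each_with_object({}) do |(user, per_group), out|
    dups = per_group.select { |_group, n| n > 1 }.keys.sort
    out[user] = dups unless dups.empty?
  end
end

# Constructed sample: local records followed by the same groups served again
# from a second source, as a merged enumeration could return them.
SAMPLE = <<~GROUPS
  sudo:x:27:webadm
  www-data:x:33:
  webadm:x:1001:www-data
  sudo:*:27:webadm
  webadm:*:1001:www-data
  www_edit:*:2001:webadm
GROUPS

if __FILE__ == $PROGRAM_NAME
  entries = parse_group_lines(SAMPLE)
  duplicate_groups(entries).each { |name, gids| puts "duplicate group #{name} (gids #{gids.join(',')})" }
  repeated_memberships(entries).each { |user, groups| puts "#{user}: listed twice in #{groups.join(',')}" }
end
```

A group name reported with more than one GID means the sources disagree about the group itself, which is worth resolving before anything else.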
