Issue #14269 has been updated by Thomas Kishel.

Status changed from Rejected to Re-opened

Correcting duplicate records is outside the scope of what I am asking Puppet to 
do, configured via membership => minimum, as in "whether specified groups 
should be considered the complete list (inclusive) or the minimum list 
(minimum) of groups to which the user belongs."

See also: #14245 and #14454. 

Something bothers me about changing `groups.join(",")` to 
`groups.uniq.join(",")` in Puppet::Provider::NameService in nameservice.rb, but 
it works. I'd rather solve this where Puppet is doing the set mathematics 
between the current list of groups and the requested list of groups.


----------------------------------------
Bug #14269: Duplicate Group Membership with LDAP
https://projects.puppetlabs.com/issues/14269#change-62809

Author: Thomas Kishel
Status: Re-opened
Priority: Normal
Assignee: 
Category: user
Target version: 
Affected Puppet version: 2.7.1
Keywords: Groups LDAP
Branch: 


User accounts are stored in LDAP, but we also implement local accounts. Once 
bound to LDAP, Puppet misinterprets local group membership for local accounts, 
reconfiguring group membership every time.

Prior to binding to LDAP

    # id webadm
    uid=1001(webadm) gid=1001(webadm) groups=1001(webadm),27(sudo)

    # groups webadm
    webadm : webadm sudo
 
    # id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(webadm)
 
    # groups www-data
    www-data : www-data webadm

After binding to LDAP

    # id webadm
    uid=1001(webadm) gid=1001(webadm) groups=1001(webadm),27(sudo)

    # groups webadm
    webadm : webadm sudo

    # id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(webadm)

    # groups www-data
    www-data : www-data webadm

Note, they remain the same. Yet, every run ...

    puppet-agent[8818]: (/Stage[main]/Users::Www_data/User[www-data]/groups) groups changed 'webadm,webadm' to 'webadm'
    puppet-agent[8818]: (/Stage[main]/Users::Webadm/User[webadm]/groups) groups changed 'sudo,sudo,www_edit,www_images' to 'sudo,www_edit,www_images'

The relevant manifest follows.

<pre><code class="ruby">
class users::webadm {
  user { 'webadm':
    ensure      => present,
    uid         => 1001,
    gid         => 'webadm',
    groups      => ['sudo'],
    membership  => minimum,
  }
}

class users::www_data {
  user { 'www-data':
    membership => minimum,
    groups => 'webadm',
  }
}
</code></pre>

This is related to Issue #3748 and Issue #3159 but the provider is (and should 
be) useradd, not ldap. 
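
The set comparison discussed in this issue, as an added example that is not part of the original report and not Puppet's own code. The method names and the simplified string comparison are assumptions made for illustration, and the group lists are constructed from the log lines above.

```ruby
require 'set'

# Constructed sample: supplementary groups as retrieved when the same
# membership is visible through two sources (local files and LDAP).
CURRENT_WWW_DATA = %w[webadm webadm].freeze
CURRENT_WEBADM   = %w[sudo sudo www_edit www_images].freeze

# Hypothetical model of a string-based comparison with membership => minimum:
# the requested list is merged with the current one and de-duplicated,
# while the current list is compared exactly as retrieved.
def naive_in_sync?(current, requested)
  desired = (requested + current).uniq.sort.join(',')
  current.sort.join(',') == desired
end

# Set-based comparison: a duplicate in the retrieved list carries no meaning,
# so membership is compared as sets.
def set_in_sync?(current, requested, membership: :minimum)
  have = current.to_set
  want = requested.to_set
  membership == :minimum ? want.subset?(have) : want == have
end

# Groups that really need to change; removals only apply to inclusive lists.
def group_delta(current, requested, membership: :minimum)
  have = current.to_set
  want = requested.to_set
  remove = membership == :inclusive ? have - want : Set.new
  { add: (want - have).to_a.sort, remove: remove.to_a.sort }
end

if __FILE__ == $PROGRAM_NAME
  { 'www-data' => [CURRENT_WWW_DATA, %w[webadm]],
    'webadm'   => [CURRENT_WEBADM, %w[sudo]] }.each do |user, (current, requested)|
    puts "#{user}: naive=#{naive_in_sync?(current, requested)} " \
         "set=#{set_in_sync?(current, requested)} " \
         "delta=#{group_delta(current, requested)}"
  end
end
```

A comparison that reports a change on every run buries real membership changes, such as an unexpected addition to sudo, in the agent's reports.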


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.