Hi Andrew,
> > "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
> > As far as I know this is not possible with puppet.
>
> Marcello, I want to understand your use case. AD and LDAP seem to be
> fairly common in Puppet installations, and I'd like for ssh::auth to
> work well with them. But I'm not that familiar with them.
>
> Are you saying that once a user is authorized for a host (or the whole
> domain), the user exists on that host, but his/her home directory
> doesn't, until they first log in?
The user doesn't exactly "exist" on that host. The user and his group
membership are 'visible' (via AD/LDAP) and he might be authorized to log in
to that host. His homedir indeed doesn't exist initially.
> When the user logs in, is his/her home directory automounted from a
> network share?
No, although that would be possible.
But it is not the default and not what I want now.
> In that case, the place to deploy the ssh keys would be in the
> user's home directory on the file server. Or, is the home directory
> created locally on the host the first time the user logs in?
Exactly.
> It would seem to me that once a user is authorized for a host, you'd
> want to create his/her ~/.ssh/authorized_keys right away, so they can log
> in by ssh.
> If you can explain the sequence of how users get created and
> authorized and when their home directories get created, it would help
> me to address the need.
>
> Andrew.
Let me try to explain that:
Based on an AD group membership I allow users to log in or not. If you
don't configure that parameter on the lwopen (Likewise-open) client ("require
membership of"), all domain users are allowed to log in.
Besides that, Likewise-open uses a hash of your Active Directory UID/GID to
generate your Unix UID/GID.
Once you log in to the machine for the first time, lwopen will create your
homedir with the proper rights (the hashed UID/GID and optionally the
domain name). For example, "ls -ln" would show something like:
drwxr-xr-x 953680985 953680385 /home/mydomain/myusername
Besides that, lwopen creates a .k5login in that directory to allow
single sign-on via Kerberos. That's one more reason I need lwopen doing that
and not Puppet.
My whole lwopen configuration is deployed via Puppet. On the machines I
log in to, after my homedir has been properly created, I would like to be
able to deploy my .ssh/authorized_keys as an alternative to Kerberos SSO.
By the way, that's because Kerberos SSO has some issues, but that's off-topic. :)
So what I need looks simple but is surprisingly difficult to achieve:
> > "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
Is this enough info about the use case? Ideas anyone?
Gr,
Marcello
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
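As an added example, not code from this thread, from Puppet or from Likewise-open: a POSIX shell script that implements Marcello's "IF homedir exists => deploy .ssh/authorized_keys, else do nothing" check. The idea is to let Puppet run it from an exec resource on every run; the script itself does nothing (exit status 3) until lwopen has created the home directory on first login, and is idempotent once it has. The /home/<domain>/<user> layout, the numeric UID/GID arguments and the example key are assumptions and constructed placeholders. Because the script runs as root inside a directory the user controls, it refuses to write through a symlinked .ssh or authorized_keys, and it never touches anything outside .ssh, so the .k5login that lwopen created is left alone. Ownership and modes (0700 on .ssh, 0600 on authorized_keys) are set to the hashed UID/GID so that sshd's StrictModes accepts the file.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or any project.
# deploy_key_if_home HOME_DIR OWNER_UID OWNER_GID "PUBLIC KEY LINE"
#   exit 0 : key installed (or already present) with correct owner/modes
#   exit 3 : home directory does not exist yet -> "do nothing" branch
#   exit 1 : refused or failed (e.g. symlink planted in the home directory)
set -u

# Constructed placeholder key; the real key would come from the Puppet manifest.
EXAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleConstructedKeyMaterial== myusername@mydomain'

deploy_key_if_home() {
  home=$1; owner=$2; group=$3; pubkey=$4
  ak="$home/.ssh/authorized_keys"

  # lwopen creates the home directory on first login, not Puppet:
  # until then there is nothing to do, and that must not be an error.
  [ -d "$home" ] || return 3

  # We run as root inside a user-controlled directory. A symlinked .ssh or
  # authorized_keys would let the user redirect our write elsewhere, so refuse.
  if [ -L "$home/.ssh" ]; then
    echo "refusing: $home/.ssh is a symlink" >&2
    return 1
  fi
  if [ -L "$ak" ]; then
    echo "refusing: $ak is a symlink" >&2
    return 1
  fi

  mkdir -p "$home/.ssh" || return 1
  chmod 0700 "$home/.ssh" || return 1

  # Idempotent: append the key only if this exact line is not already there
  # (grep on a missing file fails, which takes the append branch).
  if ! grep -qxF -e "$pubkey" "$ak" 2>/dev/null; then
    printf '%s\n' "$pubkey" >> "$ak" || return 1
  fi
  chmod 0600 "$ak" || return 1

  # sshd (StrictModes) rejects keys in files not owned by the user, so use
  # the hashed UID/GID that lwopen assigned, as seen in "ls -ln".
  chown "$owner:$group" "$home/.ssh" "$ak" || return 1
  return 0
}

# Command-line entry point, e.g. from a Puppet exec:
#   deploy_key_if_home.sh /home/mydomain/myusername 953680985 953680385 "$KEY"
if [ "$#" -eq 4 ]; then
  deploy_key_if_home "$@"
fi
```

Driven from Puppet, the exec would pass the home path, the hashed UID/GID and the key, and accept both 0 and 3 as success via the exec resource's returns parameter, so hosts where the user has never logged in stay quiet in the reports; an onlyif of "test -d /home/mydomain/myusername" gives the same "else do nothing" behaviour without even running the script.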