 $puppetmaster_extsyncs = {
   masters_json => {
     masters_json_url => "..",
This is like slavealloc, but does no actual syncing; add data to `/etc/hiera/fake_slavealloc.yml`.
= moco_ldap =
This sync pulls SSH public keys and group membership from an LDAP directory. It was written against Mozilla's LDAP directory and should work with any directory that exposes the same attributes.
It uses the following LDAP attributes:
* sshPublicKey (on the user's posixAccount entry; in the standard OpenSSH LPK schema this attribute is supplied by the ldapPublicKey auxiliary class)
* uid (in the posixAccount class)
* member (on group entries, holding the DNs of the group's members)
== Parameters ==
;moco_ldap_uri:LDAP URL from which to pull the data. Use an ldaps:// URL (or a server that enforces STARTTLS) with a trusted CA: the keys fetched here become authorized_keys entries on every managed host, so a plaintext or unauthenticated connection would let anyone on the network path inject keys.
;moco_ldap_root:Root DN at which to begin searches
;moco_ldap_dn:DN of the bind user to use for authentication
;moco_ldap_pass:password for the bind user. It is stored in the puppetmaster's configuration alongside the other settings, so restrict read access to that file.
;users_in_groups:groups to synchronize. This is a hash whose values are lists of LDAP groups to combine and whose keys name the resulting combination (the key is also the hiera key under which the result is published).
For example:
 users_in_groups => {
   editors => ['operators', 'vouched_contributors'],
 }
would combine the operators and vouched_contributors LDAP groups into a single list of userids named editors.
== Result ==
;hiera('ssh-keys'): a hash of SSH keys by userid, with values being a list of SSH keys
;hiera($result_name): a list of userids accumulated from the LDAP groups; in the example above you would use hiera('editors') to get the userids of all operators and vouched_contributors
The former is looked up automatically in ssh::keys and combined with the $extra_user_ssh_keys config, so it is unlikely you will use it directly.
The latter is best used with a backup default (here ldap_admin_users is assumed to be one of the keys in users_in_groups), e.g.,
 $admin_users = hiera('ldap_admin_users',
     # backup to ensure access in case the sync fails:
     ['arr', 'dmitchell', 'jwatkins'])
Note that hiera() returns the default only when the key is absent altogether. A sync that runs but publishes an empty or stale list is returned as-is, so monitor the sync itself rather than relying on the default alone.
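The following added example (not PuppetAgain code) shows what a sync like moco_ldap has to do between the LDAP search and the hiera YAML: build hiera('ssh-keys') from posixAccount entries, resolve each group's member DNs back to uids and union the groups named in users_in_groups, and mirror the hiera() default semantics that the backup trick above relies on. It works on entries already fetched from the directory (a DN plus an attribute dict, the shape python-ldap and ldap3 return). The directory entries, the key material and the assumption that users_in_groups names groups by their cn are constructed for this example. It also rejects sshPublicKey values that are not a single well-formed key line, a check worth having because each value lands verbatim in authorized_keys.

```python
import base64
import struct

# Key types accepted into authorized_keys; anything else is dropped.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def valid_ssh_key(key):
    """True only for a single well-formed '<type> <base64> [comment]' line.
    An embedded newline could smuggle extra authorized_keys lines, and a blob
    that does not start with its own type string is not an OpenSSH key."""
    if not isinstance(key, str) or any(c in key for c in "\r\n\0"):
        return False
    parts = key.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode("ascii")

def build_ssh_keys(entries):
    """hiera('ssh-keys'): {uid: [key, ...]} built from posixAccount entries."""
    keys = {}
    for _dn, attrs in entries:
        if "posixAccount" not in attrs.get("objectClass", []):
            continue
        uids = attrs.get("uid", [])
        if len(uids) != 1:
            continue  # ambiguous uid: refuse to guess which account this is
        good = [k for k in attrs.get("sshPublicKey", []) if valid_ssh_key(k)]
        if good:
            keys[uids[0]] = good
    return keys

def build_group_lists(entries, users_in_groups):
    """One userid list per users_in_groups key: the union of the member uids
    of the listed groups. Assumption: groups are matched by their cn."""
    uid_by_dn, members_by_cn = {}, {}
    for dn, attrs in entries:
        if "posixAccount" in attrs.get("objectClass", []) and len(attrs.get("uid", [])) == 1:
            uid_by_dn[dn.lower()] = attrs["uid"][0]
        if "member" in attrs:
            for cn in attrs.get("cn", []):
                members_by_cn[cn] = attrs["member"]
    result = {}
    for name, groups in users_in_groups.items():
        uids = set()
        for group in groups:
            for member_dn in members_by_cn.get(group, []):
                uid = uid_by_dn.get(member_dn.lower())
                if uid is not None:  # members without a posixAccount entry are skipped
                    uids.add(uid)
        result[name] = sorted(uids)
    return result

def sync(entries, users_in_groups):
    """Return the hiera data the sync would write out as YAML."""
    data = {"ssh-keys": build_ssh_keys(entries)}
    data.update(build_group_lists(entries, users_in_groups))
    return data

def hiera_lookup(data, key, default=None):
    """Mirror of Puppet's hiera(key, default): the default applies only when
    the key is absent, so an empty list left by a broken sync comes back as-is."""
    return data[key] if key in data else default

def fake_ed25519_key(filler, comment):
    """Constructed: a syntactically valid ssh-ed25519 line whose 32-byte point
    is filler. Good enough for format checks, useless for authentication."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([filler]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
# Constructed sample directory: not real users, groups or keys.
SAMPLE_ENTRIES = [
    ("uid=arr," + PEOPLE, {"objectClass": ["posixAccount"], "uid": ["arr"],
                           "sshPublicKey": [fake_ed25519_key(1, "arr@laptop")]}),
    ("uid=jwatkins," + PEOPLE, {"objectClass": ["posixAccount"], "uid": ["jwatkins"],
                                "sshPublicKey": [fake_ed25519_key(2, "jw@desk"),
                                                 "ssh-ed25519 AAAA\nssh-ed25519 AAAA injected"]}),
    ("uid=dmitchell," + PEOPLE, {"objectClass": ["posixAccount"], "uid": ["dmitchell"],
                                 "sshPublicKey": ["ssh-rsa not-base64!!"]}),
    ("cn=operators," + GROUPS, {"objectClass": ["groupOfNames"], "cn": ["operators"],
                                "member": ["uid=arr," + PEOPLE, "uid=dmitchell," + PEOPLE]}),
    ("cn=vouched_contributors," + GROUPS, {"objectClass": ["groupOfNames"], "cn": ["vouched_contributors"],
                                           "member": ["uid=jwatkins," + PEOPLE, "uid=ghost," + PEOPLE]}),
]

if __name__ == "__main__":
    data = sync(SAMPLE_ENTRIES, {"editors": ["operators", "vouched_contributors"]})
    print(sorted(data["ssh-keys"]))  # ['arr', 'jwatkins']: dmitchell's malformed key was dropped
    print(data["editors"])           # ['arr', 'dmitchell', 'jwatkins']: ghost has no account
    print(hiera_lookup(data, "ldap_admin_users", ["arr"]))  # ['arr']: key absent, default used
```

Two things the run shows that the prose does not: dmitchell is still in the editors list even though none of their keys passed validation (group membership and key sync are independent results), and the injected second line in jwatkins' entry never reaches authorized_keys.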
== Caution ==
There is a "chicken and egg" problem when setting up a new organization with this feature: if $admin_users is based on LDAP groups and keys, those keys will not have been synchronized yet when the first puppetmaster is built. To get around this, use the backup trick above with a small, static $admin_users whose keys are in $extra_user_ssh_keys, then set up the extsync, and once it has synchronized, switch over to the LDAP-derived values.