On Wednesday, August 14, 2019 at 9:05:24 AM UTC-5, LinuxDan wrote:
> Your response makes perfect sense. I am planning to use FreeIPA/Red Hat
> Identity Manager which uses SSSD to do everything you describe for your
> house.
>
> I want to be able to manage aspects of the user home directories for
> hardening purposes - permissions, no dot-netrc files, that sort of thing.

To the best of my knowledge and my ability to interpret the docs, User resources don't provide for any such thing, nor are they a prerequisite for such management.

> In your experience, is it possible for an LDAP-authenticating login to
> have a user resource at all? If not, I will have to consider a shotgun
> approach to the home-dir management.

It ought to be *possible*, but I don't think it would be *useful* for a system with an effectively read-only user database.

If your idea is to have a list of users for each machine under management, then User resources do not advance that objective -- it is easier and better to represent a prescriptive user list in external data, and if you want to expose that for use by multiple classes then a class variable will serve that purpose nicely (and in fact, I do exactly that).

If you're looking instead for an adaptive list, of users who are observed to have home directories on the system, say, then a custom fact is definitely the way to go.

I note, however, that although I know and manage which users are authorized to log in to each of my machines, I do not manage the permissions on or contents of their home directories.

John
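The adaptive list suggested in the reply, sketched as an added example (not code from the thread or from the Puppet project): a Facter custom fact that reports each home directory observed on the node with its mode bits and whether a `.netrc` is present. The fact name `home_dir_audit`, the `/home` base path and the 0700 baseline are assumptions.

```ruby
# Added example. Place under <module>/lib/facter/ to load it as a custom fact.
# Assumptions: fact name "home_dir_audit", homes live under /home,
# and the hardening baseline is mode 0700 (no group/other bits).

# Return { "<dirname>" => { path, mode, uid, open_to_others, netrc } } for every
# real directory directly under `base`. Symlinks are not followed.
def home_dir_audit(base = '/home')
  return {} unless File.directory?(base)

  report = {}
  Dir.children(base).sort.each do |name|
    path = File.join(base, name)
    begin
      st = File.lstat(path) # lstat: a symlinked "home" is not treated as a directory
    rescue SystemCallError
      next # entry vanished or is unreadable; skip it
    end
    next unless st.directory?

    netrc = File.join(path, '.netrc')
    perms = st.mode & 0o7777
    report[name] = {
      'path'           => path,
      'mode'           => format('%04o', perms),
      'uid'            => st.uid,
      'open_to_others' => (perms & 0o077) != 0, # assumed 0700 baseline
      # symlink? catches a dangling .netrc link that exist? would miss
      'netrc'          => File.symlink?(netrc) || File.exist?(netrc)
    }
  end
  report
end

# Register the structured fact only when Facter has loaded this file.
if defined?(Facter)
  Facter.add(:home_dir_audit) do
    confine kernel: 'Linux'
    setcode { home_dir_audit }
  end
end

# Run directly (outside Facter) to print the audit for /home.
puts home_dir_audit.inspect if __FILE__ == $PROGRAM_NAME
```

A manifest can then iterate over `$facts['home_dir_audit']` to declare `file` resources for the directories that actually exist, without needing a `user` resource for LDAP-backed accounts.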
