README

new23d

lpep

LDAP passwd Enumerator for Puppet

Purpose

Add users and groups from Active Directory to your Red Hat 6.x compatible systems

License

Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License

Setup

On Red Hat 6.x compatible systems:

(1) command: yum install pam_ldap
(2) command: authconfig --enableldapauth --ldapserver="ldap://ad.example.com" --ldapbasedn="dc=example,dc=com" --updateall
(3) in /etc/pam_ldap.conf, add the following lines towards the end

binddn cn=foo,ou=bar,dc=example,dc=com
bindpw fubar
pam_login_attribute sAMAccountName

In the lpep module:

(1) edit manifests/lpep.ini to configure ldap settings
(2) ensure bin/lpep.py is executable
(3) ensure manifests/lpep.pp , bin/lpep.db and bin/profiling.log are writable

Usage

(1) include the class lpep in your manifests to have the module query your ldap source and populate its database and manifest files; having done this, you can manually inspect bin/lpep.db using a tool like the sqlite manager extension for firefox, and manifests/lpep.pp for a manifest of users and groups

class {lpep: }

(2) include the class lpep::exec in your manifests to deploy the users and groups generated earlier onto targeted nodes

class {lpep::exec: }

Known Issues

(1) objects are tracked only by their username (or sAMAccountName) and not by SID, therefore if a username were to change, that would generate a new numeric uid
(2) objects are not removed from the target system's local user database, but if the ldap authentication were to fail, the user won't be able to login anyway
(3) limited to upto 1000 objects from active directory

Notes

(1) objects are stored in a local sqlite database, and the numeric uids and gids retained
(2) coded originally for domino ldap, therefore the routines may not be ideal for active directory

Meta

CentOS Linux Integration with Active Directory