- From: Allan Wind
- Subject: [chef] Re: Managing users and groups - Current best practice
- Date: Wed, 24 Nov 2010 00:45:20 -0500
If your list of users is comprehensive (users), then find the
list of current users (current_users): users - current_users
is the new users, and current_users - users is the users that
should be deleted (where '-' is the set minus operator).
Seems like a general useful thing to diff things in Chef. I used
this algorithm to handle munin plugins.
You might need other logic to avoid deleting users installed by
packages (i.e. if you cannot maintain a comprehensive users
list), and it may well be that you need to explicitly indicate
which users to delete either via a data bag as you suggested, or
by having a status or action per user in the users data bag.
Unexpected users could then generate warnings/errors. If you
have create and modification timestamps (as in LDAP) you can
reduce the set of data you need to look at. LDAP also has a
cn=changelog which you could watch for suitable events.
Debian have a standard for uid ranges, not sure if this goes for
all distributions, but it would allow you to exclude from
consideration package created users.
/Allan
--
Allan Wind
Life Integrity, LLC
<http://lifeintegrity.com>
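The set-difference approach described in the message above, worked through as an added Ruby example (not code from the original post or from Chef itself). It assumes a Debian-style uid layout where uids 0-999 are system accounts and are excluded from consideration, and a hypothetical users data bag where each item carries an explicit 'action' ('create' or 'remove'); the /etc/passwd lines and data bag items are constructed sample data, not taken from a real host.

```ruby
require 'set'

# Assumption: Debian policy reserves uids 0-999 for system accounts
# (package-created users). Other distributions may use a different split.
SYSTEM_UID_RANGE = (0..999)

# Constructed sample of /etc/passwd content (not from a real host).
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  postfix:x:106:112::/var/spool/postfix:/usr/sbin/nologin
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
  bob:x:1001:1001:Bob:/home/bob:/bin/bash
  mallory:x:1002:1002:Mallory:/home/mallory:/bin/bash
PASSWD

# Constructed stand-in for a hypothetical "users" data bag. The 'action'
# field is the explicit per-user status suggested in the message.
SAMPLE_DATA_BAG = [
  { 'id' => 'alice', 'uid' => 1000, 'action' => 'create' },
  { 'id' => 'carol', 'uid' => 1003, 'action' => 'create' },
  { 'id' => 'bob',   'uid' => 1001, 'action' => 'remove' },
]

# Parse passwd-format text into { login => uid }.
def parse_passwd(text)
  text.each_line.with_object({}) do |line, acc|
    name, _pw, uid, * = line.chomp.split(':')
    next if name.nil? || name.empty?
    acc[name] = uid.to_i
  end
end

# Compute the three sets a converge would act on:
#   to_create  = desired (action create) - current managed users
#   to_delete  = desired (action remove) & current managed users
#   unexpected = current managed users not mentioned in the data bag at all
# "Managed" means non-system uids, so package-created users are never touched.
def diff_users(desired, passwd_text, system_range: SYSTEM_UID_RANGE)
  current = parse_passwd(passwd_text)
  managed = current.reject { |_name, uid| system_range.cover?(uid) }.keys.to_set

  by_action = desired.group_by { |u| u['action'] }
  wanted  = by_action.fetch('create', []).map { |u| u['id'] }.to_set
  removal = by_action.fetch('remove', []).map { |u| u['id'] }.to_set

  {
    to_create:  (wanted - managed).to_a.sort,
    to_delete:  (removal & managed).to_a.sort,
    # Accounts that exist but that the data bag says nothing about: these are
    # the ones to warn on rather than silently delete.
    unexpected: (managed - wanted - removal).to_a.sort,
  }
end

if __FILE__ == $PROGRAM_NAME
  result = diff_users(SAMPLE_DATA_BAG, SAMPLE_PASSWD)
  result[:to_create].each  { |u| puts "would create user #{u}" }
  result[:to_delete].each  { |u| puts "would remove user #{u}" }
  result[:unexpected].each { |u| warn "WARNING: unmanaged account present: #{u}" }
end
```

In a recipe the three arrays would drive `user` resources with `:create` and `:remove` actions and a log line for each unexpected account; the uid-range filter is what keeps a comprehensive-list policy from removing accounts that packages such as postfix installed.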