[chef] Re: RE: ohai, number ldap accounts


  • From: Peter Struijk < >
  • Subject: [chef] Re: RE: ohai, number ldap accounts
  • Date: Wed, 28 Mar 2012 14:09:44 -0700

An alternative approach we used is to edit /etc/login.defs (on Debian-based systems anyway) and lower UID_MAX below where your ldap range starts. That way you keep the local users in ohai.

On Wed, Mar 28, 2012 at 8:25 AM, < > wrote:
Hi Randy,

We are experiencing this very same issue and were recently looking for a solution. We use Centrify to pull in AD accounts for authorization. The nodes are pulling in tons of data for all of these user groups and accounts.

If we're not doing anything with specific user accounts in recipes/templates, should we be safe to just disable the Ohai plugin that pulls in the user accounts from AD?

Ian D. Rossi
CD - Server Infrastructure
Phone 23834

From: Van Fossan, Randy
Sent: Wednesday, March 28, 2012 11:10 AM
Subject: [chef] ohai, number ldap accounts

Fellow chefs,

I have a question about ldap accounts that ohai pulls down. We are a large shop with thousands of servers and we have a large number of ldap accounts (only a few are currently managed by chef). As per the issue in OHAI-165, I believe it may be affecting performance on our chef server.

One solution proffered is to place Ohai::Config[:disabled_plugins] = [ "passwd" ] in the client config to disable this. However, if we do this, won’t the ldap accounts be unavailable in resources? Meaning, if I assign the ownership of a file to an ldap account in a file resource, won’t that cause a failure? This since chef will not know anything about that account.

 

file "/tmp/myfile" do
  owner "ldapacct1"
  group "ldapgroup1"
  mode "0600"
end

 

http://tickets.opscode.com/browse/OHAI-165

 

Anyone have any guidance on this issue? I would like to keep all the ldap info out of ohai, but still be able to use ldap accounts in a resource.

 

Thanks

  Randy
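
A pre-check for the UID_MAX approach described at the top of the thread, as an added example that is not part of the original messages: it reads UID_MAX from login.defs text and lists which local passwd entries sit at or below a proposed UID_MAX and which would land above it. The file contents, account names and the LDAP range start of 50000 are constructed assumptions.

```ruby
# Added example; every input below is constructed for illustration.
LOGIN_DEFS = <<~CONF
  # sample /etc/login.defs
  UID_MIN          1000
  UID_MAX         60000   # current ceiling
CONF

LOCAL_PASSWD = <<~PW
  root:x:0:0:root:/root:/bin/bash
  deploy:x:1001:1001::/home/deploy:/bin/bash
  legacyapp:x:25000:25000::/srv/legacyapp:/bin/false
  svcbackup:x:50010:50010::/var/backup:/bin/false
  broken-line-without-uid
PW

LDAP_RANGE_START = 50_000 # assumption: first UID handed out by the directory

# Integer value of a login.defs key such as UID_MAX, or nil if it is not set.
def login_defs_value(text, key)
  text.each_line do |line|
    name, value = line.sub(/#.*/, "").split
    return Integer(value) if name == key && value
  end
  nil
end

# [name, uid] pairs from passwd(5) text; malformed lines are skipped.
def passwd_entries(text)
  text.each_line.map { |l| l.chomp.split(":") }
      .select { |f| f.size >= 3 && f[2].match?(/\A\d+\z/) }
      .map { |f| [f[0], f[2].to_i] }
end

# Which local accounts stay at or below a proposed UID_MAX, which land above it,
# and whether the proposed value really sits below the directory range.
def check_uid_max(passwd_text, proposed_max, ldap_start)
  kept, above = passwd_entries(passwd_text).partition { |_, uid| uid <= proposed_max }
  { below_ldap_range: proposed_max < ldap_start,
    kept: kept.map(&:first), above: above.map(&:first) }
end

current = login_defs_value(LOGIN_DEFS, "UID_MAX")
puts "current UID_MAX=#{current}: #{check_uid_max(LOCAL_PASSWD, current, LDAP_RANGE_START)}"
proposed = LDAP_RANGE_START - 1
puts "proposed UID_MAX=#{proposed}: #{check_uid_max(LOCAL_PASSWD, proposed, LDAP_RANGE_START)}"
```

Any name in `above` is a local account whose UID already sits past the proposed ceiling, so it needs renumbering or a different boundary before login.defs is changed.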

 




