[chef] Re: Re: Re: Re: Re: Nested Databags

[James Light < >]

You should be able to add whatever you want to your LDAP schema, but
sometimes LDAP admins are unwilling to do schema modifications.
I used to do them quite often at my old job and they were a little bit
more complicated than I felt they should be, but it wasn't impossible
and is fairly standard practice if you want to use LDAP as a
customizable data store, which is really convenient. The replication
in openLDAP is so sweet that I found it really begging to be extended
all the time, but, again, there's a learning curve when it comes to
doing schema modifications and there wasn't an overwhelming amount of
documentation on how to do it the last time I checked (about 2 years
ago?).

Anyway, Chef to the rescue as usual. If you get into a situation where
you need to update things based on IP (say it changes) you may want to
take a look at 'knife exec'
(http://wiki.opscode.com/display/chef/Knife+Exec). Seeing as your
databags are based on user name, not IP, you'll have to do a sort of
for loop across each item, which is the kind of thing that I've
started using knife's exec command for.

The DSL is different than the recipe and attributes file DSL, but the
Opscode page I linked to above has some great scripts on that to get
you started. You can try your scripts out in Shef to get an idea of
what syntax and semantics you need to work and then just stick the
code in a ruby script and run via knife exec. Right now I'm using that
to migrate sets of systems between environments (I'm not sure this is
the best way to do it, but it works well for my work-flow..), but I
imagine that changing a set of IPs to another set of IPs wouldn't be
impossible.

Good Luck and happy chefing.

HTH,

     -JL


On Fri, Sep 14, 2012 at 7:12 AM, jfotop 
<
 >
 wrote:
> And that is exactly what I did. One databag/user which describes his IP
> address(es), the groups that he is a member of and his username. Now I can 
> just
> do a search and find all members of the specific group. So I can use the
> databags to add users to a local group and also populate rules for iptables
> with their IP's.
>
> It really is a shame that we can't just add the IP addresses to our LDAP
> directory. :)
> Thanks a lot for your help!!!