- From: Daniel DeLeo
- Subject: [chef] Re: Re: Chef and LDAP Users
- Date: Wed, 30 Jul 2014 16:00:41 -0700
I don’t recall the details but I vaguely remember this being caused by some
sort of caching implemented in the library that provides getpwent and such
functions. One thing you can try is to call `Etc.endpwent` in a ruby_block to
make sure Chef closes and reopens the password file.
--
Daniel DeLeo
On Wednesday, July 30, 2014 at 3:53 PM, Douglas Garstang wrote:
> Replying to myself. :)
>
> Actually, if I put this, at the very end of the LDAP recipe...
>
> bash "foo1" do
>   user "root"
>   code <<-EOF
>     getent passwd doug > /tmp/foo1
>   EOF
> end
>
> bash "foo" do
>   user "doug"
>   code <<-EOF
>     touch /tmp/FILE
>   EOF
> end
>
> The contents of the file /tmp/foo1 have:
>
> tmp]# cat foo1
> doug:x:1097:2299:Doug Garstang ops team:/home/doug:/bin/bash
>
> which would tend to indicate to me that LDAP is functional. However, the
> very next bash block fails. Chef reports:
>
> "can't find user for doug"
>
> So, the user seems to exist for the system, but not for chef.
>
> Thanks,
> Doug.
>
> On Wed, Jul 30, 2014 at 3:39 PM, Douglas Garstang wrote:
> > All,
> >
> > I have a recipe that configures LDAP, and that's working fine. I have
> > another recipe that runs afterwards in the run list that tries to
> > configure individual users authorized_keys file etc.
> >
> > Chef complains that the user doesn't exist. However, if I log into the VM
> > where this happens, I can query the user and everything is fine. If I run
> > the chef client again, the error does not happen.
> >
> > I initially thought it might have been a sssd/nscd caching issue so I
> > disabled those. Did not help. I also put a 30 second sleep in. Also did
> > not help.
> >
> > I am wondering if this could be some sort of compile/converge issue where
> > chef is looking at the recipe, and checking if the users exist before it
> > runs. That could explain why it works a second time, but fails on the
> > first since LDAP hasn't been configured yet.
> >
> > Here's the second recipe, the one that tries to perform user operations
> > after LDAP is configured.
> >
> > include_recipe "foo-ldap"
> >
> > bag = data_bag("ssh-keys")
> > for item in bag do
> >   user = data_bag_item('ssh-keys', item)
> >   user_id = user['id']
> >   group_id = user['group']
> >
> >   bash "foo" do
> >     user "#{user_id}"
> >     code <<-EOF
> >       touch /tmp/FILE
> >     EOF
> >   end
> >
> >   directory "/home/#{user_id}" do
> >     action :create
> >     owner "#{user_id}"
> >     group "#{group_id}"
> >     recursive true
> >   end
> >
> >   directory "/home/#{user_id}/.ssh" do
> >     action :create
> >     owner "#{user_id}"
> >     group "#{group_id}"
> >     recursive true
> >   end
> >
> > end
> >
> > Unfortunately, I'm pretty sure that Noah Kantrowitz, who seems to have a
> > rather vehement dislike of me personally will probably find fault with
> > this question. Apologies in advance to readers of that thread if that
> > happens. He will probably say that I have already asked this question in
> > the IRC channel. I asked a similar question. He summarily dismissed me
> > when I asked again with added information.
> >
> > Regards,
> > Douglas Garstang
>
> --
> Regards,
>
> Douglas Garstang
> http://www.linkedin.com/in/garstang
> Cell: +1-805-340-5627
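
The `Etc.endpwent` suggestion from the reply above, written out as an added example; it is not code from the thread or from Chef, and the helper names `reset_account_db`, `fresh_passwd_entry` and `wait_for_user` are hypothetical. It resets the passwd/group handles, retries the lookup, and fails with an explicit message if the account still does not resolve.

```ruby
require 'etc'

# Close the passwd and group enumeration handles held by this Ruby process,
# so the next lookup starts from a freshly opened database.
def reset_account_db
  Etc.endpwent
  Etc.endgrent
end

# Look up +name+ after a reset. Etc.getpwnam raises ArgumentError
# ("can't find user for NAME") on a miss; return nil instead.
def fresh_passwd_entry(name)
  reset_account_db
  Etc.getpwnam(name)
rescue ArgumentError
  nil
end

# Retry the lookup a few times and fail with an explicit message, so a
# converge stops here rather than at the first resource that needs the user.
def wait_for_user(name, attempts: 5, delay: 1)
  attempts.times do |i|
    entry = fresh_passwd_entry(name)
    return entry if entry
    sleep(delay) if i < attempts - 1
  end
  raise "user #{name} not resolvable after #{attempts} attempts"
end

# Hypothetical placement (assumption: the helpers above are loaded from a
# cookbook library file), after the LDAP setup and before the first resource
# that runs as an LDAP-backed user. Shown as a comment so this file runs
# without Chef:
#
#   ruby_block "reload passwd database for #{user_id}" do
#     block do
#       wait_for_user(user_id)
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  name = ARGV.fetch(0, "root") # constructed default for a stand-alone run
  entry = fresh_passwd_entry(name)
  puts(entry ? "#{name}: uid=#{entry.uid} gid=#{entry.gid}" : "#{name}: not resolvable")
end
```

Because a `ruby_block` body runs at converge time, the check happens after the LDAP resources earlier in the run list have been applied.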