[chef] Re: LDAP user not available after SSSD setup on RHEL

  • From: John Rowe
  • Subject: [chef] Re: LDAP user not available after SSSD setup on RHEL
  • Date: Wed, 19 Aug 2015 13:48:42 +0000

I ran into this issue before.  It has to do with ohai needing to be reloaded once LDAP has been configured.  Basically ohai pulls all of the available users, THEN you configure LDAP, so the user list in ohai is out of date.  I never could fix it in Chef10, and by the time we had migrated to Chef11 we had simply baked the LDAP configuration into our Amazon AMI.

A workaround I had come up with at the time, just so the initial chef-client run would complete, was to wrap anything that relied on LDAP users in an if statement like:
if node["etc"]["passwd"].attribute?("username")
  # do stuff: resources that reference the LDAP user go here
end

I believe the "right" way was to do it like this:

# configure ldap (sssd) resources go here
# ....
# reload the ohai passwd plugin so node["etc"]["passwd"] picks up LDAP users
ohai "reload_passwd" do
  plugin "passwd"
  action :reload
end

But like I said, in Chef10 I couldn't get that to work, and by 11 it was obsoleted, so I never pursued it further.

Hope this helps.

On Wed, Aug 19, 2015 at 9:19 AM Alan Thatcher wrote:
I am having an issue with my Chef run logic.  As part of the initial build of a system, I install and configure sssd to authenticate to LDAP.  That step works.  Later in the run I start to deploy files with the template LWRP, and some of the owners are LDAP users.  This is where the Chef run fails.

I can confirm, by logging into the server directly after the first chef run fails, that LDAP authentication is working correctly, and I can see the user in question.  If I immediately run chef-client at that point, it finishes correctly.  

Is there some reason that I need to restart the chef run after the initial setup of sssd, or am I missing a step?  
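An added example (not code from the thread) in plain Ruby, modelling the stale-snapshot behaviour John describes: the user list is captured once when chef-client starts, so a guard on it misses an LDAP user until the snapshot is reloaded. PasswdSnapshot and the sample passwd text are constructed stand-ins for ohai's data, not Chef APIs.

```ruby
# Added example (not from the thread): models the ohai behaviour described above.
# node['etc']['passwd'] is a snapshot of the account database taken when
# chef-client starts; users that only become visible through SSSD/LDAP after
# that point are missing until the passwd plugin is reloaded.

# Parse passwd(5)-format records (what `getent passwd` prints) into a hash
# keyed by username, mirroring the shape of node['etc']['passwd'].
def parse_passwd(text)
  text.each_line.with_object({}) do |line, users|
    name, _pw, uid, gid, gecos, dir, shell = line.chomp.split(':', 7)
    next if name.nil? || name.empty? || name.start_with?('#')
    users[name] = { 'uid' => Integer(uid), 'gid' => Integer(gid),
                    'gecos' => gecos, 'dir' => dir, 'shell' => shell }
  end
end

# Stand-in for the ohai passwd data: captured once, refreshed only on reload.
class PasswdSnapshot
  attr_reader :users

  def initialize(&source)
    @source = source # block returning the current passwd text (hypothetical NSS)
    reload!
  end

  def reload!
    @users = parse_passwd(@source.call)
    self
  end

  # Equivalent of the node['etc']['passwd'].attribute?(name) guard above.
  def attribute?(name)
    @users.key?(name)
  end
end

# Constructed sample data: local accounts before SSSD, local + LDAP afterwards.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\n" \
               "chef:x:1001:1001:chef svc:/var/chef:/sbin/nologin\n"
LDAP_PASSWD = LOCAL_PASSWD + "alice:*:20001:20001:Alice (LDAP):/home/alice:/bin/bash\n"

# Simulates one chef-client run: ohai captures users, then SSSD is configured.
def simulate_run
  nss = LOCAL_PASSWD
  snapshot = PasswdSnapshot.new { nss }         # ohai runs at client start
  nss = LDAP_PASSWD                             # "configure ldap" step succeeds
  stale = snapshot.attribute?('alice')          # template owner check, stale data
  fresh = snapshot.reload!.attribute?('alice')  # after ohai "reload_passwd"
  { stale: stale, fresh: fresh }
end
```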
