[chef] Re: Re: Re: LDAP user not available after SSSD setup on RHEL


Chronological Thread 
  • From: Matthew Moretti < >
  • To: " " < >
  • Subject: [chef] Re: Re: Re: LDAP user not available after SSSD setup on RHEL
  • Date: Wed, 19 Aug 2015 13:45:20 -0400

I believe this is a longstanding issue that doesn't really have a fix.


Because of limitations in the underlying C libraries, changes to nsswitch.conf won't be available in the current chef-client run.  Error handling followed by a second run is probably what's required here.


Matt Moretti






On Wed, Aug 19, 2015 at 10:58 AM, Alan Thatcher < " target="_blank"> > wrote:
The reload of Ohai did not fix the problem I am seeing.  I do see that there is a cookbook out there to restart chef in the middle of a run (keenlabs/chef-restart).  Does anyone have experience with that method, or is there something else I should do?  Perhaps this is a bug?  I can ignore the file creation, as it will work on the next client run.  However, there are other cookbooks that fail as well (creating mounts that are owned by an LDAP user, for instance).

On Wed, Aug 19, 2015 at 10:01 AM Alan Thatcher < " target="_blank"> > wrote:
Thanks for the quick response.  I found some *old* posts about it, that pointed me in the same direction.  I am trying that now.

I ran into this issue before.  It has to do with ohai needing to be reloaded once LDAP has been configured.  Basically ohai pulls all of the available users, THEN you configure LDAP, so the user list in ohai is out of date.  I never could fix it in Chef10, and by the time we had migrated to Chef11 we had simply baked the LDAP configuration into our Amazon AMI.

A workaround at the time I had come up with just so the initial chef-client run would complete was anything that relied on ldap users I wrapped around an if statement like:
if node["etc"]["passwd"].attribute?("username")
    do stuff
end

I believe the "right" way was to do it like this:

configure ldap
....
ohai "reload_passwd" do
  action :run
end

But like I said in Chef10 I couldn't get that to work and by 11 it was obsoleted so never pursued it more.

Hope this helps.




I am having an issue with my Chef run logic.  As part of the initial build of a system, I install and configure sssd to authenticate to LDAP.  That step works.  Later in the run I start to deploy files with the template LWRP, and some of the owners are LDAP users.  This is where the Chef run fails.

I can confirm, by logging into the server directly after the first chef run fails, that LDAP authentication is working correctly, and I can see the user in question.  If I immediately run chef-client at that point, it finishes correctly.  

Is there some reason that I need to restart the chef run after the initial setup of sssd, or am I missing a step?  




Archive powered by MHonArc 2.6.16.

§