[chef] Re: Re: Re: Re: Re: Check if a user exists?


  • From: Alexander Skwar < >
  • To:
  • Subject: [chef] Re: Re: Re: Re: Re: Check if a user exists?
  • Date: Thu, 24 Sep 2015 09:15:19 +0200

Hi John

Ohai does not list every SSS user/group in the ['etc']['passwd'] or ['group'] section. That's why I'm asking ;) I tried this:


"ask" is stored in IPA; "example-does-not-exist" is a non-existent account; "local" is a user from /etc/passwd.

But "node['etc']['passwd']['ask']" is "nil". And "node['etc']['passwd']['local']" is not nil.



I now have it set up so that I put everything which requires IPA into "abc-ipa" recipes. And if IPA isn't available, I remove those recipes from the run list:

ruby_block 'Entferne -ipa recipes von der run list, falls IPA noch NICHT initialisiert wurde' do
    block do
        # iterate over a snapshot (to_a) so that removing entries does not skip the next one;
        # run list entries are RunListItem objects, so compare their name (e.g. "abc-ipa")
        node.run_list.to_a.each do |run_list_item|
            node.run_list.remove(run_list_item) if run_list_item.name.end_with? "-ipa"
        end # of node.run_list.to_a.each do |run_list_item|
    end
    # check if a user can be found, which only exists in IPA
    not_if "getent passwd _ipa-check"
end # of ruby_block 'Entferne -ipa recipes von der run list, falls IPA noch NICHT initialisiert wurde' do


Not elegant...

Regards
Alexander


2015-09-23 16:09 GMT+02:00 John Rowe < >:
With LDAP-backed authentication I was able to do this with:
if node["etc"]["passwd"].attribute?("username")

Ohai would still list every LDAP user/group in the ['etc']['passwd'] section.  I haven't used IPA so I'm not sure if it does the same.

If not you could do something like:
# shell_out is available in the recipe DSL; exit status 0 means getent found the user
if shell_out("getent passwd username").exitstatus == 0
   chef_stuff do
      ...
   end
end
or really, more correctly:

deploy "code" do
  # resource attributes go here
  only_if "getent passwd username"
end


On Wed, Sep 23, 2015 at 9:50 AM Matthew Moretti < > wrote:

Ohai uses ruby’s Etc.passwd (https://github.com/chef/ohai/blob/master/lib/ohai/plugins/passwd.rb) to get user data which should include other sources that are in nsswitch.

I know that Ohai includes external sources because it's very common for people with LDAP enabled to disable that particular Ohai plugin (since by default it'll load your whole directory and store it in the node data).

There is, however, an issue when nsswitch changes after the Chef run has started. Because of a limitation in the underlying C library, those changes don’t get picked up by already running processes. (https://tickets.opscode.com/browse/CHEF-3780) Perhaps that’s your issue here?

Matt Moretti
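The difference Matt describes (Ohai walking the whole passwd database) and the getent guard Alexander ended up with come down to two different libc entry points. The following is an added example, not code from the thread or from Ohai/Chef, that contrasts them in plain Ruby: `Etc.passwd` enumerates via getpwent(3), `Etc.getpwnam` looks up a single name via getpwnam(3), and `getent passwd name` does the same single-name lookup from a subprocess. It assumes a Unix host with a `root` account; the name `example-does-not-exist` is taken from the thread as a known-missing account, and the `deploy "code"` resource in the comment is hypothetical.

```ruby
require "etc"

# Added example, not code from the thread. It contrasts the two libc entry
# points behind the answers above: enumerating the passwd database (what the
# Ohai passwd plugin does via Etc.passwd / getpwent(3)) versus looking up one
# name (Etc.getpwnam / getpwnam(3), which is also what getent(1) does).
module UserLookup
  module_function

  # Walk the whole passwd database, as Ohai does. NSS sources that do not
  # enumerate are invisible here: sssd ships with "enumerate = false", so
  # IPA users are missing even though nsswitch.conf lists "sss".
  def enumerated?(name)
    found = false
    Etc.passwd { |entry| found = true if entry.name == name }
    found
  end

  # Ask for exactly one name. This consults every nsswitch source in order
  # (files, then sss on the poster's clients), so IPA users resolve.
  def lookup?(name)
    Etc.getpwnam(name)
    true
  rescue ArgumentError # Etc.getpwnam raises this when the user does not exist
    false
  end

  # The same single-name lookup done by shelling out, as the thread's
  # `only_if "getent passwd username"` guard does. true = found,
  # false = not found (getent exits 2), nil = getent binary not present.
  def getent?(name)
    system("getent", "passwd", name, out: File::NULL, err: File::NULL)
  end

  # Summarise all three answers for one account so a disagreement is visible.
  def report(name)
    { enumerated: enumerated?(name), lookup: lookup?(name), getent: getent?(name) }
  end
end

# Usage in a recipe (hypothetical resource; the block form of only_if takes a
# Ruby expression instead of a shell string, so no shell quoting is involved):
#
#   deploy "code" do
#     only_if { UserLookup.lookup?("ask") }
#   end

if $PROGRAM_NAME == __FILE__
  %w[root example-does-not-exist].each do |name|
    puts "#{name}: #{UserLookup.report(name)}"
  end
end
```

On an sssd client with enumeration off, `report("ask")` returns `enumerated: false` but `lookup: true`, which is exactly the split between `node['etc']['passwd']['ask']` being nil and `getent passwd ask` succeeding. Two practical points follow from this: a guard on the resource (`only_if { ... }`) is preferable to editing the run list from a ruby_block, because by the time a ruby_block converges the recipes on the run list have already been compiled; and when the user name comes from node data, the block form of the guard avoids passing that value through a shell, which the string form does.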

On Wed, Sep 23, 2015 at 8:52 AM, Alexander Skwar < > wrote:

Hi

I don't have knife, I'm using chef-solo. Should've mentioned this, sorry :/

Well, but, no. For local users, ohai seems usable (→ "And "node['etc']['passwd']['local']" is not nil."). node['etc']['passwd']['root'] returns "something".

But for non-local users (which are in sssd), ohai doesn't seem to work. As I said, for users stored in IPA, I get "nil" (→ "But "node['etc']['passwd']['ask']" is "nil""), when I check node['etc']['passwd']['ipa-username'].

What's the correct way to check if a user exists, if the user isn't local?

Regards,
Alexander


2015-09-23 14:13 GMT+02:00 Barthélemy Vessemont < >:
Just use ohai !!!

Ohai gathers up all system users:

> knife search 'name:my-server' -a etc.passwd.root.uid -a etc.passwd.root.gid

my-server:
  etc.passwd.root.gid: 0
  etc.passwd.root.uid: 0


On Wed, Sep 23, 2015 at 10:15 AM, Alexander Skwar < > wrote:
Hello

We're using an IPA server to store user accounts and such and Ubuntu clients with FreeIPA to access this. I would now like to do something, based on the existence of a user account in IPA.

How can I check if a user exists?



On Stack Overflow, I found this:


Ohai queries the users on the system for you:

if node['etc']['passwd']['random']
  # Do deploy
end


But this only works with local accounts; it does not work with accounts in IPA. In our nsswitch.conf, there's:

$ grep passwd /etc/nsswitch.conf 
passwd:         files sss


With getent, I can query accounts.

$ getent passwd ask
ask:*:10000:10000:Alexander Skwar:/home/ask:/usr/bin/zsh
$ getent passwd example-does-not-exist
$ getent passwd local
local:x:1000:1000::/home/local:/bin/zsh

"ask" is stored in IPA; "example-does-not-exist" is a non-existent account; "local" is a user from /etc/passwd.

But "node['etc']['passwd']['ask']" is "nil". And "node['etc']['passwd']['local']" is not nil.

How can I check if a user exists? Do I really have to resort to calling getent?

Thanks,
Alexander



--
Barthélemy Vessemont
Computer engineer, graduate of the UTC (Compiègne)
Chef contributor ( )



--

Alexander -- Google+ => http://plus.skwar.me <== Chat (Jabber/Google Talk) => ( ) <==







