Right now I think I have a preference for option c.
It is no more difficult than orchestrating a local user account using the ansible user module with the added benefit that all of the users are in only one database.
It also reduces everything that can go wrong that is LDAP-related to one file and one command. It probably isn't a good idea to reduce it any further, because it probably would have been done already by now.
On 09/18/2016 03:25 PM, John Lewis wrote:
Right now I am trying to weigh my options for maintaining my POSIX accounts on an OpenLDAP tree.
I learned today that LDAP templates in ldapscripts really don't work, so if I want to go on using ldapscripts, I would have to run ldapmodify after every account is created to get the gecos configured properly and have a Kerberos principal configured.
I could:
a. run ldapmodify after every account is created to get the gecos configured properly and have a Kerberos principal configured
b. reverse engineer ldapscripts and patch it and then maintain a branch
c. manage users with ldapmodify and have to deal with not having default options for either the account creation or the ldapmodify switch statements
d. write and maintain another tool that creates and executes the ldif but has options that would be the same for my directory filled in
Every single one of these options seems to be pretty time consuming or error prone. I don't know which way I should go with this one.
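As an added illustration of options c and d above (this is example code, not anything from the thread or from ldapscripts): a small POSIX shell wrapper that generates the LDIF for a posixAccount with the gecos field already filled in, rejects input that could inject extra attributes or records into the LDIF, and only then hands the record to ldapadd. The base DN, server URI, bind DN, password file path and default gidNumber are assumptions for illustration; the Kerberos principal step is deliberately left out, since it happens in the KDC rather than in the LDIF.

```shell
#!/bin/sh
# Added example, not code from the thread: build the LDIF for a POSIX account
# with gecos filled in by default, so no ldapmodify pass is needed afterwards.
# Everything below the comment "assumption" is illustrative, not site config.
BASE_DN="${BASE_DN:-dc=example,dc=com}"              # assumption
LDAP_URI="${LDAP_URI:-ldapi:///}"                     # assumption
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"      # assumption
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap/admin.pw}"    # assumption (ldapadd -y)
DEFAULT_GID="${DEFAULT_GID:-100}"                     # assumption: "users"

# make_posix_ldif LOGIN UIDNUMBER [FULLNAME] [SHELL]
# Prints an LDIF "add" record under ou=People. gecos and cn default to the
# full name, and the full name defaults to the login.
make_posix_ldif() {
  login=$1; uidnum=$2; fullname=${3:-$1}; shell=${4:-/bin/bash}

  # Only a conservative login charset: anything else (newlines, commas, '=')
  # could alter the DN or smuggle a second record into the LDIF.
  case "$login" in
    ""|*[!a-z0-9_-]*) echo "make_posix_ldif: bad login '$login'" >&2; return 1 ;;
  esac
  case "$uidnum" in
    ""|*[!0-9]*) echo "make_posix_ldif: bad uidNumber '$uidnum'" >&2; return 1 ;;
  esac
  # gecos ends up in passwd(5) output, where ':' is a field separator; a
  # leading space, ':' or '<' would need base64 encoding in LDIF, so refuse.
  case "$fullname" in
    *:*|" "*|"<"*) echo "make_posix_ldif: unsafe gecos '$fullname'" >&2; return 1 ;;
  esac
  if [ "$(printf '%s' "$fullname" | wc -l | tr -d ' ')" != 0 ]; then
    echo "make_posix_ldif: newline in gecos" >&2; return 1
  fi

  cat <<EOF
dn: uid=$login,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $fullname
sn: ${fullname##* }
gecos: $fullname
uidNumber: $uidnum
gidNumber: $DEFAULT_GID
homeDirectory: /home/$login
loginShell: $shell
EOF
}

# add_account LOGIN UIDNUMBER [FULLNAME] [SHELL]
# Parses the record server-side first with ldapadd -n (nothing is written),
# then performs the real add. DRY_RUN=1 just prints the LDIF.
add_account() {
  ldif=$(make_posix_ldif "$@") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$ldif"
    return 0
  fi
  printf '%s\n' "$ldif" | ldapadd -n -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" || return 1
  printf '%s\n' "$ldif" | ldapadd -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE"
}

# Usage from a terminal (no server needed with DRY_RUN=1):
#   DRY_RUN=1 ./add_account.sh alice 10001 "Alice Liddell"
if [ "$#" -ge 2 ]; then
  add_account "$@"
fi
```

The shape is what option d asks for: the site-specific defaults live in one place at the top, the record is produced by one function, and the only command that touches the directory is ldapadd. The input checks matter because the login and gecos strings come from whoever runs the wrapper; without them a crafted value containing a newline becomes a second LDIF record added under the admin bind.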