Dear fellow Linux users,
I have a computer with a local user X that shadows an LDAP user of the same name (and group).
I know I can use: userdel X groupdel X
but how do I make sure that the LDAP is not changed, and only the local user/group is deleted? This is very critical.
Many Thanks and Best Regards,
On Thu, Nov 25, 2021 at 06:36:36PM +0100, Thomas Mueller wrote:
> I have a computer with a local user X that shadows an LDAP user of the same name (and group).
> I know I can use: userdel X groupdel X
check luserdel and lgroupdel. The prefix l is for local. :-)
Oh, except... it's not. The l is for "libuser" — those tools are samples for the libuser package, https://pagure.io/libuser. And libuser absolutely can affect LDAP, depending on the system configuration.
On 11/26/21 00:13, Matthew Miller wrote:
> On Thu, Nov 25, 2021 at 06:36:36PM +0100, Thomas Mueller wrote:
> > I have a computer with a local user X that shadows an LDAP user of the same name (and group).
> > I know I can use: userdel X groupdel X
> check luserdel and lgroupdel. The prefix l is for local. :-)
> Oh, except... it's not. The l is for "libuser" — those tools are samples for the libuser package, https://pagure.io/libuser. And libuser absolutely can affect LDAP, depending on the system configuration.
At least it seems safe enough that ansible
* https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L6...
* https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L6...
and puppet
* https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/user...
are using it, when you specify "local=yes" or "forcelocal=true".
- Thomas
On 11/25/21 21:24, Thomas Mueller wrote:
> At least it seems safe enough that ansible
> https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L6...
> https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L6...
> and puppet
> https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/user...
> are using it, when you specify "local=yes" or "forcelocal=true".
I suppose someone should file bug reports. luserdel probably could be used to confine actions to the local host, as long as ansible/puppet provided their own libuser.conf and set the LIBUSER_CONF to the path of that file...
Hello fellow Linux users,
thank you for your answers.
Gordon Messmer gordon.messmer@gmail.com writes:
> On 11/25/21 21:24, Thomas Mueller wrote:
> > At least it seems safe enough that ansible
> > https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L6...
> > https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L6...
> > and puppet
> > https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/user...
> > are using it, when you specify "local=yes" or "forcelocal=true".
> I suppose someone should file bug reports. luserdel probably could be used to confine actions to the local host, as long as ansible/puppet provided their own libuser.conf and set the LIBUSER_CONF to the path of that file...
I attached the /etc/libuser.conf. Is it safe to use luserdel/lgroupdel with these settings (without affecting LDAP)?
modules = files shadow
-> The man page says "A list of module names to use when not creating user or group entries..."
How about if I disable networking so that the LDAP Server is not reachable (pingable) before running luserdel/lgroupdel? Would that be 100% safe?
Many Thanks and Best Regards!
On Fri, Nov 26, 2021 at 08:27:32AM +0100, Felix Natter wrote:
> I attached the /etc/libuser.conf. Is it safe to use luserdel/lgroupdel with these settings (without affecting LDAP)?
> modules = files shadow
Yeah, it should be. Basically, this is only working because the standard modern tooling just ignores that thing.
On 26/11/21 6:27 pm, Felix Natter wrote:
> How about if I disable networking so that the LDAP Server is not reachable (pingable) before running luserdel/lgroupdel? Would that be 100% safe?
Why not create a test user that has similar settings to the real user account you are trying to affect, and test with it? Is it that hard to do?
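Two checks that follow from the exchange above (Felix's question about `modules = files shadow` and Anthony's suggestion to rehearse on a throwaway account), written here as an added example; this is not code from the thread, from libuser or from ansible/puppet. It assumes the libuser.conf layout documented in libuser.conf(5): an INI-style `[defaults]` section whose `modules` and `create_modules` keys are whitespace-separated module names, and the `LIBUSER_CONF` environment variable that Gordon mentions selecting an alternative file. The account classification assumes the directory entry is fetched with a lookup that bypasses the local files, such as `getent -s ldap passwd NAME`; the service name depends on the nsswitch setup and is an assumption, and all sample data (account names, UIDs, the server name) is constructed.

```python
"""Added example, not part of the mailing-list thread or of libuser.

1. parse_modules()/touches_ldap(): read the [defaults] section of a
   libuser.conf and report whether the ldap module is enabled, i.e. whether
   luserdel/lgroupdel could reach the directory at all.
2. classify_account(): compare the local passwd file with a directory-only
   lookup to tell a local-only, directory-only or shadowed account apart,
   so the state can be verified before and after the local deletion.
"""
import configparser
import os
from typing import Dict, List, Optional

# Constructed sample matching the settings quoted in the thread: only the
# local "files" and "shadow" backends are configured.
SAFE_CONF = """
[defaults]
modules = files shadow
create_modules = files shadow
"""

# Constructed counter-example: a configuration that also enables the ldap
# module. The server name is a placeholder, not a real host.
LDAP_CONF = """
[defaults]
modules = files shadow ldap
create_modules = ldap

[ldap]
server = ldap.example.invalid
"""

# Constructed /etc/passwd excerpt and a constructed directory lookup result
# (what `getent -s ldap passwd alice` might print; assumption, see lead-in).
LOCAL_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1001:1001::/home/alice:/bin/bash\n"
)
DIRECTORY_ALICE = "alice:*:20001:20001:Alice:/home/alice:/bin/bash\n"


def parse_modules(conf_text: str) -> Dict[str, List[str]]:
    """Return the module lists from [defaults]. Per libuser.conf(5), 'modules'
    is used for lookups/changes/deletions and 'create_modules' for creation."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(conf_text)
    if not cp.has_section("defaults"):
        return {"modules": [], "create_modules": []}
    section = cp["defaults"]
    return {
        "modules": (section.get("modules") or "").split(),
        "create_modules": (section.get("create_modules") or "").split(),
    }


def touches_ldap(conf_text: str) -> bool:
    """True if either module list names the ldap backend."""
    lists = parse_modules(conf_text)
    return "ldap" in lists["modules"] or "ldap" in lists["create_modules"]


def effective_conf_path(env: Optional[Dict[str, str]] = None) -> str:
    """File libuser will read: $LIBUSER_CONF if set, else /etc/libuser.conf."""
    env = os.environ if env is None else env
    return env.get("LIBUSER_CONF", "/etc/libuser.conf")


def check_conf_file(path: str) -> bool:
    """Read a libuser.conf from disk and report whether it touches LDAP."""
    with open(path, encoding="utf-8") as fh:
        return touches_ldap(fh.read())


def _has_entry(name: str, passwd_text: str) -> bool:
    """True if a passwd-format line for NAME is present in the text."""
    return any(line.split(":", 1)[0] == name for line in passwd_text.splitlines())


def classify_account(name: str, local_passwd: str, directory_passwd: str) -> str:
    """'shadowed' (in both), 'local-only', 'directory-only' or 'absent'.

    Expected sequence for the thread's case: 'shadowed' before the local
    deletion, 'directory-only' afterwards. Anything else means either the
    wrong account was removed or the directory entry was touched."""
    local = _has_entry(name, local_passwd)
    directory = _has_entry(name, directory_passwd)
    if local and directory:
        return "shadowed"
    if local:
        return "local-only"
    if directory:
        return "directory-only"
    return "absent"


if __name__ == "__main__":
    print("config touches ldap:", touches_ldap(SAFE_CONF))
    print("before:", classify_account("alice", LOCAL_PASSWD, DIRECTORY_ALICE))
    # Simulate removing only the local line, as a local-only deletion would.
    after = "\n".join(l for l in LOCAL_PASSWD.splitlines() if not l.startswith("alice:"))
    print("after local deletion:", classify_account("alice", after, DIRECTORY_ALICE))
```

In practice, `check_conf_file(effective_conf_path())` is run first so the file that luserdel will actually honour (not just /etc/libuser.conf) is the one being inspected; `classify_account()` is then fed the real `/etc/passwd` and the directory-only lookup output before and after the deletion, and the same two calls work for the throwaway account Anthony proposes, where a wrong result costs nothing.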
On 31/12/21 12:34 am, Anthony K wrote:
> On 26/11/21 6:27 pm, Felix Natter wrote:
> > How about if I disable networking so that the LDAP Server is not reachable (pingable) before running luserdel/lgroupdel? Would that be 100% safe?
> Why not create a test user that has similar settings to the real user account you are trying to affect, and test with it? Is it that hard to do?
Oddly, that was showing up as a recent message in my CentOS list until after I posted. Ignore me if already resolved.
On Thu, Nov 25, 2021 at 10:30:22PM -0800, Gordon Messmer wrote:
> I suppose someone should file bug reports. luserdel probably could be used to confine actions to the local host, as long as ansible/puppet provided their own libuser.conf and set the LIBUSER_CONF to the path of that file...
Yeah. But that's kind of silly. There's gotta be a better way.
https://github.com/ansible/ansible/issues/76376