Re: Does everybody end up writing their own directory management programs?
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Re: Does everybody end up writing their own directory management programs?
- From: John Lewis <oflameo2@gmail.com>
- Date: Sun, 18 Sep 2016 21:19:59 -0400
- In-reply-to: <71356e9c-3078-c770-5fd9-ecfe42cee625@gmail.com>
- References: <71356e9c-3078-c770-5fd9-ecfe42cee625@gmail.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.2.0
Right now I think I have a preference for option c.
It is no more difficult than orchestrating a local user account using
the ansible user module with the added benefit that all of the users are
in only one database.
It also reduces everything that can go wrong that is ldap related to one
file and one command. It probably isn't a good idea to reduce it any
further because it probably would have been done already by now.
On 09/18/2016 03:25 PM, John Lewis wrote:
> Right now I am trying to weigh my options for maintaining my POSIX
> accounts on an OpenLDAP tree.
>
> I learned today that ldap templates in ldapscripts really don't work, so
> if I want to go on using ldapscripts, I would have to run ldapmodify
> after every account is created to get the gecos configured properly and
> have a kerberos principal configured.
>
> I could:
>
> a. run ldapmodify after every account is created to get the gecos
> configured properly and have a kerberos principal configured
>
> b. reverse engineer ldapscripts and patch it and then maintain a branch
>
> c. manage users with ldapmodify and have to deal with not having default
> options for either the account creation or the ldapmodify switch statements
>
> d. write and maintain another tool that creates and executes the ldif
> but has options that would be the same for my directory filled in
>
>
> Every single one of these options seems to be pretty time consuming or
> error prone. I don't know which way I should go with this one.
>
>
>
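A sketch of option (d) from the quoted message, added here as an example and not code from the thread or from ldapscripts: it generates the LDIF for a POSIX account with site defaults filled in, and base64-encodes any value that is not an RFC 2849 SAFE-STRING, so a newline in a gecos or cn value cannot introduce extra attribute lines. The base DN, defaults, function names and the MIT Kerberos schema attributes in the sample are assumptions.

```python
import base64
import re

# Constructed site defaults (assumptions; substitute your directory's values).
DEFAULTS = {"base_dn": "ou=People,dc=example,dc=org", "gid_number": "10000",
            "shell": "/bin/bash", "home_prefix": "/home/"}

# RFC 2849 SAFE-STRING: no NUL/CR/LF/non-ASCII, and no leading space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")
# Conservative login-name pattern, so the uid needs no DN escaping.
_UID = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def ldif_line(attr, value):
    """Emit one attribute line, base64-encoding any value that is not a SAFE-STRING."""
    if value == "" or (_SAFE.fullmatch(value) and not value.endswith(" ")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def add_user_ldif(uid, uid_number, full_name, extra=(), defaults=DEFAULTS):
    """Return an LDIF 'add' record for a POSIX account with site defaults filled in."""
    if not _UID.fullmatch(uid):
        raise ValueError(f"refusing uid {uid!r}")
    attrs = [
        ("objectClass", "account"), ("objectClass", "posixAccount"),
        ("uid", uid), ("cn", full_name), ("gecos", full_name),
        ("uidNumber", str(int(uid_number))),
        ("gidNumber", defaults["gid_number"]),
        ("homeDirectory", defaults["home_prefix"] + uid),
        ("loginShell", defaults["shell"]),
        *extra,
    ]
    lines = [f"dn: uid={uid},{defaults['base_dn']}", "changetype: add"]
    lines += [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample; the Kerberos attributes assume the MIT Kerberos LDAP schema.
    krb = [("objectClass", "krbPrincipalAux"),
           ("krbPrincipalName", "jdoe@EXAMPLE.ORG")]
    print(add_user_ldif("jdoe", 10001, "Jane Doe", extra=krb), end="")
```

The output can be piped to ldapmodify, which reads LDIF from standard input.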