I am trying to build a Puppet manifest to add an LDAP user profile to a local machine on the domain.
After spending some time looking through Google and various sites, all I am seeing is examples of local users only, and I wonder if it is even possible?
Currently I have to log on to the computer, which creates the user profile folder under (c:\Users\{username}). I need to add 3-5 profiles to every machine, but I don't want to go through the whole LOGIN > LOGOUT > LOGIN > LOGOUT process for each user on each machine.
I am new to Puppet and just not sure if this is possible in Puppet or if I need to figure out a different method?
I have a Puppet module that is deploying a standalone NiFi instance. It's all working and it will deploy the application with an initial admin user etc. via authorizers.conf.
But in order to configure additional users and groups there is a long process of creating policies and adding users and groups via the GUI. I want to automate some of this in my Puppet module.
It would be good to be able to automatically create an admin group which is already assigned to a load of policies.
It doesn't seem like this is possible though, as the best practice is to only edit authorizers.xml and allow that to create the resulting authorizations.xml and users.xml, and there is no setting within authorizers.xml to create initial groups or initial policies.
My only idea at the moment is to use something like the nipyapi Python module to create users and groups via the API during the initial install.
Or perhaps ignoring the authorizers.xml and just deploying a pre-configured authorizations.xml and users.xml.
Am I missing any other simple or better options?
I'd like to enable guest access to our TeamCity server so that our operations team can see if a deployment build is currently underway, as they do testing and during a deployment the environment becomes unstable.
It looks like the very base View Projects role assigned to guest still allows users to download artifacts, see the build log and unit test results. Since the artifacts are the software we develop, which is commercial, we can't have anonymous access allowing downloading of our code.
How can I further restrict the guest account to only be able to see if a build is running? If it's not possible, I'll accept that as well, and will probably just make a shared logon for them, but it'd be nicer just to enable guest.
We're using TC 2017.1.3.
You cannot do that. Giving access to the guest user is a bad idea.
You have to create another user and give it special rights.
I have been tasked with developing a service that takes requests for admin access to a Windows server, receives approval from management, grants access, and then automatically revokes access after an hour.
I am required to do all deployments through Octopus Deploy.
I cannot store the super user password within the service, since all developers have read access to our SVN.
I was planning on storing the password within a secure variable in Octopus Deploy, but then realized that anyone with modification permissions on the project could add a PowerShell script to send themselves the variable values.
Is there any way to secure a variable within Octopus Deploy that can be used to install a Windows service with super user access, but cannot be retrieved by any means?
How I have this set up uses a combination of roles and environments to limit access to sensitive variables such as prod passwords.
You need two roles:
1) is a project editor role that allows developers to do everything but only for Dev/UAT environments. This allows them to get everything ready and tested without access to the prod environment.
2) a production editor role which only a few people have access to. Production password variables are scoped to the Prod environment so developers can't access them.
I want to create a user in Heroku and want to give this user specific permission to a certain folder.
I've logged into Heroku bash but I'm not able to create a user. It's giving me a permission denied error. sudo is also not working. I can't install anything in it.
The organisation admin user is also not able to create a user.
Heroku will not allow you to do that.
Running heroku run bash is not the same as connecting to an SSH server.
When you build a new version of your application, Heroku will create a new container (much like Docker. It's LXC). Any instance of your application will run that container.
When you run a bash instance, a new instance of that container is created. You are not running on the same server as your app serves requests on.
That means the only moment when disk changes can be performed is at build time. So even if you could create users in a bash instance, those wouldn't be persisted across instances.
Heroku will not let you create new Linux users at build time anyway.
The only solution to access your app's code in a bash session is to run a one-off dyno. If you need to script that, you can use the Platform API to boot a new dyno.
As for adding access, you can use the access:add command (also available as an API endpoint).
All users will be able to access all of your code though. You cannot restrict per folder.
As described in the question "CLI: Switch keychains in order to sign an xcodebuild", I have the problem of having to use two keychains for running xcodebuild. I need this because our enterprise & appstore identities are called the same.
When I try the proposed solution it works fine if I'm running only one xcodebuild at a time. But I'm using a build server (Hudson or Jenkins) running multiple builds in parallel. Each build job should build the enterprise and the appstore version of an app, therefore it has to use different keychains. When changing the keychain list as proposed, this always affects all running processes of the current user. Therefore parallel builds of different projects would be affected and basically fail or use the wrong keychain.
I've tried several workarounds to open a new security context, which seems to host the keychain information:
I used login -f ... to start a new login session, hoping it will use an independent security context. But when I change the keychain settings in the session it also affects the other login session.
I used ssh localhost ... to start a new login session, but unfortunately with the same result.
It seems that the security context is bound to the user and not to a dedicated session. Unfortunately I cannot find any information about those security contexts using Google.
Is there any way to run several processes for a dedicated user having different keychains active and unlocked?