We store our host information in ldap. Previously using ldap for host lookups was done by adding the appropriate entries to /etc/ldap.conf and changing nsswitch.conf.
With 6, nss_ldap has been replaced by nslcd, so I needed to change our setup a little.
I put the following into nslcd.conf:
uid nslcd
gid ldap
uri ldap://ldap2.example.com
uri ldap://ldap.example.com
base dc=example,dc=com
# this is only host information, no need to use ssl
#ssl start_tls
#tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
base hosts ou=hosts,dc=example,dc=com
scope hosts sub
We use scope hosts sub because we take advantage of the LDAP hierarchy and organise our hosts into different sub-OUs within the hosts OU.
Next, update nsswitch.conf to use ldap:
passwd: files sss
shadow: files sss
group: files sss
hosts: files ldap dns [NOTFOUND=return]
Next, restart nslcd to see the change:
[root@host ~]# getent hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@host ~]# service nslcd start
Starting nslcd: [ OK ]
[root@host ~]# getent hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.200 fs.example.com fs
172.16.1.181 ldap ldap.example.com
172.16.1.12 ldap2 ldap2.example.com
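As an added check (example code written for this post, not something the post itself contains), the script below parses nsswitch.conf and nslcd.conf and confirms that the two files together give the lookup order shown in the transcript: files, then ldap, then dns, with a hosts search base that is searched with scope sub. The two configuration texts are constructed copies of the fragments above; it also reports whether the ssl option is set, since the sample leaves it commented out as the post does.

```python
"""Verify that nsswitch.conf and nslcd.conf together give the host lookup
order set up above: files, then ldap, then dns. Added example; the two
configuration texts are constructed from the fragments in the post."""
import re

# Constructed sample of /etc/nsswitch.conf (only the lines that matter here).
NSSWITCH_SAMPLE = """\
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files ldap dns [NOTFOUND=return]
"""

# Constructed sample of /etc/nslcd.conf, ssl left commented out as in the post.
NSLCD_SAMPLE = """\
uid nslcd
gid ldap
uri ldap://ldap2.example.com
uri ldap://ldap.example.com
base dc=example,dc=com
#ssl start_tls
#tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
base hosts ou=hosts,dc=example,dc=com
scope hosts sub
"""

# Map names nslcd accepts in map-specific options such as "base hosts ...".
NSLCD_MAPS = {'aliases', 'ethers', 'group', 'hosts', 'netgroup', 'networks',
              'passwd', 'protocols', 'rpc', 'services', 'shadow'}


def parse_nsswitch(text):
    """Return {database: entries}; an entry is a service name such as
    'ldap' or, for a [STATUS=action] block, a dict {STATUS: action}."""
    databases = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        database, rest = line.split(':', 1)
        entries = []
        for token in re.findall(r'\[[^\]]*\]|\S+', rest):
            if token.startswith('['):
                actions = {}
                for pair in token[1:-1].split():
                    status, action = pair.split('=', 1)
                    actions[status.upper()] = action.lower()
                entries.append(actions)
            else:
                entries.append(token)
        databases[database.strip()] = entries
    return databases


def parse_nslcd(text):
    """Return {option: [values]}; repeated options (uri) keep every value and
    map-specific options keep the map name in the key ('base hosts')."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        key, value = parts[0], ' '.join(parts[1:])
        if len(parts) == 3 and parts[1] in NSLCD_MAPS:
            key, value = key + ' ' + parts[1], parts[2]
        options.setdefault(key, []).append(value)
    return options


def hosts_lookup_ok(nsswitch_text):
    """True when hosts resolve via files, then ldap, then dns, with the
    [NOTFOUND=return] action from the post after dns."""
    hosts = parse_nsswitch(nsswitch_text).get('hosts', [])
    return hosts == ['files', 'ldap', 'dns', {'NOTFOUND': 'return'}]


def nslcd_hosts_ok(nslcd_text):
    """True when nslcd has a hosts search base and searches it with scope
    sub, which is what lets entries in sub-OUs be found."""
    options = parse_nslcd(nslcd_text)
    return 'base hosts' in options and options.get('scope hosts') == ['sub']


def transport_protected(nslcd_text):
    """True when nslcd is told to use LDAPS or STARTTLS (ssl on / start_tls);
    with ssl commented out, as above, host answers travel in clear text."""
    ssl = parse_nslcd(nslcd_text).get('ssl', ['off'])
    return ssl[-1].lower() in ('on', 'start_tls')


if __name__ == '__main__':
    print('nsswitch hosts order ok:', hosts_lookup_ok(NSSWITCH_SAMPLE))
    print('nslcd hosts map ok:     ', nslcd_hosts_ok(NSLCD_SAMPLE))
    print('ldap servers:           ', parse_nslcd(NSLCD_SAMPLE)['uri'])
    print('transport protected:    ', transport_protected(NSLCD_SAMPLE))
```

Run it against the real files by reading /etc/nsswitch.conf and /etc/nslcd.conf into the two functions; the parser treats `[NOTFOUND=return]` as a structured action rather than a bare token, so a hosts line with the services in the wrong order or without the action fails the check.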
The LDAP entry (LDIF) for one of these hosts looks like this:
# fs.example.com, hardware, hosts, example.com
dn: cn=fs.example.com,ou=hardware,ou=hosts,dc=example,dc=com
objectClass: top
objectClass: iphost
cn: fs.example.com
cn: fs
ipHostNumber: 172.16.1.200
I configure nsswitch.conf with Augeas; the augtool commands to do this and the corresponding Puppet manifest are below.
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[1] files
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[2] ldap
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[3] dns
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/reaction/status NOTFOUND
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/reaction/status/action return
puppet
augeas { "nsswitch ldap first":
  context => "/files/etc/nsswitch.conf",
  changes => [
    "set *[self::database = 'hosts']/service[1] files",
    "set *[self::database = 'hosts']/service[2] ldap",
    "set *[self::database = 'hosts']/service[3] dns",
    "set *[self::database = 'hosts']/reaction/status NOTFOUND",
    "set *[self::database = 'hosts']/reaction/status/action return"
  ],
  notify => Service["nslcd"]
}