Environment from ldap not used/set.

asked 2017-11-28 06:53:59 -0600


I want to migrate/rebuild our existing puppet 3.8 environment to be more up-to-date and have it more structured without too much impact on the existing environment. This old environment uses ldap-stored environment settings, and for some machines also some puppetclasses. However, getting ldap to work within the new setup is challenging as the official documentation (link:here) is limited and basically incorrect. The old version works with the current ldap data, and according to various other resources that data is complete. No doubt to question that, as I checked it with ldapsearch.

I installed puppetserver 5.1.4 and the agent 5.3.3 onto a fresh machine. And made the following changes:
* pointed the cert.pem to the system one as it also contains the certificate for our proxy, otherwise module-actions would be impossible.
* installed jruby-ldap-patched (puppetserver gem install jruby-ldap-patched). The documentation refers to the 12-year-old ruby-ldap, which won't work with the Java-based puppetserver. The jruby-ldap is able to query the ldapserver, but can't handle the results properly. (I saw the query in the ldap logs, but didn't get a sensible response.)

What I do expect to see is: (old client to old server)

# puppet agent -t --noop
Warning: Local environment: "production" doesn't match server specified node environment "lab", switching agent to "lab".
Info: Retrieving pluginfacts
Info: Retrieving plugin
...

What I see: (new server and agent)

# puppet agent -t --noop 
Info: Using configured environment 'production' 
Info: Retrieving pluginfacts 
Info: Retrieving plugin 
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Cannot reassign variable '$environment' on node myhost.mydomain.lab 
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

I'm testing my agent on the same machine as my puppetserver, so the config is combined:

# cat puppet.conf
[master]
        vardir = /opt/puppetlabs/server/data/puppetserver
        logdir = /var/log/puppetlabs/puppetserver
        rundir = /var/run/puppetlabs/puppetserver
        pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
        codedir = /etc/puppetlabs/code

        autosign = true
        pluginsync = true

        # ldap config
        node_terminus = ldap
        ldapserver = ldap.mydomain.lab
        ldapbase = ou=Servers,dc=my-securedomain,dc=net
        ldapstring = (&(objectclass=puppetClient)(cn=%s))
        ldapclassattrs = puppetClass
        ldapattrs = all

[main]
        certname = myhost.mydomain.lab
        dns_alt_names = puppet,puppet.mydomain.lab,myhost.mydomain.lab,myhost
        run_interval = 3600

[agent]
        pluginsync=true
        server = myhost.mydomain.lab

What did I miss, or did I stumble upon a bug?
Any good links on how to accomplish this task using a hiera-ldap ENC are also welcome.
