Environment from ldap not used/set.
I want to migrate/rebuild our existing puppet 3.8 environment to be more up-to-date and have it more structured without too much impact on the existing environment. This old environment uses ldap-stored environment settings, and for some machines also some puppetclasses. However, getting ldap to work within the new setup is challenging as the official documentation (link:here) is limited and basically incorrect. The old version works with the current ldap data, and according to various other resources that data is complete. No doubt to question that, as I checked it with ldapsearch.
I installed puppetserver 5.1.4 and the agent 5.3.3 onto a fresh machine and made the following changes:
* pointed the cert.pem to the system one as it also contains the certificate for our proxy, otherwise module-actions would be impossible.
* installed jruby-ldap-patched (puppetserver gem install jruby-ldap-patched)
The documentation refers to the 12 year old ruby-ldap, which won't work with the java based puppetserver. The jruby-ldap is able to query the ldapserver, but can't handle the results properly. (I saw the query in the ldap logs, but didn't get a sensible response.)
What I do expect to see is: (old client to old server)
# puppet agent -t --noop
Warning: Local environment: "production" doesn't match server specified node environment "lab", switching agent to "lab".
Info: Retrieving pluginfacts
Info: Retrieving plugin
...
What I see: (new server and agent)
# puppet agent -t --noop
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Cannot reassign variable '$environment' on node myhost.mydomain.lab
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
I'm testing my agent on the same machine as my puppetserver, so the config is combined:
# cat puppet.conf
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
autosign = true
pluginsync = true
# ldap config
node_terminus = ldap
ldapserver = ldap.mydomain.lab
ldapbase = ou=Servers,dc=my-securedomain,dc=net
ldapstring = (&(objectclass=puppetClient)(cn=%s))
ldapclassattrs = puppetClass
ldapattrs = all
[main]
certname = myhost.mydomain.lab
dns_alt_names = puppet,puppet.mydomain.lab,myhost.mydomain.lab,myhost
run_interval = 3600
[agent]
pluginsync=true
server = myhost.mydomain.lab
What did I miss, or did I stumble upon a bug?
Any good links on how to accomplish this task using a hiera-ldap ENC are also welcomed.
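Since the post ends by asking about an ENC-based route, here is an added example (not from the poster, not Puppet's own code) of a minimal external node classifier that fetches a node's entry with `ldapsearch`, parses the LDIF it prints, and emits the `classes` / `parameters` / `environment` YAML that Puppet's `exec` node terminus expects. It assumes the attribute names of Puppet's puppetClient LDAP schema (`puppetClass`, `environment`, `puppetVar` in `name=value` form), the search filter from the post, placeholder server and base DN values, and a hypothetical install path; the LDIF entry in the block is constructed for the self-test. The node's `environment` is passed only through the dedicated top-level ENC key and never as a parameter, because parameters become top-scope variables and the compiler refuses to reassign `$environment` (the error shown above).

```python
#!/usr/bin/env python3
"""Minimal ENC: LDAP entry (via ldapsearch, LDIF output) -> Puppet ENC YAML.

Assumed puppet.conf wiring (hypothetical path, not from the original post):
    [master]
    node_terminus  = exec
    external_nodes = /usr/local/bin/ldap_enc.py
Puppet runs the script with the node certname as its only argument.
"""
import subprocess
import sys

# Constructed sample entry for the self-test; a real run gets this from ldapsearch.
# Attribute names follow Puppet's puppetClient schema (assumption for this example).
SAMPLE_LDIF = """\
dn: cn=myhost.mydomain.lab,ou=Servers,dc=example,dc=net
objectClass: puppetClient
cn: myhost.mydomain.lab
environment: lab
puppetClass: base
puppetClass: ntp
puppetVar: role=webserver
puppetVar: datacenter=dc1
"""


def node_filter(certname):
    """Filter from the post, with the certname escaped per RFC 4515 so a crafted
    certname cannot widen the search."""
    esc = certname.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        esc = esc.replace(ch, code)
    return "(&(objectclass=puppetClient)(cn=%s))" % esc


def lookup_ldif(certname, server="ldap.example.net", base="ou=Servers,dc=example,dc=net"):
    """Run ldapsearch with -LLL so stdout is plain LDIF (server/base are placeholders)."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", "ldap://" + server, "-b", base, node_filter(certname)]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_ldif_entry(text):
    """Parse exactly one LDIF entry into {attr.lower(): [values]}; handles folded
    continuation lines, rejects base64 ('::') values it does not need."""
    entries = [e for e in text.strip().split("\n\n") if e.strip()]
    if len(entries) != 1:
        raise ValueError("expected one LDAP entry, got %d" % len(entries))
    lines = []
    for raw in entries[0].splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError("unsupported LDIF line: %r" % line)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def entry_to_enc(attrs):
    """Map attributes onto ENC keys. `environment` goes only into the top-level
    key, never into `parameters` (those become top-scope variables, and the
    compiler refuses to reassign $environment)."""
    params = {}
    for kv in attrs.get("puppetvar", []):  # assumed name=value form
        key, sep, val = kv.partition("=")
        if not sep or not key.strip():
            raise ValueError("puppetVar must be name=value, got %r" % kv)
        if key.strip().lower() != "environment":
            params[key.strip()] = val.strip()
    envs = attrs.get("environment", [])
    if len(envs) > 1:
        raise ValueError("node carries %d environment values" % len(envs))
    enc = {"classes": attrs.get("puppetclass", []), "parameters": params}
    if envs:
        enc["environment"] = envs[0]
    return enc


def classify(certname, ldif_text):
    """Parse the entry, check it really belongs to the requested node, map it."""
    attrs = parse_ldif_entry(ldif_text)
    if certname.lower() not in [c.lower() for c in attrs.get("cn", [])]:
        raise ValueError("entry cn does not match %s" % certname)
    return entry_to_enc(attrs)


def _q(s):
    """Double-quote a scalar so YAML cannot reinterpret it (yes/no, 1.0, ...)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_yaml(enc):
    """Hand-rolled YAML (no PyYAML needed); empty collections are written as
    [] / {} because a bare key would read back as null."""
    out = ["---"]
    if enc["classes"]:
        out.append("classes:")
        out.extend("  - " + _q(c) for c in enc["classes"])
    else:
        out.append("classes: []")
    if enc["parameters"]:
        out.append("parameters:")
        out.extend("  %s: %s" % (_q(k), _q(v)) for k, v in sorted(enc["parameters"].items()))
    else:
        out.append("parameters: {}")
    if enc.get("environment"):
        out.append("environment: " + _q(enc["environment"]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    node = sys.argv[1]
    sys.stdout.write(render_yaml(classify(node, lookup_ldif(node))))
```

Running `python3 ldap_enc.py myhost.mydomain.lab` against a directory holding the sample entry would print `classes` with `base` and `ntp`, `parameters` with `role` and `datacenter`, and `environment: "lab"`, which is what makes the agent switch to the `lab` environment the way the old 3.8 server did. Keeping the filter escaping and the single-entry check in the script matters because the ENC runs as the puppetserver user for every catalog request.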