Delete Local User/group But Not LDAP One
Dear fellow linux users,
I have a computer with a local user X that shadows an LDAP user of the same name (and group).
I know I can use:
userdel X
groupdel X
but how do I make sure that the LDAP is not changed, and only the local user/group is deleted? This is very critical.
Many Thanks and Best Regards,
9 thoughts on - Delete Local User/group But Not LDAP One
Hi Felix
check luserdel and lgroupdel. The prefix l is for local. :-)
– Thomas
Oh, except… it’s not. The l is for “libuser” — those tools are samples for the libuser package, https://pagure.io/libuser. And libuser absolutely can affect LDAP, depending on the system configuration.
—
Matthew Miller
Fedora Project Leader
at least it seems that safe, that ansible
* https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L625
* https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/user.py#L640-L643
and puppet
* https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/useradd.rb#L12
are using it, when you specify “local=yes” or “forcelocal=true”.
– Thomas
I suppose someone should file bug reports. luserdel probably could be used to confine actions to the local host, as long as ansible/puppet provided their own libuser.conf and set the LIBUSER_CONF to the path of that file…
hello fellow linux users,
thank you for your answers.
Gordon Messmer writes:
I attached the /etc/libuser.conf. Is it safe to use luserdel/lgroupdel with these settings (without affecting LDAP)?
modules = files shadow
-> The man page says “A list of module names to use when not creating user or group entries…”
How about if I disable networking so that the LDAP Server is not reachable (pingable) before running luserdel/lgroupdel? Would that be 100% safe?
Many Thanks and Best Regards!
—
Felix Natter
Yeah. But that’s kind of silly. There’s gotta be a better way.
https://github.com/ansible/ansible/issues/76376
Yeah, it should be. Basically, this is only working because the standard modern tooling just ignores that thing.
Why not create a test user that has similar settings to the real user account you are trying to affect, and test with it? Is it that hard to do?
Oddly, that was showing up as a recent message in my CentOS list until after I posted. Ignore me if already resolved.
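
A read-only pre-flight check for the question in this thread, added here as an example and not code from any poster or from libuser, ansible or puppet: it lists the modules named under [defaults] in a libuser.conf and confirms the account has entries in the local passwd and group files. The function names, the account "x" and the sample files are constructed for illustration, and treating a config with no parsable module list as unsafe is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check before luserdel/lgroupdel.

# List the module names from modules/create_modules in the [defaults] section.
libuser_modules() {
    awk '
        /^[ \t]*#/  { next }                                    # comment line
        /^[ \t]*\[/ { s = $0; gsub(/[^A-Za-z_]/, "", s); next } # section header
        s == "defaults" && /^[ \t]*(create_)?modules[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/,/, " ")
            n = split($0, m, " ")
            for (i = 1; i <= n; i++) print m[i]
        }' "$1" | sort -u
}

# 0 = only files/shadow listed, 1 = another module (e.g. ldap) listed,
# 2 = nothing parsed (treated as unsafe here; a conservative assumption).
libuser_is_local_only() {
    mods=$(libuser_modules "$1")
    [ -n "$mods" ] || return 2
    for m in $mods; do
        case "$m" in files|shadow) ;; *) return 1 ;; esac
    done
}

# 0 if NAME has an entry in a passwd- or group-format FILE.
in_local_file() {
    awk -F: -v n="$1" '$1 == n { f = 1 } END { exit !f }' "$2"
}

# preflight NAME CONF PASSWD GROUP: prints a verdict, never deletes anything.
preflight() {
    libuser_is_local_only "$2" || { echo "REFUSE: $2 is not limited to files/shadow"; return 1; }
    in_local_file "$1" "$3"    || { echo "REFUSE: no local passwd entry for $1"; return 1; }
    in_local_file "$1" "$4"    || { echo "REFUSE: no local group entry for $1"; return 1; }
    echo "OK: $1 is local and $2 lists only files/shadow"
}

# Constructed sample input (hypothetical account "x"); real paths would be
# /etc/libuser.conf (or $LIBUSER_CONF), /etc/passwd and /etc/group.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '[defaults]\nmodules = files shadow\ncreate_modules = files shadow\n' > "$demo/local.conf"
printf '[defaults]\nmodules = files shadow ldap\ncreate_modules = ldap\n\n[ldap]\n' > "$demo/ldap.conf"
printf 'root:x:0:0:root:/root:/bin/sh\nx:x:1000:1000::/home/x:/bin/sh\n' > "$demo/passwd"
printf 'root:x:0:\nx:x:1000:\n' > "$demo/group"
preflight x "$demo/local.conf" "$demo/passwd" "$demo/group" || true
preflight x "$demo/ldap.conf"  "$demo/passwd" "$demo/group" || true
```

The check reads /etc/passwd-style files directly rather than going through NSS, so an account that exists only in LDAP is reported as having no local entry.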