Change user password only on systems where they exist


Romeo Theriault
Feb 22, 2012, 10:49:23 PM
to puppet...@googlegroups.com
Hi, we're just getting started with puppet and one of the things we'd
like to automate across a mix of Solaris and RHEL boxes is resetting a
user's password. But we only want to reset the user's password on the
boxes they already exist on. We don't want to have their account
created on all the boxes. We also don't want to modify any of their
settings like shells, etc...

I've used puppet to create users across all our boxes and that was
straightforward, but I'm not sure what the best way to conditionally
change a user's password is. If it was just RHEL I'd be tempted to
check for the user's homedir and then do an exec { " usermod -p...." },
but Solaris doesn't support the usermod -p (for password) option. Is
there a more "puppet" way to pull this off?

Thank you,

Any suggestions would be appreciated.

--
Romeo

Steve Shipway
Feb 23, 2012, 2:30:41 AM
to puppet...@googlegroups.com
We have a system here that automatically resets the root password (amongst others) when they are >60 days old, and stores the new password in a central encrypted location. To do this, we have a custom fact that identifies the age of users, and a custom function that returns if a user exists and, if so, the age of their password. Another custom function creates a new password, and a final one does the update in the central encrypted database. An Exec resource takes care of the actual password change on the puppet agent.

Is this similar to what you're looking for? If you take a look in the Puppet Forge website for the 'ss' module then you can see how we do it there, else contact me off-list.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.sh...@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487



jcbollinger
Feb 23, 2012, 9:04:20 AM
to Puppet Users


On Feb 22, 9:49 pm, Romeo Theriault <romeo.theria...@maine.edu> wrote:
> Hi, we're just getting started with puppet and one of the things we'd
> like to automate across a mix of Solaris and RHEL boxes is resetting a
> user's password. But we only want to reset the user's password on the
> boxes they already exist on. We don't want to have their account
> created on all the boxes. We also don't want to modify any of their
> settings like shells, etc...


Have you considered using a centralized account service such as LDAP
or even NIS? It is much more robust to use a single central authority
than to try to synchronize data across many individual machines.


> I've used puppet to create users across all our boxes and that was
> straightforward, but I'm not sure what the best way to conditionally
> change a user's password is. If it was just RHEL I'd be tempted to
> check for the user's homedir and then do an exec { " usermod -p...." },
> but Solaris doesn't support the usermod -p (for password) option. Is
> there a more "puppet" way to pull this off?


Do you want merely to reset the password and then ignore subsequent
changes, or do you intend to keep the password fixed to the new
value? If the former then Puppet isn't the right tool for the job.
Instead, you want MCollective or another product in that vein.

On the other hand, if you are set on synchronizing user information
across multiple machines, and you want to manage user passwords
centrally, then the most Puppetly way to approach it is to manage
users via the User resource. That does not require all machines to
have the same users, but it does require Puppet to know which users
each machine should have. I consider that a good result, in fact, but
if you have many machines with many distinct user lists then it could
be a lot of work to get there. Managing users also does not require
you to manage every property (e.g. default shell).


John

Romeo Theriault
Feb 25, 2012, 5:19:18 PM
to puppet...@googlegroups.com
On Wed, Feb 22, 2012 at 21:30, Steve Shipway <s.sh...@auckland.ac.nz> wrote:
> We have a system here that automatically resets the root password (amongst others) when they are >60 days old, and stores the new password in a central encrypted location. To do this, we have a custom fact that identifies the age of users, and a custom function that returns if a user exists and, if so, the age of their password. Another custom function creates a new password, and a final one does the update in the central encrypted database. An Exec resource takes care of the actual password change on the puppet agent.
>
> Is this similar to what you're looking for? If you take a look in the Puppet Forge website for the 'ss' module then you can see how we do it there, else contact me off-list.

Hi, thanks for the reply. At this point we're looking for something
much simpler. We basically want to be able to change a user's
password across all of the systems that they currently exist on. I
took a look at your 'ss' module (thanks for pointing it out) and found
your Exec which does the actual password changing. I kinda wanted to
stay away from having to install the chgpasswd utility across all of
our Solaris boxes though, so I sat on it a while longer, thinking
about it, and came up with this Exec which seems to do what I want with
puppet itself. I've got to test it a bit more first though.

define change_passwd($user, $passwd) {
  exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
    onlyif => "/bin/grep -c ^${user} /etc/shadow",
  }
}

--
Romeo

Romeo Theriault
Feb 25, 2012, 5:30:31 PM
to puppet...@googlegroups.com, John.Bo...@stjude.org
On Thu, Feb 23, 2012 at 04:04, jcbollinger <John.Bo...@stjude.org> wrote:

> Do you want merely to reset the password and then ignore subsequent
> changes, or do you intend to keep the password fixed to the new
> value?  If the former then Puppet isn't the right tool for the job.
> Instead, you want MCollective or another product in that vein.

Hi John, thanks for the reply. Yes, we just want to reset it and ignore
it. I realize this isn't the best (or intended) way of using puppet,
but it works :) and we don't have mcollective right now. Hopefully
someday we will have mcollective, but from what I've read Solaris
support is still weak and I don't have the time at the moment to try
to get it working on Solaris. I also realize that Solaris support is in
the PE version of puppet/mcollective, but I've first got to "sell"
puppet to management before we start talking about purchasing PE.

Also, point well taken on the NIS/LDAP central authentication, but at
this point that big of an infrastructure change is not in the cards.

--
Romeo

bel
Feb 26, 2012, 10:05:37 AM
to Puppet Users
You might want to change the regex used in the grep line to:

'^${user}:' # Adding the colon

This would prevent false positives when, e.g., you are looking for
user "joe" on a system where it doesn't exist but "joep" does.



Romeo Theriault
Feb 26, 2012, 3:21:22 PM
to puppet...@googlegroups.com
On Sun, Feb 26, 2012 at 05:05, bel <bel...@gmail.com> wrote:
> You might want to change the regex used in the grep line to:
>
> '^${user}:' # Adding the colon
>
> This would prevent false positives when, e.g., you are looking for
> user "joe" on a system where it doesn't exist but "joep" does.

Thanks! Good point, I'll definitely do that.

--
Romeo
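The "only where the user exists" check from Romeo's change_passwd define and bel's colon fix, rebuilt as a runnable POSIX shell script. This is an added example, not code from the thread or from Puppet: it assumes only grep, awk and mktemp, the shadow contents are constructed with placeholder hash fields, and the names SAMPLE_SHADOW, user_exists_weak, user_exists_colon, user_exists_exact and reset_if_present are made up for the demonstration. It shows the original onlyif pattern beside the anchored one, adds an exact field comparison that is immune to regex metacharacters in the user name, and mirrors the guard-then-act shape of the define.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why the onlyif guard in the
# change_passwd define needs the trailing colon bel suggested, and how the
# "only where the user exists" decision looks as a plain shell check.
# The shadow contents below are constructed; the hash fields are placeholders.
set -eu

SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT

# Constructed sample: "joep" has a local account, "joe" does not.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
joep:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
EOF

# Weak check, equivalent to the original onlyif: "^joe" also matches "joep",
# so a reset for joe would run on a box where only joep exists.
user_exists_weak() {
    grep -c "^$1" "$SAMPLE_SHADOW" >/dev/null 2>&1
}

# bel's fix: the colon anchors the pattern to the whole login-name field.
user_exists_colon() {
    grep -q "^$1:" "$SAMPLE_SHADOW" 2>/dev/null
}

# Exact field comparison in awk: the user name is never interpreted as a
# regex, so names containing '.', '-' or other metacharacters cannot widen
# the match. Exit status 0 means present, 1 means absent.
user_exists_exact() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$SAMPLE_SHADOW"
}

# Mirrors the shape of the define: the guard decides whether the password
# change runs at all. The real define runs "puppet apply"; here the action is
# a stand-in message so the script runs offline. The hashed password is only
# passed through, never printed. Returns 0 when a reset was issued and 2 when
# the user is absent and nothing was done.
reset_if_present() {
    user="$1"
    hashed="$2"
    if user_exists_exact "$user"; then
        printf 'would reset password for %s\n' "$user"
        return 0
    fi
    return 2
}

if [ "${1-}" = "demo" ]; then
    user_exists_weak joe   && echo 'weak check:  joe reported present (false positive)'
    user_exists_colon joe  || echo 'colon check: joe reported absent'
    user_exists_exact joep && echo 'exact check: joep reported present'
    reset_if_present joe  'placeholder-hash' || echo "reset_if_present joe returned $?"
    reset_if_present joep 'placeholder-hash'
fi
```

Run it as `sh script.sh demo` to see the three checks side by side. One thing the script cannot fix about the define itself: the hashed password is part of the puppet apply command line, so it is visible to any local user via ps for as long as the exec runs, and it will also land in Puppet's logs when the exec is reported at -v. That exposure is worth weighing against John's suggestion of managing the User resource directly.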
