Hello,

I am using accounts::user for managing user accounts on my infrastructure.
I know that we can set passwords in manifests for the users we are managing.

I would like to know if there is a way that a user which does not have access to the puppet master, but has access to the puppet clients, can change his password on the client and update the manifests on the master.
This is something like LDAP, where each user can change his/her password from any LDAP client to update the LDAP database.

I want these users to change their passwords at will and somehow puppet finds that out and updates its manifests.

Thanks
Sunny

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Hi Sunny,

might go into a totally different direction than what you actually anticipated, but you could use something else to do your authentication, like Kerberos (e.g. AD) or RADIUS (e.g. Cisco ACS). Probably not much more difficult to get a properly secure LDAP server in place which contains the hashed passwords ...

We only use puppet to roll out panic passwords for emergency accounts that are not supposed to be overwritten.

Just my 2 cents
Stephan

On Nov 15, 10:22 am, Sunny <jaisinghani.su...@gmail.com> wrote:
> Hello,
>
> I am using accounts::user for managing user accounts on my
> infrastructure.
> I know that we can set passwords in manifests for the users we are
> managing.
>
> I would like to know if there is a way that a user which does not have
> access to the puppet master, but has access to the puppet clients, can
> change his password on the client and update the manifests on the
> master.
> This is something like LDAP, where each user can change his/her
> password from any LDAP client to update the LDAP database.
>
> I want these users to change their passwords at will and somehow
> puppet finds that out and updates its manifests.
>
> Thanks
> Sunny

On Nov 15, 4:22 am, Sunny <jaisinghani.su...@gmail.com> wrote:
> Hello,
>
> I am using accounts::user for managing user accounts on my
> infrastructure.
> I know that we can set passwords in manifests for the users we are
> managing.
>
> I would like to know if there is a way that a user which does not have
> access to the puppet master, but has access to the puppet clients, can
> change his password on the client and update the manifests on the
> master.
> This is something like LDAP, where each user can change his/her
> password from any LDAP client to update the LDAP database.
>
> I want these users to change their passwords at will and somehow
> puppet finds that out and updates its manifests.

Puppet does not provide a mechanism for this sort of thing, and indeed, it goes strongly against Puppet's grain. When Puppet is managing a property of some resource, then *by definition* the master is authoritative about the proper value, not any of the clients.

Moreover, what you ask is inferior to the various standard mechanisms for centralized authentication management. Stephan covered most of the widely used ones, to which I add NIS; I recommend that you use one of those.

If you insist on taking the Puppet-managed route then you're going to have to build your own tools. What exactly you would need depends on the systems under management, but it should grab all the account management hooks so as to catch password changes via all available mechanisms, and it should immediately update whatever password store you use on the master, failing the change if it cannot update the master. Do not wait for the next Puppet run to sync up, and be prepared to work around some ordering issues for the scenario when a user changes his password while the Puppet agent is applying a catalog.

But really, think again: you don't want to do this.

John
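
An added illustration of the point made in this thread that the master is authoritative for any property Puppet manages (this is not code from any poster or from Puppet itself): a small audit that compares the password field in a client's shadow file with the hash declared on the master and flags accounts changed locally, which the next agent run would reset. The user names, the shortened hashes and the `MANAGED` mapping are constructed for the example.

```python
"""Report local password changes that the next Puppet run would overwrite."""
import hmac

# Constructed sample data: hashes are shortened placeholders, not real crypt output.
MANAGED = {  # user -> hash the master declares in the user resource's password attribute
    "alice": "$6$saltA$managedhashA",
    "bob": "$6$saltB$managedhashB",
    "emergency": "$6$saltE$managedhashE",
}

SHADOW = """\
root:$6$saltR$roothash:15290:0:99999:7:::
alice:$6$saltA$managedhashA:15290:0:99999:7:::
bob:$6$saltX$changedlocally:15294:0:99999:7:::
emergency:!$6$saltE$managedhashE:15290:0:99999:7:::
carol:$6$saltC$carolhash:15290:0:99999:7:::
"""

def parse_shadow(text):
    """Return {user: password_field} from shadow(5)-format text, skipping junk lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and not line.startswith("#"):
            entries[fields[0]] = fields[1]
    return entries

def classify(managed, shadow_text):
    """Map each managed user to in_sync, drifted, locked or missing."""
    local = parse_shadow(shadow_text)
    report = {}
    for user, want in managed.items():
        have = local.get(user)
        if have is None:
            report[user] = "missing"
        elif hmac.compare_digest(have, want):
            report[user] = "in_sync"
        elif have.startswith("!") and hmac.compare_digest(have.lstrip("!"), want):
            report[user] = "locked"   # field differs only by the '!' lock prefix
        else:
            report[user] = "drifted"  # changed on the client; differs from the master
    return report

if __name__ == "__main__":
    for user, state in sorted(classify(MANAGED, SHADOW).items()):
        print(f"{user:10} {state}")
```

Accounts absent from `MANAGED` (here `root` and `carol`) are not reported, because Puppet is only authoritative for passwords it has been told to manage.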