Romeo Theriault
2012-Feb-23 03:49 UTC
[Puppet Users] Change user password only on systems where they exist
Hi, We're just getting started with puppet and one of the things we'd like to automate across a mix of Solaris and RHEL boxes is resetting a user's password. But we only want to reset the user's password on the boxes they already exist on. We don't want to have their account created on all the boxes. We also don't want to modify any of their settings like shells, etc... I've used puppet to create users across all our boxes and that was straightforward, but I'm not sure what the best way to conditionally change a user's password is. If it was just RHEL I'd be tempted to check for the user's homedir and then do an exec { "usermod -p...." }, but Solaris doesn't support the usermod -p (for password) option. Is there a more "puppet" way to pull this off?

Thank you, any suggestions would be appreciated.

-- Romeo

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Steve Shipway
2012-Feb-23 07:30 UTC
RE: [Puppet Users] Change user password only on systems where they exist
We have a system here that automatically resets the root password (amongst others) when they are >60 days old, and stores the new password in a central encrypted location. To do this, we have a custom fact that identifies the age of users, and a custom function that returns if a user exists and, if so, the age of their password. Another custom function creates a new password, and a final one does the update in the central encrypted database. An Exec resource takes care of the actual password change on the puppet agent.

Is this similar to what you're looking for? If you take a look in the Puppet Forge website for the 'ss' module then you can see how we do it there, else contact me off-list.

Steve

Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead
s.shipway@auckland.ac.nz
Ph: +64 9 373 7599 ext 86487
jcbollinger
2012-Feb-23 14:04 UTC
[Puppet Users] Re: Change user password only on systems where they exist
On Feb 22, 9:49 pm, Romeo Theriault <romeo.theria...@maine.edu> wrote:
> Hi, We're just getting started with puppet and one of the things we'd
> like to automate across a mix of Solaris and RHEL boxes is resetting a
> user's password. But we only want to reset the user's password on the
> boxes they already exist on. We don't want to have their account
> created on all the boxes. We also don't want to modify any of their
> settings like shells, etc...

Have you considered using a centralized account service such as LDAP or even NIS? It is much more robust to use a single central authority than to try to synchronize data across many individual machines.

> I've used puppet to create users across all our boxes and that was
> straightforward but I'm not sure the best way to conditionally change
> a user's password is. If it was just RHEL I'd be tempted to check for
> the user's homedir and then do an exec { "usermod -p...." }, but
> Solaris doesn't support the usermod -p (for password) option. Is there
> a more "puppet" way to pull this off?

Do you want merely to reset the password and then ignore subsequent changes, or do you intend to keep the password fixed to the new value? If the former then Puppet isn't the right tool for the job. Instead, you want MCollective or another product in that vein.

On the other hand, if you are set on synchronizing user information across multiple machines, and you want to manage user passwords centrally, then the most Puppetly way to approach it is to manage users via the User resource. That does not require all machines to have the same users, but it does require Puppet to know which users each machine should have. I consider that a good result, in fact, but if you have many machines with many distinct user lists then it could be a lot of work to get there. Managing users also does not require you to manage every property (e.g. default shell).

John
Romeo Theriault
2012-Feb-25 22:19 UTC
Re: [Puppet Users] Change user password only on systems where they exist
On Wed, Feb 22, 2012 at 21:30, Steve Shipway <s.shipway@auckland.ac.nz> wrote:
> We have a system here that automatically resets the root password (amongst others) when they are >60 days old, and stores the
> new password in a central encrypted location. To do this, we have a custom fact that identifies the age of users, and a custom
> function that returns if a user exists and, if so, the age of their password. Another custom function creates a new password, and a
> final one does the update in the central encrypted database. An Exec resource takes care of the actual password change on the
> puppet agent.
>
> Is this similar to what you're looking for? If you take a look in the Puppet Forge website for the 'ss' module then you can see how
> we do it there, else contact me off-list.

Hi, thanks for the reply. At this point we're looking for something much more simple. We basically want to be able to change a user's password across all of the systems that they currently exist on. I took a look at your 'ss' module (thanks for pointing it out) and found your Exec which does the actual password changing. I kinda wanted to stay away from having to install the chgpasswd utility across all of our Solaris boxes though, so I sat on it a while longer, thinking about it, and came up with this Exec which seems to do what I want with puppet itself. I've got to test it a bit more first though.

define change_passwd($user,$passwd) {
  exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
    onlyif => "/bin/grep -c ^${user} /etc/shadow"
  }
}

-- Romeo
Romeo Theriault
2012-Feb-25 22:30 UTC
Re: [Puppet Users] Re: Change user password only on systems where they exist
On Thu, Feb 23, 2012 at 04:04, jcbollinger <John.Bollinger@stjude.org> wrote:
> Do you want merely to reset the password and then ignore subsequent
> changes, or do you intend to keep the password fixed to the new
> value? If the former then Puppet isn't the right tool for the job.
> Instead, you want MCollective or another product in that vein.

Hi John, thanks for the reply. Yes, we just want to reset it and ignore it. I realize this isn't the best (or intended) way of using puppet but it works :) and we don't have mcollective right now. Hopefully someday we will have mcollective, but from what I've read Solaris support is still weak and I don't have the time at the moment to try to get it working on Solaris. I also realize that Solaris support is in the PE version of puppet/mcollective but I've first got to "sell" puppet to management before we start talking about purchasing PE. Also, point well taken on the NIS/LDAP central authentication, but at this point that big of an infrastructure change is not in the cards.

-- Romeo
bel
2012-Feb-26 15:05 UTC
[Puppet Users] Re: Change user password only on systems where they exist
You might want to change the regex used in the grep line to:

'^${user}:'   # Adding the colon

This would prevent false positives when, e.g., you are looking for user "joe" on a system where it doesn't exist but "joep" does.
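The false positive bel describes, run against a constructed shadow-style file. This is an added example, not code from the thread or from any Puppet module; the function names `make_sample_shadow`, `user_exists_naive`, `user_exists_anchored` and `user_exists_exact` are chosen here, the file contents are made up and the hash fields are placeholders. It goes one step past the colon anchor the thread settles on by also showing a regex-free exact match on the first field.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the false positive
# in the exec's onlyif check ("/bin/grep -c ^${user} /etc/shadow") and two
# ways to test for the account exactly. The shadow file is constructed
# below; its hash fields are placeholders, not real hashes.

# Write a small /etc/shadow-style file and print its path.
make_sample_shadow() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
root:*LK*:15000::::::
joep:$6$placeholder$notarealhash:15000::::::
daemon:*:15000::::::
EOF
    printf '%s\n' "$f"
}

# The check as posted: a bare prefix match on the line. "joe" matches the
# "joep" line, so the exec would fire on a box where joe has no account.
# grep -c exits 0 when at least one line matched, 1 when none did.
user_exists_naive() {      # $1 = user name, $2 = shadow file
    grep -c "^$1" "$2" >/dev/null
}

# bel's fix: anchor on the field separator, so the name must be the
# whole first field.
user_exists_anchored() {   # $1 = user name, $2 = shadow file
    grep -c "^$1:" "$2" >/dev/null
}

# Regex-free variant: compare the first colon-separated field literally,
# so regex metacharacters in the name cannot alter the match.
user_exists_exact() {      # $1 = user name, $2 = shadow file
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Print yes/no for each check for one user.
report() {                 # $1 = user name, $2 = shadow file
    printf '%-6s naive=%s anchored=%s exact=%s\n' "$1" \
        "$(user_exists_naive "$1" "$2" && echo yes || echo no)" \
        "$(user_exists_anchored "$1" "$2" && echo yes || echo no)" \
        "$(user_exists_exact "$1" "$2" && echo yes || echo no)"
}

main() {
    shadow=$(make_sample_shadow) || exit 1
    for u in joe joep root nobody; do
        report "$u" "$shadow"
    done
    rm -f "$shadow"
}

main "$@"
```

Run as a script, it prints the three answers for joe, joep, root and nobody; only the naive check says yes for joe. Since the agent runs as root, reading /etc/shadow is fine, but on hosts where accounts can also come from another NSS source, `getent passwd "$user"` (available on both Solaris and RHEL) asks the resolver rather than one file. Note also that the hash in the exec's command string is the resource title, so it shows up in `ps` output while the command runs and in the agent's verbose log and reports; treat those as sensitive.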
Romeo Theriault
2012-Feb-26 20:21 UTC
Re: [Puppet Users] Re: Change user password only on systems where they exist
On Sun, Feb 26, 2012 at 05:05, bel <belminf@gmail.com> wrote:
> You might want to change the regex used in the grep line to:
>
> '^${user}:'   # Adding the colon
>
> This would prevent false positives when, e.g., you are looking for
> user "joe" on a system where it doesn't exist but "joep" does.

Thanks! Good point, I'll definitely do that.

-- Romeo