Linux – How to have puppet only set password when creating a user

linuxpuppetuser-management

I want Puppet not to manage a password (i.e., reset it when it's changed) but to set the initial password when Puppet creates the user.

I was thinking of doing a notify to an Exec resource that sets the password but this is triggered when any property that Puppet manages is modified (e.g., group membership, home directory, etc.). I do not want that.

Any ideas?

Best Answer

Puppet itself doesn't natively support "set password at user creation but not otherwise".

One option would be to set up an external auth source, such as LDAP.

Another would be your notify to an Exec idea, but the make the Exec a little smarter.

exec {
  "/usr/sbin/usermod -p '${password}' ${user}":
    onlyif => "/bin/egrep -q '^${user}:[*!]' /etc/shadow",
    require => User[$user];
}

I haven't tested that, but by checking if the password hasn't been set in the Exec resource, you should get the result you were looking for. I think set up that way, the notify/refreshonly stuff isn't necessary, but probably wouldn't hurt.

Related Solutions

Puppet: Running shell command when file (or package) is updated

Use the audit attribute to track the file content or package version number and trigger the change by subscribing to the package resource. A few issues with this, this does not work with --noop because the state.yaml file will update the file md5 checksum/package version in --noop mode. I'm not sure if this is a pending bug since I can't track it down at the moment.

file { '/etc/tzinfo':
  audit => content,
}

exec { '/usr/bin/mysql_tzinfo_to_sql':
  subscribe => File['/etc/tzinfo'],
}

A more reliable method is just to duplicate the file elsewhere and use it to trigger updates (the location isn't important we are just tracking the original tzinfo as source).

file { '/etc/puppet/stage/tzinfo':
  source => '/etc/tzinfo',
}

exec { '/usr/bin/mysql_tzinfo_to_sql':
  subscribe => File['/etc/tzinfo'],
}

The second method of course does not work with packages, but you would avoid the --noop and state.yaml problems.

Regarding the third question, yes, you can use pipe and redirects (use an title and put the command in the command attribute):

exec { 
  '/bin/echo foo | grep foo > /tmp/foo':
}

Security – How to re-enable an sudo lecture, once it’s been seen

On Debian, a user's first use of sudo will create a directory under /var/run/sudo/. The directory is named "username", where "username" is the name of the user which ran sudo.

Removing [or renaming] this directory will cause the lecture to be displayed upon next use of sudo, as well as recreate the directory.

For example, the directory for my user account would be /var/run/sudo/jscott.

Best Answer

Related Solutions

Puppet: Running shell command when file (or package) is updated

Security – How to re-enable an sudo lecture, once it’s been seen

Related Topic