Creating/Managing Unix user accounts using Puppet user resource
Puppet comes with a builtin user resource which installs and manages unix user accounts. More of this resource is available at
https://docs.puppetlabs.com/puppet/latest/reference/types/user.html
A user resource with some of its attributes are
Few of the examples of using user resource are as follows:
Example 1:
user { 'zaman':
ensure => 'present',
comment => 'Zaman's Home',
home => '/home/zaman',
shell => '/bin/bash',
}
}
This creates an unix account 'zaman' as follows:
# grep zaman /etc/passwd
zaman:x:502:502:Zaman Home:/home/zaman:/bin/bash
# id zaman
uid=502(zaman) gid=502(zaman) groups=502(zaman)
Example 2:
node 'node2.example.com','node3.example.com'{
user {
'askar':
ensure => 'present',
managehome => 'true',
comment => 'Zaman Home',
home => '/home/askar',
shell => '/bin/bash',
expiry => '2016-03-22',
password => '$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/',
password_min_age => '0',
password_max_age => '60',
}
exec {
'chage':
path => '/usr/bin/',
command => 'chage -d 0 askar',
}
}
This creates an unix account 'askar' as follows.It also adds
additional settings like setting password expiration policies.
The password parameter sets the initial password for user.
To generate the encrypted password for the user, we can use the following command
openssl passwd -1 redhat123
This generates the encrypted password for redhat123 which is then set as value to password parameter in user resource.
The user is created as follows with the below information
#grep askar /etc/passwd
askar:x:506:506:Zaman Home:/home/askar:/bin/bash
#grep askar /etc/shadow
askar:$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/:0:0:60:7::16882:
We need to install ruby-shadow package on all client hosts where the user accounts needs to be pushed so that Puppet can update /etc/shadow file . ruby-shadow is available for download from the following location
https://yum.puppetlabs.com/el/6/dependencies/x86_64/
In the second example, I also used the exec resource. This exec resource uses the chage command . The purpose of using the chage command is that it will force the user to change his password after the first login . chage shows the following information after the manifest is executed .
# chage -l askar
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : Mar 22, 2016
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
https://docs.puppetlabs.com/puppet/latest/reference/types/user.html
A user resource with some of its attributes are
user { 'resource title':
name => # (namevar) The user name. While naming limitations vary by...
ensure => # The basic state that the object should be in....
comment => # A description of the user. Generally the user's
expiry => # The expiry date for this user. Must be provided...
gid => # The user's primary group. Can be specified...
groups => # The groups to which the user belongs. The...
home => # The home directory of the user. The directory...
managehome => # Whether to manage the home directory when...
password => # The user's password, in whatever encrypted...
password_max_age => # The maximum number of days a password may be...
password_min_age => # The minimum number of days a password must be...
profile_membership => # Whether specified roles should be treated as the
shell => # The user's login shell. The shell must exist...
system => # Whether the user is a system user, according to...
uid => # The user ID; must be specified numerically. If...
# ...plus any applicable metaparameters.
}Few of the examples of using user resource are as follows:
Example 1:
user { 'zaman':
ensure => 'present',
comment => 'Zaman's Home',
home => '/home/zaman',
shell => '/bin/bash',
}
}
This creates an unix account 'zaman' as follows:
# grep zaman /etc/passwd
zaman:x:502:502:Zaman Home:/home/zaman:/bin/bash
# id zaman
uid=502(zaman) gid=502(zaman) groups=502(zaman)
Example 2:
node 'node2.example.com','node3.example.com'{
user {
'askar':
ensure => 'present',
managehome => 'true',
comment => 'Zaman Home',
home => '/home/askar',
shell => '/bin/bash',
expiry => '2016-03-22',
password => '$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/',
password_min_age => '0',
password_max_age => '60',
}
exec {
'chage':
path => '/usr/bin/',
command => 'chage -d 0 askar',
}
}
This creates an unix account 'askar' as follows.It also adds
additional settings like setting password expiration policies.
The password parameter sets the initial password for user.
To generate the encrypted password for the user, we can use the following command
openssl passwd -1 redhat123
This generates the encrypted password for redhat123 which is then set as value to password parameter in user resource.
The user is created as follows with the below information
#grep askar /etc/passwd
askar:x:506:506:Zaman Home:/home/askar:/bin/bash
#grep askar /etc/shadow
askar:$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/:0:0:60:7::16882:
We need to install ruby-shadow package on all client hosts where the user accounts needs to be pushed so that Puppet can update /etc/shadow file . ruby-shadow is available for download from the following location
https://yum.puppetlabs.com/el/6/dependencies/x86_64/
In the second example, I also used the exec resource. This exec resource uses the chage command . The purpose of using the chage command is that it will force the user to change his password after the first login . chage shows the following information after the manifest is executed .
# chage -l askar
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : Mar 22, 2016
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
Comments
As we have given the password in encrypted form.