Password Management
User management is done with the underlying subsystem, but there are many systems that do not support password management. I made some definitions using a method I'd found that ensures a key/value pair, from http://mail.madstop.com/pipermail/puppet-users/2007-August/004043.html:
definitions/basic.pp:
define ensure_key_value($file, $key, $value, $delimiter = " ") {
  # append line if "$key" not in "$file"
  exec { "echo '$key$delimiter$value' >> $file":
    unless => "grep -qe '^$key[[:space:]]*$delimiter' -- $file",
    path   => "/bin:/usr/bin"
  }
  # update it if it already exists...
  # ('|' is the sed delimiter so that values containing '/', as password
  # hashes often do, do not terminate the expression early)
  exec { "sed -i 's|^$key$delimiter.*$|$key$delimiter$value|g' $file":
    unless => "grep -xqe '$key[[:space:]]*$delimiter[[:space:]]*$value' -- $file",
    path   => "/bin:/usr/bin"
  }
}
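The append-or-update logic of the two exec resources above, as an added shell example (not code from the original page) run against a constructed shadow-format file. The printed action words, the sample accounts and the hash string are made up for illustration, and the example uses `|` as the sed delimiter so a value containing `/` still substitutes cleanly.

```shell
#!/bin/sh
# Added example, not from the original page: the two exec resources of
# ensure_key_value as one shell function. Prints the action it took.
ensure_key_value() {
    file=$1 key=$2 value=$3 delim=${4:- }
    # exec 1: append "key<delim>value" unless a line for the key exists
    if ! grep -qe "^$key[[:space:]]*$delim" -- "$file"; then
        printf '%s%s%s\n' "$key" "$delim" "$value" >> "$file"
        echo appended
        return 0
    fi
    # exec 2: rewrite the line unless it already holds exactly this value
    if grep -xqe "$key[[:space:]]*$delim[[:space:]]*$value" -- "$file"; then
        echo unchanged
        return 0
    fi
    # '|' as the sed delimiter is this example's choice: crypt hashes
    # contain '/', which would end an s/.../.../ expression early
    sed -i "s|^$key$delim.*\$|$key$delim$value|" "$file"
    echo updated
}

# Constructed sample data: a shadow-format file and a made-up hash string
shadow=$(mktemp)
printf '%s\n' 'root:!!:13572:0:99999:7:::' \
              'alice2:!!:13572:0:99999:7:::' > "$shadow"
hash='$6$c0nstructed$AbC/dEf.GhI/jKl'

ensure_key_value "$shadow" alice "$hash:13572:0:99999:7:::" :  # first run
ensure_key_value "$shadow" alice "$hash:13572:0:99999:7:::" :  # second run
ensure_key_value "$shadow" alice '!!:13572:0:99999:7:::' :     # lock it
cat "$shadow"   # the alice2 line is untouched: the match is anchored on "alice:"
rm -f "$shadow"
```

The second call is the case that matters for configuration management: once the line holds the desired value, nothing is written, so repeated runs leave the file alone.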
And the 2nd definition:
definitions/setpass.pp:
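define setpass($hash) {
  ensure_key_value{ "set_pass_$name":
    file      => '/etc/shadow',
    key       => $name,
    # fields after the hash, per shadow(5): last change (days since
    # 1970-01-01), minimum age, maximum age, warning period; inactivity,
    # expiry and the reserved field are left empty
    value     => "$hash:13572:0:99999:7:::",
    delimiter => ':'
  }
}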
I hard-coded some numbers into the value, as you can see, which you may want to make into variables. Those numbers have to do with password locking, and may or may not be relevant to your system. Then, my user classes look like this:
users/realize_users.pp:
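class admin_users {
  realize(
    User["root"],
    User["awfief"]
  )
  # hash is written verbatim into the second field of /etc/shadow, so it
  # must be the crypt(3) hash of the password, not the plaintext password
  setpass { "root": hash => 'q1w2e3r4t5y6u7i8o9p0' }
  setpass { "awfief": hash => 'a1s2d3f4g5h6j7k8l9!0' }
}
class not_users {
  realize(
    User["bad"],
    User["evil"],
  )
  # '!!' is not a valid hash, so no password can match it
  setpass { "bad": hash => '!!' }
  setpass { "evil": hash => '!!' }
}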
Assuming, of course, you've set up your users:
users/standard_users.pp:
@user { "root":
  ensure     => "present",
  uid        => "0",
  gid        => "wheel",
  comment    => "root",
  home       => "/root",
  shell      => "/bin/sh",
  managehome => "true"
}
@user { "awfief":
  ensure     => "present",
  uid        => "10001",
  gid        => "wheel",
  comment    => "Sheeri Kritzer",
  home       => "/home/awfief",
  shell      => "/bin/bash",
  managehome => "true"
}
and users/absent_users.pp:
class absent_users {
  @user { "bad":
    ensure     => "absent",
    uid        => "502",
    gid        => "wheel",
    comment    => "bad user no biscuit",
    home       => "/home/bad",
    shell      => "/bin/bash",
    managehome => "true"
  }
  @user { "evil":
    ensure     => "absent",
    uid        => "503",
    gid        => "wheel",
    comment    => "evil",
    home       => "/home/evil",
    shell      => "/bin/bash",
    managehome => "true"
  }
}