We have a policy that requires all user passwords to expire after 90 days. We also use puppet for managing all users on our machines. Our hope was, when our passwords expire, we could update the puppet manifest which would propogate to all our servers, thus updating all our passwords.
The problem is, the User type (w/ manage_passwords enabled and ruby- shadow installed) will only set the password in /etc/shadow, but it doesn't manage any of the other shadow parameters, namely the sp_lstchg parameter). As a result, after our 90-day period, all of our passwords have updated, but the individual machines still think that the passwords have expired, and refuses to let us log in. This seems a bug in the User type, in that if the password changes from the previous password, it should also reset the last-changed field as well. Ideally, if the User type is supporting passwords, it would be nice if there were properties to also specify the other shadow parameters, such as min, max, warn, expire, etc. I looked into the puppet provider code for User, but I couldn't make sense of how to fix. Could someone point me to the right place so I can try and change this behavior (or maybe someone from Reductive Labs can fix it in an immediately upcoming update)? Thanks, --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
