Just thinking.... could the password change use notify of a "usermod -e new-yyyy-dd-mm" command?
On Thu, Aug 27, 2009 at 2:05 PM, Kyle Mallory <jesuswasir...@gmail.com> wrote:

> We have a policy that requires all user passwords to expire after 90
> days. We also use puppet for managing all users on our machines. Our
> hope was, when our passwords expire, we could update the puppet
> manifest which would propagate to all our servers, thus updating all
> our passwords.
>
> The problem is, the User type (w/ manage_passwords enabled and
> ruby-shadow installed) will only set the password in /etc/shadow, but it
> doesn't manage any of the other shadow parameters, namely the
> sp_lstchg parameter. As a result, after our 90-day period, all of
> our passwords have updated, but the individual machines still think
> that the passwords have expired, and refuse to let us log in.
>
> This seems a bug in the User type, in that if the password changes
> from the previous password, it should also reset the last-changed
> field as well. Ideally, if the User type is supporting passwords, it
> would be nice if there were properties to also specify the other
> shadow parameters, such as min, max, warn, expire, etc.
>
> I looked into the puppet provider code for User, but I couldn't make
> sense of how to fix. Could someone point me to the right place so I
> can try and change this behavior (or maybe someone from Reductive Labs
> can fix it in an immediately upcoming update)?
>
> Thanks,
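
Added example, not part of the original thread and not Puppet's own code: a Python check over shadow(5)-format lines showing why an entry with a freshly written hash but an old sp_lstchg still counts as expired, and that resetting field 3 (the field `chage -d` writes) clears it. The sample entries, placeholder hashes and function names are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed shadow(5) lines; hashes are placeholders, not real values.
SAMPLE = """\
alice:$6$constructed$NEWHASH:14380:0:90:7:::
bob:$6$constructed$NEWHASH:14480:0:90:7:::
carol:$6$constructed$NEWHASH:0:0:90:7:::
dave:$6$constructed$NEWHASH:14380:0::7:::
"""

def password_state(line, today):
    """Return (user, state, days_left) for one shadow entry."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("not a shadow entry: %r" % line)
    user, lstchg, maxdays = f[0], f[2], f[4]
    if lstchg == "0":                      # forced change at next login
        return user, "must-change", None
    if lstchg == "" or maxdays == "":      # aging disabled for this entry
        return user, "no-aging", None
    # Expired once today is past last-change day + maximum age.
    left = int(lstchg) + int(maxdays) - (today - EPOCH).days
    return user, ("expired" if left < 0 else "ok"), left

def reset_last_change(line, today):
    """Set field 3 (sp_lstchg) to today; the field `chage -d` updates."""
    f = line.rstrip("\n").split(":")
    f[2] = str((today - EPOCH).days)
    return ":".join(f)

def audit(text, today):
    """Map each user in shadow-format text to its aging state."""
    return {u: s for u, s, _ in
            (password_state(l, today) for l in text.splitlines() if l.strip())}

if __name__ == "__main__":
    today = date(2009, 8, 27)              # date of the original post
    for line in SAMPLE.splitlines():
        print(password_state(line, today), "->",
              password_state(reset_last_change(line, today), today))
```

Run against a copy of a host's shadow file (reading it needs root), `audit` lists the accounts that would be refused even though their hash was just replaced.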