On Monday, May 12, 2014 10:44:09 AM UTC-5, William Thomas wrote:
>
> Is there an issue with using subscribe? So in my virtual resource
> definition I have:
>
> define accounts::virtual ($uid,$realname,$pass) {
>
> user { $title:
> ensure => 'present',
> uid => $uid,
> gid => $title,
> shell => '/bin/bash',
> home => "/home/${title}",
> comment => $realname,
> # password => $pass,
> password_max_age => '90',
> password_min_age => '0',
> groups => ['sudo'],
> managehome => true,
> require => Group[$title],
> }
> group { $title:
> gid => $uid,
> }
>
> exec { "/usr/sbin/usermod -p \'$pass\' $title":
> refreshonly => true,
> subscribe => User[$title],
> # logoutput => true,
> }
> ...
> ...
> ...
>
>
> And this is starting from Scott Lowe's blog:
> http://blog.scottlowe.org/2012/11/25/using-puppet-for-account-management/
>
> I guess the only gotcha I see is if something changes and causing the user
> to get updated, it will reset the password to the "default"
>
Just so. Imagine a user changing their default shell via chsh, and then
not only having it changed back, but also having their password
unexpectedly reset. Or imagine changing the secondary groups or password
aging properties declared in that accounts::virtual definition, and having
*everyone's* password reset. I wouldn't want to be you.
An "initial_password" parameter might be a convenience for some people, and
probably not hard to implement; on that basis I think it could be a worthy
enhancement to Puppet. Nevertheless, I cannot think of a usage mode that
would satisfy any but the most lax security policy. Although I don't think
it's the tool's job to dictate policy to its users, I can understand giving
low priority to a request for such a feature.
Admins looking in this direction would in most cases be better served by a
bona fide centralized user DB, such as LDAP or even NIS.
John
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/814eb433-fc6d-494b-b8a8-bdcefb75ba49%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
