I've been assigned to use Puppet to synchronize user passwords across an arbitrary number of servers, so that a user can change their password once and have that change pushed out to an arbitrary number of servers. Most of the advice I've seen has been to use something else, like LDAP, but I've been specifically instructed to use Puppet.

All I have so far is a class that, when run, sets a user's password. It should take the user id from facter to prevent someone from changing someone else's password.

# Sets the password of the user running the agent; $::id comes from facter,
# so a user can only change their own account.
class pwdchange ($newpassword = '') {
  user {"$::id":
    ensure   => present,
    # $encryptednewpassword is the hashed form of $newpassword; deriving it
    # from the cleartext argument is the open question below.
    password => $encryptednewpassword,
  }
}

What I'm looking for is how to take a cleartext argument, check it to make sure it's a good password, and encrypt it with md5. I'll do that to get from newpassword to encryptednewpassword. Do I need to use an exec resource with the md5sum command? Or should I have a template that encrypts the password using ruby code? Or is there an easy, simple way to do this that I'm not seeing?

Seri
  • We're happy to help you with troubleshooting *specific problems* that you run into along the way, but SF is not a site intended for end-to-end how-to guides. – Andrew B Jul 17 '13 at 20:17
  • Start with some research. Read the documentation (if it's confusing, there are books) and give it a try in a lab. Then, come to us with a specific technical question. As it is, I feel this is too broad of a question. (We can't cover Puppet a->z in one question.) – Aaron Copley Jul 17 '13 at 20:18
  • This is one of those moments when you need to go to whoever specifically instructed you, and tell them they are *wrong*. Use LDAP. – Sirex Jul 17 '13 at 20:33
  • Sorry! I rewrote the question. Should I leave it up, or should I re-ask it under its own thread? – Seri Jul 17 '13 at 20:38
  • Puppet is not designed to do what you want. Put simply, you're trying to weld metal using a sponge cake. – Sirex Jul 17 '13 at 20:39
  • Use some form of centralized authentication database (LDAP, Kerberos, Securid). Managing local shadow databases for your employees is always the option of last resort. – Andrew B Jul 17 '13 at 20:44
  • Of those three (LDAP, Kerberos, and Securid), which would you suggest? – Seri Jul 17 '13 at 20:47
  • @Seri Start with LDAP. LDAP provides both identity management (uid+gid lookups) and authentication services, whereas the latter two only provide authentication. – Andrew B Jul 17 '13 at 20:49
  • If you're dealing solely with Linux machines, look into freeIPA. It's basically exactly what you want (and includes an LDAP server within it). – Sirex Jul 17 '13 at 20:50
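The `password` attribute of Puppet's `user` resource expects a crypt(3)-style shadow hash, which is not what `md5sum` produces (that is a bare digest with no salt and no `$id$` prefix). The following is an added example, plain Ruby rather than code from the question or its answers, of the validate-then-hash step that a Puppet parser function could wrap; `MIN_LENGTH`, the character-class rules and the helper names are assumptions, and `$6$` (SHA-512 crypt) is used by default with `$1$` available as the MD5 form the question mentions.

```ruby
# Added example: validate a cleartext password and produce the salted
# crypt(3) hash that /etc/shadow (and Puppet's user resource) expects.
require 'securerandom'

MIN_LENGTH = 12   # assumed policy value, not taken from the question

# Returns a list of policy violations; an empty list means the password passes.
def password_problems(password)
  problems = []
  problems << "shorter than #{MIN_LENGTH} characters" if password.length < MIN_LENGTH
  problems << 'no lowercase letter' unless password =~ /[a-z]/
  problems << 'no uppercase letter' unless password =~ /[A-Z]/
  problems << 'no digit' unless password =~ /\d/
  problems << 'contains whitespace' if password =~ /\s/
  problems
end

# Build the shadow entry value: "$id$salt$hash". String#crypt calls the
# system crypt(3); glibc and libxcrypt accept "$6$" (SHA-512) and "$1$"
# (MD5-crypt, kept only for legacy hosts). A random salt is generated when
# none is supplied so two users with the same password get different hashes.
def shadow_hash(password, scheme: '$6$', salt: nil)
  problems = password_problems(password)
  raise ArgumentError, "weak password: #{problems.join(', ')}" unless problems.empty?
  salt ||= SecureRandom.alphanumeric(16)   # crypt salt alphabet is [a-zA-Z0-9./]
  password.crypt("#{scheme}#{salt}$")
end

# Verify a cleartext password the way login does: re-run crypt using the
# stored hash as the setting (it carries scheme and salt) and compare.
def shadow_hash_matches?(password, stored)
  password.crypt(stored) == stored
end
```

Inside a manifest the returned string would be passed straight to `password =>`, while the cleartext never leaves the function.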

1 Answer

I know this won't be very helpful to solve your issue, but I'd suggest going back to your management team and explaining why this is a poor design and why we have already moved away from the old NIS replication of password files across the wire. A couple of things to consider: LDAP will provide one location to manage sudoers, automount, group permissions, user permissions, and user access (userX can log into hostX only), and is not difficult to configure. If you have an AD environment, you can authenticate against that.

But if you have to do it, make it simple. I'd grab a password/shadow/group and use one system to create the user, and have Puppet make sure that the string exists in the following files, but if I'm not mistaken you will have to use an ERB template to add dynamic and static content.

I hope this helps a little bit.