Skip to content

Latest commit

 

History

History
186 lines (125 loc) · 5.34 KB

README.mkd

File metadata and controls

186 lines (125 loc) · 5.34 KB

users puppet module

Manages user configuration.

Supported corrective actions under: Debian.

Classes

  • users

users

Realize all useraccount, massuseraccount and lookup defines tagged with 'administrators'. Also, realize User, Group, File and Exec likewise tagged, to handle exceptional cases.

Definitions

  • users::account
  • users::gidsanity
  • users::lookup
  • users::lookupkey
  • users::masskeys
  • users::massuseraccount
  • users::uidsanity

users::account

Create a user account with a primary group of the same name. If uid is provided and the client supports the custom facts provided with this module, do some sanity checking beforehand, moving users and groups with conflicting guids to the same guids + 10000.

Note that just like user name and primary group name are kept the same, uid and gid are kept equal.

Also copy a tree of files in one of two ways:

  1. If there's a "managed" directory from one of the options below, use it and control file content. The file paths checked for are absolute, so it may need changing if the default file server path is different. Also, it uses a script at /etc/puppet/modules/users/scripts to check for these files, which may also need changing depending on the module path and module name.

    • /etc/puppet/files/users/home/managed/host/${username}.$fqdn
    • /etc/puppet/files/users/home/managed/host/${username}.$hostname
    • /etc/puppet/files/users/home/managed/domain/${username}.$domain
    • /etc/puppet/files/users/home/managed/env/${username}.$environment
    • /etc/puppet/files/users/home/managed/user/${username}
    • /etc/puppet/files/users/home/managed/skel
  2. Otherwise, use one of the directories below as a default (modified files do not get replaced).

    • puppet:///files/users/home/default/host/${username}.$fqdn
    • puppet:///files/users/home/default/host/${username}.$hostname
    • puppet:///files/users/home/default/domain/${username}.$domain
    • puppet:///files/users/home/default/env/${username}.$environment
    • puppet:///files/users/home/default/user/${username}
    • puppet:///files/users/home/default/skel
    • puppet:///files/users/home/default/skel
    • puppet:///users/home/default/skel

In neither case will other files be purged. Also, there is no mode control, though all files will be created with user and group onwership.

Also ensures that the .ssh directory and .bash_history will be kept with appropriate permissions.

Example:

@users::useraccount { "bob":
    ensure   => present,
    fullname => "Uncle Bob",
    uid      => 1000,
    groups   => [ "wheel" ], # Extra groups, defaults to none
    shell    => '/bin/bash', # default value
    password => 'hash',
}

users::gidsanity

Checks that no other group is using this gid, and, if it is, moves it up 10000.

Also, if the group exists but doesn't presently have this gid, pre-emptively change group owner ship of all files in the home directory with the current gid, so that they'll be correct after the group id was corrected (elsewhere).

users::lookup

Add a user through extdata lookup. The user is added with the extra groups provided, but name, uid and password come from the csv file.

Example:

@users::lookup { 'username':
    ensure => present, # default value
    groups => [], # default value
}

CSV file:

username_account,uid,Full Name,hashed password

users::lookupkey

Add a key to a user's authorized_keys file through extdata lookup. It supports arbitrary number of options, and //requires// a comment field, which will be prepended with the username to avoid problems with it being used as primary key on ssh_authorized_keys when multiple users are using the same key.

Options containing double quotes should be enclosed in double quotes themselves, and its own double quotes doubled (see example).

The CSV format was designed to be almost equal to authorized_keys itself, with just the need to replace spaces separating options, key type, key and comment with commas, plus the above mentioned double quote handling.

Example:

@users::lookupkey { 'username':
    ensure => present, # default value
}

CSV file:

username_sshkey,"from=""a.b.c.d""",no-port-forwarding,ssh-dss,key,comment

users::userkey###

Add a key to user's authorized keys file through direct passing. Default comment on key is "default-key" and default type is "ssh-rsa".

Example:

@users::userkey { 'username':
    ensure => present,
    key    => "key",
}

users::masskeys

Add keys to user's authorized_keys files through extdata lookup. See users::lookupkey for more details.

Example:

@users::masskeys { 'group':
    ensure => present, # default value
}

CSV file:

group_sshkeys,username
username_sshkey,"from=""a.b.c.d""",no-port-forwarding,ssh-dss,key,comment

users::massuseraccount

Adds users through extdata lookup. The users are added with the extra groups provided, but name, uid and password come from the csv files, as well as the list of users.

Example:

@users::massuseraccount { 'group':
    ensure => present, # default value
    groups => [], # default value
}

CSV file:

group_accounts,username
username_account,uid,Full Name,hashed password

users::uidsanity

Checks that no other user is using this uid, and, if it is, moves it up 10000.