- Description
- Setup - The basics of getting started with accounts
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how * Data Types
- Limitations - OS compatibility, etc.
- License
- Development - Guide for contributing to the module
The accounts module manages resources related to login and service accounts.
This module works on many UNIX/Linux operating systems. It does not support configuring accounts on Microsoft Windows platforms.
Declare the accounts::user
defined type for each local user you want to manage:
node default {
accounts::user { 'dan': }
accounts::user { 'morgan': }
}
The above example creates accounts, home directories, and groups for dan
and morgan
in the default node group.
accounts::user { 'bob':
uid => '4001',
gid => '4001',
group => 'staff',
shell => '/bin/bash',
password => '!!',
locked => false,
}
A simple bashrc and bash_profile rc file is managed by Puppet for each account. These rc files add some simple aliases, update the prompt, add ~/bin to the path, and source the following files (which are not managed by this module) in the following order:
/etc/bashrc
/etc/bashrc.puppet
~/.bashrc.custom
Account holders can customize their shells by managing their bashrc.custom files. In addition, the system administrator can make profile changes that affect all accounts with a bash shell by managing the '/etc/bashrc.puppet' file.
To install an email foward, configure the .forward
file by using the forward_content
or forward_source
parameters.
Lock accounts by setting the locked
parameter of an account to true.
For example:
accounts::user { 'villain':
comment => 'Bad Person',
locked => true
}
The accounts module sets the account to an invalid shell appropriate for the system Puppet is managing and displays the following message if a user tries to access the account:
$ ssh villain@centos56
This account is currently not available.
Connection to 172.16.214.129 closed.
Manage SSH keys with the sshkeys
attribute of the accounts::user
defined type. This parameter accepts an array of public key contents as strings.
Example:
accounts::user { 'jeff':
comment => 'Jeff McCune',
groups => [
'admin',
'sudonopw',
],
uid => '1112',
gid => '1112',
sshkeys => [
'ssh-rsa AAAAB3Nza...== [email protected]',
'ssh-dss AAAAB3Nza...== [email protected]',
],
}
The module supports placing sshkeys in a custom location. If you specify a value
for the sshkey_custom_path
attribute of the accounts::user
defined type, the
module will place the keys in the specified file. The module will only manage
the specified file and not the full path. If you set purge_sshkeys
to true, and
you have also set a custom path, it will only purge the ssh keys in the custom path.
Example:
accounts::user { 'gerrard':
sshkey_custom_path => '/var/lib/ssh/gerrard/authorized_keys',
sshkey_group => 'root',
sshkey_owner => 'root',
shell => '/bin/zsh',
comment => 'Gerrard Geldenhuis',
groups => [
'engineering',
'automation',
],
uid => '1117',
gid => '1117',
sshkeys => [
'ssh-rsa AAAAB9Aza...== [email protected]',
'ssh-dss AAAAB9Aza...== [email protected]',
],
password => '!!',
}
Setting sshkey_custom_path
is typically associated with setting AuthorizedKeysFile /var/lib/ssh/%u/authorized_keys
in your sshd config file.
The accounts module supports storing all account data in Hiera.
Example:
accounts::group_defaults:
system: true
accounts::group_list:
admins: {}
users: {}
accounts::user_defaults:
groups: [ 'users' ]
managehome: true
system: false
accounts::user_list:
admin:
groups: ['admins', 'users']
joe:
sshkeys:
- &joe_sshkey 'ssh-rsa ... [email protected]'
sally:
sshkeys:
- &sally_sshkey 'ssh-rsa ... [email protected]'
dba:
sshkeys:
- *joe_sshkey
- *sally_sshkey
system: true
include ::accounts
See REFERENCE.md
A hash of group
data suitable for passing as the second parameter to ensure_resources
.
The allowed values for the provider
attribute. Currently, this is:
aix
directoryservice
groupadd
ldap
pw
windows_adsi
A struct of group
attributes suitable for passing as the third parameter to ensure_resource
.
Allows either 'absent'
or a YYY-MM-DD
datestring.
A hash of user
data suitable for passing as the second parameter to ensure_resources
.
The iterations
attribute allows any positive integer, optionally expressed as a string.
Allows strings up to 32 characters long that begin with a lower case letter or underscore, followed by lower case letters, digits, underscores, or dashes, and optionally ending in a dollar sign. See useradd(8)
Maximum number of days a password may be used before it must be changed. Allows any integer from -1
to 99999
. See user
resource.
A struct of user
attributes suitable for passing as the third parameter to ensure_resource
.
Allows any integer from 0
to 4294967295
(232 - 1), optionally expressed as a string.
For an extensive list of supported operating systems, see metadata.json
The accounts module is designed to take the place of the pe_accounts module that shipped with PE versions 2015.2 and earlier. Some of the changes include the removal of the base class, improving the validation, and allowing more flexibility regarding which files should or should not be managed in a user's home directory.
For example, the .bashrc and .bash_profile files are not managed by default but allow custom content to be passed in using the bashrc_content
and bash_profile_content
parameters. The content for these two files as managed by pe_accounts can continue to be used by passing bashrc_content => file('accounts/shell/bashrc')
and bash_profile_content => file('accounts/shell/bash_profile')
to the accounts::user
defined type.
This codebase is licensed under the Apache2.0 licensing, however due to the nature of the codebase the open source dependencies may also use a combination of AGPL, BSD-2, BSD-3, GPL2.0, LGPL, MIT and MPL Licensing.
Acceptance tests for this module leverage puppet_litmus. To run the acceptance tests follow the instructions here. You can also find a tutorial and walkthrough of using Litmus and the PDK on YouTube.
If you run into an issue with this module, or if you would like to request a feature, please create an issue. Every Tuesday the Puppet Content and Tooling team has office hours in the Puppet Community Slack for about an hour, starting at 1400 (GMT+1).
If you have problems getting this module up and running, please contact Support.
If you submit a change to this module, be sure to regenerate the reference documentation as follows:
puppet strings generate --format markdown --out REFERENCE.md