Revision bcb23d35
Added by Nicolas CHARLES over 6 years ago
maintained-techniques | ||
systemSettings/userManagement/userManagement/6.0
|
||
systemSettings/userManagement/userManagement/7.0
|
||
systemSettings/userManagement/userManagement/7.1
|
||
systemSettings/userManagement/userManagement/7.2
|
techniques/systemSettings/userManagement/userManagement/7.2/changelog | ||
-- Benoit PECCATTE <benoit.peccatte@normation.com> Tue Sep 9 08:17:55 CEST 2014
|
||
* Version 4.0
|
||
** Rewrite with normal ordering and {}
|
||
-- Benoît Peccatte <benoit.peccatte@normation.com> Thu Oct 2 10:00:32 CEST 2014
|
||
* Version 5.0
|
||
** Handle gid/uid at user creation
|
||
-- Benoît Peccatte <benoit.peccatte@normation.com> Fri Oct 17 14:10:43 CEST 2014
|
||
* Version 6.0
|
||
** Use rudder_common_report instead of reports:
|
||
-- Nicolas Charles <nicolas.charles@normation.com> Fri Jul 15 15:50:00 CEST 2016
|
||
* Version 7.0
|
||
** Add AIX support
|
||
-- Nicolas Charles <nicolas.charles@normation.com> Fri Jul 22 15:41:00 CEST 2016
|
||
* Version 7.1
|
||
** Add an option to move the home directory
|
||
|
||
-- Nicolas Charles <nicolas.charles@normation.com> Wed Oct 11 17:29:38 2017
|
||
* Version 7.2
|
||
** Add an option to force gid
|
techniques/systemSettings/userManagement/userManagement/7.2/metadata.xml | ||
<!--
|
||
Copyright 2017 Normation SAS
|
||
|
||
This program is free software: you can redistribute it and/or modify
|
||
it under the terms of the GNU General Public License as published by
|
||
the Free Software Foundation, Version 3.
|
||
|
||
This program is distributed in the hope that it will be useful,
|
||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
GNU General Public License for more details.
|
||
|
||
You should have received a copy of the GNU General Public License
|
||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
||
This is the userManagement Technique.
|
||
Compatibility : Linux like, Windows like, AIX like
|
||
|
||
It is intended to check the user parameters on the target host.
|
||
-->
|
||
<TECHNIQUE name="User management">
|
||
<DESCRIPTION>This technique manages the target host(s) users.
|
||
|
||
It will ensure that the defined users are present on the system.</DESCRIPTION>
|
||
<MULTIINSTANCE>true</MULTIINSTANCE>
|
||
<COMPATIBLE>
|
||
<OS version=">= 4 (Etch)">Debian</OS>
|
||
<OS version=">= 4 (Nahant)">RHEL / CentOS</OS>
|
||
<OS version=">= 10 SP1 (Agama Lizard)">SuSE LES / DES / OpenSuSE</OS>
|
||
<OS version=">= 2008">Windows</OS>
|
||
<OS version=">= 5.3">AIX</OS>
|
||
<AGENT version=">= 3.6.0">cfengine-community</AGENT>
|
||
</COMPATIBLE>
|
||
|
||
<BUNDLES>
|
||
<NAME>check_usergroup_user_parameters</NAME>
|
||
</BUNDLES>
|
||
|
||
<TMLS>
|
||
<TML name="userManagement"/>
|
||
</TMLS>
|
||
|
||
<SYSTEMVARS>
|
||
<NAME>NOVA</NAME>
|
||
</SYSTEMVARS>
|
||
|
||
<TRACKINGVARIABLE>
|
||
<SAMESIZEAS>USERGROUP_USER_LOGIN</SAMESIZEAS>
|
||
</TRACKINGVARIABLE>
|
||
|
||
<SECTIONS>
|
||
<!-- users section , index 1 -->
|
||
<SECTION name="Users" multivalued="true" component="true" componentKey="USERGROUP_USER_LOGIN">
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_LOGIN</NAME>
|
||
<DESCRIPTION>Login name for this account</DESCRIPTION>
|
||
</INPUT>
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_GROUP</NAME>
|
||
<DESCRIPTION>Primary group for this user (name or number)</DESCRIPTION>
|
||
<LONGDESCRIPTION>On UNIX systems, this group will be applied on this user as the primary group (at creation only)</LONGDESCRIPTION>
|
||
<CONSTRAINT>
|
||
<MAYBEEMPTY>true</MAYBEEMPTY>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_NAME</NAME>
|
||
<DESCRIPTION>Full name for this account</DESCRIPTION>
|
||
<CONSTRAINT>
|
||
<MAYBEEMPTY>true</MAYBEEMPTY>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
<SELECT1>
|
||
<NAME>USERGROUP_USER_ACTION</NAME>
|
||
<DESCRIPTION>Policy to apply on this account</DESCRIPTION>
|
||
<ITEM>
|
||
<LABEL>Create / update</LABEL>
|
||
<VALUE>add</VALUE>
|
||
</ITEM>
|
||
<ITEM>
|
||
<LABEL>Remove</LABEL>
|
||
<VALUE>remove</VALUE>
|
||
</ITEM>
|
||
<ITEM>
|
||
<LABEL>Check only (account should exist)</LABEL>
|
||
<VALUE>checkhere</VALUE>
|
||
</ITEM>
|
||
<ITEM>
|
||
<LABEL>Check only (account should not exist)</LABEL>
|
||
<VALUE>checknothere</VALUE>
|
||
</ITEM>
|
||
<CONSTRAINT>
|
||
<DEFAULT>add</DEFAULT>
|
||
</CONSTRAINT>
|
||
</SELECT1>
|
||
<SELECT1>
|
||
<NAME>USERGROUP_USER_PASSWORD_POLICY</NAME>
|
||
<DESCRIPTION>How often do you want to want to check the password</DESCRIPTION>
|
||
<ITEM>
|
||
<LABEL>At account creation</LABEL>
|
||
<VALUE>oneshot</VALUE>
|
||
</ITEM>
|
||
<ITEM>
|
||
<LABEL>Everytime</LABEL>
|
||
<VALUE>everytime</VALUE>
|
||
</ITEM>
|
||
<CONSTRAINT>
|
||
<DEFAULT>everytime</DEFAULT>
|
||
</CONSTRAINT>
|
||
</SELECT1>
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_SHELL</NAME>
|
||
<DESCRIPTION>Shell for this account</DESCRIPTION>
|
||
<LONGDESCRIPTION>Will be used only on UNIX systems</LONGDESCRIPTION>
|
||
<CONSTRAINT>
|
||
<DEFAULT>/bin/bash</DEFAULT>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_UID</NAME>
|
||
<DESCRIPTION>User ID (enforced at user creation only)</DESCRIPTION>
|
||
<LONGDESCRIPTION>Numeric user id, only on UNIX systems</LONGDESCRIPTION>
|
||
<CONSTRAINT>
|
||
<MAYBEEMPTY>true</MAYBEEMPTY>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
<SECTION name="Home directory" component="true" componentKey="USERGROUP_USER_LOGIN">
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_HOME_PERSONNALIZE</NAME>
|
||
<DESCRIPTION>Use the default home directory</DESCRIPTION>
|
||
<LONGDESCRIPTION>If not checked, it will set the defined home directory if "Policy to apply to this acocunt" if "Create/Update"</LONGDESCRIPTION>
|
||
<CONSTRAINT>
|
||
<TYPE>boolean</TYPE>
|
||
<DEFAULT>true</DEFAULT>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_HOME_MOVE</NAME>
|
||
<DESCRIPTION>Move the content of previous home directory to the defined one</DESCRIPTION>
|
||
<LONGDESCRIPTION>If checked, it will move the existing home directory to the defined one if they don't match</LONGDESCRIPTION>
|
||
<CONSTRAINT>
|
||
<TYPE>boolean</TYPE>
|
||
<DEFAULT>false</DEFAULT>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_HOME</NAME>
|
||
<DESCRIPTION>Home directory, if not default</DESCRIPTION>
|
||
<CONSTRAINT>
|
||
<MAYBEEMPTY>true</MAYBEEMPTY>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
</SECTION>
|
||
<SECTION name="Password" component="true" componentKey="USERGROUP_USER_LOGIN">
|
||
<INPUT>
|
||
<NAME>USERGROUP_USER_PASSWORD</NAME>
|
||
<DESCRIPTION>Password for this account</DESCRIPTION>
|
||
<CONSTRAINT>
|
||
<MAYBEEMPTY>true</MAYBEEMPTY>
|
||
<TYPE>masterPassword</TYPE>
|
||
<PASSWORDHASH>linux-shadow-md5,linux-shadow-sha256,linux-shadow-sha512,plain</PASSWORDHASH>
|
||
<!--
|
||
Tell that master password must create other variables derived from the user input from
|
||
that one. The master variable will be created using the hashes defined here, and the derived
|
||
variable(s) will be automatically created using other equivalent hashes for the target OS.
|
||
The accepted values for now are "AIX" and "LINUX" (or both, comma separated). The derived variable name will be the current name
|
||
postfixed with _AIX (or _LINUX)
|
||
|
||
A correspondance is made between hash algo listed above and the matching one on target OS:
|
||
Linux md5 crypt is mapped to AIX "smd5" version, Linux Sha-Crypt-256 is
|
||
mapped to AIX ssha256, and Linux Sha-Crypt-512 to AIX ssha512.
|
||
AIX ssha256 and ssha512 need the JCE PBKDF2WithHmacSHA256 / PBKDF2WithHmacSHA512.
|
||
|
||
Caution:
|
||
They are provided on Oracle Java 8 JVM standard installation, but NOT in Java 7 and some
|
||
other vendor versions.
|
||
In case these algo are not available, a fallback to AIX ssha1 (which uses
|
||
PBKDF2WithHmacSHA1) will be done. This hash scheme is also quite robust, but
|
||
if you want maximum security, you must use for Rudder a JVM which provides the higher
|
||
level algo, like Open JDK 8
|
||
-->
|
||
<AUTOSUBVARIABLES>AIX</AUTOSUBVARIABLES>
|
||
</CONSTRAINT>
|
||
</INPUT>
|
||
</SECTION>
|
||
</SECTION>
|
||
</SECTIONS>
|
||
|
||
</TECHNIQUE>
|
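Review bot: The masterPassword constraint on USERGROUP_USER_PASSWORD lists `linux-shadow-md5` and `plain` among the accepted PASSWORDHASH formats, yet the input has no LONGDESCRIPTION steering operators toward the SHA-512 variant; the long comment beneath it only covers the AIX mapping and the JVM fallback, and the template writes the value straight into field 2 of /etc/shadow. A one-line `<LONGDESCRIPTION>Prefer linux-shadow-sha512; md5-crypt and plain are accepted for compatibility only and are stored as given</LONGDESCRIPTION>` after the DESCRIPTION would make that choice visible in the directive form. Separately, the LONGDESCRIPTION of USERGROUP_USER_HOME_PERSONNALIZE reads `if "Policy to apply to this acocunt" if "Create/Update"`: the second `if` should be `is`, `acocunt` should be `account`, and the select's label is actually `Create / update`. The changelog entry for 7.2 announces an option to force gid, but no new INPUT for it appears in this metadata section, so the behaviour is presumably driven from the template rather than exposed as a parameter — worth confirming.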
techniques/systemSettings/userManagement/userManagement/7.2/userManagement.st | ||
#####################################################################################
|
||
# Copyright 2011-2016 Normation SAS
|
||
#####################################################################################
|
||
#
|
||
# This program is free software: you can redistribute it and/or modify
|
||
# it under the terms of the GNU General Public License as published by
|
||
# the Free Software Foundation, Version 3.
|
||
#
|
||
# This program is distributed in the hope that it will be useful,
|
||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
# GNU General Public License for more details.
|
||
#
|
||
# You should have received a copy of the GNU General Public License
|
||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
#
|
||
#####################################################################################
|
||
|
||
##########################################################################
|
||
# User management Technique #
|
||
# #
|
||
# Objective : Apply user/group policies on the target host #
|
||
##########################################################################
|
||
|
||
bundle agent check_usergroup_user_parameters
|
||
{
|
||
|
||
vars:
|
||
|
||
&USERGROUP_USER_LOGIN:{login |"usergroup_user_login[&i&]" string => "&login&";
|
||
}&
|
||
|
||
&USERGROUP_USER_GROUP:{group |"usergroup_user_groupname[&i&]" string => "&group&";
|
||
}&
|
||
|
||
&USERGROUP_USER_NAME:{name |"usergroup_user_fullname[&i&]" string => "&name&";
|
||
}&
|
||
|
||
&USERGROUP_USER_PASSWORD:{password |"usergroup_user_password[&i&]" string => "&password&";
|
||
}&
|
||
|
||
&USERGROUP_USER_PASSWORD_AIX:{password |"usergroup_user_password_aix[&i&]" string => "&password&";
|
||
}&
|
||
|
||
&USERGROUP_USER_PASSWORD_POLICY:{passwordpol |"usergroup_user_password_policy[&i&]" string => "&passwordpol&";
|
||
}&
|
||
|
||
&USERGROUP_USER_ACTION:{action |"usergroup_user_action[&i&]" string => "&action&";
|
||
}&
|
||
|
||
&USERGROUP_USER_UID:{uid |"usergroup_user_uid[&i&]" string => "&uid&";
|
||
}&
|
||
|
||
&USERGROUP_USER_HOME_PERSONNALIZE:{homeperso |"usergroup_user_home_perso[&i&]" string => "&homeperso&";
|
||
}&
|
||
|
||
&USERGROUP_USER_HOME_MOVE:{homemove |"usergroup_user_home_move[&i&]" string => "&homemove&";
|
||
}&
|
||
|
||
&USERGROUP_USER_HOME:{home |"usergroup_user_home[&i&]" string => "&home&";
|
||
}&
|
||
|
||
&USERGROUP_USER_SHELL:{shell |"usergroup_user_shell[&i&]" string => "&shell&";
|
||
}&
|
||
|
||
&TRACKINGKEY:{directiveId |"usergroup_directive_id[&i&]" string => "&directiveId&";
|
||
}&
|
||
|
||
"usergroup_user_index" slist => getindices("usergroup_user_login");
|
||
|
||
|
||
any_2nd_pass::
|
||
|
||
# 1 - Options to use whether Fullname is defined or not
|
||
"nameopt[${usergroup_user_index}]"
|
||
string => "",
|
||
ifvarclass => "usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
## On UNIX
|
||
"nameopt[${usergroup_user_index}]"
|
||
string => "-c \"${usergroup_user_fullname[${usergroup_user_index}]}\"",
|
||
ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}.!windows";
|
||
|
||
## On Windows
|
||
"nameopt[${usergroup_user_index}]"
|
||
string => "/FULLNAME:\"${usergroup_user_fullname[${usergroup_user_index}]}\"",
|
||
ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}.windows";
|
||
|
||
## Part of reports to return whether Fullname is defined or not
|
||
"repname[${usergroup_user_index}]"
|
||
string => "Without any defined full name",
|
||
ifvarclass => "usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
"repname[${usergroup_user_index}]"
|
||
string => "${usergroup_user_fullname[${usergroup_user_index}]}",
|
||
ifvarclass => "!usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
# 2 - On UNIX, choose between using no group name or using a custom one
|
||
"groupopt[${usergroup_user_index}]"
|
||
string => "",
|
||
ifvarclass => "usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_user_force_user_in_group_${usergroup_user_index}";
|
||
|
||
"groupopt[${usergroup_user_index}]"
|
||
string => "-g ${usergroup_user_groupname[${usergroup_user_index}]}",
|
||
ifvarclass => "!usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_user_force_user_in_group_${usergroup_user_index}";
|
||
|
||
"groupopt[${usergroup_user_index}]"
|
||
string => "-g ${usergroup_user_login[${usergroup_user_index}]}",
|
||
ifvarclass => "usermanagement_user_force_user_in_group_${usergroup_user_index}";
|
||
|
||
# 3 - on UNIX force user id if provided
|
||
"useropt[${usergroup_user_index}]"
|
||
string => "",
|
||
ifvarclass => "usermanagement_user_uid_empty_${usergroup_user_index}";
|
||
|
||
"useropt[${usergroup_user_index}]"
|
||
string => "-u ${usergroup_user_uid[${usergroup_user_index}]}",
|
||
ifvarclass => "!usermanagement_user_uid_empty_${usergroup_user_index}";
|
||
|
||
any_2nd_pass.!pass2.!windows::
|
||
|
||
|
||
"usermanagement_user_move_home_dir_from[${usergroup_user_index}]" string => execresult("${paths.grep} '^${usergroup_user_login[${usergroup_user_index}]}:' /etc/passwd | ${paths.cut} -d: -f6", "useshell"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}";
|
||
|
||
|
||
classes:
|
||
|
||
# Actions
|
||
|
||
"usermanagement_user_update_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","add");
|
||
|
||
"usermanagement_user_remove_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","remove");
|
||
|
||
"usermanagement_user_checkpres_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checkhere");
|
||
|
||
"usermanagement_user_checkabs_${usergroup_user_index}" expression => strcmp("${usergroup_user_action[${usergroup_user_index}]}","checknothere");
|
||
|
||
"usermanagement_user_pershome_${usergroup_user_index}" not => strcmp("${usergroup_user_home_perso[${usergroup_user_index}]}","true");
|
||
|
||
"usermanagement_user_custom_home_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_home[${usergroup_user_index}]");
|
||
"usermanagement_user_custom_home_no_value_${usergroup_user_index}" expression => strcmp("", "usergroup_user_home[${usergroup_user_index}]");
|
||
"usermanagement_user_custom_home_defined_${usergroup_user_index}" expression => "!usermanagement_user_custom_home_no_variable_${usergroup_user_index}.!usermanagement_user_custom_home_no_value_${usergroup_user_index}";
|
||
|
||
# If we ask to personnalize home, but not define it, it is invalid
|
||
"usermanagement_user_home_pershome_invalid_${usergroup_user_index}" expression => "usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_custom_home_defined_${usergroup_user_index}";
|
||
|
||
# Asked to move the home directory
|
||
"usermanagement_user_custom_home_move_${usergroup_user_index}" expression => strcmp("${usergroup_user_home_move[${usergroup_user_index}]}","true");
|
||
|
||
# The request to move home is valid: the path to move to is defined, and we asked to personalize
|
||
"usermanagement_user_custom_home_move_valid_${usergroup_user_index}" expression => "usermanagement_user_custom_home_move_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}";
|
||
|
||
"usermanagement_user_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_login[${usergroup_user_index}]}");
|
||
|
||
"usermanagement_group_exists_${usergroup_user_index}" expression => groupexists("${usergroup_user_groupname[${usergroup_user_index}]}");
|
||
|
||
"usermanagement_user_pwoneshot_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","oneshot");
|
||
|
||
"usermanagement_user_pweverytime_${usergroup_user_index}" expression => strcmp("${usergroup_user_password_policy[${usergroup_user_index}]}","everytime");
|
||
|
||
# with variables that are not unique, the emptyness detection is quite tricky
|
||
# either the variable is not defined, or the variable value is ""
|
||
"usermanagement_user_pw_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_password[${usergroup_user_index}]");
|
||
"usermanagement_user_pw_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_password[${usergroup_user_index}]}");
|
||
"usermanagement_user_pwempty_${usergroup_user_index}" expression => "usermanagement_user_pw_no_variable_${usergroup_user_index}|usermanagement_user_pw_no_value_${usergroup_user_index}";
|
||
|
||
"usermanagement_user_name_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_fullname[${usergroup_user_index}]");
|
||
"usermanagement_user_name_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_fullname[${usergroup_user_index}]}");
|
||
"usermanagement_user_nameempty_${usergroup_user_index}" expression => "usermanagement_user_name_no_variable_${usergroup_user_index}|usermanagement_user_name_no_value_${usergroup_user_index}";
|
||
|
||
"usermanagement_user_group_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_groupname[${usergroup_user_index}]");
|
||
"usermanagement_user_group_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_groupname[${usergroup_user_index}]}");
|
||
"usermanagement_user_groupempty_${usergroup_user_index}" expression => "usermanagement_user_group_no_variable_${usergroup_user_index}|usermanagement_user_group_no_value_${usergroup_user_index}";
|
||
|
||
"usermanagement_user_uid_no_variable_${usergroup_user_index}" not => isvariable("usergroup_user_uid[${usergroup_user_index}]");
|
||
"usermanagement_user_uid_no_value_${usergroup_user_index}" expression => strcmp("", "${usergroup_user_uid[${usergroup_user_index}]}");
|
||
"usermanagement_user_uid_empty_${usergroup_user_index}" expression => "usermanagement_user_uid_no_variable_${usergroup_user_index}|usermanagement_user_uid_no_value_${usergroup_user_index}";
|
||
|
||
"usermanagement_user_groupmatchesname_${usergroup_user_index}" expression => strcmp("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_groupname[${usergroup_user_index}]}");
|
||
|
||
# Group doesn't exist and group name is defined
|
||
"usermanagement_user_group_definition_error_${usergroup_user_index}" expression => "(!usermanagement_group_exists_${usergroup_user_index}.usermanagement_user_groupmatchesname_${usergroup_user_index})|(!usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_group_exists_${usergroup_user_index})";
|
||
|
||
# check if user exists when enforcing ids
|
||
"usermanagement_uid_exists_${usergroup_user_index}" expression => userexists("${usergroup_user_uid[${usergroup_user_index}]}"),
|
||
ifvarclass => "!usermanagement_user_uid_empty_${usergroup_user_index}";
|
||
|
||
# UID is defined and already exists
|
||
"usermanagement_user_uid_definition_error_${usergroup_user_index}" expression => "!usermanagement_user_uid_empty_${usergroup_user_index}.usermanagement_uid_exists_${usergroup_user_index}";
|
||
|
||
# if we want to create a user, and a group with the username exists (no group name defined),then we need to force addition of user to that group (mandatory for debian and redhat, non mandatory for SLES)
|
||
"usermanagement_user_force_user_in_group_${usergroup_user_index}" expression => groupexists("${usergroup_user_login[${usergroup_user_index}]}"),
|
||
ifvarclass => "usermanagement_user_groupempty_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
# Class 'any' is executed before others classes defined.
|
||
# Same as 'any' but execution will be after all classes defined
|
||
"any_2nd_pass" expression => "any";
|
||
|
||
"showtime" expression => isvariable("nameopt[1]");
|
||
|
||
showtime::
|
||
# if defined, we can move the user home (because we know the previous value)
|
||
"usermanagement_user_current_home_defined_${usergroup_user_index}" expression => isvariable("usermanagement_user_move_home_dir_from[${usergroup_user_index}]");
|
||
|
||
# Must move the home if:
|
||
# - home is not the same as the defined home on the node for user
|
||
# - we asked to personnalize, and the values are valid
|
||
"usermanagement_user_current_home_is_invalid_${usergroup_user_index}" not => strcmp("${usermanagement_user_move_home_dir_from[${usergroup_user_index}]}", "${usergroup_user_home[${usergroup_user_index}]}"),
|
||
ifvarclass => "usermanagement_user_current_home_defined_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_home_pershome_invalid_${usergroup_user_index}";
|
||
|
||
|
||
any::
|
||
"pass3" expression => "pass2";
|
||
"pass2" expression => "pass1";
|
||
"pass1" expression => "any";
|
||
|
||
files:
|
||
!windows::
|
||
"/etc/passwd"
|
||
create => "false",
|
||
edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
"/etc/passwd"
|
||
create => "false",
|
||
edit_line => set_user_fullname("${usergroup_user_login[${usergroup_user_index}]}","${usergroup_user_index}","${usergroup_user_fullname[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
action => WarnOnly,
|
||
ifvarclass => "usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
aix::
|
||
# On AIX, if password is supplied and user must exist, then the second field needs to be a ! to allow login
|
||
"/etc/passwd"
|
||
create => "false",
|
||
edit_line => set_colon_field("${usergroup_user_login[${usergroup_user_index}]}", "2", "!"),
|
||
edit_defaults => noempty_backup,
|
||
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
!windows.!aix::
|
||
# Define password when user has already been created
|
||
"/etc/shadow"
|
||
create => "false",
|
||
edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# Check password if we are in "check only (account should exist)
|
||
# Due to https://tracker.mender.io/browse/CFE-2424, if password is correct, no class is defined. Waiting for fix in the agent
|
||
"/etc/shadow"
|
||
create => "false",
|
||
edit_line => set_user_field("${usergroup_user_login[${usergroup_user_index}]}", 2, "${usergroup_user_password[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
action => WarnOnly,
|
||
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
|
||
ifvarclass => "!usermanagement_user_pwempty_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
|
||
|
||
aix::
|
||
"/etc/security/passwd"
|
||
create => "false",
|
||
edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# set the last update date if password has been updated
|
||
"/etc/security/passwd"
|
||
create => "false",
|
||
edit_line => ncf_edit_lastupdate_AIX_password("${usergroup_user_login[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
ifvarclass => "usermanagement_user_password_${usergroup_user_index}_repaired.((usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index}))";
|
||
|
||
|
||
"/etc/security/passwd"
|
||
create => "false",
|
||
edit_line => ncf_ensure_AIX_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password_aix[${usergroup_user_index}]}"),
|
||
edit_defaults => noempty_backup,
|
||
action => WarnOnly,
|
||
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
|
||
ifvarclass => "!usermanagement_user_pwempty_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
|
||
|
||
|
||
methods:
|
||
windows::
|
||
# check user password
|
||
"check_user_password" usebundle => check_usergroup_user_parameters_windows_password("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_password[${usergroup_user_index}]}", "${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_login_add_${usergroup_user_index}_repaired.usermanagement_user_pwoneshot_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})|(usermanagement_user_update_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_pweverytime_${usergroup_user_index}.!usermanagement_user_pwempty_${usergroup_user_index})";
|
||
|
||
# check user fullname
|
||
"check_user_fullname" usebundle => check_usergroup_user_parameters_windows_fullname("${usergroup_user_login[${usergroup_user_index}]}", "${usergroup_user_fullname[${usergroup_user_index}]}", "${usergroup_user_action[${usergroup_user_index}]}", "${nameopt[${usergroup_user_index}]}", "${usergroup_user_index}"),
|
||
ifvarclass => "(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}).!usermanagement_user_nameempty_${usergroup_user_index}";
|
||
|
||
pass3.showtime::
|
||
|
||
# Add user
|
||
## Does exist (Success)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is already present on the system"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_login_add_${usergroup_user_index}_repaired.(usermanagement_user_nameempty_${usergroup_user_index}|usermanagement_fullname_edit_${usergroup_user_index}_kept)";
|
||
|
||
## Seems to exist with a wrong Full Name (Repaired)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) had a wrong fullname"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}.(usermanagement_fullname_edit_${usergroup_user_index}_repaired|usermanagement_fullname_edit_${usergroup_user_index}_error)";
|
||
|
||
## Added (Repaired)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been added to the system"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_login_add_${usergroup_user_index}_repaired";
|
||
|
||
## Error
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system"),
|
||
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_login_add_${usergroup_user_index}_error";
|
||
|
||
## Could not be added, for the default path was not selected, but the custom one was not defined
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the default home directory was not selected, but the custom path was not specified"),
|
||
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_custom_home_defined_${usergroup_user_index}";
|
||
|
||
## Could not be added, as a custom group was asked for and did not exist on the system
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom group \"${usergroup_user_groupname[${usergroup_user_index}]}\" does not exist"),
|
||
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_group_definition_error_${usergroup_user_index}";
|
||
|
||
## Could not be added, as a custom uid was asked for and did exist on the system
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be added to the system because the custom uid \"${usergroup_user_uid[${usergroup_user_index}]}\" already exists"),
|
||
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_uid_definition_error_${usergroup_user_index}";
|
||
|
||
# Remove user
|
||
## Does not exist (Success)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) does not exist, as required"),
|
||
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
|
||
|
||
## Removed (Repaired)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) has been removed from the system"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}.usermanagement_login_remove_${usergroup_user_index}_repaired";
|
||
|
||
## Error
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) could not be removed from the system"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}.usermanagement_login_remove_${usergroup_user_index}_error";
|
||
|
||
# Check user not exists
|
||
## Does not exist (Success)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which is in accordance with the non presence policy"),
|
||
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkabs_${usergroup_user_index}";
|
||
|
||
## Does exist (Error)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which violates the non presence policy"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkabs_${usergroup_user_index}";
|
||
|
||
# Check user exists
|
||
## Does exist (Success)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, which is in conformance with the presence policy"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}.(usermanagement_user_nameempty_${usergroup_user_index}|usermanagement_fullname_edit_${usergroup_user_index}_kept)";
|
||
|
||
## Seems to exist with a wrong Full Name (Error)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is present on the system, but does not have the right fullname"),
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_nameempty_${usergroup_user_index}.(usermanagement_fullname_edit_${usergroup_user_index}_repaired|usermanagement_fullname_edit_${usergroup_user_index}_error)";
|
||
|
||
## Does not exist (Error)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Users", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) is not present on the system, which violates the presence policy"),
|
||
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
|
||
|
||
# Password handling
|
||
"any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password", "${usergroup_user_index}"),
|
||
ifvarclass => "!usermanagement_user_checkpres_${usergroup_user_index}";
|
||
|
||
# Password handling in check only
|
||
"any" usebundle => rudder_common_reports_generic_index("userGroupManagement", "usermanagement_user_password_${usergroup_user_index}", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The check of password for user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) ", "${usergroup_user_index}"),
|
||
ifvarclass => "usermanagement_user_checkpres_${usergroup_user_index}";
|
||
|
||
## Change not needed (Success)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required"),
|
||
ifvarclass => "((!usermanagement_user_password_${usergroup_user_index}_kept.!usermanagement_user_password_${usergroup_user_index}_repaired.!usermanagement_user_password_${usergroup_user_index}_error).((usermanagement_user_pwoneshot_${usergroup_user_index}.usermanagement_user_exists_${usergroup_user_index})|usermanagement_user_pwempty_${usergroup_user_index}|(usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.(usermanagement_user_group_definition_error_${usergroup_user_index}|usermanagement_user_uid_definition_error_${usergroup_user_index}))))|usermanagement_user_remove_${usergroup_user_index}";
|
||
|
||
## Change not needed (N/A)
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Password", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} ( ${repname[${usergroup_user_index}]} ) password change is not required"),
|
||
ifvarclass => "(!usermanagement_user_password_${usergroup_user_index}_kept.!usermanagement_user_password_${usergroup_user_index}_repaired.!usermanagement_user_password_${usergroup_user_index}_error).((usermanagement_user_checkpres_${usergroup_user_index}.usermanagement_user_pwoneshot_${usergroup_user_index})|(usermanagement_user_checkpres_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}))|usermanagement_user_checkabs_${usergroup_user_index}";
|
||
|
||
|
||
# Homedir management
|
||
## On Windows, we don't do the home part
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "Home directory are not enforced on Windows"),
|
||
ifvarclass => "windows";
|
||
|
||
## In case of user to remove or to check absent, this is a result_na
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} should not be present, it doesn't need to have its home directory checked"),
|
||
ifvarclass => "!windows.(usermanagement_user_remove_${usergroup_user_index}|usermanagement_user_checkabs_${usergroup_user_index})";
|
||
|
||
## In case of check user present or update, but with default home, this is result_na
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_na", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} doesn't need to have its home directory checked"),
|
||
ifvarclass => "!windows.(!usermanagement_user_pershome_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}))";
|
||
|
||
## In case of check user present or update, but the home is already correct, this is success
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_success", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory is valid"),
|
||
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.!usermanagement_user_current_home_is_invalid_${usergroup_user_index}.(usermanagement_user_update_${usergroup_user_index}|usermanagement_user_checkpres_${usergroup_user_index}))";
|
||
|
||
## In case of update, but the home was not correct, and could be changed, this is repaired
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was changed (but not moved)"),
|
||
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.(usermanagement_login_home_change_${usergroup_user_index}_repaired.!usermanagement_login_home_change_${usergroup_user_index}_error).usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
|
||
|
||
## In case of update, but the home was not correct, and could not be changed, this is error
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory could not be changed"),
|
||
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.usermanagement_login_home_change_${usergroup_user_index}_error.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
|
||
|
||
## In case of update, but the home was not correct, and could be moved, this is repaired
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_repaired", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was moved"),
|
||
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.(usermanagement_login_home_move_${usergroup_user_index}_repaired.!usermanagement_login_home_move_${usergroup_user_index}_error).usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
|
||
|
||
## In case of update, but the home was not correct, and could not be moved, this is error
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory could not be moved"),
|
||
ifvarclass => "!windows.(usermanagement_user_pershome_${usergroup_user_index}.usermanagement_login_home_move_${usergroup_user_index}_error.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index})";
|
||
|
||
## In case of check only, and the home was not correct, this is error
|
||
"any" usebundle => rudder_common_report("userGroupManagement", "result_error", "${usergroup_directive_id[${usergroup_user_index}]}", "Home directory", "${usergroup_user_login[${usergroup_user_index}]}", "The user ${usergroup_user_login[${usergroup_user_index}]} home directory was invalid"),
|
||
ifvarclass => "!windows.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_checkpres_${usergroup_user_index}";
|
||
|
||
commands:
|
||
|
||
&if(NOVA)&
|
||
windows.showtime::
|
||
|
||
"\"${sys.winsysdir}\net.exe\""
|
||
args => "USER ${usergroup_user_login[${usergroup_user_index}]} ${usergroup_user_password[${usergroup_user_index}]} /ADD ${nameopt[${usergroup_user_index}]}",
|
||
classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"),
|
||
comment => "Create the user ${usergroup_user_login[${usergroup_user_index}]}",
|
||
ifvarclass => "!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}";
|
||
|
||
"\"${sys.winsysdir}\net.exe\""
|
||
args => "USER ${usergroup_user_login[${usergroup_user_index}]} /DELETE",
|
||
classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_repaired", "usermanagement_login_remove_${usergroup_user_index}_error"),
|
||
comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
|
||
|
||
&endif&
|
||
|
||
!windows.showtime::
|
||
|
||
"/usr/sbin/useradd"
|
||
args => "${useropt[${usergroup_user_index}]} ${groupopt[${usergroup_user_index}]} -m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
|
||
classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"),
|
||
comment => "Create the user",
|
||
ifvarclass => "!usermanagement_user_uid_definition_error_${usergroup_user_index}.!usermanagement_user_group_definition_error_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.!usermanagement_user_pershome_${usergroup_user_index}";
|
||
|
||
"/usr/sbin/useradd"
|
||
args => "${useropt[${usergroup_user_index}]} ${groupopt[${usergroup_user_index}]} -m ${nameopt[${usergroup_user_index}]} -s ${usergroup_user_shell[${usergroup_user_index}]} -d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
|
||
classes => cf2_if_else("usermanagement_login_add_${usergroup_user_index}_repaired", "usermanagement_login_add_${usergroup_user_index}_error"),
|
||
comment => "Create the user with a custom home directory",
|
||
ifvarclass => "!usermanagement_user_uid_definition_error_${usergroup_user_index}.!usermanagement_user_group_definition_error_${usergroup_user_index}.!usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_update_${usergroup_user_index}.usermanagement_user_pershome_${usergroup_user_index}.usermanagement_user_custom_home_defined_${usergroup_user_index}";
|
||
|
||
"/usr/sbin/userdel"
|
||
args => "${usergroup_user_login[${usergroup_user_index}]}",
|
||
classes => cf2_if_else("usermanagement_login_remove_${usergroup_user_index}_repaired", "usermanagement_login_remove_${usergroup_user_index}_error"),
|
||
comment => "Delete the user ${usergroup_user_login[${usergroup_user_index}]}",
|
||
ifvarclass => "usermanagement_user_exists_${usergroup_user_index}.usermanagement_user_remove_${usergroup_user_index}";
|
||
|
||
# Change user home dir
|
||
## Move the home dir
|
||
"/usr/sbin/usermod"
|
||
args => "-d ${usergroup_user_home[${usergroup_user_index}]} -m ${usergroup_user_login[${usergroup_user_index}]}",
|
||
classes => cf2_if_else("usermanagement_login_home_move_${usergroup_user_index}_repaired", "usermanagement_home_move_${usergroup_user_index}_error"),
|
||
comment => "Change home directory (move it)",
|
||
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.usermanagement_user_custom_home_move_valid_${usergroup_user_index}";
|
||
|
||
## Doesn't move the home dir
|
||
"/usr/sbin/usermod"
|
||
args => "-d ${usergroup_user_home[${usergroup_user_index}]} ${usergroup_user_login[${usergroup_user_index}]}",
|
||
classes => cf2_if_else("usermanagement_login_home_change_${usergroup_user_index}_repaired", "usermanagement_home_change_${usergroup_user_index}_error"),
|
||
comment => "Change home directory definition for user (doesn't move files)",
|
||
ifvarclass => "usermanagement_user_update_${usergroup_user_index}.usermanagement_user_current_home_is_invalid_${usergroup_user_index}.!usermanagement_user_custom_home_move_${usergroup_user_index}";
|
||
|
||
|
||
}
|
||
|
||
bundle edit_line set_user_fullname(user,user_index,fullname)
|
||
{
|
||
field_edits:
|
||
"${user}:.*"
|
||
# Edit GECOS on /etc/passwd
|
||
edit_field => col(":", "5", "${fullname}", "set"),
|
||
classes => classes_generic("usermanagement_fullname_edit_${user_index}");
|
||
|
||
}
|
||
|
||
# Bundle to check the full name of a user on windows
|
||
# Takes the user login, the expected fullname, the action (checkhere for not editing), the FULLNAME set attribute for net.exe and the index for reporting
|
||
bundle agent check_usergroup_user_parameters_windows_fullname(user, fullname, usergroup_user_action, nameopt, usergroup_user_index) {
|
||
vars:
|
||
"current_fullname" string => execresult("Get-WMIObject Win32_UserAccount | where Name -eq '${user}' | ForEach { write-host $_.FullName }", "powershell");
|
||
|
||
classes:
|
||
"usermanagement_user_checkpres" expression => strcmp("${usergroup_user_action}","checkhere");
|
||
"user_valid" expression => strcmp("${current_fullname}", "${fullname}");
|
||
|
||
methods:
|
||
user_valid::
|
||
"already_correct" usebundle => _classes_success("usermanagement_fullname_edit_${usergroup_user_index}");
|
||
|
||
!user_valid.usermanagement_user_checkpres::
|
||
# fullname is not valid, but don't request to change it
|
||
"invalid_user" usebundle => _classes_failure("usermanagement_fullname_edit_${usergroup_user_index}");
|
||
|
||
commands:
|
||
# if user is invalid, and we want to enforce fullname:
|
||
!user_valid.!usermanagement_user_checkpres::
|
||
"\"${sys.winsysdir}\net.exe\""
|
||
args => "USER ${user} ${nameopt}",
|
||
classes => classes_generic("usermanagement_fullname_edit_${usergroup_user_index}");
|
||
}
|
||
|
||
# Enforce user password
|
||
# takes the user login, the expected password (clear text), and the index for reports
|
||
bundle agent check_usergroup_user_parameters_windows_password(user, password, usergroup_user_index) {
|
||
vars:
|
||
"password_valid" string => execresult("Add-Type -AssemblyName System.DirectoryServices.AccountManagement; $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME); $DS.ValidateCredentials('${user}', '${password}')", "powershell");
|
||
|
||
|
||
classes:
|
||
"usermanagement_user_password_${usergroup_user_index}_kept" expression => strcmp("True", "${password_valid}"),
|
||
scope => "namespace";
|
||
|
||
commands:
|
||
"\"${sys.winsysdir}\net.exe\""
|
||
args => "USER ${user} ${password}",
|
||
classes => classes_generic("usermanagement_user_password_${usergroup_user_index}"),
|
||
ifvarclass => "!usermanagement_user_password_${usergroup_user_index}_kept";
|
||
|
||
}
|
Refs #11596: Creation of userManagement version 7.2 from 7.1