For many years I struggled with this question: “How do I effectively manage access control to Linux servers?” There are many options, including LDAP, Kerberos KDC, and the like, but I disliked each of them for one reason or another. Centralized auth is prone to failure and proper redundancy is painful to manage. Often password auth is well managed, but key distribution is difficult, or vice versa. With Puppet, I found a beautiful alternative. We can use Puppet to manage users and groups and distribute public keys. It can even enforce file and directory permissions and set password hashes. Gone are the days of writing big ugly scripts to push users and keys out to your whole farm of servers. We’ll see how to accomplish this in a less painful manner using Puppet.
First, we’ll need a framework that can build user accounts in a repeatable fashion given a set of user attributes. We’ll use a definition to make a reusable structure that can implement the user type repeatedly with different inputs.
There is a lot going on in this snippet, so I’ll step through it point by point:
We’ve set up a class called
declares a package resource to install
for Ruby. This is a prerequisite that Puppet will need before it can
manage passwords in the user type.
Next we declare a define that takes a bunch of arguments
describing our user and set a custom variable
$username to the name of the resource, for
Then a user type ...