Locking User Accounts


#1
I'm working on making the users cookbook work for doing more general user management.  I've created a default recipe and I've got it now adding users defined in a data bag (even if they aren't in the sysadmin group).  I want to be able to lock accounts, so I've added a "locked" attribute to the data bag entries.  I also added the following to my recipe:

    # Lock or unlock the account
    user u['id'] do
      if u['locked']
        action :lock
      else
        action :unlock
      end
    end

I'm not getting any errors, but when I set the lock attribute to true on an entry and run chef-client in debug mode it reports:

[Mon, 01 Nov 2010 12:20:30 -0700] DEBUG: No need to lock user[jvanderdray]

Any pointers appreciated.

Thanks,
Jake.


#2

Yo,

On 1 November 2010 12:41, Jacob Vanderdray jvanderdray@customink.com wrote:

I'm working on making the users cookbook work for doing more general user management. I’ve created a default recipe and I’ve got it now adding users defined in a data bag (even if they aren’t in the sysadmin group). I want to be able to lock accounts, so I’ve added a “locked” attribute to the data bag entries. I also added the following to my recipe:

    # Lock or unlock the account
    user u['id'] do
      if u['locked']
        action :lock
      else
        action :unlock
      end
    end

I'm not getting any errors, but when I set the lock attribute to true on an entry and run chef-client in debug mode it reports:

[Mon, 01 Nov 2010 12:20:30 -0700] DEBUG: No need to lock user[jvanderdray]

It’s (supposed to be) idempotent, so you’d only receive this error when
jvanderdray was locked already. What platform are you on? What does the
output of passwd -S jvanderdray say?

Regards,

AJ


#3
Yeah, that was my problem.  I'd never actually set a password for the account so it was effectively locked already.  Sorry for the extra email.  Once I set a password, I was able to lock/unlock the account by updating the data bag entry.

Thanks,
Jake.

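Why an account that has never had a password reads as already locked, as an added example that is not code from this thread or from Chef: it classifies `/etc/shadow` password fields using the status codes that `passwd -S` prints on Linux shadow-utils (L, NP, P). The sample entries, the usernames other than jvanderdray, and the function names are constructed for illustration.

```ruby
# Added example: separate "locked by an admin" from "never had a password".
# Both read as status L, which is why a lock request can be a no-op.

# Constructed sample entries in /etc/shadow format (hashes are placeholders).
SAMPLE_SHADOW = <<~'SHADOW'
  alice:$6$salt$CONSTRUCTEDHASH:14914:0:99999:7:::
  bob:!$6$salt$CONSTRUCTEDHASH:14914:0:99999:7:::
  jvanderdray:!:14914:0:99999:7:::
  svc:*:14914:0:99999:7:::
  carol::14914:0:99999:7:::
SHADOW

# Returns [status, detail]. status is the L / NP / P code; detail says
# whether removing the lock marker would leave a usable hash behind.
def classify_shadow_field(field)
  return ['NP', :empty_password] if field.empty?

  if field.start_with?('!', '*')
    rest = field.sub(/\A[!*]+/, '')
    return ['L', rest.empty? ? :no_password_set : :locked_with_hash]
  end
  ['P', :usable_password]
end

# Maps each username in shadow-format text to its classification.
def audit_shadow(text)
  text.each_line.map(&:chomp).reject(&:empty?).to_h do |line|
    name, field = line.split(':', -1)
    [name, classify_shadow_field(field)]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_shadow(SAMPLE_SHADOW).each do |name, (status, detail)|
    puts format('%-12s %-2s %s', name, status, detail)
  end
end
```

An `:empty_password` entry is the one to chase in an audit, since that account has no password at all rather than a locked one.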


#4

Yo,

On 1 November 2010 13:20, Jacob Vanderdray jvanderdray@customink.com wrote:

Yeah, that was my problem. I'd never actually set a password for the account so it was effectively locked already. Sorry for the extra email. Once I set a password, I was able to lock/unlock the account by updating the data bag entry.

Dope on a rope. Perhaps quantify the user resource / provider documentation
on the wiki?

Regards,

AJ
