User account managed module for Puppet
Puppet Shell Ruby
Switch branches/tags
Nothing to show
Latest commit 668de34 Dec 28, 2012 @dcsobral Merge pull request #10 from douglas/patch-1
Update manifests/definitions/useraccount.pp
Failed to load latest commit information.
manifests Update manifests/definitions/useraccount.pp Dec 28, 2012
scripts Move script to the module Nov 4, 2010
README.mkd Corrected typo in documentation Nov 11, 2012


users puppet module

Manages user configuration.

Supported corrective actions under: Debian.


  • users


Realize all useraccount, massuseraccount and lookup defines tagged with 'administrators'. Also, realize User, Group, File and Exec likewise tagged, to handle exceptional cases.


  • users::account
  • users::gidsanity
  • users::lookup
  • users::lookupkey
  • users::masskeys
  • users::massuseraccount
  • users::uidsanity


Create a user account with a primary group of the same name. If uid is provided and the client supports the custom facts provided with this module, do some sanity checking beforehand, moving users and groups with conflicting guids to the same guids + 10000.

Note that just like user name and primary group name are kept the same, uid and gid are kept equal.

Also copy a tree of files in one of two ways:

  1. If there's a "managed" directory from one of the options below, use it and control file content. The file paths checked for are absolute, so it may need changing if the default file server path is different. Also, it uses a script at /etc/puppet/modules/users/scripts to check for these files, which may also need changing depending on the module path and module name.

    • /etc/puppet/files/users/home/managed/host/${username}.$fqdn
    • /etc/puppet/files/users/home/managed/host/${username}.$hostname
    • /etc/puppet/files/users/home/managed/domain/${username}.$domain
    • /etc/puppet/files/users/home/managed/env/${username}.$environment
    • /etc/puppet/files/users/home/managed/user/${username}
    • /etc/puppet/files/users/home/managed/skel
  2. Otherwise, use one of the directories below as a default (modified files do not get replaced).

    • puppet:///files/users/home/default/host/${username}.$fqdn
    • puppet:///files/users/home/default/host/${username}.$hostname
    • puppet:///files/users/home/default/domain/${username}.$domain
    • puppet:///files/users/home/default/env/${username}.$environment
    • puppet:///files/users/home/default/user/${username}
    • puppet:///files/users/home/default/skel
    • puppet:///files/users/home/default/skel
    • puppet:///users/home/default/skel

In neither case will other files be purged. Also, there is no mode control, though all files will be created with user and group onwership.

Also ensures that the .ssh directory and .bash_history will be kept with appropriate permissions.


@users::useraccount { "bob":
    ensure   => present,
    fullname => "Uncle Bob",
    uid      => 1000,
    groups   => [ "wheel" ], # Extra groups, defaults to none
    shell    => '/bin/bash', # default value
    password => 'hash',


Checks that no other group is using this gid, and, if it is, moves it up 10000.

Also, if the group exists but doesn't presently have this gid, pre-emptively change group owner ship of all files in the home directory with the current gid, so that they'll be correct after the group id was corrected (elsewhere).


Add a user through extdata lookup. The user is added with the extra groups provided, but name, uid and password come from the csv file.


@users::lookup { 'username':
    ensure => present, # default value
    groups => [], # default value

CSV file:

username_account,uid,Full Name,hashed password


Add a key to a user's authorized_keys file through extdata lookup. It supports arbitrary number of options, and //requires// a comment field, which will be prepended with the username to avoid problems with it being used as primary key on ssh_authorized_keys when multiple users are using the same key.

Options containing double quotes should be enclosed in double quotes themselves, and its own double quotes doubled (see example).

The CSV format was designed to be almost equal to authorized_keys itself, with just the need to replace spaces separating options, key type, key and comment with commas, plus the above mentioned double quote handling.


@users::lookupkey { 'username':
    ensure => present, # default value

CSV file:



Add a key to user's authorized keys file through direct passing. Default comment on key is "default-key" and default type is "ssh-rsa".


@users::userkey { 'username':
    ensure => present,
    key    => "key",


Add keys to user's authorized_keys files through extdata lookup. See users::lookupkey for more details.


@users::masskeys { 'group':
    ensure => present, # default value

CSV file:



Adds users through extdata lookup. The users are added with the extra groups provided, but name, uid and password come from the csv files, as well as the list of users.


@users::massuseraccount { 'group':
    ensure => present, # default value
    groups => [], # default value

CSV file:

username_account,uid,Full Name,hashed password


Checks that no other user is using this uid, and, if it is, moves it up 10000.