User Management with Bcfg2
The files in this repository implement basic user management with Bcfg2.
This allows for adding users and groups, modifying their attributes, and
managing ~/.ssh/authorized_keys files according to an XML specification.
Users and groups which exist on the managed Bcfg2 clients but are not
defined in the specification are ignored.
The bcfg2-lint(8) tool available in Bcfg2 1.2.0 and newer can be used
to validate the XML specification syntactically.
The Bundler, Properties, and Probes plugins must be enabled in the Bcfg2 server configuration.
The following tools must be available on the managed Bcfg2 clients:
The Bundler/accounts.genshi template expects to find the first four of these commands in the
/usr/sbin directory of the client. If they are installed to another location, the
<BoundAction> entries in the Bundler/accounts.genshi template must be modified accordingly.
- Copy Bundler/accounts.genshi, Probes/accounts,
Properties/accounts.xsd, and Properties/keys.xsd to your Bcfg2
configuration repository (its location is set in the Bcfg2 server configuration).
- Add <Bundle name='accounts'/> to the desired group(s) in your Metadata/groups.xml file.
Users and groups are specified in the Properties/accounts.xml file; SSH
public keys are grouped in the Properties/keys.xml file. The content of
both files must be enclosed in <Properties> root tags.
<Client> tags (and their negate attribute) can be used as in other
places of the Bcfg2 configuration (see the Bundler documentation for
details on how they are parsed).
This repository includes examples of both files, which should be mostly self-explanatory.
In the Properties/accounts.xml file, the desired users and groups are
declared with <UnixUser> and <UnixGroup> entries.
<UnixUser> attributes are:
| attribute | description |
| --- | --- |
| name | user name (required!) |
| uid | user's UID (required!) |
| group | primary group name (default: user name) |
| gid | group's GID (default: uid) |
| gecos | comment (default: capitalized user name) |
| home | home directory (default: /home/name or /root) |
| shell | login shell (default: specified in Bundler/accounts.genshi) |
| extra_groups | space-separated list of supplementary groups (default: none) |
| key_group | see below (default: don't touch the authorized_keys file) |
<UnixGroup> attributes are:
| attribute | description |
| --- | --- |
| name | group name (required!) |
| gid | group's GID (required!) |
Note that the user's primary group will be created automatically if it
doesn't exist on the client, whereas any specified extra_groups must be
defined explicitly using <UnixGroup> entries if they don't already exist
on all clients in question.
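The following checker is an added example and not part of this repository: it parses a constructed Properties/accounts.xml, applies the defaults from the attribute table above, and reports the inconsistencies the bcfg2-lint XSD check cannot see, namely supplementary groups with no <UnixGroup> entry (the rule just stated), primary-group GID conflicts, and duplicate UIDs/GIDs. The sample XML, the DEFAULT_SHELL value and the function names are assumptions; the real default shell lives in Bundler/accounts.genshi, and <Client> tags are not handled here.

```python
import xml.etree.ElementTree as ET

# Constructed sample Properties/accounts.xml (not the repository's own example
# file). The <Properties> root element is required by Bcfg2; <Client> tags are
# not handled by this checker.
ACCOUNTS_XML = """<Properties>
  <UnixGroup name="admins" gid="1100"/>
  <UnixGroup name="deploy" gid="1101"/>
  <UnixUser name="root" uid="0" key_group="admins"/>
  <UnixUser name="alice" uid="1001" extra_groups="admins deploy" key_group="admins"/>
  <UnixUser name="bob" uid="1002" gecos="Bob B." shell="/bin/sh" extra_groups="deploy staff"/>
</Properties>
"""

# Assumed default login shell; the real default is set in Bundler/accounts.genshi.
DEFAULT_SHELL = "/bin/bash"


def expand_user(elem):
    """Return one <UnixUser> as a dict with the documented defaults applied."""
    name = elem.get("name")
    uid = int(elem.get("uid"))
    return {
        "name": name,
        "uid": uid,
        "group": elem.get("group", name),
        "gid": int(elem.get("gid", uid)),
        "gecos": elem.get("gecos", name.capitalize()),
        "home": elem.get("home", "/root" if name == "root" else "/home/" + name),
        "shell": elem.get("shell", DEFAULT_SHELL),
        "extra_groups": elem.get("extra_groups", "").split(),
        "key_group": elem.get("key_group"),  # None: leave authorized_keys alone
    }


def check_accounts(xml_text):
    """Parse an accounts.xml document and return (users, groups, problems).

    problems is a list of human-readable findings; an empty list means the
    specification is internally consistent.
    """
    root = ET.fromstring(xml_text)
    problems = []
    required = {"UnixUser": ("name", "uid"), "UnixGroup": ("name", "gid")}
    for tag, attrs in required.items():
        for elem in root.iter(tag):
            missing = [a for a in attrs if elem.get(a) is None]
            if missing:
                problems.append(f"<{tag}> missing required attribute(s): {missing}")
    if problems:
        return [], {}, problems  # defaults cannot be expanded without name/uid/gid

    groups = {g.get("name"): int(g.get("gid")) for g in root.iter("UnixGroup")}
    users = [expand_user(u) for u in root.iter("UnixUser")]

    # Supplementary groups are not auto-created, so each must be a <UnixGroup>.
    for u in users:
        for g in u["extra_groups"]:
            if g not in groups:
                problems.append(f"user {u['name']}: extra group '{g}' has no <UnixGroup> entry")

    # A primary group that is also declared as <UnixGroup> must agree on the GID.
    for u in users:
        if u["group"] in groups and groups[u["group"]] != u["gid"]:
            problems.append(f"user {u['name']}: primary group '{u['group']}' gid {u['gid']} "
                            f"conflicts with <UnixGroup> gid {groups[u['group']]}")

    # UIDs and GIDs must be unique across the whole specification.
    seen_uid = {}
    for u in users:
        if u["uid"] in seen_uid:
            problems.append(f"uid {u['uid']} used by both {seen_uid[u['uid']]} and {u['name']}")
        seen_uid.setdefault(u["uid"], u["name"])
    seen_gid = {}
    for gname, gid in list(groups.items()) + [(u["group"], u["gid"]) for u in users]:
        if gid in seen_gid and seen_gid[gid] != gname:
            problems.append(f"gid {gid} used by both {seen_gid[gid]} and {gname}")
        seen_gid.setdefault(gid, gname)

    return users, groups, problems


if __name__ == "__main__":
    users, groups, problems = check_accounts(ACCOUNTS_XML)
    for u in users:
        print(u)
    for p in problems:
        print("PROBLEM:", p)
```

Run against the sample, the only finding is bob's supplementary group "staff", which has no <UnixGroup> entry and would therefore fail on a client that does not already have it.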
First of all, the SSH public key files which will be referenced in the
specification must be copied into the directory named by the
key_directory setting at the top of the Bundler/accounts.genshi file; to
change this directory path, that setting must be modified.
In the Properties/keys.xml file, SSH public key files are grouped using
<PubKey file='foo.pub'/> entries within <KeyGroup name='bar'> tags.
<KeyGroup> tags may also include other <KeyGroup> tags such as
<KeyGroup name='inherited'/> in order to include the members of the
referenced group. A <KeyGroup> name can then be referenced using the
key_group attribute of <UnixUser> tags in the Properties/accounts.xml file.
This adds the content of all <PubKey> files in this group to the
~/.ssh/authorized_keys file of the <UnixUser> in question. Any
other data will be removed from that file.
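To make the key-group semantics concrete, here is an added example (not code from this repository or from Bcfg2) that parses a constructed Properties/keys.xml, resolves nested <KeyGroup> references into the flat, ordered list of PubKey files a user would receive, and renders the resulting authorized_keys content. It goes slightly beyond the text by rejecting cyclic or undefined references, which the description above leaves unspecified. The sample XML, the KEY_FILES stand-in for the key directory (with placeholder key strings) and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample Properties/keys.xml (not the repository's own example
# file). Top-level <KeyGroup> elements define groups; a <KeyGroup> nested
# inside another one refers to a top-level group and pulls in its members.
KEYS_XML = """<Properties>
  <KeyGroup name="ops">
    <PubKey file="alice.pub"/>
    <PubKey file="bob.pub"/>
  </KeyGroup>
  <KeyGroup name="admins">
    <KeyGroup name="ops"/>
    <PubKey file="carol.pub"/>
    <PubKey file="alice.pub"/>
  </KeyGroup>
  <KeyGroup name="loop-a"><KeyGroup name="loop-b"/></KeyGroup>
  <KeyGroup name="loop-b"><KeyGroup name="loop-a"/></KeyGroup>
</Properties>
"""

# Stand-in for the key_directory on the Bcfg2 server: file name -> file content.
# The key strings are constructed placeholders, not real public keys.
KEY_FILES = {
    "alice.pub": "ssh-ed25519 AAAA...alice alice@example\n",
    "bob.pub": "ssh-ed25519 AAAA...bob bob@example\n",
    "carol.pub": "ssh-ed25519 AAAA...carol carol@example\n",
}


def load_key_groups(xml_text):
    """Map each top-level <KeyGroup> name to its element."""
    root = ET.fromstring(xml_text)
    groups = {}
    for elem in root.findall("KeyGroup"):
        name = elem.get("name")
        if name in groups:
            raise ValueError(f"KeyGroup '{name}' defined twice")
        groups[name] = elem
    return groups


def resolve_key_group(name, groups, _stack=()):
    """Return the ordered, de-duplicated list of PubKey files for a group,
    following nested <KeyGroup> references; raise on unknown or cyclic refs."""
    if name in _stack:
        raise ValueError("cyclic KeyGroup reference: " + " -> ".join(_stack + (name,)))
    if name not in groups:
        raise ValueError(f"KeyGroup '{name}' is referenced but never defined")
    files = []
    for child in groups[name]:
        if child.tag == "PubKey":
            members = [child.get("file")]
        elif child.tag == "KeyGroup":
            members = resolve_key_group(child.get("name"), groups, _stack + (name,))
        else:
            continue  # ignore anything else, e.g. comments
        for f in members:
            if f not in files:
                files.append(f)
    return files


def render_authorized_keys(name, groups, key_files):
    """Build the complete authorized_keys content for a key group: only the
    group's keys, one per line, since anything else is removed on the client."""
    lines = []
    for f in resolve_key_group(name, groups):
        if f not in key_files:
            raise FileNotFoundError(f"PubKey file '{f}' not found in key directory")
        lines.append(key_files[f].strip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    groups = load_key_groups(KEYS_XML)
    print(render_authorized_keys("admins", groups, KEY_FILES))
```

For a user with key_group='admins' the rendered file contains alice, bob and carol's keys in that order, with the duplicate alice.pub reference collapsed; a missing PubKey file or a cycle between loop-a and loop-b is reported instead of silently producing an empty or partial authorized_keys file.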
Copyright and License
Copyright (c) 2011 Freie Universitaet Berlin
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.