machillef

Reputation: 5

Adding users in ansible and enforcing password change, resets user's password when adding new user

I am having problems with Ansible and adding new users to servers. Firstly I check if the users are present on the system and if not, then I proceed to create them.

I found a somewhat similar problem here: ansible user module always shows changed, and I was able to fix the changed status when adding a new user in the file userlist by adding a simple salt. However, the last part, which is the handler, is always performed.

This is what my playbook looks like:

---
- hosts: all
  become: yes
  vars_files:
    - /home/ansible/userlist

  tasks:

    # check if user exists in system, using the username
    # and trying to search inside passwd file
    - name: check user exists
      getent:
        database: passwd
        key: "{{ item }}"
      loop: "{{ users }}"
      register: userexists
      ignore_errors: yes

    - name: add user if it does not exist
      user:
        name: "{{ item }}"
        password: "{{ 'password' | password_hash('sha512', 'mysecretsalt')  }}"
        update_password: on_create
      loop: "{{ users }}"
      when: userexists is failed
      notify: change password

  handlers:

    - name: change user password upon creation
      shell: chage -d 0 "{{ item }}"
      loop: "{{ users }}"
      listen: change password

And here is the simple file called userlist:

users:
- testuser1
- testuser2
- testuser3
- testuser22

When I am running the playbook without changes to the userlist file, everything is fine. However, if I add a new user to the file, then, when an existing user tries to log in, the system forces them to change their password, because the handler is always called. Is there any way to alter the code so that the immediate enforcement of a password change is only performed on newly created users?

Upvotes: 0

Views: 5555

Answers (1)

Matt P

Reputation: 2615

There are 2 main issues in your playbook:

  1. userexists is registering each result individually, but you are referencing only the overall "failure" result. Use a debug statement to show the variable to see what I mean.
  2. If the handler is notified, you are looping on all users, rather than only those that have "changed" (i.e. have been created)

There are a couple of different approaches to fix this, but I think this might be the most succinct:

  tasks:
    - name: add user if it does not exist
      user:
        name: "{{ item }}"
        password: "{{ 'password' | password_hash('sha512', 'mysecretsalt')  }}"
        update_password: on_create
      loop: "{{ users }}"
      register: useradd
      notify: change password

  handlers:
    - name: change user password upon creation
      shell: chage -d 0 {{ item.name }}
      loop: "{{ useradd.results }}"
      when: item.changed
      listen: change password

Upvotes: 2
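The same fix as a complete play, with the hardening a practitioner would add around it. This is an added example, not code from either poster: it assumes the initial password is defined as `vault_initial_user_password` in an Ansible Vault file (the path `/home/ansible/vault.yml` is a placeholder), keeps `/home/ansible/userlist` as the source of the `users` list, and uses the per-host random salt idiom from the Ansible `password_hash` documentation instead of a hardcoded salt.

```yaml
---
# Added example (not from the question or the answer): create users only once,
# then force a password change on first login for the newly created accounts only.
- hosts: all
  become: yes
  # run handlers even if a later task fails, so a freshly created account is
  # never left with the shared initial password and no forced change
  force_handlers: true
  vars_files:
    - /home/ansible/userlist        # provides the "users" list, as on the page
    - /home/ansible/vault.yml       # placeholder: vault file defining vault_initial_user_password

  tasks:
    - name: add user if it does not exist
      ansible.builtin.user:
        name: "{{ item }}"
        # per-host random salt keeps the hash stable between runs (no spurious
        # "changed") without hardcoding the salt in the playbook
        password: "{{ vault_initial_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        update_password: on_create
      loop: "{{ users }}"
      register: useradd
      no_log: true                  # keep the password and its hash out of the log
      notify: change password

    # what the registered variable really contains: one result per loop item,
    # each with its own "changed" flag (this is the debug step the answer mentions)
    - name: show per-user creation results
      ansible.builtin.debug:
        msg: "{{ item.item }}: changed={{ item.changed }}"
      loop: "{{ useradd.results }}"
      loop_control:
        label: "{{ item.item }}"

  handlers:
    - name: change user password upon creation
      # only the accounts this run actually created; item.item is the username
      ansible.builtin.command: chage -d 0 {{ item.item }}
      loop: "{{ useradd.results | selectattr('changed') | list }}"
      loop_control:
        label: "{{ item.item }}"
      listen: change password
```

`selectattr('changed')` with no test keeps only results whose `changed` flag is truthy, so the handler never touches pre-existing accounts. `command` is used instead of `shell` because no shell features are needed and it avoids shell interpretation of the username. If the play should not rely on handler ordering at all, the `chage` step can be a regular task placed directly after the `user` task with the same `loop`.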
