Lock user if they exist, but don't create them

asked 2018-04-05 20:51:49 -0500

adam.gardner gravatar image

Is there any way, in a Puppet manifest, to specify that a user should be locked if they exist, but if they don't exist, leave them absent rather than creating and then locking them?

user { 'foo':
  ensure => absent,

will delete the specified user account, whereas I just want to lock it.

user { 'foo':
  locked => true,

will lock the account as desired, but on systems where the account doesn't already exist, it'll create it in order to lock it, which isn't what I want at all.

Ideally I'd like to do this without exec, but I don't see that there's really any alternative without patching the the the provider code for user.

edit retag flag offensive close merge delete


As far as I know, this is not possible. Puppet can't manage something without it existing, and puppet doesn't make decisions. So if you say you want it locked then it will make it to lock it. Because it assumes you wouldn't try to manage something unless you wanted it to exist.

ffalor gravatar imageffalor ( 2018-04-10 08:17:57 -0500 )edit

You can make a custom fact to see if this account exists, and if it does set the fact to true. Then do an if on the fact. If true then lock. Else do nothing. I would just do an exec. "Lock this account" Unless "Account doesn't exist"

ffalor gravatar imageffalor ( 2018-04-10 08:18:35 -0500 )edit