Ticket ID #329 Puppet‐Managed OwnCloud User Creation for Client Onboarding - GriffinKat/group-a GitHub Wiki

Automating OwnCloud User Provisioning for Client Onboarding

Summary

As part of our client onboarding process for asset migration to the OwnCloud platform, we implemented a fully automated solution using Puppet to create user accounts in advance, meeting strict password and security policies.

  • Zero manual user creation across app infrastructure

  • Enforced password policy for all users

  • Password reset required on first login

  • Delivery of login credentials to the manager via CSV

  • Clean integration with OwnCloud’s occ command-line tool

Steps to Automate OwnCloud User Creation

Puppet Module Structure

Create a puppet module owncloud_users with the following directory structure:

owncloud_users/
├── files
│   └── create_oc_users.sh
├── manifests
│   ├── config.pp
│   └── init.pp
└── templates
    └── user_list.csv.erb

image

Create User Provisioning Script

A reusable shell script (create_oc_users.sh) was developed to:

  • Generate users ocuser01 through ocuser20

  • Assign random secure passwords (A-Z, a-z, 0–9, min 10 characters and no special characters)

  • Export results to /var/www/owncloud/user_list.csv

#!/bin/bash

# Path to the CSV file where usernames and passwords will be saved
CSV_OUTPUT="/var/www/owncloud/user_list.csv"

# Write CSV header only if file doesn't exist
if [ ! -f "$CSV_OUTPUT" ]; then
  echo "username,password" > "$CSV_OUTPUT"
fi

# Loop to create 20 users with usernames ocuser01 to ocuser20
for i in $(seq -w 01 20); do

 # Define username for this iteration
 username="ocuser$i"

 # Generate a random 10-character password with uppercase, lowercase, and digits
 password=$(< /dev/urandom tr -dc 'a-zA-Z0-9' | head -c10)

 # Create the OwnCloud user with the specified username and password
 sudo -u www-data env OC_PASS="$password" php /var/www/owncloud/occ user:add --password-from-env "$username"

 # Append the username and password to the CSV file for record-keeping
 echo "$username,$password" >> "$CSV_OUTPUT"

done

# Secure the CSV file by restricting its permissions (read/write only for owner)
chmod 600 "$CSV_OUTPUT"

# Output confirmation message with path to the CSV file
echo "Created users saved in $CSV_OUTPUT"

image

NOTE: The force password reset upon first login was achieved through the WEB UI

  • Login to the web UI using admin account and enable the password policy app.

image

  • Then, under the security tab tick the box to reset the password upon first login.

image

Deploy Script with Puppet

The script is distributed to the OwnCloud app server (apps-a) using a custom Puppet module:

  • Edit the init.pp file to include the following code:
class owncloud_users {
  include owncloud_users::config
}

image

  • Edit the config.pp file to add the following lines of code:
class owncloud_users::config {

   file { '/usr/local/bin/create_oc_users.sh':
     ensure  => file,
     source  => 'puppet:///modules/owncloud_users/create_oc_users.sh',
     mode    => '0755',
     owner   => 'root',
     group   => 'root',
   }

   exec { 'create_owncloud_users':
     command     => '/usr/local/bin/create_oc_users.sh',
     path        => ['/bin', '/usr/bin', '/usr/local/bin'],
     user        => 'root',
     group       => 'root',
     creates     => '/var/www/owncloud/user_list.csv',
     require     => File['/usr/local/bin/create_oc_users.sh'],
   }
}

image

  • Edit the site.pp file in the /etc/puppetlabs/code/environments/production/manifests directory to include the owncloud module in the apps-a node

image

  • Apply the module on the apps-a server using the following command
sudo /opt/puppetlabs/puppet/bin/puppet agent --server=mgmt-a --no-daemonize --verbose --onetime --debug

image

Validate Automation Using ocuser20

Validation Steps:

  • user_list.csv file was created in the /var/www/owncloud/ directory after applying the module

image

image

  • Users verified in the owncloud database

image

  • Attempted login shows a password change prompt(ocuser20)

image

image

  • After resetting password, user gains access

image

Post-Onboarding Notes

  • Client Password Management: After initial provisioning, clients are responsible for managing their own passwords. Upon first login, users will be prompted to change their passwords via the OwnCloud web interface. This ensures that only end users know their final credentials.

  • Automated Password Rotation: To maintain compliance with internal security policies, Puppet will handle automated password rotation every 90 days. This means:

    • A scheduled Puppet job will regenerate secure passwords for each user.

Ticket Reference- https://rt.dataraster.com/Ticket/Display.html?id=329