Ticket ID #329 Puppet‐Managed OwnCloud User Creation for Client Onboarding - GriffinKat/group-a GitHub Wiki
Automating OwnCloud User Provisioning for Client Onboarding
Summary
As part of our client onboarding process for asset migration to the OwnCloud platform, we implemented a fully automated solution using Puppet to create user accounts in advance, meeting strict password and security policies.
- Zero manual user creation across app infrastructure
- Enforced password policy for all users
- Password reset required on first login
- Delivery of login credentials to the manager via CSV
- Clean integration with OwnCloud's occ command-line tool
Steps to Automate OwnCloud User Creation
Puppet Module Structure
Create a Puppet module owncloud_users with the following directory structure:
owncloud_users/
├── files
│ └── create_oc_users.sh
├── manifests
│ ├── config.pp
│ └── init.pp
└── templates
└── user_list.csv.erb
Create User Provisioning Script
A reusable shell script (create_oc_users.sh) was developed to:
- Generate users ocuser01 through ocuser20
- Assign each user a random password of exactly 10 characters drawn from A-Z, a-z and 0-9 (no special characters)
- Export results to /var/www/owncloud/user_list.csv (this sits inside the web root, so the file must be readable by root only and should be removed once the manager has received the credentials)
#!/bin/bash
# Path to the CSV file where usernames and passwords will be saved
CSV_OUTPUT="/var/www/owncloud/user_list.csv"
# Create the CSV with mode 0600 from the start so the credentials are never
# world-readable, and write the header only if the file doesn't exist
umask 077
if [ ! -f "$CSV_OUTPUT" ]; then
    echo "username,password" > "$CSV_OUTPUT"
fi
chmod 600 "$CSV_OUTPUT"
# Loop to create 20 users with usernames ocuser01 to ocuser20
for i in $(seq -w 01 20); do
    # Define username for this iteration
    username="ocuser$i"
    # Generate a random 10-character password from uppercase, lowercase, and digits
    password=$(< /dev/urandom tr -dc 'a-zA-Z0-9' | head -c10)
    # Create the OwnCloud user; the password is handed over via the environment
    # (--password-from-env) so it never appears on the command line or in history
    if sudo -u www-data env OC_PASS="$password" php /var/www/owncloud/occ user:add --password-from-env "$username"; then
        # Record the credentials only for users that occ actually created
        echo "$username,$password" >> "$CSV_OUTPUT"
    else
        echo "Failed to create $username (already exists, or password rejected by the policy)" >&2
    fi
done
# Output confirmation message with path to the CSV file
echo "Created users saved in $CSV_OUTPUT"
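The script above works, but a reviewer would want three things tightened: the password draw is purely random, so it can occasionally miss a character class the password policy app requires and occ will reject it; the CSV is only chmod'ed after it has been written; and a second run fails on every user that already exists. The following is an added example (not the wiki's create_oc_users.sh) that restructures the same flow into functions addressing those points. It assumes the occ path from the page, ownCloud 10's occ syntax for user:add and user:list, that the policy requires at least one upper-case letter, one lower-case letter and one digit, and that occ user:list prints one "- uid: displayname" line per user; the two occ wrappers are plain functions so they can be replaced for a dry run.

```bash
#!/bin/bash
# Added example (not the wiki's create_oc_users.sh): policy-aware password
# generation, a credentials file that is 0600 from its first byte, and an
# idempotent provisioning loop that records a user only after occ succeeds.

export LC_ALL=C            # byte-based character ranges for tr and case
OCC="/var/www/owncloud/occ"   # assumed install path, as on the wiki page

# 0 if $1 is >= 10 alphanumerics containing at least one upper-case letter,
# one lower-case letter and one digit (assumed password policy settings)
meets_policy() {
    pw=$1
    [ "${#pw}" -ge 10 ] || return 1
    case $pw in *[!A-Za-z0-9]*) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Print a random alphanumeric password of length $1 (default 10) that
# passes meets_policy; a draw that misses a class is simply retried
gen_password() {
    len=${1:-10}
    while :; do
        pw=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len")
        if meets_policy "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Create the credentials file with mode 0600 before any secret is written
init_credentials_file() {
    csv=$1
    if [ ! -e "$csv" ]; then
        ( umask 077; printf 'username,password\n' > "$csv" )
    fi
    chmod 600 "$csv"
}

# occ wrappers (assumed ownCloud 10 syntax); override these for a dry run
occ_add_user() {        # $1 = username, $2 = password (via env, not argv)
    sudo -u www-data env OC_PASS="$2" php "$OCC" user:add --password-from-env "$1"
}
occ_user_exists() {     # $1 = username; assumes one "- uid: name" line per user
    sudo -u www-data php "$OCC" user:list | grep -qw -- "$1"
}

# Provision ocuserNN for NN in $2..$3 (plain integers), recording to $1
provision_users() {
    csv=$1 first=$2 last=$3
    init_credentials_file "$csv"
    i=$first
    while [ "$i" -le "$last" ]; do
        user=$(printf 'ocuser%02d' "$i")
        if occ_user_exists "$user"; then
            printf 'skip: %s already exists\n' "$user" >&2
        else
            pw=$(gen_password 10)
            if occ_add_user "$user" "$pw"; then
                printf '%s,%s\n' "$user" "$pw" >> "$csv"
            else
                printf 'WARN: occ user:add failed for %s; not recorded\n' "$user" >&2
            fi
        fi
        i=$((i + 1))
    done
}

# Only touch the real server when invoked as: ./provision.sh --run
if [ "${1:-}" = "--run" ]; then
    provision_users /var/www/owncloud/user_list.csv 1 20
fi
```

Because existing users are skipped rather than failed, the script can be re-run after a partial failure, which also makes a Puppet exec that relies on the CSV's existence safe to retrigger.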
NOTE: Forcing a password reset on first login was configured through the web UI, not through Puppet:
- Log in to the web UI with the admin account and enable the password policy app.
- Then, under the security tab, tick the box to reset the password upon first login.
Deploy Script with Puppet
The script is distributed to the OwnCloud app server (apps-a) using a custom Puppet module:
- Edit the init.pp file to include the following code:
class owncloud_users {
  include owncloud_users::config
}
- Edit the config.pp file to add the following lines of code:
class owncloud_users::config {
  file { '/usr/local/bin/create_oc_users.sh':
    ensure => file,
    source => 'puppet:///modules/owncloud_users/create_oc_users.sh',
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
  }
  exec { 'create_owncloud_users':
    command => '/usr/local/bin/create_oc_users.sh',
    path    => ['/bin', '/usr/bin', '/usr/local/bin'],
    user    => 'root',
    group   => 'root',
    creates => '/var/www/owncloud/user_list.csv',
    require => File['/usr/local/bin/create_oc_users.sh'],
  }
}
Note that the exec is made idempotent by creates: Puppet skips it whenever user_list.csv exists. If the script fails partway through (the CSV is present but some users are missing), Puppet will not re-run it; remove the CSV or make the script skip existing users before triggering it again.
- Edit the site.pp file in the /etc/puppetlabs/code/environments/production/manifests directory to include the owncloud_users module in the apps-a node.
- Apply the module on the apps-a server using the following command:
sudo /opt/puppetlabs/puppet/bin/puppet agent --server=mgmt-a --no-daemonize --verbose --onetime --debug
Validate Automation Using ocuser20
Validation Steps:
- The user_list.csv file was created in the /var/www/owncloud/ directory after applying the module
- Users verified in the OwnCloud database
- Attempting to log in as ocuser20 shows a password change prompt
- After resetting the password, the user gains access
Post-Onboarding Notes
- Client Password Management: After initial provisioning, clients are responsible for managing their own passwords. Upon first login, users will be prompted to change their passwords via the OwnCloud web interface. This ensures that only end users know their final credentials.
- Automated Password Rotation: To maintain compliance with internal security policies, Puppet will handle automated password rotation every 90 days. This means:
- A scheduled Puppet job will regenerate secure passwords for each user.