Custom password changers

Custom password changers enable defining a set of commands executed on a remote host in case the built-in password changers cannot handle a specific use case scenario.

Note

In cluster configuration, the node responsible for changing passwords on monitored systems is configured in system settings. For more information refer to Password changers - active cluster node topic.

Defining a custom password changer


  1. Click + icon in the main menu next to the Password changers tab, or
  2. Select Management > Password changers and click Add password changer.

Note

Alternatively, you can edit existing password changer and click Copy to create a new password changer based on currently opened definition.

../../_images/5-5-copy-pc.png
  1. Define the password changer’s name.
  2. From the Script type drop-down list, select if the script is a password changer or password verifier.
  3. In the Timeout field, define the script’s execution time limit.
  4. In the Connection mode section, click SSH, LDAP, Telnet, or WinRM to select the transport layer.
  5. In the SCRIPT tab, click one of available options to add a command.
../../_images/5-5-add-pc-2.png

Note

Available commands depend on selected transport layer. For more information on connection modes, refer to the Connection modes topic.

  • +Input - command executed on target host.
  • +Expected - expected result.
  • +Enter
  • +Delay - delay between commands’ execution.
  • DN - directory service DN (Distinguished Name) parameter.
  • Filter - directory service user filter.

Warning

  • To handle a password change, you must use an account (transport_login and transport_secret) that has delegated Reset user passwords and force password change at next logon permissions for the Organizational Unit (OU) containing the users whose passwords will be changed, or the account must be a member of the Account Operators group.
  • To configure WinRM password changers, you need to provide user credentials with the authority to change passwords (typically an admin-level account). However, it’s important to avoid using this account to change its own password, as WinRM will return an error that Fudo Enterprise cannot process. Make sure that the ``account_login`` and ``transport_login`` variables are set to different values.
  1. Enter the command or define action’s parameters.

Note

You can use pre-defined transport layer or user defined variables in commands. To use or define a variable, enclose it in %% characters (e.g. %%transport_host%%, %%custom_variable%%).

  1. Repeat steps 7-8 to add more commands.
  2. In the Variables tab, define variables’ attributes.

Note

  • Variables can be initiated with values referenced from other objects or they can be assigned a constant value.
  • Predefine the property values so that the password changer assigned to the account during the Discovery process will not require any additional configuration.
  1. Click Save.

  1. Define password change policy and assign the password changer to account.


Note

Example

In this password changer example, the password change is triggered with the passwd command executed with sudo privileges on a host running FreeBSD operating system.

Commands list

  Action Content Comment
1 EXPECTED Password Expected terminal output with a ‘Password’ word in it.
2 INPUT %%transport_secret%% A value of the transport_secret variable is a secret for authorizing a priveleged account to change the password.
3 EXPECTED \[newtd_pc@john-laptop.*\] Expected terminal output within given regular expression.
4 INPUT sudo passwd %%account_login%% Change password for account where account_login reflects a login of the user, whose password is being changed.
5 EXPECTED Password Expected terminal output with ‘Password’ word in it.
6 INPUT %%transport_secret%% A value of the transport_secret variable is a secret for authorizing a priveleged account to change the password.
7 EXPECTED Changing local password Expected terminal output with ‘Changing local password’ phrase in it.
8 EXPECTED New Password Expected terminal output with ‘New Password’ phrase in it.
9 INPUT %%account_new_secret%% A value of the account_new_secret variable would be a new password.
10 EXPECTED Retype New Password Expected terminal output with ‘Retype New Password’ phrase in it.
11 INPUT %%account_new_secret%% A value of the account_new_secret variable would be a new password.
12 INPUT echo $?  
13 EXPECTED 0  

Variables

Variable name Object type Object property Encrypt
transport_method constant   fail
transport_bind_to server_property bind_ip fail
transport_user account login fail
transport_host server_address_property host fail
transport_port server_property port fail
transport_secret account secret ok
transport_host_public_key constant   fail
account_login account login fail

Editing a custom password changer


  1. Select Management > Password changers.
  2. Click the name of desired password changer.
  3. In the Script tab, edit selected commands.
  4. Click Delete to remove selected command.
  5. Click Save.

Deleting a custom password changer


  1. Select Management > Password changers.
  2. Select custom password changer and click Delete.
  3. Confirm deleting selected objects.

Related topics: