Custom Password Changers

Custom password changers let you define a set of commands to execute on a remote host when the built-in password changers cannot handle a specific use case.

Note

In a cluster configuration, the node responsible for changing passwords on monitored systems is configured in the system settings. For more information, refer to the Password Changers - Active Cluster Node topic.

Defining a Custom Password Changer


  1. Click the + icon in the main menu next to the Password changers tab, or

  2. Select Management > Password changers and click Add password changer.

Note

Alternatively, you can edit an existing password changer and click Copy to create a new password changer based on the currently opened definition.

  3. Define the password changer’s name.

  4. From the Script type drop-down list, select whether the script is a password changer or a password verifier.

  5. In the Timeout field, define the script’s execution time limit.

  6. In the Connection mode section, click SSH, LDAP, Telnet, or WinRM to select the transport layer.

  7. In the SCRIPT tab, click one of the available options to add a command.


Note

Available commands depend on the selected transport layer. For more information on connection modes, refer to the Connection Modes topic.

  • +Input - command executed on target host.

  • +Expected - expected result.

  • +Enter

  • +Delay - delay between commands’ execution.

  • DN - directory service DN (Distinguished Name) parameter.

  • Filter - directory service user filter.

Warning

  • To handle a password change, you must use an account (transport_login and transport_secret) that has delegated Reset user passwords and force password change at next logon permissions for the Organizational Unit (OU) containing the users whose passwords will be changed, or the account must be a member of the Account Operators group.

  • To configure WinRM password changers, you need to provide user credentials with the authority to change passwords (typically an admin-level account). However, it’s important to avoid using this account to change its own password, as WinRM will return an error that Fudo Enterprise cannot process. Make sure that the account_login and transport_login variables are set to different values.

  8. Enter the command or define the action’s parameters.

Note

You can use predefined transport-layer variables or user-defined variables in commands. To use or define a variable, enclose it in %% characters (e.g. %%transport_host%%, %%custom_variable%%).

  9. Repeat steps 7-8 to add more commands.

  10. In the Variables tab, define variables’ attributes.

Note

  • Variables can be initialized with values referenced from other objects, or they can be assigned a constant value.

  • Predefine the property values so that the password changer assigned to the account during the Discovery process will not require any additional configuration.

  11. Click Save.

  12. Define a password change policy and assign the password changer to an account.


Note

Example

In this password changer example, the password change is triggered with the passwd command executed with sudo privileges on a host running the FreeBSD operating system.

Commands list

| #  | Action   | Content                       | Comment |
|----|----------|-------------------------------|---------|
| 1  | EXPECTED | Password                      | Expected terminal output with a ‘Password’ word in it. |
| 2  | INPUT    | %%transport_secret%%          | A value of the transport_secret variable is a secret for authorizing a privileged account to change the password. |
| 3  | EXPECTED | \[newtd_pc@john-laptop.*\]    | Expected terminal output within given regular expression. |
| 4  | INPUT    | sudo passwd %%account_login%% | Change password for account where account_login reflects a login of the user, whose password is being changed. |
| 5  | EXPECTED | Password                      | Expected terminal output with ‘Password’ word in it. |
| 6  | INPUT    | %%transport_secret%%          | A value of the transport_secret variable is a secret for authorizing a privileged account to change the password. |
| 7  | EXPECTED | Changing local password       | Expected terminal output with ‘Changing local password’ phrase in it. |
| 8  | EXPECTED | New Password                  | Expected terminal output with ‘New Password’ phrase in it. |
| 9  | INPUT    | %%account_new_secret%%        | A value of the account_new_secret variable would be a new password. |
| 10 | EXPECTED | Retype New Password           | Expected terminal output with ‘Retype New Password’ phrase in it. |
| 11 | INPUT    | %%account_new_secret%%        | A value of the account_new_secret variable would be a new password. |
| 12 | INPUT    | echo $?                       |         |
| 13 | EXPECTED | 0                             |         |

Variables

| Variable name             | Object type             | Object property | Encrypt |
|---------------------------|-------------------------|-----------------|---------|
| transport_method          | constant                |                 | fail    |
| transport_bind_to         | server_property         | bind_ip         | fail    |
| transport_user            | account                 | login           | fail    |
| transport_host            | server_address_property | host            | fail    |
| transport_port            | server_property         | port            | fail    |
| transport_secret          | account                 | secret          | ok      |
| transport_host_public_key | constant                |                 | fail    |
| account_login             | account                 | login           | fail    |
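
The example above, modelled as an offline dry run (added here for illustration, not Fudo Enterprise code): it replays the 13 steps against constructed terminal output, expands %%variables%%, and keeps secret values out of its log. Treating every EXPECTED entry as an unanchored regular expression, consuming one output chunk per EXPECTED step, the SECRET_VARS set, and all sample values are assumptions.

```python
import re

E, I = "EXPECTED", "INPUT"
SCRIPT = [  # the page's FreeBSD example, steps 1-13
    (E, "Password"), (I, "%%transport_secret%%"),
    (E, r"\[newtd_pc@john-laptop.*\]"), (I, "sudo passwd %%account_login%%"),
    (E, "Password"), (I, "%%transport_secret%%"),
    (E, "Changing local password"), (E, "New Password"),
    (I, "%%account_new_secret%%"), (E, "Retype New Password"),
    (I, "%%account_new_secret%%"), (I, "echo $?"), (E, "0"),
]
# Constructed sample values; real ones come from the Variables tab.
VARS = {"transport_secret": "constructed-admin-pw", "account_login": "jdoe",
        "account_new_secret": "constructed-new-pw"}
SECRET_VARS = {"transport_secret", "account_new_secret"}  # assumption: never logged
VAR_RE = re.compile(r"%%(\w+)%%")

def expand(content, variables, redact=False):
    """Replace %%name%% placeholders; an undefined name raises KeyError."""
    def sub(match):
        name = match.group(1)
        value = variables[name]  # lookup first, so typos fail even when redacting
        return "***" if redact and name in SECRET_VARS else value
    return VAR_RE.sub(sub, content)

def dry_run(script, variables, host_output):
    """Replay the script against recorded output chunks.
    Returns (ok, failed_step, log); the log holds no secret values."""
    chunks, log = iter(host_output), []
    for number, (action, content) in enumerate(script, start=1):
        if action == "INPUT":
            log.append(f"{number} INPUT {expand(content, variables, redact=True)}")
            continue
        seen = next(chunks, "")  # missing output counts as a mismatch
        if not re.search(content, seen):
            log.append(f"{number} EXPECTED {content!r} not found")
            return False, number, log
        log.append(f"{number} EXPECTED {content!r} matched")
    return True, None, log

# Constructed terminal output, one chunk per EXPECTED step.
GOOD_HOST = ["Password:", "[newtd_pc@john-laptop ~]$ ", "Password:",
             "Changing local password for jdoe", "New Password:",
             "Retype New Password:", "0"]
# sudo rejects the privileged account's password: the run stops at step 7.
BAD_HOST = GOOD_HOST[:3] + ["Sorry, try again."]
```

Calling dry_run(SCRIPT, VARS, BAD_HOST) reports the step number where the expected output was missing, which is the first thing to check when a changer times out.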

Editing a Custom Password Changer


  1. Select Management > Password changers.

  2. Click the name of the desired password changer.

  3. In the Script tab, edit selected commands.

  4. Click Delete to remove selected command.

  5. Click Save.


Deleting a Custom Password Changer


  1. Select Management > Password changers.

  2. Select the custom password changer and click Delete.

  3. Confirm deletion of the selected objects.

