The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Feature #15037

ability to set initial user password

Added by Darin Perusich over 3 years ago. Updated almost 2 years ago.

Status: Accepted
Start date: 06/14/2012
Priority: Normal
Due date:
Assignee: eric sorenson
% Done:

Target version: -
Affected Puppet version:
Branch:

Add functionality to the user type so one can set an initial password to be set upon account creation. Currently, when Puppet is managing a user's password, if said password is changed, Puppet will reset it to whatever value has been configured.

This is a rehash of


#1 Updated by Patrick Carlisle over 3 years ago

  • Status changed from Unreviewed to Accepted

It’s unlikely we’ll get to this right away, but it makes sense to me and I’d consider a pull request on it.

#2 Updated by Rob Sweet about 3 years ago

  • Assignee set to Rob Sweet

#3 Updated by Nigel Kersten about 3 years ago

Are we sure we want to do this? Are we going to support this sort of functionality for any parameter/property? Isn’t there a reasonable workaround with a notify to an exec?

user { "foo":
  notify => Exec["set_initial_password"],
}

exec { "set_initial_password":
  unless => whatever-condition-you-want,
}
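
One way to fill in the `unless` condition of the exec workaround in comment #3, as an added example that is not part of the original thread or Puppet's own code. The account name, the hash placeholder, and a Linux host with shadow passwords and the `getent`, `usermod` and `chage` tools are assumptions; the exec is ordered with `require` rather than `notify`, so the guard alone decides whether it runs.

```puppet
# Added example; names and values are assumptions, not from the ticket.
$account      = 'foo'
# Placeholder: substitute a crypt(3) hash generated out of band.
$initial_hash = '<INITIAL-PASSWORD-HASH-PLACEHOLDER>'

# No `password` attribute here, so Puppet never resets a password the
# user has changed.
user { $account:
  ensure     => present,
  managehome => true,
}

exec { 'set_initial_password':
  # Install the initial hash, then expire it so the first login forces
  # the user to choose a new password.
  command  => "usermod -p '${initial_hash}' ${account} && chage -d 0 ${account}",
  # Skip when the shadow password field holds anything other than the
  # empty / "!" / "!!" / "*" values of an account that never had a
  # password. A locked account ("!" followed by a hash) is left alone.
  unless   => "getent shadow ${account} | cut -d: -f2 | grep -Evq '^(!|!!|[*])?\$'",
  provider => shell,
  path     => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
  require  => User[$account],
}
```

The hash is part of the command string and therefore of the compiled catalog, so it needs the same handling as any other managed password hash.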

#4 Updated by Rob Sweet about 3 years ago

Sorry, Nigel. This is the first thing I’ve tried to contribute on so maybe I’ve misunderstood the process. I thought that something with status Accepted meant that no further discussion was desired.

Chaining an exec seems messy to me but sure, that’d be a workaround.

In the broader scope, has anyone discussed the concept of passing options to parameters? Seems you could use a construct like this:

user { "foo":
  password => { :value => 'supersecretpassword', :create_only => true },
}

Supporting something like that would open the door to various kinds of sophisticated property/parameter behavior, which could maybe help slim down manifests a bit.

That said, I definitely don’t know the Puppet codebase well enough yet to attempt coding that kind of broad functionality. And here I thought I’d picked up something relatively easy to start with. ;)

#5 Updated by Nigel Kersten about 3 years ago

  • Assignee changed from Rob Sweet to eric sorenson

No apologies needed Rob, I was arguing against Patrick’s decision to accept it :)

I worry about how this would make the model inconsistent.

Right now, if you set a property/parameter on a resource, that means the resource will change.

This proposed idea would break that model, and I’m not sure the cost is worth it.

I’d be more in favor of a generic solution, rather than one for just the password, but it still concerns me.

Eric? Your thoughts?

#6 Updated by Anonymous almost 2 years ago

Redmine Issue #15037 has been migrated to JIRA:
