Account management

Creating many user accounts is an annoying and repetitive task. If the information needed is available in another file or database, it can be reused to automate the task. The accountbatch module was designed to help here.

1. Introduction

The module was created to synchronize the account database with another database (a flat file, whatever). The following tasks may be done:

    o Create accounts when missing.
    o Remove old accounts missing in the other database.
    o Update various information of existing accounts.

Each task above is controlled independently. So it is possible to use a file as a reference only to add accounts. If the file is known to hold all accounts, then it can be used as a reference to delete old Linux accounts.

2. Expected users

This module was created to help school technicians. They generally have to create a huge number of accounts and delete many old ones. Making sure the Linux account database is complete is a tricky business. Further, schools generally have some databases available for other administrative reasons. Using them to update Linux accounts is a fair choice.

3. The dialog

The module has a single dialog to handle the process. Here is a description of every field.

3.1. Configuration name

If you update the account database from a given file, you may want to remember what you did and the options you selected. Enter a configuration name (a single word, no spaces), fill the other fields and hit the "save configuration" button. Later, when you visit the dialog, click on the help list button (right next to the field) and pick the configuration name. The dialog will reload itself with the configuration you saved.

3.2. Base info

3.2.1. Data file path

There are zillions of databases out there and Linuxconf can't hope to understand them all. Instead, Linuxconf expects a tab-delimited file containing one account per line. Most database tools can export using such a format. The fields in each line generally are:

    o The user id.
    o The primary group of the user.
    o The name of the user. The name may contain spaces since the field separator is a tab.
    o The shell (generally /bin/sh).
    o The password. The password is generally not available in the database (the school registry), so another utility may be used to generate them. Some schools use the user id as the original password. The student is requested to change it as soon as possible.

Some of the fields may be missing from the file. The module has some facility to supply the missing information. See the parsing section below.

3.2.2. Data command

Instead of using an intermediate file, you may want to extract the account information directly using a command. The command must output the account information as TAB-delimited ASCII text (like the data file). Using this strategy, there is no need to produce an intermediate file: the accountbatch module executes the command, which extracts the information from some database, and the module processes the output on the fly. The "data command" can't be used with the "data file path". Use one or the other.

3.2.3. Operate on groups above

The Linux account database (/etc/passwd) contains several special user accounts. For schools, it may also contain accounts for teachers, technicians and so on. Your external database may be authoritative for only a subset of the Linux accounts (the students). When enabling the "Delete old accounts" check box, this field (operate on groups above) is the key to limiting the scope of the process. Every Linux account not found in the data file (or produced by the data command) will be deleted if, and only if, the account's group id is greater than or equal to the group specified here. Note that using this field is seldom practical. In general, one prefers to update accounts that are members of a few specific groups.

3.2.4. Operate only on groups

Instead of limiting the scope of the deletion process (explained above) to groups above a certain threshold, you can enumerate the groups on which the process must operate. Any user account that is not a member of those groups won't be deleted/disabled, even if it is not part of the data file. You can specify a single star (*) as well. This means the module is authoritative on all groups found in the input file.

3.2.5. Authorization command

When attempting to delete or disable accounts, accountbatch may run a command operating as a filter. The command reads a list of accounts proposed for deletion on its standard input and produces a result list on its standard output. The result simply confirms which accounts may be deleted. In general, you write a shell script to protect some special accounts not created by accountbatch (not part of the input file).

3.2.6. Log file

Accountbatch produces extensive statistics about the accounts it created, updated, disabled or deleted. If you specify a log file, all the reports will be copied silently (appended) to that file.

3.3. Parsing

The module expects either a file or the output of a command, in a specific format. It expects one line per record. The TAB character is used as the field separator. We often have an almost suitable file: important fields are available, some are missing and the order is wrong. In this section, we can fix some of these problems. The file normally contains the following fields:

    o Login
    o Group
    o Name
    o Shell
    o Password
    o Home directory
    o Alt. groups

For every field, there are two inputs in the parsing section. The first is a list box where you can select the following:

    o 1-10: This is the column position in the input file. It tells accountbatch where to pick the corresponding information (Login, Shell, ...) in the input file.
    o Not supplied: This tells accountbatch the information is not available in the file. An extra input field is available next to the list box. You can enter a value. All accounts created or modified by accountbatch will share the same value. For example, it is not uncommon to enter "/bin/false" or "/bin/sh" as the shell, since all users will share the same shell.
    o Format: This tells accountbatch to pick the value from the extra input field, but to apply some formatting. It looks for special markers and replaces them with the corresponding column in the input file. The markers are simply a pound sign followed by a column number. For example, if the home directory is missing from the input file and you wish to set up the directory path according to the login and group, you may enter something like:

          /home/#3/#1

      where #1 is the login, taken from column number one, and #3 is the group, taken from column number 3.

3.3.1. Login

This is the login identifier.

3.3.2. User ID prefix

Sometimes we have a user account list where the login is made of only numbers. Many Linux applications expect a user ID to start with a letter. We can specify a prefix. One may achieve the same trick more generally using the "format" feature explained above.

3.3.3. Password

You specify here which column contains the password. "Not supplied" means that the default value will be used. An empty default value means no password (the account is disabled). "generate" means the module will invent a password and produce a list of password assignments.

3.4. Task

The module may be used to perform 3 tasks. You can select which ones you want independently using 3 check boxes.

3.4.1. Add missing accounts

Any account not found in the Linux account database will be added if this check box is selected.

3.4.2. Update existing accounts

Existing accounts will be updated according to the selection done in the updates section. You must select the various fields you wish to update (home, password, shell, name, ...).

3.4.3. Delete old accounts

Any Linux account not found in the data file that is a member of one of the specified groups, or has a group id above the given threshold, will be deleted.
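The column-mapping rules of the parsing section (1-10, Not supplied, Format with #n markers, and the user ID prefix) as an added example, not code from Linuxconf or the accountbatch module; the spec tuples ("column", n), ("fixed", value) and ("format", template) and the sample input are this example's own assumptions:

```python
# Added example (not Linuxconf code): a re-implementation of the parsing
# rules of section 3.3, to check a column mapping before a real file is used.
# Specs ("column", n), ("fixed", value), ("format", template) are this example's.
import re

def resolve(spec, columns):
    """Resolve one field spec against the TAB-split columns of a record."""
    kind, arg = spec
    if kind == "column":                  # 1-10: pick column n (1-based)
        return columns[arg - 1] if 1 <= arg <= len(columns) else ""
    if kind == "fixed":                   # Not supplied: one shared value
        return arg
    if kind == "format":                  # Format: replace #n with column n
        return re.sub(r"#(\d+)",
                      lambda m: resolve(("column", int(m.group(1))), columns),
                      arg)
    raise ValueError("unknown spec kind %r" % kind)

def parse_records(text, mapping, uid_prefix=""):
    """Parse TAB-delimited records into dicts keyed by field name.
    mapping: field name -> spec. uid_prefix is prepended to the login
    (section 3.3.2) for files whose logins are purely numeric; #n markers
    still see the raw column, not the prefixed login."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")           # TAB only: names may contain spaces
        rec = {name: resolve(spec, cols) for name, spec in mapping.items()}
        rec["login"] = uid_prefix + rec["login"]
        records.append(rec)
    return records

# Constructed input: login, name, group (wrong order, no shell, no home).
SAMPLE = "1042\tAlice Example\tstudents\n1043\tBob Example\tstudents\n"

MAPPING = {
    "login": ("column", 1),
    "name":  ("column", 2),
    "group": ("column", 3),
    "shell": ("fixed", "/bin/sh"),        # Not supplied, shared default
    "home":  ("format", "/home/#3/#1"),   # Format, as in the text above
}

if __name__ == "__main__":
    for r in parse_records(SAMPLE, MAPPING, uid_prefix="s"):
        print(r)
```

Running it against the sample prints the same kind of per-field view the Preview button gives, so a wrong column number shows up before any account is touched.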
3.4.4. Disable old accounts

Instead of deleting accounts, the module may disable them. You must use Delete or Disable, not both.

3.4.5. Deletion mode

You may want to preserve the data owned by the account you are deleting. Or you may want to delete it or archive it. You can select the behavior. The account data is the home directory and the mail inbox folder. Archiving is done by moving all the data into a compressed tar file, located in the oldaccounts directory. The directory is created as needed in the same directory holding the home of the user account. Archiving is probably the recommended practice. You may want to clean the oldaccounts directory a couple of months later, just in case the user comes back to retrieve some personal documents.

3.5. Test

The test button produces a report of the actions to be done. It will tell you which accounts would be added, deleted and updated. It is a good idea to experiment with the module using this button to make sure you understand its behavior. Having a good backup of the system is not a bad idea either :-)

3.6. Preview

The preview button displays the first 20 account lines. It allows you to check the parsing of the input file and see if each field has been properly identified.

3.7. Accept

Once you are satisfied, after using the test button a couple of times, you hit the accept button. Then the real processing goes on. A pop-up window shows up with completion bars. Each one shows the progress of the three operations (add, delete, update). Note that archiving an account may be a fairly slow process. So if you delete many accounts, you may take a coffee ... or two.
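The deletion scope of sections 3.2.3 and 3.2.4, the authorization filter of 3.2.5 and the dry-run report of the Test button, as an added example rather than Linuxconf's own code; the account records, group names and function names are constructed for the example, and the filter is modelled as a function rather than a separate command reading standard input:

```python
# Added example (not Linuxconf code): the deletion-scope rules of 3.2.3/3.2.4
# and the authorization filter of 3.2.5, run as a dry run like the "Test"
# button. Records and names are constructed; function names are the example's.

def in_scope(account, groups_above=None, only_groups=None, file_groups=()):
    """True if an account may be considered for deletion/disabling.
    groups_above: gid threshold (3.2.3). only_groups: group names (3.2.4);
    ["*"] means every group that appears in the input file."""
    if only_groups is not None:
        if only_groups == ["*"]:
            return account["group"] in file_groups
        return account["group"] in only_groups
    if groups_above is not None:
        return account["gid"] >= groups_above
    return False                       # no scope given: nothing is deleted

def authorize(proposed, protected):
    """Stand-in for the authorization command: it reads the proposed logins
    and answers with those allowed, holding back protected accounts."""
    return [login for login in proposed if login not in protected]

def dry_run(existing, file_records, protected=(), **scope):
    """Report the logins that would be added and deleted; nothing is changed."""
    file_logins = {r["login"] for r in file_records}
    file_groups = {r["group"] for r in file_records}
    add = sorted(file_logins - {a["login"] for a in existing})
    candidates = [a["login"] for a in existing
                  if a["login"] not in file_logins
                  and in_scope(a, file_groups=file_groups, **scope)]
    return {"add": add, "delete": authorize(candidates, protected)}

# Constructed /etc/passwd-like records and a student list from the data file.
EXISTING = [
    {"login": "root",   "gid": 0,    "group": "root"},
    {"login": "jdoe",   "gid": 500,  "group": "teachers"},
    {"login": "s1040",  "gid": 1000, "group": "students"},
    {"login": "s1042",  "gid": 1000, "group": "students"},
    {"login": "labadm", "gid": 1000, "group": "students"},
]
FILE_RECORDS = [{"login": "s1042", "group": "students"},
                {"login": "s1043", "group": "students"}]

if __name__ == "__main__":
    # labadm lives in the students group but was not created from the file,
    # so the authorization filter keeps it out of the deletion list.
    print(dry_run(EXISTING, FILE_RECORDS, protected=["labadm"],
                  only_groups=["*"]))
```

Compare the "*" run with a `groups_above=500` run to see why the text calls the threshold seldom practical: the teacher account jdoe becomes a deletion candidate as soon as the threshold drops below its gid.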