5.1.6.2. Bulk Password Management

This section explains how to change several OpenNAC passwords in a single operation, which makes password updates more efficient and convenient to manage.

The process has two parts: configuring the variable files and executing a script.

5.1.6.2.1. Configuring the variables

The first step in bulk editing OpenNAC passwords is to configure the password variables correctly. This step consists of replacing each current password value with the new one.

First, go to the /usr/share/opennac/utils/ansible/ directory, which contains the vars/ directory with the variable files.

cd /usr/share/opennac/utils/ansible
[root@localhost ansible]# ls -la vars/
total 16
-rw-r--r-- 1 apache apache 1164 Mar  5 12:40 vars_analytics.yml
-rw-r--r-- 1 apache apache 2521 Mar  5 12:40 vars_core.yml
-rw-r--r-- 1 apache apache  742 Mar  5 12:40 vars_general.yml
-rw-r--r-- 1 apache apache  247 Mar  5 12:40 vars_migrate_cmix_to_vpngw.yml
-rw-r--r-- 1 apache apache    0 Mar  5 12:40 vars_vpngw.yml

From the variable files available, you will only need to modify two of them:

  • vars_general.yml

  • vars_core.yml

5.1.6.2.1.1. vars_general.yml

vim vars/vars_general.yml
##########
# COMMON #
##########

inventory: 'static'
timezone_custom: 'Europe/Madrid'
# A NTP server where you must get the synchronization. Add or delete lines if necessary.
ntpserv:
- 'hora.roa.es'
- '3.es.pool.ntp.org'


# The version packages that we want to be installed
# It could be the stable version or the testing one
# Change it if necessary
deploy_testing_version: 'no'

# The necessary user:password to access the repository
# Change to the actual repo user
repo_user: 'user'
# Change to the actual repo password
repo_pass: 'password'

# The portal password for the user admin
portal_pass: 'opennac'

# Configure nodes if in deploy
config: 'true'

# Collectd password
collectd_password: "changeMeAsSoonAsPossible"

# Do not touch the following variables
ansible_ssh_timeout: '7200'
ansible_python_interpreter: '/usr/bin/python3'

Introduce the new values in the following variables:

  • portal_pass: The password to access the OpenNAC portal.

  • collectd_password: The CollectD password.

5.1.6.2.1.2. vars_core.yml

vim vars/vars_core.yml
###########################
# COMMON                  #
###########################

# Mail variables
criticalAlertEmail: 'notify1@opennac.org,notify2@opennac.org'
criticalAlertMailTitle: 'openNAC policy message [%MSG%]'
criticalAlertMailContent: 'Alert generated by policy [%RULENAME%], on %DATE%.\n\nData:\nMAC: %MAC%\nUser: %USERID%\nIP Switch: %SWITCHIP%\nPort: %SWITCHPORT% - %SWITCHPORTID%\n'

# CLIENTS.CONF
# Edit the following lines in order to configure /etc/raddb/clients.conf
# You may either need to add new lines or to delete some.
# Follow the structure indicated below:
clients_data:
  -
    ip: '192.168.0.0/16'
    shortname: 'internal192168'
    secret: 'testing123'
  -
    ip: '172.16.0.0/16'
    shortname: 'internal17216'
    secret: 'testing123'

# Variables to configure /etc/postfix/main.cf and /etc/postfix/generic
relayhostName: 'relay.remote.com'
relayhostPort: '25'
mydomain: 'acme.local'
emailAddr: 'openNAC@notifications.mycompany.com'

  • clients_data: This variable must be correctly configured, since the playbook will be applied again and uses it to configure /etc/raddb/clients.conf.

########################
# MYSQL                #
########################

# mysql passwords
mysql_root_password: "opennac" # Password for mysql root
mysql_healthcheck_password: "Simpl3PaSs"
mysql_replication_password: "opennac"
mysql_opennac_service_password: "opennac"

path: /tmp/ # The path to save the dump .sql file

# Only necessary if you are going to change the mysql password with the change_passwords role
# If that is not the case, leave it at the default
# If you have a virgin OVA, the old root password will be opennac
# It is important that all the nodes with mysql have the same root password configured
current_mysql_root_password: "opennac"

Introduce the new values in the following variables:

  • mysql_root_password: Password for the mysql root user.

  • mysql_healthcheck_password: Password for the healthcheck service.

  • mysql_replication_password: Password for the mysql nagios user.

  • mysql_opennac_service_password: Password for the opennac service.

  • current_mysql_root_password: Indicate the current mysql root password (opennac) so that the new changes can be applied.

Warning

If the current_mysql_root_password is not correctly configured, the playbook will fail. This is critical for the password update process.

#######################
# PROXY CONFIGURATION #
#######################

proxy_workers_radius_sharedkey: 'CHANGE_ME' # The string to encrypt the packets between the Proxy Servers and Backends

# PROXY.CONF
# Edit the following lines in order to configure /etc/raddb/proxy.conf
# You may either need to add new lines (follow the "-" structure) or to delete some.
pools_data:
  -
    namepool: 'auth'
    namerealm: 'DEFAULT'

# CLIENTS.CONF
# Edit the following lines in order to configure /etc/raddb/clients.conf
# You may either need to add new lines or to delete some.
# Follow the structure indicated below:
clients_data_PROXY:
  -
    ip: '192.168.0.0/16'
    shortname: 'internal192168'
    secret: 'testing123'
  -
    ip: '172.16.0.0/16'
    shortname: 'internal17216'
    secret: 'testing123'

Introduce the new values in the following variables:

  • proxy_workers_radius_sharedkey: The string used to encrypt the packets between the Proxy Servers and Backends.

  • pools_data: This variable must be correctly configured, since the playbook will be applied again and uses it to configure /etc/raddb/proxy.conf.

5.1.6.2.2. Script Execution

After configuring the new passwords, run the following command to change them all at once:

ansible-playbook execute_role.yml -e "role=change_passwords"
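The configuration and execution steps above lend themselves to a pre-flight check: the warning states that the playbook fails when current_mysql_root_password does not match the password in use, and the shipped variable files contain placeholder values (opennac, CHANGE_ME, testing123, changeMeAsSoonAsPossible, Simpl3PaSs) that should not survive a rotation. The POSIX shell script below is an added example, not part of OpenNAC, that checks both conditions on vars_general.yml and vars_core.yml before ansible-playbook is run. The list of placeholder values, the simple one-line "key: 'value'" parser in get_var, and the make_sample_vars helper that writes constructed copies of the two files are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for the OpenNAC change_passwords role (added example, not
# OpenNAC's own code). It refuses to proceed while any rotated variable still
# holds a shipped placeholder value or while current_mysql_root_password does
# not match the MySQL root password in use. The variable names are the ones
# documented above; the parser assumes simple one-line "key: 'value'" entries
# (values containing '#' are not supported).

# Placeholder values taken from the example files above (assumption: this
# list is what "still at default" means for this check).
WEAK_DEFAULTS="opennac changeMeAsSoonAsPossible CHANGE_ME testing123 Simpl3PaSs password"

# get_var FILE KEY: print the value of a top-level key without surrounding
# quotes or a trailing "# comment". Prints nothing if the key is absent.
get_var() {
    awk -v key="$2" -F': *' '$1 == key { v = $2; sub(/[[:space:]]*#.*$/, "", v); print v; exit }' "$1" \
        | tr -d "\"'"
}

# is_weak VALUE: succeeds if VALUE is empty or one of WEAK_DEFAULTS.
is_weak() {
    [ -z "$1" ] && return 0
    for w in $WEAK_DEFAULTS; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# count_findings VARS_DIR CURRENT_ROOT_PASSWORD: report each problem on
# stderr and print the number of problems on stdout (0 means safe to run).
count_findings() {
    dir=$1; current_root=$2; n=0
    for key in portal_pass collectd_password; do
        if is_weak "$(get_var "$dir/vars_general.yml" "$key")"; then
            echo "WEAK: $key in vars_general.yml still has a placeholder value" >&2
            n=$((n + 1))
        fi
    done
    for key in mysql_root_password mysql_healthcheck_password \
               mysql_replication_password mysql_opennac_service_password \
               proxy_workers_radius_sharedkey; do
        if is_weak "$(get_var "$dir/vars_core.yml" "$key")"; then
            echo "WEAK: $key in vars_core.yml still has a placeholder value" >&2
            n=$((n + 1))
        fi
    done
    # RADIUS client secrets live in nested lists (clients_data, clients_data_PROXY).
    secrets=$(grep -c "^[[:space:]]*secret:[[:space:]]*['\"]testing123" "$dir/vars_core.yml" || true)
    if [ "$secrets" -gt 0 ]; then
        echo "WEAK: $secrets RADIUS client secret(s) in vars_core.yml still use testing123" >&2
        n=$((n + secrets))
    fi
    # The documented failure mode: the role authenticates with the OLD root password.
    if [ "$(get_var "$dir/vars_core.yml" current_mysql_root_password)" != "$current_root" ]; then
        echo "MISMATCH: current_mysql_root_password differs from the MySQL root password in use; the playbook would fail" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# preflight VARS_DIR CURRENT_ROOT_PASSWORD: succeed only on a clean check.
preflight() {
    [ "$(count_findings "$1" "$2")" -eq 0 ]
}

# make_sample_vars DIR MODE: write constructed vars files into DIR. MODE
# "shipped" mirrors the placeholder values shown above; "rotated" is the
# same layout after a proper password change. Sample data only.
make_sample_vars() {
    dir=$1; mode=$2
    mkdir -p "$dir"
    if [ "$mode" = "shipped" ]; then
        pw=opennac; cd_pw=changeMeAsSoonAsPossible; hc=Simpl3PaSs; rk=CHANGE_ME
        sec=testing123; db=opennac; repl=opennac; svc=opennac
    else
        pw=N3w-P0rtal-Secret; cd_pw=N3w-C0llectd-Secret; hc=N3w-H3althcheck-Secret
        rk=N3w-Radius-Shared-Key; sec=N3w-Client-Secret; db=N3w-Mysql-Root
        repl=N3w-Repl-Secret; svc=N3w-Service-Secret
    fi
    cat > "$dir/vars_general.yml" <<EOF
portal_pass: '$pw'
collectd_password: "$cd_pw"
EOF
    cat > "$dir/vars_core.yml" <<EOF
clients_data:
  -
    ip: '192.168.0.0/16'
    shortname: 'internal192168'
    secret: '$sec'
mysql_root_password: "$db" # Password for mysql root
mysql_healthcheck_password: "$hc"
mysql_replication_password: "$repl"
mysql_opennac_service_password: "$svc"
# the old root password is still opennac on a fresh OVA
current_mysql_root_password: "opennac"
proxy_workers_radius_sharedkey: '$rk'
clients_data_PROXY:
  -
    secret: '$sec'
EOF
}

# Demo on constructed files in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_vars "$tmp/shipped" shipped
    make_sample_vars "$tmp/rotated" rotated
    echo "shipped defaults: $(count_findings "$tmp/shipped" opennac) finding(s)"
    echo "after rotation:   $(count_findings "$tmp/rotated" opennac) finding(s)"
    rm -rf "$tmp"
fi
```

Run it as `sh preflight.sh demo` to see both cases on the constructed files. Against a real installation, gate the playbook on the check from the ansible directory, supplying the root password currently in use: `preflight vars "$CURRENT_ROOT" && ansible-playbook execute_role.yml -e "role=change_passwords"`. The check only detects the shipped placeholders and the root-password mismatch; it complements, rather than replaces, a password policy for the new values.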