This script is idempotent, meaning it won't cause any issues if run multiple times, or if some of the users it declares are already present.
Code:
{
    # declared users: name -> password (the passwords sit in clear-text here)
    :local users {"username1"="passwd1"; "user2"="pwd2"; "mary"="lamb"}
    /user
    :foreach uname,pwd in=$users do={
        # only add a user when no account with that name exists yet;
        # existing accounts are left untouched, so re-running is safe
        :if ([:len [find name=$uname]] = 0) do={
            add name=$uname password=$pwd group=full
        }
    }
}
1) it will not remove users which are no longer specified in the script
2) it will not change passwords for users that already exist
3) it keeps passwords in clear-text as part of the script
Issues 1 and 2 can be solved by removing all non-active users before adding:
Code:
{
    /user
    # walk every account and keep only those that currently have an
    # active session (/user active); everything else is removed, and the
    # add-script above then re-creates the declared users afterwards
    :foreach u in=[find] do={
        :local shouldRemove true
        :foreach au in=[active find] do={
            :if ([get $u name] = [active get $au name]) do={
                :set shouldRemove false
            }
        }
        :if ($shouldRemove) do={
            remove $u
        }
    }
}
1) host the passwords in a file on a HTTPS (TLS) webserver, pull it and load it in the scripts (this has its own drawbacks)
2) use SSH keys
As a side-note:
While doing user management this way is entirely functional, if you are doing it this way on a large network, it would be worth considering using RADIUS instead.
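For option 1 above, here is an added example (not the poster's script) of a RouterOS script that pulls a user list over HTTPS and applies it. It assumes a hypothetical URL https://config.example.com/users.txt serving one "name=password" line per user, and that the web server's CA certificate has already been imported on the router with /certificate import, so that check-certificate=yes can actually verify the server rather than silently accepting any certificate:

```routeros
{
    # Added example, not the original poster's script. Assumes users.txt is
    # served at this (hypothetical) URL as one "name=password" line per user,
    # and that the web server's CA certificate has already been imported
    # (/certificate import) so check-certificate=yes can verify the server.
    :local url "https://config.example.com/users.txt"

    # output=user as-value returns the body in the "data" element instead of
    # writing a file to flash; if the certificate does not verify the fetch
    # fails and the script stops before touching any account.
    :local result [/tool fetch url=$url check-certificate=yes output=user as-value]
    :local content ($result->"data")

    :local pos 0
    :local total [:len $content]
    :while ($pos < $total) do={
        # cut out the next line; the last line may have no trailing newline
        :local nl [:find $content "\n" $pos]
        :if ([:typeof $nl] = "nil") do={ :set nl $total }
        :local line [:pick $content $pos $nl]
        :set pos ($nl + 1)

        # tolerate CRLF files, skip blank lines and "#" comments
        :if ([:len $line] > 0) do={
            :if ([:pick $line ([:len $line] - 1)] = "\r") do={
                :set line [:pick $line 0 ([:len $line] - 1)]
            }
        }
        :if ([:len $line] > 0 && [:pick $line 0] != "#") do={
            :local eq [:find $line "="]
            :if ([:typeof $eq] != "nil") do={
                :local uname [:pick $line 0 $eq]
                :local pwd [:pick $line ($eq + 1) [:len $line]]
                # create missing users and, unlike the add-only script above,
                # also push the listed password to users that already exist
                :if ([:len [/user find name=$uname]] = 0) do={
                    /user add name=$uname password=$pwd group=full
                } else={
                    /user set [/user find name=$uname] password=$pwd
                }
            }
        }
    }
}
```

Run it from /system script or a scheduler entry. Two caveats: the passwords are still clear-text on the web server and in the router's memory while the script runs, so this only moves the secret out of the script, it does not remove it; and without check-certificate=yes the fetch would accept any certificate, so a spoofed server could feed the router its own user list. For option 2, the key for an existing account is imported with /user ssh-keys import public-key-file=mary.pub user=mary after the .pub file has been uploaded (or fetched) to the router.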