I'm trying to configure the pam.d/password-auth file with the pam augeasprovider from
herculesteam. I'm running an RH6 system with Puppet 3.7 and version 2.1 of augeasprovider.
I'd like to configure pam from a list of groups. Something like:
    class::allowed:
      - groupA
      - groupB
      - groupC
and the result should be:
    account [default=ignore success=3] pam_succeed_if.so uid < 1000 quiet
    account [default=ignore success=2] pam_succeed_if.so user ingroup groupA
    account [default=ignore success=1] pam_succeed_if.so user ingroup groupB
    account [default=bad success=ignore] pam_succeed_if.so user ingroup groupC
I should configure some entries like:
    pam {
      # First rule: system accounts (uid < 1000) jump over the group checks
      'Add account in system-auth 1':
        ensure           => present,
        service          => 'system-auth',
        type             => 'account',
        control          => '[default=ignore success=2] ',
        control_is_param => true,
        module           => 'pam_succeed_if.so',
        arguments        => ['uid < 1000 quiet'];
      # One rule per allowed group
      'Add account in system-auth 2':
        ensure           => present,
        service          => 'system-auth',
        type             => 'account',
        control          => '[default=ignore success=1] ',
        control_is_param => true,
        module           => 'pam_succeed_if.so',
        arguments        => ['user ingroup groupA'];
    }
and so on...
I need some iteration when creating the pam entries, as the "success" value is based on the number of entries in $allowed. And also some case/if for the first/last entry.
I've been looking for a way and found something like "recursion in puppet", or even using a file template and adding some Ruby, but I'm wondering if there is another approach to this problem using augeasproviders_pam. And upgrading to Puppet 4 is not an option.
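The success=N arithmetic described in the question, as an added Ruby example that is not part of the original post and not code from augeasproviders_pam: each rule's skip count is the number of group rules still below it, and the last rule is the only one that denies. The method names, the `GROUP_NAME` pattern and the fail-closed handling of an empty list are assumptions made for this example.

```ruby
# Added example, not part of the original post. Method and constant names
# are hypothetical; the group-name pattern is an assumed whitelist.
GROUP_NAME = /\A[A-Za-z_][A-Za-z0-9_.-]*\z/

# Returns one hash per PAM account rule, in stack order.
def pam_account_rules(groups, min_uid = 1000)
  groups = Array(groups).map { |g| g.to_s.strip }.uniq
  # Fail closed: with no groups there is no terminating default=bad rule.
  raise ArgumentError, 'allowed group list is empty' if groups.empty?
  bad = groups.reject { |g| g =~ GROUP_NAME }
  raise ArgumentError, "invalid group name(s): #{bad.inspect}" unless bad.empty?

  # System accounts (uid < min_uid) jump over every group rule.
  rules = [{ control: "[default=ignore success=#{groups.size}]",
             arguments: "uid < #{min_uid} quiet" }]

  groups.each_with_index do |group, i|
    remaining = groups.size - 1 - i # group rules still below this one
    control = if remaining.zero?
                '[default=bad success=ignore]' # last rule: deny on a miss
              else
                "[default=ignore success=#{remaining}]" # hit: skip the rest
              end
    rules << { control: control, arguments: "user ingroup #{group}" }
  end
  rules
end

# Renders the rules as pam.d lines, e.g. from an ERB template.
def pam_account_lines(groups, min_uid = 1000)
  pam_account_rules(groups, min_uid).map do |r|
    "account #{r[:control]} pam_succeed_if.so #{r[:arguments]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input matching the list in the post.
  puts pam_account_lines(%w[groupA groupB groupC])
end
```

An off-by-one in the skip count either jumps past the final `default=bad` rule or lands on a later group check, so the generated stack is worth asserting on before it is deployed.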