Need help with syntax for augeasproviders_pam and position parameter


T-Bear

Aug 17, 2018, 6:39:44 AM
to Puppet Users
Hello, I'm trying this group to get help with the syntax for augeasproviders_pam and the position parameter.
Yes, I did try Google (for several days now), and the Puppet IRC channel twice (which was pretty much like typing to /dev/null).
I cannot find out how to write a bit more complex xpath expressions for augeasproviders_pam.


Hopefully someone with some knowledge of augeasproviders_pam can help.


The case is that I need to add a pam entry to system-auth and place it before one or more other entries.

Placing the new 'pam_xxx' before one specific entry is easy, and Google helps a lot on how to do this:

pam { 'Add pam_xxxx to system-auth':
  ensure    => positioned,
  service   => 'system-auth',
  type      => 'auth',
  control   => 'requisite',
  module    => 'pam_xxxx.so',
  arguments => ['arg1=value1','arg2=value2'],
  position  => 'before *[type="auth" and module="pam_unix.so"]',
}

But how would one go about it when what you really want is before module pam_unix.so and.. if it exists, this other module also.. and if there was a third optional module.. then also add it before that...

The xpath syntax for that is not clear to me, does anyone know if this is possible?


Something like this doesn't work:
position => 'before *[type="auth" and module="pam_unix.so" and module="secondoptionalmodule" and module="thirdoptionalmodule"]',


Neither does this:
position => 'before *[type="auth" and module="pam_unix.so" and * [module="secondoptionalmodule" and module="thirdoptionalmodule"]]',



So the question is, is it possible to do something like this:

In section Auth
 
Put new entry above modules:
     pam_unix
     pam_optional_1
     pam_optional_2

or is my only option to always put it after pam_env.so.. resulting that it may be put too high up in the pam file?





Regards
T-Bear







David Lutterkort

Aug 20, 2018, 2:43:41 PM
to Puppet Users
Hi,

Yes, what you need to do is possible. See below.
The trick is that you want to do this in two steps: first, pick out all the possible places where it could go, and second, tell the provider to use the first of those. This will look something like 'before *[complicated condition to find all possible places][1]' - you can string predicates enclosed in '[..]' together and they apply to whatever was found in the previous predicates; the way path expressions get evaluated is that we first collect all matching nodes and then filter them by the conditions in the first '[..]', then filter that by the conditions in the second '[..]' etc. The nodes in that set are kept in the order in which they were initially found, which means that the '[1]' at the end means 'the first one of the possibilities as it appears in the file'.

In your case, what should work is 'before *[type = "auth" and (module = "pam_unix.so" or module = "pam_optional_1.so" or module = "pam_optional_2.so")][1]'

David
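
A simplified Python model of the two-step selection described in the reply above (filter all candidates in file order, then take the first), added here as an illustration; it is not Augeas, the provider's code, or part of the thread. The sample system-auth content is constructed, and leaving the stack unchanged when nothing matches is an assumption of the model.

```python
# Model of 'before *[type="auth" and (module=A or module=B or ...)][1]'.
# Constructed sample of a system-auth file; module names are taken from the thread.
SAMPLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_optional_1.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow
"""

ANCHORS = {"pam_unix.so", "pam_optional_1.so", "pam_optional_2.so"}


def parse(text):
    """Return PAM entries in file order (simple one-word controls only)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip comments, blank and malformed lines
        entries.append({"type": fields[0], "control": fields[1],
                        "module": fields[2], "arguments": fields[3:]})
    return entries


def first_anchor(entries, pam_type="auth", modules=ANCHORS):
    """First predicate filters the candidates; '[1]' keeps the first in file order."""
    matches = [i for i, e in enumerate(entries)
               if e["type"] == pam_type and e["module"] in modules]
    return matches[0] if matches else None


def insert_before(entries, new_entry, **kw):
    """Insert before the first anchor; no anchor means no change (model's assumption)."""
    idx = first_anchor(entries, **kw)
    if idx is None:
        return list(entries)
    return entries[:idx] + [new_entry] + entries[idx:]


NEW = {"type": "auth", "control": "requisite", "module": "pam_xxxx.so",
       "arguments": ["arg1=value1", "arg2=value2"]}

if __name__ == "__main__":
    for e in insert_before(parse(SAMPLE), NEW):
        print(e["type"], e["control"], e["module"], *e["arguments"])
```

Because the `account` and `password` lines for pam_unix.so fail the `type` test, they never become candidates, so the new entry always lands inside the auth section.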

Thorbjørn Skistad

Aug 21, 2018, 11:34:11 AM
to puppet...@googlegroups.com
Thanks, will give this a try :-D