I am using augeas to update the PAM configuration (i.e., to LDAP-enable my
systems).
Here is a snippet of what I am doing to add required modules, etc.
augeas {
    # Insert pam_succeed_if.so after pam_unix.so in the auth stack if it is missing.
    "auth-pam_succeed":
        context => "/files/etc/pam.d/system-auth",
        changes => [
            "ins 100000 after *[type='auth'][module='pam_unix.so']",
            "set 100000/type auth",
            "set 100000/control requisite",
            "set 100000/module pam_succeed_if.so",
            "set 100000/argument[1] uid",
            "set 100000/argument[2] >=",
            "set 100000/argument[3] 500",
            "set 100000/argument[4] quiet",
        ],
        onlyif  => "match *[type='auth'][module='pam_succeed_if.so'] size == 0";

    # Insert pam_ldap.so after pam_succeed_if.so in the auth stack if it is missing.
    "auth-pam_ldap":
        context => "/files/etc/pam.d/system-auth",
        changes => [
            "ins 100000 after *[type='auth'][module='pam_succeed_if.so']",
            "set 100000/type auth",
            "set 100000/control sufficient",
            "set 100000/module pam_ldap.so",
            "set 100000/argument use_first_pass"
        ],
        onlyif  => "match *[type='auth'][module='pam_ldap.so'] size == 0",
        require => Augeas[ "auth-pam_succeed" ];

    # Insert pam_access.so after pam_unix.so in the account stack if it is missing.
    "account-pam_access":
        context => "/files/etc/pam.d/system-auth",
        changes => [
            "ins 100000 after *[type='account'][module='pam_unix.so']",
            "set 100000/type account",
            "set 100000/control required",
            "set 100000/module pam_access.so",
        ],
        onlyif  => "match *[type='account'][module='pam_access.so'] size == 0";
}
** these augeas calls repeat for each module I need to add **
My question is, is there a simpler way to do what I am doing? Meaning, can I
combine all these separate calls into one? What about the onlyif statements,
is there another way that these can be accomplished? Basically, I need to
insert the module, at a defined place, if needed.
Also would be nice to explicitly set the arguments. Right now the only way I
can think to do that is to add another augeas check to check the options and
update if needed.
Thanks
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
On Jan 27, 2011, at 3:16 PM, Matthew Ceroni wrote:

> I am using augeas to update the PAM configuration (i.e., to LDAP-enable my systems).
>
> …
>
> My question is, is there a simpler way to do what I am doing? Meaning, can I combine all these separate calls into one?

You didn’t say what OS this is for, but if it happens to be RHEL or CentOS, there’s a much easier way.

    # configure PAM for LDAP
    augeas { "authconfig":
        require => Augeas["ldapauth"],
        context => "/files/etc/sysconfig/authconfig",
        changes => [
            "set USELDAP yes",
            "set USELDAPAUTH yes",
            "set USEMKHOMEDIR yes",
            "set USELOCAUTHORIZE yes",
        ],
    }

    # regenerate the PAM files only when the authconfig settings changed
    exec { "authconfig":
        path        => "/usr/bin:/usr/sbin:/bin",
        command     => "authconfig --updateall",
        subscribe   => Augeas["authconfig"],
        refreshonly => true,
    }

Of course you need to do a lot of other things as well (install packages, configure /etc/ldap.conf, distribute CA certs), but this covers the PAM stuff. The Augeas["ldapauth"] line refers to /etc/ldap.conf, which Augeas can also manage.

If you’re on a different OS, let me know and I’ll see if there’s a simpler way to do the PAM stuff.

-- 
Rob McBroom
<http://www.skurfer.com/>
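
A post-run check for the PAM stack that the three Augeas resources in the first message are meant to produce, added here as an example (it is not code from the thread). The sample file contents are constructed, and the names parse, audit and EXPECTED belong to this example only; arguments are split on whitespace, so bracketed arguments that contain spaces are not handled.

```python
import re

# Constructed sample: /etc/pam.d/system-auth as it should look after the three
# Augeas resources from the first message have run (not taken from the thread).
SAMPLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
account     required      pam_unix.so
account     required      pam_access.so
"""

# (type, module, control, arguments, module the entry must directly follow)
EXPECTED = [
    ("auth", "pam_succeed_if.so", "requisite", ["uid", ">=", "500", "quiet"], "pam_unix.so"),
    ("auth", "pam_ldap.so", "sufficient", ["use_first_pass"], "pam_succeed_if.so"),
    ("account", "pam_access.so", "required", [], "pam_unix.so"),
]

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module, [arguments]) for every rule line.
    The control field is a plain word or a bracketed [value=action ...] list."""
    entries = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries

def audit(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the stack matches."""
    entries, findings = parse(text), []
    for typ, module, control, args, after in expected:
        stack = [e for e in entries if e[0] == typ]  # order within one type
        hits = [i for i, e in enumerate(stack) if e[2] == module]
        if len(hits) != 1:
            findings.append(f"{typ} {module}: {len(hits)} entries, expected 1")
            continue
        i = hits[0]
        if i == 0 or stack[i - 1][2] != after:
            findings.append(f"{typ} {module}: not directly after {after}")
        if stack[i][1] != control:
            findings.append(f"{typ} {module}: control {stack[i][1]}, expected {control}")
        if stack[i][3] != args:
            findings.append(f"{typ} {module}: arguments {stack[i][3]}, expected {args}")
    return findings
```

Calling audit() on the text of a managed system-auth file returns one line per deviation, which also catches the argument drift that the onlyif guards in the first message do not look at.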