According to the documentation, the following is not convergent:

    bundle agent ensure_pam_passwords_clear
    {
      files:
        "/etc/ldap.conf"
          edit_line => pam_password("clear");
    }

    bundle edit_line pam_password(method)
    {
      replace_patterns:
        # haven't tested whether PCRE zero-width negative lookahead assertions work in Nova
        "(pam_password (?!$(method)))"
          replace_with => comment_lines_matching;   # in cfengine_stdlib.cf

      replace_patterns:
        "#\s*(pam_password\s+$(method))\b.*"
          replace_with => uncomment_first_occurrence;
    }

    body replace_with uncomment_first_occurrence
    {
      replace_with => "$(match.1)";
      occurrences  => "first";   # NOT CONVERGENT!
    }

Multiple applications of the uncomment_first_occurrence body could match a different line in the file each time.

So here's my problem.

    [r...@gdcscf3lgmt01 masterfiles.devel]# grep pam_password /etc/ldap.conf
    #pam_password clear
    #pam_password crypt
    #pam_password clear_remove_old
    #pam_password nds
    #pam_password racf
    #pam_password ad
    #pam_password exop
    #pam_password_prohibit_message Please visit http://internal to change your password.
    #pam_password ad
    #pam_password ad
    #pam_password ad
    #pam_password clear
    pam_password clear
    [r...@gdcscf3lgmt01 masterfiles.devel]#

This /etc/ldap.conf file is correct for our environment since it has a "pam_password clear" line uncommented, and that is the only pam_password line that is uncommented. However, not all systems, especially new ones, will have this correct configuration. Many will have "pam_password md5" uncommented by default. (In fact, the line that is uncommented used to say md5, but we had a script edit the line.)

So how do I implement a convergent policy to ensure a single pam_password line is uncommented and reads "pam_password clear"? My preference is to just modify the standard file as little as needed, since I prefer to avoid fully controlling files in order to stay with defaults where possible, and we never know when a vendor will make important changes to a file that we could wipe out unintentionally.

-- Justin C.
Lloyd
Unix Infrastructure Engineer
DigitalGlobe, An Imaging and Information Company

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
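One convergent way to get the end state the post asks for (exactly one active pam_password line, reading "pam_password clear", with the rest of the vendor file untouched), added here as an example and not part of the original message or of cfengine_stdlib.cf. It assumes CFEngine 3 with the stdlib's comment_lines_matching body loaded, that PCRE lookahead works in the agent (the question the poster left open), and the bundle names used below are chosen here.

```cfengine
bundle agent ensure_single_pam_password
{
  files:
    "/etc/ldap.conf"
      edit_line => pam_password_convergent("clear"),
      comment   => "Exactly one active pam_password line, and it must say clear";
}

bundle edit_line pam_password_convergent(method)
{
  replace_patterns:
    # Comment out every ACTIVE line (no leading '#') that selects a method
    # other than $(method). The ^ anchor is what makes this convergent: once
    # a line starts with '#' it can never match again, so a second run
    # changes nothing. "pam_password_prohibit_message" is skipped because
    # \s+ requires whitespace right after the keyword. The capture group
    # feeds $(match.1) in the stdlib body, which prepends the '#'.
    "^\s*(pam_password\s+(?!$(method)\b)\S.*)$"
      replace_with => comment_lines_matching;   # from cfengine_stdlib.cf

  insert_lines:
    # insert_lines only adds the line when an identical line is absent, so
    # this is convergent too. On a fresh host where only "pam_password md5"
    # was active, md5 gets commented out above and this line is appended;
    # on the poster's already-correct host nothing changes. The end state
    # is the same whichever of the two promise types CFEngine evaluates
    # first, because "pam_password clear" never matches the pattern above.
    # The commented "#pam_password clear" copies are left exactly as they are.
    # With "clear" the password leaves the host as typed, so the ssl/tls
    # settings elsewhere in ldap.conf are what protect it on the wire.
    "pam_password $(method)";
}
```

A line such as "pam_password  clear" (two spaces) would not be recognised as identical by insert_lines, so a site whose files were hand edited may want to normalise that whitespace first.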