All-

I've been using puppet (now 2.6.9) and augeas (now 0.7.2 + ruby-augeas 0.3.0)
for a few weeks and I'm a convert.

I'm trying to modify a particular argument to a particular entry in
the RHEL 6.1 /etc/pam.d/password-auth-ac file, and although I've come
up with a way that "works", it's fragile.  I'm hoping someone can suggest
a better way.

First, the line in question in /etc/pam.d/password-auth-ac is

        auth        requisite     pam_succeed_if.so uid >= 500 quiet

It's the third line in the "auth" section of that file.  The problem
is that we have a few old-timers that have uids in the range 101-499, and
this line causes them problems on login via things like sshd.

In the past we would have scripted something in perl in our kickstart
%post script to switch that particular "500" to be "100".

Using this excellent past thread as a guide:

        http://groups.google.com/group/puppet-users/browse_thread/thread/ab96038a5658ec98/cb0c0beb8cd5418b?lnk=gst&q=augeas+%2Bpam#cb0c0beb8cd5418b

I can match the line in question in augtool with:

        print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]
/files/etc/pam.d/password-auth-ac/3
/files/etc/pam.d/password-auth-ac/3/type = "auth"
/files/etc/pam.d/password-auth-ac/3/control = "requisite"
/files/etc/pam.d/password-auth-ac/3/module = "pam_succeed_if.so"
/files/etc/pam.d/password-auth-ac/3/argument[1] = "uid"
/files/etc/pam.d/password-auth-ac/3/argument[2] = ">="
/files/etc/pam.d/password-auth-ac/3/argument[3] = "500"
/files/etc/pam.d/password-auth-ac/3/argument[4] = "quiet"


The problem is that 'uid', '>=', and '500' are all separate arguments.
I can get puppet to apply my modification if I use an entry like this:

     #
     # RHEL 6 has a new PAM file that needs to have the uid for "special
     # users" adjusted down from 500 to 100.
     #
     augeas { "pam.d/password-auth-ac_uidfix":
         context => '/files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]',
         changes => [
             "set argument[3] 100",
         ],
         onlyif  => 'get argument[3] == "500"'
     }


But that only works if argument[1]="uid", argument[2]=">=", and
argument[3]="500".  Ideally, my rule would find the position of "uid" in
the line, and then match only if position() + 2 = "500".   I've tried
things like:

        print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"][argument[position()] = "uid"]

within augtool and that much works, but as soon as I try something like:

        print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"][argument[position()] = "uid"][argument[position() + 1] = ">="]

it fails to match.

Anyone have an idea how I can rewrite things so that the match isn't
dependent on the exact current order of arguments, and instead matches
relative to the position of a previous argument (uid) or pair of arguments
(uid and >=)?

Any thoughts appreciated,

Tim
--
Tim Mooney                                             tim.moo...@ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
