Hi,
yes, what you need to do is possible. See below
On Friday, August 17, 2018 at 3:39:44 AM UTC-7, T-Bear wrote:
>
> Hello, I'm trying this group to get help with the syntax for
> augeasproviders_pam and the position paramter.
> Yes, I did try google (for several days now), and the Puppet IRC channel
> twice (which was pretty much as typing to /dev/null)
> I cannot find out how to write a bit more complex xpath expressions for
> augeasproviders_pam.
>
>
> Hopefully someone with some knowledge of augeasproviders_pam can help.
>
>
> The case is that need to add a pam entry to system-auth and place it
> before one or more other entries.
>
> Placing the new 'pam_xxx' before one spesific entry is easy, and google
> helps a lot on how to do this:
>
> pam { 'Add pam_xxxx to system-auth':
> ensure => positioned,
> service => 'system-auth',
> type => 'auth',
> control => 'requisite',
> module => 'pam_xxxx.so',
> arguments => ['arg1=value1','arg2=value2'],
> position => 'before *[type="auth" and module="pam_unix.so"]',
> }
>
> But how would one go about when what you really want is before module
> pam_unix.so and.. if it exist this other module also.. and if there was a
> third optional module.. then also add it before that...
>
> The xpath syntax for that is not clear to me, does anyone know if this is
> possible?
>
>
> Something like this doesn't work:
> position => 'before *[type="auth" and module="pam_unix.so" and
> module="secondoptionalmodule" and module="thirdoptionalmodule"]',
>
>
> Neither does this:
> position => 'before *[type="auth" and module="pam_unix.so" and *
> [module="secondoptionalmodule" and module="thirdoptionalmodule"]]',
>
>
>
> So the question is, is it possible to do something like this:
>
> In section Auth
> Put new entry above modules:
> pam_unix
> pam_optional_1
> pam_optional_2
>
> or is my only option to always put it after pam_env.so.. resulting that it
> may be put to high up in the pam file?
>
The trick is that you want to do this in two steps: first, pick out all the
possible places where it could go, and second, tell the provider to use the
first of those. This will look something like 'before *[complicated
condition to find all possible places][1]' - you can string predicates
enclosed in '[..]' together and they apply to whatever was found in the
previous predicates; the way path expressions get evaluated is that we
first collect all matching nodes and then filter them by the conditions in
the first '[..]', then filter that by the conditions in the second '[..]'
etc. The nodes in that set are kept in the order in which they were
initially found, which means that the '[1]' at the end means 'the first one
of the possibilities as it appears in the file'
In your case, what should work is 'before *[type = "auth" and (module =
"pam_unix.so" or module = "pam_optional_1.so" or module =
"pam_optional_2.so")][1]'
David
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/1fae2b8f-bd2a-4850-a924-4bf73c9418ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
