Hi,
yes, what you need to do is possible. See below.
On Friday, August 17, 2018 at 3:39:44 AM UTC-7, T-Bear wrote:
>
> Hello, I'm trying this group to get help with the syntax for
> augeasproviders_pam and the position parameter.
> Yes, I did try google (for several days now), and the Puppet IRC channel
> twice (which was pretty much as typing to /dev/null)
> I cannot find out how to write a bit more complex xpath expressions for
> augeasproviders_pam.
>
>
> Hopefully someone with some knowledge of augeasproviders_pam can help.
>
>
> The case is that I need to add a pam entry to system-auth and place it
> before one or more other entries.
>
> Placing the new 'pam_xxx' before one specific entry is easy, and google
> helps a lot on how to do this:
>
> pam { 'Add pam_xxxx to system-auth':
>   ensure    => positioned,
>   service   => 'system-auth',
>   type      => 'auth',
>   control   => 'requisite',
>   module    => 'pam_xxxx.so',
>   arguments => ['arg1=value1','arg2=value2'],
>   position  => 'before *[type="auth" and module="pam_unix.so"]',
> }
>
> But how would one go about when what you really want is before module
> pam_unix.so and.. if it exists this other module also.. and if there was a
> third optional module.. then also add it before that...
>
> The xpath syntax for that is not clear to me, does anyone know if this is
> possible?
>
>
> Something like this doesn't work:
> position => 'before *[type="auth" and module="pam_unix.so" and
> module="secondoptionalmodule" and module="thirdoptionalmodule"]',
>
>
> Neither does this:
> position => 'before *[type="auth" and module="pam_unix.so" and *
> [module="secondoptionalmodule" and module="thirdoptionalmodule"]]',
>
>
>
> So the question is, is it possible to do something like this:
>
> In section Auth
> Put new entry above modules:
> pam_unix
> pam_optional_1
> pam_optional_2
>
> or is my only option to always put it after pam_env.so.. resulting that it
> may be put too high up in the pam file?
>
The trick is that you want to do this in two steps: first, pick out all the
possible places where it could go, and second, tell the provider to use the
first of those. This will look something like 'before *[complicated
condition to find all possible places][1]' - you can string predicates
enclosed in '[..]' together and they apply to whatever was found in the
previous predicates; the way path expressions get evaluated is that we
first collect all matching nodes and then filter them by the conditions in
the first '[..]', then filter that by the conditions in the second '[..]'
etc. The nodes in that set are kept in the order in which they were
initially found, which means that the '[1]' at the end means 'the first one
of the possibilities as it appears in the file'.
In your case, what should work is 'before *[type = "auth" and (module =
"pam_unix.so" or module = "pam_optional_1.so" or module =
"pam_optional_2.so")][1]'
David
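
An added example, not part of David's reply and not code from augeasproviders_pam: a simplified Python model of the two-step selection described above (collect every possible anchor, then take the first one in file order), with a check that the new entry ends up above all of them. The sample system-auth content is constructed, and pam_xxxx.so and the pam_optional_* modules are the thread's placeholder names.

```python
# Simplified model of the two-predicate selection; this is not Augeas itself.
# SAMPLE is constructed; assumes single-token control fields (no "[...]" form).
SAMPLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_optional_2.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow
"""
ANCHORS = {"pam_unix.so", "pam_optional_1.so", "pam_optional_2.so"}
NEW = {"type": "auth", "control": "requisite", "module": "pam_xxxx.so"}

def parse(text):
    """Return PAM entries in file order as dicts (type, control, module)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries.append({"type": fields[0], "control": fields[1],
                            "module": fields[2]})
    return entries

def candidates(entries, pam_type, modules):
    """First predicate: indexes where type matches and module is ANY of modules."""
    return [i for i, e in enumerate(entries)
            if e["type"] == pam_type and e["module"] in modules]

def insert_before_first(entries, new_entry, pam_type, modules):
    """Second predicate [1]: insert before the first candidate in file order."""
    hits = candidates(entries, pam_type, modules)
    if not hits:
        raise LookupError("no anchor entry matched; nothing to position against")
    out = list(entries)
    out.insert(hits[0], new_entry)
    return out

def precedes_all(entries, module, pam_type, modules):
    """Post-change check: module sits above every anchor entry of that type."""
    mine = [i for i, e in enumerate(entries)
            if e["type"] == pam_type and e["module"] == module]
    return bool(mine) and all(mine[0] < i for i in candidates(entries, pam_type, modules))

if __name__ == "__main__":
    result = insert_before_first(parse(SAMPLE), NEW, "auth", ANCHORS)
    for e in result:
        print(e["type"], e["control"], e["module"])
    print("above all anchors:", precedes_all(result, "pam_xxxx.so", "auth", ANCHORS))
```

In the constructed sample the optional module appears above pam_unix.so, so the new entry lands before it rather than before pam_unix.so; the account and password pam_unix.so lines are ignored because the type does not match.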