Thanks, will give this a try :-D
On August 20, 2018 8:43:41 PM GMT+02:00, David Lutterkort <[email protected]> wrote: >Hi, > >yes, what you need to do is possible. See below > >On Friday, August 17, 2018 at 3:39:44 AM UTC-7, T-Bear wrote: >> >> Hello, I'm trying this group to get help with the syntax for >> augeasproviders_pam and the position paramter. >> Yes, I did try google (for several days now), and the Puppet IRC >channel >> twice (which was pretty much as typing to /dev/null) >> I cannot find out how to write a bit more complex xpath expressions >for >> augeasproviders_pam. >> >> >> Hopefully someone with some knowledge of augeasproviders_pam can >help. >> >> >> The case is that need to add a pam entry to system-auth and place it >> before one or more other entries. >> >> Placing the new 'pam_xxx' before one spesific entry is easy, and >google >> helps a lot on how to do this: >> >> pam { 'Add pam_xxxx to system-auth': >> ensure => positioned, >> service => 'system-auth', >> type => 'auth', >> control => 'requisite', >> module => 'pam_xxxx.so', >> arguments => ['arg1=value1','arg2=value2'], >> position => 'before *[type="auth" and module="pam_unix.so"]', >> } >> >> But how would one go about when what you really want is before module > >> pam_unix.so and.. if it exist this other module also.. and if there >was a >> third optional module.. then also add it before that... >> >> The xpath syntax for that is not clear to me, does anyone know if >this is >> possible? >> >> >> Something like this doesn't work: >> position => 'before *[type="auth" and module="pam_unix.so" and >> module="secondoptionalmodule" and module="thirdoptionalmodule"]', >> >> >> Neither does this: >> position => 'before *[type="auth" and module="pam_unix.so" and * >> [module="secondoptionalmodule" and module="thirdoptionalmodule"]]', >> >> >> >> So the question is, is it possible to do something like this: >> >> In section Auth >> Put new entry above modules: >> pam_unix >> pam_optional_1 >> pam_optional_2 >> >> or is my only option to always put it after pam_env.so.. resulting >that it >> may be put to high up in the pam file? >> > >The trick is that you want to do this in two steps: first, pick out all >the >possible places where it could go, and second, tell the provider to use >the >first of those. This will look something like 'before *[complicated >condition to find all possible places][1]' - you can string predicates >enclosed in '[..]' together and they apply to whatever was found in the > >previous predicates; the way path expressions get evaluated is that we >first collect all matching nodes and then filter them by the conditions >in >the first '[..]', then filter that by the conditions in the second >'[..]' >etc. The nodes in that set are kept in the order in which they were >initially found, which means that the '[1]' at the end means 'the first >one >of the possibilities as it appears in the file' > >In your case, what should work is 'before *[type = "auth" and (module = > >"pam_unix.so" or module = "pam_optional_1.so" or module = >"pam_optional_2.so")][1]' > >David > >-- >You received this message because you are subscribed to the Google >Groups "Puppet Users" group. >To unsubscribe from this group and stop receiving emails from it, send >an email to [email protected]. >To view this discussion on the web visit >https://groups.google.com/d/msgid/puppet-users/1fae2b8f-bd2a-4850-a924-4bf73c9418ec%40googlegroups.com. >For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3225C3FE-9483-4C96-B342-C1C771B6EFAB%40gmail.com. For more options, visit https://groups.google.com/d/optout.
