Here's how we generate access.conf. We define a type that adds and removes access.conf entries and use this type in the node that we need a particular group to be able to log in to.
class pam {
    $access = "/etc/security/access.conf"

    # make sure the file ends with a catch-all deny; every entry added
    # below is inserted above it, so the deny line always stays last
    exec {"prep access.conf":
        command => "echo - : ALL : ALL > $access",
        unless  => "tail -n 1 $access | grep '^\\- : ALL : ALL'",
    }

    define accesslogin($origins = "ALL", $ensure = "present") {
        case $ensure {
            present: {
                # sed '$i' inserts the entry just before the last line (the deny-all);
                # grep for the exact '+ : name : origins' entry so the exec is idempotent
                exec {"$ensure : $name : $origins":
                    command => "sed -i '\$i+ : $name : $origins' ${pam::access}",
                    unless  => "grep '+ : $name : $origins' ${pam::access}",
                    require => Exec["prep access.conf"],
                }
            }
            default: {
                # any other value of ensure removes the entry again
                exec {"$ensure : $name : $origins":
                    command => "sed -i '/+ : $name : $origins/d' ${pam::access}",
                    onlyif  => "grep '+ : $name : $origins' ${pam::access}",
                    require => Exec["prep access.conf"],
                }
            }
        }
    }

    # defaults
    accesslogin { ["root", "backup"]: ; }
}

node 'node1' {
    include pam
    pam::accesslogin { "group1": }
}

node 'node2' {
    include pam
    # let the apache user run cron jobs but not login
    pam::accesslogin { "apache": origins => "cron", }
}

-Eric

On Wed, 11 Feb 2009, Michael Conigliaro wrote:

>
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.
>
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers. The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server. My first impression is that I probably
> don't want to create completely different access.conf files for each
> server, so I thought I might try using template conditionals for this.
> I'm just not sure if what I'm trying to do is possible, or if there's a
> better way. I've pasted my basic idea below. The part I'm not sure
> about is the "if $hostname in [server1, server2, server3]" part. I
> didn't see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible. Any thoughts?
>
> #
> # etc/access.conf controls access to this machine
> #
>
> # User "root" can only log in locally and from trusted network subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
>
> # Tech support users can log in from all sources.
> + : @support : ALL
>
> <% if $hostname in [server1, server2, server3] %>
> # group1 can log into this server
> + : @group1 : ALL
> <% end %>
>
> <% if $hostname in [server4, server5, server6] %>
> # group2 can log into this server
> + : @group2 : ALL
> <% end %>
>
> # All other users should be denied to get access from all sources.
> - : ALL : ALL
>
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O'Neill Technologies
> www.fandotech.com
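As an added illustration (not code from either message in this thread), the same add/remove logic Eric's define implements with sed and grep, written as pure functions over the file's lines, plus a check for the ordering mistake pam_access punishes: rules are matched first-match-wins, so anything placed after the trailing "- : ALL : ALL" never applies. The function names, the regex and the sample file are assumptions built on the quoted access.conf.

```python
import re

DENY_ALL = "- : ALL : ALL"
# One access.conf rule: permission, users/groups, origins (comments and blank lines do not match)
ENTRY_RE = re.compile(r"^\s*([+-])\s*:\s*(\S+)\s*:\s*(.+?)\s*$")

def prep(lines):
    """Mirror the 'prep access.conf' exec: make sure the file ends with the catch-all deny."""
    lines = list(lines)
    if not lines or lines[-1].strip() != DENY_ALL:
        lines.append(DENY_ALL)
    return lines

def ensure_present(lines, name, origins="ALL"):
    """Mirror ensure => present: insert '+ : name : origins' directly above the
    final deny line (what sed '$i' does), unless the exact entry already exists."""
    entry = f"+ : {name} : {origins}"
    lines = prep(lines)
    if any(l.strip() == entry for l in lines):
        return lines
    return lines[:-1] + [entry, lines[-1]]

def ensure_absent(lines, name, origins="ALL"):
    """Mirror the default branch: drop the exact entry, leaving the deny line in place."""
    entry = f"+ : {name} : {origins}"
    return [l for l in prep(lines) if l.strip() != entry]

def shadowed(lines):
    """pam_access stops at the first matching rule, so a rule placed after
    '- : ALL : ALL' can never take effect. Return those unreachable rules."""
    unreachable, seen_deny = [], False
    for l in lines:
        m = ENTRY_RE.match(l)
        if not m:
            continue
        if seen_deny:
            unreachable.append(l.strip())
        elif m.groups() == ("-", "ALL", "ALL"):
            seen_deny = True
    return unreachable

# Constructed sample based on the access.conf in the quoted message.
SAMPLE = [
    "# /etc/security/access.conf",
    "- : root : ALL EXCEPT LOCAL 192.168.0.0/16",
    "+ : @support : ALL",
    DENY_ALL,
]
```

Applying ensure_present twice for the same name and origins leaves the file unchanged, which is the property the Puppet exec's unless/onlyif guards provide.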