Here's how we generate access.conf. We define a type that adds and removes 
access.conf entries and use this type in the node that we need a 
particular group to be able to log in to.

class pam { 

  $access = "/etc/security/access.conf"

  exec {"prep access.conf":
    command => "echo - : ALL : ALL > $access",
    unless  => "tail -n 1 $access | grep '^\\- : ALL : ALL'",
  }

  define accesslogin($origins = "ALL", $ensure = "present") { 
    case $ensure {
      present: {
        # insert the "+" rule just above the final "- : ALL : ALL" line,
        # unless that exact rule is already in the file
        exec {"$ensure : $name : $origins":
          command => "sed -i '\$i+ : $name : $origins' ${pam::access}",
          unless  => "grep '+ : $name : $origins' ${pam::access}",
          require => Exec["prep access.conf"],
        }
      }
      default: {
        # remove the "+" rule, but only if it is actually present
        exec {"$ensure : $name : $origins":
          command => "sed -i '/+ : $name : $origins/d' ${pam::access}",
          onlyif  => "grep '+ : $name : $origins' ${pam::access}",
          require => Exec["prep access.conf"],
        }
      }
    }
  }

  # defaults
  accesslogin { ["root", "backup"]: ; }

}

node 'node1' { 
  include pam

  pam::accesslogin { "group1": }
}

node 'node2' { 
  include pam
 
  # let the apache user run cron jobs but not log in
  pam::accesslogin { "apache": 
    origins => "cron",
  }
}
  
-Eric
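The idempotent file edits behind those exec resources, as an added example that is not Eric's code or Puppet's: POSIX shell functions that mirror the prep/add/remove steps on a constructed scratch file, plus a post-run check that the deny-all rule is still last. It assumes GNU sed (for `-i` and the `$i` insert) and that origins contain no `/`.

```shell
#!/bin/sh
# Added example, not from the original post: the shell logic behind the
# exec resources, run against a constructed scratch file instead of the real
# /etc/security/access.conf. Assumes GNU sed (for -i and "$i").
ACCESS=$(mktemp)

# Mirror of "prep access.conf": if the last line is not the deny-all rule,
# reset the file to just that rule (like the "echo ... > $access" exec).
prep_access() {
  tail -n 1 "$ACCESS" 2>/dev/null | grep -q '^- : ALL : ALL' && return 0
  echo '- : ALL : ALL' > "$ACCESS"
}

# Mirror of accesslogin with ensure => present: insert "+ : NAME : ORIGINS"
# above the last line (the deny-all rule), unless that exact rule exists.
add_login() {
  name=$1; origins=${2:-ALL}
  grep -q "^+ : $name : $origins\$" "$ACCESS" && return 0
  sed -i "\$i+ : $name : $origins" "$ACCESS"
}

# Mirror of ensure => absent: delete the matching "+" rule if it is there.
# (origins is used as a sed pattern, so it must not contain "/".)
remove_login() {
  name=$1; origins=${2:-ALL}
  grep -q "^+ : $name : $origins\$" "$ACCESS" || return 0
  sed -i "/^+ : $name : $origins\$/d" "$ACCESS"
}

# Post-run check: pam_access stops at the first matching rule, so the
# deny-all line must appear exactly once and must be last. Returns 0 if so.
check_access() {
  [ "$(tail -n 1 "$ACCESS")" = "- : ALL : ALL" ] || return 1
  [ "$(grep -c '^- : ALL : ALL$' "$ACCESS")" -eq 1 ] || return 1
}

# Number of "+" rules for NAME; a repeated add_login must not raise it.
count_login() {
  grep -c "^+ : $1 : " "$ACCESS" || true
}

# Demo on the scratch file: the defaults, node1's group, node2's cron-only
# user, a repeated add (must be a no-op) and a removal.
prep_access
add_login root; add_login backup; add_login group1; add_login apache cron
add_login group1
remove_login backup
cat "$ACCESS"
```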

On Wed, 11 Feb 2009, Michael Conigliaro wrote:

> 
> Hello,
> 
> Sorry if this ends up getting posted twice.  I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.
> 
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers.  The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server.  My first impression is that I probably
> don't want to create completely different access.conf files for each
> server, so I thought I might try using template conditionals for this.
> I'm just not sure if what I'm trying to do is possible, or if there's a
> better way.  I've pasted my basic idea below.  The part I'm not sure
> about is the "if $hostname in [server1, server2, server3]" part.  I
> didn't see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible.  Any thoughts?
> 
> #
> # etc/access.conf controls access to this machine #
> 
> # User "root" can only log in locally and from trusted network subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
> 
> # Tech support users can log in from all sources.
> + : @support : ALL
> 
> <% if $hostname in [server1, server2, server3] %>
> # group1 can log into this server
> + : @group1 : ALL
> <% end %>
> 
> <% if $hostname in [server4, server5, server6] %>
> # group2 can log into this server
> + : @group2 : ALL
> <% end %>
> 
> # All other users should be denied access from all sources.
> - : ALL : ALL
> 
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O'Neill Technologies
> www.fandotech.com
>  
