sgnl05 / sgnl05-sssd

Puppet module for SSSD
https://forge.puppet.com/sgnl05/sssd
GNU General Public License v3.0

Add support for pam_access #42

Closed GerbenWelter closed 7 years ago

GerbenWelter commented 7 years ago

This is a rebase of #34 which also fixes the Travis builds.

edestecd commented 7 years ago

I'm kind of torn on this. pam_access seems to have nothing to do with sssd, so I kinda think it should be in a separate module. See this module, which does exactly this: https://forge.puppet.com/MiamiOH/pam_access

GerbenWelter commented 7 years ago

I figured authconfig could do everything in one go but I see your point. The pam_access module you mentioned doesn't quite fit our needs so I have added the pam_access stuff to our custom access module.

edestecd commented 7 years ago

Can you help me understand how the pam_access module doesn't fit your needs? The init class only runs the authconfig exec, I believe. We can make a PR to turn off anything you don't need...

GerbenWelter commented 7 years ago

The module has no option for specifying the order of the entries. We use a template that sorts the rules based on a priority.

edestecd commented 7 years ago

The documentation and examples are not clear about the order. I will file an issue to get the doc updated.

You can specify the order. The entries are inserted, with augeas, in the order that puppet runs them. You can choose if they are inserted above or below the previous entry with the position: https://github.com/MiamiOH/puppet-pam_access/blob/master/manifests/entry.pp#L53

So it is as simple as using puppet ordering with require/before etc... In the example below you are guaranteed to get them in order: user1, user2, root.

pam_access::entry { 'user1':
  permission => '+',
  user       => 'user1',
  origin     => 'ALL',
  position   => 'after',
}

pam_access::entry { 'user2':
  permission => '+',
  user       => 'user2',
  origin     => 'ALL',
  position   => 'after',
  require    => Pam_access::Entry['user1'],
}

pam_access::entry { 'root':
  permission => '-',
  user       => 'root',
  origin     => 'ALL',
  position   => 'after',
  require    => Pam_access::Entry['user2'],
}

The default for position is 'before' if the permission is + and 'after' if the permission is -. Since the deny is usually - and last, it typically works out even if you do not specify any requires or position. It will insert every - last and every + on top. However, you can be as specific as you like about the ordering.
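To show why the entry order discussed above matters, here is an added example (not code from the sgnl05-sssd module, the MiamiOH pam_access module or this thread): a minimal first-match evaluator for /etc/security/access.conf run over a constructed file in the order the three entries above would produce, and over the same rules with the deny on top. The sample users and the origin address are constructed.

```python
# Added example (not from the sgnl05-sssd module or this thread): a minimal
# first-match evaluator for /etc/security/access.conf; sample data is constructed.
from typing import List, Tuple

# As the three pam_access::entry resources above would render, plus the usual
# catch-all deny at the bottom: '+' allows first, '-' denies last.
ORDERED_CONF = """\
# /etc/security/access.conf (constructed sample)
+ : user1 : ALL
+ : user2 : ALL
- : root : ALL
- : ALL : ALL
"""
# The same rules with the catch-all deny landing on top instead of at the end.
MISORDERED_CONF = "\n".join(reversed(ORDERED_CONF.splitlines()))

def parse_access_conf(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (permission, users, origins) per rule; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def is_allowed(rules, user: str, origin: str, groups=()) -> bool:
    """pam_access semantics: the first rule whose user and origin fields both
    match decides ('+' grants, '-' denies); no matching rule means allow.
    Simplified: handles ALL, literal names and (group) users; no EXCEPT lists,
    LOCAL keyword or host/network patterns."""
    for permission, users, origins in rules:
        user_hit = any(u == "ALL" or u == user or
                       (u.startswith("(") and u.strip("()") in groups) for u in users)
        origin_hit = any(o == "ALL" or o == origin for o in origins)
        if user_hit and origin_hit:
            return permission == "+"
    return True

def decisions(conf: str, users=("user1", "user2", "root", "nobody")) -> dict:
    """Evaluate each user from a constructed origin; useful to diff two orderings."""
    rules = parse_access_conf(conf)
    return {u: is_allowed(rules, u, "10.0.0.5") for u in users}

print("ordered:   ", decisions(ORDERED_CONF))    # user1/user2 True, root/nobody False
print("misordered:", decisions(MISORDERED_CONF)) # everyone False: deny-all matched first
```

Origins containing ':' (IPv6 addresses) would need a smarter field splitter than the plain split used here.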

ghoneycutt commented 7 years ago

You can also use the Puppet Approved PAM module - https://forge.puppet.com/ghoneycutt/pam

You can configure the access.conf using a simple array, or a hash if you want to specify the location instead of the default ALL.

https://forge.puppet.com/ghoneycutt/pam#hiera-example-for-allowed_users