Hi guys,
I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in Puppet. Relatively new to this, but I've got what I'd like to think is most of the basics down.
I've configured a few things using modules such as NTP, SSSD and NSSWITCH but I'm just stuck on how I can use this module and pull info from Hiera into it.
So, let's start with the .yaml file:
        ### nsswitch.conf authentication configuration
        nsswitch::passwd:     'files sss'
        nsswitch::shadow:     'files sss'
And then looking at the nsswitch.pp file:
        ### nsswitch.config setup
        class profile::linux::base::nsswitch {
          # Get Hiera values
          class { 'nsswitch':
            passwd    => [lookup('nsswitch::passwd')],
            shadow    => [lookup('nsswitch::shadow')],
          }
        }
Simple enough to call the values I want, and it works how I want. Now I'm trying to do the same type of thing for PAM using the ghoneycutt/pam module, and there doesn't seem to be much info on how to use it, or it's just not sinking in for me.
Some of my PAM Hiera values:
        pam::pam_auth_lines:
          - '# Managed by Hiera key pam::pam_auth_lines'
          - 'auth        required      pam_env.so'
          - 'auth        sufficient    pam_fprintd.so'
          - 'auth        sufficient    pam_unix.so nullok try_first_pass'
          - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
          - 'auth        sufficient    pam_sss.so use_first_pass'
          - 'auth        required      pam_deny.so'
        pam::pam_account_lines:
          - '# Managed by Hiera key pam::pam_account_lines'
          - 'account     required      pam_unix.so'
          - 'account     sufficient    pam_localuser.so'
          - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
          - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
          - 'account     required      pam_permit.so'
        pam::pam_password_lines:
          - '# Managed by Hiera key pam::pam_password_lines'
          - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
          - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
          - 'password    sufficient    pam_sss.so use_authtok'
          - 'password    required      pam_deny.so'
Some things I've tried:
1:
        class profile::linux::base::pam {
          # resources
          class { 'pam':
            password-auth-ac  => [
              lookup('pam::pam_auth_lines')],
              lookup('pam::pam_account_lines')],
              lookup('pam::pam_password_lines')],
              lookup('pam::pam_session_lines')],
           }
2:
              passwd  => [
                lookup('pam::pam_auth_lines'),
                lookup('pam::pam_account_lines'),
                lookup('pam::pam_password_lines'),
                lookup('pam::pam_session_lines'),
              ],
          }
        include ::pam
        class profile::linux::base::pam {
          # resources
            include ::pam
                 lookup('pam::pam_auth_lines')
        }
I've tried a few other ways and can't get it to work as I want it to. Can anyone help?
Thanks