Commit

Merge pull request #262 from treydock/manage-accesslogin
add parameter to control management of access.conf
ghoneycutt authored Jul 17, 2023
2 parents a808372 + e036a37 commit 97777c8
Showing 3 changed files with 18 additions and 1 deletion.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -30,6 +30,9 @@ though generally include things such as the following.
* `/etc/security/limits.conf`
* `/etc/security/limits.d`

The management of `/etc/security/access.conf` can be controlled by the
`pam::manage_accesslogin` parameter (enabled by default).

### Setup requirements
This module requires `stdlib`. When deployed by default it will require
`nsswitch`. See below for more information.
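Review bot: the new README sentence says the parameter is "enabled by default" but not which value turns it off or when that is appropriate. The @param text added in manifests/init.pp already gives the reason ("if /etc/security/access.conf is managed externally"); suggest repeating it here, for example: "Set `pam::manage_accesslogin` to `false` if `/etc/security/access.conf` is managed outside this module."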
10 changes: 9 additions & 1 deletion manifests/init.pp
Expand Up @@ -8,6 +8,11 @@
# origins in access.conf. The default allows the root user/group from origin
# 'ALL'.
#
# @param manage_accesslogin
# Boolean to manage the inclusion of the pam::accesslogin class.
# Can be useful if /etc/security/access.conf is managed externally.
# Defaults to true.
#
# @param login_pam_access
# Control module to be used for pam_access.so for login. Valid values are
# 'required', 'requisite', 'sufficient', 'optional' and 'absent'.
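Review bot: the new @param manage_accesslogin text does not say what happens to the parameter documented directly above it, whose value ends up as origins in access.conf. If that value is only consumed by pam::accesslogin, it is silently ignored once manage_accesslogin is false, and the doc should say so. "Defaults to true." also repeats what the class signature already shows and could be dropped.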
Expand Down Expand Up @@ -188,6 +193,7 @@
#
class pam (
Variant[Array, Hash, String] $allowed_users = 'root',
Boolean $manage_accesslogin = true,
Enum['absent', 'optional', 'required', 'requisite', 'sufficient']
$login_pam_access = 'required',
Enum['absent', 'optional', 'required', 'requisite', 'sufficient']
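Review bot: in the class signature, `$manage_accesslogin` is independent of `$login_pam_access`, which still defaults to 'required'. With manage_accesslogin set to false and nothing else changed, pam_access.so stays required for login while this module no longer includes the class that manages access.conf, so the login decision rests entirely on whatever the external tool leaves in that file. That combination deserves a sentence in the parameter documentation and a spec that pins the intended behaviour.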
Expand Down Expand Up @@ -277,7 +283,9 @@
}

if ($facts['os']['family'] in ['RedHat','Suse','Debian']) {
include pam::accesslogin
if $manage_accesslogin {
include pam::accesslogin
}
include pam::limits

package { $package_name:
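Review bot: `include pam::limits` directly after the new conditional stays unconditional, so `/etc/security/limits.conf` and `/etc/security/limits.d` cannot be handed to an external manager the way access.conf now can. If the use case is files managed elsewhere, consider a matching toggle for pam::limits in a follow-up, or note in the README why only access.conf gets one.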
6 changes: 6 additions & 0 deletions spec/classes/init_spec.rb
Expand Up @@ -261,6 +261,12 @@
it { is_expected.not_to contain_class('nsswitch') }
end

context 'with manage_accesslogin parameter set to false' do
let(:params) { { manage_accesslogin: false } }

it { is_expected.not_to contain_class('pam::accesslogin') }
end

[true, false].each do |value|
context "with limits_fragments_hiera_merge parameter specified as a valid value: #{value}" do
let(:params) { { limits_fragments_hiera_merge: value } }
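Review bot: the new context only covers `manage_accesslogin: false` and only asserts on the class. Please add the positive case (parameter true or unset, `it { is_expected.to contain_class('pam::accesslogin') }`) so a regression in the default is caught, and in the false case also assert that no file resource for `/etc/security/access.conf` ends up in the catalog, since leaving that file unmanaged is the stated purpose of the parameter.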

0 comments on commit 97777c8
