Showing with 53 additions and 9 deletions.

+22 −6 CHANGELOG.md

+1 −1 LICENSE

+3 −0 README.md

+11 −0 REFERENCE.md

+9 −1 manifests/init.pp

+1 −1 metadata.json

+6 −0 spec/classes/init_spec.rb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
+## [v4.1.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.1.0) (2023-07-17)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.0.0...v4.1.0)
+
+### Merged pull requests:
+
+- add parameter to control manamgent of access.conf [\#262](https://github.com/ghoneycutt/puppet-module-pam/pull/262) ([treydock](https://github.com/treydock))
+
 ## [v4.0.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.0.0) (2023-07-14)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.10.0...v4.0.0)
@@ -31,7 +39,7 @@ All notable changes to this project will be documented in this file. The format
 
 ## [v3.8.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.8.0) (2022-12-28)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.7.0...v3.8.0)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.8.1...v3.8.0)
 
 ### Fixed
 
@@ -46,6 +54,14 @@ All notable changes to this project will be documented in this file. The format
 - Upgrade to GitHub-native Dependabot [\#235](https://github.com/ghoneycutt/puppet-module-pam/pull/235) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))
 - Debian8 eol [\#232](https://github.com/ghoneycutt/puppet-module-pam/pull/232) ([ghoneycutt](https://github.com/ghoneycutt))
 
+## [v3.8.1](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.8.1) (2022-11-04)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.7.1...v3.8.1)
+
+## [v3.7.1](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.7.1) (2022-10-18)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.7.0...v3.7.1)
+
 ## [v3.7.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.7.0) (2020-11-17)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.6.0...v3.7.0)
@@ -134,7 +150,7 @@ All notable changes to this project will be documented in this file. The format
 
 ## [v3.0.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.0.0) (2018-11-09)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/2.34.0...v3.0.0)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.34.0...v3.0.0)
 
 ### Merged pull requests:
 
@@ -150,13 +166,13 @@ All notable changes to this project will be documented in this file. The format
 - Remove VAS logic and create examples that show old behavior [\#169](https://github.com/ghoneycutt/puppet-module-pam/pull/169) ([treydock](https://github.com/treydock))
 - Add example SSSD integration using hiera [\#143](https://github.com/ghoneycutt/puppet-module-pam/pull/143) ([jeffmccune](https://github.com/jeffmccune))
 
-## [2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/2.34.0) (2018-09-18)
+## [v2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.34.0) (2018-09-18)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.34.0...2.34.0)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/2.34.0...v2.34.0)
 
-## [v2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.34.0) (2018-09-18)
+## [2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/2.34.0) (2018-09-18)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.33.0...v2.34.0)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.33.0...2.34.0)
 
 ## [v2.33.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.33.0) (2017-04-20)
 

diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (C) 2010-2020 Garrett Honeycutt <code@garretthoneycutt.com>
+Copyright (C) 2010-2023 Garrett Honeycutt <code@garretthoneycutt.com>
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/README.md b/README.md
@@ -30,6 +30,9 @@ though generally include things such as the following.
 * `/etc/security/limits.conf`
 * `/etc/security/limits.d`
 
+The management of `/etc/security/access.conf` can be controlled by the
+`pam::manage_accesslogin` parameter (enabled by default).
+
 ### Setup requirements
 This module requires `stdlib`. When deployed by default it will require
 `nsswitch`. See below for more information.

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -36,6 +36,7 @@ include pam
 The following parameters are available in the `pam` class:
 
 * [`allowed_users`](#-pam--allowed_users)
+* [`manage_accesslogin`](#-pam--manage_accesslogin)
 * [`login_pam_access`](#-pam--login_pam_access)
 * [`sshd_pam_access`](#-pam--sshd_pam_access)
 * [`limits_fragments`](#-pam--limits_fragments)
@@ -95,6 +96,16 @@ origins in access.conf. The default allows the root user/group from origin
 
 Default value: `'root'`
 
+##### <a name="-pam--manage_accesslogin"></a>`manage_accesslogin`
+
+Data type: `Boolean`
+
+Boolean to manage the inclusion of the pam::accesslogin class.
+Can be useful if /etc/security/access.conf is managed externally.
+Defaults to true.
+
+Default value: `true`
+
 ##### <a name="-pam--login_pam_access"></a>`login_pam_access`
 
 Data type: `Enum['absent', 'optional', 'required', 'requisite', 'sufficient']`

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -8,6 +8,11 @@
 #   origins in access.conf. The default allows the root user/group from origin
 #   'ALL'.
 #
+# @param manage_accesslogin
+#   Boolean to manage the inclusion of the pam::accesslogin class.
+#   Can be useful if /etc/security/access.conf is managed externally.
+#   Defaults to true.
+#
 # @param login_pam_access
 #   Control module to be used for pam_access.so for login. Valid values are
 #   'required', 'requisite', 'sufficient', 'optional' and 'absent'.
@@ -188,6 +193,7 @@
 #
 class pam (
   Variant[Array, Hash, String] $allowed_users               = 'root',
+  Boolean $manage_accesslogin                               = true,
   Enum['absent', 'optional', 'required', 'requisite', 'sufficient']
   $login_pam_access                                       = 'required',
   Enum['absent', 'optional', 'required', 'requisite', 'sufficient']
@@ -277,7 +283,9 @@
   }
 
   if ($facts['os']['family'] in ['RedHat','Suse','Debian']) {
-    include pam::accesslogin
+    if $manage_accesslogin {
+      include pam::accesslogin
+    }
     include pam::limits
 
     package { $package_name:

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "license": "Apache-2.0",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -261,6 +261,12 @@
           it { is_expected.not_to contain_class('nsswitch') }
         end
 
+        context 'with manage_accesslogin parameter set to false' do
+          let(:params) { { manage_accesslogin: false } }
+
+          it { is_expected.not_to contain_class('pam::accesslogin') }
+        end
+
         [true, false].each do |value|
           context "with limits_fragments_hiera_merge parameter specified as a valid value: #{value}" do
             let(:params) { { limits_fragments_hiera_merge: value } }