Optionally enable pam_slurm and pam_access

defaults/main.yml

@@ -4,6 +4,16 @@ pam_enabled: False
 
 pam_use_sssd: False
 
+# Enable the pam_slurm.so module
+pam_enable_slurm: False
+
+# These are allowed in /etc/security/access.conf, set when
+# pam_enable_slurm == True
+slurm_access_groups:
+ - "{{ admingroup | default('admin') }}"
+ - "root"
+ - "wheel"
+
 # Use per-user /tmp, /var/tmp and /dev/shm directories?
 pam_use_namespace: False
 pam_tmp_inst_dir: /l/tmp-inst/

tasks/main.yml

@@ -15,3 +15,18 @@
   template: src=site.conf.j2 dest=/etc/security/namespace.d/site.conf
             owner=root group=root mode=0644
   when: pam_enabled
+
+- name: lineinfile add admin groups to /etc/security/access.conf
+  lineinfile: 'dest="/etc/security/access.conf"
+              regexp="(^\+\:{{ item }}\:ALL$)"
+              line="+:{{ item }}:ALL"'
+  register: reg_slurm_access_conf
+  with_items: slurm_access_groups
+  when: pam_enabled and pam_enable_slurm
+
+- name: lineinfile deny all at the end of /etc/security/access.conf
+  lineinfile: 'dest="/etc/security/access.conf"
+               regexp="(^\-\:ALL\:ALL$)"
+               line="-:ALL:ALL"
+               insertafter="EOF"'
+  when: reg_slurm_access_conf|success and pam_enabled and pam_enable_slurm

templates/system-auth.j2

@@ -15,6 +15,10 @@ account     sufficient    pam_succeed_if.so uid < 1000 quiet
 {% if pam_use_sssd %}
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 {% endif %}
+{% if pam_enable_slurm %}
+account     sufficient    pam_access.so
+account     required      pam_slurm.so
+{% endif %}
 account     required      pam_permit.so
 
 password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=