shadow: Specifically change uid/gid max instead of copying custom login.defs

Copying a custom login.defs file is not really a good option, since we
have to manage many distribution versions, which do not necessarily
have the same login.defs settings.

Instead, we now only change the UID_MAX and GID_MAX values to 2000
(from an initial value of 60000). This is done so that locally created
accounts do not overlap LDAP-managed accounts, which starts at 5000.

This uses the file_line helper from the puppetlabs-stdlib module.
It means the puppet-stdlib package now needs to be installed on the
puppet master node.

1 files changed, 17 insertions, 2 deletions

diff --git a/deployment/shadow/manifests/init.pp b/deployment/shadow/manifests/init.pp
index 083f86ba..c24c36bf 100644
--- a/deployment/shadow/manifests/init.pp
+++ b/deployment/shadow/manifests/init.pp
@@ -1,8 +1,23 @@
 class shadow {
-    file { '/etc/login.defs':
+    include stdlib
+
+    $login_defs = '/etc/login.defs'
+
+    file { $login_defs:
         owner  => 'root',
         group  => 'shadow',
         mode   => '0640',
-        source => 'puppet:///modules/shadow/login.defs',
+    }
+
+    file_line { 'uid_max':
+        path  => $login_defs,
+       line  => 'UID_MAX                 2000',
+       match => '^UID_MAX\s+',
+    }
+
+    file_line { 'gid_max':
+        path  => $login_defs,
+       line  => 'GID_MAX                 2000',
+       match => '^GID_MAX\s+',
     }
 }