diff options
Diffstat (limited to 'deployment/access_classes/manifests')
| -rw-r--r-- | deployment/access_classes/manifests/admin.pp | 8 | ||||
| -rw-r--r-- | deployment/access_classes/manifests/committers.pp | 14 | ||||
| -rw-r--r-- | deployment/access_classes/manifests/init.pp | 42 | ||||
| -rw-r--r-- | deployment/access_classes/manifests/iso_makers.pp | 5 | ||||
| -rw-r--r-- | deployment/access_classes/manifests/web.pp | 5 |
5 files changed, 33 insertions, 41 deletions
diff --git a/deployment/access_classes/manifests/admin.pp b/deployment/access_classes/manifests/admin.pp new file mode 100644 index 00000000..186c9c87 --- /dev/null +++ b/deployment/access_classes/manifests/admin.pp @@ -0,0 +1,8 @@ +# for server where only admins can connect (allowed by default) +class access_classes::admin { + class { 'pam::multiple_ldap_access': + access_classes => [] + } +} + + diff --git a/deployment/access_classes/manifests/committers.pp b/deployment/access_classes/manifests/committers.pp new file mode 100644 index 00000000..37c0e266 --- /dev/null +++ b/deployment/access_classes/manifests/committers.pp @@ -0,0 +1,14 @@ +# for server where people can connect with ssh ( git, svn ) +class access_classes::committers { + # this is required, as we force the shell to be the restricted one + # openssh will detect if the file do not exist and while refuse to log the + # user, and erase the password ( see pam_auth.c in openssh code, + # seek badpw ) + # so the file must exist + # permission to use svn, git, etc must be added separately + + class { 'pam::multiple_ldap_access': + access_classes => ['mga-shell_access'], + restricted_shell => true, + } +} diff --git a/deployment/access_classes/manifests/init.pp b/deployment/access_classes/manifests/init.pp index 03d48898..a414f3e0 100644 --- a/deployment/access_classes/manifests/init.pp +++ b/deployment/access_classes/manifests/init.pp @@ -1,45 +1,5 @@ class access_classes { - # beware , theses classes are exclusives # if you need multiple group access, you need to define you own class - # of access - - # for server where only admins can connect - class admin { - pam::multiple_ldap_access { "admin": - access_classes => ['mga-sysadmin'] - } - } - - # for server where people can connect with ssh ( git, svn ) - class committers { - # this is required, as we force the shell to be the restricted one - # openssh will detect if the file do not exist and while refuse to log the - # user, and erase the password ( see pam_auth.c in openssh code, seek badpw ) - # so the file must exist - # permission to use svn, git, etc must be added separatly - - pam::multiple_ldap_access { "committers": - access_classes => ['mga-shell_access'], - restricted_shell => true, - } - } - - class iso_makers { - pam::multiple_ldap_access { "iso_makers": - access_classes => ['mga-iso_makers','mga-sysadmin'] - } - } - - class web { - pam::multiple_ldap_access { "web": - access_classes => ['mga-web','mga-sysadmin'] - } - } - - class web_and_artwork { - pam::multiple_ldap_access { "web_artwork": - access_classes => ['mga-web','mga-sysadmin','mga-artwork'] - } - } + # of access } diff --git a/deployment/access_classes/manifests/iso_makers.pp b/deployment/access_classes/manifests/iso_makers.pp new file mode 100644 index 00000000..c645205e --- /dev/null +++ b/deployment/access_classes/manifests/iso_makers.pp @@ -0,0 +1,5 @@ +class access_classes::iso_makers { + class { 'pam::multiple_ldap_access': + access_classes => ['mga-iso_makers'] + } +} diff --git a/deployment/access_classes/manifests/web.pp b/deployment/access_classes/manifests/web.pp new file mode 100644 index 00000000..fa2c7df5 --- /dev/null +++ b/deployment/access_classes/manifests/web.pp @@ -0,0 +1,5 @@ +class access_classes::web { + class { 'pam::multiple_ldap_access': + access_classes => ['mga-web'] + } +} |