Diffstat (limited to 'modules/pam/manifests')
-rw-r--r--modules/pam/manifests/base.pp32
-rw-r--r--modules/pam/manifests/init.pp31
-rw-r--r--modules/pam/manifests/multiple_ldap_access.pp15
3 files changed, 48 insertions, 30 deletions
diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp
new file mode 100644
index 00000000..e29c8555
--- /dev/null
+++ b/modules/pam/manifests/base.pp
@@ -0,0 +1,32 @@
+class pam::base {
+ include pam::multiple_ldap_access
+ package { ['nscd', 'nss-pam-ldapd']: }
+
+ # This needs configuration or it generates an error every hour.
+ # If it's ever enabled, make sure restrict permissions on
+ # /var/db/passwd.db and /var/db/group.db at the same time.
+ package { 'nss_updatedb':
+ ensure => 'absent',
+ }
+
+ service { 'nscd':
+ require => Package['nscd'],
+ }
+
+ file {
+ '/etc/pam.d/system-auth':
+ content => template('pam/system-auth');
+ '/etc/nsswitch.conf':
+ content => template('pam/nsswitch.conf');
+ '/etc/ldap.conf':
+ content => template('pam/ldap.conf');
+ '/etc/openldap/ldap.conf':
+ content => template('pam/openldap.ldap.conf');
+ }
+
+ $ldap_password = extlookup("${::fqdn}_ldap_password",'x')
+ file { '/etc/ldap.secret':
+ mode => '0600',
+ content => $ldap_password
+ }
+}
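Review bot: The `'x'` default passed to extlookup on the `$ldap_password` line means a missing `<fqdn>_ldap_password` entry silently writes the literal string `x` into `/etc/ldap.secret` as the bind credential instead of failing the run; dropping the default, `$ldap_password = extlookup("${::fqdn}_ldap_password")`, turns a missing key into a catalog error, which is the safer failure for a secret. The same resource sets `mode => '0600'` without `owner`/`group`, so the restrictive mode only protects the file if its ownership happens to be root; add `owner => 'root', group => 'root',` next to the mode. None of the `file` resources notify `Service['nscd']`, so a changed nsswitch.conf or ldap.conf does not restart the cache daemon and the old configuration stays active until the next restart.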
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 8d25d056..180ad852 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -1,30 +1 @@
-class pam {
- class base {
- package { ["pam_ldap","nss_ldap","nscd"]: }
-
- service { nscd:
- require => Package['nscd'],
- }
-
- file {
- "/etc/pam.d/system-auth": content => template("pam/system-auth");
- "/etc/nsswitch.conf": content => template("pam/nsswitch.conf");
- "/etc/ldap.conf": content => template("pam/ldap.conf");
- "/etc/openldap/ldap.conf": content => template("pam/openldap.ldap.conf");
- }
-
- $ldap_password = extlookup("${fqdn}_ldap_password",'x')
- file { "ldap.secret":
- path => "/etc/ldap.secret",
- mode => 600,
- content => $ldap_password
- }
- }
-
- define multiple_ldap_access($access_classes,$restricted_shell = false) {
- if $restricted_shell {
- include restrictshell
- }
- include base
- }
-}
+class pam { }
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
new file mode 100644
index 00000000..1c5a391f
--- /dev/null
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -0,0 +1,15 @@
+class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+ include stdlib
+
+ $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+ if empty($access_classes) {
+ $allowed_access_classes = $default_access_classes
+ } else {
+ $allowed_access_classes = concat($default_access_classes, $access_classes)
+ }
+
+ if $restricted_shell {
+ include restrictshell
+ }
+ include pam::base
+}
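Review bot: `$allowed_access_classes` is assigned on both branches of the if/else but nothing in this hunk reads it, and the class neither passes it to another resource nor documents a consumer; if a template under pam::base reads it by its fully qualified name, a comment such as `# consumed by the pam templates in pam::base via pam::multiple_ldap_access::allowed_access_classes` would make that visible, otherwise the merge of the defaults with `$access_classes` has no effect on the resulting access policy. The class also has a required parameter (`$access_classes` carries no default) while pam::base includes it back with a plain `include`, so evaluation only succeeds if this class is always the one declared first by the node; a default of `$access_classes = []` would remove that ordering hazard. The two default classes are merged in unconditionally, which is presumably intended since they grant administrative access, but a one-line comment stating that they can never be removed by a caller would help a reader auditing who gets in.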