Diffstat (limited to 'modules/pam/manifests')
-rw-r--r--modules/pam/manifests/base.pp10
-rw-r--r--modules/pam/manifests/multiple_ldap_access.pp11
2 files changed, 19 insertions, 2 deletions
diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp
index df913101..e29c8555 100644
--- a/modules/pam/manifests/base.pp
+++ b/modules/pam/manifests/base.pp
@@ -1,5 +1,13 @@
class pam::base {
- package { ['pam_ldap','nss_ldap','nscd']: }
+ include pam::multiple_ldap_access
+ package { ['nscd', 'nss-pam-ldapd']: }
+
+ # This needs configuration or it generates an error every hour.
+ # If it's ever enabled, make sure restrict permissions on
+ # /var/db/passwd.db and /var/db/group.db at the same time.
+ package { 'nss_updatedb':
+ ensure => 'absent',
+ }
service { 'nscd':
require => Package['nscd'],
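Review bot: `include pam::multiple_ldap_access` at the top of this hunk declares a class whose `$access_classes` parameter has no default (see the class signature in the multiple_ldap_access.pp hunk of this same commit), so the include fails with a missing-parameter error unless Hiera/data binding supplies a value. Giving the parameter a default, `class pam::multiple_ldap_access($access_classes = [], $restricted_shell = false) {`, makes the include valid and routes the no-override case through the `empty()` branch the class already has. Separately, `pam_ldap` and `nss_ldap` are dropped from the package list but not set to `ensure => 'absent'`, so hosts built under the old manifest keep both LDAP stacks installed; if the distribution packages do not conflict with `nss-pam-ldapd`, an explicit absent resource would retire them. The comment on the nss_updatedb resource reads better as `# If it's ever enabled, make sure to restrict permissions on`. The `service { 'nscd':` resource continues past the end of the hunk.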
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
index ecda7018..1c5a391f 100644
--- a/modules/pam/manifests/multiple_ldap_access.pp
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -1,4 +1,13 @@
-define pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+ include stdlib
+
+ $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+ if empty($access_classes) {
+ $allowed_access_classes = $default_access_classes
+ } else {
+ $allowed_access_classes = concat($default_access_classes, $access_classes)
+ }
+
if $restricted_shell {
include restrictshell
}
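Review bot: `concat($default_access_classes, $access_classes)` in the else branch assumes `$access_classes` is an array, but nothing in the class checks it; a caller passing a single class name as a string is either rejected by stdlib's concat or wrapped into a one-element list depending on the stdlib version, so add `validate_array($access_classes)` after `include stdlib` to make the contract explicit. The `if empty(...)`/else pair is also redundant, since concat with an empty array returns the defaults unchanged, and could collapse to a single `$allowed_access_classes = concat($default_access_classes, $access_classes)`. The defaults `mga-sysadmin` and `mga-unrestricted_shell_access` are granted regardless of what the caller passes, which a one-line comment above `$default_access_classes` stating that these classes are allowed on every host would make explicit. Converting the define into a class also invalidates any remaining `pam::multiple_ldap_access { ... }` resource-style declarations elsewhere in the tree, which I cannot see from this hunk; the class body continues past the end of the hunk.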