Diffstat (limited to 'modules/pam')
-rw-r--r--modules/pam/manifests/base.pp32
-rw-r--r--modules/pam/manifests/init.pp31
-rw-r--r--modules/pam/manifests/multiple_ldap_access.pp15
-rw-r--r--modules/pam/templates/ldap.conf6
-rw-r--r--modules/pam/templates/nsswitch.conf1
-rw-r--r--modules/pam/templates/openldap.ldap.conf3
-rw-r--r--modules/pam/templates/system-auth6
7 files changed, 56 insertions, 38 deletions
diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp
new file mode 100644
index 00000000..e29c8555
--- /dev/null
+++ b/modules/pam/manifests/base.pp
@@ -0,0 +1,32 @@
+class pam::base {
+ include pam::multiple_ldap_access
+ package { ['nscd', 'nss-pam-ldapd']: }
+
+ # This needs configuration or it generates an error every hour.
+ # If it's ever enabled, make sure restrict permissions on
+ # /var/db/passwd.db and /var/db/group.db at the same time.
+ package { 'nss_updatedb':
+ ensure => 'absent',
+ }
+
+ service { 'nscd':
+ require => Package['nscd'],
+ }
+
+ file {
+ '/etc/pam.d/system-auth':
+ content => template('pam/system-auth');
+ '/etc/nsswitch.conf':
+ content => template('pam/nsswitch.conf');
+ '/etc/ldap.conf':
+ content => template('pam/ldap.conf');
+ '/etc/openldap/ldap.conf':
+ content => template('pam/openldap.ldap.conf');
+ }
+
+ $ldap_password = extlookup("${::fqdn}_ldap_password",'x')
+ file { '/etc/ldap.secret':
+ mode => '0600',
+ content => $ldap_password
+ }
+}
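Review bot: `extlookup("${::fqdn}_ldap_password",'x')` supplies the literal string `x` as a default, so on a host whose per-fqdn key is missing from the extlookup data the run does not fail — it silently writes `x` into /etc/ldap.secret as the LDAP bind password, and the only symptom is bind failures later. Drop the default so catalog compilation aborts on a missing key: `$ldap_password = extlookup("${::fqdn}_ldap_password")`. The secret file pins `mode => '0600'` but no owner, so add `owner => 'root', group => 'root',` alongside it; 0600 protects nothing if the file is ever created or adopted under another owner. The same applies to `/etc/pam.d/system-auth` and `/etc/ldap.conf` above, which get no owner/mode at all and control who may log in and which LDAP server is trusted. The nscd service on L33 also has no `ensure => running` / `enable => true`, so the manifest only declares the service without guaranteeing its state.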
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 8d25d056..180ad852 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -1,30 +1 @@
-class pam {
- class base {
- package { ["pam_ldap","nss_ldap","nscd"]: }
-
- service { nscd:
- require => Package['nscd'],
- }
-
- file {
- "/etc/pam.d/system-auth": content => template("pam/system-auth");
- "/etc/nsswitch.conf": content => template("pam/nsswitch.conf");
- "/etc/ldap.conf": content => template("pam/ldap.conf");
- "/etc/openldap/ldap.conf": content => template("pam/openldap.ldap.conf");
- }
-
- $ldap_password = extlookup("${fqdn}_ldap_password",'x')
- file { "ldap.secret":
- path => "/etc/ldap.secret",
- mode => 600,
- content => $ldap_password
- }
- }
-
- define multiple_ldap_access($access_classes,$restricted_shell = false) {
- if $restricted_shell {
- include restrictshell
- }
- include base
- }
-}
+class pam { }
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
new file mode 100644
index 00000000..1c5a391f
--- /dev/null
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -0,0 +1,15 @@
+class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+ include stdlib
+
+ $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+ if empty($access_classes) {
+ $allowed_access_classes = $default_access_classes
+ } else {
+ $allowed_access_classes = concat($default_access_classes, $access_classes)
+ }
+
+ if $restricted_shell {
+ include restrictshell
+ }
+ include pam::base
+}
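Review bot: Neither `$access_classes` nor `$restricted_shell` is validated, although `$restricted_shell` gates `include restrictshell` and `$access_classes` is passed to `concat` and later rendered into pam_succeed_if rules; in Puppet of this era a string such as `"false"` is truthy, so a caller quoting the flag would silently get the restricted shell (or, worse, a quoted `"true"` still works while the inverse does not, hiding the mistake). Since `stdlib` is already included, add `validate_bool($restricted_shell)` and `validate_array($access_classes)` directly after `include stdlib` (assuming the stdlib version in use ships these functions). The two default classes are granted on every host regardless of what the caller passes, which is a real access-policy decision and deserves a comment on the `$default_access_classes` line, e.g. `# always allowed to log in, in addition to the host-specific classes`.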
diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf
index a1d751cf..235a6aac 100644
--- a/modules/pam/templates/ldap.conf
+++ b/modules/pam/templates/ldap.conf
@@ -15,8 +15,10 @@ nss_map_attribute uniqueMember member
sudoers_base ou=sudoers,<%= dc_suffix %>
#sudoers_debug 2
-<% if restricted_shell %>
+<%-
+restricted_shell = scope.lookupvar('pam::multiple_ldap_access::restricted_shell')
+if restricted_shell
+-%>
# for restricted access
nss_override_attribute_value loginShell /usr/local/bin/sv_membersh.pl
<% end %>
-
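Review bot: `if restricted_shell` tests the raw result of `scope.lookupvar(...)`, but on older Puppet `lookupvar` returns the symbol `:undefined` for an unset variable and returns the string `"false"` when the parameter was quoted, and both are truthy in Ruby, so the loginShell override would be emitted on hosts that never set the flag. That direction happens to be fail-closed here (more users get the restricted shell), but the behaviour then depends on Puppet's undefined-variable representation rather than on the parameter; compare explicitly with `if restricted_shell.to_s == 'true'`. The template also assumes `pam::multiple_ldap_access` is always in the catalog when `pam::base` renders this file — true in this commit because `pam::base` includes it — and a one-line comment above the lookup stating that dependency would keep a later refactor from breaking it silently.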
diff --git a/modules/pam/templates/nsswitch.conf b/modules/pam/templates/nsswitch.conf
index fdd32996..bfd042c1 100644
--- a/modules/pam/templates/nsswitch.conf
+++ b/modules/pam/templates/nsswitch.conf
@@ -13,4 +13,3 @@ netgroup: files ldap
publickey: files
automount: files
aliases: files
-
diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf
index 812538be..cd6ee640 100644
--- a/modules/pam/templates/openldap.ldap.conf
+++ b/modules/pam/templates/openldap.ldap.conf
@@ -18,9 +18,8 @@ TLS_REQCERT allow
# Use the default self-signed cert generated by openldap-server postinstall
# by default
#TLS_CACERT /etc/pki/tls/certs/ldap.pem
-#TLS_CACERT /etc/ssl/openldap/ldap.mageia.org.pem
+#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem
# If requiring support for certificates signed by all CAs (noting risks
# pam_ldap if doing DNS-based suffix lookup etc.
#TLS_CACERTDIR /etc/pki/tls/rootcerts
-
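Review bot: The templated `#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem` is still commented out, and the hunk header context shows `TLS_REQCERT allow` immediately above, so as far as this file is concerned the LDAP client never verifies the server certificate while pam_ldap binds with the credential from /etc/ldap.secret — an on-path attacker can present any certificate and capture the bind password and every user password sent for authentication. If the per-domain CA file is actually distributed to clients (I cannot tell from this diff), uncomment the line and switch to `TLS_REQCERT demand`; if it is not yet, leave a comment on the `TLS_REQCERT` line saying so, e.g. `# TODO: set to demand once /etc/ssl/openldap/ldap.<domain>.pem is deployed; allow disables verification`.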
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 4df9555e..37d1da7d 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,8 +11,9 @@ auth required pam_deny.so
account sufficient pam_localuser.so
# not sure if the following bring something useful
account required pam_ldap.so
-<%- if access_classes -%>
-<%- access_classes.each { |ldap_group| -%>
+<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%>
+<%- if allowed_access_classes -%>
+<%- allowed_access_classes.each { |ldap_group| -%>
account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
<%- } -%>
<%- end -%>
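Review bot: `if allowed_access_classes` only guards against nil/false, but `scope.lookupvar` on older Puppet returns the symbol `:undefined` for an unset variable, which is truthy and has no `.each`, so the template raises at catalog compile time on any host where `pam::multiple_ldap_access` is not in the catalog; guard on the type instead, `<%- if allowed_access_classes.is_a?(Array) -%>`. Each class is interpolated unquoted into `account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>`; the names come from manifests rather than untrusted input, but a name containing whitespace would silently split into extra pam_succeed_if arguments and change the rule, which is worth a comment here or a `validate_re` in the class. Note that these `sufficient` lines short-circuit the account stack for members of the default classes after `account required pam_ldap.so`; whatever `account` rule follows them is outside this hunk.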
@@ -32,4 +33,3 @@ session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
-