6 files changed, 27 insertions, 10 deletions

diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp
index df913101..e29c8555 100644
--- a/modules/pam/manifests/base.pp
+++ b/modules/pam/manifests/base.pp
@@ -1,5 +1,13 @@
 class pam::base {
-    package { ['pam_ldap','nss_ldap','nscd']: }
+    include pam::multiple_ldap_access
+    package { ['nscd', 'nss-pam-ldapd']: }
+
+    # This needs configuration or it generates an error every hour.
+    # If it's ever enabled, make sure restrict permissions on
+    # /var/db/passwd.db and /var/db/group.db at the same time.
+    package { 'nss_updatedb':
+        ensure => 'absent',
+    }
 
     service { 'nscd':
         require => Package['nscd'],
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
index ecda7018..1c5a391f 100644
--- a/modules/pam/manifests/multiple_ldap_access.pp
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -1,4 +1,13 @@
-define pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+    include stdlib
+
+    $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+    if empty($access_classes) {
+        $allowed_access_classes = $default_access_classes
+    } else {
+        $allowed_access_classes = concat($default_access_classes, $access_classes)
+    }
+
     if $restricted_shell {
         include restrictshell
     }
diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf
index a1d751cf..235a6aac 100644
--- a/modules/pam/templates/ldap.conf
+++ b/modules/pam/templates/ldap.conf
@@ -15,8 +15,10 @@ nss_map_attribute uniqueMember member
 sudoers_base ou=sudoers,<%= dc_suffix %>
 #sudoers_debug 2
 
-<% if restricted_shell %>
+<%-
+restricted_shell = scope.lookupvar('pam::multiple_ldap_access::restricted_shell')
+if restricted_shell
+-%>
 # for restricted access
 nss_override_attribute_value loginShell /usr/local/bin/sv_membersh.pl
 <% end %>
-
diff --git a/modules/pam/templates/nsswitch.conf b/modules/pam/templates/nsswitch.conf
index fdd32996..bfd042c1 100644
--- a/modules/pam/templates/nsswitch.conf
+++ b/modules/pam/templates/nsswitch.conf
@@ -13,4 +13,3 @@ netgroup:   files ldap
 publickey:  files
 automount:  files
 aliases:    files
-
diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf
index 812538be..cd6ee640 100644
--- a/modules/pam/templates/openldap.ldap.conf
+++ b/modules/pam/templates/openldap.ldap.conf
@@ -18,9 +18,8 @@ TLS_REQCERT     allow
 # Use the default self-signed cert generated by openldap-server postinstall
 # by default 
 #TLS_CACERT      /etc/pki/tls/certs/ldap.pem
-#TLS_CACERT     /etc/ssl/openldap/ldap.mageia.org.pem
+#TLS_CACERT     /etc/ssl/openldap/ldap.<%= domain %>.pem
 
 # If requiring support for certificates signed by all CAs (noting risks
 # pam_ldap if doing DNS-based suffix lookup etc.
 #TLS_CACERTDIR  /etc/pki/tls/rootcerts
-
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 4df9555e..37d1da7d 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,8 +11,9 @@ auth    required     pam_deny.so
 account sufficient  pam_localuser.so
 # not sure if the following bring something useful
 account required  pam_ldap.so
-<%- if access_classes -%>
-<%- access_classes.each { |ldap_group| -%>
+<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%>
+<%- if allowed_access_classes -%>
+<%- allowed_access_classes.each { |ldap_group| -%>
 account sufficient   pam_succeed_if.so quiet user ingroup <%= ldap_group %>
 <%- } -%>
 <%- end -%>
@@ -32,4 +33,3 @@ session optional    pam_mkhomedir.so
 session required    pam_limits.so
 session required    pam_unix.so
 session optional    pam_ldap.so
-