aboutsummaryrefslogtreecommitdiffstats
path: root/modules/pam
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam')
-rw-r--r--modules/pam/templates/ldap.conf5
-rw-r--r--modules/pam/templates/system-auth1
2 files changed, 5 insertions, 1 deletions
diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf
index a1d751cf..5e550661 100644
--- a/modules/pam/templates/ldap.conf
+++ b/modules/pam/templates/ldap.conf
@@ -15,7 +15,10 @@ nss_map_attribute uniqueMember member
sudoers_base ou=sudoers,<%= dc_suffix %>
#sudoers_debug 2
-<% if restricted_shell %>
+<%-
+restricted_shell = scope.lookupvar('pam::multiple_ldap_access::restricted_shell')
+if restricted_shell
+-%>
# for restricted access
nss_override_attribute_value loginShell /usr/local/bin/sv_membersh.pl
<% end %>
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 4df9555e..de985687 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,6 +11,7 @@ auth required pam_deny.so
account sufficient pam_localuser.so
# not sure if the following bring something useful
account required pam_ldap.so
+<%- access_classes = scope.lookupvar('pam::multiple_ldap_access::access_classes') -%>
<%- if access_classes -%>
<%- access_classes.each { |ldap_group| -%>
account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>