From 46a24792a42345d11d073137a8665e03ffec2cfc Mon Sep 17 00:00:00 2001
From: Olivier Blin
Date: Tue, 21 Feb 2017 01:45:18 +0100
Subject: Implicitely allow mga-sysadmin login for all access classes

Like done already for mga-unrestricted_shell_access. There is no easy way to concatenate arrays in puppet, the rules are kept inlined for mga-sysadmin and mga-unrestricted_shell_access.
---
 deployment/access_classes/manifests/admin.pp | 4 ++--
 deployment/access_classes/manifests/iso_makers.pp | 2 +-
 deployment/access_classes/manifests/web.pp | 2 +-
 modules/pam/templates/system-auth | 1 +
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/deployment/access_classes/manifests/admin.pp b/deployment/access_classes/manifests/admin.pp
index e072281f..186c9c87 100644
--- a/deployment/access_classes/manifests/admin.pp
+++ b/deployment/access_classes/manifests/admin.pp
@@ -1,7 +1,7 @@
-# for server where only admins can connect
+# for server where only admins can connect (allowed by default)
 class access_classes::admin {
 class { 'pam::multiple_ldap_access':
- access_classes => ['mga-sysadmin']
+ access_classes => []
 }
 }
diff --git a/deployment/access_classes/manifests/iso_makers.pp b/deployment/access_classes/manifests/iso_makers.pp
index ee8c02de..c645205e 100644
--- a/deployment/access_classes/manifests/iso_makers.pp
+++ b/deployment/access_classes/manifests/iso_makers.pp
@@ -1,5 +1,5 @@
 class access_classes::iso_makers {
 class { 'pam::multiple_ldap_access':
- access_classes => ['mga-iso_makers','mga-sysadmin']
+ access_classes => ['mga-iso_makers']
 }
 }
diff --git a/deployment/access_classes/manifests/web.pp b/deployment/access_classes/manifests/web.pp
index 78c6d5e1..fa2c7df5 100644
--- a/deployment/access_classes/manifests/web.pp
+++ b/deployment/access_classes/manifests/web.pp
@@ -1,5 +1,5 @@
 class access_classes::web {
 class { 'pam::multiple_ldap_access':
- access_classes => ['mga-web','mga-sysadmin']
+ access_classes => ['mga-web']
 }
 }
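Review bot: `access_classes => []` on the new side of the admin.pp hunk relies on the pam::multiple_ldap_access template treating an empty list as "no extra class" rather than "allow nobody" or a rendering error; the template's `<%- if access_classes -%>` guard (visible in the system-auth hunk) is true for an empty Ruby array, so whatever it emits for `[]` — which is outside this patch — is what now governs admin-only hosts and should be confirmed. The new comment `(allowed by default)` does not say where that default lives; suggest `# for servers where only admins can connect: mga-sysadmin is granted by the pam system-auth template, so no extra access class is needed`. The removal of 'mga-sysadmin' in the iso_makers.pp and web.pp hunks depends on that same template rule and would benefit from the same one-line pointer.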
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 6ce40a9d..010552cc 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,6 +11,7 @@ auth required pam_deny.so
 account sufficient pam_localuser.so
 # not sure if the following bring something useful
 account required pam_ldap.so
+account sufficient pam_succeed_if.so quiet user ingroup mga-sysadmin
 account sufficient pam_succeed_if.so quiet user ingroup mga-unrestricted_shell_access
 <%- access_classes = scope.lookupvar('pam::multiple_ldap_access::access_classes') -%>
 <%- if access_classes -%>
-- 
cgit v1.2.1
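Review bot: The added `account sufficient pam_succeed_if.so quiet user ingroup mga-sysadmin` line makes every host rendered from this template grant mga-sysadmin account access regardless of the per-host access_classes list, and nothing in the template says so. It also depends on the preceding `account required pam_ldap.so` line that the existing comment questions: because that module is `required`, a failed LDAP account check (expired or locked account) is remembered and the later `sufficient` group lines cannot override it, so the ordering is what keeps account-status enforcement in place for these groups. Suggest replacing the "not sure" comment with `# keep pam_ldap account checks before the group allows below: a failed required module cannot be overridden by a later sufficient one`, and adding above the new line `# mga-sysadmin and mga-unrestricted_shell_access are always allowed, whatever access_classes a host declares`. `user ingroup` also relies on the host resolving the user's group membership through NSS; if that lookup fails the user falls through to the access_classes rules that follow, whose body lies outside this hunk.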