From d3afcb16658f3486a4a41fcd57a2b067e4848ce7 Mon Sep 17 00:00:00 2001
From: Michael Scherer <misc@mageia.org>
Date: Thu, 13 Jan 2011 18:12:31 +0000
Subject: allow to use multiple group for the access with pam

---
 modules/pam/manifests/init.pp     | 20 +++++++++++++++-----
 modules/pam/templates/system-auth | 12 ++++++------
 2 files changed, 21 insertions(+), 11 deletions(-)

(limited to 'modules/pam')

diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index e6e37bb8..732957c4 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -43,13 +43,20 @@ class pam {
          content => template("pam/ldap.conf")
       }
   } 
+
+  define multiple_ldap_access($access_classes) {
+    include base
+  }
  
-  # beware , this two classes are exclusive
+  # beware , this two classes are exclusives
+  # if you need multiple group access, you need to define you own class
+  # of access  
  
   # for server where only admins can connect
   class admin_access {
-    $access_class = "admin"
-    include base
+    multiple_ldap_access { "admin_access":
+        access_classes => ['mga-sysadmin']
+    }
   }
 
   # for server where people can connect with ssh ( git, svn )
@@ -59,8 +66,11 @@ class pam {
     # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
     # so the file must exist
     # permission to use svn, git, etc must be added separatly
+     
     include restrictshell::shell
-    $access_class = "committers"
-    include base
+
+    multiple_ldap_access { "committers_access":
+        access_classes => ['mga-commiters']
+    }
   }
 }
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 79c95264..4df9555e 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -9,13 +9,13 @@ auth    required     pam_deny.so
 
 
 account sufficient  pam_localuser.so
-<%- if access_class == 'admin' -%>
-account required    pam_succeed_if.so quiet user ingroup mga-sysadmin
+# not sure if the following bring something useful
+account required  pam_ldap.so
+<%- if access_classes -%>
+<%- access_classes.each { |ldap_group| -%>
+account sufficient   pam_succeed_if.so quiet user ingroup <%= ldap_group %>
+<%- } -%>
 <%- end -%>
-<%- if access_class == 'committers' -%>
-account required    pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
-account sufficient  pam_ldap.so
 account required    pam_deny.so
 
 
-- 
cgit v1.2.1