From 46a24792a42345d11d073137a8665e03ffec2cfc Mon Sep 17 00:00:00 2001
From: Olivier Blin <dev@blino.org>
Date: Tue, 21 Feb 2017 01:45:18 +0100
Subject: Implicitely allow mga-sysadmin login for all access classes

Like done already for mga-unrestricted_shell_access.
There is no easy way to concatenate arrays in puppet, the rules are
kept inlined for mga-sysadmin and mga-unrestricted_shell_access.
---
 modules/pam/templates/system-auth | 1 +
 1 file changed, 1 insertion(+)

(limited to 'modules')

diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 6ce40a9d..010552cc 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,6 +11,7 @@ auth    required     pam_deny.so
 account sufficient  pam_localuser.so
 # not sure if the following bring something useful
 account required  pam_ldap.so
+account sufficient  pam_succeed_if.so quiet user ingroup mga-sysadmin
 account sufficient  pam_succeed_if.so quiet user ingroup mga-unrestricted_shell_access
 <%- access_classes = scope.lookupvar('pam::multiple_ldap_access::access_classes') -%>
 <%- if access_classes -%>
-- 
cgit v1.2.1