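# Baseline PAM/NSS configuration for LDAP-backed logins.
#
# Installs nscd and nss-pam-ldapd, makes sure nss_updatedb is not installed,
# renders the PAM, nsswitch and LDAP client configuration from this module's
# templates, and writes the per-host LDAP password to /etc/ldap.secret.
class pam::base {
  include pam::multiple_ldap_access

  package { ['nscd', 'nss-pam-ldapd']: }

  # This needs configuration or it generates an error every hour.
  # If it's ever enabled, make sure to restrict permissions on
  # /var/db/passwd.db and /var/db/group.db at the same time.
  package { 'nss_updatedb':
    ensure => 'absent',
  }

  # No ensure/enable is set, so this only places the service in the catalog
  # (ordered after its package); its running state is not enforced here.
  service { 'nscd':
    require => Package['nscd'],
  }

  # NOTE(review): no owner/group/mode is set on these four files, so Puppet
  # leaves whatever is already on disk. system-auth and nsswitch.conf decide
  # how logins are authenticated; consider pinning their ownership and mode.
  file {
    '/etc/pam.d/system-auth':
      content => template('pam/system-auth');
    '/etc/nsswitch.conf':
      content => template('pam/nsswitch.conf');
    '/etc/ldap.conf':
      content => template('pam/ldap.conf');
    '/etc/openldap/ldap.conf':
      content => template('pam/openldap.ldap.conf');
  }

  # Per-host secret, looked up under "<fqdn>_ldap_password".
  # NOTE(review): the default 'x' means a host with no entry gets that
  # placeholder written as its password instead of a failed run; confirm
  # this fallback is intended.
  $ldap_password = extlookup("${::fqdn}_ldap_password",'x')

  # Owner and group are pinned because mode 0600 alone does not correct a
  # pre-existing file owned by another account: Puppet leaves unmanaged
  # attributes untouched. Assumes the secret is only read as root; confirm
  # against the LDAP client in use.
  # The value is also embedded in the compiled catalog, and a changed file may
  # be diffed in reports or copied to the filebucket; protect those to the
  # same level as this file.
  file { '/etc/ldap.secret':
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => $ldap_password,
  }
}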