1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
class pam {
class base {
package { ["pam_ldap","nss_ldap","nscd"]:
ensure => installed,
}
service { nscd:
ensure => running,
path => '/etc/init.d/nscd',
}
file { "system-auth":
path => "/etc/pam.d/system-auth",
owner => root,
group => root,
mode => 644,
content => template("pam/system-auth")
}
file { "nsswitch.conf":
path => "/etc/nsswitch.conf",
owner => root,
group => root,
mode => 644,
content => template("pam/nsswitch.conf")
}
$ldap_password = extlookup("${fqdn}_ldap_password",'x')
file { "ldap.secret":
path => "/etc/ldap.secret",
owner => root,
group => root,
mode => 600,
content => $ldap_password
}
file { "ldap.conf":
path => "/etc/ldap.conf",
owner => root,
group => root,
mode => 644,
content => template("pam/ldap.conf")
}
}
# beware , this two classes are exclusive
# for server where only admins can connect
class admin_access {
$access_class = "admin"
include base
}
# for server where people can connect with ssh ( git, svn )
class committers_access {
# this is required, as we force the shell to be the restricted one
# openssh will detect if the file do not exist and while refuse to log the
# user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
# so the file must exist
# permission to use svn, git, etc must be added separatly
include restrictshell::shell
$access_class = "committers"
include base
}
}
|
