authorMichael Scherer <misc@mageia.org>2010-11-17 15:35:10 +0000
committerMichael Scherer <misc@mageia.org>2010-11-17 15:35:10 +0000
commitd3918db07bb550d340c95b6ab495a346733c9c25 (patch)
treef8f8c07761af82917cad825ee895183e4bc90eda /modules/pam
parente3241bb3df3a21e26c077cdcbb559e038fd7388f (diff)
downloadpuppet-d3918db07bb550d340c95b6ab495a346733c9c25.tar
puppet-d3918db07bb550d340c95b6ab495a346733c9c25.tar.gz
puppet-d3918db07bb550d340c95b6ab495a346733c9c25.tar.bz2
puppet-d3918db07bb550d340c95b6ab495a346733c9c25.tar.xz
puppet-d3918db07bb550d340c95b6ab495a346733c9c25.zip
- add a proto module for taking care of pam ( need pam_ldap, etc support, and a review of the pam config file too )
Diffstat (limited to 'modules/pam')
-rw-r--r--modules/pam/manifests/init.pp27
-rw-r--r--modules/pam/templates/system-auth35
2 files changed, 62 insertions, 0 deletions
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
new file mode 100644
index 00000000..4c68a80c
--- /dev/null
+++ b/modules/pam/manifests/init.pp
@@ -0,0 +1,27 @@
+class pam {
+
+ package { ["pam_ldap","nss_ldap", "pam_mkhomedir"]:
+ ensure => installed,
+ }
+
+
+ file { "system-auth":
+ path => "/etc/pam.d/system-auth",
+ owner => root,
+ group => root,
+ mode => 644,
+ content => template("openldap/system-auth")
+ }
+
+ # for server where only admin can connect
+ class admin_access {
+ $access_class = "admin"
+ file { "system-auth": }
+ }
+
+ # for server where people can connect with ssh ( git, svn )
+ class commiters_access {
+ $access_class = "commiters"
+ file { "system-auth": }
+ }
+}
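Review bot: The file resource on the `content` line reads `template("openldap/system-auth")`, but the template added by this commit lives at `modules/pam/templates/system-auth`, so the catalog will fail to compile (or pick up an unrelated template from the openldap module) unless that other module happens to ship one; it should read `content => template("pam/system-auth")`. The nested `admin_access` and `commiters_access` classes re-declare `file { "system-auth": }`, which the outer class already declares with full attributes; this looks like a duplicate-declaration error rather than an override, and `$access_class` set inside those subclasses is not obviously visible to the template evaluated in the parent scope, so the variant the template renders should be confirmed by applying the module. Since the template decides who may authenticate at all, a wrong or missing `$access_class` silently changes the access policy, which is worth a test before deployment.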
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
new file mode 100644
index 00000000..b02aec3a
--- /dev/null
+++ b/modules/pam/templates/system-auth
@@ -0,0 +1,35 @@
+auth required pam_env.so
+# this part is here if the module don't exist
+# basically, the idea is to copy the exact detail of sufficient,
+# and add abort=ignore
+auth [abort=ignore success=done new_authtok_reqd=done default=ignore] pam_tcb.so shadow fork nullok prefix=$2a$ count=8
+auth sufficient pam_unix.so likeauth nullok
+auth sufficient pam_ldap.so use_first_pass
+<% if access_class = 'admin' %>
+auth required pam_wheel.so group=mga-sysadmin
+<% end %>
+<% if access_class = 'commiters' %>
+auth required pam_wheel.so group=mga-commiters
+<% end %>
+auth required pam_deny.so
+
+
+account sufficient pam_localuser.so
+account sufficient pam_ldap.so
+account required pam_deny.so
+
+
+password required pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 dcredit=0 ucredit=0 ucredit=0
+# TODO check this part too
+password sufficient pam_tcb.so use_authtok shadow write_to=shadow fork nullok prefix=$2a$ count=8 abort=ignore
+password sufficient pam_ldap.so use_authtok
+password sufficient pam_unix.so use_authtok nullok md5 shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+# optional if there is a problem when creating the account
+session optional pam_mkhomedir.so
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_ldap.so
+
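Review bot: Both ERB conditionals use a single `=`, which in Ruby is an assignment and always truthy, so `<% if access_class = 'admin' %>` and `<% if access_class = 'commiters' %>` both render regardless of the class selected; every host then requires membership in both `mga-sysadmin` and `mga-commiters`, and anyone not in both is locked out by the following `pam_deny.so`. The comparisons should be `<% if access_class == 'admin' %>` and `<% if access_class == 'commiters' %>`. The `pam_cracklib.so` line is also internally inconsistent: `dcredit=-1 ucredit=-1 ... dcredit=0 ucredit=0 ucredit=0` repeats options and the later values win, so the intended complexity requirements are probably not enforced; keep one value per option. I would also flag that `pam_mkhomedir.so` is `optional` with `pam_unix.so` and `pam_ldap.so` in the session stack, and `nullok` appears on `pam_tcb.so`/`pam_unix.so` in both the auth and password stacks, which the commit message's own "review of the pam config file" should cover before this is applied to shared servers.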