author | Olivier Blin <dev@blino.org> | 2017-02-21 02:21:00 +0100 |
---|---|---|
committer | Olivier Blin <dev@blino.org> | 2017-02-21 02:21:00 +0100 |
commit | 0f4bc9aa8b7a45015ee54e62c76c62f93d766f9b (patch) | |
tree | a0b46762f5f66bbf3728892ac39ac608f6d3fa76 /modules/pam | |
parent | 46a24792a42345d11d073137a8665e03ffec2cfc (diff) | |
Use concat from stdlib to merged admins in access classes
We already use puppet-stdlib for the file_line helper.
Diffstat (limited to 'modules/pam')
-rw-r--r-- | modules/pam/manifests/multiple_ldap_access.pp | 9 | ||||
-rw-r--r-- | modules/pam/templates/system-auth | 8 |
2 files changed, 12 insertions, 5 deletions
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
index d287dfb7..1c5a391f 100644
--- a/modules/pam/manifests/multiple_ldap_access.pp
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -1,4 +1,13 @@
 class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+ include stdlib
+
+ $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+ if empty($access_classes) {
+ $allowed_access_classes = $default_access_classes
+ } else {
+ $allowed_access_classes = concat($default_access_classes, $access_classes)
+ }
+
 if $restricted_shell {
 include restrictshell
 }
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 010552cc..37d1da7d 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,11 +11,9 @@ auth required pam_deny.so
 account sufficient pam_localuser.so
 # not sure if the following bring something useful
 account required pam_ldap.so
-account sufficient pam_succeed_if.so quiet user ingroup mga-sysadmin
-account sufficient pam_succeed_if.so quiet user ingroup mga-unrestricted_shell_access
-<%- access_classes = scope.lookupvar('pam::multiple_ldap_access::access_classes') -%>
-<%- if access_classes -%>
-<%- access_classes.each { |ldap_group| -%>
+<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%>
+<%- if allowed_access_classes -%>
+<%- allowed_access_classes.each { |ldap_group| -%>
 account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
 <%- } -%>
 <%- end -%> |
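Review bot: `$allowed_access_classes` is a plain class variable that templates/system-auth reads by name through `scope.lookupvar`, and nothing in the manifest records that coupling; if either side is renamed, the template's `if` guard silently renders no `pam_succeed_if` lines at all, which drops LDAP admin access instead of failing the run. Add a comment above the `if empty(...)` block, e.g. `# Read by templates/system-auth via scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes'); rename in both places.`. Since stdlib is already included, a `validate_array($access_classes)` before the `if` would also fail the catalog early on a mistyped Hiera value rather than letting it flow through `concat` into PAM config, assuming the stdlib version in use still provides that function. The class body continues past the end of the hunk.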
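Review bot: The `if allowed_access_classes` guard now hides a failed lookup: the manifest always assigns `$allowed_access_classes`, so the only way this condition is false is a missing or renamed variable, and the outcome is a system-auth with no group-based `account sufficient` lines rather than an error. Consider failing hard instead, e.g. `<%- raise 'pam::multiple_ldap_access::allowed_access_classes is undefined' unless allowed_access_classes -%>`, so the catalog compile fails rather than shipping a PAM stack that locks out the LDAP sysadmin groups. The group names are also interpolated unquoted into a whitespace-delimited PAM line via `<%= ldap_group %>`, so a value containing whitespace would be parsed as extra module arguments; a `validate_re` on each class name in the manifest would rule that out.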