authorOlivier Blin <dev@blino.org>2017-02-21 02:21:00 +0100
committerOlivier Blin <dev@blino.org>2017-02-21 02:21:00 +0100
commit0f4bc9aa8b7a45015ee54e62c76c62f93d766f9b (patch)
treea0b46762f5f66bbf3728892ac39ac608f6d3fa76 /modules/pam
parent46a24792a42345d11d073137a8665e03ffec2cfc (diff)
Use concat from stdlib to merged admins in access classes
We already use puppet-stdlib for the file_line helper.
Diffstat (limited to 'modules/pam')
-rw-r--r--modules/pam/manifests/multiple_ldap_access.pp9
-rw-r--r--modules/pam/templates/system-auth8
2 files changed, 12 insertions, 5 deletions
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
index d287dfb7..1c5a391f 100644
--- a/modules/pam/manifests/multiple_ldap_access.pp
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -1,4 +1,13 @@
class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+ include stdlib
+
+ $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+ if empty($access_classes) {
+ $allowed_access_classes = $default_access_classes
+ } else {
+ $allowed_access_classes = concat($default_access_classes, $access_classes)
+ }
+
if $restricted_shell {
include restrictshell
}
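Review bot: The new `concat($default_access_classes, $access_classes)` on the else branch accepts whatever the caller passed without checking that it is an array of plain group names, and those names are later written verbatim into `pam_succeed_if.so ... ingroup` lines by the system-auth template, so a non-array value or an element containing whitespace would either be mishandled by `concat()` (how depends on the stdlib version) or end up as extra tokens in the generated PAM configuration. Since the class now requires stdlib anyway, a guard such as `validate_array($access_classes)` placed before the `concat` (note that the validate_* functions are deprecated in newer stdlib releases in favour of data types, so check the version this tree pins) would surface a bad value at catalog compile time rather than in the rendered PAM file. A comment on `$default_access_classes`, e.g. `# Groups that are always granted account access, in addition to $access_classes`, would also help, since that fact used to be visible as literal lines in the template. The class body continues past the end of the hunk.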
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 010552cc..37d1da7d 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,11 +11,9 @@ auth required pam_deny.so
account sufficient pam_localuser.so
# not sure if the following bring something useful
account required pam_ldap.so
-account sufficient pam_succeed_if.so quiet user ingroup mga-sysadmin
-account sufficient pam_succeed_if.so quiet user ingroup mga-unrestricted_shell_access
-<%- access_classes = scope.lookupvar('pam::multiple_ldap_access::access_classes') -%>
-<%- if access_classes -%>
-<%- access_classes.each { |ldap_group| -%>
+<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%>
+<%- if allowed_access_classes -%>
+<%- allowed_access_classes.each { |ldap_group| -%>
account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
<%- } -%>
<%- end -%>
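Review bot: The `<%- if allowed_access_classes -%>` guard kept at the fourth changed line can no longer be false, because the manifest now assigns a non-empty array to `$allowed_access_classes` on both branches (the defaults are always present), so the condition is dead code; either drop it together with its `<%- end -%>` or add a comment stating why it is retained, e.g. `<%# guard kept in case the template is rendered outside pam::multiple_ldap_access %>` if that is the intent. Removing the two literal `mga-sysadmin` and `mga-unrestricted_shell_access` lines also means a reader of this template can no longer see which groups are always granted access, so a one-line comment pointing at `pam::multiple_ldap_access::default_access_classes` above the `lookupvar` would preserve that information where the PAM policy is actually reviewed.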