authorMichael Scherer <misc@mageia.org>2010-11-17 16:25:42 +0000
committerMichael Scherer <misc@mageia.org>2010-11-17 16:25:42 +0000
commitc9bda43e9f60b287bc43e25e8fce946314280ecd (patch)
treeccdff4b0948dcbf5c30ecb45e58a5380c77726dd /modules
parent602d4637e0fc7711ffb90b40f9b5467074f741c8 (diff)
- fix templates ( again )
- add ldap.conf
Diffstat (limited to 'modules')
-rw-r--r--modules/pam/manifests/init.pp9
-rw-r--r--modules/pam/templates/ldap.conf22
2 files changed, 30 insertions, 1 deletions
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 0accd63a..a1d2d59c 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -18,7 +18,14 @@ class pam {
owner => root,
group => root,
mode => 644,
- content => template("pam/system-auth")
+ content => template("pam/nsswitch.conf")
+ }
+ file { "ldap.conf":
+ path => "/etc/ldap.conf",
+ owner => root,
+ group => root,
+ mode => 644,
+ content => template("pam/ldap.conf")
}
}
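Review bot: The new `ldap.conf` resource sets `mode => 644` as a bare number; Puppet's file type documents the mode as a string of octal digits and later Puppet releases reject numeric values, so `mode => '0644'` is the safer spelling here and on the context line above it. Because `/etc/ldap.conf` is installed world-readable, the template must never gain a `bindpw` or other credential without tightening this mode; a comment on the resource such as `# world-readable: keep bind credentials out of pam/ldap.conf` would record that constraint. The resource whose template is switched to `pam/nsswitch.conf` starts above the hunk, so its title and target path cannot be checked from here.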
diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf
new file mode 100644
index 00000000..c614223e
--- /dev/null
+++ b/modules/pam/templates/ldap.conf
@@ -0,0 +1,22 @@
+<%
+dc_suffix = 'dc=' + domain.gsub('.',',dc=')
+%>
+
+uri ldap://ldap.<%= domain %>
+base <%= dc_suffix %>
+pam_lookup_policy no
+pam_password exop
+nss_base_passwd ou=People,<%= dc_suffix %>?one
+nss_base_shadow ou=People,<%= dc_suffix %>?one
+nss_base_group ou=Group,<%= dc_suffix %>?one
+
+nss_schema rfc2307bis
+nss_map_attribute uniqueMember member
+sudoers_base ou=sudoers,<%= dc_suffix %>
+#sudoers_debug 2
+
+<% if access_class = 'commiters' %>
+# for restricted access
+nss_override_attribute_value loginShell /usr/local/bin/sv_membersh.pl
+<% end %>
+
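Review bot: The guard `<% if access_class = 'commiters' %>` assigns instead of comparing, so it is always true and the `nss_override_attribute_value loginShell` line is written on every node rather than only on restricted ones; it should read `<% if access_class == 'commiters' %>`, and the spelling 'commiters' should be checked against the value the manifests actually set. Separately, `uri ldap://ldap.<%= domain %>` with no TLS directive means PAM binds and `pam_password exop` password changes travel unencrypted. Adding `ssl start_tls` and `tls_checkpeer yes`, together with the CA file the site uses, would close that, provided the directory server offers StartTLS.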