-rw-r--r--deployment/access_classes/manifests/admin.pp4
-rw-r--r--deployment/access_classes/manifests/iso_makers.pp2
-rw-r--r--deployment/access_classes/manifests/web.pp2
-rw-r--r--modules/pam/templates/system-auth1
4 files changed, 5 insertions, 4 deletions
diff --git a/deployment/access_classes/manifests/admin.pp b/deployment/access_classes/manifests/admin.pp
index e072281f..186c9c87 100644
--- a/deployment/access_classes/manifests/admin.pp
+++ b/deployment/access_classes/manifests/admin.pp
@@ -1,7 +1,7 @@
-# for server where only admins can connect
+# for server where only admins can connect (allowed by default)
class access_classes::admin {
class { 'pam::multiple_ldap_access':
- access_classes => ['mga-sysadmin']
+ access_classes => []
}
}
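Review bot: `access_classes => []` leaves the admin-only policy implicit, so the comment on the class should say where the admin allowance now lives rather than just "(allowed by default)", e.g. `# admin-only host: mga-sysadmin is admitted unconditionally by the pam::system-auth template, so no host-specific access class is listed`. In the template, `<%- if access_classes -%>` treats an empty Ruby array as truthy, so the per-class branch is still entered with nothing to iterate; what it renders after that is outside this diff, and it is worth confirming that the stanza produced for an empty list still ends in a deny rather than falling through to whatever follows. If the pam module is deployed separately from this manifest, a host that receives the new manifest before the new template loses the only rule that admitted sysadmins.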
diff --git a/deployment/access_classes/manifests/iso_makers.pp b/deployment/access_classes/manifests/iso_makers.pp
index ee8c02de..c645205e 100644
--- a/deployment/access_classes/manifests/iso_makers.pp
+++ b/deployment/access_classes/manifests/iso_makers.pp
@@ -1,5 +1,5 @@
class access_classes::iso_makers {
class { 'pam::multiple_ldap_access':
- access_classes => ['mga-iso_makers','mga-sysadmin']
+ access_classes => ['mga-iso_makers']
}
}
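Review bot: Dropping `'mga-sysadmin'` from the list makes this class depend on the new unconditional sysadmin rule in `modules/pam/templates/system-auth`, and nothing in the manifest records that; someone auditing who can log in to an iso_makers host now sees only `mga-iso_makers`. Add a header comment such as `# mga-iso_makers only; mga-sysadmin is admitted on every host by the pam::system-auth template` so the manifest and the template stay in step if the global rule is later tightened.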
diff --git a/deployment/access_classes/manifests/web.pp b/deployment/access_classes/manifests/web.pp
index 78c6d5e1..fa2c7df5 100644
--- a/deployment/access_classes/manifests/web.pp
+++ b/deployment/access_classes/manifests/web.pp
@@ -1,5 +1,5 @@
class access_classes::web {
class { 'pam::multiple_ldap_access':
- access_classes => ['mga-web','mga-sysadmin']
+ access_classes => ['mga-web']
}
}
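Review bot: The class has no description, and after this change the remaining list no longer tells the whole story: sysadmin access to web hosts is now granted by the global `mga-sysadmin` rule in the pam system-auth template, not by this manifest. Suggest heading the class with `# web hosts: members of mga-web may log in (mga-sysadmin is allowed globally via pam::system-auth)` so a future change to the global rule does not silently lock sysadmins out of web hosts.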
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 6ce40a9d..010552cc 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -11,6 +11,7 @@ auth required pam_deny.so
account sufficient pam_localuser.so
# not sure if the following bring something useful
account required pam_ldap.so
+account sufficient pam_succeed_if.so quiet user ingroup mga-sysadmin
account sufficient pam_succeed_if.so quiet user ingroup mga-unrestricted_shell_access
<%- access_classes = scope.lookupvar('pam::multiple_ldap_access::access_classes') -%>
<%- if access_classes -%>
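Review bot: The new `account sufficient pam_succeed_if.so quiet user ingroup mga-sysadmin` line turns a single LDAP group into an unconditional login override on every host built from this template, including hosts whose manifests now pass an empty class list, yet `quiet` also suppresses the module's success message, so a sysadmin admitted through this bypass leaves no PAM log line naming the rule that let them in. Prefer `quiet_fail`, which silences only the non-match case, so non-members fall through to the per-host classes without noise while matches are still logged: `account sufficient pam_succeed_if.so quiet_fail user ingroup mga-sysadmin`. A comment above the line such as `# global override: mga-sysadmin members may log in on every host; the access_classes manifests rely on this` would record why the manifests no longer list the group. Being `sufficient` after `account required pam_ldap.so`, a failed LDAP account check still wins, which matches the existing mga-unrestricted_shell_access line; the `ingroup` test resolves membership through NSS, so every host must be able to look up mga-sysadmin for the override to take effect. The `if access_classes` branch that follows continues beyond this hunk.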