-rw-r--r-- | deployment/access_class/manifests/init.pp | 28 | ||||
-rw-r--r-- | manifests/nodes.pp | 2 | ||||
-rw-r--r-- | modules/pam/manifests/init.pp | 26 |
3 files changed, 29 insertions, 27 deletions
diff --git a/deployment/access_class/manifests/init.pp b/deployment/access_class/manifests/init.pp
new file mode 100644
index 00000000..c2bbd5f8
--- /dev/null
+++ b/deployment/access_class/manifests/init.pp
@@ -0,0 +1,28 @@
+class access_class {
+
+ # beware , theses classes are exclusives
+ # if you need multiple group access, you need to define you own class
+ # of access
+
+ # for server where only admins can connect
+ class admin {
+ pam::multiple_ldap_access { "admin":
+ access_classes => ['mga-sysadmin']
+ }
+ }
+
+ # for server where people can connect with ssh ( git, svn )
+ class committers {
+ # this is required, as we force the shell to be the restricted one
+ # openssh will detect if the file do not exist and while refuse to log the
+ # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
+ # so the file must exist
+ # permission to use svn, git, etc must be added separatly
+
+ include restrictshell::shell
+
+ pam::multiple_ldap_access { "committers":
+ access_classes => ['mga-commiters']
+ }
+ }
+}
diff --git a/manifests/nodes.pp b/manifests/nodes.pp
index 1850081e..06e4484d 100644
--- a/manifests/nodes.pp
+++ b/manifests/nodes.pp
@@ -21,7 +21,7 @@ node valstar {
 include buildsystem::mainnode
 include buildsystem::mgacreatehome
- include pam::committers_access
+ include access_class::committers
 include restrictshell::allow_svn
 include restrictshell::allow_pkgsubmit
 include openssh::ssh_keys_from_ldap
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 732957c4..246bb4f6 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
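Review bot: The two `pam::multiple_ldap_access` declarations in `admin` and `committers` use distinct titles (`"admin"`, `"committers"`), so nothing enforces the exclusivity the header comment promises: a node that includes both classes compiles without a duplicate-declaration error and gets both resources, and the effect of that on the resulting PAM access rules depends on the define's body, which is outside this hunk. If the classes really must be exclusive, give the define the same fixed title in both, e.g. `pam::multiple_ldap_access { 'ldap_access': access_classes => ['mga-sysadmin'] }`, so the catalog rejects a second declaration, or fold them into one parameterised class that takes the allowed group list. Separately, `manifests/nodes.pp` now includes `access_class::committers` without first including `access_class`, and `committers` exists only as a class nested inside this init.pp; whether that name resolves depends on the autoloader falling back to init.pp and on `deployment/` being on the modulepath, so defining `class access_class::admin` and `class access_class::committers` in their own `admin.pp` and `committers.pp` would be the safer layout. The comment typos (`theses`, `you own`, `separatly`) are carried over from the removed copy in `modules/pam`.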
@@ -47,30 +47,4 @@ class pam {
 define multiple_ldap_access($access_classes) {
 include base
 }
-
- # beware , this two classes are exclusives
- # if you need multiple group access, you need to define you own class
- # of access
-
- # for server where only admins can connect
- class admin_access {
- multiple_ldap_access { "admin_access":
- access_classes => ['mga-sysadmin']
- }
- }
-
- # for server where people can connect with ssh ( git, svn )
- class committers_access {
- # this is required, as we force the shell to be the restricted one
- # openssh will detect if the file do not exist and while refuse to log the
- # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
- # so the file must exist
- # permission to use svn, git, etc must be added separatly
-
- include restrictshell::shell
-
- multiple_ldap_access { "committers_access":
- access_classes => ['mga-commiters']
- }
- }
 }
 |