-rw-r--r-- | modules/pam/manifests/init.pp | 20 | ||||
-rw-r--r-- | modules/pam/templates/system-auth | 12 |
2 files changed, 21 insertions, 11 deletions
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index e6e37bb8..732957c4 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -43,13 +43,20 @@ class pam {
 content => template("pam/ldap.conf")
 }
 }
+
+ define multiple_ldap_access($access_classes) {
+ include base
+ }
- # beware , this two classes are exclusive
+ # beware , this two classes are exclusives
+ # if you need multiple group access, you need to define you own class
+ # of access
 # for server where only admins can connect
 class admin_access {
- $access_class = "admin"
- include base
+ multiple_ldap_access { "admin_access":
+ access_classes => ['mga-sysadmin']
+ }
 }
 # for server where people can connect with ssh ( git, svn )
@@ -59,8 +66,11 @@ class pam {
 # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
 # so the file must exist
 # permission to use svn, git, etc must be added separatly
+ include restrictshell::shell
- $access_class = "committers"
- include base
+
+ multiple_ldap_access { "committers_access":
+ access_classes => ['mga-commiters']
+ }
 }
 }
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 79c95264..4df9555e 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -9,13 +9,13 @@ auth required pam_deny.so
 account sufficient pam_localuser.so
-<%- if access_class == 'admin' -%>
-account required pam_succeed_if.so quiet user ingroup mga-sysadmin
+# not sure if the following bring something useful
+account required pam_ldap.so
+<%- if access_classes -%>
+<%- access_classes.each { |ldap_group| -%>
+account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
+<%- } -%>
 <%- end -%>
-<%- if access_class == 'committers' -%>
-account required pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
-account sufficient pam_ldap.so
 account required pam_deny.so |
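Review bot: `define multiple_ldap_access($access_classes)` documents neither what `$access_classes` holds nor how it reaches the PAM stack; from the system-auth hunk in this same commit it is an array of group names rendered into `templates/system-auth`, and it presumably reaches that template from `include base` only through Puppet's scoping rules at the time, which is worth stating. Because `include base` is evaluated at most once per catalog, a second declaration of this define on the same node is silently ignored instead of adding groups, which is the real reason for the "exclusives" warning. I would put that at the define rather than at the call sites: `# $access_classes: array of group names granted access by the account stack in templates/system-auth. base is included once per node, so declare this define exactly once and list every group in the one array.` The new comment lines also read awkwardly; `# beware: these two classes are exclusive` and `# define your own access class` would be clearer.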
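Review bot: `access_classes => ['mga-commiters']` does not match the group the removed template line checked, `mga-committers` (two t's). If no group named `mga-commiters` exists, `pam_succeed_if ... user ingroup` fails for every non-local user and the account stack falls through to `pam_deny`, locking committers out of the git/svn hosts; if a group by that name does exist, access is granted to the wrong group. Unless the directory group was renamed in the same change, this should read `access_classes => ['mga-committers']`. The enclosing class (committers_access) starts outside this hunk, so I could not check whether `include restrictshell::shell` sits at the intended scope.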
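Review bot: The comment `# not sure if the following bring something useful` above `account required pam_ldap.so` leaves a security-relevant line looking optional, and its placement is actually what makes the new stack safe. Under PAM semantics a `required` failure is remembered even when a later `sufficient` module succeeds, so keeping pam_ldap's account check as `required` before the per-group `account sufficient pam_succeed_if.so` lines means a group member whose directory account pam_ldap rejects (presumably expiry or similar directory-side state; I cannot confirm pam_ldap's exact checks from here) is still denied by `pam_deny` at the end, whereas moving it below the group lines would skip it for every group member. I would replace the comment with `# pam_ldap account checks stay 'required' and BEFORE the group checks: a failure here is remembered, so a group member rejected by the directory is still denied by pam_deny below`. Also worth noting in the template that an empty or unset `access_classes` leaves only pam_ldap and pam_deny, i.e. every non-local user is refused (fail closed).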