aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--modules/pam/manifests/init.pp20
-rw-r--r--modules/pam/templates/system-auth12
2 files changed, 21 insertions, 11 deletions
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index e6e37bb8..732957c4 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -43,13 +43,20 @@ class pam {
content => template("pam/ldap.conf")
}
}
+
+ define multiple_ldap_access($access_classes) {
+ include base
+ }
- # beware , this two classes are exclusive
+ # beware , this two classes are exclusives
+ # if you need multiple group access, you need to define you own class
+ # of access
# for server where only admins can connect
class admin_access {
- $access_class = "admin"
- include base
+ multiple_ldap_access { "admin_access":
+ access_classes => ['mga-sysadmin']
+ }
}
# for server where people can connect with ssh ( git, svn )
@@ -59,8 +66,11 @@ class pam {
# user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
# so the file must exist
# permission to use svn, git, etc must be added separatly
+
include restrictshell::shell
- $access_class = "committers"
- include base
+
+ multiple_ldap_access { "committers_access":
+ access_classes => ['mga-commiters']
+ }
}
}
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 79c95264..4df9555e 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -9,13 +9,13 @@ auth required pam_deny.so
account sufficient pam_localuser.so
-<%- if access_class == 'admin' -%>
-account required pam_succeed_if.so quiet user ingroup mga-sysadmin
+# not sure if the following bring something useful
+account required pam_ldap.so
+<%- if access_classes -%>
+<%- access_classes.each { |ldap_group| -%>
+account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
+<%- } -%>
<%- end -%>
-<%- if access_class == 'committers' -%>
-account required pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
-account sufficient pam_ldap.so
account required pam_deny.so