Diffstat (limited to 'deployment')
-rw-r--r--deployment/access_classes/manifests/admin.pp8
-rw-r--r--deployment/access_classes/manifests/committers.pp14
-rw-r--r--deployment/access_classes/manifests/init.pp42
-rw-r--r--deployment/access_classes/manifests/iso_makers.pp5
-rw-r--r--deployment/access_classes/manifests/web.pp5
-rw-r--r--deployment/access_classes/manifests/web_and_artwork.pp5
6 files changed, 38 insertions, 41 deletions
diff --git a/deployment/access_classes/manifests/admin.pp b/deployment/access_classes/manifests/admin.pp
new file mode 100644
index 00000000..4b9c8f87
--- /dev/null
+++ b/deployment/access_classes/manifests/admin.pp
@@ -0,0 +1,8 @@
+# for server where only admins can connect
+class access_classes::admin {
+ pam::multiple_ldap_access { 'admin':
+ access_classes => ['mga-sysadmin']
+ }
+}
+
+
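Review bot: The new admin.pp ends with two added blank lines (the last two lines of the hunk); drop them so the manifest ends after the closing brace like the other new files in this change. The resource's single attribute also lacks the trailing comma that committers.pp uses, so `access_classes => ['mga-sysadmin'],` would keep the attribute lists uniform across the module.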
diff --git a/deployment/access_classes/manifests/committers.pp b/deployment/access_classes/manifests/committers.pp
new file mode 100644
index 00000000..81dbdb13
--- /dev/null
+++ b/deployment/access_classes/manifests/committers.pp
@@ -0,0 +1,14 @@
+# for server where people can connect with ssh ( git, svn )
+class access_classes::committers {
+ # this is required, as we force the shell to be the restricted one
+ # openssh will detect if the file do not exist and while refuse to log the
+ # user, and erase the password ( see pam_auth.c in openssh code,
+ # seek badpw )
+ # so the file must exist
+ # permission to use svn, git, etc must be added separatly
+
+ pam::multiple_ldap_access { 'committers':
+ access_classes => ['mga-shell_access'],
+ restricted_shell => true,
+ }
+}
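Review bot: The rationale comment in the new committers.pp carries over the wording errors of the old init.pp, and since it is the only place recording why `restricted_shell => true` is required it should read cleanly: `while refuse to log the user` should be `will refuse to log the user in`, and `separatly` should be `separately`. The comment also never names which file "must exist"; if it is the restricted shell's path, saying so explicitly (e.g. `# the restricted shell must exist on the host, otherwise sshd refuses the login`) would spare the next reader a trip to pam_auth.c — presumably that is what is meant, worth confirming.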
diff --git a/deployment/access_classes/manifests/init.pp b/deployment/access_classes/manifests/init.pp
index 03d48898..a414f3e0 100644
--- a/deployment/access_classes/manifests/init.pp
+++ b/deployment/access_classes/manifests/init.pp
@@ -1,45 +1,5 @@
class access_classes {
-
# beware , theses classes are exclusives
# if you need multiple group access, you need to define you own class
- # of access
-
- # for server where only admins can connect
- class admin {
- pam::multiple_ldap_access { "admin":
- access_classes => ['mga-sysadmin']
- }
- }
-
- # for server where people can connect with ssh ( git, svn )
- class committers {
- # this is required, as we force the shell to be the restricted one
- # openssh will detect if the file do not exist and while refuse to log the
- # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
- # so the file must exist
- # permission to use svn, git, etc must be added separatly
-
- pam::multiple_ldap_access { "committers":
- access_classes => ['mga-shell_access'],
- restricted_shell => true,
- }
- }
-
- class iso_makers {
- pam::multiple_ldap_access { "iso_makers":
- access_classes => ['mga-iso_makers','mga-sysadmin']
- }
- }
-
- class web {
- pam::multiple_ldap_access { "web":
- access_classes => ['mga-web','mga-sysadmin']
- }
- }
-
- class web_and_artwork {
- pam::multiple_ldap_access { "web_artwork":
- access_classes => ['mga-web','mga-sysadmin','mga-artwork']
- }
- }
+ # of access
}
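Review bot: The comment left in init.pp still warns that "theses classes are exclusives" but no longer says which classes, now that they have moved into their own manifests; point it at them, e.g. `# beware, the access_classes::* classes (admin, committers, iso_makers, web, web_and_artwork) are exclusive`. Nothing visible in this diff enforces that exclusivity: each class declares a `pam::multiple_ldap_access` resource under a distinct title, so including two of them on one node would presumably only conflict if that define manages a shared file — worth confirming and, if so, stating in the comment so a node does not silently end up with a wider access list than intended. While touching the comment, `theses` should be `these` and `you own class` should be `your own class`.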
diff --git a/deployment/access_classes/manifests/iso_makers.pp b/deployment/access_classes/manifests/iso_makers.pp
new file mode 100644
index 00000000..21201587
--- /dev/null
+++ b/deployment/access_classes/manifests/iso_makers.pp
@@ -0,0 +1,5 @@
+class access_classes::iso_makers {
+ pam::multiple_ldap_access { 'iso_makers':
+ access_classes => ['mga-iso_makers','mga-sysadmin']
+ }
+}
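Review bot: The new iso_makers.pp has no header comment saying who the class grants login to, unlike admin.pp and committers.pp in this same change; a one-liner such as `# for server where iso makers and admins can connect` keeps the per-file manifests self-describing. The same applies to web.pp and web_and_artwork.pp, and in web_and_artwork.pp the resource title `'web_artwork'` does not match the class name `web_and_artwork` (carried over from the old init.pp), which is worth either aligning or documenting so the two names are not mistaken for different access lists.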
diff --git a/deployment/access_classes/manifests/web.pp b/deployment/access_classes/manifests/web.pp
new file mode 100644
index 00000000..45a9992e
--- /dev/null
+++ b/deployment/access_classes/manifests/web.pp
@@ -0,0 +1,5 @@
+class access_classes::web {
+ pam::multiple_ldap_access { 'web':
+ access_classes => ['mga-web','mga-sysadmin']
+ }
+}
diff --git a/deployment/access_classes/manifests/web_and_artwork.pp b/deployment/access_classes/manifests/web_and_artwork.pp
new file mode 100644
index 00000000..9a85bd3d
--- /dev/null
+++ b/deployment/access_classes/manifests/web_and_artwork.pp
@@ -0,0 +1,5 @@
+class access_classes::web_and_artwork {
+ pam::multiple_ldap_access { 'web_artwork':
+ access_classes => ['mga-web','mga-sysadmin','mga-artwork']
+ }
+}