Diffstat (limited to 'deployment')
-rw-r--r-- | deployment/access_classes/manifests/admin.pp | 8 | ||||
-rw-r--r-- | deployment/access_classes/manifests/committers.pp | 14 | ||||
-rw-r--r-- | deployment/access_classes/manifests/init.pp | 42 | ||||
-rw-r--r-- | deployment/access_classes/manifests/iso_makers.pp | 5 | ||||
-rw-r--r-- | deployment/access_classes/manifests/web.pp | 5 | ||||
-rw-r--r-- | deployment/access_classes/manifests/web_and_artwork.pp | 5 |
6 files changed, 38 insertions, 41 deletions
diff --git a/deployment/access_classes/manifests/admin.pp b/deployment/access_classes/manifests/admin.pp
new file mode 100644
index 00000000..4b9c8f87
--- /dev/null
+++ b/deployment/access_classes/manifests/admin.pp
@@ -0,0 +1,8 @@
+# for server where only admins can connect
+class access_classes::admin {
+ pam::multiple_ldap_access { 'admin':
+ access_classes => ['mga-sysadmin']
+ }
+}
+
+
diff --git a/deployment/access_classes/manifests/committers.pp b/deployment/access_classes/manifests/committers.pp
new file mode 100644
index 00000000..81dbdb13
--- /dev/null
+++ b/deployment/access_classes/manifests/committers.pp
@@ -0,0 +1,14 @@
+# for server where people can connect with ssh ( git, svn )
+class access_classes::committers {
+ # this is required, as we force the shell to be the restricted one
+ # openssh will detect if the file do not exist and while refuse to log the
+ # user, and erase the password ( see pam_auth.c in openssh code,
+ # seek badpw )
+ # so the file must exist
+ # permission to use svn, git, etc must be added separatly
+
+ pam::multiple_ldap_access { 'committers':
+ access_classes => ['mga-shell_access'],
+ restricted_shell => true,
+ }
+}
diff --git a/deployment/access_classes/manifests/init.pp b/deployment/access_classes/manifests/init.pp
index 03d48898..a414f3e0 100644
--- a/deployment/access_classes/manifests/init.pp
+++ b/deployment/access_classes/manifests/init.pp
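Review bot: The comment block in `access_classes::committers` says "so the file must exist" without naming the file, so it is unclear which path the restricted shell depends on and what is expected to install it. Nothing visible in this hunk ensures that file is present; `pam::multiple_ldap_access` is defined outside the diff and may handle it, which is worth confirming because the comment describes logins failing when it is missing. I would reword the block to name the restricted shell path explicitly and fix the typos, e.g. `# openssh checks that the user's shell exists and will refuse the login if it does not` and `# permission to use svn, git, etc. must be added separately`.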
@@ -1,45 +1,5 @@ class access_classes { - # beware , theses classes are exclusives # if you need multiple group access, you need to define you own class - # of access - - # for server where only admins can connect - class admin { - pam::multiple_ldap_access { "admin": - access_classes => ['mga-sysadmin'] - } - } - - # for server where people can connect with ssh ( git, svn ) - class committers { - # this is required, as we force the shell to be the restricted one - # openssh will detect if the file do not exist and while refuse to log the - # user, and erase the password ( see pam_auth.c in openssh code, seek badpw ) - # so the file must exist - # permission to use svn, git, etc must be added separatly - - pam::multiple_ldap_access { "committers": - access_classes => ['mga-shell_access'], - restricted_shell => true, - } - } - - class iso_makers { - pam::multiple_ldap_access { "iso_makers": - access_classes => ['mga-iso_makers','mga-sysadmin'] - } - } - - class web { - pam::multiple_ldap_access { "web": - access_classes => ['mga-web','mga-sysadmin'] - } - } - - class web_and_artwork { - pam::multiple_ldap_access { "web_artwork": - access_classes => ['mga-web','mga-sysadmin','mga-artwork'] - } - } + # of access } diff --git a/deployment/access_classes/manifests/iso_makers.pp b/deployment/access_classes/manifests/iso_makers.pp new file mode 100644 index 00000000..21201587 --- /dev/null +++ b/deployment/access_classes/manifests/iso_makers.pp @@ -0,0 +1,5 @@ +class access_classes::iso_makers { + pam::multiple_ldap_access { 'iso_makers': + access_classes => ['mga-iso_makers','mga-sysadmin'] + } +} diff --git a/deployment/access_classes/manifests/web.pp b/deployment/access_classes/manifests/web.pp new file mode 100644 index 00000000..45a9992e --- /dev/null +++ b/deployment/access_classes/manifests/web.pp @@ -0,0 +1,5 @@ +class access_classes::web { + pam::multiple_ldap_access { 'web': + access_classes => ['mga-web','mga-sysadmin'] + } +} 
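Review bot: The exclusivity warning is lost in the `init.pp` hunk: as far as the collapsed hunk can be read, `# beware , theses classes are exclusives` is removed while the rest of that comment stays behind in an otherwise empty `class access_classes`, away from the classes it describes. Each new `access_classes::*` class still declares a single `pam::multiple_ldap_access`, so including two of them on one node presumably still conflicts or lets one group list replace the other; the define is not visible here, so this should be confirmed. Since these lists decide who can log in, I would repeat the full warning at the top of every new manifest, e.g. `# exclusive with the other access_classes::* classes; for several groups, define a dedicated class`.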
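Review bot: `access_classes::iso_makers` has no header comment, unlike `admin.pp` and `committers.pp` in the same commit, and the same is true of `web.pp` and `web_and_artwork.pp`. A one-line statement of intent above each class would let a reviewer check the group list against it, for instance `# for servers where ISO makers and sysadmins can connect`. In `web_and_artwork.pp` the resource title is `'web_artwork'` while the class is `web_and_artwork`; if the title is used to derive anything on the node, a comment saying the difference is deliberate would prevent a well-meant rename.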
diff --git a/deployment/access_classes/manifests/web_and_artwork.pp b/deployment/access_classes/manifests/web_and_artwork.pp
new file mode 100644
index 00000000..9a85bd3d
--- /dev/null
+++ b/deployment/access_classes/manifests/web_and_artwork.pp
@@ -0,0 +1,5 @@
+class access_classes::web_and_artwork {
+ pam::multiple_ldap_access { 'web_artwork':
+ access_classes => ['mga-web','mga-sysadmin','mga-artwork']
+ }
+} |