Diffstat (limited to 'modules/pam')
-rw-r--r--modules/pam/manifests/base.pp32
-rw-r--r--modules/pam/manifests/init.pp43
-rw-r--r--modules/pam/manifests/multiple_ldap_access.pp15
-rw-r--r--modules/pam/templates/ldap.conf13
-rw-r--r--modules/pam/templates/nsswitch.conf3
-rw-r--r--modules/pam/templates/openldap.ldap.conf25
-rw-r--r--modules/pam/templates/system-auth20
7 files changed, 93 insertions, 58 deletions
diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp
new file mode 100644
index 00000000..e29c8555
--- /dev/null
+++ b/modules/pam/manifests/base.pp
@@ -0,0 +1,32 @@
+class pam::base {
+ include pam::multiple_ldap_access
+ package { ['nscd', 'nss-pam-ldapd']: }
+
+ # This needs configuration or it generates an error every hour.
+ # If it's ever enabled, make sure restrict permissions on
+ # /var/db/passwd.db and /var/db/group.db at the same time.
+ package { 'nss_updatedb':
+ ensure => 'absent',
+ }
+
+ service { 'nscd':
+ require => Package['nscd'],
+ }
+
+ file {
+ '/etc/pam.d/system-auth':
+ content => template('pam/system-auth');
+ '/etc/nsswitch.conf':
+ content => template('pam/nsswitch.conf');
+ '/etc/ldap.conf':
+ content => template('pam/ldap.conf');
+ '/etc/openldap/ldap.conf':
+ content => template('pam/openldap.ldap.conf');
+ }
+
+ $ldap_password = extlookup("${::fqdn}_ldap_password",'x')
+ file { '/etc/ldap.secret':
+ mode => '0600',
+ content => $ldap_password
+ }
+}
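Review bot: The `service { 'nscd': require => Package['nscd'] }` resource declares no `ensure`/`enable` and no `subscribe`, so Puppet neither keeps nscd running nor restarts it when /etc/nsswitch.conf or /etc/ldap.conf change, and nscd may keep serving passwd/group answers cached under the previous configuration; suggest `service { 'nscd': ensure => running, enable => true, require => Package['nscd'], subscribe => File['/etc/nsswitch.conf', '/etc/ldap.conf'] }`. The file resources also drop the explicit `owner`/`group` that the removed init.pp set; /etc/ldap.secret in particular holds the rootbinddn password, so `owner => 'root', group => 'root'` next to `mode => '0600'` makes the intent explicit rather than relying on the agent's defaults. Finally, `extlookup("${::fqdn}_ldap_password",'x')` writes the literal default `x` into the secret file when no per-host password is defined, which hides a missing credential until the first bind fails; dropping the default so the catalog fails instead seems safer.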
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 210526c9..180ad852 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -1,42 +1 @@
-class pam {
-
- class base {
- package { ["pam_ldap","nss_ldap"]:
- ensure => installed,
- }
-
- file { "system-auth":
- path => "/etc/pam.d/system-auth",
- owner => root,
- group => root,
- mode => 644,
- content => template("pam/system-auth")
- }
-
- file { "nsswitch.conf":
- path => "/etc/nsswitch.conf",
- owner => root,
- group => root,
- mode => 644,
- content => template("pam/nsswitch.conf")
- }
- file { "ldap.conf":
- path => "/etc/ldap.conf",
- owner => root,
- group => root,
- mode => 644,
- content => template("pam/ldap.conf")
- }
- }
-
- # for server where only admin can connect
- class admin_access inherits base {
- $access_class = "admin"
- # not sure if this line is needed anymore, wil check later
- }
-
- # for server where people can connect with ssh ( git, svn )
- class commiters_access inherits base {
- $access_class = "commiters"
- }
-}
+class pam { }
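Review bot: The new `class pam { }` is empty and nothing on the page explains why it is kept; presumably it only preserves existing `include pam` declarations now that the admin_access/commiters_access subclasses are gone. A one-line comment such as `# Intentionally empty: kept so 'include pam' still resolves; use pam::multiple_ldap_access instead.` would stop the next reader from deleting it or re-adding logic here.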
diff --git a/modules/pam/manifests/multiple_ldap_access.pp b/modules/pam/manifests/multiple_ldap_access.pp
new file mode 100644
index 00000000..1c5a391f
--- /dev/null
+++ b/modules/pam/manifests/multiple_ldap_access.pp
@@ -0,0 +1,15 @@
+class pam::multiple_ldap_access($access_classes, $restricted_shell = false) {
+ include stdlib
+
+ $default_access_classes = [ 'mga-sysadmin', 'mga-unrestricted_shell_access' ]
+ if empty($access_classes) {
+ $allowed_access_classes = $default_access_classes
+ } else {
+ $allowed_access_classes = concat($default_access_classes, $access_classes)
+ }
+
+ if $restricted_shell {
+ include restrictshell
+ }
+ include pam::base
+}
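Review bot: `$allowed_access_classes` is assigned but never referenced inside the class; it exists only to be read by the templates through `scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes')`, and `$restricted_shell` is read the same way, which is not visible from this file. A comment above the assignment such as `# Read by templates/system-auth and templates/ldap.conf via scope.lookupvar; do not rename.` would prevent it being removed as dead code. The class also ends with `include pam::base` while pam::base includes this class back; that works when this parameterised class is declared first, but a bare `include pam::base` from elsewhere would presumably fail because `$access_classes` has no default, which is worth stating in a header comment or avoiding by giving `$access_classes` a default of `[]`.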
diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf
index 0b3a19fc..235a6aac 100644
--- a/modules/pam/templates/ldap.conf
+++ b/modules/pam/templates/ldap.conf
@@ -1,7 +1,10 @@
+rootbinddn cn=<%= fqdn %>,ou=Hosts,<%= dc_suffix %>
-uri ldap://ldap.<%= domain %>
+uri ldaps://ldap.<%= domain %>
base <%= dc_suffix %>
-pam_lookup_policy no
+timelimit 4
+bind_timelimit 4
+pam_lookup_policy yes
pam_password exop
nss_base_passwd ou=People,<%= dc_suffix %>?one
nss_base_shadow ou=People,<%= dc_suffix %>?one
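Review bot: The new `rootbinddn cn=<%= fqdn %>,ou=Hosts,<%= dc_suffix %>` line carries no comment on where its credential comes from: pam_ldap reads the rootbinddn password from /etc/ldap.secret, which pam::base now writes from extlookup, and a reader of this template cannot see that coupling. Suggest `# rootbinddn password is read from /etc/ldap.secret (managed by pam::base)` above it. Note that changing the uri to `ldaps://` only authenticates the server if libldap verifies the certificate, which is governed by TLS_REQCERT in /etc/openldap/ldap.conf (see the openldap.ldap.conf hunk); the `timelimit 4` / `bind_timelimit 4` values would also benefit from a short comment on why four seconds was chosen.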
@@ -12,8 +15,10 @@ nss_map_attribute uniqueMember member
sudoers_base ou=sudoers,<%= dc_suffix %>
#sudoers_debug 2
-<% if access_class = 'commiters' %>
+<%-
+restricted_shell = scope.lookupvar('pam::multiple_ldap_access::restricted_shell')
+if restricted_shell
+-%>
# for restricted access
nss_override_attribute_value loginShell /usr/local/bin/sv_membersh.pl
<% end %>
-
diff --git a/modules/pam/templates/nsswitch.conf b/modules/pam/templates/nsswitch.conf
index f797885d..bfd042c1 100644
--- a/modules/pam/templates/nsswitch.conf
+++ b/modules/pam/templates/nsswitch.conf
@@ -1,7 +1,7 @@
passwd: files ldap [UNAVAIL=return]
shadow: files ldap [UNAVAIL=return]
group: files ldap [UNAVAIL=return]
-hosts: files mdns4_minimal [NOTFOUND=return] dns
+hosts: files dns
bootparams: files
ethers: files
netmasks: files
@@ -13,4 +13,3 @@ netgroup: files ldap
publickey: files
automount: files
aliases: files
-
diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf
new file mode 100644
index 00000000..cd6ee640
--- /dev/null
+++ b/modules/pam/templates/openldap.ldap.conf
@@ -0,0 +1,25 @@
+#BASE dc=example, dc=com
+#HOST ldap.example.com ldap-master.example.com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# SSL/TSL configuration. With CA-signed certs, TLS_REQCERT should be
+# "demand", with the CA certificate accessible
+#TLS_REQCERT ([demand],never,allow,try)
+# We ship with allow by default as some LDAP clients (e.g. evolution) have
+# no interactive SSL configuration
+
+TLS_REQCERT allow
+
+# CA Certificate locations
+# Use the default self-signed cert generated by openldap-server postinstall
+# by default
+#TLS_CACERT /etc/pki/tls/certs/ldap.pem
+#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem
+
+# If requiring support for certificates signed by all CAs (noting risks
+# pam_ldap if doing DNS-based suffix lookup etc.
+#TLS_CACERTDIR /etc/pki/tls/rootcerts
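Review bot: `TLS_REQCERT allow` in the new template makes libldap accept a missing or unverifiable server certificate, so the `ldaps://` URI and `rootbinddn` introduced in the ldap.conf hunk provide transport encryption but no server authentication, and the host's bind password from /etc/ldap.secret is sent to whichever server answers for ldap.<%= domain %>. The surrounding text is the stock distribution comment; its rationale about interactive clients such as evolution does not apply to a Puppet-managed pam_ldap client. Since the template already carries the site CA path as a comment, the hardened form is `TLS_REQCERT demand` together with `TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem` uncommented (or whichever path the CA is actually deployed to), plus a short comment stating that the setting protects the rootbinddn credential.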
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index b02aec3a..37d1da7d 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -1,21 +1,22 @@
-auth required pam_env.so
+auth required pam_env.so
# this part is here if the module don't exist
# basically, the idea is to copy the exact detail of sufficient,
# and add abort=ignore
auth [abort=ignore success=done new_authtok_reqd=done default=ignore] pam_tcb.so shadow fork nullok prefix=$2a$ count=8
-auth sufficient pam_unix.so likeauth nullok
+auth sufficient pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
-<% if access_class = 'admin' %>
-auth required pam_wheel.so group=mga-sysadmin
-<% end %>
-<% if access_class = 'commiters' %>
-auth required pam_wheel.so group=mga-commiters
-<% end %>
auth required pam_deny.so
account sufficient pam_localuser.so
-account sufficient pam_ldap.so
+# not sure if the following bring something useful
+account required pam_ldap.so
+<%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%>
+<%- if allowed_access_classes -%>
+<%- allowed_access_classes.each { |ldap_group| -%>
+account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %>
+<%- } -%>
+<%- end -%>
account required pam_deny.so
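Review bot: The `<%- if allowed_access_classes -%>` guard around the new account block only skips the loop for nil/false; an empty string, or the `:undefined` value that older Puppet versions (as I recall) return from scope.lookupvar for an unset variable, is truthy in Ruby, so `.each` would raise inside the template rather than render nothing. `<%- if allowed_access_classes.is_a?(Array) -%>` states the intent exactly. The comment `# not sure if the following bring something useful` above `account required pam_ldap.so` should say what the line does: as I read pam_ldap, its account stage applies the password-policy and host-access checks that `pam_lookup_policy yes` in ldap.conf enables, so it is not redundant with the pam_succeed_if group lines. The resulting policy is also worth a comment: a non-local user must pass pam_ldap and belong to at least one allowed group, otherwise `account required pam_deny.so` refuses the session.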
@@ -32,4 +33,3 @@ session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
-