From f5b2645d869b76598c18527d388ed76719c06bdd Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Fri, 4 Oct 2024 21:44:50 -0700 Subject: Revert "Use @ when accessing variables in templates" Variables defined within a template can't be accessed with @. This change needs to be reworked to eliminate those cases. This reverts commits 2c7da665 and ae197622. --- modules/pam/templates/ldap.conf | 14 +++++++------- modules/pam/templates/openldap.ldap.conf | 2 +- modules/pam/templates/system-auth | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) (limited to 'modules/pam') diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf index 0e8495df..235a6aac 100644 --- a/modules/pam/templates/ldap.conf +++ b/modules/pam/templates/ldap.conf @@ -1,18 +1,18 @@ -rootbinddn cn=<%= @fqdn %>,ou=Hosts,<%= @dc_suffix %> +rootbinddn cn=<%= fqdn %>,ou=Hosts,<%= dc_suffix %> -uri ldaps://ldap.<%= @domain %> -base <%= @dc_suffix %> +uri ldaps://ldap.<%= domain %> +base <%= dc_suffix %> timelimit 4 bind_timelimit 4 pam_lookup_policy yes pam_password exop -nss_base_passwd ou=People,<%= @dc_suffix %>?one -nss_base_shadow ou=People,<%= @dc_suffix %>?one -nss_base_group ou=Group,<%= @dc_suffix %>?one +nss_base_passwd ou=People,<%= dc_suffix %>?one +nss_base_shadow ou=People,<%= dc_suffix %>?one +nss_base_group ou=Group,<%= dc_suffix %>?one nss_schema rfc2307bis nss_map_attribute uniqueMember member -sudoers_base ou=sudoers,<%= @dc_suffix %> +sudoers_base ou=sudoers,<%= dc_suffix %> #sudoers_debug 2 <%- diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf index a2a3efab..cd6ee640 100644 --- a/modules/pam/templates/openldap.ldap.conf +++ b/modules/pam/templates/openldap.ldap.conf @@ -18,7 +18,7 @@ TLS_REQCERT allow # Use the default self-signed cert generated by openldap-server postinstall # by default #TLS_CACERT /etc/pki/tls/certs/ldap.pem -#TLS_CACERT /etc/ssl/openldap/ldap.<%= @domain %>.pem +#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem # If requiring support for certificates signed by all CAs (noting risks # pam_ldap if doing DNS-based suffix lookup etc. diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth index c6496ba8..37d1da7d 100644 --- a/modules/pam/templates/system-auth +++ b/modules/pam/templates/system-auth @@ -14,7 +14,7 @@ account required pam_ldap.so <%- allowed_access_classes = scope.lookupvar('pam::multiple_ldap_access::allowed_access_classes') -%> <%- if allowed_access_classes -%> <%- allowed_access_classes.each { |ldap_group| -%> -account sufficient pam_succeed_if.so quiet user ingroup <%= @ldap_group %> +account sufficient pam_succeed_if.so quiet user ingroup <%= ldap_group %> <%- } -%> <%- end -%> account required pam_deny.so -- cgit v1.2.1