blob: 5a3809077d74f670ea06b30ecd8bbf32363cd32c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
class access_classes {
# beware , theses classes are exclusives
# if you need multiple group access, you need to define you own class
# of access
# for server where only admins can connect
class admin {
pam::multiple_ldap_access { "admin":
access_classes => ['mga-sysadmin']
}
}
# for server where people can connect with ssh ( git, svn )
class committers {
# this is required, as we force the shell to be the restricted one
# openssh will detect if the file do not exist and while refuse to log the
# user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
# so the file must exist
# permission to use svn, git, etc must be added separatly
pam::multiple_ldap_access { "committers":
access_classes => ['mga-committers'],
restricted_shell => true,
}
}
class iso_makers {
pam::multiple_ldap_access { "iso_makers":
access_classes => ['mga-iso_makers','mga-sysadmin']
}
}
}
|
