Modified: puppet/modules/pam/manifests/init.pp
===================================================================
--- puppet/modules/pam/manifests/init.pp 2010-11-24 02:08:32 UTC (rev 450)
+++ puppet/modules/pam/manifests/init.pp 2010-11-24 02:50:45 UTC (rev 451)
@@ -43,14 +43,17 @@
content => template("pam/ldap.conf")
}
}
-
+
+ # beware , this two classes are exclusive
+
# for server where only admins can connect
- class admin_access inherits base {
+ class admin_access {
$access_class = "admin"
+ include base
}
# for server where people can connect with ssh ( git, svn )
- class committers_access inherits base {
+ class committers_access {
# this is required, as we force the shell to be the restricted one
# openssh will detect if the file do not exist and while refuse to log the
# user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
@@ -58,5 +61,6 @@
# permission to use svn, git, etc must be added separatly
include restrictshell::shell
$access_class = "committers"
+ include base
}
}
Modified: puppet/modules/pam/templates/system-auth
===================================================================
--- puppet/modules/pam/templates/system-auth 2010-11-24 02:08:32 UTC (rev 450)
+++ puppet/modules/pam/templates/system-auth 2010-11-24 02:50:45 UTC (rev 451)
@@ -1,10 +1,4 @@
auth required pam_env.so
-<%- if access_class = 'admin' -%>
-auth required pam_succeed_if.so quiet user ingroup mga-sysadmin
-<%- end -%>
-<%- if access_class = 'committers' -%>
-auth required pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
# this part is here if the module don't exist
# basically, the idea is to copy the exact detail of sufficient,
# and add abort=ignore
@@ -15,6 +9,12 @@
account sufficient pam_localuser.so
+<%- if access_class == 'admin' -%>
+account required pam_succeed_if.so quiet user ingroup mga-sysadmin
+<%- end -%>
+<%- if access_class == 'committers' -%>
+account required pam_succeed_if.so quiet user ingroup mga-committers
+<%- end -%>
account sufficient pam_ldap.so
account required pam_deny.so