1 |
class access_class { |
2 |
|
3 |
# beware , theses classes are exclusives |
4 |
# if you need multiple group access, you need to define you own class |
5 |
# of access |
6 |
|
7 |
# for server where only admins can connect |
8 |
class admin { |
9 |
pam::multiple_ldap_access { "admin": |
10 |
access_classes => ['mga-sysadmin'] |
11 |
} |
12 |
} |
13 |
|
14 |
# for server where people can connect with ssh ( git, svn ) |
15 |
class committers { |
16 |
# this is required, as we force the shell to be the restricted one |
17 |
# openssh will detect if the file do not exist and while refuse to log the |
18 |
# user, and erase the password ( see pam_auth.c in openssh code, seek badpw ) |
19 |
# so the file must exist |
20 |
# permission to use svn, git, etc must be added separatly |
21 |
|
22 |
pam::multiple_ldap_access { "committers": |
23 |
access_classes => ['mga-committers'], |
24 |
restricted_shell => true, |
25 |
} |
26 |
} |
27 |
|
28 |
class iso_makers { |
29 |
pam::multiple_ldap_access { "iso_makers": |
30 |
access_classes => ['mga-iso_makers','mga-sysadmin'] |
31 |
} |
32 |
} |
33 |
} |