| 1 |
class pam { |
| 2 |
|
| 3 |
class base { |
| 4 |
package { ["pam_ldap","nss_ldap","nscd"]: |
| 5 |
ensure => installed, |
| 6 |
} |
| 7 |
|
| 8 |
service { nscd: |
| 9 |
ensure => running, |
| 10 |
path => '/etc/init.d/nscd', |
| 11 |
} |
| 12 |
|
| 13 |
file { "system-auth": |
| 14 |
path => "/etc/pam.d/system-auth", |
| 15 |
owner => root, |
| 16 |
group => root, |
| 17 |
mode => 644, |
| 18 |
content => template("pam/system-auth") |
| 19 |
} |
| 20 |
|
| 21 |
file { "nsswitch.conf": |
| 22 |
path => "/etc/nsswitch.conf", |
| 23 |
owner => root, |
| 24 |
group => root, |
| 25 |
mode => 644, |
| 26 |
content => template("pam/nsswitch.conf") |
| 27 |
} |
| 28 |
|
| 29 |
$ldap_password = extlookup("${fqdn}_ldap_password",'x') |
| 30 |
file { "ldap.secret": |
| 31 |
path => "/etc/ldap.secret", |
| 32 |
owner => root, |
| 33 |
group => root, |
| 34 |
mode => 600, |
| 35 |
content => $ldap_password |
| 36 |
} |
| 37 |
|
| 38 |
file { "ldap.conf": |
| 39 |
path => "/etc/ldap.conf", |
| 40 |
owner => root, |
| 41 |
group => root, |
| 42 |
mode => 644, |
| 43 |
content => template("pam/ldap.conf") |
| 44 |
} |
| 45 |
} |
| 46 |
|
| 47 |
# for server where only admins can connect |
| 48 |
class admin_access inherits base { |
| 49 |
$access_class = "admin" |
| 50 |
} |
| 51 |
|
| 52 |
# for server where people can connect with ssh ( git, svn ) |
| 53 |
class committers_access inherits base { |
| 54 |
# this is required, as we force the shell to be the restricted one |
| 55 |
# openssh will detect if the file do not exist and while refuse to log the |
| 56 |
# user, and erase the password ( see pam_auth.c in openssh code, seek badpw ) |
| 57 |
# so the file must exist |
| 58 |
# permission to use svn, git, etc must be added separatly |
| 59 |
include restrictshell::shell |
| 60 |
$access_class = "committers" |
| 61 |
} |
| 62 |
} |
Parent Directory
| 
Revision Log