[Mageia-sysadm] [779] allow to use multiple group for the access with pam

root at mageia.org root at mageia.org
Thu Jan 13 19:12:31 CET 2011


Revision: 779
Author:   misc
Date:     2011-01-13 19:12:31 +0100 (Thu, 13 Jan 2011)
Log Message:
-----------
allow using multiple groups for access control with PAM

Modified Paths:
--------------
    puppet/modules/pam/manifests/init.pp
    puppet/modules/pam/templates/system-auth

Modified: puppet/modules/pam/manifests/init.pp
===================================================================
--- puppet/modules/pam/manifests/init.pp	2011-01-13 18:12:29 UTC (rev 778)
+++ puppet/modules/pam/manifests/init.pp	2011-01-13 18:12:31 UTC (rev 779)
@@ -43,13 +43,20 @@
          content => template("pam/ldap.conf")
       }
   } 
+
+  define multiple_ldap_access($access_classes) {
+    include base
+  }
  
-  # beware , this two classes are exclusive
+  # beware , this two classes are exclusives
+  # if you need multiple group access, you need to define you own class
+  # of access  
  
   # for server where only admins can connect
   class admin_access {
-    $access_class = "admin"
-    include base
+    multiple_ldap_access { "admin_access":
+        access_classes => ['mga-sysadmin']
+    }
   }
 
   # for server where people can connect with ssh ( git, svn )
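Review bot: The `multiple_ldap_access` define on L28–L30 never uses `$access_classes` in its own body; the value only reaches the system-auth template through Puppet's dynamic scoping, which works just when this `include base` is the one that first evaluates `base` — if `base` is already in the catalog from another scope, `include` is a no-op and the template sees no `access_classes`, so the group lines are silently not rendered. That is also what happens if two of these are declared on one node, which is what the "exclusives" comment warns about, so the caveat belongs on the define rather than on the two classes. I would put it right above `define multiple_ldap_access`, e.g. `# $access_classes is read by templates/system-auth via dynamic scope: base must not be included earlier from a scope that lacks it, and only one instance may exist per node`.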
@@ -59,8 +66,11 @@
     # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
     # so the file must exist
     # permission to use svn, git, etc must be added separatly
+     
     include restrictshell::shell
-    $access_class = "committers"
-    include base
+
+    multiple_ldap_access { "committers_access":
+        access_classes => ['mga-commiters']
+    }
   }
 }
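Review bot: `access_classes => ['mga-commiters']` on L57 spells the group with a single t, whereas the template line it replaces (L80, removed by this commit) matched `mga-committers`; whichever spelling the LDAP group does not actually carry makes the generated `pam_succeed_if ... ingroup` line never match, and because the stack fails closed every committer is then locked out with no error from Puppet. Please confirm the group's real name in LDAP and align the two, `access_classes => ['mga-committers']` if the old template was right. The enclosing class starts above this hunk.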

Modified: puppet/modules/pam/templates/system-auth
===================================================================
--- puppet/modules/pam/templates/system-auth	2011-01-13 18:12:29 UTC (rev 778)
+++ puppet/modules/pam/templates/system-auth	2011-01-13 18:12:31 UTC (rev 779)
@@ -9,13 +9,13 @@
 
 
 account sufficient  pam_localuser.so
-<%- if access_class == 'admin' -%>
-account required    pam_succeed_if.so quiet user ingroup mga-sysadmin
+# not sure if the following bring something useful
+account required  pam_ldap.so
+<%- if access_classes -%>
+<%- access_classes.each { |ldap_group| -%>
+account sufficient   pam_succeed_if.so quiet user ingroup <%= ldap_group %>
+<%- } -%>
 <%- end -%>
-<%- if access_class == 'committers' -%>
-account required    pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
-account sufficient  pam_ldap.so
 account required    pam_deny.so
 
 
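Review bot: The `# not sure if the following bring something useful` comment on L72 leaves the role of `account required pam_ldap.so` unresolved inside a generated PAM stack, and its placement does matter: it runs before the `sufficient` group lines, and a `required` failure there remains fatal even when a later `sufficient` pam_succeed_if line matches, so an LDAP-side account rejection (expiry and similar restrictions, to the extent pam_ldap is configured to check them) cannot be bypassed by group membership. I would replace the comment with `# pam_ldap account check: kept 'required' and placed before the group lines so an LDAP-side rejection is fatal even if a later 'sufficient' group match succeeds`. It is also worth stating the fail-closed case in the template, since with `access_classes` unset or empty no `sufficient` line is rendered and every non-local user falls through to `pam_deny`, e.g. `# no access_classes -> only local users can log in`.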