changes to allow absence of base::pam

NEWS

@@ -17,6 +17,11 @@ release/005.010 (2017-10-02)
     off-campus Instead, just have everything go through smtp.stanford.edu
     (which still has an on-campus presence). [akkornel]
 
+    [pam] Add "ensure" parameter to base::pam::debian to allow the
+    non-installation of some Kerberos-related PAM packages in the special
+    case of non-production Kerberos servers not synced with production
+    Kerberos environment. [adamhl]
+
 release/005.009 (2017-07-07)
 
     [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help

manifests/pam/debian.pp

@@ -2,64 +2,47 @@
 # Sets up basic PAM configuration for Debian, separated out from the original
 # kerberos configuration.
 
-class base::pam::debian {
-  package { 'libpam-krb5': ensure => present }
-  package { 'libpam-afs-session': ensure => present }
-
-  # Starting with Debian jessie, pam-auth-update manages the common PAM files.
-  if ($::lsbmajdistrelease < 8) {
-    file {
-      '/etc/pam.d/common-auth':
-        source  => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
-        require => [ Package['libpam-afs-session'],
-                     Package['libpam-krb5'] ];
-     '/etc/pam.d/common-account':
-        source  => 'puppet:///modules/base/pam/etc/pam.d/common-account',
-        require => [ Package['libpam-krb5'] ];
-     '/etc/pam.d/common-session':
-        source  => 'puppet:///modules/base/pam/etc/pam.d/common-session',
-        require => [ Package['libpam-afs-session'],
-                     Package['libpam-krb5'] ];
+class base::pam::debian(
+  $ensure = 'present',
+){
+  if ($ensure == 'present') {
+    package { 'libpam-krb5': ensure => present }
+    package { 'libpam-afs-session': ensure => present }
+
+    # Starting with Debian jessie, pam-auth-update manages the common PAM files.
+    if ($::lsbmajdistrelease < 8) {
+      file {
+        '/etc/pam.d/common-auth':
+          source  => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
+          require => [ Package['libpam-afs-session'],
+                       Package['libpam-krb5'] ];
+       '/etc/pam.d/common-account':
+          source  => 'puppet:///modules/base/pam/etc/pam.d/common-account',
+          require => [ Package['libpam-krb5'] ];
+       '/etc/pam.d/common-session':
+          source  => 'puppet:///modules/base/pam/etc/pam.d/common-session',
+          require => [ Package['libpam-afs-session'],
+                       Package['libpam-krb5'] ];
+      }
+    }
+  } elsif ($ensure == 'absent') {
+    package { 'libpam-krb5':        ensure => absent }
+    package { 'libpam-afs-session': ensure => absent }
+
+    # Starting with Debian jessie, pam-auth-update manages the common PAM files.
+    if ($::lsbmajdistrelease < 8) {
+      file { '/etc/pam.d/common-auth':
+        ensure => absent
+      }
+      file { '/etc/pam.d/common-account':
+        ensure => absent
+      }
+      file {'/etc/pam.d/common-session':
+        ensure => absent
+      }
     }
+  } else {
+    fail("ensure parameter must be either 'present' or 'absent'")
   }
 }
 
-# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
-# to the timeshare class, or something similar
-
-class base::pam::debian::ldap inherits base::pam::debian {
-  package {
-    'libpam-ldap':             ensure => 'present';
-    'libnss-ldap':             ensure => 'present';
-    'libpam-openafs-kaserver': ensure => 'absent';
-  }
-
-  # A lot of this stuff is taken from s_timeshare, which is where it was
-  # originally implemented.
-  file {
-    '/etc/ldap.conf':
-      source  => 'puppet:///modules/base/pam/etc/ldap.conf';
-    '/etc/libnss-ldap.conf':
-      source  => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
-    '/etc/nsswitch.conf':
-      source  => 'puppet:///modules/base/pam/etc/nsswitch.conf';
-    '/etc/pam.d/common-password':
-      source  => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
-      require => [ Package['libpam-krb5'] ];
-    '/etc/pam_ldap.conf':
-      source  => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
-  }
-
-  File['/etc/pam.d/common-account'] {
-    source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
-  }
-
-  File['/etc/pam.d/common-auth'] {
-    source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
-  }
-
-  File['/etc/pam.d/common-session'] {
-    source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
-  }
-
-}

manifests/pam/debian/ldap.pp

+# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
+# to the timeshare class, or something similar
+
+class base::pam::debian::ldap inherits base::pam::debian {
+  package {
+    'libpam-ldap':             ensure => 'present';
+    'libnss-ldap':             ensure => 'present';
+    'libpam-openafs-kaserver': ensure => 'absent';
+  }
+
+  # A lot of this stuff is taken from s_timeshare, which is where it was
+  # originally implemented.
+  file {
+    '/etc/ldap.conf':
+      source  => 'puppet:///modules/base/pam/etc/ldap.conf';
+    '/etc/libnss-ldap.conf':
+      source  => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
+    '/etc/nsswitch.conf':
+      source  => 'puppet:///modules/base/pam/etc/nsswitch.conf';
+    '/etc/pam.d/common-password':
+      source  => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
+      require => [ Package['libpam-krb5'] ];
+    '/etc/pam_ldap.conf':
+      source  => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
+  }
+
+  File['/etc/pam.d/common-account'] {
+    source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
+  }
+
+  File['/etc/pam.d/common-auth'] {
+    source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
+  }
+
+  File['/etc/pam.d/common-session'] {
+    source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
+  }
+
+}