Verified Commit 85a59b42 authored by Adam Lewenberg's avatar Adam Lewenberg

changes to allow absence of base::pam

parent 42b42808
......@@ -17,6 +17,11 @@ release/005.010 (2017-10-02)
off-campus Instead, just have everything go through smtp.stanford.edu
(which still has an on-campus presence). [akkornel]
[pam] Add "ensure" parameter to base::pam::debian to allow the
non-installation of some Kerberos-related PAM packages in the special
case of non-production Kerberos servers not synced with production
Kerberos environment. [adamhl]
release/005.009 (2017-07-07)
[ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
......
......@@ -2,64 +2,47 @@
# Sets up basic PAM configuration for Debian, separated out from the original
# kerberos configuration.
class base::pam::debian {
package { 'libpam-krb5': ensure => present }
package { 'libpam-afs-session': ensure => present }
# Starting with Debian jessie, pam-auth-update manages the common PAM files.
if ($::lsbmajdistrelease < 8) {
file {
'/etc/pam.d/common-auth':
source => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
require => [ Package['libpam-afs-session'],
Package['libpam-krb5'] ];
'/etc/pam.d/common-account':
source => 'puppet:///modules/base/pam/etc/pam.d/common-account',
require => [ Package['libpam-krb5'] ];
'/etc/pam.d/common-session':
source => 'puppet:///modules/base/pam/etc/pam.d/common-session',
require => [ Package['libpam-afs-session'],
Package['libpam-krb5'] ];
class base::pam::debian(
$ensure = 'present',
){
if ($ensure == 'present') {
package { 'libpam-krb5': ensure => present }
package { 'libpam-afs-session': ensure => present }
# Starting with Debian jessie, pam-auth-update manages the common PAM files.
if ($::lsbmajdistrelease < 8) {
file {
'/etc/pam.d/common-auth':
source => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
require => [ Package['libpam-afs-session'],
Package['libpam-krb5'] ];
'/etc/pam.d/common-account':
source => 'puppet:///modules/base/pam/etc/pam.d/common-account',
require => [ Package['libpam-krb5'] ];
'/etc/pam.d/common-session':
source => 'puppet:///modules/base/pam/etc/pam.d/common-session',
require => [ Package['libpam-afs-session'],
Package['libpam-krb5'] ];
}
}
} elsif ($ensure == 'absent') {
package { 'libpam-krb5': ensure => absent }
package { 'libpam-afs-session': ensure => absent }
# Starting with Debian jessie, pam-auth-update manages the common PAM files.
if ($::lsbmajdistrelease < 8) {
file { '/etc/pam.d/common-auth':
ensure => absent
}
file { '/etc/pam.d/common-account':
ensure => absent
}
file {'/etc/pam.d/common-session':
ensure => absent
}
}
} else {
fail("ensure parameter must be either 'present' or 'absent'")
}
}
# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
# to the timeshare class, or something similar
class base::pam::debian::ldap inherits base::pam::debian {
package {
'libpam-ldap': ensure => 'present';
'libnss-ldap': ensure => 'present';
'libpam-openafs-kaserver': ensure => 'absent';
}
# A lot of this stuff is taken from s_timeshare, which is where it was
# originally implemented.
file {
'/etc/ldap.conf':
source => 'puppet:///modules/base/pam/etc/ldap.conf';
'/etc/libnss-ldap.conf':
source => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
'/etc/nsswitch.conf':
source => 'puppet:///modules/base/pam/etc/nsswitch.conf';
'/etc/pam.d/common-password':
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
require => [ Package['libpam-krb5'] ];
'/etc/pam_ldap.conf':
source => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
}
File['/etc/pam.d/common-account'] {
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
}
File['/etc/pam.d/common-auth'] {
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
}
File['/etc/pam.d/common-session'] {
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
}
}
# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
# to the timeshare class, or something similar
class base::pam::debian::ldap inherits base::pam::debian {
package {
'libpam-ldap': ensure => 'present';
'libnss-ldap': ensure => 'present';
'libpam-openafs-kaserver': ensure => 'absent';
}
# A lot of this stuff is taken from s_timeshare, which is where it was
# originally implemented.
file {
'/etc/ldap.conf':
source => 'puppet:///modules/base/pam/etc/ldap.conf';
'/etc/libnss-ldap.conf':
source => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
'/etc/nsswitch.conf':
source => 'puppet:///modules/base/pam/etc/nsswitch.conf';
'/etc/pam.d/common-password':
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
require => [ Package['libpam-krb5'] ];
'/etc/pam_ldap.conf':
source => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
}
File['/etc/pam.d/common-account'] {
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
}
File['/etc/pam.d/common-auth'] {
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
}
File['/etc/pam.d/common-session'] {
source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
}
}
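Review bot: The `absent` branch deletes `/etc/pam.d/common-auth`, `common-account` and `common-session` outright on releases before Debian 8, instead of putting back a Kerberos-free version of them. Debian's per-service PAM files normally pull these in with `@include`, so a host that applies `ensure => 'absent'` could be left with login, sshd and sudo stacks that fail to load, which is an admin-lockout risk on the non-production Kerberos servers this parameter is meant for. I would either leave the three files unmanaged in this branch or keep them managed with a pam_unix-only source, e.g. `source => 'puppet:///modules/base/pam/<PLACEHOLDER: krb5-free common-auth>'`. Separately, `base::pam::debian::ldap` as printed later in this section still has `require => [ Package['libpam-krb5'] ]` and overrides the same three File resources; if it remains on the new side (the page does not make that clear), it needs to be reconciled with the `absent` case. A short comment above `$ensure = 'present',` stating the two accepted values and what `absent` removes would also help.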