From 85a59b4275ad33e47f95a6891bb3aa6c90017de3 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Tue, 24 Oct 2017 09:17:39 -0700
Subject: [PATCH] changes to allow absence of base::pam
---
 NEWS | 5 ++
 manifests/pam/debian.pp | 97 +++++++++++++++---------------------
 manifests/pam/debian/ldap.pp | 39 +++++++++++++++
 3 files changed, 84 insertions(+), 57 deletions(-)
 create mode 100644 manifests/pam/debian/ldap.pp
diff --git a/NEWS b/NEWS
index 9f59279..47a6c39 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,11 @@ release/005.010 (2017-10-02)
 off-campus Instead, just have everything go through smtp.stanford.edu (which still has an on-campus presence). [akkornel]
+ [pam] Add "ensure" parameter to base::pam::debian to allow the
+ non-installation of some Kerberos-related PAM packages in the special
+ case of non-production Kerberos servers not synced with production
+ Kerberos environment. [adamhl]
+
 release/005.009 (2017-07-07)
 [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
diff --git a/manifests/pam/debian.pp b/manifests/pam/debian.pp
index 8167259..90f6423 100644
--- a/manifests/pam/debian.pp
+++ b/manifests/pam/debian.pp
@@ -2,64 +2,47 @@
 # Sets up basic PAM configuration for Debian, separated out from the original
 # kerberos configuration.
-class base::pam::debian {
- package { 'libpam-krb5': ensure => present }
- package { 'libpam-afs-session': ensure => present }
-
- # Starting with Debian jessie, pam-auth-update manages the common PAM files.
- if ($::lsbmajdistrelease < 8) {
- file {
- '/etc/pam.d/common-auth':
- source => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
- require => [ Package['libpam-afs-session'],
- Package['libpam-krb5'] ];
- '/etc/pam.d/common-account':
- source => 'puppet:///modules/base/pam/etc/pam.d/common-account',
- require => [ Package['libpam-krb5'] ];
- '/etc/pam.d/common-session':
- source => 'puppet:///modules/base/pam/etc/pam.d/common-session',
- require => [ Package['libpam-afs-session'],
- Package['libpam-krb5'] ];
+class base::pam::debian(
+ $ensure = 'present',
+){
+ if ($ensure == 'present') {
+ package { 'libpam-krb5': ensure => present }
+ package { 'libpam-afs-session': ensure => present }
+
+ # Starting with Debian jessie, pam-auth-update manages the common PAM files.
+ if ($::lsbmajdistrelease < 8) {
+ file {
+ '/etc/pam.d/common-auth':
+ source => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
+ require => [ Package['libpam-afs-session'],
+ Package['libpam-krb5'] ];
+ '/etc/pam.d/common-account':
+ source => 'puppet:///modules/base/pam/etc/pam.d/common-account',
+ require => [ Package['libpam-krb5'] ];
+ '/etc/pam.d/common-session':
+ source => 'puppet:///modules/base/pam/etc/pam.d/common-session',
+ require => [ Package['libpam-afs-session'],
+ Package['libpam-krb5'] ];
+ }
+ }
+ } elsif ($ensure == 'absent') {
+ package { 'libpam-krb5': ensure => absent }
+ package { 'libpam-afs-session': ensure => absent }
+
+ # Starting with Debian jessie, pam-auth-update manages the common PAM files.
+ if ($::lsbmajdistrelease < 8) {
+ file { '/etc/pam.d/common-auth':
+ ensure => absent
+ }
+ file { '/etc/pam.d/common-account':
+ ensure => absent
+ }
+ file {'/etc/pam.d/common-session':
+ ensure => absent
+ }
 }
+ } else {
+ fail("ensure parameter must be either 'present' or 'absent'")
 }
 }
-# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
-# to the timeshare class, or something similar
-
-class base::pam::debian::ldap inherits base::pam::debian {
- package {
- 'libpam-ldap': ensure => 'present';
- 'libnss-ldap': ensure => 'present';
- 'libpam-openafs-kaserver': ensure => 'absent';
- }
-
- # A lot of this stuff is taken from s_timeshare, which is where it was
- # originally implemented.
- file {
- '/etc/ldap.conf':
- source => 'puppet:///modules/base/pam/etc/ldap.conf';
- '/etc/libnss-ldap.conf':
- source => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
- '/etc/nsswitch.conf':
- source => 'puppet:///modules/base/pam/etc/nsswitch.conf';
- '/etc/pam.d/common-password':
- source => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
- require => [ Package['libpam-krb5'] ];
- '/etc/pam_ldap.conf':
- source => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
- }
-
- File['/etc/pam.d/common-account'] {
- source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
- }
-
- File['/etc/pam.d/common-auth'] {
- source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
- }
-
- File['/etc/pam.d/common-session'] {
- source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
- }
-
-}
diff --git a/manifests/pam/debian/ldap.pp b/manifests/pam/debian/ldap.pp
new file mode 100644
index 0000000..d5cd599
--- /dev/null
+++ b/manifests/pam/debian/ldap.pp
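Review bot: On hosts older than jessie the new absent branch deletes /etc/pam.d/common-auth, common-account and common-session outright (`file { '/etc/pam.d/common-auth': ensure => absent }` and the two resources after it), and on Debian those are the files the per-service pam.d configs normally @include, so this removes the whole local authentication stack rather than only the pam_krb5/pam_afs_session lines and leaves those services with a dangling include instead of the stock pam_unix configuration. A safer absent ships a Kerberos-free variant of each file from the module's pam directory (path to be chosen) so that $ensure only toggles the Kerberos and AFS modules; if deletion is really intended, the header comment should say so explicitly. The duplicated package blocks and the duplicated "Starting with Debian jessie" comment can be collapsed into `package { ['libpam-krb5', 'libpam-afs-session']: ensure => $ensure }` once the value has been validated up front, leaving only the file handling to branch on $ensure. The class header comment at the top of the hunk does not mention the new parameter; add `# @param ensure 'present' (default) installs libpam-krb5/libpam-afs-session and the Kerberos common-* files; 'absent' removes them.`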
@@ -0,0 +1,39 @@
+# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
+# to the timeshare class, or something similar
+
+class base::pam::debian::ldap inherits base::pam::debian {
+ package {
+ 'libpam-ldap': ensure => 'present';
+ 'libnss-ldap': ensure => 'present';
+ 'libpam-openafs-kaserver': ensure => 'absent';
+ }
+
+ # A lot of this stuff is taken from s_timeshare, which is where it was
+ # originally implemented.
+ file {
+ '/etc/ldap.conf':
+ source => 'puppet:///modules/base/pam/etc/ldap.conf';
+ '/etc/libnss-ldap.conf':
+ source => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
+ '/etc/nsswitch.conf':
+ source => 'puppet:///modules/base/pam/etc/nsswitch.conf';
+ '/etc/pam.d/common-password':
+ source => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
+ require => [ Package['libpam-krb5'] ];
+ '/etc/pam_ldap.conf':
+ source => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
+ }
+
+ File['/etc/pam.d/common-account'] {
+ source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
+ }
+
+ File['/etc/pam.d/common-auth'] {
+ source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
+ }
+
+ File['/etc/pam.d/common-session'] {
+ source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
+ }
+
+}
-- GitLab
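Review bot: `class base::pam::debian::ldap inherits base::pam::debian` now inherits a parameterised class, so as far as I can tell declaring this class evaluates the parent with `$ensure = 'present'` (or whatever automatic data binding supplies), and a later resource-like `class { 'base::pam::debian': ensure => 'absent' }` elsewhere in the catalog is rejected as a duplicate declaration; the only supported way to combine the two is setting the parent's ensure through data binding, which nothing here documents. With ensure set to absent, the three `File['/etc/pam.d/common-*']` overrides at the bottom add a `source` to resources that are being removed, and `/etc/pam.d/common-password` keeps its `require => [ Package['libpam-krb5'] ]` while that package is absent, so if the global common-password file references pam_krb5.so (not visible here) password changes would break silently. Add a comment above the class such as `# NOTE: relies on base::pam::debian with ensure => 'present'; the common-* overrides assume the Kerberos files are managed.` or guard the overrides on the parent's $ensure.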