base::pam::workgroup: Documentation fix and minor code cleanup

Update comment documentation in base::pam::workgroup. Remove unused parameter and variables.

base::pam::workgroup: Documentation fix and minor code cleanup
cef1593c · Bill MacAllister · 27d0a674 · cef1593c
Commit cef1593c authored 11 years ago by Bill MacAllister
--- a/manifests/pam/workgroup.pp
+++ b/manifests/pam/workgroup.pp
-# Configure PAM to allow the control of access to a system using
-# Stanford Workgroups.  This module installs a local LDAP proxy
-# server that uses a Kerberos bind to the central service and
-# allows anonymous local access to the directory information.
+##############################################################################
+# Using Stanford Workgroups with PAM
+##############################################################################
+#
+# This module Configures PAM to allow the control of access to a
+# system using Stanford Workgroups.  For Debian/Ubuntu systems this
+# module installs and configures nslcd.  For Redhat this module
+# installs a local LDAP proxy server that uses a Kerberos bind to the
+# central service and allows anonymous local access to the directory
+# information.
 #
 # There are two steps require to implement Workgroup control:
 #
-#   1. Request access to the directory data using the form at
-#      http://tools.stanford.edu/dataowner.  The request is
-#      for access to the suPrivilegGroup attribute.  The request
-#      description should be similar to:
+#   1. The LDAP directory ACLs must be updated to grant access to
+#      the Workgroup or Workgroup stem.  If the requestor is also
+#      the administrator of the Workgroup or stem then Data Owner
+#      approval is _not_ required.  Just send a HelpSU required to
+#      the directory team with the kerberos principals that will be
+#      used to access the directory.  It is simplest to just use the
+#      host principals.
+#
+#      If the requestor is not the administrator of the Workgroup or
+#      stem then Data Owner Approval is required.  Request access to
+#      the directory data using the form at
+#      http://tools.stanford.edu/dataowner.  The request is for access
+#      to the suPrivilegGroup attribute.  The request description
+#      should be similar to:
 #
 #         The XYZ department would like to use Workgroup membership to
 #         control access to a set of Linux systems and requests access
 #         to the suPrivilegeGroup attribute for users in the ABC
 #         Workgroup stem.
 #
-#      The default principal name used to access the LDAP directory is
-#      the host principal.
-#
-#   2. Configure any hosts that need the access control with either:
-#      1) ldap proxy server and pam/nss ldap packages or 2) pam/nss
-#      ldap packages that support kerberos binds to the directory.
-#      This module will perform the required tasks.  In general,
-#      systems should use kerberos bind packages where they are
-#      available which current means newer debian or ubuntu systems.
-#      RedHat systems require a slapd proxy.
+#   2. Update the puppet model of any hosts that will use this control.
 #
 # Examples:
 #
@@ -63,16 +70,9 @@ define base::pam::workgroup (
  $ldap_filter    = '(objectclass=posixAccount)',
  $ldap_proxy     = 'NONE',
  $ldap_base      = 'cn=Accounts,dc=stanford,dc=edu',
-  $principal      = 'HOST',
-  $workgroup_stem = 'NONE'
+  $principal      = 'HOST'
 ) {

-  # Nice default for the stem
-  case $workgroup_stem {
-    'NONE':  { $stem = $name           }
-    default: { $stem = $workgroup_stem }
-  }
-
  # When the nslcd.conf file changes reload the changes.
  exec {'nslcd refresh':
    command     => '/etc/init.d/nslcd force-reload',
@@ -214,4 +214,4 @@ class base::pam::workgroup_redhat inherits base::pam::redhat {
      mode   => 644,
      source => 'puppet:///modules/base/pam/etc/pam.d/system-auth-ldap',
  }
-}
\ No newline at end of file
+}