From cef1593cfe3c4703915d1a4efd0faa06695facc7 Mon Sep 17 00:00:00 2001
From: Bill MacAllister <whm@stanford.edu>
Date: Wed, 5 Feb 2014 19:02:42 -0800
Subject: [PATCH] base::pam::workgroup: Documentation fix and minor code cleanup

Update comment documentation in base::pam::workgroup. Remove unused parameter and variables.

---
 manifests/pam/workgroup.pp | 54 +++++++++++++++++++-------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/manifests/pam/workgroup.pp b/manifests/pam/workgroup.pp
index edf97a7..2cc6473 100644
--- a/manifests/pam/workgroup.pp
+++ b/manifests/pam/workgroup.pp
@@ -1,30 +1,37 @@
-# Configure PAM to allow the control of access to a system using
-# Stanford Workgroups. This module installs a local LDAP proxy
-# server that uses a Kerberos bind to the central service and
-# allows anonymous local access to the directory information.
+##############################################################################
+# Using Stanford Workgroups with PAM
+##############################################################################
+#
+# This module Configures PAM to allow the control of access to a
+# system using Stanford Workgroups. For Debian/Ubuntu systems this
+# module installs and configures nslcd. For Redhat this module
+# installs a local LDAP proxy server that uses a Kerberos bind to the
+# central service and allows anonymous local access to the directory
+# information.
 #
 # There are two steps require to implement Workgroup control:
 #
-# 1. Request access to the directory data using the form at
-# http://tools.stanford.edu/dataowner. The request is
-# for access to the suPrivilegGroup attribute. The request
-# description should be similar to:
+# 1. The LDAP directory ACLs must be updated to grant access to
+# the Workgroup or Workgroup stem. If the requestor is also
+# the administrator of the Workgroup or stem then Data Owner
+# approval is _not_ required. Just send a HelpSU required to
+# the directory team with the kerberos principals that will be
+# used to access the directory. It is simplest to just use the
+# host principals.
+#
+# If the requestor is not the administrator of the Workgroup or
+# stem then Data Owner Approval is required. Request access to
+# the directory data using the form at
+# http://tools.stanford.edu/dataowner. The request is for access
+# to the suPrivilegGroup attribute. The request description
+# should be similar to:
 #
 # The XYZ department would like to use Workgroup membership to
 # control access to a set of Linux systems and requests access
 # to the suPrivilegeGroup attribute for users in the ABC
 # Workgroup stem.
 #
-# The default principal name used to access the LDAP directory is
-# the host principal.
-#
-# 2. Configure any hosts that need the access control with either:
-# 1) ldap proxy server and pam/nss ldap packages or 2) pam/nss
-# ldap packages that support kerberos binds to the directory.
-# This module will perform the required tasks. In general,
-# systems should use kerberos bind packages where they are
-# available which current means newer debian or ubuntu systems.
-# RedHat systems require a slapd proxy.
+# 2. Update the puppet model of any hosts that will use this control.
 #
 # Examples:
 #
@@ -63,16 +70,9 @@ define base::pam::workgroup (
 $ldap_filter = '(objectclass=posixAccount)',
 $ldap_proxy = 'NONE',
 $ldap_base = 'cn=Accounts,dc=stanford,dc=edu',
- $principal = 'HOST',
- $workgroup_stem = 'NONE'
+ $principal = 'HOST'
 ) {
 
- # Nice default for the stem
- case $workgroup_stem {
- 'NONE': { $stem = $name }
- default: { $stem = $workgroup_stem }
- }
-
 # When the nslcd.conf file changes reload the changes.
 exec {'nslcd refresh':
 command => '/etc/init.d/nslcd force-reload',
@@ -214,4 +214,4 @@ class base::pam::workgroup_redhat inherits base::pam::redhat {
 mode => 644,
 source => 'puppet:///modules/base/pam/etc/pam.d/system-auth-ldap',
 }
-}
\ No newline at end of file
+}
-- 
GitLab
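Review bot: The rewritten header still names the attribute `suPrivilegGroup` on the new line `+# to the suPrivilegGroup attribute.  The request description`, while the sample request text a few lines below spells it `suPrivilegeGroup`; since this comment is what an administrator copies into the data-owner request, the two spellings should agree (the example's form looks like the intended one, but confirm against the directory schema). Two other slips in the new lines are worth fixing in the same pass: `This module Configures PAM` should be lower-case `configures`, and `Just send a HelpSU required to` presumably means `request`. The unchanged context line `There are two steps require to implement` could also be corrected to `required` while this block is being rewritten.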
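Review bot: Removing `$workgroup_stem` from the parameter list of `define base::pam::workgroup (` is a breaking interface change rather than plain cleanup: any existing declaration that passes `workgroup_stem => ...` will now fail catalog compilation with an invalid-parameter error, taking the host's PAM/LDAP configuration run down with it. If callers may exist, keep the parameter through a transition period and flag its use, e.g. `$workgroup_stem = undef` in the signature and `if $workgroup_stem { warning('workgroup_stem is ignored by base::pam::workgroup') }` in the body, or at least state the removal explicitly in the commit message so operators know to update their declarations. The body of the define continues past the end of this hunk.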