#
# Sets up basic PAM configuration for Debian, separated out from the original
# kerberos configuration.

class base::pam::debian {
    package { 'libpam-krb5': ensure => present }

    case $::lsbdistcodename {
        'etch': {
            package { 'libpam-openafs-session': ensure => present }
            file {
                '/etc/pam.d/common-auth':
                    source  => 'puppet:///modules/base/pam/etc/pam.d/common-auth',
                    require => [ Package['libpam-openafs-session'],
                                 Package['libpam-krb5'] ];
                '/etc/pam.d/common-session':
                    source  => 'puppet:///modules/base/pam/etc/pam.d/common-session',
                    require => [ Package['libpam-openafs-session'],
                                 Package['libpam-krb5'] ];
            }
        }
        default: {
            package { 'libpam-afs-session': ensure => present }
            file {
                '/etc/pam.d/common-auth':
                    source  => 'puppet:///modules/base/pam/etc/pam.d/common-auth.lenny',
                    require => [ Package['libpam-afs-session'],
                                 Package['libpam-krb5'] ];
                '/etc/pam.d/common-session':
                    source  => 'puppet:///modules/base/pam/etc/pam.d/common-session.lenny',
                    require => [ Package['libpam-afs-session'],
                                 Package['libpam-krb5'] ];
            }
        }
    }

    file { '/etc/pam.d/common-account':
        source  => 'puppet:///modules/base/pam/etc/pam.d/common-account',
        require => [ Package['libpam-krb5'] ];
    }
}

# FIXME: move libpam-foreground and config (in pam.d/global/common-session)
# to the timeshare class, or something similar

class base::pam::debian::ldap inherits base::pam::debian {
    package {
        'libpam-ldap':                     ensure => 'present';
        'libnss-ldap':                     ensure => 'present';
        'libpam-openafs-kaserver':         ensure => 'absent';
    }

    # A lot of this stuff is taken from s_timeshare, which is where it was
    # originally implemented.
    file {
        '/etc/ldap.conf':
            source  => 'puppet:///modules/base/pam/etc/ldap.conf';
        '/etc/libnss-ldap.conf':
            source  => 'puppet:///modules/base/pam/etc/libnss-ldap.conf';
        '/etc/nsswitch.conf':
            source  => 'puppet:///modules/base/pam/etc/nsswitch.conf';
        '/etc/pam.d/common-password':
            source  => 'puppet:///modules/base/pam/etc/pam.d/global/common-password',
            require => [ Package['libpam-krb5'] ];
        '/etc/pam_ldap.conf':
            source  => 'puppet:///modules/base/pam/etc/pam_ldap.conf';
    }

    File['/etc/pam.d/common-account'] {
        source => 'puppet:///modules/base/pam/etc/pam.d/global/common-account'
    }

    File['/etc/pam.d/common-auth'] {
        source => 'puppet:///modules/base/pam/etc/pam.d/global/common-auth'
    }

    File['/etc/pam.d/common-session'] {
        source => 'puppet:///modules/base/pam/etc/pam.d/global/common-session'
    }

}