Puppet Class: central_auth::pam
- Defined in:
- manifests/pam.pp
Overview
Class: central_auth::pam
Class to manage PAM for CrackLib and SSSD
# File 'manifests/pam.pp', line 5
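# @summary Manage the pam_access rule file and the distribution's PAM stack files.
#
# Renders files under /etc/pam.d (and, optionally, the pam_access rule file)
# from the module's EPP templates. Every managed file is owned by root:root
# with mode 0644.
#
# Review notes:
# - The password-quality parameters (dcredit, difok, lcredit, ucredit,
#   ocredit, minlen) are handed only to the RedHat and Suse templates. The
#   Debian templates receive at most enable_sssd, so these values have no
#   effect on Debian unless the templates set their own.
# - enable_pam_access is handed only to the RedHat template. The rule file is
#   written on any Linux node, but whether the Suse and Debian stacks consult
#   it depends on template content not visible here -- TODO confirm.
# - Nothing in this class validates the rendered files. A template error in
#   these stacks can block logins, so try changes with --noop or on a canary
#   node first.
#
# @param min_user_id
#   Passed as min_user_id to the RedHat auth template and to the Suse auth and
#   account templates. No default; must come from Hiera.
# @param access_conf
#   Path of the file rendered from central_auth/access.conf. No default.
# @param dcredit
#   Digit credit. Presumably a pam_cracklib-style option, where a negative
#   value is a required minimum count -- confirm against the templates.
# @param difok
#   Passed to the templates as difok.
# @param lcredit
#   Lower-case credit; see dcredit.
# @param ucredit
#   Upper-case credit; see dcredit.
# @param ocredit
#   Other-character credit; see dcredit.
# @param minlen
#   Passed to the templates as minlen.
# @param enable_sssd
#   Passed to every template except debian-pam-login and debian-pam-sshd.
#   Defaults to the value held by the central_auth class, which therefore has
#   to be evaluated before this class.
# @param enable_pam_access
#   When true on a Linux node, manage the file named by access_conf. Also
#   passed to the RedHat template.
# @param manage_pam_files
#   When true, manage the /etc/pam.d files for the node's OS family.
class central_auth::pam (
  # Class parameters are populated from External(hiera)/Defaults/Fail
  Integer $min_user_id,
  String  $access_conf,
  Integer $dcredit           = -1,
  Integer $difok             = 5,
  Integer $lcredit           = -1,
  Integer $ucredit           = -1,
  Integer $ocredit           = -1,
  Integer $minlen            = 17,
  Boolean $enable_sssd       = $central_auth::enable_sssd,
  Boolean $enable_pam_access = $central_auth::enable_pam_access,
  Boolean $manage_pam_files  = $central_auth::manage_pam_files,
) {
  # Ownership and mode shared by every file resource declared in this class.
  File {
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }

  # Deep merge: entries from every Hiera layer are combined, so any layer can
  # add to the allow lists. Review all layers when auditing who may log in.
  $allowed_groups = lookup('central_auth::pam::allowed_groups', Any, 'deep', {})
  $allowed_users  = lookup('central_auth::pam::allowed_users', Any, 'deep', {})
  #notify { "allowed_groups: $allowed_groups": }
  #notify { "allowed_users: $allowed_users": }
  #class { 'authconfig': }

  # Structured fact instead of the legacy top-level 'osfamily'. Puppet 8 no
  # longer sends legacy facts by default; with the old lookup no branch below
  # would match and the PAM files would silently stop being managed.
  $os_family = $facts['os']['family']

  # Argument groups reused by the templates. Each epp() call below passes
  # exactly the same keys as before.
  $sssd       = { enable_sssd => $enable_sssd }
  $uid_floor  = { min_user_id => $min_user_id }
  $pw_quality = {
    dcredit => $dcredit,
    difok   => $difok,
    lcredit => $lcredit,
    ucredit => $ucredit,
    ocredit => $ocredit,
    minlen  => $minlen,
  }

  if $facts['kernel'] == 'Linux' and $enable_pam_access {
    file { $access_conf:
      ensure  => file,
      content => epp('central_auth/access.conf', {
        allowed_groups => $allowed_groups,
        allowed_users  => $allowed_users,
      }),
    }
  }

  if $manage_pam_files {
    case $os_family {
      'RedHat': {
        # Both files are rendered from the same template.
        file { ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']:
          ensure  => file,
          content => epp('central_auth/rhel-pam-auth',
            { enable_pam_access => $enable_pam_access } + $sssd + $pw_quality + $uid_floor),
        }
      }
      'Suse': {
        file { '/etc/pam.d/common-password':
          ensure  => file,
          content => epp('central_auth/suse-pam-password', $sssd + $pw_quality),
        }
        file { '/etc/pam.d/common-auth':
          ensure  => file,
          content => epp('central_auth/suse-pam-auth', $sssd + $pw_quality + $uid_floor),
        }
        file { '/etc/pam.d/common-account':
          ensure  => file,
          content => epp('central_auth/suse-pam-account', $sssd + $pw_quality + $uid_floor),
        }
        file { '/etc/pam.d/common-session':
          ensure  => file,
          content => epp('central_auth/suse-pam-session', $sssd + $pw_quality),
        }
      }
      'Debian': {
        # These templates take no password-quality or pam_access arguments.
        file { '/etc/pam.d/login':
          ensure  => file,
          content => epp('central_auth/debian-pam-login', {}),
        }
        file { '/etc/pam.d/sshd':
          ensure  => file,
          content => epp('central_auth/debian-pam-sshd', {}),
        }
        file { '/etc/pam.d/common-password':
          ensure  => file,
          content => epp('central_auth/debian-pam-password', $sssd),
        }
        file { '/etc/pam.d/common-auth':
          ensure  => file,
          content => epp('central_auth/debian-pam-auth', $sssd),
        }
        file { '/etc/pam.d/common-account':
          ensure  => file,
          content => epp('central_auth/debian-pam-account', $sssd),
        }
        file { '/etc/pam.d/common-session':
          ensure  => file,
          content => epp('central_auth/debian-pam-session', $sssd),
        }
        file { '/etc/pam.d/common-session-noninteractive':
          ensure  => file,
          content => epp('central_auth/debian-pam-session-noninteractive', $sssd),
        }
      }
      default: {
        # Say so rather than skip silently: the node was asked to have its
        # PAM policy managed and is not getting it.
        warning("central_auth::pam: manage_pam_files is enabled but OS family '${os_family}' has no PAM templates; PAM files are left unmanaged")
      }
    }
  }
}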