move to squeeze style pam config

Signed-off-by: Stephen Gran <steve@lobefin.net>

diff --git a/modules/debian-org/files/pam.common-session b/modules/debian-org/files/pam.common-session
deleted file mode 100644 (file)
index 9ae4373..0000000
--- a/modules/debian-org/files/pam.common-session
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).  The default is pam_unix.
-#
-session        required        pam_unix.so
-session        optional        pam_mkhomedir.so skel=/etc/skel umask=0022

diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index b19a745..f00880c 100644 (file)
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -89,7 +89,7 @@ class debian-org {
             ;
         "/etc/pam.d/common-session":
             require => Package["libpam-pwdfile"],
-            source => "puppet:///modules/debian-org/pam.common-session",
+            content => template("debian-org/pam.common-session.erb"),
             ;
         "/etc/rc.local":
             mode   => 0755,

diff --git a/modules/debian-org/templates/pam.common-session.erb b/modules/debian-org/templates/pam.common-session.erb
new file mode 100644 (file)
index 0000000..360b09d
--- /dev/null
+++ b/modules/debian-org/templates/pam.common-session.erb
@@ -0,0 +1,44 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<% if nodeinfo.has_key?('squeeze') and nodeinfo['squeeze'] %>
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session        [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session        required        pam_unix.so 
+# end of pam-auth-update config
+session        optional        pam_mkhomedir.so skel=/etc/skel umask=0022
+<% else %>
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).  The default is pam_unix.
+#
+session        required        pam_unix.so
+session        optional        pam_mkhomedir.so skel=/etc/skel umask=0022
+<% end %>