* Splitting pam modules:
- ldap
- mkhomedir
* Fixing dependency for mkhomedir refresh
* Adding the ability to disable and enable modules
Prod-Related: EME-220
Change-Id: I94feab03cef82c515c9c430b9828653e87100425
diff --git a/README.rst b/README.rst
index 2246e35..ace428b 100644
--- a/README.rst
+++ b/README.rst
@@ -1794,6 +1794,9 @@
system:
auth:
enabled: true
+ mkhomedir:
+ enabled: true
+ umask: 0027
ldap:
enabled: true
binddn: cn=bind,ou=service_users,dc=example,dc=com
diff --git a/linux/files/mkhomedir b/linux/files/mkhomedir
index 43c6a49..b32caf6 100644
--- a/linux/files/mkhomedir
+++ b/linux/files/mkhomedir
@@ -1,6 +1,7 @@
+{%- from "linux/map.jinja" import auth with context %}
Name: Create home directory during login
Default: yes
Priority: 0
Session-Type: Additional
Session-Final:
- required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
+ required pam_mkhomedir.so skel=/etc/skel umask={{ auth.mkhomedir.get('umask', '0022') }} silent
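Review bot: The pillar umask is interpolated verbatim into the pam_mkhomedir session line with no check that it is an octal string, and the pillar examples this commit adds (`umask: 0027` in tests/pillar/system_extra.sls, mirrored in README.rst) leave the value unquoted, which Salt's YAML loader reads as the integer 23 so the rendered option becomes `umask=23`. Whether pam_mkhomedir interprets that decimal form as intended is not something this hunk shows; quoting the pillar value (`umask: "0027"`) keeps the literal octal text, and the string default `'0022'` already behaves that way. A Jinja comment at the top of the profile would document the contract, e.g. `{#- umask must be an octal string in pillar, e.g. "0027"; an unquoted value is read as an integer #}`.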
diff --git a/linux/system/auth.sls b/linux/system/auth.sls
index 817d60e..2de2f6c 100644
--- a/linux/system/auth.sls
+++ b/linux/system/auth.sls
@@ -1,11 +1,47 @@
{%- from "linux/map.jinja" import auth with context %}
{%- if auth.enabled %}
+ {%- set pam_modules_enable = "" %}
+ {%- set pam_modules_disable = "" %}
+ {%- if grains.os_family == 'Debian' %}
+linux_auth_pam_packages:
+ pkg.installed:
+ - pkgs: [ 'libpam-runtime' ]
-{%- if auth.get('ldap', {}).get('enabled', False) %}
-{%- from "linux/map.jinja" import ldap with context %}
+linux_auth_pam_add_profile:
+ file.managed:
+ - name: /usr/local/bin/pam-add-profile
+ - source: salt://linux/files/pam-add-profile
+ - mode: 755
+ - require:
+ - pkg: linux_auth_pam_packages
+ {%- endif %}
-{%- if grains.os_family == 'Debian' %}
+ {%- if auth.get('mkhomedir', {}).get('enabled', False) %}
+ {%- if grains.os_family == 'Debian' %}
+ {%- set pam_modules_enable = pam_modules_enable + ' mkhomedir' %}
+linux_auth_mkhomedir_debconf_package:
+ pkg.installed:
+ - pkgs: [ 'debconf-utils' ]
+
+linux_auth_mkhomedir_config:
+ file.managed:
+ - name: /usr/share/pam-configs/mkhomedir
+ - source: salt://linux/files/mkhomedir
+ - template: jinja
+
+ {%- endif %}
+ {%- else %}
+ {%- if grains.os_family == 'Debian' %}
+ {%- set pam_modules_disable = pam_modules_disable + ' mkhomedir' %}
+ {%- endif %}
+ {%- endif %}
+
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
+ {%- from "linux/map.jinja" import ldap with context %}
+
+ {%- if grains.os_family == 'Debian' %}
+ {%- set pam_modules_enable = pam_modules_enable + ' ldap' %}
linux_auth_ldap_debconf_package:
pkg.installed:
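Review bot: `linux_auth_mkhomedir_config` (the file.managed of /usr/share/pam-configs/mkhomedir) has no `require` at all, whereas the removed version required the ldap packages and the new `linux_auth_pam_add_profile` requires `linux_auth_pam_packages`. Salt's default ordering will usually run the package state first because it is declared earlier, but the dependency on the package that presumably provides /usr/share/pam-configs (libpam-runtime — confirm) should be explicit: add `- require:` / `- pkg: linux_auth_pam_packages` to that state. The `- template: jinja` addition is needed now that the profile reads pillar; a one-line comment above the state saying that the file is rendered from pillar `auth.mkhomedir` would help the next reader.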
@@ -33,44 +69,96 @@
libpam-ldapd/enable_shadow:
type: 'boolean'
value: 'true'
+ {%- endif %}
+ {%- else %}
+ {%- if grains.os_family == 'Debian' %}
+ {%- set pam_modules_disable = pam_modules_disable + ' ldap' %}
+ {%- endif %}
+ {%- endif %}
-{#- Setup mkhomedir and ldap PAM profiles #}
-linux_auth_mkhomedir_config:
- file.managed:
- - name: /usr/share/pam-configs/mkhomedir
- - source: salt://linux/files/mkhomedir
- - require:
- - pkg: linux_auth_ldap_packages
-
-linux_auth_pam_add_profile:
- file.managed:
- - name: /usr/local/bin/pam-add-profile
- - source: salt://linux/files/pam-add-profile
- - mode: 755
-
-linux_auth_pam_add_profiles:
+ {#- Setup PAM profiles #}
+ {%- if grains.os_family == 'Debian' %}
+ {%- if auth.get('mkhomedir', {}).get('enabled', False) %}
+linux_auth_pam_add_profiles_mkhomedir_enable:
cmd.run:
- - name: /usr/local/bin/pam-add-profile ldap mkhomedir
- - unless: "debconf-get-selections | grep libpam-runtime/profiles | grep mkhomedir | grep ldap"
+ - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}
+ - unless: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]"
+ - require:
+ - file: linux_auth_pam_add_profile
+linux_auth_pam_add_profiles_mkhomedir_update:
+ cmd.wait:
+ - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}
- watch:
- file: linux_auth_mkhomedir_config
- require:
- file: linux_auth_pam_add_profile
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
- pkg: linux_auth_ldap_packages
-
-{%- elif grains.os_family == 'RedHat' %}
-
-linux_auth_config:
+ {%- endif %}
+ {%- else %}
+linux_auth_pam_remove_profiles_mkhomedir:
cmd.run:
- - name: "authconfig --enableldap --enableldapauth --enablemkhomedir --update"
+ - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }}
+ - onlyif: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]"
+ - require:
+ - pkg: linux_auth_pam_packages
+ {%- endif %}
+
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
+linux_auth_pam_add_profiles_ldap:
+ cmd.run:
+ - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}
+ - unless: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]"
+ - require:
+ - file: linux_auth_pam_add_profile
+ - pkg: linux_auth_ldap_packages
+ {%- else %}
+linux_auth_pam_remove_profiles_ldap:
+ cmd.run:
+ - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }}
+ - onlyif: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]"
+ - require:
+ - pkg: linux_auth_pam_packages
+ {%- endif %}
+
+ {%- elif grains.os_family == 'RedHat' %}
+ {%- if auth.get('mkhomedir', {}).get('enabled', False) %}
+linux_auth_config_enable_mkhomedir:
+ cmd.run:
+ - name: "authconfig --enablemkhomedir --update"
+ - require:
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
+ - pkg: linux_auth_ldap_packages
+ {%- endif %}
+ {%- else %}
+linux_auth_config_disable_mkhomedir:
+ cmd.run:
+ - name: "authconfig --disablemkhomedir --update"
- require:
- pkg: linux_auth_ldap_packages
+ {%- endif %}
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
+linux_auth_config_enable_ldap:
+ cmd.run:
+ - name: "authconfig --enableldap --enableldapauth --update"
+ - require:
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
+ - pkg: linux_auth_ldap_packages
+ {%- endif %}
+ {%- else %}
+linux_auth_config_disable_ldap:
+ cmd.run:
+ - name: "authconfig --disableldap --disableldapauth --update"
+ - require:
+ - pkg: linux_auth_ldap_packages
+ {%- endif %}
+ {%- endif %}
-{%- else %}
+ {%- if auth.get('ldap', {}).get('enabled', False) %}
linux_auth_nsswitch_config_file:
file.managed:
-- name: /etc/nsswitch.conf
+ - name: /etc/nsswitch.conf
- source: salt://linux/files/nsswitch.conf
- template: jinja
- mode: 644
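Review bot: `linux_auth_config_disable_mkhomedir` and `linux_auth_config_disable_ldap` keep the context `- require: - pkg: linux_auth_ldap_packages`, but that state is only rendered inside the `auth.ldap.enabled` guard opened near the end of this hunk, so on a RedHat minion with LDAP disabled both disable states fail with an unresolved requisite. Drop the require from both, or guard it the way `linux_auth_config_enable_mkhomedir` does; the inner `{%- if auth.get('ldap', {}).get('enabled', False) %}` inside `linux_auth_config_enable_ldap` is redundant, since that state is already inside the ldap-enabled branch. The `unless`/`onlyif` tests use bash's `[[ ... ]]`; Salt's cmd states run under /bin/sh unless `shell` is set, and on Debian that is dash, where `[[` is not a builtin, so the test errors out and the command runs on every highstate. Portable forms are `- unless: grep -q pam_mkhomedir.so /etc/pam.d/common-session` and `- unless: debconf-get-selections | grep libpam-runtime/profiles | grep -q ldap`, with the `onlyif` counterparts written the same way.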
@@ -79,8 +167,6 @@
- watch_in:
- service: linux_auth_nslcd_service
-{%- endif %}
-
linux_auth_ldap_packages:
pkg.installed:
- pkgs: {{ ldap.pkgs }}
@@ -101,6 +187,6 @@
- enable: true
- name: nslcd
-{%- endif %}
+ {%- endif %}
{%- endif %}
diff --git a/tests/pillar/system_extra.sls b/tests/pillar/system_extra.sls
index a425f6a..591e60b 100644
--- a/tests/pillar/system_extra.sls
+++ b/tests/pillar/system_extra.sls
@@ -3,6 +3,9 @@
system:
auth:
enabled: true
+ mkhomedir:
+ enabled: true
+ umask: 0027
ldap:
enabled: true
binddn: cn=bind,ou=service_users,dc=example,dc=com