* Splitting pam modules:

- ldap
  - mkhomedir

* Fixing dependency for mkhomedir refresh
* Adding an ability to disable and enable moules

Prod-Related: EME-220

Change-Id: I94feab03cef82c515c9c430b9828653e87100425

README.rst

@@ -1794,6 +1794,9 @@ PAM LDAP integration
         system:
           auth:
             enabled: true
+            mkhomedir:
+              enabled: true
+              umask: 0027
             ldap:
               enabled: true
               binddn: cn=bind,ou=service_users,dc=example,dc=com

linux/files/mkhomedir

@@ -1,6 +1,7 @@
+{%- from "linux/map.jinja" import auth with context %}
 Name: Create home directory during login
 Default: yes
 Priority: 0
 Session-Type: Additional
 Session-Final:
-    required    pam_mkhomedir.so        skel=/etc/skel  umask=0022 silent
+    required    pam_mkhomedir.so        skel=/etc/skel  umask={{ auth.mkhomedir.get('umask', '0022') }} silent

linux/system/auth.sls

@@ -1,11 +1,47 @@
 {%- from "linux/map.jinja" import auth with context %}
 
 {%- if auth.enabled %}
+  {%- set pam_modules_enable = "" %}
+  {%- set pam_modules_disable = "" %}
+  {%- if grains.os_family == 'Debian' %}
+linux_auth_pam_packages:
+  pkg.installed:
+  - pkgs: [ 'libpam-runtime' ]
+
+linux_auth_pam_add_profile:
+  file.managed:
+    - name: /usr/local/bin/pam-add-profile
+    - source: salt://linux/files/pam-add-profile
+    - mode: 755
+    - require:
+      - pkg: linux_auth_pam_packages
+  {%- endif %}
 
-{%- if auth.get('ldap', {}).get('enabled', False) %}
-{%- from "linux/map.jinja" import ldap with context %}
+  {%- if auth.get('mkhomedir', {}).get('enabled', False) %}
+    {%- if grains.os_family == 'Debian' %}
+      {%- set pam_modules_enable = pam_modules_enable + ' mkhomedir' %}
+linux_auth_mkhomedir_debconf_package:
+  pkg.installed:
+  - pkgs: [ 'debconf-utils' ]
 
-{%- if grains.os_family == 'Debian' %}
+linux_auth_mkhomedir_config:
+  file.managed:
+    - name: /usr/share/pam-configs/mkhomedir
+    - source: salt://linux/files/mkhomedir
+    - template: jinja
+
+    {%- endif %}
+  {%- else %}
+    {%- if grains.os_family == 'Debian' %}
+      {%- set pam_modules_disable = pam_modules_disable + ' mkhomedir' %}
+    {%- endif %}
+  {%- endif %}
+
+  {%- if auth.get('ldap', {}).get('enabled', False) %}
+    {%- from "linux/map.jinja" import ldap with context %}
+
+    {%- if grains.os_family == 'Debian' %}
+      {%- set pam_modules_enable = pam_modules_enable + ' ldap' %}
 
 linux_auth_ldap_debconf_package:
   pkg.installed:
@@ -33,44 +69,96 @@ linux_auth_debconf_libpam-ldapd:
         libpam-ldapd/enable_shadow:
           type: 'boolean'
           value: 'true'
-
-{#- Setup mkhomedir and ldap PAM profiles #}
-linux_auth_mkhomedir_config:
-  file.managed:
-    - name: /usr/share/pam-configs/mkhomedir
-    - source: salt://linux/files/mkhomedir
-    - require:
-      - pkg: linux_auth_ldap_packages
-
-linux_auth_pam_add_profile:
-  file.managed:
-    - name: /usr/local/bin/pam-add-profile
-    - source: salt://linux/files/pam-add-profile
-    - mode: 755
-
-linux_auth_pam_add_profiles:
+    {%- endif %}
+  {%- else %}
+    {%- if grains.os_family == 'Debian' %}
+      {%- set pam_modules_disable = pam_modules_disable + ' ldap' %}
+    {%- endif %}
+  {%- endif %}
+
+  {#- Setup PAM profiles #}
+  {%- if grains.os_family == 'Debian' %}
+    {%- if auth.get('mkhomedir', {}).get('enabled', False) %}
+linux_auth_pam_add_profiles_mkhomedir_enable:
   cmd.run:
-    - name: /usr/local/bin/pam-add-profile ldap mkhomedir
-    - unless: "debconf-get-selections | grep libpam-runtime/profiles | grep mkhomedir | grep ldap"
+    - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}
+    - unless: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]"
+    - require:
+      - file: linux_auth_pam_add_profile
+linux_auth_pam_add_profiles_mkhomedir_update:
+  cmd.wait:
+    - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}
     - watch:
       - file: linux_auth_mkhomedir_config
     - require:
       - file: linux_auth_pam_add_profile
+      {%- if auth.get('ldap', {}).get('enabled', False) %}
       - pkg: linux_auth_ldap_packages
+      {%- endif %}
+    {%- else %}
+linux_auth_pam_remove_profiles_mkhomedir:
+  cmd.run:
+    - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }}
+    - onlyif: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]"
+    - require:
+      - pkg: linux_auth_pam_packages
+    {%- endif %}
 
-{%- elif grains.os_family == 'RedHat' %}
+    {%- if auth.get('ldap', {}).get('enabled', False) %}
+linux_auth_pam_add_profiles_ldap:
+  cmd.run:
+    - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }}
+    - unless: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]"
+    - require:
+      - file: linux_auth_pam_add_profile
+      - pkg: linux_auth_ldap_packages
+    {%- else %}
+linux_auth_pam_remove_profiles_ldap:
+  cmd.run:
+    - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }}
+    - onlyif: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]"
+    - require:
+      - pkg: linux_auth_pam_packages
+    {%- endif %}
 
-linux_auth_config:
+  {%- elif grains.os_family == 'RedHat' %}
+    {%- if auth.get('mkhomedir', {}).get('enabled', False) %}
+linux_auth_config_enable_mkhomedir:
+  cmd.run:
+    - name: "authconfig --enablemkhomedir --update"
+    - require:
+      {%- if auth.get('ldap', {}).get('enabled', False) %}
+      - pkg: linux_auth_ldap_packages
+      {%- endif %}
+    {%- else %}
+linux_auth_config_disable_mkhomedir:
+  cmd.run:
+    - name: "authconfig --disablemkhomedir --update"
+    - require:
+      - pkg: linux_auth_ldap_packages
+    {%- endif %}
+    {%- if auth.get('ldap', {}).get('enabled', False) %}
+linux_auth_config_enable_ldap:
   cmd.run:
-    - name: "authconfig --enableldap --enableldapauth --enablemkhomedir --update"
+    - name: "authconfig --enableldap --enableldapauth --update"
     - require:
+      {%- if auth.get('ldap', {}).get('enabled', False) %}
       - pkg: linux_auth_ldap_packages
+      {%- endif %}
+    {%- else %}
+linux_auth_config_disable_ldap:
+  cmd.run:
+    - name: "authconfig --disableldap --disableldapauth --update"
+    - require:
+      - pkg: linux_auth_ldap_packages
+    {%- endif %}
+  {%- endif %}
 
-{%- else %}
+  {%- if auth.get('ldap', {}).get('enabled', False) %}
 
 linux_auth_nsswitch_config_file:
   file.managed:
-- name: /etc/nsswitch.conf
+  - name: /etc/nsswitch.conf
   - source: salt://linux/files/nsswitch.conf
   - template: jinja
   - mode: 644
@@ -79,8 +167,6 @@ linux_auth_nsswitch_config_file:
   - watch_in:
     - service: linux_auth_nslcd_service
 
-{%- endif %}
-
 linux_auth_ldap_packages:
   pkg.installed:
   - pkgs: {{ ldap.pkgs }}
@@ -101,6 +187,6 @@ linux_auth_nslcd_service:
   - enable: true
   - name: nslcd
 
-{%- endif %}
+  {%- endif %}
 
 {%- endif %}

tests/pillar/system_extra.sls

@@ -3,6 +3,9 @@ linux:
   system:
     auth:
       enabled: true
+      mkhomedir:
+        enabled: true
+        umask: 0027
       ldap:
         enabled: true
         binddn: cn=bind,ou=service_users,dc=example,dc=com