Diffstat (limited to 'modules/openldap')
| -rw-r--r-- | modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb | 8 | ||||
| -rw-r--r-- | modules/openldap/manifests/config.pp | 7 | ||||
| -rw-r--r-- | modules/openldap/manifests/exported_slave.pp | 3 | ||||
| -rw-r--r-- | modules/openldap/manifests/init.pp | 122 | ||||
| -rw-r--r-- | modules/openldap/manifests/master.pp | 50 | ||||
| -rw-r--r-- | modules/openldap/manifests/slave.pp | 23 | ||||
| -rw-r--r-- | modules/openldap/manifests/slave_instance.pp | 8 | ||||
| -rw-r--r-- | modules/openldap/manifests/var.pp | 3 | ||||
| -rw-r--r-- | modules/openldap/templates/init_ldap.sh | 2 | ||||
| -rw-r--r-- | modules/openldap/templates/mandriva-dit-access.conf | 5 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd-slave.sysconfig | 38 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.conf | 15 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.syncrepl.conf | 4 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.sysconfig | 37 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.test.conf | 1 |
15 files changed, 213 insertions, 113 deletions
diff --git a/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb b/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
index 204da558..0d620926 100644
--- a/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
+++ b/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
@@ -1,11 +1,11 @@
# return a list of all ldap servers declared module Puppet::Parser::Functions
- newfunction(:get_ldap_servers, :type => :rvalue) do |args|
+ newfunction(:get_ldap_servers, :type => :rvalue) do |args| Puppet::Parser::Functions.autoloader.loadall res = ["master"]
-
- function_list_exported_ressources(['Openldap::Exported_slave']).each { |i|
- res << "slave-#{i}"
+
+ function_list_exported_ressources(['Openldap::Exported_slave']).each { |i|
+ res << "slave-#{i}" } res.map! { |x| "ldap-#{x}." + lookupvar("domain") } return res
diff --git a/modules/openldap/manifests/config.pp b/modules/openldap/manifests/config.pp
new file mode 100644
index 00000000..336f8a23
--- /dev/null
+++ b/modules/openldap/manifests/config.pp
@@ -0,0 +1,7 @@
+define openldap::config($content) {
+ file { $name:
+ require => Package['openldap-servers'],
+ content => $content,
+ notify => Exec["slaptest"],
+ }
+}
diff --git a/modules/openldap/manifests/exported_slave.pp b/modules/openldap/manifests/exported_slave.pp
new file mode 100644
index 00000000..5b9f6b87
--- /dev/null
+++ b/modules/openldap/manifests/exported_slave.pp
@@ -0,0 +1,3 @@
+# this define is here only to be exported by slave
+# and later used by get_ldap_servers
+define openldap::exported_slave { }
diff --git a/modules/openldap/manifests/init.pp b/modules/openldap/manifests/init.pp
index 4f2c2d33..34a214a2 100644
--- a/modules/openldap/manifests/init.pp
+++ b/modules/openldap/manifests/init.pp
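Review bot: `openldap::config` writes its files with no `owner`, `group` or `mode`, so each managed file keeps whatever permissions it already had or gets the agent's umask default, yet on slaves `/etc/openldap/slapd.conf` is rendered with `credentials=<%= sync_password %>` (see the slapd.syncrepl.conf hunk), i.e. the replication bind password in clear text. Setting explicit permissions in the define, e.g. `owner => 'root', group => 'ldap', mode => '0640',`, keeps that secret from other local accounts; the group is an assumption taken from the `ldap` owner used in master.pp, so confirm which account slapd actually runs as on this distribution. `Exec["slaptest"]` that the define notifies is declared in init.pp, outside this hunk.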
@@ -1,114 +1,34 @@ class openldap { - define config($content) { - file { $name: - require => Package["openldap-servers"], - content => $content, - notify => Exec["/etc/init.d/ldap check"], - } - } - - class common { - package { 'openldap-servers': } - - service { ldap: - subscribe => Package['openldap-servers'], - require => Openssl::Self_signed_cert["ldap.$domain"], - } - - exec { "/etc/init.d/ldap check": - refreshonly => true, - notify => Service["ldap"], - } + include openldap::var - file {"/etc/ssl/openldap/": - ensure => directory, - } + package { 'openldap-servers': } - openssl::self_signed_cert{ "ldap.$domain": - directory => "/etc/ssl/openldap/" - } - - openldap::config { - '/etc/openldap/slapd.conf': content => ""; - '/etc/openldap/mandriva-dit-access.conf': content => ""; - '/etc/sysconfig/ldap': content => ""; - } + service { $openldap::var::service: + subscribe => Package['openldap-servers'], + require => Openssl::Self_signed_cert["ldap.${::domain}"], } - class master inherits common { - Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] { - content => template("openldap/mandriva-dit-access.conf"), - } - - $ldap_test_password = extlookup("ldap_test_password",'x') - $ldap_test_directory = "/var/lib/ldap/test" - file { "$ldap_test_directory": - ensure => directory, - group => ldap, - owner => ldap, - require => Package["openldap-servers"], - before => Service['ldap'], - } - - Openldap::Config['/etc/openldap/slapd.conf'] { - content => template("openldap/slapd.conf", "openldap/slapd.test.conf"), - } - - Openldap::Config['/etc/sysconfig/ldap'] { - content => template("openldap/ldap.sysconfig"), - } - - if $environment == "test" { - # if we ae in a test vm, we need to fill the directory - # with data - package { "openldap-clients": } - - local_script { "init_ldap.sh": - content => template('openldap/init_ldap.sh'), - require => Package["openldap-clients"], - } - - exec { "init_ldap.sh": - # taken arbitrary among all possible files - creates => 
"/var/lib/ldap/objectClass.bdb", - require => Local_script["init_ldap.sh"], - } - } + exec { "slaptest": + refreshonly => true, + notify => Service[$openldap::var::service], } - # this define is here only to be exported by slave - # and later used by get_ldap_servers - define exported_slave { - + file { '/etc/ssl/openldap/': + ensure => directory, } - # TODO create the user for sync in ldap - # syntaxic sugar - define slave_instance($rid) { - # seems the inheritance do not work as I believe - include openldap::common - class { 'openldap::slave': - rid => $rid, - } + openssl::self_signed_cert{ "ldap.${::domain}": + directory => '/etc/ssl/openldap/', } - class slave($rid) inherits common { - - @@openldap::exported_slave { $rid: } - - $sync_password = extlookup("ldap_syncuser-$hostname",'x') - - # same access rights as master - Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] { - content => template("openldap/mandriva-dit-access.conf"), - } - - Openldap::Config['/etc/openldap/slapd.conf'] { - content => template("openldap/slapd.conf",'openldap/slapd.syncrepl.conf'), - } - - Openldap::Config['/etc/sysconfig/ldap'] { - content => template("openldap/ldap.sysconfig"), - } + openldap::config { + '/etc/openldap/slapd.conf': + content => ''; + '/etc/openldap/mandriva-dit-access.conf': + content => ''; + '/etc/sysconfig/ldap': + content => ''; + '/etc/sysconfig/slapd': + content => ''; } } diff --git a/modules/openldap/manifests/master.pp b/modules/openldap/manifests/master.pp new file mode 100644 index 00000000..53122628 --- /dev/null +++ b/modules/openldap/manifests/master.pp 
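Review bot: `exec { "slaptest": refreshonly => true, notify => Service[$openldap::var::service], }` names an unqualified command and sets no `path`, so the agent rejects it at catalog time ("is not qualified and no path was specified") and every config change that notifies it errors out instead of validating slapd.conf before the service refresh. Qualify the command or add a search path, e.g. `path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],` (the location of slaptest on this distribution should be confirmed). Keeping this step working matters because it is the only thing that stops a broken slapd.conf from being discovered through a failed `Service[slapd]` restart. This hunk spans L20–L21; the removed old `exec { "/etc/init.d/ldap check": ... }` on L20 was fully qualified, which is what the new resource lost.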
@@ -0,0 +1,50 @@
+class openldap::master inherits openldap {
+ include openldap::var
+
+ Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] {
+ content => template('openldap/mandriva-dit-access.conf'),
+ }
+
+ $ldap_test_password = extlookup('ldap_test_password','x')
+ $ldap_test_directory = '/var/lib/ldap/test'
+ file { $ldap_test_directory:
+ ensure => directory,
+ group => 'ldap',
+ owner => 'ldap',
+ require => Package['openldap-servers'],
+ before => Service[$openldap::var::service],
+ }
+
+ Openldap::Config['/etc/openldap/slapd.conf'] {
+ content => template('openldap/slapd.conf', 'openldap/slapd.test.conf'),
+ }
+
+ Openldap::Config['/etc/sysconfig/ldap'] {
+ content => template('openldap/ldap.sysconfig'),
+ }
+
+ Openldap::Config['/etc/sysconfig/slapd'] {
+ content => template('openldap/slapd.sysconfig'),
+ }
+
+ host { "ldap.${::domain}":
+ ip => '127.0.0.1',
+ }
+
+ if $::environment == 'test' {
+ # if we are in a test vm, we need to fill the directory
+ # with data
+ package { 'openldap-clients': }
+
+ mga_common::local_script { 'init_ldap.sh':
+ content => template('openldap/init_ldap.sh'),
+ require => Package['openldap-clients'],
+ }
+
+ exec { 'init_ldap.sh':
+ # taken arbitrary among all possible files
+ creates => '/var/lib/ldap/objectClass.bdb',
+ require => Mga_common::Local_script['init_ldap.sh'],
+ }
+ }
+}
diff --git a/modules/openldap/manifests/slave.pp b/modules/openldap/manifests/slave.pp
new file mode 100644
index 00000000..ba0cfb9d
--- /dev/null
+++ b/modules/openldap/manifests/slave.pp
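Review bot: `$ldap_test_password = extlookup('ldap_test_password','x')` makes the literal `x` the password of the test directory whenever the key is absent from the extlookup data, and slave.pp (next hunk) does the same for the replication bind credential with `extlookup("ldap_syncuser-${::hostname}",'x')`. A missing secret should fail the catalog rather than silently deploy a one-character password; dropping the default, `extlookup('ldap_test_password')`, gives exactly that, since extlookup raises when the key is not found. The value is consumed only by templates outside this hunk, so where it ends up cannot be checked here.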
@@ -0,0 +1,23 @@
+class openldap::slave($rid) inherits openldap {
+
+ @@openldap::exported_slave { $rid: }
+
+ $sync_password = extlookup("ldap_syncuser-${::hostname}",'x')
+
+ # same access rights as master
+ Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] {
+ content => template('openldap/mandriva-dit-access.conf'),
+ }
+
+ Openldap::Config['/etc/openldap/slapd.conf'] {
+ content => template('openldap/slapd.conf','openldap/slapd.syncrepl.conf'),
+ }
+
+ Openldap::Config['/etc/sysconfig/ldap'] {
+ content => template('openldap/ldap.sysconfig'),
+ }
+
+ Openldap::Config['/etc/sysconfig/slapd'] {
+ content => template('openldap/slapd-slave.sysconfig'),
+ }
+}
diff --git a/modules/openldap/manifests/slave_instance.pp b/modules/openldap/manifests/slave_instance.pp
new file mode 100644
index 00000000..fbf998c6
--- /dev/null
+++ b/modules/openldap/manifests/slave_instance.pp
@@ -0,0 +1,8 @@
+# TODO create the user for sync in ldap
+# this define is mainly syntactic sugar
+define openldap::slave_instance($rid) {
+ include openldap
+ class { 'openldap::slave':
+ rid => $rid,
+ }
+}
diff --git a/modules/openldap/manifests/var.pp b/modules/openldap/manifests/var.pp
new file mode 100644
index 00000000..d6947eb8
--- /dev/null
+++ b/modules/openldap/manifests/var.pp
@@ -0,0 +1,3 @@
+class openldap::var {
+ $service = 'slapd'
+}
diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh
index a596cfe7..dfcaf236 100644
--- a/modules/openldap/templates/init_ldap.sh
+++ b/modules/openldap/templates/init_ldap.sh
@@ -28,7 +28,7 @@ end -%> <% # FIXME automatically get the list of servers
-for g in ['valstar','alamut'] %>
+for g in ['duvel','alamut'] %> dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %> objectClass: device objectClass: simpleSecurityObject
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index 68a2c7f8..361d956b 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -66,7 +66,7 @@ access to dn.subtree="<%= dc_suffix %>" by self write by * none # password history attribute
-# pwdHistory is read-only, but ACL is simplier with it here
+# pwdHistory is read-only, but ACL is simpler with it here access to dn.subtree="<%= dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read
@@ -113,7 +113,7 @@ access to dn.subtree="ou=People,<%= dc_suffix %>" # let the user change some of his/her attributes access to dn.subtree="ou=People,<%= dc_suffix %>"
- attrs=cn,sn,givenName,carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
+ attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey by self write by users read
@@ -193,4 +193,3 @@ access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" # last one access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn by users read
-
diff --git a/modules/openldap/templates/slapd-slave.sysconfig b/modules/openldap/templates/slapd-slave.sysconfig
new file mode 100644
index 00000000..9bff24ff
--- /dev/null
+++ b/modules/openldap/templates/slapd-slave.sysconfig
@@ -0,0 +1,38 @@
+# debug level for slapd
+SLAPDSYSLOGLEVEL="0"
+SLAPDSYSLOGLOCALUSER="local4"
+
+# SLAPD URL list
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
+
+# Config file to use for slapd
+#SLAPDCONF=/etc/openldap/slapd.conf
+
+# Which user to run as
+#LDAPUSER=ldap
+#LDAPGROUP=ldap
+
+# Should file permissions on database files be fixed at startup. Default is yes
+# FIXPERMS=no
+
+# Whether database recovery should be run before starting slapd in start
+# (not strictly be necessary in 2.3). Default is no
+# AUTORECOVER=yes
+
+# At what intervals to run ldap-hot-db-backup from cron, which will
+# do hot database backups for all bdb/hdb databases, and archive
+# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly
+# Default is daily
+# Slave does not need a backup
+RUN_DB_BACKUP=never
+
+# How many days to keep archived transaction logs for. This should be just
+# greater than the backup interval on these files. Default is 7
+# KEEP_ARCHIVES_DAYS=7
+
+# How many files slapd should be able to have open. By default, the process
+# will inherit the default per-process limit (usually 1024), which may
+# not be enough, so ulimit -n is run with the value in MAXFILES (which
+# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without
+# recompiling.
+# MAXFILES=4096
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index 9451d6cd..d82fe088 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
@@ -30,6 +30,11 @@ pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args modulepath <%= lib_dir %>/openldap
+<% if @hostname == 'duvel' then %>
+moduleload back_bdb.la
+<% else %>
+moduleload back_mdb.la
+<% end %> moduleload back_monitor.la moduleload syncprov.la moduleload ppolicy.la
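Review bot: `SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"` opens a cleartext LDAP listener on every interface of the slave alongside the TLS and local-socket ones; whether simple binds over it can expose passwords depends on a `security ssf` directive in slapd.conf, which this diff shows only for the test configuration (`security ssf=56` in the slapd.test.conf hunk). If clients are expected to use ldaps:// or ldapi://, drop `ldap:///` or bind it to loopback with `ldap://127.0.0.1/`; otherwise confirm that the shared slapd.conf enforces a minimum ssf and say so in the comment above the line. The identical listener list is added for the master in slapd.sysconfig (L27).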
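Review bot: The backend choice is keyed on the literal hostname in `<% if @hostname == 'duvel' then %>` and the same test is repeated twice more in the next hunk (L26, around `database bdb` and the `dbconfig` block), so the day duvel is rebuilt or another node needs bdb the template has to be edited in three places, and nothing records why that host differs. A single class-set or fact-derived variable (a proposed `$backend`, exposed to the template and compared once) would keep the three branches in step, together with a one-line comment such as `# duvel keeps the legacy bdb backend; every other host uses mdb` — the reason is inferred, so confirm it. The `then` after the ERB `if` is valid Ruby but unusual in these templates.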
@@ -59,17 +64,25 @@ access to dn.subtree="cn=Monitor" by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read by * none
+<% if @hostname == 'duvel' then %> database bdb
+<% else %>
+database mdb
+# mdb defaults to 10MB max DB, so we need to hardcode some better value :(
+maxsize 500000000
+<% end %> suffix "<%= dc_suffix %>" directory /var/lib/ldap rootdn "cn=manager,<%= dc_suffix %>" checkpoint 256 5
+<% if @hostname == 'duvel' then %> # 32Mbytes, can hold about 10k posixAccount entries dbconfig set_cachesize 0 33554432 1 dbconfig set_lg_bsize 2097152 cachesize 1000 idlcachesize 3000
+<% end %> index objectClass eq index uidNumber,gidNumber,memberuid,member,owner eq
@@ -104,7 +117,7 @@ dynlist-attrset groupOfURLs memberURL member overlay constraint
-constraint_attribute sshPublicKey regex "^ssh-(rsa|dss) [[:graph:]]+ [[:graph:]]+$"
+constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:graph:]]+$" # uncomment if you want to automatically update group # memberships when an user is removed from the tree
diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf
index d9aa4cfe..2bfe7d50 100644
--- a/modules/openldap/templates/slapd.syncrepl.conf
+++ b/modules/openldap/templates/slapd.syncrepl.conf
@@ -6,6 +6,6 @@ syncrepl rid=<%= rid %> bindmethod=simple binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>" credentials=<%= sync_password %>
-
-updateref ldaps://ldap-master.<%= domain %>:636
+ tls_reqcert=never
+updateref ldaps://ldap-master.<%= domain %>:636
diff --git a/modules/openldap/templates/slapd.sysconfig b/modules/openldap/templates/slapd.sysconfig
new file mode 100644
index 00000000..e6ae2e05
--- /dev/null
+++ b/modules/openldap/templates/slapd.sysconfig
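Review bot: The new constraint `"^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:graph:]]+$"` still requires exactly two space-separated fields after the key type, so a key pasted without its trailing comment is rejected, and `ssh-dss` remains accepted while `ecdsa-sha2-*` types are not. If both are deliberate, a comment next to the directive such as `# sshPublicKey must be "<type> <base64> <comment>"; dss kept for legacy keys, ecdsa not accepted` would spare the next reader the guesswork; if the comment field is meant to be optional, `( [[:graph:]]+)?$` for the last group does it. The `overlay constraint` line this belongs to is context just above.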
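Review bot: `tls_reqcert=never` turns off certificate verification on the ldaps replication session to `ldap-master.<%= domain %>`, so the syncuser password on the `credentials=` line just above and every entry replicated to this slave are exposed to anyone who can present themselves as the master on the network; the `ldaps://` scheme then encrypts but no longer authenticates. The self-signed certificate produced by `openssl::self_signed_cert` in init.pp is presumably why verification failed; the fix is to distribute the master's certificate (or the CA that signed it) to slaves and point syncrepl at it, e.g. `tls_cacert=/etc/ssl/openldap/<master-cert-file>` together with `tls_reqcert=demand`, where the file name is a placeholder to fill in. The `syncrepl rid=` directive this option belongs to starts before the hunk.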
@@ -0,0 +1,37 @@
+# debug level for slapd
+SLAPDSYSLOGLEVEL="0"
+SLAPDSYSLOGLOCALUSER="local4"
+
+# SLAPD URL list
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
+
+# Config file to use for slapd
+#SLAPDCONF=/etc/openldap/slapd.conf
+
+# Which user to run as
+#LDAPUSER=ldap
+#LDAPGROUP=ldap
+
+# Should file permissions on database files be fixed at startup. Default is yes
+# FIXPERMS=no
+
+# Whether database recovery should be run before starting slapd in start
+# (not strictly be necessary in 2.3). Default is no
+# AUTORECOVER=yes
+
+# At what intervals to run ldap-hot-db-backup from cron, which will
+# do hot database backups for all bdb/hdb databases, and archive
+# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly
+# Default is daily
+# RUN_DB_BACKUP=daily
+
+# How many days to keep archived transaction logs for. This should be just
+# greater than the backup interval on these files. Default is 7
+# KEEP_ARCHIVES_DAYS=7
+
+# How many files slapd should be able to have open. By default, the process
+# will inherit the default per-process limit (usually 1024), which may
+# not be enough, so ulimit -n is run with the value in MAXFILES (which
+# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without
+# recompiling.
+# MAXFILES=4096
diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf
index 355efb8e..8befa55a 100644
--- a/modules/openldap/templates/slapd.test.conf
+++ b/modules/openldap/templates/slapd.test.conf
@@ -7,4 +7,3 @@ authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,dc=test_ldap" # force ssl security ssf=56
- |
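Review bot: slapd.sysconfig is a line-for-line copy of slapd-slave.sysconfig (L25) except for `# RUN_DB_BACKUP=daily` versus `RUN_DB_BACKUP=never`, so the two will drift the next time a tuning value such as `MAXFILES` or the listener list changes. One template that takes the backup interval from the declaring class (a proposed `$run_db_backup` variable, `'never'` in slave.pp and unset in master.pp) keeps a single source, and master.pp and slave.pp already pick the template per role, so the switch is two lines. Whichever way it goes, a header comment naming the role the file is rendered for would help when reading it on the host.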
