2 files changed, 27 insertions, 0 deletions

diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 21059b72..8d25d056 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -10,6 +10,7 @@ class pam {
             "/etc/pam.d/system-auth": content => template("pam/system-auth");
             "/etc/nsswitch.conf": content => template("pam/nsswitch.conf");
             "/etc/ldap.conf": content => template("pam/ldap.conf");
+            "/etc/openldap/ldap.conf": content => template("pam/openldap.ldap.conf");
         }
 
         $ldap_password = extlookup("${fqdn}_ldap_password",'x')
diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf
new file mode 100644
index 00000000..812538be
--- /dev/null
+++ b/modules/pam/templates/openldap.ldap.conf
@@ -0,0 +1,26 @@
+#BASE   dc=example, dc=com 
+#HOST   ldap.example.com ldap-master.example.com
+#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT      12
+#TIMELIMIT      15 
+#DEREF          never
+
+# SSL/TSL configuration. With CA-signed certs, TLS_REQCERT should be
+# "demand", with the CA certificate accessible 
+#TLS_REQCERT    ([demand],never,allow,try)
+# We ship with allow by default as some LDAP clients (e.g. evolution) have
+# no interactive SSL configuration
+
+TLS_REQCERT     allow
+
+# CA Certificate locations 
+# Use the default self-signed cert generated by openldap-server postinstall
+# by default 
+#TLS_CACERT      /etc/pki/tls/certs/ldap.pem
+#TLS_CACERT     /etc/ssl/openldap/ldap.mageia.org.pem
+
+# If requiring support for certificates signed by all CAs (noting risks
+# pam_ldap if doing DNS-based suffix lookup etc.
+#TLS_CACERTDIR  /etc/pki/tls/rootcerts
+