authorDan Fandrich <danf@mageia.org>2024-10-04 21:44:50 -0700
committerDan Fandrich <danf@mageia.org>2024-10-04 21:48:08 -0700
commitf5b2645d869b76598c18527d388ed76719c06bdd (patch)
tree659f3ee719b437817a02db4a31dbd37a65972412 /modules/openldap
parentae1976228660588902a904f7509a106b790531cb (diff)
Revert "Use @ when accessing variables in templates"
Variables defined within a template can't be accessed with @. This change needs to be reworked to eliminate those cases. This reverts commits 2c7da665 and ae197622.
Diffstat (limited to 'modules/openldap')
-rw-r--r--modules/openldap/templates/init_ldap.sh22
-rw-r--r--modules/openldap/templates/mandriva-dit-access.conf120
-rw-r--r--modules/openldap/templates/slapd.conf22
-rw-r--r--modules/openldap/templates/slapd.syncrepl.conf12
-rw-r--r--modules/openldap/templates/slapd.test.conf2
5 files changed, 89 insertions, 89 deletions
diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh
index 01ab00bb..dfcaf236 100644
--- a/modules/openldap/templates/init_ldap.sh
+++ b/modules/openldap/templates/init_ldap.sh
@@ -1,27 +1,27 @@
#!/bin/bash
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
-dn: <%= @dc_suffix %>
-dc: <%= @dc_suffix.split(',')[0].split('=')[1] %>
+dn: <%= dc_suffix %>
+dc: <%= dc_suffix.split(',')[0].split('=')[1] %>
objectClass: domain
objectClass: domainRelatedObject
-associatedDomain: <%= @domain %>
+associatedDomain: <%= domain %>
<% for g in ['People','Group','Hosts'] %>
-dn: ou=<%= @g %>,<%= @dc_suffix %>
-ou: <%= @g %>
+dn: ou=<%= g%>,<%= dc_suffix %>
+ou: <%= g %>
objectClass: organizationalUnit
<% end %>
<%
gid = 5000
for g in ['packagers','web','sysadmin','packagers-committers','forum-developers'] %>
-dn: cn=mga-<%= @g %>,ou=Group,<%= @dc_suffix %>
+dn: cn=mga-<%= g %>,ou=Group,<%= dc_suffix %>
objectClass: groupOfNames
objectClass: posixGroup
-cn: mga-<%= @g %>
-gidNumber: <%= @gid %>
-member: cn=manager,<%= @dc_suffix %>
+cn: mga-<%= g %>
+gidNumber: <%= gid %>
+member: cn=manager,<%= dc_suffix %>
<%-
gid+=1
end -%>
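Review bot: The revert removes `@` from `dc_suffix` and `domain` as well, although the only names defined inside this template in lines 1-27 are the loop variable `g` and the counter `gid` (`gid = 5000`). `dc_suffix` and `domain` are never assigned in the hunk, so they presumably come from the Puppet scope and could keep the `@` form when the change is reworked, e.g. `dn: ou=<%= g %>,<%= @dc_suffix %>`. A comment next to `gid = 5000`, such as `# g and gid are template locals: reference them without @`, would stop the same mistake from coming back.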
@@ -29,10 +29,10 @@ end -%>
<% # FIXME automatically get the list of servers
for g in ['duvel','alamut'] %>
-dn: cn=<%= @g %>.<%= @domain %>,ou=Hosts,<%= @dc_suffix %>
+dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %>
objectClass: device
objectClass: simpleSecurityObject
-cn: <%= @g %>.<%= @domain %>
+cn: <%= g%>.<%= domain %>
userPassword: x
<% end %>
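Review bot: Each host entry created by this loop is written with the constant `userPassword: x`, so until the value is replaced every `cn=<host>.<domain>,ou=Hosts,...` DN carries the same known one-character secret. Nothing in the hunk shows a later step that rotates it, and mandriva-dit-access.conf in this same commit gives `dn.one="ou=Hosts,..."` read access to posixAccount attributes. Because `simpleSecurityObject` requires the attribute, consider rendering a per-host value supplied by Puppet, or a value that cannot match any password until a real one is set. Add a comment on that line naming the step that is expected to replace it. The heredoc these lines belong to opens before this hunk.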
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index 8cf2a404..361d956b 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -1,195 +1,195 @@
# mandriva-dit-access.conf
-limits group="cn=LDAP Replicators,ou=System Groups,<%= @dc_suffix %>"
+limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
-limits group="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>"
+limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
-limits group="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>"
+limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
# so we don't have to add these to every other acl down there
-access to dn.subtree="<%= @dc_suffix %>"
- by group.exact="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" write
- by group.exact="cn=LDAP Replicators,ou=System Groups,<%= @dc_suffix %>" read
+access to dn.subtree="<%= dc_suffix %>"
+ by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
by * break
# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
-access to dn.subtree="ou=People,<%= @dc_suffix %>"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
attrs=userPassword
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" +w
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
by * +0 break
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
-access to dn.subtree="<%= @dc_suffix %>"
+access to dn.subtree="<%= dc_suffix %>"
attrs=shadowLastChange
by self write
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
-access to dn.subtree="<%= @dc_suffix %>"
+access to dn.subtree="<%= dc_suffix %>"
attrs=userPassword
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by self write
by anonymous auth
by * none
# kerberos key access
# "by auth" just in case...
-access to dn.subtree="<%= @dc_suffix %>"
+access to dn.subtree="<%= dc_suffix %>"
attrs=krb5Key
by self write
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by anonymous auth
by * none
# password policies
-access to dn.subtree="ou=Password Policies,<%= @dc_suffix %>"
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
-access to dn.subtree="<%= @dc_suffix %>"
+access to dn.subtree="<%= dc_suffix %>"
attrs=sambaLMPassword,sambaNTPassword
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by anonymous auth
by self write
by * none
# password history attribute
# pwdHistory is read-only, but ACL is simpler with it here
-access to dn.subtree="<%= @dc_suffix %>"
+access to dn.subtree="<%= dc_suffix %>"
attrs=sambaPasswordHistory,pwdHistory
by self read
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * none
# pwdReset, so the admin can force an user to change a password
-access to dn.subtree="<%= @dc_suffix %>"
+access to dn.subtree="<%= dc_suffix %>"
attrs=pwdReset,pwdAccountLockedTime
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by self read
# group owner can add/remove/edit members to groups
-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= @dc_suffix %>$"
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
attrs=member,owner
by dnattr=owner write
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users +scrx
-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= @dc_suffix %>$"
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
attrs=cn,description,objectClass,gidNumber
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree="ou=People,<%= @dc_suffix %>"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs="objectClass"
val="inetOrgperson"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" =asrx
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
by * +0 break
-access to dn.subtree="ou=People,<%= @dc_suffix %>"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(!(objectclass=posixAccount))"
attrs=cn,sn,gn,mail,entry,children,preferredLanguage
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" =asrx
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
by * +0 break
# TODO maybe we should use a group instead of a user here
-access to dn.subtree="ou=People,<%= @dc_suffix %>"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(objectclass=posixAccount)"
attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
- by dn.one="ou=Hosts,<%= @dc_suffix %>" read
+ by dn.one="ou=Hosts,<%= dc_suffix %>" read
by * +0 break
# let the user change some of his/her attributes
-access to dn.subtree="ou=People,<%= @dc_suffix %>"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
by self write
by users read
-access to dn.subtree="ou=People,<%= @dc_suffix %>"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs=memberOf
by users read
# create new accounts
-access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= @dc_suffix %>$"
+access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
attrs=children,entry
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * break
# access to existing entries
-access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= @dc_suffix %>$"
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * break
# sambaDomainName entry
-access to dn.regex="^(sambaDomainName=[^,]+,)?<%= @dc_suffix %>$"
+access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
attrs=children,entry,@sambaDomain,@sambaUnixIdPool
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# samba ID mapping
-access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= @dc_suffix %>$"
+access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
attrs=children,entry,@sambaIdmapEntry
- by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write
- by group.exact="cn=IDMAP Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# global address book
# XXX - which class(es) to use?
-access to dn.regex="^(.*,)?ou=Address Book,<%= @dc_suffix %>"
+access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
- by group.exact="cn=Address Book Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# dhcp entries
# XXX - open up read access to anybody?
-access to dn.sub="ou=dhcp,<%= @dc_suffix %>"
+access to dn.sub="ou=dhcp,<%= dc_suffix %>"
attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
- by group.exact="cn=DHCP Admins,ou=System Groups,<%= @dc_suffix %>" write
- by group.exact="cn=DHCP Readers,ou=System Groups,<%= @dc_suffix %>" read
+ by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
by * read
# sudoers
-access to dn.regex="^([^,]+,)?ou=sudoers,<%= @dc_suffix %>$"
+access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
attrs=children,entry,@sudoRole
- by group.exact="cn=Sudo Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# dns
-access to dn="ou=dns,<%= @dc_suffix %>"
+access to dn="ou=dns,<%= dc_suffix %>"
attrs=entry,@extensibleObject
- by group.exact="cn=DNS Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
-access to dn.sub="ou=dns,<%= @dc_suffix %>"
+access to dn.sub="ou=dns,<%= dc_suffix %>"
attrs=children,entry,@dNSZone
- by group.exact="cn=DNS Admins,ou=System Groups,<%= @dc_suffix %>" write
- by group.exact="cn=DNS Readers,ou=System Groups,<%= @dc_suffix %>" read
+ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
by * none
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
-access to dn.one="ou=People,<%= @dc_suffix %>"
+access to dn.one="ou=People,<%= dc_suffix %>"
attrs=@inetLocalMailRecipient,mail
- by group.exact="cn=MTA Admins,ou=System Groups,<%= @dc_suffix %>" write
+ by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# KDE Configuration
-access to dn.sub="ou=KDEConfig,<%= @dc_suffix %>"
- by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= @dc_suffix %>" write
+access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
+ by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
by * read
# last one
-access to dn.subtree="<%= @dc_suffix %>" attrs=entry,uid,cn
+access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
by users read
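Review bot: The Address Book rule `^(.*,)?ou=Address Book,<%= dc_suffix %>` is the only `dn.regex` pattern in this file without a trailing `$`, so it is not anchored like the others. As that rule means "this entry and everything below it", `access to dn.subtree="ou=Address Book,<%= dc_suffix %>"` gives the same scope without a regex. `dc_suffix` is also inserted verbatim into every other `dn.regex` pattern, so a suffix containing a regex metacharacter such as `.` or `+` would change what those rules match. A comment at the top of the file should state that constraint, e.g. `# dc_suffix is used inside dn.regex below: it must not contain regex metacharacters`.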
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index 542e54fa..d82fe088 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
@@ -29,7 +29,7 @@ include /usr/share/openldap/schema/openssh-lpk_openldap.schema
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
-modulepath <%= @lib_dir %>/openldap
+modulepath <%= lib_dir %>/openldap
<% if @hostname == 'duvel' then %>
moduleload back_bdb.la
<% else %>
@@ -44,9 +44,9 @@ moduleload unique.la
moduleload dynlist.la
moduleload constraint.la
-TLSCertificateFile /etc/ssl/openldap/ldap.<%= @domain %>.pem
-TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= @domain %>.pem
-TLSCACertificateFile /etc/ssl/openldap/ldap.<%= @domain %>.pem
+TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
+TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem
+TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem
# Give ldapi connection some security
localSSF 56
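Review bot: `TLSCertificateFile`, `TLSCertificateKeyFile` and `TLSCACertificateFile` all render to the same `/etc/ssl/openldap/ldap.<domain>.pem`, so the private key sits in the file that is also used as the certificate and as the CA bundle. The permissions of that file are not visible in this diff, so a comment above the three lines should record the requirement, e.g. `# key, cert and CA share one PEM: must be readable by the slapd account only`. Moving the key into its own file would let the certificate and CA bundle stay readable by clients on the host.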
@@ -60,8 +60,8 @@ loglevel 256
database monitor
access to dn.subtree="cn=Monitor"
- by group.exact="cn=LDAP Monitors,ou=System Groups,<%= @dc_suffix %>" read
- by group.exact="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" read
+ by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read
+ by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read
by * none
<% if @hostname == 'duvel' then %>
@@ -71,9 +71,9 @@ database mdb
# mdb defaults to 10MB max DB, so we need to hardcode some better value :(
maxsize 500000000
<% end %>
-suffix "<%= @dc_suffix %>"
+suffix "<%= dc_suffix %>"
directory /var/lib/ldap
-rootdn "cn=manager,<%= @dc_suffix %>"
+rootdn "cn=manager,<%= dc_suffix %>"
checkpoint 256 5
<% if @hostname == 'duvel' then %>
@@ -105,7 +105,7 @@ syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay ppolicy
-ppolicy_default "cn=default,ou=Password Policies,<%= @dc_suffix %>"
+ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>"
ppolicy_hash_cleartext yes
ppolicy_use_lockout yes
@@ -128,8 +128,8 @@ constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:
<% if environment == "test" %>
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
- "cn=manager,<%= @dc_suffix %>"
-authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= @dc_suffix %>
+ "cn=manager,<%= dc_suffix %>"
+authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %>
<% end %>
include /etc/openldap/mandriva-dit-access.conf
diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf
index 4c69a56e..2bfe7d50 100644
--- a/modules/openldap/templates/slapd.syncrepl.conf
+++ b/modules/openldap/templates/slapd.syncrepl.conf
@@ -1,11 +1,11 @@
-syncrepl rid=<%= @rid %>
- provider=ldaps://ldap-master.<%= @domain %>:636
+syncrepl rid=<%= rid %>
+ provider=ldaps://ldap-master.<%= domain %>:636
type=refreshAndPersist
- searchbase="<%= @dc_suffix %>"
+ searchbase="<%= dc_suffix %>"
schemachecking=off
bindmethod=simple
- binddn="cn=syncuser-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %>"
- credentials=<%= @sync_password %>
+ binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>"
+ credentials=<%= sync_password %>
tls_reqcert=never
-updateref ldaps://ldap-master.<%= @domain %>:636
+updateref ldaps://ldap-master.<%= domain %>:636
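Review bot: `tls_reqcert=never` turns off verification of the provider certificate while `bindmethod=simple` sends `credentials=<%= sync_password %>` over that connection, so the consumer gives the replication password to whichever host answers as `ldap-master.<domain>:636`. Use `tls_reqcert=demand` together with `tls_cacert=<path to CA bundle>` (placeholder, the path is not shown on this page). The rendered file also contains the sync password in clear text, and the resource that sets its mode is outside this diff, so it is worth confirming that the file is not world-readable.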
diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf
index a492acd7..8befa55a 100644
--- a/modules/openldap/templates/slapd.test.conf
+++ b/modules/openldap/templates/slapd.test.conf
@@ -2,7 +2,7 @@ database bdb
suffix "dc=test_ldap"
directory /var/lib/ldap/test
rootdn "cn=manager,dc=test_ldap"
-rootpw "<%= @ldap_test_password %>"
+rootpw "<%= ldap_test_password %>"
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,dc=test_ldap"
# force ssl
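Review bot: If `ldap_test_password` holds the clear-text password, `rootpw "<%= ldap_test_password %>"` writes the rootdn secret of the test database into the rendered config as is. `rootpw` accepts a hashed value, so the Puppet side could pass the output of `slappasswd` (a `{SSHA}...` string) with no change to this line. A comment such as `# ldap_test_password must be a slappasswd hash, not clear text` would document which form is expected. The file continues past this hunk.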