Diffstat (limited to 'modules/openldap')
| -rw-r--r-- | modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb | 13 | ||||
| -rw-r--r-- | modules/openldap/manifests/config.pp | 7 | ||||
| -rw-r--r-- | modules/openldap/manifests/exported_slave.pp | 3 | ||||
| -rw-r--r-- | modules/openldap/manifests/init.pp | 81 | ||||
| -rw-r--r-- | modules/openldap/manifests/master.pp | 50 | ||||
| -rw-r--r-- | modules/openldap/manifests/slave.pp | 23 | ||||
| -rw-r--r-- | modules/openldap/manifests/slave_instance.pp | 8 | ||||
| -rw-r--r-- | modules/openldap/manifests/var.pp | 3 | ||||
| -rw-r--r-- | modules/openldap/templates/init_ldap.sh | 40 | ||||
| -rw-r--r-- | modules/openldap/templates/mandriva-dit-access.conf | 137 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd-slave.sysconfig | 38 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.conf | 56 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.syncrepl.conf | 11 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.sysconfig | 37 | ||||
| -rw-r--r-- | modules/openldap/templates/slapd.test.conf | 9 |
15 files changed, 383 insertions, 133 deletions
diff --git a/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb b/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
new file mode 100644
index 00000000..0d620926
--- /dev/null
+++ b/modules/openldap/lib/puppet/parser/functions/get_ldap_servers.rb
@@ -0,0 +1,13 @@
+# return a list of all ldap servers declared
+module Puppet::Parser::Functions
+ newfunction(:get_ldap_servers, :type => :rvalue) do |args|
+ Puppet::Parser::Functions.autoloader.loadall
+ res = ["master"]
+
+ function_list_exported_ressources(['Openldap::Exported_slave']).each { |i|
+ res << "slave-#{i}"
+ }
+ res.map! { |x| "ldap-#{x}." + lookupvar("domain") }
+ return res
+ end
+end
diff --git a/modules/openldap/manifests/config.pp b/modules/openldap/manifests/config.pp
new file mode 100644
index 00000000..336f8a23
--- /dev/null
+++ b/modules/openldap/manifests/config.pp
@@ -0,0 +1,7 @@
+define openldap::config($content) {
+ file { $name:
+ require => Package['openldap-servers'],
+ content => $content,
+ notify => Exec["slaptest"],
+ }
+}
diff --git a/modules/openldap/manifests/exported_slave.pp b/modules/openldap/manifests/exported_slave.pp
new file mode 100644
index 00000000..5b9f6b87
--- /dev/null
+++ b/modules/openldap/manifests/exported_slave.pp
@@ -0,0 +1,3 @@
+# this define is here only to be exported by slave
+# and later used by get_ldap_servers
+define openldap::exported_slave { }
diff --git a/modules/openldap/manifests/init.pp b/modules/openldap/manifests/init.pp
index 991aee40..34a214a2 100644
--- a/modules/openldap/manifests/init.pp
+++ b/modules/openldap/manifests/init.pp
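Review bot: `function_list_exported_ressources` uses the doubled-s spelling; if that is the actual name of the helper elsewhere in the repository it is fine, but it is worth confirming, since a mistyped function name only surfaces as a catalog compilation failure. The result is built with `res.map!` followed by `return res`; `res.map { |x| "ldap-#{x}." + lookupvar("domain") }` as the block's last expression does the same without mutation or an explicit return, and the unused block parameter can be written `|_args|`. A header comment stating the output would help callers: `# returns ["ldap-master.<domain>", "ldap-slave-<rid>.<domain>", ...], one slave entry per exported openldap::exported_slave`.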
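Review bot: The `file { $name: ... }` inside `openldap::config` sets no `owner`, `group` or `mode`, although the resources it replaces in init.pp managed them explicitly, and the files it now renders include `/etc/openldap/slapd.conf`, which embeds the syncrepl `credentials=` on slaves and `rootpw` on the master. Without a `mode`, Puppet leaves whatever permissions the package or a previous run created, so the define should pin them, e.g. `owner => 'root', group => 'ldap', mode => '0640',` (master.pp already uses group `ldap` for the database directory; confirm it is the group slapd runs as). The same applies to the two sysconfig files, which are less sensitive but should not be left with unmanaged permissions either.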
@@ -1,71 +1,34 @@ class openldap { - class base { - package { 'openldap-servers': - ensure => installed - } + include openldap::var - service { ldap: - ensure => running, - subscribe => [ Package['openldap-servers']], - path => "/etc/init.d/ldap" - } + package { 'openldap-servers': } - file {"/etc/ssl/openldap/": - ensure => directory, - owner => root, - group => root, - mode => 755, - } - - openssl::self_signed_cert{ 'ldap': - directory => "/etc/ssl/openldap/" - } + service { $openldap::var::service: + subscribe => Package['openldap-servers'], + require => Openssl::Self_signed_cert["ldap.${::domain}"], } - # /etc/ - # 11:57:48| blingme> misc: nothing special, just copy slapd.conf, mandriva-dit-access.conf across, slapcat one side, slapadd other side - - file { '/etc/openldap/slapd.conf': - ensure => present, - owner => root, - group => root, - mode => 644, - require => Package["openldap-servers"], - content => "", - notify => [Service['ldap']] + exec { "slaptest": + refreshonly => true, + notify => Service[$openldap::var::service], } - file { '/etc/openldap/mandriva-dit-access.conf': - ensure => present, - owner => root, - group => root, - mode => 644, - require => Package["openldap-servers"], - content => "", - notify => [Service['ldap']] + file { '/etc/ssl/openldap/': + ensure => directory, } - file { '/etc/sysconfig/ldap': - ensure => present, - owner => root, - group => root, - mode => 644, - require => Package["openldap-servers"], - content => "", - notify => [Service['ldap']] - } - - class master inherits base { - file { '/etc/openldap/mandriva-dit-access.conf': - content => template("openldap/mandriva-dit-access.conf"), - } - - file { '/etc/openldap/slapd.conf': - content => template("openldap/slapd.conf"), - } + openssl::self_signed_cert{ "ldap.${::domain}": + directory => '/etc/ssl/openldap/', + } - file { '/etc/sysconfig/ldap': - content => template("openldap/ldap.sysconfig"), - } + openldap::config { + '/etc/openldap/slapd.conf': + content => ''; + 
'/etc/openldap/mandriva-dit-access.conf': + content => ''; + '/etc/sysconfig/ldap': + content => ''; + '/etc/sysconfig/slapd': + content => ''; } }
diff --git a/modules/openldap/manifests/master.pp b/modules/openldap/manifests/master.pp
new file mode 100644
index 00000000..53122628
--- /dev/null
+++ b/modules/openldap/manifests/master.pp
@@ -0,0 +1,50 @@
+class openldap::master inherits openldap {
+ include openldap::var
+
+ Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] {
+ content => template('openldap/mandriva-dit-access.conf'),
+ }
+
+ $ldap_test_password = extlookup('ldap_test_password','x')
+ $ldap_test_directory = '/var/lib/ldap/test'
+ file { $ldap_test_directory:
+ ensure => directory,
+ group => 'ldap',
+ owner => 'ldap',
+ require => Package['openldap-servers'],
+ before => Service[$openldap::var::service],
+ }
+
+ Openldap::Config['/etc/openldap/slapd.conf'] {
+ content => template('openldap/slapd.conf', 'openldap/slapd.test.conf'),
+ }
+
+ Openldap::Config['/etc/sysconfig/ldap'] {
+ content => template('openldap/ldap.sysconfig'),
+ }
+
+ Openldap::Config['/etc/sysconfig/slapd'] {
+ content => template('openldap/slapd.sysconfig'),
+ }
+
+ host { "ldap.${::domain}":
+ ip => '127.0.0.1',
+ }
+
+ if $::environment == 'test' {
+ # if we are in a test vm, we need to fill the directory
+ # with data
+ package { 'openldap-clients': }
+
+ mga_common::local_script { 'init_ldap.sh':
+ content => template('openldap/init_ldap.sh'),
+ require => Package['openldap-clients'],
+ }
+
+ exec { 'init_ldap.sh':
+ # taken arbitrary among all possible files
+ creates => '/var/lib/ldap/objectClass.bdb',
+ require => Mga_common::Local_script['init_ldap.sh'],
+ }
+ }
+}
diff --git a/modules/openldap/manifests/slave.pp b/modules/openldap/manifests/slave.pp
new file mode 100644
index 00000000..ba0cfb9d
--- /dev/null
+++ b/modules/openldap/manifests/slave.pp
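Review bot: `exec { "slaptest": refreshonly => true, ... }` has neither a fully qualified command nor a `path` parameter, so Puppet rejects the resource instead of validating the configuration on refresh; add `path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],` or name the binary by its absolute path. Compared with the removed lines, the `service` resource no longer carries `ensure => running` and `/etc/ssl/openldap/` no longer has `owner`/`group`/`mode`, so a stopped slapd is not restarted and the directory holding the self-signed key pair keeps whatever permissions it had; if both are deliberate, a comment should say so. The `openldap::config` declaration that closes this hunk starts on the previous physical line.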
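Review bot: `extlookup('ldap_test_password','x')` substitutes the literal password `x` whenever the key is absent from the lookup data, and that value is rendered verbatim into `rootpw` by slapd.test.conf; slave.pp does the same with `extlookup("ldap_syncuser-${::hostname}",'x')`, whose value becomes the replication bind `credentials=`. A missing secret should fail catalog compilation rather than silently deploy a one-character credential, so drop the default: `$ldap_test_password = extlookup('ldap_test_password')`. If a throwaway value is wanted for test VMs, put the assignment inside the `if $::environment == 'test'` branch that already exists further down in this class.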
@@ -0,0 +1,23 @@
+class openldap::slave($rid) inherits openldap {
+
+ @@openldap::exported_slave { $rid: }
+
+ $sync_password = extlookup("ldap_syncuser-${::hostname}",'x')
+
+ # same access rights as master
+ Openldap::Config['/etc/openldap/mandriva-dit-access.conf'] {
+ content => template('openldap/mandriva-dit-access.conf'),
+ }
+
+ Openldap::Config['/etc/openldap/slapd.conf'] {
+ content => template('openldap/slapd.conf','openldap/slapd.syncrepl.conf'),
+ }
+
+ Openldap::Config['/etc/sysconfig/ldap'] {
+ content => template('openldap/ldap.sysconfig'),
+ }
+
+ Openldap::Config['/etc/sysconfig/slapd'] {
+ content => template('openldap/slapd-slave.sysconfig'),
+ }
+}
diff --git a/modules/openldap/manifests/slave_instance.pp b/modules/openldap/manifests/slave_instance.pp
new file mode 100644
index 00000000..fbf998c6
--- /dev/null
+++ b/modules/openldap/manifests/slave_instance.pp
@@ -0,0 +1,8 @@
+# TODO create the user for sync in ldap
+# this define is mainly syntactic sugar
+define openldap::slave_instance($rid) {
+ include openldap
+ class { 'openldap::slave':
+ rid => $rid,
+ }
+}
diff --git a/modules/openldap/manifests/var.pp b/modules/openldap/manifests/var.pp
new file mode 100644
index 00000000..d6947eb8
--- /dev/null
+++ b/modules/openldap/manifests/var.pp
@@ -0,0 +1,3 @@
+class openldap::var {
+ $service = 'slapd'
+}
diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh
new file mode 100644
index 00000000..dfcaf236
--- /dev/null
+++ b/modules/openldap/templates/init_ldap.sh
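Review bot: `class { 'openldap::slave': rid => $rid, }` inside `define openldap::slave_instance` means a second `openldap::slave_instance` on the same node fails with a duplicate class declaration, and the `@@openldap::exported_slave { $rid: }` it leads to (slave.pp, same line) must be unique across every slave in the stored configs; neither constraint is stated. Suggest replacing the comment with `# one instance per node; $rid must be unique across all slaves (it is both the syncrepl rid and the exported resource title)`. The remaining `TODO create the user for sync in ldap` is a prerequisite for replication at all, since slapd.syncrepl.conf binds as `cn=syncuser-<hostname>,ou=System Accounts`.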
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
+dn: <%= dc_suffix %>
+dc: <%= dc_suffix.split(',')[0].split('=')[1] %>
+objectClass: domain
+objectClass: domainRelatedObject
+associatedDomain: <%= domain %>
+
+<% for g in ['People','Group','Hosts'] %>
+dn: ou=<%= g%>,<%= dc_suffix %>
+ou: <%= g %>
+objectClass: organizationalUnit
+<% end %>
+
+<%
+gid = 5000
+for g in ['packagers','web','sysadmin','packagers-committers','forum-developers'] %>
+dn: cn=mga-<%= g %>,ou=Group,<%= dc_suffix %>
+objectClass: groupOfNames
+objectClass: posixGroup
+cn: mga-<%= g %>
+gidNumber: <%= gid %>
+member: cn=manager,<%= dc_suffix %>
+<%-
+gid+=1
+end -%>
+
+
+<% # FIXME automatically get the list of servers
+for g in ['duvel','alamut'] %>
+dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %>
+objectClass: device
+objectClass: simpleSecurityObject
+cn: <%= g%>.<%= domain %>
+userPassword: x
+<% end %>
+
+
+EOF
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index a4d9661a..361d956b 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
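Review bot: The template seeds `ou=Hosts` entries with `userPassword: x` and hard-codes the two host names, and nothing in the file says that master.pp only runs it when `$::environment == 'test'`; add a header comment such as `# test environment only (see openldap::master): seeds the directory with dummy entries and placeholder passwords`. The heredoc is unquoted, so bash expands `$` and backticks in any rendered value; `ldapadd -Y EXTERNAL -H ldapi:/// <<'EOF'` avoids that, since all substitution here is done by ERB before the shell runs.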
@@ -1,184 +1,195 @@ # mandriva-dit-access.conf -limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" +limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" +limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" +limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" limit size=unlimited limit time=unlimited # so we don't have to add these to every other acl down there -access to dn.subtree="dc=mageia,dc=org" - by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read +access to dn.subtree="<%= dc_suffix %>" + by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read by * break # userPassword access # Allow account registration to write userPassword of unprivileged users accounts -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" - attrs=userPassword,pwdReset - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a + attrs=userPassword + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w by * +0 break # shadowLastChange is here because it needs to be writable by the user because # of pam_ldap, which will update this attr whenever the password is changed. 
# And this is done with the user's credentials -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=shadowLastChange by self write - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=userPassword - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by self write by anonymous auth by * none # kerberos key access # "by auth" just in case... -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=krb5Key by self write - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by anonymous auth by * none # password policies -access to dn.subtree="ou=Password Policies,dc=mageia,dc=org" - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write +access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read # samba password attributes # by self not strictly necessary, because samba uses its own admin user to # change the password on the user's behalf # openldap also doesn't auth on these attributes, but maybe some day it will -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=sambaLMPassword,sambaNTPassword - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by anonymous auth by self write by * none # password history attribute -# pwdHistory is read-only, but ACL is simplier with it here -access to dn.subtree="dc=mageia,dc=org" +# pwdHistory is read-only, but ACL is 
simpler with it here +access to dn.subtree="<%= dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by * none # pwdReset, so the admin can force an user to change a password -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=pwdReset,pwdAccountLockedTime - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by self read # group owner can add/remove/edit members to groups -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" - attrs=member +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" + attrs=member,owner by dnattr=owner write - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write - by users +sx + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users +scrx -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" attrs=cn,description,objectClass,gidNumber - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read # registration - allow registrar group to create basic unprivileged accounts -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" attrs="objectClass" val="inetOrgperson" - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx by * +0 break -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" filter="(!(objectclass=posixAccount))" 
attrs=cn,sn,gn,mail,entry,children,preferredLanguage - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by * +0 break + +# TODO maybe we should use a group instead of a user here +access to dn.subtree="ou=People,<%= dc_suffix %>" + filter="(objectclass=posixAccount)" + attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber + by dn.one="ou=Hosts,<%= dc_suffix %>" read by * +0 break # let the user change some of his/her attributes -access to dn.subtree="ou=People,dc=mageia,dc=org" - attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage +access to dn.subtree="ou=People,<%= dc_suffix %>" + attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey by self write by users read +access to dn.subtree="ou=People,<%= dc_suffix %>" + attrs=memberOf + by users read + + # create new accounts -access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$" +access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" attrs=children,entry - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by * break # access to existing entries -access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$" - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write +access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by * break # sambaDomainName entry -access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" +access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" attrs=children,entry,@sambaDomain,@sambaUnixIdPool - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write 
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read # samba ID mapping -access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" +access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" attrs=children,entry,@sambaIdmapEntry - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write by users read # global address book # XXX - which class(es) to use? -access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" +access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList - by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write by users read # dhcp entries # XXX - open up read access to anybody? 
-access to dn.sub="ou=dhcp,dc=mageia,dc=org" +access to dn.sub="ou=dhcp,<%= dc_suffix %>" attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog - by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read + by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read by * read # sudoers -access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" +access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" attrs=children,entry,@sudoRole - by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write by users read # dns -access to dn="ou=dns,dc=mageia,dc=org" +access to dn="ou=dns,<%= dc_suffix %>" attrs=entry,@extensibleObject - by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write by users read -access to dn.sub="ou=dns,dc=mageia,dc=org" +access to dn.sub="ou=dns,<%= dc_suffix %>" attrs=children,entry,@dNSZone - by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read + by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read by * none # MTA # XXX - what else can we add here? Virtual Domains? With which schema? 
-access to dn.one="ou=People,dc=mageia,dc=org" +access to dn.one="ou=People,<%= dc_suffix %>" attrs=@inetLocalMailRecipient,mail - by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write by users read # KDE Configuration -access to dn.sub="ou=KDEConfig,dc=mageia,dc=org" - by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write +access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" + by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write by * read # last one -access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn +access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn by users read -
diff --git a/modules/openldap/templates/slapd-slave.sysconfig b/modules/openldap/templates/slapd-slave.sysconfig
new file mode 100644
index 00000000..9bff24ff
--- /dev/null
+++ b/modules/openldap/templates/slapd-slave.sysconfig
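Review bot: The group rule now covers `attrs=member,owner` with `by dnattr=owner write`, so any listed owner can add or replace owners and group ownership becomes delegable without Account Admins involvement; if that is intended, the comment above the rule should say so, e.g. `# group owners can add/remove members and may delegate ownership (owner attr is self-managed)`. Separately, `<%= dc_suffix %>` is interpolated unescaped into the `dn.regex="...$"` patterns; with `dc=mageia,dc=org` that is harmless, but a suffix containing regex metacharacters would silently change what the anchored rules match, so either escape it for slapd's regex dialect or note the assumption in the template header. The new `by dn.one="ou=Hosts,<%= dc_suffix %>" read` rule gives every host account the posixAccount attributes of all users, which fits the `TODO` about using a group instead but should be read together with the `userPassword: x` host entries seeded by init_ldap.sh in the test environment.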
@@ -0,0 +1,38 @@
+# debug level for slapd
+SLAPDSYSLOGLEVEL="0"
+SLAPDSYSLOGLOCALUSER="local4"
+
+# SLAPD URL list
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
+
+# Config file to use for slapd
+#SLAPDCONF=/etc/openldap/slapd.conf
+
+# Which user to run as
+#LDAPUSER=ldap
+#LDAPGROUP=ldap
+
+# Should file permissions on database files be fixed at startup. Default is yes
+# FIXPERMS=no
+
+# Whether database recovery should be run before starting slapd in start
+# (not strictly be necessary in 2.3). Default is no
+# AUTORECOVER=yes
+
+# At what intervals to run ldap-hot-db-backup from cron, which will
+# do hot database backups for all bdb/hdb databases, and archive
+# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly
+# Default is daily
+# Slave does not need a backup
+RUN_DB_BACKUP=never
+
+# How many days to keep archived transaction logs for. This should be just
+# greater than the backup interval on these files. Default is 7
+# KEEP_ARCHIVES_DAYS=7
+
+# How many files slapd should be able to have open. By default, the process
+# will inherit the default per-process limit (usually 1024), which may
+# not be enough, so ulimit -n is run with the value in MAXFILES (which
+# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without
+# recompiling.
+# MAXFILES=4096
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index 7edab29b..d82fe088 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
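Review bot: slapd-slave.sysconfig and slapd.sysconfig (later in this diff) are identical apart from `RUN_DB_BACKUP=never` versus `# RUN_DB_BACKUP=daily`, so every later change has to be made twice; one template taking a variable set by master.pp and slave.pp (for example `run_db_backup`) would remove the duplication. Both files also enable plain `ldap:///` in `SLAPDURLLIST`; that is acceptable only because slapd.conf keeps `security ssf=56`, which refuses binds and operations below that strength, and a comment next to the URL list pointing at that dependency would stop someone from relaxing one without the other.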
@@ -11,7 +11,10 @@ include /usr/share/openldap/schema/rfc2307bis.schema include /usr/share/openldap/schema/openldap.schema #include /usr/share/openldap/schema/autofs.schema include /usr/share/openldap/schema/samba.schema -include /usr/share/openldap/schema/kolab.schema +# removed as it cause issue on 2010.0 : +# /usr/share/openldap/schema/kolab.schema: +# line 175 objectclass: Duplicate objectClass: "1.3.6.1.4.1.5322.13.1.1" +#include /usr/share/openldap/schema/kolab.schema include /usr/share/openldap/schema/evolutionperson.schema include /usr/share/openldap/schema/calendar.schema include /usr/share/openldap/schema/sudo.schema @@ -27,14 +30,23 @@ pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args modulepath <%= lib_dir %>/openldap +<% if @hostname == 'duvel' then %> +moduleload back_bdb.la +<% else %> +moduleload back_mdb.la +<% end %> moduleload back_monitor.la moduleload syncprov.la moduleload ppolicy.la #moduleload refint.la +moduleload memberof.la +moduleload unique.la +moduleload dynlist.la +moduleload constraint.la -TLSCertificateFile /etc/ssl/openldap/ldap.pem -TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem -TLSCACertificateFile /etc/ssl/openldap/ldap.pem +TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem +TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem +TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem # Give ldapi connection some security localSSF 56 
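Review bot: The backend is selected with `<% if @hostname == 'duvel' then %>`, and the identical condition is repeated twice in the next hunk (`database bdb`/`database mdb` and the `dbconfig` block), so three places must stay in sync by hand; compute it once, e.g. `<% use_bdb = (@hostname == 'duvel') %>` at the top of the template, or expose a backend variable from `openldap::var` as this commit already does for the service name. The template also mixes `@hostname` with bare `domain`, `environment` and `hostname` lookups; one form throughout would read better, and `then` after `if` is unnecessary in Ruby.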
@@ -46,20 +58,34 @@ security ssf=56 loglevel 256 +database monitor +access to dn.subtree="cn=Monitor" + by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read + by * none + +<% if @hostname == 'duvel' then %> database bdb +<% else %> +database mdb +# mdb defaults to 10MB max DB, so we need to hardcode some better value :( +maxsize 500000000 +<% end %> suffix "<%= dc_suffix %>" directory /var/lib/ldap rootdn "cn=manager,<%= dc_suffix %>" checkpoint 256 5 +<% if @hostname == 'duvel' then %> # 32Mbytes, can hold about 10k posixAccount entries dbconfig set_cachesize 0 33554432 1 dbconfig set_lg_bsize 2097152 cachesize 1000 idlcachesize 3000 +<% end %> index objectClass eq -index uidNumber,gidNumber,memberuid,member eq +index uidNumber,gidNumber,memberuid,member,owner eq index uid eq,subinitial index cn,mail,surname,givenname eq,subinitial index sambaSID eq,sub @@ -72,6 +98,8 @@ index sudouser eq,sub index entryCSN,entryUUID eq index dhcpHWAddress,dhcpClassData eq +overlay memberof + overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 @@ -81,6 +109,15 @@ ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>" ppolicy_hash_cleartext yes ppolicy_use_lockout yes +overlay unique +unique_uri ldap:///?mail?sub? + +overlay dynlist +dynlist-attrset groupOfURLs memberURL member + + +overlay constraint +constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:graph:]]+$" # uncomment if you want to automatically update group # memberships when an user is removed from the tree 
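Review bot: The `constraint_attribute sshPublicKey regex` pattern `^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[:graph:]]+$` demands exactly three space-separated fields, so a key without a trailing comment or with a comment containing spaces is rejected, `ecdsa-sha2-*` keys never match, and `ssh-dss` (DSA) is accepted; since users may write `sshPublicKey` on their own entry under mandriva-dit-access.conf, this rule is the only validation applied. A pattern such as `"^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$"` makes the comment optional, checks the base64 field and drops DSA. A comment listing the accepted key types above the rule would document the policy.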
@@ -89,16 +126,13 @@ ppolicy_use_lockout yes #refint_attributes member #refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com" +<% if environment == "test" %> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" - "uid=Account Admin,ou=System Accounts,<%= dc_suffix %>" + "cn=manager,<%= dc_suffix %>" authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %> +<% end %> include /etc/openldap/mandriva-dit-access.conf -database monitor -access to dn.subtree="cn=Monitor" - by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read - by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read - by * none
diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf
new file mode 100644
index 00000000..2bfe7d50
--- /dev/null
+++ b/modules/openldap/templates/slapd.syncrepl.conf
@@ -0,0 +1,11 @@
+syncrepl rid=<%= rid %>
+ provider=ldaps://ldap-master.<%= domain %>:636
+ type=refreshAndPersist
+ searchbase="<%= dc_suffix %>"
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>"
+ credentials=<%= sync_password %>
+ tls_reqcert=never
+
+updateref ldaps://ldap-master.<%= domain %>:636
diff --git a/modules/openldap/templates/slapd.sysconfig b/modules/openldap/templates/slapd.sysconfig
new file mode 100644
index 00000000..e6ae2e05
--- /dev/null
+++ b/modules/openldap/templates/slapd.sysconfig
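Review bot: The `<% if environment == "test" %>` block encloses both `authz-regexp` statements, so outside the test environment the generic SASL mapping `^uid=([^,]+),cn=[^,]+,cn=auth$` to `uid=$1,ou=People,<%= dc_suffix %>` disappears as well, not only the peercred-to-`cn=manager` mapping; if only the root-socket mapping was meant to be test-only, move `<% end %>` up to directly after the `"cn=manager,<%= dc_suffix %>"` line. Keeping the peercred mapping out of production is right, as it turns local root into the directory's rootdn.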
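Review bot: `tls_reqcert=never` turns off certificate verification for the consumer's connection to `ldaps://ldap-master.<%= domain %>:636`, so the simple bind carrying `credentials=<%= sync_password %>` and the entire replicated tree, userPassword hashes included, are exposed to anyone able to interpose on that connection. As the master's certificate is self-signed (`openssl::self_signed_cert` in init.pp), verification requires shipping that certificate to each slave; then use `tls_reqcert=demand` together with `tls_cacert=<PATH TO MASTER CERT ON SLAVE>`. If that cannot be done yet, the line needs a comment explaining why verification is off, and `schemachecking=off` deserves a one-line justification as well.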
@@ -0,0 +1,37 @@
+# debug level for slapd
+SLAPDSYSLOGLEVEL="0"
+SLAPDSYSLOGLOCALUSER="local4"
+
+# SLAPD URL list
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
+
+# Config file to use for slapd
+#SLAPDCONF=/etc/openldap/slapd.conf
+
+# Which user to run as
+#LDAPUSER=ldap
+#LDAPGROUP=ldap
+
+# Should file permissions on database files be fixed at startup. Default is yes
+# FIXPERMS=no
+
+# Whether database recovery should be run before starting slapd in start
+# (not strictly be necessary in 2.3). Default is no
+# AUTORECOVER=yes
+
+# At what intervals to run ldap-hot-db-backup from cron, which will
+# do hot database backups for all bdb/hdb databases, and archive
+# unnecessary transaction logs, one of hourly,daily,weekly,monthly,yearly
+# Default is daily
+# RUN_DB_BACKUP=daily
+
+# How many days to keep archived transaction logs for. This should be just
+# greater than the backup interval on these files. Default is 7
+# KEEP_ARCHIVES_DAYS=7
+
+# How many files slapd should be able to have open. By default, the process
+# will inherit the default per-process limit (usually 1024), which may
+# not be enough, so ulimit -n is run with the value in MAXFILES (which
+# defaults to 1024 as well). 4096 is the maximum OpenLDAP will use without
+# recompiling.
+# MAXFILES=4096
diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf
new file mode 100644
index 00000000..8befa55a
--- /dev/null
+++ b/modules/openldap/templates/slapd.test.conf
@@ -0,0 +1,9 @@
+database bdb
+suffix "dc=test_ldap"
+directory /var/lib/ldap/test
+rootdn "cn=manager,dc=test_ldap"
+rootpw "<%= ldap_test_password %>"
+authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+ "cn=manager,dc=test_ldap"
+# force ssl
+security ssf=56
|
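Review bot: `rootpw "<%= ldap_test_password %>"` writes the test rootdn password in clear into slapd.conf; slapd accepts a hashed value in `rootpw`, so storing the `{SSHA}` form produced by `slappasswd` in the lookup data and rendering that keeps the secret out of the configuration file. The value also inherits the `'x'` fallback from master.pp when the lookup key is missing. Note that master.pp appends this file to slapd.conf unconditionally, not only when `$::environment == 'test'`, so the `dc=test_ldap` database with this rootpw and the peercred mapping to `cn=manager,dc=test_ldap` also exists on production masters; that is worth stating in a comment at the top of the file.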
