From 9a1964c71a60316e81ec81de2c8f860344748d63 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 21 Jan 2014 13:18:56 +0200
Subject: [PATCH] ldap: Converted nslcd.conf to template and added support for active directory attribute mappings.
---
 ldap/manifests/init.pp | 53 ++++++++++++++---------------------
 ldap/templates/nslcd.conf.erb | 34 ++++++++++++++++++++++
 2 files changed, 55 insertions(+), 32 deletions(-)
 create mode 100644 ldap/templates/nslcd.conf.erb
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index d86ae3a..c2ec216 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -12,7 +12,12 @@
 # $ldap_login_umask:
 # Default umask for LDAP users in OpenBSD, defaults to 077.
 #
-class ldap::auth inherits ldap::client {
+# === Parameters
+#
+# $mapping:
+#
+#
+class ldap::auth($mapping="rfc2307") inherits ldap::client {
 include pam::common
@@ -22,7 +27,7 @@ class ldap::auth inherits ldap::client {
 if regsubst($ldap_uri, "^(ldaps)://.*", "\1") == "ldaps"{
 $ssl = "on"
 } else {
- $ssl = "no"
+ $ssl = "off"
 }
 if $::kernel == "Linux" {
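Review bot: The `# $mapping:` entry added to the header comment is empty, so the new parameter's accepted values are undocumented even though the template only recognises `ad` and `activedirectory` for the Active Directory layout and treats every other value as rfc2307. I would fill it in as `# $mapping:` / `#   Attribute mapping scheme for nslcd.conf: "rfc2307" (default) or "ad"/"activedirectory".` Nothing in the class validates `$mapping`, so a misspelt value silently produces the rfc2307 configuration; a guard such as `if !($mapping in ["rfc2307", "ad", "activedirectory"]) { fail("ldap::auth: unsupported mapping '${mapping}'") }` right after the class line would surface that at catalog compile time instead. The class body continues outside the hunk.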
@@ -39,29 +44,19 @@ class ldap::auth inherits ldap::client {
 exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enableforcelegacy --update":
 path => "/bin:/usr/bin:/sbin:/usr/sbin",
 unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
- before => [ Augeas["nslcd-conf"],
+ before => [ File["/etc/nslcd.conf"],
 Augeas["pam-ldap-conf"],
 File["/etc/openldap/ldap.conf"], ],
 require => Package["authconfig", "nss-pam-ldapd"],
 }
- augeas { "nslcd-conf":
- changes => [ "set pagesize 500",
- "set ssl ${ssl}",
- "set tls_reqcert never",
- "rm tls_cacertdir", ],
- incl => "/etc/nslcd.conf",
- lens => "Spacevars.simple_lns",
+ file { "/etc/nslcd.conf":
+ ensure => present,
+ content => template("ldap/nslcd.conf.erb"),
+ mode => "0600",
+ owner => "root",
+ group => "root",
 notify => Service["nslcd"],
 }
- if $::operatingsystem == "Fedora" {
- augeas { "nslcd-conf-groupmap":
- changes => "set map 'group member uniqueMember'",
- incl => "/etc/nslcd.conf",
- lens => "Spacevars.simple_lns",
- require => Package["nss-pam-ldapd"],
- notify => Service["nslcd"],
- }
- }
 augeas { "pam-ldap-conf":
 changes => [ "set ssl ${ssl}",
 "set pam_password exop",
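Review bot: The new `file { "/etc/nslcd.conf": ... }` resource drops the `"set ssl ${ssl}"` augeas change, but the template re-derives the ssl setting from its own `@ldap_uri =~ /^ldaps:/` test while this class still computes `$ssl` via `regsubst($ldap_uri, "^(ldaps)://.*", "\1")` for the pam-ldap-conf augeas just below; two checks for one condition can drift apart, so emitting `ssl <%= @ssl %>` from the template would keep a single source of truth. The `0600` root:root mode chosen here presumes nslcd reads its configuration before switching to the `uid nslcd` declared in the template — plausible, but worth confirming on CentOS/Fedora, given that the Ubuntu branch of the same change grants group `nslcd` read access with `0640` instead. The exec whose `before` list is edited starts inside the hunk, while the enclosing class continues outside it.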
@@ -104,21 +99,15 @@ class ldap::auth inherits ldap::client {
 path => "/bin:/usr/bin:/sbin:/usr/sbin",
 unless => "auth-client-config -t nss -p ldap_example -s",
 require => Package["auth-client-config"],
- before => Augeas["nslcd-conf"],
+ before => File["/etc/nslcd.conf"],
 }
- augeas { "nslcd-conf":
- changes => [
- "set uri '${ldap_uri}'",
- "set base ${ldap_basedn}",
- "set pagesize 500",
- "set ssl ${ssl}",
- "set tls_reqcert never",
- "set map 'group member uniqueMember'",
- ],
- incl => "/etc/nslcd.conf",
- lens => "Spacevars.simple_lns",
+ file { "/etc/nslcd.conf":
+ ensure => present,
+ content => template("ldap/nslcd.conf.erb"),
+ mode => "0640",
+ owner => "root",
+ group => "nslcd",
 notify => Service["nslcd"],
- before => File["/etc/openldap/ldap.conf"],
 }
 service { "nslcd":
 ensure => running,
diff --git a/ldap/templates/nslcd.conf.erb b/ldap/templates/nslcd.conf.erb
new file mode 100644
index 0000000..c2a494b
--- /dev/null
+++ b/ldap/templates/nslcd.conf.erb
@@ -0,0 +1,34 @@
+uid nslcd
+<% if @operatingsystem == "Ubuntu" -%>
+gid nslcd
+<% else -%>
+gid ldap
+<% end -%>
+
+uri <%= @ldap_uri %>
+base <%= @ldap_basedn %>
+
+<% if ['ad','activedirectory'].index(@mapping) -%>
+pagesize 1000
+filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
+map passwd uid sAMAccountName
+map passwd gecos displayName
+map passwd loginShell "${loginShell:-/bin/bash}"
+map passwd homeDirectory "${unixHomeDirectory:-/home/$sAMAccountName}"
+filter group (&(objectClass=group)(gidNumber=*))
+<% if @operatingsystem == "CentOS" -%>
+map group uniqueMember member
+<% end -%>
+<% else -%>
+pagesize 500
+<% if @operatingsystem != "CentOS" -%>
+map group member uniqueMember
+<% end -%>
+<% end -%>
+
+<% if @ldap_uri =~ /^ldaps:/ -%>
+ssl on
+tls_reqcert never
+<% else -%>
+ssl off
+<% end -%>
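Review bot: `tls_reqcert never` on the ldaps branch tells nslcd not to verify the LDAP server's certificate, so the TLS session over which user credentials are checked offers no protection against an impersonating server; the setting is carried over from the augeas changes this commit removes rather than introduced here, but the template is now the one place to harden it. I would expose it as a class parameter defaulting to `demand`, emit `tls_reqcert <%= @tls_reqcert %>`, and add a `tls_cacertfile` line pointing at the CA bundle the server certificate chains to. The rfc2307 branch emits `map group member uniqueMember` for every OS except CentOS, whereas the removed manifest code set it only on Fedora and Ubuntu, so RHEL and other hosts now receive a mapping they did not have before — testing `@osfamily` or listing the intended operating systems explicitly would keep the previous scope. Minor: `['ad','activedirectory'].index(@mapping)` works only because `index` returns nil on a miss; `['ad','activedirectory'].include?(@mapping)` states the intent directly.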