From 2ca1f702c6122b627553da3ffc98cace5a9e5f7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 3 Jan 2013 01:15:43 +0200 Subject: [PATCH 1/7] Fixed ldap::server modules for Ubuntu and Debian. --- ldap/manifests/init.pp | 2 +- ldap/templates/slapd.conf.erb | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index 814fbe0..ac95d96 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -356,7 +356,7 @@ class ldap::server { $package_name = "slapd" $service_name = "slapd" $config = "/etc/ldap" - $modulepath = "/usr/lib/openldap" + $modulepath = "/usr/lib/ldap" } "fedora": { $user = "ldap" diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb index 6f47f8e..2519a6e 100644 --- a/ldap/templates/slapd.conf.erb +++ b/ldap/templates/slapd.conf.erb @@ -27,6 +27,10 @@ argsfile /var/run/openldap/slapd.args modulepath <%= modulepath %> moduleload ppolicy.la moduleload syncprov.la +<% if ['Ubuntu','Debian'].index(operatingsystem) -%> +moduleload back_hdb.la +moduleload back_monitor.la +<% end -%> <% if has_variable?('ldap_server_modules') -%> <% ldap_server_modules.each do |name| -%> moduleload <%= name %>.la From 51ca2c8fadb7878b44de753c7689d38df607796c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 3 Jan 2013 11:11:31 +0200 Subject: [PATCH 2/7] Fixed /etc/ssl/private permissions for Ubuntu. --- ssl/manifests/init.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ssl/manifests/init.pp b/ssl/manifests/init.pp index 53f42ed..9428d28 100644 --- a/ssl/manifests/init.pp +++ b/ssl/manifests/init.pp @@ -12,9 +12,15 @@ class ssl { $certs = "/etc/ssl" $private = "/etc/ssl/private" } - default: { + "debian","ubuntu": { $certs = "/etc/ssl/certs" $private = "/etc/ssl/private" + package { "ssl-cert": + ensure => installed, + } + } + default: { + fail("Class ssl not supported on ${::operatingsystem}") } } 
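Review bot: The new guard in slapd.conf.erb reads the bare top-scope variable `operatingsystem`, relying on dynamic scoping inside the template, and tests it with `index`, which only works because `0` (the position of 'Ubuntu') is truthy in Ruby. `<% if ['Ubuntu','Debian'].include?(scope.lookupvar('::operatingsystem')) -%>` states the intent directly and matches the `scope.lookupvar(...)` form the later patches in this series adopt for the same template. The rest of the template is outside this hunk.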
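Review bot: The `ssl-cert` package added in the `"debian","ubuntu"` branch of ssl/manifests/init.pp carries no ordering, so if `$private` (`/etc/ssl/private`) is managed by a `file` resource further down in the class — outside this hunk — nothing guarantees the package, and with it the `ssl-cert` group, exists before that resource's `group`/`mode` is applied, and the first run can fail on an unknown group. Adding `before => File[$private],` to the package (or `require => Package["ssl-cert"]` on the file) makes the dependency explicit. The commit message says the permissions were fixed, but this hunk only installs the package, so presumably the directory ownership is applied elsewhere; if it is not, the private-key directory permissions depend entirely on the package's own postinst.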
From 32c9f9d66747c9f97f9c9f22e34b9784e857f224 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 3 Jan 2013 11:11:47 +0200 Subject: [PATCH 3/7] Fixed depency error from ldap::server. --- ldap/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index ac95d96..e479bb2 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -340,7 +340,7 @@ class ldap::client::ruby { # class ldap::server { - include ssl + require ssl if !$ldap_server_key { $ldap_server_key = "${puppet_ssldir}/private_keys/${homename}.pem" From eb423748eebe25330054522ed1221090172b00d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Thu, 3 Jan 2013 18:48:20 +0200 Subject: [PATCH 4/7] Fixed ldap::server for Ubuntu. --- ldap/files/slapd.default | 45 +++++++++++++++++++++++++++++++++++ ldap/manifests/init.pp | 43 ++++++++++++++++++++++++++------- ldap/templates/slapd.conf.erb | 4 ++-- 3 files changed, 81 insertions(+), 11 deletions(-) create mode 100644 ldap/files/slapd.default diff --git a/ldap/files/slapd.default b/ldap/files/slapd.default new file mode 100644 index 0000000..2416fa8 --- /dev/null +++ b/ldap/files/slapd.default 
@@ -0,0 +1,45 @@ +# Default location of the slapd.conf file or slapd.d cn=config directory. If +# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to +# /etc/ldap/slapd.conf). +SLAPD_CONF="/etc/ldap/slapd.conf" + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER="openldap" + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP="openldap" + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by +# default) +SLAPD_PIDFILE= + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" +SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" + +# If SLAPD_NO_START is set, the init script will not start or restart +# slapd (but stop will still work). Uncomment this if you are +# starting slapd via some other means or if you don't want slapd normally +# started at boot. +#SLAPD_NO_START=1 + +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, +# the init script will not start or restart slapd (but stop will still +# work). Use this for temporarily disabling startup of slapd (when doing +# maintenance, for example, or through a configuration management system) +# when you don't want to edit a configuration file. +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd + +# For Kerberos authentication (via SASL), slapd by default uses the system +# keytab file (/etc/krb5.keytab). To use a different keytab file, +# uncomment this line and change the path. +#export KRB5_KTNAME=/etc/krb5.keytab + +# Additional options to pass to slapd +SLAPD_OPTIONS="" diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index e479bb2..e14c9fc 100644 --- a/ldap/manifests/init.pp 
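Review bot: Nothing in the new ldap/files/slapd.default marks it as Puppet-managed, so an administrator editing it on the host will lose the change on the next run without warning; a first line such as `# Managed by Puppet (ldap module); local edits are overwritten on the next run.` is the usual fix. A short note next to `SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"` would also help: it enables the cleartext ldap listener on every interface, and the `security simple_bind=128` line in slapd.conf.erb (visible as context in this patch's template hunk) is what keeps simple binds off that listener, so the two settings should be documented as a pair.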
+++ b/ldap/manifests/init.pp @@ -357,6 +357,14 @@ class ldap::server { $service_name = "slapd" $config = "/etc/ldap" $modulepath = "/usr/lib/ldap" + $rundir = "/var/run/slapd" + exec { "usermod-openldap": + path => "/bin:/usr/bin:/sbin:/usr/sbin", + command => "usermod -a -G ssl-cert openldap", + unless => "id -n -G openldap | grep '\\bssl-cert\\b'", + require => Package["openldap-server"], + before => Service["slapd"], + } } "fedora": { $user = "ldap" @@ -368,6 +376,7 @@ class ldap::server { "x86_64" => "/usr/lib64/openldap", default => "/usr/lib/openldap", } + $rundir = "/var/run/openldap" } "centos","redhat": { $user = "ldap" @@ -385,6 +394,7 @@ class ldap::server { "x86_64" => "/usr/lib64/openldap", default => "/usr/lib/openldap", } + $rundir = "/var/run/openldap" } "openbsd": { $user = "_openldap" @@ -393,6 +403,7 @@ class ldap::server { $service_name = "slapd" $config = "/etc/openldap" $modulepath = "" + $rundir = "/var/run/openldap" } } @@ -446,15 +457,29 @@ class ldap::server { notify => Exec["generate-slapd-database-config"], } - if $::operatingsystem in ["CentOS","RedHat"] and $operatinsystemrelease !~ /^5\./ { - file { "/etc/sysconfig/ldap": - ensure => present, - source => "puppet:///modules/ldap/ldap.sysconfig", - mode => "0644", - owner => "root", - group => "root", - notify => Service["slapd"], - require => Package["openldap-server"], + case $::operatingsystem { + "centos","redhat": { + if $::operatinsystemrelease !~ /^5\./ { + file { "/etc/sysconfig/ldap": + ensure => present, + source => "puppet:///modules/ldap/ldap.sysconfig", + mode => "0644", + owner => "root", + group => "root", + notify => Service["slapd"], + require => Package["openldap-server"], + } + } + } + "debian","ubuntu": { + file { "/etc/default/slapd": + source => "puppet:///modules/ldap/slapd.default", + mode => "0644", + owner => "root", + group => "root", + notify => Service["slapd"], + require => Package["openldap-server"], + } } } 
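Review bot: `$::operatinsystemrelease` in the new `"centos","redhat"` branch of the `case` is misspelled (the `g` of `operatingsystemrelease` is missing); the variable is therefore always undef, `undef !~ /^5\./` is always true, and `/etc/sysconfig/ldap` is managed on release 5 too, which is the opposite of what the guard intends. The removed `if` carried the same typo, so the bug is pre-existing, but the commit rewrites that line and is the place to fix it: `if $::operatingsystemrelease !~ /^5\./ {`. Separately, the new `/etc/default/slapd` resource omits the `ensure => present,` its sysconfig sibling declares; harmless, but adding it keeps the two branches parallel. The rest of `ldap::server` lies outside these hunks.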
diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb index 2519a6e..ac54d77 100644 --- a/ldap/templates/slapd.conf.erb +++ b/ldap/templates/slapd.conf.erb @@ -19,8 +19,8 @@ security simple_bind=128 sizelimit size.soft=500 sizelimit size.hard=none -pidfile /var/run/openldap/slapd.pid -argsfile /var/run/openldap/slapd.args +pidfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.pid +argsfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.args # overlay modules to load <% if scope.lookupvar('ldap::server::modulepath') != '' -%> From 00d5c08f8a1fcc68ae2d8d7d687323e473c60884 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Fri, 4 Jan 2013 00:37:59 +0200 Subject: [PATCH 5/7] Initial version of apparmor fact. --- apparmor/lib/facter/apparmor.rb | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 apparmor/lib/facter/apparmor.rb diff --git a/apparmor/lib/facter/apparmor.rb b/apparmor/lib/facter/apparmor.rb new file mode 100644 index 0000000..a32738a --- /dev/null +++ b/apparmor/lib/facter/apparmor.rb @@ -0,0 +1,20 @@ + +Facter.add("apparmor") do + setcode do + result = false + if File.exists?("/sys/module/apparmor") + begin + f = File.new("/proc/mounts") + while (line = f.gets) + if line.split()[2] == "securityfs" + if File.exists?(File.join(line.split()[1], "apparmor")) + result = true + end + end + end + rescue + end + end + result + end +end From 2c7c0c0822eb39fa6efc4911d74756a8af2e3cc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Tue, 8 Jan 2013 14:43:49 +0200 Subject: [PATCH 6/7] Fixed view handling for normal zones in dns::zone. --- dns/manifests/init.pp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index ecc373d..9142889 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp 
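Review bot: In the new apparmor fact the handle from `File.new("/proc/mounts")` is never closed, and the bare `rescue` swallows every StandardError without narrowing it, so an error in the loop body would be reported as "no AppArmor" rather than surfaced. Iterating with `File.foreach` closes the file automatically and allows the loop to stop at the first securityfs mount that contains `apparmor`; rescuing only `SystemCallError, IOError` keeps the best-effort behaviour for the cases that can actually fail here. `File.exists?` is the deprecated alias of `File.exist?`. The rewritten block below yields the same value: true only when `/sys/module/apparmor` exists and some securityfs mount point has an `apparmor` entry.
```ruby
Facter.add("apparmor") do
  setcode do
    result = false
    if File.exist?("/sys/module/apparmor")
      begin
        File.foreach("/proc/mounts") do |line|
          fields = line.split
          next unless fields[2] == "securityfs"
          if File.exist?(File.join(fields[1], "apparmor"))
            result = true
            break
          end
        end
      rescue SystemCallError, IOError
        # best effort: an unreadable /proc/mounts leaves result false
      end
    end
    result
  end
end
```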
@@ -279,6 +279,11 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], $zone = "$2/$3" $zonefile = "$2-$3" } else { + case dirname($name) { + ".": { $view = "" } + "default": { $view = "" } + default: { $view = dirname($name) } + } $zone = basename($name) $zonefile = $zone } @@ -347,7 +352,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], mode => "0750", owner => "root", group => $dns::server::group, - before => File["${dns::server::chroot}${dns::server::confdir}/${view}zone.${zonefile}"], + before => File["${dns::server::chroot}${dns::server::confdir}/${view}/zone.${zonefile}"], } } } @@ -370,7 +375,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], } } - file { "${dns::server::chroot}${dns::server::confdir}/${view}zone.${zonefile}": + file { "${dns::server::chroot}${dns::server::confdir}/${view}/zone.${zonefile}": ensure => present, content => template("dns/zone.$role.erb"), mode => "0640", From 3e176d53406dab9e1c7c99bdae9078f40902addd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20M=E4kinen?= Date: Wed, 9 Jan 2013 12:06:33 +0200 Subject: [PATCH 7/7] Fixed config directory paths from dns::server when using views. --- dns/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dns/manifests/init.pp b/dns/manifests/init.pp index 9142889..0555f1b 100644 --- a/dns/manifests/init.pp +++ b/dns/manifests/init.pp @@ -368,7 +368,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], owner => "root", group => $dns::server::group, before => $role ? { - "master" => File["${dns::server::chroot}${zonedir}db.${zonefile}"], + "master" => File["${dns::server::chroot}${zonedir}/db.${zonefile}"], default => undef, }, } 
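Review bot: With `$view` set to `""` for the `"."` and `"default"` cases, the titles rewritten in the two later hunks of this patch (`.../${view}/zone.${zonefile}`) render as `confdir//zone.x` for zones without a view. Whether Puppet collapses that doubled slash when it munges a file title depends on the version, and any other reference to the same file written as `confdir/zone.x` would, as far as I can tell, not match it; worth verifying against the other resources in this define, which begins outside the hunk. Computing the prefix once avoids the question: `$viewdir = $view ? { "" => "", default => "${view}/" }` next to the `case`, then `File["${dns::server::chroot}${dns::server::confdir}/${viewdir}zone.${zonefile}"]` in both places. The `"default": { $view = "" }` arm also duplicates the `"."` arm; `".", "default": { $view = "" }` says the same thing in one line.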
@@ -390,7 +390,7 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [], if $role == "master" and $zone != "." { if $source != "AUTO" { - file { "${dns::server::chroot}${zonedir}db.${zonefile}": + file { "${dns::server::chroot}${zonedir}/db.${zonefile}": ensure => present, source => $source, mode => "0640",