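<%#
  Renders the slapd.conf "database" section for one directory suffix.
  Template inputs (Puppet variables):
    name                 - database suffix DN; also used for the rootdn, the ppolicy DN,
                           the data directory and the SASL identity maps
    ldap_server_modules  - optional list of overlay names rendered before ppolicy/syncprov
    moduleoptions        - list of "directive=value" strings rendered as "directive value"
    master               - syncrepl provider URL; "" renders the database without replication
    ldap_basedn          - base DN used for the replication searchbase and replicator binddn
    syncpw               - replicator bind password (written in cleartext into slapd.conf)
    ldap::server::config - config root that holds slapd.conf.d/{acl,index}.<name>.conf
-%>
#######################################################################
# Database <%= name %> config
#######################################################################
database hdb
suffix "<%= name %>"
# flush the transaction log every 1024 KiB or every 15 minutes
checkpoint 1024 15
# No rootpw is set in this section: the rootdn is reached through the
# ldapi:/// peercred mapping for uidNumber=0 (see sasl-regexp below).
rootdn "cn=manager,<%= name %>"
<% if has_variable?("ldap_server_modules") -%>
<% ldap_server_modules.each do |mod| -%>
overlay <%= mod %>
<% end -%>
<% end -%>
<% moduleoptions.each do |opt| -%>
<%# split on the first "=" only, so a value that itself contains "=" (a DN, a filter) is kept whole -%>
<% key, value = opt.split("=", 2) -%>
<%= key %> <%= value %>
<% end -%>
overlay ppolicy
ppolicy_default cn=pwdPolicy,cn=config,<%= name %>
# hash cleartext userPassword values on add/modify so none are stored as given
ppolicy_hash_cleartext
# a locked account answers AccountLocked instead of invalidCredentials,
# which tells the client (and anyone probing) that the lock is in place
ppolicy_use_lockout
# sha512-crypt; "%.8s" is replaced by 8 random salt characters
password-hash {CRYPT}
password-crypt-salt-format "$6$%.8s"
overlay syncprov
# persist the contextCSN after 100 write ops or 10 minutes; keep a 100-op session log
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /srv/ldap/<%= name %>
<% if master != "" -%>
# replication
# rid is fixed at 2: it must be unique per syncrepl directive on this
# server, so a second database rendered from this template would clash.
# NOTE(review): tls_reqcert=never skips verification of the provider's
# certificate and the replicator password is sent over a simple bind, so
# an on-path attacker could read it; prefer tls_reqcert=demand once the
# provider's CA is trusted. Whether TLS is used at all depends on the
# scheme of the master URL (no starttls= is set here).
# NOTE(review): searchbase/binddn use ldap_basedn while the rest of this
# section uses name - confirm the two are meant to differ.
syncrepl rid=2
  provider=<%= master %>
  type=refreshAndPersist
  retry="10 10 60 +"
  searchbase="<%= ldap_basedn %>"
  filter="(objectClass=*)"
  scope="sub"
  sizelimit=500000
  timelimit=360000
  schemachecking="off"
  bindmethod="simple"
  tls_reqcert="never"
  binddn="uid=replicator,cn=config,<%= ldap_basedn %>"
  credentials="<%= syncpw %>"
# writes attempted on this consumer are referred to the provider
updateref <%= master %>
<% end -%>
# include acl and index configs
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/acl.<%= name %>.conf
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/index.<%= name %>.conf
# map local users connecting via ldapi:///
# SASL EXTERNAL over ldapi:/// presents gidNumber=G+uidNumber=U,cn=peercred,cn=external,cn=auth;
# local root (uidNumber=0) becomes the rootdn, every other uid is resolved by uidNumber
sasl-regexp "gidNumber=([\d]+)+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,<%= name %>"
sasl-regexp "gidNumber=([\d]+)+uidNumber=([\d]+),cn=peercred,cn=external,cn=auth" ldap:///<%= name %>??sub?(&(uidNumber=$2)(objectClass=posixAccount))
# map sasl authenticated users
# $1 is substituted into the search filter of the URL; consider the narrower
# "uid=([^,]*)" form used in the OpenLDAP Admin Guide so a comma or filter
# metacharacter in the authcid cannot widen the match
sasl-regexp "uid=(.*),cn=plain,cn=auth" ldap:///<%= name %>??sub?(&(uid=$1)(objectClass=posixAccount))
sasl-regexp "uid=(.*),cn=login,cn=auth" ldap:///<%= name %>??sub?(&(uid=$1)(objectClass=posixAccount))
sasl-regexp "uid=(.*),cn=gssapi,cn=auth" ldap:///<%= name %>??sub?(&(uid=$1)(|(objectClass=posixAccount)(objectClass=krb5Principal)))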