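# Configure an OpenLDAP server (slapd with the mdb backend) on top of the
# `openldap` module: TLS material copied from the Puppet agent, the schema
# files shipped in this module, the cn=config and main databases, optional
# mirror-mode syncrepl replication between the listed providers, and an
# ordered ACL set handed to openldap::server::access_wrapper.
#
# @param log_level          slapd LogLevel value.
# @param configdn           Root DN of the cn=config database.
# @param configpw           Root password of the cn=config database.
# @param syncrepl_providers Replication peers; each entry is a hash with the
#                           keys proto, host and port and optionally ip (which
#                           adds a static host entry).  An empty list leaves
#                           syncrepl and mirrormode unset.
# @param database           Suffix of the main database (e.g. dc=example,dc=org).
# @param rootdn             Root DN of the main database; also the syncrepl bind DN.
# @param rootpw             Root password of the main database; also the
#                           syncrepl credentials.
# @param starttls           Value of the syncrepl `starttls=` option.
# @param serverid           ServerID of this node; must differ between mirrors.
# @param simple_bind_tls    Minimum SSF required for simple binds
#                           (the `simple_bind=` part of the Security directive).
# @param schema_path        Directory the schema files are written to.
# @param schema             Schema names; each one is taken from
#                           wmdeit_ldap/schema/<name>.schema in this module.
# @param ssldir             Directory holding the copied CA cert, server cert and key.
# @param acl                Ordered ACL map ('<n> to <what>' => list of `by`
#                           clauses) passed to openldap::server::access_wrapper.
class wmdeit_ldap (
  $log_level          = 0,
  $configdn,
  $configpw,
  $syncrepl_providers = [],
  $database,
  $rootdn,
  $rootpw,
  $starttls           = 'no',
  $serverid,
  $simple_bind_tls    = '128',
  $schema_path        = '/etc/ldap/schema',
  $schema             = [
    'core',
    'cosine',
    'inetorgperson',
    # Previously listed but currently disabled schema names:
    # nis, rfc2307bis, krb5-kdc, samba, ppolicy, solaris, dnszone, univention,
    # univention-objecttype, directory, policy, msgpo, dhcp, univention-dhcp,
    # mail, automount, user, self-service-passwordreset, univention-saml,
    # univention-virtual-machine-manager, nagios, share, network, portal,
    # univention-default, univention-app, univention-object-metadata,
    # univention-ldap-extension, license, template, lock, udm-extension,
    # custom-attribute, univention-syntax, openssh, nextcloud, openproject,
    # networkaccess
  ],
  $ssldir             = '/etc/ldap/ssl',
  $acl                = {
    # 0: the local root user (peer credentials on the ldapi socket) manages everything.
    '0 to *' => [
      'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
      'by * break',
    ],
    # 1: members of the Administrators group get write access.
    '1 to *' => [
      "by set=\"user & [cn=Administrators,ou=Groups,${database}]/member\" write",
      'by * break',
    ],
    # 2: members of the system Adm group get write access.
    '2 to *' => [
      "by set=\"user & [cn=Adm,ou=Groups,ou=System,${database}]/member\" write",
      'by * break',
    ],
    # 3: members of the system ReadOnlyAdm group get read access.
    '3 to *' => [
      "by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,${database}]/member\" read",
      'by * break',
    ],
    # 4: users may change their own password, anonymous may only authenticate
    #    against it, nobody else sees it.  Entries in the NOLOGIN group are
    #    excluded by the filter and fall through to rule 7, which grants
    #    nothing, so password binds for those accounts are refused.  The
    #    group DN follows $database like the other rules (it used to be
    #    hard-coded).
    "4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,${database}))" => [
      'by self write',
      'by anonymous auth',
      'by * none',
    ],
    # 5: a few naming attributes are readable by every authenticated user.
    '5 to attr=entry,objectClass,givenName,cn,displayName' => [
      'by anonymous break',
      'by * read',
    ],
    # 6: anonymous users may list uids below the suffix.
    "6 to dn.subtree=\"${database}\" attrs=entry,objectClass,uid" => [
      'by anonymous read',
      'by * break',
    ],
    # 7: everything else is denied.
    '7 to *' => [
      'by * none',
    ],
  },
) {

  $clientcert = $facts['clientcert']
  $pubcert    = "${ssldir}/cert.pem"
  $privkey    = "${ssldir}/priv.pem"
  $cacert     = "${ssldir}/ca.pem"

  # Backend and overlay modules the databases below depend on.
  openldap::server::module { 'back_mdb':
    ensure => present,
  }
  -> openldap::server::module { 'memberof':
    ensure => present,
  }
  -> openldap::server::module { 'syncprov':
    ensure => present,
  }

  # Heimdal KDC and the smbk5pwd overlay module (the overlay itself is not
  # enabled on the database here).
  package { 'heimdal-kdc':
    ensure => installed,
  }
  -> package { 'slapd-smbk5pwd':
    ensure => installed,
  }
  -> openldap::server::module { 'smbk5pwd':
    ensure => present,
  }

  class { 'openldap::server':
    ssl_ca    => $cacert,
    ssl_cert  => $pubcert,
    ssl_key   => $privkey,
    ldaps_ifs => ['/'],
  }

  # Remove the schema and the default database that the distribution package
  # creates at installation time.  Runs once, guarded by the marker file, and
  # deliberately hooks into internal classes of the openldap module so that it
  # happens after the package install and before cn=config is written.
  # `path` is set explicitly so rm/touch do not depend on the agent's PATH.
  exec { 'wmdemanaged':
    before  => Class['::openldap::server::config'],
    require => Class['::openldap::server::install'],
    creates => '/etc/ldap/wmde.managed',
    path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
    command => @(CMD/L),
      /usr/sbin/service slapd stop && \
      rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' && \
      rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' && \
      rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' && \
      /usr/sbin/service slapd start && \
      touch /etc/ldap/wmde.managed
      | CMD
  }

  # TLS material: the CA cert, certificate and private key the Puppet agent
  # uses are copied into a directory owned by the openldap user.  This gives
  # the slapd service user read access to the node's Puppet private key; keep
  # that in mind when assessing what a compromised slapd can do.  Puppet adds
  # the execute bit to directories for every read bit in `mode`, so the
  # directory ends up 0700 and the files 0600.
  file { $ssldir:
    ensure => directory,
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  -> file { $cacert:
    ensure => file,
    source => '/var/lib/puppet/ssl/certs/ca.pem',
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  -> file { $pubcert:
    ensure => file,
    source => "/var/lib/puppet/ssl/certs/${clientcert}.pem",
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  -> file { $privkey:
    ensure => file,
    source => "/var/lib/puppet/ssl/private_keys/${clientcert}.pem",
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }

  openldap::server::globalconf { 'LogLevel':
    ensure => present,
    value  => { 'LogLevel' => "${log_level}" },
  }

  # Security directive: simple binds need an SSF of at least $simple_bind_tls
  # (in practice a TLS session), so passwords are not accepted in clear text.
  # ssf=0 and tls=0 set no floor for other operations, which may therefore
  # still run unencrypted.
  openldap::server::globalconf { 'Security':
    ensure => present,
    value  => {
      'Security' => ["simple_bind=${simple_bind_tls}", 'ssf=0', 'tls=0'],
    },
  }

  # Install each schema file from this module and register it in cn=config.
  $schema.each |$s| {
    file { "${schema_path}/${s}.schema":
      ensure  => file,
      content => file("wmdeit_ldap/schema/${s}.schema"),
    }
    -> openldap::server::schema { $s:
      ensure => present,
      path   => "${schema_path}/${s}.schema",
    }
  }

  openldap::server::globalconf { 'ServerID':
    ensure => present,
    value  => { 'ServerID' => "${serverid}" },
  }

  # cn=config database with its own root DN and password.
  openldap::server::database { 'cn=config':
    ensure  => present,
    backend => config,
    rootdn  => $configdn,
    rootpw  => $configpw,
  }

  # Replication: one syncrepl line per provider plus mirrormode, only when
  # providers are configured.  Both are explicitly undef otherwise so the
  # database attributes are left unset (previously the variables were simply
  # never assigned, which fails with strict_variables enabled).
  if empty($syncrepl_providers) {
    $mirrormode = undef
    $syncrepl   = undef
  } else {
    $mirrormode = true
    $syncrepl   = $syncrepl_providers.map |Integer $index, $provider| {
      $rid = $index + 1
      # The bind credentials ($rootpw) become part of the database entry in
      # cn=config; access to cn=config is limited to $configdn above.
      join([
        "rid=00${rid}",
        "provider=${provider['proto']}://${provider['host']}:${provider['port']}",
        "binddn=\"${rootdn}\"",
        'bindmethod=simple',
        "credentials=${rootpw}",
        "searchbase=\"${database}\"",
        'scope=sub',
        'attrs="*,+"',
        'filter="(objectClass=*)"',
        'type=refreshAndPersist',
        "tls_cacert=${cacert}",
        "tls_key=${privkey}",
        "tls_cert=${pubcert}",
        "starttls=${starttls}",
        'retry="3 60 6 300 30 +"',
        'timeout=1',
      ], ' ')
    }

    # Static host entries for providers that carry an ip key, so replication
    # does not depend on DNS.
    $syncrepl_providers.each |Integer $index, $provider| {
      if $provider['ip'] {
        host { "host_${index}":
          ensure => present,
          name   => $provider['host'],
          ip     => $provider['ip'],
        }
      }
    }
  }

  # Main database, its overlays, then the ACLs.  memberof tracks the `member`
  # attribute of groupOfMembers entries, which the set-based ACL rules rely on.
  openldap::server::database { $database:
    ensure     => present,
    backend    => mdb,
    rootdn     => $rootdn,
    rootpw     => $rootpw,
    syncrepl   => $syncrepl,
    mirrormode => $mirrormode,
  }
  -> openldap::server::overlay { "memberof on ${database}":
    ensure  => present,
    options => { 'olcMemberOfGroupOC' => 'groupOfMembers' },
  }
  -> openldap::server::overlay { "syncprov on ${database}":
    ensure => present,
  }
  -> openldap::server::access_wrapper { $database:
    acl => $acl,
  }

  # Earlier per-rule openldap::server::access / dbindex declarations and the
  # ppolicy, smbk5pwd and TLSVerifyClient experiments were dropped; the ACLs
  # are applied solely through the access wrapper above.
}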