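# Installs OpenLDAP (slapd) plus ldapscripts, manages the slapd defaults file
# and the service, and loads a TLS configuration into cn=config through
# ldapmodify over the local ldapi:/// socket (SASL EXTERNAL, so the exec
# relies on running as root).
#
# Resources declared:
#   * Package["slapd"], Package["ldapscripts"]
#   * Service["slapd"] (running, enabled)
#   * File["/etc/default/slapd"]            – static file from the module
#   * File["/etc/ldap/slapd.d/tls-config.ldif"] – rendered from a template
#   * Exec["tls-config.ldif"]               – applies the ldif when it changes
class hgr::slapd {
  # TODO (original author's note): first define an admin password for LDAP.

  package {
    "slapd":       ensure => installed;
    "ldapscripts": ensure => installed;
  }

  # The service is ordered after the defaults file so slapd is first started
  # with the intended startup options.
  service { "slapd":
    ensure  => running,
    enable  => true,
    require => [Package["slapd"], File["/etc/default/slapd"]];
  }

  file {
    "/etc/default/slapd":
      ensure  => present,
      source  => "puppet:///modules/hgr/slapd/slapd.default",
      owner   => "root",
      group   => "root",
      mode    => "0644",
      require => Package["slapd"];

    # FIX: the file type's parameter is `content`; the original used
    # `contents`, which is not a valid parameter and fails catalog compilation.
    # NOTE(review): the ldif is placed inside slapd's own config directory
    # (/etc/ldap/slapd.d). Presumably slapd ignores files that are not part of
    # its cn=config tree — confirm, or move it elsewhere under /etc/ldap.
    "/etc/ldap/slapd.d/tls-config.ldif":
      ensure  => present,
      content => template("hgr/slapd/tls-config.ldif.erb"),
      owner   => "root",
      group   => "root",
      mode    => "0644",
      require => Package["slapd"];
  }

  # Load the TLS settings into cn=config.
  # Runs only on refresh from the ldif file (refreshonly) and is additionally
  # skipped once cn=config.ldif already contains an olcTLS attribute, so later
  # edits to the template are not re-applied automatically; a changed TLS
  # setup needs the olcTLS attributes removed (or the `unless` dropped) before
  # the exec will run again.
  # FIX: the `unless` check used the relative path 'cn=config.ldif'; exec sets
  # no cwd, so grep ran in an unspecified directory and the guard was
  # unreliable. The absolute path under /etc/ldap/slapd.d is used instead.
  exec { "tls-config.ldif":
    command     => "/usr/bin/ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls-config.ldif",
    unless      => "/bin/grep olcTLS /etc/ldap/slapd.d/cn=config.ldif",
    logoutput   => true,
    refreshonly => true,
    subscribe   => File["/etc/ldap/slapd.d/tls-config.ldif"],
    timeout     => 5,
    require     => [Service["slapd"], File["/etc/ldap/slapd.d/tls-config.ldif"]];
  }

  # Still to do (kept from the original manifest):
  #   add openldap to the ssl-cert group
  #     (usermod -a -G ssl-cert openldap)
  #     unless 'groups openldap | grep ssl-cert'
  #   ensure /etc/ssl/private is group-readable
  #   open 636 on /etc/iptables/rules.v4
}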