--- /dev/null
+class hgr::slapd {
+
+ # first define a admin password for LDAP
+
+ package {
+ "slapd" : ensure => installed;
+ "ldapscripts" : ensure => installed;
+ }
+
+ service {
+ "slapd":
+ ensure => running,
+ enable => true,
+ require => [Package["slapd"],File["/etc/default/slapd"]];
+ }
+
+ file {
+ "/etc/default/slapd":
+ ensure => present,
+ source => "puppet:///modules/hgr/slapd/slapd.default",
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ require => Package["slapd"];
+
+ "/etc/ldap/slapd.d/tls-config.ldif":
+ ensure => present,
+ contents => template("hgr/slapd/tls-config.ldif.erb"),
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ require => Package["slapd"];
+ }
+
+ exec {
+ "tls-config.ldif":
+ command => "/usr/bin/ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls-config.ldif",
+ unless => "/bin/grep olcTLS 'cn=config.ldif'",
+ logoutput => true,
+ refreshonly => true,
+ subscribe => File["/etc/ldap/slapd.d/tls-config.ldif"],
+ timeout => 5,
+ require => [Service["slapd"],File["/etc/ldap/slapd.d/tls-config.ldif"]];
+ }
+
+ # add openldap to the ssl-cert group
+ # (usermod -a -G ssl-cert openldap)
+ # unless 'groups openldap | grep ssl-cert'
+
+ # Need to ensure /etc/ssl/private is group-readable
+
+ # Need to open 636 on /etc/iptables/rules.v4
+
+
+}
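Review bot: The file resource for `/etc/ldap/slapd.d/tls-config.ldif` uses `contents => template(...)`, but the Puppet `file` attribute is `content`, so this catalog will fail to compile; change it to `content => template("hgr/slapd/tls-config.ldif.erb"),`. The `unless` guard on the `tls-config.ldif` exec greps a relative path (`'cn=config.ldif'`) with no `cwd` set, so it will never find the file and the guard is ineffective; use the absolute path, e.g. `unless => "/bin/grep olcTLS '/etc/ldap/slapd.d/cn=config.ldif'",` (and note that with `refreshonly => true` the exec only runs on a refresh of the ldif anyway, so the guard matters only for that case). The `timeout => 5` on `ldapmodify` is tight enough that a slow first start of slapd could make the TLS configuration silently fail to apply, which is worth a comment or a larger value. For the TODO on making `/etc/ssl/private` group-readable, the follow-up should keep the directory at `root:ssl-cert 0750` rather than widening it to other users, since the private key is what that directory protects.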