From fd22563ee2522d22e877238ecd4996392f543c75 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 16 Sep 2019 13:39:59 +0200
Subject: [PATCH] Ship an initial ftmg slapd config
---
 modules/roles/files/sso/slapd-ftmg.conf | 0
 modules/roles/manifests/sso.pp | 16 +++++++++--
 .../roles/templates/sso/slapd-ftmg.conf.erb | 27 +++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)
 delete mode 100644 modules/roles/files/sso/slapd-ftmg.conf
 create mode 100644 modules/roles/templates/sso/slapd-ftmg.conf.erb
diff --git a/modules/roles/files/sso/slapd-ftmg.conf b/modules/roles/files/sso/slapd-ftmg.conf
deleted file mode 100644
index e69de29bb..000000000
diff --git a/modules/roles/manifests/sso.pp b/modules/roles/manifests/sso.pp
index 052ddc1f5..6a119d4c5 100644
--- a/modules/roles/manifests/sso.pp
+++ b/modules/roles/manifests/sso.pp
@@ -1,3 +1,6 @@
+# Debian SSO class.
+#
+# This sets up the web service as well as the LDAP backend for ftmg
 class roles::sso {
 include apache2
 include roles::sso_rp
@@ -11,6 +14,8 @@ class roles::sso {
 key => true,
 }
+ $ftmg_dsa_root_password = hkdf('/etc/puppet/secret', "roles::sso::slapd-ftmg::${::fqdn}")
+
 ensure_packages ( [
 'slapd',
 ], {
@@ -29,13 +34,20 @@ class roles::sso {
 notify => Service['slapd'],
 }
 file { '/etc/ldap/slapd-ftmg.conf':
- source => 'puppet:///modules/roles/sso/slapd-ftmg.conf',
- notify => Service['slapd'],
+ content => template('roles/sso/slapd-ftmg.conf.erb'),
+ notify => Service['slapd'],
 }
 file { '/etc/default/slapd':
 source => 'puppet:///modules/roles/sso/default-slapd',
 notify => Service['slapd'],
 }
+ file { '/var/lib/ldap-ftmg':
+ ensure => directory,
+ mode => '0700',
+ owner => 'openldap',
+ group => 'openldap',
+ notify => Service['slapd'],
+ }
 file { '/etc/ldap/schema/openssh-ldap.schema':
 source => 'puppet:///modules/roles/sso/openssh-ldap.schema',
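Review bot: The value assigned to `$ftmg_dsa_root_password` in the second hunk is a live credential (it becomes slapd's `rootpw` via the template in the same commit), but it is held as a plain string, so it is rendered into the `content =>` of the file resource and presumably travels in the compiled catalog and in any stored catalogs or reports on the master — worth confirming that retention treats it as sensitive. If the Puppet version in use supports it, wrapping the value, e.g. `$ftmg_dsa_root_password = Sensitive(hkdf('/etc/puppet/secret', "roles::sso::slapd-ftmg::${::fqdn}"))`, keeps it out of logs and diffs; otherwise a comment such as `# Derived per-host root password for the ftmg slapd instance; ends up in cleartext in /etc/ldap/slapd-ftmg.conf` would at least make the exposure explicit to the next maintainer. The enclosing class body continues outside this hunk.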
diff --git a/modules/roles/templates/sso/slapd-ftmg.conf.erb b/modules/roles/templates/sso/slapd-ftmg.conf.erb
new file mode 100644
index 000000000..dd03f10e4
--- /dev/null
+++ b/modules/roles/templates/sso/slapd-ftmg.conf.erb
@@ -0,0 +1,27 @@
+# slapd configuration for SSO's user management DB, ftmg
+
+moduleload back_mdb
+database mdb
+directory "/var/lib/ldap-ftmg"
+suffix "dc=ftmg,dc=sso,dc=debian,dc=org"
+
+rootdn "cn=root,dc=ftmg,dc=sso,dc=debian,dc=org"
+rootpw "<%= @ftmg_dsa_root_password %>"
+
+maxsize 134217728
+checkpoint 131072 5
+
+index cn,sn,uid pres,eq,approx,sub
+index objectClass eq
+
+access to *
+ by dn="cn=admin,dc=ftmg,dc=sso,dc=debian,dc=org" write
+ by * break
+
+access to attrs=userPassword
+ by self write
+ by * break
+
+access to *
+ by anonymous auth
+ by * break
-- 
2.20.1
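Review bot: The `rootpw "<%= @ftmg_dsa_root_password %>"` line writes the directory's root credential in cleartext, yet the file resource in sso.pp that renders this template sets no `mode`, `owner` or `group` for `/etc/ldap/slapd-ftmg.conf`, so on a fresh host the file presumably gets Puppet's default permissions rather than the restrictive ones given to `/var/lib/ldap-ftmg` in the same commit. Adding `mode => '0640', owner => 'root', group => 'openldap',` to that resource (slapd runs as `openldap` here, judging by the data directory ownership) keeps the secret readable only by the daemon. slapd also accepts a hashed `rootpw` (an RFC 2307 `{SSHA}` value), which would avoid storing the cleartext at all if the manifest can produce the hash. The final `access to *` clause ends in `by * break` with nothing after it; I believe slapd then denies, but an explicit trailing `access to * by * none` would make the intended default unambiguous.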