authorHugo Hörnquist <hugo@lysator.liu.se>2023-06-20 19:39:08 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-06-20 19:39:08 +0200
commita02332f46086050f903ea52bc72378583f404ac2 (patch)
tree9c6c5ce441aa23c5f458eec05199d562c04eb152
parentLint fixes. (diff)
Major work.
-rw-r--r--files/head.php12
-rw-r--r--files/tail.php1
-rw-r--r--manifests/auto_number/search.pp32
-rw-r--r--manifests/auto_number/uidpool.pp13
-rw-r--r--manifests/init.pp68
-rw-r--r--metadata.json4
-rw-r--r--templates/auto_number/search.epp29
-rw-r--r--templates/auto_number/uidpool.epp11
-rw-r--r--templates/config.php.epp128
9 files changed, 199 insertions, 99 deletions
diff --git a/files/head.php b/files/head.php
new file mode 100644
index 0000000..1644b01
--- /dev/null
+++ b/files/head.php
@@ -0,0 +1,12 @@
+<?php
+/**
+ * The phpLDAPadmin config file
+ * See: http://phpldapadmin.sourceforge.net/wiki/index.php/Config.php
+ *
+ * DONT change config_default.php, you changes will be lost by the next release
+ * of PLA. Instead change this file - as it will NOT be replaced by a new
+ * version of phpLDAPadmin.
+ *
+ * This file is managed by PUPPET.
+ * Local changes WILL be overwritten.
+ */
diff --git a/files/tail.php b/files/tail.php
new file mode 100644
index 0000000..e11c8ac
--- /dev/null
+++ b/files/tail.php
@@ -0,0 +1 @@
+?>
diff --git a/manifests/auto_number/search.pp b/manifests/auto_number/search.pp
new file mode 100644
index 0000000..2bb5ce8
--- /dev/null
+++ b/manifests/auto_number/search.pp
@@ -0,0 +1,32 @@
+# @summary Enable automatic uid and gid numbers by searching.
+#
+# @param search_base
+# ou=People,dc=example,dc=com
+#
+# @param uid
+# Minimum value for user id when searching for next available.
+#
+# @param gid
+# Minimum value for group id when searching for next available.
+#
+# @param dn
+# If you set this, then phpldapadmin will bind to LDAP with this user ID when
+# searching for the uidnumber. The idea is, this user id would have full
+# (readonly) access to uidnumber in your ldap directory (the logged in user
+# may not), so that you can be guaranteed to get a unique uidnumber for your
+# directory.
+# @param pass
+# The password for the dn above.
+class phpldapadmin::auto_number::search (
+ String $search_base,
+ Integer $uid = 10000,
+ Integer $gid = 10000,
+ Optional[String] $dn = undef,
+ Optional[Variant[String, Sensitive[String]]] $pass = undef,
+) {
+ concat::fragment { 'phpLDAPadmin Auto Number':
+ content => epp("${module_name}/auto_number/search.epp"),
+ target => $phpldapadmin::config_file,
+ order => $phpldapadmin::base_config_order + 10,
+ }
+}
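Review bot: The fragment reads `$phpldapadmin::config_file` and `$phpldapadmin::base_config_order` but the class never declares that `phpldapadmin` must be evaluated first, so if a profile declares this class before (or without) the main class those variables are undef — the fragment then has no usable `target`, and under `strict_variables` compilation fails outright. Add `include phpldapadmin` as the first statement of the body; `manifests/auto_number/uidpool.pp` in this commit has the same gap. The two classes deliberately share the fragment title `'phpLDAPadmin Auto Number'`, which makes declaring both a duplicate-declaration error; a one-line comment saying that this mutual exclusion is intended would save the next reader from "fixing" it. The `@param search_base` text is an example value rather than a description; `# Base DN under which existing uidNumber/gidNumber values are searched, e.g. ou=People,dc=example,dc=com` reads better.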
diff --git a/manifests/auto_number/uidpool.pp b/manifests/auto_number/uidpool.pp
new file mode 100644
index 0000000..813afd0
--- /dev/null
+++ b/manifests/auto_number/uidpool.pp
@@ -0,0 +1,13 @@
+# @summary Enable automatic uid and gid number through a pool.
+#
+# It's unclear if this module works. the documentation mentions a
+# pre-defined uid pool, but no information about how to set it up.
+#
+class phpldapadmin::auto_number::uidpool (
+) {
+ concat::fragment { 'phpLDAPadmin Auto Number':
+ content => epp("${module_name}/auto_number/uidpool.epp"),
+ target => $phpldapadmin::config_file,
+ order => $phpldapadmin::base_config_order + 10,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index b8be630..736ed79 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,19 +1,52 @@
# @summary Configures PHPLDAPAdmin
# @param servername
# Pretty name for the server
+#
+# Only used if `$ldap_servers` is unset.
# @param server_uri
# Address of ldap server to connect to
+# /* Examples:
+# 'ldap.example.com',
+# 'ldaps://ldap.example.com/',
+# 'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
+# (Unix socket at /usr/local/var/run/ldap) */
+#
+# Only used if `$ldap_servers` is unset.
# @param port
# Port of ldap server to connect to
+#
+# Only used if `$ldap_servers` is unset.
# @param debug_mode
# @param tmpdir
# @param timezone
# @param friendly_attrs
# @param auth_type
+# @param blowfish_secret
+# phpLDAPadmin can encrypt the content of sensitive cookies if you
+# set this to a big random string.
+# @param base_dn
+# Optional list of base DNs of the ldap server. If left blank
+# then phpLDAPadmin auto-detect it for you
+# @param bind_dn_template
+# If login_attr was set to 'dn', it is possible to specify a template string to
+# build the DN from. Use '%s' where user input should be inserted. A user may
+# still enter the complete DN. In this case the template will not be used.
+#
+# Example: "cn=%s,ou=people,dc=example,dc=com"
+# @param config_file
+# Path to the configuration file.
+# TODO manage the symlink from the webroot to the configuration file.
+# @param ldap_servers
+# List of configured ldap servers. Defaults to a single server
+# consisting of $server_uri, $servername, and $port.
+#
+# @param open_tree
+# @param base_config_order
class phpldapadmin (
String $servername = 'My LDAP Server',
String $server_uri = '127.0.0.1',
- Integer[0, 65535] $port = 389,
+ Optional[Integer[0, 65535]] $port = undef,
+ String $config_file = '/etc/webapps/phpldapadmin/config.php',
Boolean $debug_mode = false,
String $tmpdir = '/tmp',
Optional[String] $timezone = undef,
@@ -26,9 +59,24 @@ class phpldapadmin (
'userPassword' => 'Password',
},
Enum['cookie', 'session', 'http', 'config', 'sasl', 'sasl_external'] $auth_type = 'session',
+ Array[Struct[{
+ name => Optional[String],
+ host => String,
+ port => Optional[Stdlib::Port],
+ }]] $ldap_servers = [{
+ name => $servername,
+ host => $server_uri,
+ port => $port,
+ }],
+ Optional[Sensitive[String]] $blowfish_secret = undef,
+ Optional[Array[String]] $base_dn = undef,
+ Optional[String] $bind_dn_template = undef,
+ Boolean $open_tree = false,
+ Integer $base_config_order = 10,
) {
ensure_packages(['phpldapadmin'])
+ # TODO
# /etc/php7/php.ini
# extension=ldap
# exteniosn
@@ -38,7 +86,23 @@ class phpldapadmin (
ensure => directory,
}
- file { '/etc/webapps/phpldapadmin/config.php':
+ concat { $config_file:
+ order => 'numeric',
+ }
+
+ concat::fragment { 'phpLDAPadmin header':
+ order => 0,
+ source => "puppet:///modules/${module_name}/head.php",
+ }
+
+ concat::fragment { 'phpLDAPadmin trailer':
+ order => 99,
+ source => "puppet:///modules/${module_name}/tail.php",
+ }
+
+ concat::fragment { 'Base phpLDAPadmin configuration':
content => epp("${module_name}/config.php.epp"),
+ target => $config_file,
+ order => $base_config_order,
}
}
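Review bot: The `'phpLDAPadmin header'` and `'phpLDAPadmin trailer'` fragments set `order` and `source` but no `target`, and concat::fragment has no default for it, so this catalog should fail to compile as written; add `target => $config_file,` to both, matching the base-configuration fragment below them. The `concat { $config_file: }` resource also sets no `owner`, `group`, `mode` or `show_diff`; the assembled file now carries `$blowfish_secret` and, when the search class is used, an LDAP bind password, so it should at least get `mode => '0640',` with the web server's group as `group`, and `show_diff => false,` so the secrets do not end up in agent reports and logs. The order values are consistent with `order => 'numeric'` (0, 10, auto-number at `$base_config_order + 10`, 99), which is worth stating in a comment on the concat resource since the auto_number classes depend on it.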
diff --git a/metadata.json b/metadata.json
index 2c21089..0e5bb6f 100644
--- a/metadata.json
+++ b/metadata.json
@@ -9,6 +9,10 @@
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 8.1.0 < 9.0.0"
+ },
+ {
+ "name": "puppetlabs/concat",
+ "version_requirement": ">= 8.0.0 < 9.0.0"
}
],
"operatingsystem_support": [
diff --git a/templates/auto_number/search.epp b/templates/auto_number/search.epp
new file mode 100644
index 0000000..5817c76
--- /dev/null
+++ b/templates/auto_number/search.epp
@@ -0,0 +1,29 @@
+/* This feature allows phpLDAPadmin to automatically determine the next
+ available uidNumber for a new entry. */
+$servers->setValue('auto_number','enable',true);
+
+/* The mechanism to use when finding the next available uidNumber. Two possible
+ values: 'uidpool' or 'search'.
+ The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to
+ blindly lookup the next available uidNumber. The 'search' mechanism searches
+ for entries with a uidNumber value and finds the first available uidNumber
+ (slower). */
+$servers->setValue('auto_number', 'mechanism', 'search');
+
+/* The DN of the search base when the 'search' mechanism is used above. */
+
+$servers->setValue('auto_number','search_base','<%= $phpldapadmin::auto_number::search::search_base %>');
+
+/* The minimum number to use when searching for the next available number
+ (only when 'search' is used for auto_number. */
+$servers->setValue('auto_number','min',array(
+ 'uidNumber' => <%= $phpldapadmin::auto_number::search::uid %>,
+ 'gidNumber' => <%= $phpldapadmin::auto_number::serach::gid %>));
+
+<% if $phpldapadmin::auto_number::search::dn { %>
+$servers->setValue('auto_number', 'dn', '<%= $phpldapadmin::auto_number::search::dn %>');
+<% } %>
+
+<% if $phpldapadmin::auto_number::search::pass { %>
+$servers->setValue('auto_number', 'pass', '<%= $phpldapadmin::auto_number::search::pass %>');
+<% } %>
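Review bot: The `gidNumber` element reads `$phpldapadmin::auto_number::serach::gid` — `serach` is a typo, and no such class exists — so the template either fails to render under strict variable checking or emits `'gidNumber' => ));`, which is a PHP syntax error; it should be `<%= $phpldapadmin::auto_number::search::gid %>`. The `pass` line interpolates the parameter directly even though it is typed `Variant[String, Sensitive[String]]`; a Sensitive value rendered with `<%= %>` produces its redacted string form, not the password, so unwrap it first (e.g. `$p = $phpldapadmin::auto_number::search::pass` then `<%= if $p =~ Sensitive { $p.unwrap } else { $p } %>`). `search_base`, `dn` and `pass` are all dropped into single-quoted PHP literals without escaping, so a value containing `'` or `\` breaks the generated config; escape both characters (e.g. with `regsubst`) before emitting. The comment above the `min` block is missing a closing parenthesis in "(only when 'search' is used for auto_number."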
diff --git a/templates/auto_number/uidpool.epp b/templates/auto_number/uidpool.epp
new file mode 100644
index 0000000..7d608bb
--- /dev/null
+++ b/templates/auto_number/uidpool.epp
@@ -0,0 +1,11 @@
+/* This feature allows phpLDAPadmin to automatically determine the next
+ available uidNumber for a new entry. */
+$servers->setValue('auto_number','enable',true);
+
+/* The mechanism to use when finding the next available uidNumber. Two possible
+ values: 'uidpool' or 'search'.
+ The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to
+ blindly lookup the next available uidNumber. The 'search' mechanism searches
+ for entries with a uidNumber value and finds the first available uidNumber
+ (slower). */
+$servers->setValue('auto_number','mechanism','uidpool');
diff --git a/templates/config.php.epp b/templates/config.php.epp
index fe09a00..2031945 100644
--- a/templates/config.php.epp
+++ b/templates/config.php.epp
@@ -1,36 +1,3 @@
-<?php
-/**
- * The phpLDAPadmin config file
- * See: http://phpldapadmin.sourceforge.net/wiki/index.php/Config.php
- *
- * This is where you can customise some of the phpLDAPadmin defaults
- * that are defined in config_default.php.
- *
- * To override a default, use the $config->custom variable to do so.
- * For example, the default for defining the language in config_default.php
- *
- * $this->default->appearance['language'] = array(
- * 'desc'=>'Language',
- * 'default'=>'auto');
- *
- * to override this, use $config->custom->appearance['language'] = 'en_EN';
- *
- * This file is also used to configure your LDAP server connections.
- *
- * You must specify at least one LDAP server there. You may add
- * as many as you like. You can also specify your language, and
- * many other options.
- *
- * NOTE: Commented out values in this file prefixed by //, represent the
- * defaults that have been defined in config_default.php.
- * Commented out values prefixed by #, dont reflect their default value, you can
- * check config_default.php if you want to see what the default is.
- *
- * DONT change config_default.php, you changes will be lost by the next release
- * of PLA. Instead change this file - as it will NOT be replaced by a new
- * version of phpLDAPadmin.
- */
-
/*********************************************
* Useful important configuration overrides *
*********************************************/
@@ -42,9 +9,11 @@ $config->custom->debug['syslog'] = true;
$config->custom->debug['file'] = '/tmp/pla_debug.log';
<%- } -%>
-/* phpLDAPadmin can encrypt the content of sensitive cookies if you set this
- to a big random string. */
-// $config->custom->session['blowfish'] = null;
+$config->custom->session['blowfish'] = <% if $phpldapadmin::blowfish_secret { -%>
+"<%= $phpldapadmin::blowfish_secret %>"
+<%- } else { -%>
+null
+<%- } -%>;
/* If your auth_type is http, you can override your HTTP Authentication Realm. */
// $config->custom->session['http_realm'] = sprintf('%s %s',app_name(),'login');
@@ -259,7 +228,7 @@ $config->custom->appearance['friendly_attrs'] = array(
*********************************************/
/* Add "modify group members" link to the attribute. */
-// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
+$config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
/* Configure filter for member search. This only applies to "modify group members" feature */
// $config->custom->modify_member['filter'] = '(objectclass=Person)';
@@ -268,9 +237,9 @@ $config->custom->appearance['friendly_attrs'] = array(
// $config->custom->modify_member['attr'] = 'dn';
/* For Posix attributes */
-// $config->custom->modify_member['posixattr'] = 'uid';
-// $config->custom->modify_member['posixfilter'] = '(uid=*)';
-// $config->custom->modify_member['posixgroupattr'] = 'memberUid';
+$config->custom->modify_member['posixattr'] = 'uid';
+$config->custom->modify_member['posixfilter'] = '(uid=*)';
+$config->custom->modify_member['posixgroupattr'] = 'memberUid';
/*********************************************
* Support for attrs display order *
@@ -301,28 +270,26 @@ $config->custom->appearance['friendly_attrs'] = array(
$servers = new Datastore();
-/* $servers->NewServer('ldap_pla') must be called before each new LDAP server
- declaration. */
+<%- $phpldapadmin::ldap_servers.each |$server| { -%>
$servers->newServer('ldap_pla');
+ <%- if $server['name'] { -%>
+ $servers->setValue('server','name','<%= $server['name'] %>');
+ <%- } -%>
+ $servers->setValue('server','host','<%= $server['server'] %>');
+ <%- if $server['port'] { -%>
+ $servers->setValue('server','name','<%= $server['port'] %>');
+ <%- } -%>
+<%- } -%>
-/* A convenient name that will appear in the tree viewer and throughout
- phpLDAPadmin to identify this LDAP server to users. */
-$servers->setValue('server','name','<%= $phpldapadmin::servername %>');
-
-/* Examples:
- 'ldap.example.com',
- 'ldaps://ldap.example.com/',
- 'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
- (Unix socket at /usr/local/var/run/ldap) */
-$servers->setValue('server','host','<%= $phpldapadmin::server_uri %>');
-/* The port your LDAP server listens on (no quotes). 389 is standard. */
-$servers->setValue('server','port',<%= $phpldapadmin::port %>);
+<% unless $phpldapadmin::base_dn =~ Undef { -%>
+$servers->setValue('server','base',array(
+ <%- $phpldapadmin::base_dn.each |$dn| { -%>
+ '<%= $dn %>',
+ <%- } -%>
+));
+<% } -%>
-/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
- auto-detect it for you. */
-// TODO
-// $servers->setValue('server','base',array(''));
/* Five options for auth_type:
1. 'cookie': you will login via a web form, and a client-side cookie will
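Review bot: Inside the new `ldap_servers` loop the host line reads `$server['server']`, but the struct in init.pp only defines `name`, `host` and `port`, so the host is rendered empty for every server; it should be `$servers->setValue('server','host','<%= $server['host'] %>');`. The port block then writes the port into the `name` key and quotes it, whereas the original (and phpLDAPadmin's own comment) sets `port` unquoted: `$servers->setValue('server','port',<%= $server['port'] %>);`. Since `$port` now defaults to undef, the default single-server entry emits no port line at all, which is presumably intended (server default) but deserves a comment in the loop. The `base` array likewise emits each DN in a single-quoted PHP literal without escaping `'` or `\`.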
@@ -450,11 +417,9 @@ $servers->setValue('login','auth_type','<%= $phpldapadmin::auth_type %>');
setup. */
// $servers->setValue('login','class',array());
-/* If login_attr was set to 'dn', it is possible to specify a template string to
- build the DN from. Use '%s' where user input should be inserted. A user may
- still enter the complete DN. In this case the template will not be used. */
-// $servers->setValue('login','bind_dn_template',null);
-# $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
+<% if $phpldapadmin::bind_dn_template { -%>
+$servers->setValue('login','bind_dn_template', '<%= $phpldapadmin::bind_dn_template %>');
+<% } %>
/* If you specified something different from 'dn', for example 'uid', as the
login_attr above, you can optionally specify here to fall back to
@@ -474,40 +439,11 @@ $servers->setValue('login','auth_type','<%= $phpldapadmin::auth_type %>');
// $servers->setValue('appearance','show_create',true);
/* Set to true if you would like to initially open the first level of each tree. */
-// $servers->setValue('appearance','open_tree',false);
+$servers->setValue('appearance','open_tree',<%= $phpldapadmin::open_tree %>);
/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
// $servers->setValue('appearance','show_authz',false);
-/* This feature allows phpLDAPadmin to automatically determine the next
- available uidNumber for a new entry. */
-// $servers->setValue('auto_number','enable',true);
-
-/* The mechanism to use when finding the next available uidNumber. Two possible
- values: 'uidpool' or 'search'.
- The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to
- blindly lookup the next available uidNumber. The 'search' mechanism searches
- for entries with a uidNumber value and finds the first available uidNumber
- (slower). */
-// $servers->setValue('auto_number','mechanism','search');
-
-/* The DN of the search base when the 'search' mechanism is used above. */
-# $servers->setValue('auto_number','search_base','ou=People,dc=example,dc=com');
-
-/* The minimum number to use when searching for the next available number
- (only when 'search' is used for auto_number. */
-// $servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
-
-/* If you set this, then phpldapadmin will bind to LDAP with this user ID when
- searching for the uidnumber. The idea is, this user id would have full
- (readonly) access to uidnumber in your ldap directory (the logged in user
- may not), so that you can be guaranteed to get a unique uidnumber for your
- directory. */
-// $servers->setValue('auto_number','dn',null);
-
-/* The password for the dn above. */
-// $servers->setValue('auto_number','pass',null);
-
/* Enable anonymous bind login. */
// $servers->setValue('login','anon_bind',true);
@@ -644,7 +580,5 @@ $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'
$config->custom->session['reCAPTCHA-enable'] = false;
-$config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
-$config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
-
-?>
+$config->custom->session['reCAPTCHA-key-site'] = 'put-here-key-site';
+$config->custom->session['reCAPTCHA-key-server'] = 'put-here-key-server';