From fd430eab622206b9a04780ca5fa9d7c807f16c93 Mon Sep 17 00:00:00 2001
From: Evilham <cvs@evilham.com>
Date: Mon, 9 Dec 2019 19:39:43 +0100
Subject: [PATCH] [new-type] __openldap_server: Add a "schema" optional
 parameter.

---
 cdist/conf/type/__openldap_server/man.rst     |  7 +++++
 cdist/conf/type/__openldap_server/manifest    | 29 +++++++------------
 .../parameter/default/schema                  | 12 ++++++++
 .../type/__openldap_server/parameter/optional |  3 +-
 4 files changed, 31 insertions(+), 20 deletions(-)
 create mode 100644 cdist/conf/type/__openldap_server/parameter/default/schema

diff --git a/cdist/conf/type/__openldap_server/man.rst b/cdist/conf/type/__openldap_server/man.rst
index 29bbc231..1fc24eaa 100644
--- a/cdist/conf/type/__openldap_server/man.rst
+++ b/cdist/conf/type/__openldap_server/man.rst
@@ -74,6 +74,13 @@ module
     LDAP module to load. See `slapd.conf(5)`.
     Default value is OS-dependent, see manifest.
 
+schema
+    Name of LDAP schema to load. Must be the name without extension of a
+    `.schema` file in slapd's schema directory (usually `/etc/slapd/schema` or
+    `/usr/local/etc/openldap/schema`).
+    Example value: `inetorgperson`
+    The type user must ensure that the schema file is deployed.
+    This defaults to a sensible subset, for details see the type definition.
 
 BOOLEAN PARAMETERS
 ------------------
diff --git a/cdist/conf/type/__openldap_server/manifest b/cdist/conf/type/__openldap_server/manifest
index 2acaaed5..518edd86 100644
--- a/cdist/conf/type/__openldap_server/manifest
+++ b/cdist/conf/type/__openldap_server/manifest
@@ -6,6 +6,7 @@ manager_password_hash=$(cat "${__object}/parameter/manager-password-hash")
 serverid=$(cat "${__object}/parameter/serverid")
 suffix=$(cat "${__object}/parameter/suffix")
 slapd_modules=$(cat "${__object}/parameter/module" || true)
+schemas=$(cat "${__object}/parameter/schema")
 
 
 OS="$(cat "${__global}/explorer/os")"
@@ -14,8 +15,8 @@ OS="$(cat "${__global}/explorer/os")"
 # TODO: treat other OS better, defaulting to Debian-like
 case "${OS}" in
     freebsd)
-	      PKGS="openldap-server"
-	      ETC="/usr/local/etc"
+        PKGS="openldap-server"
+        ETC="/usr/local/etc"
         SLAPD_DIR="/usr/local/etc/openldap"
         SLAPD_DATA_DIR="/var/db/openldap-data"
         SLAPD_RUN_DIR="/var/run/openldap"
@@ -27,7 +28,7 @@ case "${OS}" in
         ;;
     *)
         PKGS="slapd ldap-utils"
-	      ETC="/etc"
+        ETC="/etc"
         SLAPD_DIR="/etc/ldap"
         SLAPD_DATA_DIR="/var/lib/ldap"
         SLAPD_RUN_DIR="/var/run/slapd"
@@ -39,7 +40,6 @@ case "${OS}" in
 esac
 
 
-
 # Determine if __letsencrypt_cert is to be used and setup vars accordingly
 if [ -f "${__object}/parameter/tls-cert" ]; then
     tls_cert=$(cat "${__object}/parameter/tls-cert")
@@ -161,24 +161,15 @@ TLSCACertificateFile ${tls_ca}
 disallow bind_anon
 require bind
 security tls=1
-
-include ${SLAPD_DIR}/schema/corba.schema
-include ${SLAPD_DIR}/schema/core.schema
-include ${SLAPD_DIR}/schema/cosine.schema
-include ${SLAPD_DIR}/schema/duaconf.schema
-include ${SLAPD_DIR}/schema/dyngroup.schema
-include ${SLAPD_DIR}/schema/inetorgperson.schema
-include ${SLAPD_DIR}/schema/java.schema
-include ${SLAPD_DIR}/schema/misc.schema
-include ${SLAPD_DIR}/schema/nis.schema
-include ${SLAPD_DIR}/schema/openldap.schema
-include ${SLAPD_DIR}/schema/ppolicy.schema
-include ${SLAPD_DIR}/schema/collective.schema
-
-modulepath ${SLAPD_MODULE_PATH}
 EOF
 
+# Add specified schemas
+for schema in ${schemas}; do
+    echo "include ${SLAPD_DIR}/schema/${schema}.schema" >> "${ldapconf}"
+done
+
 # Add specified modules
+echo "modulepath ${SLAPD_MODULE_PATH}" >> "${ldapconf}"
 for module in ${slapd_modules}; do
     echo "moduleload ${module}.la" >> "${ldapconf}"
 done
diff --git a/cdist/conf/type/__openldap_server/parameter/default/schema b/cdist/conf/type/__openldap_server/parameter/default/schema
new file mode 100644
index 00000000..825bdb15
--- /dev/null
+++ b/cdist/conf/type/__openldap_server/parameter/default/schema
@@ -0,0 +1,12 @@
+corba
+core
+cosine
+duaconf
+dyngroup
+inetorgperson
+java
+misc
+nis
+openldap
+ppolicy
+collective
diff --git a/cdist/conf/type/__openldap_server/parameter/optional b/cdist/conf/type/__openldap_server/parameter/optional
index a9a8ab2c..53587c4e 100644
--- a/cdist/conf/type/__openldap_server/parameter/optional
+++ b/cdist/conf/type/__openldap_server/parameter/optional
@@ -1,4 +1,5 @@
-description
 syncrepl-credentials
 syncrepl-searchbase
 tls-cert
+tls-privkey
+tls-ca