install ldap/ keytab

manifests/init.pp

@@ -31,6 +31,8 @@ class su_ldap (
   $debian_distribution = 'stretch',
   $debian_archive      = 'debian-stanford',
   $debian_repository   = undef,
+  #
+  $keytab_path = '/etc/krb5.keytab',
 ){
 
   ## ERROR CHECKING ##
@@ -61,6 +63,7 @@ class su_ldap (
   ## Basic configuration: /etc/ldap/ldap.conf, /etc/default/slapd, et al.
   class { 'su_ldap::config':
     hosting_model => $hosting_model,
+    keytab_path   => $keytab_path,
   }
 
   ## Install sync scripts (call from parent class instead)
@@ -76,9 +79,10 @@ class su_ldap (
     auth_simple => $auth_simple,
   }
 
-#  if ($hosting_model == 'traditional') {
-#    class { 'su_ldap::traditional':
-#    }
-#  }
+  if ($hosting_model == 'traditional') {
+    class { 'su_ldap::traditional':
+      keytab_path => $keytab_path,
+    }
+  }
 
 }

manifests/traditional.pp

-class su_ldap::traditional {
+class su_ldap::traditional (
+  $keytab_path = '/etc/krb5.keytab',
+) {
 
   ## Firewall rules
 
   ## Keytabs
+  # Make sure the keytab for the ldap/hostname service principal is installed.
+  # It is not meant to be primary.
+  #
+  # Note that we require that Base::Wallet["host/${::fqdn}"] already be
+  # installed.
+  base::wallet { "ldap/${::fqdn}":
+    ensure  => present,
+    path    => $keytab_path,
+    primary => false,
+    require => Base::Wallet["host/${::fqdn}"],
+  }
 
   ## Ensure slapd service running