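# Class: su_ldap::authentication
#
# Installs saslauthd and the SASL configuration that slapd reads, and manages
# the saslauthd service that password ("simple") binds depend on.
#
# Parameters:
#   $auth_gssapi: if true support GSSAPI authentication.
#     NOTE(review): no resource in this class consults this flag; the
#     installed slapd.conf-saslauthd permits both SASL and GSSAPI either way.
#   $auth_simple: if true support simple-bind authentication. When false,
#     saslauthd is kept stopped, so the password-checking backend is not left
#     running on a host that is declared GSSAPI-only.
#
# The default is to install both, then control simple binds by
# two methods: iptables access to 636, and whether the saslauthd
# service is actually running.
class su_ldap::authentication (
  $auth_gssapi = true,
  $auth_simple = true,
) {

  # saslauthd package
  package { 'sasl2-bin': ensure => installed }

  # TODO: commit files and fix path names
  # NOTE(review): the source URIs below name module 's_ldap' while this class
  # lives in 'su_ldap' -- confirm which module actually ships the files.
  # NOTE(review): owner, group and mode are not pinned on either file, so the
  # resulting permissions depend on Puppet's defaults and on the source copy.
  file { '/etc/default/saslauthd':
    ensure  => present,
    source  => 'puppet:///modules/s_ldap/etc/default/saslauthd',
    require => Package['sasl2-bin'],
  }

  # note: the file slapd.conf-saslauthd permits both sasl and gssapi auth
  # Package['slapd'] is not declared in this class; it must exist elsewhere
  # in the catalog or compilation fails on this require.
  file { '/etc/ldap/sasl2/slapd.conf':
    ensure  => present,
    source  => 'puppet:///modules/s_ldap/etc/ldap/sasl2/slapd.conf-saslauthd',
    require => Package['slapd'],
  }

  # Make sure the saslauthd service, the service that allows "simple"
  # binds to work, is running.
  # TODO: see if we can specify this at run time, especially for containers
  # NOTE(review): no refresh relationship to /etc/default/saslauthd is
  # declared, so config changes do not restart the daemon. Adding one would
  # also restart it on hosts that use the /etc/nosaslauthd opt-out.
  if $auth_simple {
    service { 'saslauthd':
      ensure    => running,
      require   => Package['sasl2-bin'],
      hasstatus => false,
      # Exits 0 when the opt-out marker exists OR the daemon is up, so Puppet
      # leaves saslauthd alone on hosts that carry /etc/nosaslauthd.
      status    => 'test -f /etc/nosaslauthd || pidof saslauthd',
    }
  } else {
    # Simple binds are disabled for this node: honour the parameter instead
    # of silently starting the daemon. The status check looks only at the
    # process, because the marker-file test would always report "running"
    # and trigger a stop on every run.
    service { 'saslauthd':
      ensure    => stopped,
      require   => Package['sasl2-bin'],
      hasstatus => false,
      status    => 'pidof saslauthd',
    }
  }

  ## Do the iptables dance elsewhere, because it's different depending on what
  ## type of server or location is used, and this module is generic for building
  ## the auth part
}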