# Manage the sync scripts and their configurations.

# The reason that each one is selected separately is that not all environments get the same sync scripts.
# While these are intended for install on the tools server,
# this is still flexible enough to put it on the master.

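class su_ldap::sync_scripts (
  # FQDN of the LDAP master; handed unchanged to each enabled sync class.
  $ldap_master_fqdn                   = undef,
  # Environment tag; names the service/ldap-$env principal, its keytab and
  # its ticket cache, so it must be set (see the guard below).
  $env                                = undef,
  # select the sync scripts one by one in the hiera file
  $enable_ldap_wg_maint               = false,
  $enable_ldap_group_maint            = false,
  $enable_ldap_sync_sugal_attributes  = false,
  $enable_ldap_sync_suprivilegegroup  = false,
  $enable_ldap_alias_maint            = false,
  $enable_posix_account_sync          = false,
  $enable_ldap_reports                = false,
  # Recipient list passed to su_ldap::sync_scripts::ldap_reports. Previously
  # read from an unbound $addresses in this scope, which is always undef.
  $addresses                          = undef,
  # Instances of posix_account_sync managed by the $enable_posix_account_sync
  # toggle; the default is the list that used to be hard-coded below.
  $posix_account_sync_names           = ['aeroastroarl', 'anesthesia', 'statistics'],
) {

  # Every path below is derived from $env. An unset value would silently
  # yield "ldap-sync-.keytab" and a ticket cache not tied to any environment.
  if ! $env {
    fail('su_ldap::sync_scripts: the env parameter must be set')
  }

  # install the sync scripts package first
  package { 'libstanford-ldap-sync-scripts-perl': ensure => installed }

  # some of the syncs need this
  package { 'libcrypt-ssleay-perl': ensure => installed }

  ## First, a single keytab for all this stuff
  # this is the sync keytab ticket, for service/ldap-$env
  $k5start_service_name  = "k5start-ldap-sync-$env"
  $keytab_path           = "/etc/ldapadmin/ldap-sync-$env.keytab"
  $ticket_file_path      = "/var/run/ldap-sync-$env.tkt"

  # A directory where we put any configuration for ldap monitoring.
  # NOTE(review): the sync keytab lives here, so the permissions of this
  # directory and of $keytab_path (set by base::wallet, presumably) gate
  # access to the credential — confirm they are restrictive enough.
  file { '/etc/ldapadmin':
    ensure => directory,
  }

  # Set up a krb5 ticket keep-alive service for the above principal.
  systemd_k5start { $k5start_service_name:
    ensure      => present,
    keytab      => $keytab_path,
    ticket_file => $ticket_file_path,
  }

  # The unit cannot obtain a ticket until the keytab has been fetched, so
  # order the service after the wallet resource as well as the unit file.
  service { $k5start_service_name:
    ensure  => 'running',
    enable  => true,
    require => [
      Systemd_K5start[$k5start_service_name],
      Base::Wallet["service/ldap-$env"],
    ],
  }

  # Add the service/ldap-$env keytab. This is single env only, with accountsTreeWrite,peopleTreeWrite,groupsTreeWrite.
  # The keytab is written into /etc/ldapadmin, so that directory must exist first.
  base::wallet { "service/ldap-$env":
    ensure  => present,
    path    => $keytab_path,
    primary => false,
    require => [
      Base::Wallet["host/$::fqdn"],
      File['/etc/ldapadmin'],
    ],
  }

  # several things use this, so put it here
  ## Service (listener)
  include s_ldap::base::systemd

  # ldap-wg-maint.service
  # Like every other toggle below, a disabled script is declared absent so
  # that turning it off in hiera also removes it from the host.
  if ($enable_ldap_wg_maint) {
    class { 'su_ldap::sync_scripts::ldap_wg_maint':
      ensure           => present,
      ldap_master_fqdn => $ldap_master_fqdn,
      ticket_file_path => $ticket_file_path,
      env              => $env,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_wg_maint':
      ensure => absent,
    }
  }

  # ldap-group-maint.service
  if ($enable_ldap_group_maint) {
    class { 'su_ldap::sync_scripts::ldap_group_maint':
      ensure           => present,
      env              => $env,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_group_maint':
      ensure => absent,
    }
  }

  # ldap-sync-sugal-attributes.service
  if ($enable_ldap_sync_sugal_attributes) {
    class { 'su_ldap::sync_scripts::ldap_sync_sugal_attributes':
      ensure           => present,
      env              => $env,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_sync_sugal_attributes':
      ensure => absent,
    }
  }

  # ldap-sync-suprivilegegroup.service
  if ($enable_ldap_sync_suprivilegegroup) {
    class { 'su_ldap::sync_scripts::ldap_sync_suprivilegegroup':
      ensure           => present,
      env              => $env,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_sync_suprivilegegroup':
      ensure => absent,
    }
  }

  # ldap-alias-maint
  if ($enable_ldap_alias_maint) {
    class { 'su_ldap::sync_scripts::ldap_alias_maint':
      ensure           => present,
      env              => $env,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_alias_maint':
      ensure => absent,
    }
  }

  # posix accounts
  # An array title declares one posix_account_sync instance per name, which
  # keeps the present/absent branches in step with $posix_account_sync_names.
  if ($enable_posix_account_sync) {
    su_ldap::sync_scripts::posix_account_sync { $posix_account_sync_names:
      ensure => present,
      env    => $env,
    }
  } else {
    su_ldap::sync_scripts::posix_account_sync { $posix_account_sync_names:
      ensure => absent,
    }
  }

  ## Note: This won't work without the postfix relay set!!
  ## Where is it?

  # ldap_reports
  if ($enable_ldap_reports) {
    class { 'su_ldap::sync_scripts::ldap_reports':
      ensure           => present,
      addresses        => $addresses,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_reports':
      ensure => absent,
    }
  }
}

# end of file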