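---
version: 1.1

# LDAP dictionary: one "server" section (the OpenLDAP directory) and one
# "client" section (a host that binds to it). Values flow between the two
# through the "supplier"/"provider" keys and the Jinja defaults below.
ldap:
  # OpenLDAP directory
  server:
    # Server
    address:
      type: domainname
      hidden: true
      supplier: LDAP
    ip:
      type: ip
      default:
        jinja: >-
          {{ zones | get_ip(_.address) }}
        params:
          zones:
            information: zones
      hidden: true
    port:
      type: port
      # 636 is the LDAPS port; "hidden: true" presumably keeps operators from
      # redefining it (e.g. to 389) through the configuration — confirm
      # against the consuming tool's semantics of "hidden".
      default: 636
      hidden: true
    prefix_domain_name:
      hidden: true
      provider: global:prefix_domain_name

  client:
    # Client
    family:
      description: Restrict service configuration for a LDAP family
      help: '"all" for all families.'
      type: unix_user
      mandatory: false
      supplier: LDAP:family
    # Bind DN of the client account: built from the client address and the
    # validated base DN (see base_dn below).
    user:
      type: string
      default:
        jinja: |-
          cn={{ _.address }},{{ _.base_dn }}
      hidden: true
      supplier: LDAP:dn
    address:
      default:
        jinja: >-
          {{ __.server.ip | get_client_address(domain_name, network) }}
        params:
          network:
            variable: >-
              general.network.interface_{{ suffix }}.network
          domain_name:
            variable: >-
              general.network.interface_{{ suffix }}.domain_name
      hidden: true
    # Bind password, generated per client "user" for the server named by
    # __.server.address and handed to the LDAP provider through the
    # "LDAP:password" supplier. NOTE(review): get_password is asked for a
    # "cleartext" value; whatever template writes it to disk must keep it
    # out of world-readable files — that template is not visible here.
    user_password:
      type: secret
      default:
        jinja: >-
          {{ _.user | get_password(server_name=__.server.address, description="remote account", type="cleartext", hide=general.hide_secret, temporary=true) }}
      hidden: true
      supplier: LDAP:password
    # Root of the directory tree. The validator only checks the leading
    # attribute type (o=, dc= or ou=), case-sensitively ("DC=" is rejected);
    # the remainder of the DN is interpolated verbatim into user, search_dn,
    # group_dn and user_dn below, so it is not otherwise sanitised here.
    base_dn:
      type: string
      validators:
        - jinja: >-
            {%- if not _.base_dn.startswith(('o=', 'dc=', 'ou=')) -%}
            the root LDAP base DN must start with an organisation (o=),
            a domain component (dc=) or an organizational unit (ou=)
            {%- endif -%}
          description: >-
            if LDAP base DN starts with an organisation (o=), a domain
            component (dc=) or an organizational unit (ou=)
      default:
        jinja: >-
          {{ __.server.prefix_domain_name | get_default_base_dn }}
      hidden: true
      supplier: LDAP:base_dn
    search_dn:
      default:
        jinja: >-
          ou=accounts,{{ _.base_dn }}
      hidden: true
    group_dn:
      type: string
      default:
        jinja: >-
          {{ _.base_dn | calc_ldapclient_base_dn(group=true) }}
      hidden: true
    user_dn:
      type: string
      default:
        jinja: >-
          {{ _.base_dn | calc_ldapclient_base_dn }}
      hidden: true
    # Owner of the client key file; presumably consumed by a file template
    # that is not part of this dictionary — verify where it is used.
    key_file_owner:
      type: unix_user
      default: root
      hidden: true
    # Location of the client ldap.conf, chosen from general.os_name.
    file:
      type: unix_filename
      default:
        jinja: >-
          {%- if general.os_name == 'Debian' -%}
          /etc/ldap/ldap.conf
          {%- else -%}
          /etc/openldap/ldap.conf
          {%- endif -%}
      hidden: true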