# -*- mode: python; coding: utf-8 -*-

include("mode/space")
include("secrets")
include("ldap")

header("""
Fichier de configuration de libpam-ldap.

Pour des informations détaillées voir pam_ldap.conf(5)
""")

if has("2B"):
    # Lisible par adm sur vert pour que les nounous puissent locker
    # leur écran
    info['group'] = 'adm'
    info['perms'] |= 0060

@# +----------------------------------------------------+
@# | Configuration de la communiquation avec le serveur |
@# +----------------------------------------------------+

@# The distinguished name of the search base.
%base "dc=crans,dc=org"

@# Base LDAP
%uri "%s" % ldap_socket

@# The LDAP version to use (defaults to 3
@# if supported by client library)
%ldap_version 3

if has("db-main"):
    @# The distinguished name to bind to the server with
    @# if the effective user ID is root. Password is
    @# stored in /etc/ldap.secret (mode 600)
    %rootbinddn secrets.ldap_auth_dn

else:
    @# The distinguished name to bind to the server with.
    @# Optional: default is to bind anonymously.
    %binddn secrets.ldap_readonly_auth_dn

    @# The credentials to bind with.
    @# Optional: default is no credential.
    %bindpw secrets.ldap_readonly_password

@# The port.
@# Optional: default is 389.
@#port 389

@# The search scope.
@#scope sub
%scope "one"
@#scope base

if not has("db-main"):
    @# Search timelimit
    %timelimit 5

    @# Bind timelimit
    %bind_timelimit 5

@# Do not hash the password at all; presume
@# the directory server will do it, if
@# necessary. This is the default.
%pam_password "exop"

@# +------------------+
@# | Bases de données |
@# +------------------+

# On n'utilise ldap pour résoudre les bases de données
# passwd, group et shadow

if ldap_filter:
    passwd_filter = "?%s" % ldap_filter
else:
    passwd_filter = ""

%nss_base_passwd "ou=data,dc=crans,dc=org?one%s" % passwd_filter
%nss_base_shadow "ou=data,dc=crans,dc=org?one"
%nss_base_group "ou=Group,dc=crans,dc=org?one"