From 88d6d936b8dad436a17a1805442e499c58f26f70 Mon Sep 17 00:00:00 2001
From: Greg Wickham
Date: Wed, 1 Jun 2022 21:14:06 +0300
Subject: [PATCH 1/2] There was no intrinsic way to store an encrypted bind password in heira, so add '$postfix::ldap_bind_pw'. Converted '$postfix::ldap_options' to be optional or a string or an array of strings. Modified the ldap-aliases.cf template so that ldap_options can be optional / a string / an array of strings, and then rendered in alphabetical order.
---
 manifests/init.pp | 5 ++++-
 manifests/ldap.pp | 7 +++++--
 templates/postfix-ldap-aliases.cf.erb | 9 ++++++++-
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 660f0bbb..2c94dd2c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -32,6 +32,8 @@
 #
 # [*ldap_host*] - (string)
 #
+# [*ldap_bind_pw*] - (string)
+#
 # [*ldap_options*] - (string)
 #
 # [*mail_user*] - (string) The mail user
@@ -126,7 +128,8 @@
 Boolean $ldap = false,
 Optional[String] $ldap_base = undef,
 Optional[String] $ldap_host = undef,
- Optional[String] $ldap_options = undef,
+ Optional[String] $ldap_bind_pw = undef,
+ Optional[Variant[String,Array[String]]] $ldap_options = undef,
 String $mail_user = 'vmail', # postfix_mail_user
 Boolean $mailman = false,
 String $maincf_source = "puppet:///modules/${module_name}/main.cf",
diff --git a/manifests/ldap.pp b/manifests/ldap.pp
index 165296fb..4614cf39 100644
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@@ -16,9 +16,10 @@ class postfix::ldap {
 assert_type(String, $postfix::ldap_base)
 assert_type(String, $postfix::ldap_host)
- assert_type(String, $postfix::ldap_options)
+ assert_type(Optional[String], $postfix::ldap_bind_pw)
+ assert_type(Optional[Variant[String,Array[String]]], $postfix::ldap_options)
- if $facts['os']['family'] == 'Debian' {
+ if $facts['os']['family'] in [ 'Debian', 'RedHat' ] {
 package { 'postfix-ldap':
 before => File["${postfix::confdir}/ldap-aliases.cf"],
 }
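Review bot: The new `[*ldap_bind_pw*]` entry in the parameter docs has no description, and the `[*ldap_options*]` entry right below it still reads `(string)` although this patch lets it be an array as well. I would write `# [*ldap_bind_pw*] - (string) LDAP bind password, written as bind_pw to ldap-aliases.cf` and `# [*ldap_options*] - (string or array of strings) extra lines for ldap-aliases.cf`. Because the parameter holds a secret, the entry is also the natural place to say that the value is expected to come from an encrypted Hiera backend, which is the use case the commit message describes.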
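Review bot: `$ldap_bind_pw` is declared as a plain `Optional[String]` in the parameter list, so once Hiera has decrypted it the password is handled like any other string and is not redacted in logs or reports. Puppet's `Sensitive` type is meant for this; a backward-compatible declaration would be `Optional[Variant[String, Sensitive[String]]] $ldap_bind_pw = undef,`. The `assert_type(Optional[String], $postfix::ldap_bind_pw)` line in the manifests/ldap.pp hunk would need the same widening, and the value should be unwrapped only where templates/postfix-ldap-aliases.cf.erb writes it. The parameter list starts and ends outside this hunk.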
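Review bot: The widened condition `in [ 'Debian', 'RedHat' ]` makes every RedHat-family node require a separate `postfix-ldap` package, and the commit message does not mention this change. As far as I know, older Enterprise Linux releases build LDAP support into the main postfix package and ship no `postfix-ldap`, so the package resource would fail there; please confirm against the releases the module supports and, if needed, also test `$facts['os']['release']['major']`. A short comment above the `if` saying why the package is needed per OS family would help the next reader. The `if` block is closed outside the hunk.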
@@ -28,6 +29,8 @@
 fail 'Missing $postfix::ldap_base !'
 }
+ $ldap_bind_pw = $postfix::ldap_bind_pw
+
 $ldap_host = $postfix::ldap_host ? {
 undef => 'localhost',
 default => $postfix::ldap_host,
diff --git a/templates/postfix-ldap-aliases.cf.erb b/templates/postfix-ldap-aliases.cf.erb
index 0864dcdc..86f85701 100644
--- a/templates/postfix-ldap-aliases.cf.erb
+++ b/templates/postfix-ldap-aliases.cf.erb
@@ -3,4 +3,11 @@ server_host = <%= @ldap_host %>
 <% if @ldap_base -%>
 search_base = <%= @ldap_base %>
 <% end -%>
-<%= @ldap_options %>
+<%
+ options = [ @ldap_options ].flatten
+ if @ldap_bind_pw
+ options.append('bind_pw = ' + @ldap_bind_pw )
+ end
+ if options -%>
+<%= options.sort.join("\n") %>
+<% end -%>
From 6c24630c2ae2b4428074c232f8ad2c895116e0bf Mon Sep 17 00:00:00 2001
From: Greg Wickham
Date: Wed, 1 Jun 2022 21:23:43 +0300
Subject: [PATCH 2/2] there should be no whitespace or a single newline before a closing bracket
---
 manifests/ldap.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/ldap.pp b/manifests/ldap.pp
index 4614cf39..48852bf7 100644
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@@ -19,7 +19,7 @@
 assert_type(Optional[String], $postfix::ldap_bind_pw)
 assert_type(Optional[Variant[String,Array[String]]], $postfix::ldap_options)
- if $facts['os']['family'] in [ 'Debian', 'RedHat' ] {
+ if $facts['os']['family'] in ['Debian','RedHat'] {
 package { 'postfix-ldap':
 before => File["${postfix::confdir}/ldap-aliases.cf"],
 }
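Review bot: Once `$ldap_bind_pw` is handed to the template here, `${postfix::confdir}/ldap-aliases.cf` holds a credential, and the `File` resource that writes it lies outside this hunk, so its attributes cannot be checked from the patch. Please confirm that the resource sets an owner, group and mode that keep the file from being world-readable; the Postfix ldap_table documentation recommends restricting the map file to the Postfix user when `bind_pw` is set. It should also carry `show_diff => false`, so that a content change does not print the password in agent output or reports. If the existing resource uses a permissive mode, tightening it belongs in this same commit.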
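Review bot: `[ @ldap_options ].flatten` gives `[nil]` when `ldap_options` is unset (assuming undef reaches the template as nil), so setting only `ldap_bind_pw` makes `options.sort` compare nil with a String and raise while the template is rendered. The guard `if options` is also always true, because an Array is truthy in Ruby even when empty, so an empty line is emitted when neither value is set. I would write `options = [ @ldap_options ].flatten.compact`, use `options.push(...)` since `append` needs Ruby 2.5 or later, and guard with `unless options.empty? -%>`. The password is also written verbatim, so a value containing a newline would add extra lines to the map file; rejecting such values with a pattern type in the manifest would close that off.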