From e861eb052f9926a2c0a9436b03b367099ef0c6fc Mon Sep 17 00:00:00 2001
From: Daehyung Lee
Date: Wed, 24 May 2017 15:52:10 +0900
Subject: [PATCH] Supports SHA2 password (#195)

* support sha2 password
* added sha-2 password related example
* Corrected regex which was missing in the previous commit
* removed the SSHA* related conditional logic
---
 README.md | 9 +++++++++
 lib/puppet/type/openldap_database.rb | 16 ++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index faaf5e17..861c580d 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,15 @@ openldap::server::database { 'dc=example,dc=com':
 
 `rootpw` will be automatically converted to a SSHA hash with random salt.
 
+Support SHA-2 password
+```puppet
+openldap::server::database { 'dc=example,dc=com':
+ directory => '/var/lib/ldap',
+ rootdn => 'cn=admin,dc=example,dc=com',
+ rootpw => '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
+}
+```
+
 ###Configuring modules
 
 ```puppet
diff --git a/lib/puppet/type/openldap_database.rb b/lib/puppet/type/openldap_database.rb
index 49daacd3..20c50f2d 100644
--- a/lib/puppet/type/openldap_database.rb
+++ b/lib/puppet/type/openldap_database.rb
@@ -65,7 +65,7 @@
 desc "Password (or hash of the password) for the rootdn."
 
 def insync?(is)
- if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA)\}.+/
+ if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA(256|384|512)?)\}.+/
 should == is
 else
 case is
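Review bot: The widened scheme regex `/^\{(CRYPT|MD5|SMD5|SSHA|SHA(256|384|512)?)\}.+/` is now duplicated verbatim between `insync?` here and `sync` in the third hunk (`@@ -92,7 +104,7 @@`), so the next scheme added to one will silently be missing from the other; a single frozen constant such as `HASHED_PASSWORD = /\A\{(CRYPT|MD5|SMD5|SSHA|SHA(256|384|512)?)\}.+/.freeze` referenced from both would keep them in step. The anchor should be `\A` rather than `^`, because `^` matches at the start of any line, so a multi-line value whose later line begins with `{SHA256}` would be passed through to slapd as if it were already hashed instead of being SSHA-hashed in `sync`; whether a multi-line rootpw can reach this code is not visible from the hunk. `insync?` continues past the end of this hunk.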
@@ -83,6 +83,18 @@ def insync?(is)
 "{SSHA}" + Base64.encode64("#{Digest::SHA1.digest("#{should}#{salt}")}#{salt}").chomp == is
 when /^\{SHA\}.+/
 "{SHA}" + Digest::SHA1.hexdigest(should) == is
+ when /^\{(SHA(256|384|512))\}/
+ matches = is.match("^\{(SHA[\\d]{,3})\}")
+ raise ArgumentError, "Invalid password format: #{is}" if matches.nil?
+ crypto = matches[1]
+ case crypto
+ when 'SHA256'
+ '{SHA256}' + Digest::SHA256.hexdigest(should) == is
+ when 'SHA384'
+ '{SHA384}' + Digest::SHA384.hexdigest(should) == is
+ when 'SHA512'
+ '{SHA512}' + Digest::SHA512.hexdigest(should) == is
+ end
 else
 false
 end
@@ -92,7 +104,7 @@ def insync?(is)
 def sync
 require 'securerandom'
 salt = SecureRandom.random_bytes(4)
- if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA)\}.+/
+ if should =~ /^\{(CRYPT|MD5|SMD5|SSHA|SHA(256|384|512)?)\}.+/
 @resource[:rootpw] = should
 else
 @resource[:rootpw] = "{SSHA}" + Base64.encode64("#{Digest::SHA1.digest("#{should}#{salt}")}#{salt}").chomp
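Review bot: The new SHA-2 branch compares `is` against `Digest::SHA256/384/512.hexdigest(should)`, yet the README example added in this same commit (`{SHA384}QZdaK3…FzJG/amX`) is a 64-character base64 string, i.e. the 48 raw bytes of a SHA-384 digest, which as far as I know is also the form slapd's pw-sha2 scheme stores; if the provider reads such values back into `is`, this comparison can never match and the resource is reported out of sync on every run, so the stored format needs confirming and, if it is base64, the comparison should use `Base64.strict_encode64(Digest::SHA384.digest(should))` and its 256/512 siblings (Base64 is already in scope from the `{SSHA}` branch). `raise ArgumentError, "Invalid password format: #{is}"` interpolates the rootdn password hash into an exception that ends up in agent output and reports, and it is effectively unreachable because the enclosing `when /^\{(SHA(256|384|512))\}/` already guarantees the prefix; the string-built regex `"^\{(SHA[\\d]{,3})\}"` (where `\{` in a double-quoted string is just `{`, so it only works because an unparseable brace is treated as literal) and the raise can both be replaced by a single capture, as sketched below. The inner `case crypto` has no `else`, so an unexpected scheme yields `nil` rather than `false`; `insync?` begins before this hunk and its closing `end` lies past it.
```ruby
when /\A\{(SHA(256|384|512))\}/
  # … unchanged: earlier when branches of `case is` …
  crypto = is[/\A\{(SHA(?:256|384|512))\}/, 1]
  digest = case crypto
           when 'SHA256' then Digest::SHA256.digest(should)
           when 'SHA384' then Digest::SHA384.digest(should)
           when 'SHA512' then Digest::SHA512.digest(should)
           end
  # NOTE(review): base64 encoding assumed from the README example; confirm against what slapd stores
  "{#{crypto}}" + Base64.strict_encode64(digest) == is
```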