#compdef ldap

local -a commands scopes
commands=(
  search:'search a directory'
)
scopes=(
  base:'base object only'
  one:'one level'
  sub:subtree
)

_ldap_url() {
  local -a expl protocols tags
  protocols=(
    ldap:'TCP in plaintext'
    ldaps:'TLS'
    ldap+tls:'TCP and use StartTLS'
    ldapi:'connect to a socket'
  )

  # [protocol://]host[:port][/basedn[?[attribute,...][?[scope][?[filter]]]]]
  if ! compset -P '*://'; then
    tags=(protocol)
  fi

  if ! compset -P '*/'; then
    if compset -P '*:'; then
      tags=(port)
    else
      tags+=(host)
    fi
  else
    case $PREFIX in
      *\?*\?*\?*) tags=(filter);;
      *\?*\?*) tags=(scope);;
      *\?*) tags=(attribute);;
      *) tags=(basedn);;
    esac
    compset -P '*\?'
  fi

  _tags $tags
  while _tags; do
    _requested protocol && _describe -t protocol protocol protocols -I ://
    _requested host && _hosts -S ''
    _requested port && _guard '|<1-65535>' port
    _requested basedn expl 'base DN'
    _requested attribute expl attribute
    _requested scope && _describe -t scope scope scopes
    _requested filter expl filter
  done
}

if (( CURRENT == 2 )); then
  _describe command commands
else
  shift words; (( CURRENT-- ))
  case $words[1] in
    search)
      _arguments -s -S -A '-*' \
        '-b+[specify base DN]:base DN:' \
        '-c+[specify CA file]:CA file:' \
        '-D+[specify bind DN]:bind DN:' \
        '-H+[specify URL]: :_ldap_url' \
        '-L[output in LDIF]' \
        '-l+[specify time limit or 0 for no limit]:time limit [0]:' \
        '-s+[specify scope]:scope [sub]:(($scopes))' \
        '-v[be verbose]' \
        '-W[prompt for bind secret]' \
        '-w+[specify bind secret]:bind secret:' \
        '-x[use simple authentication]' \
        '-Z[use StartTLS]' \
        '-z+[specify maximum number of results or 0 for no limit]:size limit [0]:' \
        ':: :_guard "*=*" "filter"' \
        '*:attribute:'
      ;;
  esac
fi