#!/bin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # # idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II. # # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # # display_msg(): Displays message corresponding to the tag passed in. # display_msg() { case "$1" in usage) cat < Get setup info from input file. o Generate a server configuration output file. v Verbose mode EOF ;; backup_server) cat < /dev/null 2>&1 if [ $? -ge 2 ]; then return 1 fi # Made it here, it's Numeric. return 0 } # # not_numeric(): Reverses the return values of is_numeric. Useful # for if and while statements that want to test for # non-numeric data. # 0 = NOT Numeric # 1 = Numeric # not_numeric() { is_numeric $1 if [ $? -eq 0 ]; then return 1 else return 0 fi } # # is_negative(): Tells is a Numeric value is less than zero. # 0 = Negative Numeric # 1 = Positive Numeric # 2 = NOT Numeric # is_negative() { # Check for parameter. if [ $# -ne 1 ]; then return 1 fi # Determine if numeric. Can't use expr because -0 is # considered positive?? if is_numeric $1; then case "$1" in -*) return 0 ;; # Negative Numeric *) return 1 ;; # Positive Numeric esac else return 2 fi } # # check_domainname(): check validity of a domain name. Currently we check # that it has at least two components. # $1 the domain name to be checked # check_domainname() { if [ ! -z "$1" ] then t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'` if [ "$t" = 0 ] then return 1 fi fi return 0 } # # check_baseDN(): check validity of the baseDN name. # $1 the baseDN name to be checked # # NOTE: The check_baseDN function does not catch all invalid DN's. # Its purpose is to reduce the number of invalid DN's to # get past the input routine. The invalid DN's will be # caught by the LDAP server when they are attempted to be # created. # check_baseDN() { ck_DN=$1 ${ECHO} " Checking LDAP Base DN ..." if [ ! -z "$ck_DN" ]; then [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN" # Check for = (assignment operator) ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1 if [ $? -ne 0 ]; then [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN." return 1 fi # Check all keys. while : do # Get first key. dkey=`${ECHO} $ck_DN | cut -d'=' -f1` # Check that the key string is valid check_attrName $dkey if [ $? -ne 0 ]; then [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}" return 1 fi [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}" # Remove first key from DN ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-` # Break loop if nothing left. if [ "$ck_DN" = "" ]; then break fi done fi return 0 } # # domain_2_dc(): Convert a domain name into dc string. # $1 .. Domain name. # domain_2_dc() { _DOM=$1 # Domain parameter. _DOM_2_DC="" # Return value from function. _FIRST=1 # Flag for first time. export _DOM_2_DC # Make visible for others. # Convert "."'s to spaces for "for" loop. domtmp="`${ECHO} ${_DOM} | tr '.' ' '`" for i in $domtmp; do if [ $_FIRST -eq 1 ]; then _DOM_2_DC="dc=${i}" _FIRST=0 else _DOM_2_DC="${_DOM_2_DC},dc=${i}" fi done } # # is_root_user(): Check to see if logged in as root user. # is_root_user() { case `id` in uid=0\(root\)*) return 0 ;; * ) return 1 ;; esac } # # parse_arg(): Parses the command line arguments and sets the # appropriate variables. # parse_arg() { while getopts "dvhi:o:" ARG do case $ARG in d) DEBUG=1;; v) VERB="";; i) INPUT_FILE=$OPTARG;; o) OUTPUT_FILE=$OPTARG;; \?) display_msg usage exit 1;; *) ${ECHO} "**ERROR: Supported option missing handler!" display_msg usage exit 1;; esac done return `expr $OPTIND - 1` } # # init(): initializes variables and options # init() { # General variables. PROG=`basename $0` # Program name PID=$$ # Program ID VERB='> /dev/null 2>&1' # NULL or "> /dev/null" ECHO="/bin/echo" # print message on screen EVAL="eval" # eval or echo EGREP="/usr/bin/egrep" GREP="/usr/bin/grep" DEBUG=0 # Set Debug OFF BACKUP=no_ldap # backup suffix HOST="" # NULL or NAWK="/usr/bin/nawk" RM="/usr/bin/rm" WC="/usr/bin/wc" CAT="/usr/bin/cat" SED="/usr/bin/sed" MV="/usr/bin/mv" DOM="" # Set to NULL # If DNS domain (resolv.conf) exists use that, otherwise use domainname. if [ -f /etc/resolv.conf ]; then DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \ | awk '{ print $2 }' | tail -1` fi # If for any reason the DOM did not get set (error'd resolv.conf) set # DOM to the domainname command's output. if [ "$DOM" = "" ]; then DOM=`domainname` # domain from domainname command. fi STEP=1 INTERACTIVE=1 # 0 = on, 1 = off (For input file mode) DEL_OLD_PROFILE=0 # 0 (default), 1 = delete old profile. # idsconfig specific variables. INPUT_FILE="" OUTPUT_FILE="" LDAP_ENABLE_SHADOW_UPDATE="FALSE" NEED_PROXY=0 # 0 = No Proxy, 1 = Create Proxy. NEED_ADMIN=0 # 0 = No Admin, 1 = Create Admin. NEED_HOSTACL=0 # 0 = No Host ACL, 1 = Create Host ACL. EXISTING_PROFILE=0 LDAP_PROXYAGENT="" LDAP_ADMINDN="" LDAP_SUFFIX="" LDAP_DOMAIN=$DOM # domainname on Server (default value) GEN_CMD="" PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read" # LDAP COMMANDS LDAPSEARCH="/bin/ldapsearch -r" LDAPMODIFY=/bin/ldapmodify LDAPADD=/bin/ldapadd LDAPDELETE=/bin/ldapdelete LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile # iDS specific information IDS_SERVER="" IDS_PORT=389 NEED_TIME=0 NEED_SIZE=0 NEED_SRVAUTH_PAM=0 NEED_SRVAUTH_KEY=0 NEED_SRVAUTH_CMD=0 IDS_TIMELIMIT="" IDS_SIZELIMIT="" # LDAP PROFILE related defaults LDAP_ROOTDN="cn=Directory Manager" # Provide common default. LDAP_ROOTPWD="" # NULL passwd as default (i.e. invalid) LDAP_PROFILE_NAME="default" LDAP_BASEDN="" LDAP_SERVER_LIST="" LDAP_AUTHMETHOD="" LDAP_FOLLOWREF="FALSE" NEED_CRYPT="" LDAP_SEARCH_SCOPE="one" LDAP_SRV_AUTHMETHOD_PAM="" LDAP_SRV_AUTHMETHOD_KEY="" LDAP_SRV_AUTHMETHOD_CMD="" LDAP_SEARCH_TIME_LIMIT=30 LDAP_PREF_SRVLIST="" LDAP_PROFILE_TTL=43200 LDAP_CRED_LEVEL="proxy" LDAP_BIND_LIMIT=10 # Prevent new files from being read by group or others. umask 077 # Service Search Descriptors LDAP_SERV_SRCH_DES="" # Set and create TMPDIR. TMPDIR="/tmp/idsconfig.${PID}" if mkdir -m 700 ${TMPDIR} then # Cleanup on exit. trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15 else echo "ERROR: unable to create a safe temporary directory." exit 1 fi LDAP_ROOTPWF=${TMPDIR}/rootPWD # Set the SSD file name after setting TMPDIR. SSD_FILE=${TMPDIR}/ssd_list # GSSAPI setup LDAP_KRB_REALM="" LDAP_GSSAPI_PROFILE="" SCHEMA_UPDATED=0 export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST export LDAP_BASEDN LDAP_ROOTPWF export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED export NEED_PROXY export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD export LDAP_SERV_SRCH_DES SSD_FILE export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED } # # disp_full_debug(): List of all debug variables usually interested in. # Grouped to avoid MASSIVE code duplication. # disp_full_debug() { [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SERVER = $IDS_SERVER" [ $DEBUG -eq 1 ] && ${ECHO} " IDS_PORT = $IDS_PORT" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF" [ $DEBUG -eq 1 ] && ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT" [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT" [ $DEBUG -eq 1 ] && ${ECHO} " NEED_CRYPT = $NEED_CRYPT" [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM" [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY" [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE" # Only display proxy stuff if needed. [ $DEBUG -eq 1 ] && ${ECHO} " NEED_PROXY = $NEED_PROXY" if [ $NEED_PROXY -eq 1 ]; then [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED" fi # Only display admin credential if needed. [ $DEBUG -eq 1 ] && ${ECHO} " NEED_ADMIN = $NEED_ADMIN" [ $DEBUG -eq 1 ] && ${ECHO} " NEED_HOSTACL = $NEED_HOSTACL" if [ $NEED_ADMIN -eq 1 ]; then [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMINDN = $LDAP_ADMINDN" [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" fi # Service Search Descriptors are a special case. [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES" } # # load_config_file(): Loads the config file. # load_config_file() { [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()" # Remove SSD lines from input file before sourcing. # The SSD lines must be removed because some forms of the # data could cause SHELL errors. ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD # Source the input file. . ${TMPDIR}/inputfile.noSSD # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older # config files use LDAP_TREETOP LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}" # Save password to temporary file. save_password # Create the SSD file. create_ssd_file # Display FULL debugging info. disp_full_debug } # # save_password(): Save password to temporary file. # save_password() { cat > ${LDAP_ROOTPWF} < /dev/null 2>&1 if [ $? -eq 0 ]; then break fi # Invalid server, enter a new name. ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable." IDS_SERVER="" done # Set SERVER_ARGS and LDAP_ARGS since values might of changed. SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" export SERVER_ARGS } # # get_ids_port(): Prompt for iDS port number. # get_ids_port() { # Get a valid iDS port number. while : do # Enter port number. get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help" IDS_PORT=$ANS # Do a simple search to check hostname and port number. # If search returns SUCCESS, break out, host and port must # be valid. ${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1 if [ $? -eq 0 ]; then break fi # Invalid host/port pair, Re-enter. ${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!" get_ids_server done # Set SERVER_ARGS and LDAP_ARGS since values might of changed. SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" export SERVER_ARGS } # # chk_ids_version(): Read the slapd config file and set variables # chk_ids_version() { [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()" # check iDS version number. eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1" if [ $? -ne 0 ]; then ${ECHO} "ERROR: Can not determine the version number of iDS!" exit 1 fi IDS_VER=`cat ${TMPDIR}/checkDSver` IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.` IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.` if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then ${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}." exit 1 fi if [ $DEBUG -eq 1 ]; then ${ECHO} " IDS_MAJVER = $IDS_MAJVER" ${ECHO} " IDS_MINVER = $IDS_MINVER" fi } # # get_dirmgr_dn(): Get the directory manger DN. # get_dirmgr_dn() { get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN" LDAP_ROOTDN=$ANS # Update ENV variables using DN. AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" export AUTH_ARGS LDAP_ARGS } # # get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf) # get_dirmgr_pw() { while : do # Get passwd. get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :" LDAP_ROOTPWD=$ANS # Store password in file. save_password # Update ENV variables using DN's PW. AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" export AUTH_ARGS LDAP_ARGS # Verify that ROOTDN and ROOTPWD are valid. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" if [ $? -ne 0 ]; then eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" if [ $? -eq 0 ]; then ${ECHO} "ERROR: Root DN passwd is invalid." else ${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>." get_dirmgr_dn fi else break # Both are valid. fi done } # # get_domain(): Get the Domain that will be served by the LDAP server. # $1 - Help argument. # get_domain() { # Use LDAP_DOMAIN as default. get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN # Check domainname, and have user re-enter if not valid. check_domainname $ANS while [ $? -ne 0 ] do case "$ANS" in [Hh] | help | Help | \?) display_msg ${1:-sorry} ;; * ) ${ECHO} "Invalid domainname: \"${ANS}\"." ;; esac get_ans "Enter domainname to be served (h=help):" $DOM check_domainname $ANS done # Set the domainname to valid name. LDAP_DOMAIN=$ANS } # # get_basedn(): Query for the Base DN. # get_basedn() { # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default. # Then call get_basedn(). This method remakes the default # each time just in case the domain changed. domain_2_dc $LDAP_DOMAIN LDAP_BASEDN=$_DOM_2_DC # Get Base DN. while : do get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" check_baseDN "$ANS" while [ $? -ne 0 ] do case "$ANS" in [Hh] | help | Help | \?) display_msg basedn_help ;; * ) ${ECHO} "Invalid base DN: \"${ANS}\"." ;; esac # Re-Enter the BaseDN get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" check_baseDN "$ANS" done # Set base DN and check its suffix LDAP_BASEDN=${ANS} check_basedn_suffix || { cleanup exit 1 } # suffix may need to be created, in that case get suffix from user [ -n "${NEED_CREATE_SUFFIX}" ] && { get_suffix || continue } # suffix is ok, break out of the base dn inquire loop break done } # # get_want_shadow_update(): Ask user if want to enable shadow update? # get_want_shadow_update() { MSG="Do you want to enable shadow update (y/n/h)?" get_confirm "$MSG" "n" "enable_shadow_update_help" if [ $? -eq 1 ]; then LDAP_ENABLE_SHADOW_UPDATE="TRUE" else LDAP_ENABLE_SHADOW_UPDATE="FALSE" fi } get_krb_realm() { # To upper cases LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'` get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM" # To upper cases LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'` } # $1: DN # $2: ldif file add_entry_by_DN() { ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then ${ECHO} " ${1} already exists" return 0 else ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}" if [ $? -eq 0 ]; then ${ECHO} " ${1} is added" return 0 else ${ECHO} " ERROR: failed to add ${1}" return 1 fi fi } # # Kerberos princiapl to DN mapping rules # # Add rules for host credentails and user credentials # add_id_mapping_rules() { ${ECHO} " Adding Kerberos principal to DN mapping rules..." _C_DN="cn=GSSAPI,cn=identity mapping,cn=config" ( cat << EOF dn: cn=GSSAPI,cn=identity mapping,cn=config objectClass: top objectClass: nsContainer cn: GSSAPI EOF ) > ${TMPDIR}/GSSAPI_container.ldif add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif" if [ $? -ne 0 ]; then ${RM} ${TMPDIR}/GSSAPI_container.ldif return fi _H_CN="host_auth_${LDAP_KRB_REALM}" _H_DN="cn=${_H_CN}, ${_C_DN}" ( cat << EOF dn: ${_H_DN} objectClass: top objectClass: nsContainer objectClass: dsIdentityMapping objectClass: dsPatternMatching cn: ${_H_CN} dsMatching-pattern: \${Principal} dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM} dsSearchBaseDN: ou=hosts,${LDAP_BASEDN} dsSearchFilter: (&(objectClass=ipHost)(cn=\$1)) dsSearchScope: one EOF ) > ${TMPDIR}/${_H_CN}.ldif add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif" _U_CN="user_auth_${LDAP_KRB_REALM}" _U_DN="cn=${_U_CN}, ${_C_DN}" ( cat << EOF dn: ${_U_DN} objectClass: top objectClass: nsContainer objectClass: dsIdentityMapping objectClass: dsPatternMatching cn: ${_U_CN} dsMatching-pattern: \${Principal} dsMatching-regexp: (.*)@${LDAP_KRB_REALM} dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN} EOF ) > ${TMPDIR}/${_U_CN}.ldif add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif" } # # Modify ACL to allow root to read all the password and only self can read # its own password when sasl/GSSAPI bind is used # modify_userpassword_acl_for_gssapi() { _P_DN="ou=People,${LDAP_BASEDN}" _H_DN="ou=Hosts,${LDAP_BASEDN}" _P_ACI="self-read-pwd" ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1" if [ $? -ne 0 ]; then ${ECHO} " ${_P_DN} does not exist" # Not Found. Create a new entry ( cat << EOF dn: ${_P_DN} ou: People objectClass: top objectClass: organizationalUnit EOF ) > ${TMPDIR}/gssapi_people.ldif add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif" else ${ECHO} " ${_P_DN} already exists" fi ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1" if [ $? -eq 0 ]; then ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1" if [ $? -eq 0 ]; then ${ECHO} " userpassword ACL ${_P_ACI} already exists." return else ${ECHO} " userpassword ACL ${_P_ACI} not found. Create a new one." fi else ${ECHO} " Error searching aci for ${_P_DN}" cat ${TMPDIR}/chk_gssapi_aci cleanup exit 1 fi ( cat << EOF dn: ${_P_DN} changetype: modify add: aci aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";) - add: aci aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";) EOF ) > ${TMPDIR}/user_gssapi.ldif LDAP_TYPE_OR_VALUE_EXISTS=20 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}" case $? in 0) ${ECHO} " ${_P_DN} uaserpassword ACL is updated." ;; 20) ${ECHO} " ${_P_DN} uaserpassword ACL already exists." ;; *) ${ECHO} " ERROR: update of userpassword ACL for ${_P_DN} failed!" cleanup exit 1 ;; esac } # # $1: objectclass or attributetyp # $2: name search_update_schema() { ATTR="${1}es" ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}" if [ $? -ne 0 ]; then ${ECHO} "${1} ${2} does not exist." update_schema_attr update_schema_obj SCHEMA_UPDATED=1 else ${ECHO} "${1} ${2} already exists. Schema has been updated" fi } # # $1: 1 - interactive, 0 - no # create_gssapi_profile() { if [ ${1} -eq 1 ]; then echo echo "You can create a sasl/GSSAPI enabled profile with default values now." get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n" if [ $? -eq 0 ]; then return fi fi # Add profile container if it does not exist eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1" if [ $? -ne 0 ]; then ( cat << EOF dn: ou=profile,${LDAP_BASEDN} ou: profile objectClass: top objectClass: organizationalUnit EOF ) > ${TMPDIR}/profile_people.ldif add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif" fi search_update_schema "objectclass" "DUAConfigProfile" _P_NAME="gssapi_${LDAP_KRB_REALM}" if [ ${1} -eq 1 ]; then _P_TMP=${LDAP_PROFILE_NAME} LDAP_PROFILE_NAME=${_P_NAME} get_profile_name LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME} LDAP_PROFILE_NAME=${_P_TMP} fi _P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}" if [ ${DEL_OLD_PROFILE} -eq 1 ]; then DEL_OLD_PROFILE=0 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}" fi _SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'` if [ ${IDS_PORT} -ne 389 ]; then _SVR="${_SVR}:${IDS_PORT}" fi (cat << EOF dn: ${_P_DN} objectClass: top objectClass: DUAConfigProfile defaultServerList: ${_SVR} defaultSearchBase: ${LDAP_BASEDN} authenticationMethod: sasl/GSSAPI followReferrals: ${LDAP_FOLLOWREF} defaultSearchScope: ${LDAP_SEARCH_SCOPE} searchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT} profileTTL: ${LDAP_PROFILE_TTL} cn: ${LDAP_GSSAPI_PROFILE} credentialLevel: self bindTimeLimit: ${LDAP_BIND_LIMIT} EOF ) > ${TMPDIR}/gssapi_profile.ldif add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif" } # # Set up GSSAPI if necessary # gssapi_setup() { # assume sasl/GSSAPI is supported by the ldap server and may be used GSSAPI_AUTH_MAY_BE_USED=1 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" if [ $? -ne 0 ]; then GSSAPI_AUTH_MAY_BE_USED=0 ${ECHO} " sasl/GSSAPI is not supported by this LDAP server" return fi get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n" if [ $? -eq 0 ]; then ${ECHO} ${ECHO} "GSSAPI is not set up." ${ECHO} "sasl/GSSAPI bind may not work if it's not set up first." else get_krb_realm add_id_mapping_rules modify_userpassword_acl_for_gssapi create_gssapi_profile 1 ${ECHO} ${ECHO} "GSSAPI setup is done." fi cat << EOF You can continue to create a profile and configure the LDAP server. Or you can stop now. EOF get_confirm "Do you want to stop:(y/n)" "n" if [ $? -eq 1 ]; then cleanup exit fi } gssapi_setup_auto() { GSSAPI_AUTH_MAY_BE_USED=0 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" if [ $? -ne 0 ]; then ${ECHO} ${ECHO} "sasl/GSSAPI is not supported by this LDAP server" ${ECHO} return fi if [ -z "${LDAP_KRB_REALM}" ]; then ${ECHO} ${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup." ${ECHO} "sasl/GSSAPI bind won't work properly." ${ECHO} return fi GSSAPI_AUTH_MAY_BE_USED=1 if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then ${ECHO} ${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}" ${ECHO} LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}" fi add_id_mapping_rules modify_userpassword_acl_for_gssapi create_gssapi_profile 0 } # get_profile_name(): Enter the profile name. # get_profile_name() { # Reset Delete Old Profile since getting new profile name. DEL_OLD_PROFILE=0 # Loop until valid profile name, or replace. while : do # Prompt for profile name. get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME" # Check for Help. case "$ANS" in [Hh] | help | Help | \?) display_msg profile_help continue ;; * ) ;; esac # Search to see if profile name already exists. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then cat << EOF Profile '${ANS}' already exists, it is possible to enable shadow update now. idsconfig will exit after shadow update is enabled. You can also continue to overwrite the profile or create a new one and be given the chance to enable shadow update later. EOF MSG="Just enable shadow update (y/n/h)?" get_confirm "$MSG" "n" "enable_shadow_update_help" if [ $? -eq 1 ]; then [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update" LDAP_ENABLE_SHADOW_UPDATE=TRUE # display alternate messages EXISTING_PROFILE=1 # Set Profile Name. LDAP_PROFILE_NAME=$ANS return 0 # set up credentials for shadow update. fi get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?" if [ $? -eq 1 ]; then DEL_OLD_PROFILE=1 return 0 # Replace old profile name. else ${ECHO} "Please re-enter a new profile name." fi else break # Unique profile name. fi done # Set Profile Name. LDAP_PROFILE_NAME=$ANS } # # get_srv_list(): Get the default server list. # get_srv_list() { # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone. if [ -z "${LDAP_SERVER_LIST}" ]; then LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'` if [ ${IDS_PORT} -ne 389 ]; then LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}" fi fi # Prompt for new LDAP_SERVER_LIST. while : do get_ans "Default server list (h=help):" $LDAP_SERVER_LIST # If help continue, otherwise break. case "$ANS" in [Hh] | help | Help | \?) display_msg def_srvlist_help ;; * ) break ;; esac done LDAP_SERVER_LIST=$ANS } # # get_pref_srv(): The preferred server list (Overrides the server list) # get_pref_srv() { while : do get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST # If help continue, otherwise break. case "$ANS" in [Hh] | help | Help | \?) display_msg pref_srvlist_help ;; * ) break ;; esac done LDAP_PREF_SRVLIST=$ANS } # # get_search_scope(): Get the search scope from the user. # get_search_scope() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()" _MENU_CHOICE=0 while : do get_ans "Choose desired search scope (one, sub, h=help): " "one" _MENU_CHOICE=$ANS case "$_MENU_CHOICE" in one) LDAP_SEARCH_SCOPE="one" return 1 ;; sub) LDAP_SEARCH_SCOPE="sub" return 2 ;; h) display_msg srch_scope_help ;; *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;; esac done } # # get_cred_level(): Function to display menu to user and get the # credential level. # get_cred_level() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()" _MENU_CHOICE=0 display_msg cred_level_menu while : do get_ans "Choose Credential level [h=help]:" "1" _MENU_CHOICE=$ANS case "$_MENU_CHOICE" in 1) LDAP_CRED_LEVEL="anonymous" return 1 ;; 2) LDAP_CRED_LEVEL="proxy" return 2 ;; 3) LDAP_CRED_LEVEL="proxy anonymous" return 3 ;; 4) LDAP_CRED_LEVEL="self" SELF_GSSAPI=1 return 4 ;; 5) LDAP_CRED_LEVEL="self proxy" SELF_GSSAPI=1 return 5 ;; 6) LDAP_CRED_LEVEL="self proxy anonymous" SELF_GSSAPI=1 return 6 ;; h) display_msg cred_lvl_help ;; *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;; esac done } # # srvauth_menu_handler(): Enter the Service Authentication method. # srvauth_menu_handler() { # Display Auth menu display_msg srvauth_method_menu # Get a Valid choice. while : do # Display appropriate prompt and get answer. if [ $_FIRST -eq 1 ]; then get_ans "Choose Service Authentication Method:" "1" else get_ans "Choose Service Authentication Method (0=reset):" fi # Determine choice. _MENU_CHOICE=$ANS case "$_MENU_CHOICE" in 1) _AUTHMETHOD="simple" break ;; 2) _AUTHMETHOD="sasl/DIGEST-MD5" break ;; 3) _AUTHMETHOD="tls:simple" break ;; 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5" break ;; 5) _AUTHMETHOD="sasl/GSSAPI" break ;; 0) _AUTHMETHOD="" _FIRST=1 break ;; *) ${ECHO} "Please enter 1-5 or 0 to reset." ;; esac done } # # auth_menu_handler(): Enter the Authentication method. # auth_menu_handler() { # Display Auth menu display_msg auth_method_menu # Get a Valid choice. while : do # Display appropriate prompt and get answer. if [ $_FIRST -eq 1 ]; then get_ans "Choose Authentication Method (h=help):" "1" else get_ans "Choose Authentication Method (0=reset, h=help):" fi # Determine choice. _MENU_CHOICE=$ANS case "$_MENU_CHOICE" in 1) _AUTHMETHOD="none" break ;; 2) _AUTHMETHOD="simple" break ;; 3) _AUTHMETHOD="sasl/DIGEST-MD5" break ;; 4) _AUTHMETHOD="tls:simple" break ;; 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5" break ;; 6) _AUTHMETHOD="sasl/GSSAPI" break ;; 0) _AUTHMETHOD="" _FIRST=1 break ;; h) display_msg auth_help ;; *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;; esac done } # # get_auth(): Enter the Authentication method. # get_auth() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()" _FIRST=1 # Flag for first time. _MENU_CHOICE=0 _AUTHMETHOD="" # Tmp method. while : do # Call Menu handler auth_menu_handler # Add Auth Method to list. if [ $_FIRST -eq 1 ]; then LDAP_AUTHMETHOD="${_AUTHMETHOD}" _FIRST=0 else LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" fi # Display current Authentication Method. ${ECHO} "" ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}" ${ECHO} "" # Prompt for another Auth Method, or break out. get_confirm_nodef "Do you want to add another Authentication Method?" if [ $? -eq 0 ]; then break; fi done } # # get_followref(): Whether or not to follow referrals. # get_followref() { get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help" if [ $? -eq 1 ]; then LDAP_FOLLOWREF="TRUE" else LDAP_FOLLOWREF="FALSE" fi } # # get_timelimit(): Set the time limit. -1 is max time. # get_timelimit() { # Get current timeout value from cn=config. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!" cleanup exit 1 fi CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=` get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1" IDS_TIMELIMIT=$NUM } # # get_sizelimit(): Set the size limit. -1 is max size. # get_sizelimit() { # Get current sizelimit value from cn=config. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!" cleanup exit 1 fi CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=` get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1" IDS_SIZELIMIT=$NUM } # # get_want_crypt(): Ask user if want to store passwords in crypt? # get_want_crypt() { get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help" if [ $? -eq 1 ]; then NEED_CRYPT="TRUE" else NEED_CRYPT="FALSE" fi } # # get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user. # # NOTE: This function is base on get_auth(). # get_srv_authMethod_pam() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()" _FIRST=1 # Flag for first time. _MENU_CHOICE=0 _AUTHMETHOD="" # Tmp method. while : do # Call Menu handler srvauth_menu_handler # Add Auth Method to list. if [ $_FIRST -eq 1 ]; then if [ "$_AUTHMETHOD" = "" ]; then LDAP_SRV_AUTHMETHOD_PAM="" else LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}" fi _FIRST=0 else LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}" fi # Display current Authentication Method. ${ECHO} "" ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}" ${ECHO} "" # Prompt for another Auth Method, or break out. get_confirm_nodef "Do you want to add another Authentication Method?" if [ $? -eq 0 ]; then break; fi done # Check in case user reset string and exited loop. if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then NEED_SRVAUTH_PAM=0 fi } # # get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user. # # NOTE: This function is base on get_auth(). # get_srv_authMethod_key() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()" _FIRST=1 # Flag for first time. _MENU_CHOICE=0 _AUTHMETHOD="" # Tmp method. while : do # Call Menu handler srvauth_menu_handler # Add Auth Method to list. if [ $_FIRST -eq 1 ]; then if [ "$_AUTHMETHOD" = "" ]; then LDAP_SRV_AUTHMETHOD_KEY="" else LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}" fi _FIRST=0 else LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}" fi # Display current Authentication Method. ${ECHO} "" ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}" ${ECHO} "" # Prompt for another Auth Method, or break out. get_confirm_nodef "Do you want to add another Authentication Method?" if [ $? -eq 0 ]; then break; fi done # Check in case user reset string and exited loop. if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then NEED_SRVAUTH_KEY=0 fi } # # get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user. # # NOTE: This function is base on get_auth(). # get_srv_authMethod_cmd() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()" _FIRST=1 # Flag for first time. _MENU_CHOICE=0 _AUTHMETHOD="" # Tmp method. while : do # Call Menu handler srvauth_menu_handler # Add Auth Method to list. if [ $_FIRST -eq 1 ]; then if [ "$_AUTHMETHOD" = "" ]; then LDAP_SRV_AUTHMETHOD_CMD="" else LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}" fi _FIRST=0 else LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}" fi # Display current Authentication Method. ${ECHO} "" ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}" ${ECHO} "" # Prompt for another Auth Method, or break out. get_confirm_nodef "Do you want to add another Authentication Method?" if [ $? -eq 0 ]; then break; fi done # Check in case user reset string and exited loop. if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then NEED_SRVAUTH_CMD=0 fi } # # get_srch_time(): Amount of time to search. # get_srch_time() { get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help" LDAP_SEARCH_TIME_LIMIT=$NUM } # # get_prof_ttl(): The profile time to live (TTL) # get_prof_ttl() { get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help" LDAP_PROFILE_TTL=$NUM } # # get_bind_limit(): Bind time limit # get_bind_limit() { get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help" LDAP_BIND_LIMIT=$NUM } ###################################################################### # FUNCTIONS FOR Service Search Descriptor's START HERE. ###################################################################### # # add_ssd(): Get SSD's from user and add to file. # add_ssd() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()" # Enter the service id. Loop til unique. while : do get_ans "Enter the service id:" _SERV_ID=$ANS # Grep for name existing. ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1 if [ $? -eq 1 ]; then break fi # Name exists, print message, let user decide. ${ECHO} "ERROR: Service id ${ANS} already exists." done get_ans "Enter the base:" _BASE=$ANS # Get the scope and verify that its one or sub. while : do get_ans "Enter the scope:" _SCOPE=$ANS case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in one) break ;; sub) break ;; *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;; esac done # Build SSD to add to file. _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" # Add the SSD to the file. ${ECHO} "${_SSD}" >> ${SSD_FILE} } # # delete_ssd(): Delete a SSD from the list. # delete_ssd() { [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()" # Get service id name from user for SSD to delete. get_ans_req "Enter service id to delete:" # Make sure service id exists. ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1 if [ $? -eq 1 ]; then ${ECHO} "Invalid service id: $ANS not present in list." return fi # Create temporary back SSD file. cp ${SSD_FILE} ${SSD_FILE}.bak if [ $? -eq 1 ]; then ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" exit 1 fi # Use ${GREP} to remove the SSD. Read from temp file # and write to the orig file. ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE} } # # modify_ssd(): Allow user to modify a SSD. # modify_ssd() { [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()" # Prompt user for service id. get_ans_req "Enter service id to modify:" # Put into temp _LINE. _LINE=`${GREP} "^$ANS:" ${SSD_FILE}` if [ "$_LINE" = "" ]; then ${ECHO} "Invalid service id: $ANS" return fi # Display current filter for user to see. ${ECHO} "" ${ECHO} "Current SSD: $_LINE" ${ECHO} "" # Get the defaults. _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1` _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2` # Create temporary back SSD file. cp ${SSD_FILE} ${SSD_FILE}.bak if [ $? -eq 1 ]; then ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" cleanup exit 1 fi # Removed the old line. ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1 # New Entry _SERV_ID=$ANS get_ans_req "Enter the base:" "$_CURR_BASE" _BASE=$ANS get_ans_req "Enter the scope:" "$_CURR_SCOPE" _SCOPE=$ANS # Build the new SSD. _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" # Add the SSD to the file. ${ECHO} "${_SSD}" >> ${SSD_FILE} } # # display_ssd(): Display the current SSD list. # display_ssd() { [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()" ${ECHO} "" ${ECHO} "Current Service Search Descriptors:" ${ECHO} "==================================" cat ${SSD_FILE} ${ECHO} "" ${ECHO} "Hit return to continue." read __A } # # prompt_ssd(): Get SSD's from user. # prompt_ssd() { [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()" # See if user wants SSD's? get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help" [ "$?" -eq 0 ] && return # Display menu for SSD choices. while : do display_msg prompt_ssd_menu get_ans "Enter menu choice:" "Quit" case "$ANS" in [Aa] | add) add_ssd ;; [Dd] | delete) delete_ssd ;; [Mm] | modify) modify_ssd ;; [Pp] | print | display) display_ssd ;; [Xx] | reset | clear) reset_ssd_file ;; [Hh] | Help | help) display_msg ssd_menu_help ${ECHO} " Press return to continue." read __A ;; [Qq] | Quit | quit) return ;; *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;; esac done } # # reset_ssd_file(): Blank out current SSD file. # reset_ssd_file() { [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()" rm -f ${SSD_FILE} touch ${SSD_FILE} } # # create_ssd_file(): Create a temporary file for SSD's. # create_ssd_file() { [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()" # Build a list of SSD's and store in temp file. ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \ sed 's/LDAP_SERV_SRCH_DES=//' \ > ${SSD_FILE} } # # ssd_2_config(): Append the SSD file to the output file. # ssd_2_config() { [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()" # Convert to config file format using sed. sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE} } # # ssd_2_profile(): Add SSD's to the GEN_CMD string. # ssd_2_profile() { [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()" GEN_TMPFILE=${TMPDIR}/ssd_tmpfile touch ${GEN_TMPFILE} # Add and convert each SSD to string. while read SSD_LINE do ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE} done <${SSD_FILE} # Add SSD's to GEN_CMD. GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`" } # # get_adminDN(): Get the admin DN. # get_adminDN() { LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}" # default get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN" LDAP_ADMINDN=$ANS [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN" } # # get_admin_pw(): Get the admin passwd. # get_admin_pw() { get_passwd "Enter passwd for the administrator:" LDAP_ADMIN_CRED=$ANS [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" } # # add_admin(): Add an admin entry for nameservice for updating shadow data. # add_admin() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()" # Check if the admin user already exists. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then MSG="Administrator ${LDAP_ADMINDN} already exists." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " NOT ADDED: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi return 0 fi # Get cn and sn names from LDAP_ADMINDN. cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=` # Create the tmp file to add. ( cat < ${TMPDIR}/admin # Add the entry. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding administrator identity failed!" cleanup exit 1 fi ${RM} -f ${TMPDIR}/admin # Display message that the administrator identity is added. MSG="Administrator identity ${LDAP_ADMINDN}" if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " ADDED: $MSG." else ${ECHO} " ${STEP}. $MSG added." STEP=`expr $STEP + 1` fi } # # allow_admin_read_write_shadow(): Give Admin read/write permission # to shadow data. # allow_admin_read_write_shadow() { [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()" # Set ACI Name ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write" # Search for ACI_NAME eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \ -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1" # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search" # and ${LDAP_ADMINDN} already exists, we are done ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \ ${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null if [ $? -eq 0 ]; then MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " NOT SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi return 0 fi # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN} # already exists, delete it first. find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \ ${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME} # Create the tmp file to add. ( cat < ${TMPDIR}/admin_write # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!" cleanup exit 1 fi ${RM} -f ${TMPDIR}/admin_write # Display message that the administrator ACL is set. MSG="Give ${LDAP_ADMINDN} read/write access to shadow data." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " ACI SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi } # # allow_host_read_write_shadow(): Give host principal read/write permission # for shadow data. # allow_host_read_write_shadow() { [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()" # Set ACI Name HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write" # Search for ACI_NAME eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1" ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1 if [ $? -eq 0 ]; then MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " NOT ADDED: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi return 0 fi # Create the tmp file to add. ( cat < ${TMPDIR}/host_read_write # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!" cleanup exit 1 fi ${RM} -f ${TMPDIR}/host_read_write MSG="Give host principal read/write permission for shadow." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " ACI SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi } # # Set up shadow update # setup_shadow_update() { [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()" # get content of the profile PROFILE_OUT=${TMPDIR}/prof_tmpfile ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1" ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1 if [ $? -ne 0 ]; then [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist" ${RM} ${PROFILE_OUT} return fi # Search to see if authenticationMethod has 'GSSAPI' and # credentialLevel has 'self'. If so, ask to use the # host principal for shadow update if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1 then if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1 then NEED_HOSTACL=1 fi fi ${RM} ${PROFILE_OUT} [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" if [ $NEED_HOSTACL -eq 1 ]; then MSG="Use host principal for shadow data update (y/n/h)?" get_confirm "$MSG" "y" "use_host_principal_help" if [ $? -eq 1 ]; then delete_proxy_read_pw allow_host_read_write_shadow deny_non_host_shadow_access ${ECHO} "" ${ECHO} " Shadow update has been enabled." else ${ECHO} "" ${ECHO} " Shadow update may not work." fi return fi fi MSG="Add the administrator identity (y/n/h)?" get_confirm "$MSG" "y" "add_admin_cred_help" if [ $? -eq 1 ]; then get_adminDN get_admin_pw add_admin delete_proxy_read_pw allow_admin_read_write_shadow deny_non_admin_shadow_access ${ECHO} "" ${ECHO} " Shadow update has been enabled." return fi ${ECHO} " No administrator identity specified, shadow update may not work." } # # prompt_config_info(): This function prompts the user for the config # info that is not specified in the input file. # prompt_config_info() { [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()" # Prompt for iDS server name. get_ids_server # Prompt for iDS port number. get_ids_port # Check iDS version for compatibility. chk_ids_version # Check if the server supports the VLV. chk_vlv_indexes # Get the Directory manager DN and passwd. get_dirmgr_dn get_dirmgr_pw # # LDAP CLIENT PROFILE SPECIFIC INFORMATION. # (i.e. The fields that show up in the profile.) # get_domain "domain_help" get_basedn gssapi_setup get_profile_name if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then setup_shadow_update cleanup exit 0 fi get_srv_list get_pref_srv get_search_scope # If cred is "anonymous", make auth == "none" get_cred_level if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then get_auth fi get_followref # Query user about timelimt. get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help" NEED_TIME=$? [ $NEED_TIME -eq 1 ] && get_timelimit # Query user about sizelimit. get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help" NEED_SIZE=$? [ $NEED_SIZE -eq 1 ] && get_sizelimit # Does the user want to store passwords in crypt format? get_want_crypt # Prompt for any Service Authentication Methods? get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help" if [ $? -eq 1 ]; then # Does the user want to set Service Authentication Method for pam_ldap? get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help" NEED_SRVAUTH_PAM=$? [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam # Does the user want to set Service Authentication Method for keyserv? get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help" NEED_SRVAUTH_KEY=$? [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key # Does the user want to set Service Authentication Method for passwd-cmd? get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help" NEED_SRVAUTH_CMD=$? [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd fi # Get Timeouts get_srch_time get_prof_ttl get_bind_limit # Ask whether to enable shadow update get_want_shadow_update # Reset the sdd_file and prompt user for SSD. Will use menus # to build an SSD File. reset_ssd_file prompt_ssd # Display FULL debugging info. disp_full_debug # Extra blank line to separate prompt lines from steps. ${ECHO} " " } ###################################################################### # FUNCTIONS FOR display_summary() START HERE. ###################################################################### # # get_proxyagent(): Get the proxyagent DN. # get_proxyagent() { LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT" LDAP_PROXYAGENT=$ANS } # # get_proxy_pw(): Get the proxyagent passwd. # get_proxy_pw() { get_passwd "Enter passwd for proxyagent:" LDAP_PROXYAGENT_CRED=$ANS } # # display_summary(): Display a summary of values entered and let the # user modify values at will. # display_summary() { [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()" # Create lookup table for function names. First entry is dummy for # shift. TBL1="dummy" TBL2="get_domain get_basedn get_profile_name" TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level" TBL4="get_auth get_followref" TBL5="get_timelimit get_sizelimit get_want_crypt" TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd" TBL7="get_srch_time get_prof_ttl get_bind_limit" TBL8="get_want_shadow_update" TBL9="prompt_ssd" FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9" # Since menu prompt string is long, set here. _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)" # Infinite loop. Test for 0, and break in loop. while : do # Display menu and get value in range. display_msg summary_menu get_menu_choice "${_MENU_PROMPT}" "0" "20" "0" _CH=$MN_CH # Make sure where not exiting. if [ $_CH -eq 0 ]; then break # Break out of loop if 0 selected. fi # Call appropriate function from function table. set $FUNC_TBL shift $_CH $1 # Call the appropriate function. done # If cred level is still see if user wants a change? if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1 then if [ "$LDAP_AUTHMETHOD" != "none" ]; then NEED_PROXY=1 # I assume integer test is faster? get_proxyagent get_proxy_pw else ${ECHO} "WARNING: Since Authentication method is 'none'." ${ECHO} " Credential level will be set to 'anonymous'." LDAP_CRED_LEVEL="anonymous" fi fi # If shadow update is enabled, set up administrator credential if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then NEED_ADMIN=1 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then NEED_HOSTACL=1 NEED_ADMIN=0 fi fi [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN" if [ $NEED_ADMIN -eq 1 ]; then get_adminDN get_admin_pw fi fi # Display FULL debugging info. disp_full_debug # Final confirmation message. (ARE YOU SURE!) ${ECHO} " " get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)" if [ $? -eq 0 ]; then ${ECHO} "Terminating setup without making changes at users request." cleanup exit 1 fi # Print newline ${ECHO} " " } # # create_config_file(): Write config data to config file specified. # create_config_file() { [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()" # If output file exists, delete it. [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE # Create output file. cat > $OUTPUT_FILE <> "${OUTPUT_FILE}" # Add the end of FILE tag. ${ECHO} "" >> ${OUTPUT_FILE} ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE} } # # chk_vlv_indexes(): Do ldapsearch to see if server supports VLV. # chk_vlv_indexes() { # Do ldapsearch to see if server supports VLV. ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1 eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}" if [ $? -ne 0 ]; then ${ECHO} "ERROR: VLV is not supported on LDAP server!" cleanup exit 1 fi [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server." } # # get_backend(): this function gets the relevant backend # (database) for LDAP_BASED. # Description: set IDS_DATABASE; exit on failure. # Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are # valid. # # backend is retrieved from suffixes and subsuffixes # defined under "cn=mapping tree,cn=config". The # nsslapd-state attribute of these suffixes entries # is filled with either Backend, Disabled or referrals # related values. We only want those that have a true # backend database to select the relevant backend. # get_backend() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()" cur_suffix=${LDAP_BASEDN} prev_suffix= IDS_DATABASE= while [ "${cur_suffix}" != "${prev_suffix}" ] do [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}" eval "${LDAPSEARCH} ${LDAP_ARGS} " \ "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \ "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \ "| ${GREP} 'nsslapd-backend=' " \ "> ${TMPDIR}/ids_database_name 2>&1" NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'` case ${NUM_DBS} in 0) # not a suffix, or suffix not activated; try next prev_suffix=${cur_suffix} cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','` ;; 1) # suffix found; get database name IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2` ;; *) # can not handle more than one database per suffix ${ECHO} "ERROR: More than one database is configured " ${ECHO} " for $LDAP_SUFFIX!" ${ECHO} " $PROG can not configure suffixes where " ${ECHO} " more than one database is used for one suffix." cleanup exit 1 ;; esac if [ -n "${IDS_DATABASE}" ]; then break fi done if [ -z "${IDS_DATABASE}" ]; then # should not happen, since LDAP_BASEDN is supposed to be valid ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}." ${ECHO} "Exiting." cleanup exit 1 fi [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}" } # # validate_suffix(): This function validates ${LDAP_SUFFIX} # THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. # validate_suffix() { [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()" # Check LDAP_SUFFIX is not null if [ -z "${LDAP_SUFFIX}" ]; then ${ECHO} "Invalid suffix (null suffix)" cleanup exit 1 fi # Check LDAP_SUFFIX and LDAP_BASEDN are consistent # Convert to lower case for basename. format_string "${LDAP_BASEDN}" LOWER_BASEDN="${FMT_STR}" format_string "${LDAP_SUFFIX}" LOWER_SUFFIX="${FMT_STR}" [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" ${ECHO} "for Base DN ${LOWER_BASEDN}" cleanup exit 1 fi fi # Check LDAP_SUFFIX does exist ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0 # Well, suffix does not exist, try to prepare create it ... NEED_CREATE_SUFFIX=1 prep_create_sfx_entry || { cleanup exit 1 } [ -n "${NEED_CREATE_BACKEND}" ] && { # try to use id attr value of the suffix as a database name IDS_DATABASE=${_VAL} prep_create_sfx_backend case $? in 1) # cann't use the name we want, so we can either exit or use # some another available name - doing the last ... IDS_DATABASE=${IDS_DATABASE_AVAIL} ;; 2) # unable to determine database name cleanup exit 1 ;; esac } [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE" } # # validate_info(): This function validates the basic info collected # So that some problems are caught right away. # THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. # validate_info() { [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()" # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file. SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" export SERVER_ARGS # Check the Root DN and Root DN passwd. # Use eval instead of $EVAL because not part of setup. (validate) eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" if [ $? -ne 0 ]; then eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" if [ $? -eq 0 ]; then ${ECHO} "ERROR: Root DN passwd is invalid." else ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>." fi cleanup exit 1 fi [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK" [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK" # Check if the server supports the VLV. chk_vlv_indexes [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK" # Check LDAP suffix validate_suffix [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK" } # # format_string(): take a string as argument and set FMT_STR # to be the same string formatted as follow: # - only lower case characters # - no unnecessary spaces around , and = # format_string() { FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' | sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'` } # # prepare for the suffix entry creation # # input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix; # in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config. # output : NEED_CREATE_BACKEND - backend for this suffix needs to be created; # _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value. # return : 0 - success, otherwise error. # prep_create_sfx_entry() { [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()" # check whether suffix corresponds to base dn format_string "${LDAP_BASEDN}" ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 || { display_msg sfx_not_suitable return 1 } # parse LDAP_SUFFIX _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1` _ATT=`${ECHO} "${_RDN}" | cut -d= -f1` _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-` # find out an objectclass for suffix entry if it is not defined yet [ -z "${LDAP_SUFFIX_OBJ}" ] && { get_objectclass ${_ATT} [ -z "${_ATTR_NAME}" ] && { display_msg obj_not_found return 1 } LDAP_SUFFIX_OBJ=${_ATTR_NAME} } [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}" # find out an aci for suffix entry if it is not defined yet [ -z "${LDAP_SUFFIX_ACI}" ] && { # set Directory Server default aci LDAP_SUFFIX_ACI=`cat </dev/null`" ] && { display_msg sfx_config_incons return 1 } # ok, no suffix mapping, no ldbm database [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..." NEED_CREATE_BACKEND=1 return 0 } # # prepare for the suffix backend creation # # input : IDS_DATABASE - requested ldbm db name (must be not null) # in/out : IDS_DATABASE_AVAIL - available ldbm db name # return : 0 - ldbm db name ok # 1 - IDS_DATABASE exists, # so IDS_DATABASE_AVAIL contains available name # 2 - unable to find any available name # prep_create_sfx_backend() { [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()" # check if requested name available [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 # get the list of database names start with a requested name _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ -b 'cn=ldbm database,cn=plugins,cn=config' \ -s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null # find available db name based on a requested name _i=""; _i_MAX=10 while [ ${_i:-0} -lt ${_i_MAX} ] do _name="${IDS_DATABASE}${_i}" ${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 || { IDS_DATABASE_AVAIL="${_name}" break } _i=`expr ${_i:-0} + 1` done [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 [ -n "${IDS_DATABASE_AVAIL}" ] && { display_msg ldbm_db_exist return 1 } display_msg unable_find_db_name return 2 } # # add suffix if needed, # suffix entry and backend MUST be prepared by # prep_create_sfx_entry and prep_create_sfx_backend correspondingly # # input : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL # LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE # return : 0 - suffix successfully created, otherwise error occured # add_suffix() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()" [ -n "${NEED_CREATE_SUFFIX}" ] || return 0 [ -n "${NEED_CREATE_BACKEND}" ] && { ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" < /dev/null 2>&1 if [ $? -eq 0 ]; then break else prev_ldap_entry=${cur_ldap_entry} cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','` fi done if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then ${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}" NEED_CREATE_SUFFIX=1 return 0 else [ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}" # Now looking for relevant suffix for this entry. # LDAP_SUFFIX will then be used to add necessary # base objects. See add_base_objects(). format_string "${cur_ldap_entry}" lower_entry="${FMT_STR}" [ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}" oIFS=$IFS [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line" IFS=' ' for suff in ${LDAP_SUFFIX_LIST} do [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}" format_string "${suff}" lower_suff="${FMT_STR}" if [ "${lower_entry}" = "${lower_suff}" ]; then LDAP_SUFFIX="${suff}" break else dcstmp=`basename "${lower_entry}" "${lower_suff}"` if [ "${dcstmp}" = "${lower_entry}" ]; then # invalid suffix, try next one continue else # valid suffix found LDAP_SUFFIX="${suff}" break fi fi done [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value" IFS=$oIFS [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}" if [ -z "${LDAP_SUFFIX}" ]; then # should not happen, since we found the entry ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}." ${ECHO} "Exiting." return 1 fi # Getting relevant database (backend) # IDS_DATABASE will then be used to create indexes. get_backend return 0 fi } # # discover_serv_suffix(): This function queries the server to find # suffixes available # return: 0: OK, suffix found # 1: suffix not determined discover_serv_suffix() { [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()" # Search the server for the TOP of the TREE. ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1 ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \ ${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'` case $NUM_TOP in 0) [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree" return 1 ;; *) # build the list of suffixes; take out 'namingContexts=' in # each line of ${TMPDIR}/treeTOP LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP | awk '{ printf("%s\n",substr($0,16,length-15)) }'` ;; esac [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST" return 0 } # # modify_cn(): Change the cn from MUST to MAY in ipNetwork. # modify_cn() { [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()" ( cat < ${TMPDIR}/ipNetwork_cn # Modify the cn for ipNetwork. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of cn for ipNetwork failed!" cleanup exit 1 fi } # modify_timelimit(): Modify timelimit to user value. modify_timelimit() { [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()" # Here doc to modify timelimit. ( cat < ${TMPDIR}/ids_timelimit # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of nsslapd-timelimit failed!" cleanup exit 1 fi # Display messages for modifications made in patch. ${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config." STEP=`expr $STEP + 1` } # modify_sizelimit(): Modify sizelimit to user value. modify_sizelimit() { [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()" # Here doc to modify sizelimit. ( cat < ${TMPDIR}/ids_sizelimit # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of nsslapd-sizelimit failed!" cleanup exit 1 fi # Display messages for modifications made in patch. ${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config." STEP=`expr $STEP + 1` } # modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT. modify_pwd_crypt() { [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()" # Here doc to modify passwordstoragescheme. # IDS 5.2 moved passwordchangesceme off to a new data structure. if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then ( cat < ${TMPDIR}/ids_crypt else ( cat < ${TMPDIR}/ids_crypt fi # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of passwordstoragescheme failed!" cleanup exit 1 fi # Display messages for modifications made in patch. ${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config." STEP=`expr $STEP + 1` } # # add_eq_indexes(): Add indexes to improve search performance. # add_eq_indexes() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()" # Set eq indexes to add. _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey" if [ -z "${IDS_DATABASE}" ]; then get_backend fi # Set _EXT to use as shortcut. _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" # Display message to id current step. ${ECHO} " ${STEP}. Processing eq,pres indexes:" STEP=`expr $STEP + 1` # For loop to create indexes. for i in ${_INDEXES}; do [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" # Check if entry exists first, if so, skip to next. ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \ \"objectclass=*\" > /dev/null 2>&1" if [ $? -eq 0 ]; then # Display index skipped. ${ECHO} " ${i} (eq,pres) skipped already exists" continue fi # Here doc to create LDIF. ( cat < ${TMPDIR}/index_${i} # Add the index. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!" cleanup exit 1 fi # Build date for task name. _YR=`date '+%y'` _MN=`date '+%m'` _DY=`date '+%d'` _H=`date '+%H'` _M=`date '+%M'` _S=`date '+%S'` # Build task name TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" # Build the task entry to add. ( cat < ${TMPDIR}/task_${i} # Add the task. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding task for ${i} failed!" cleanup exit 1 fi # Wait for task to finish, display current status. while : do ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 if [ $? -ne 0 ]; then break fi TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | head -1 | cut -d: -f2` ${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c" ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 if [ $? -eq 0 ]; then break fi sleep 2 done # Print newline because of \c. ${ECHO} " " done } # # add_sub_indexes(): Add indexes to improve search performance. # add_sub_indexes() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()" # Set eq indexes to add. _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple" # Set _EXT to use as shortcut. _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" # Display message to id current step. ${ECHO} " ${STEP}. Processing eq,pres,sub indexes:" STEP=`expr $STEP + 1` # For loop to create indexes. for i in ${_INDEXES}; do [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" # Check if entry exists first, if so, skip to next. ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \ -s base \"objectclass=*\" > /dev/null 2>&1" if [ $? -eq 0 ]; then # Display index skipped. ${ECHO} " ${i} (eq,pres,sub) skipped already exists" continue fi # Here doc to create LDIF. ( cat < ${TMPDIR}/index_${i} # Add the index. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!" cleanup exit 1 fi # Build date for task name. _YR=`date '+%y'` _MN=`date '+%m'` _DY=`date '+%d'` _H=`date '+%H'` _M=`date '+%M'` _S=`date '+%S'` # Build task name TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" # Build the task entry to add. ( cat < ${TMPDIR}/task_${i} # Add the task. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding task for ${i} failed!" cleanup exit 1 fi # Wait for task to finish, display current status. while : do ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 if [ $? -ne 0 ]; then break fi TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | head -1 | cut -d: -f2` ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c" ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 if [ $? -eq 0 ]; then break fi sleep 2 done # Print newline because of \c. ${ECHO} " " done } # # add_vlv_indexes(): Add VLV indexes to improve search performance. # add_vlv_indexes() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()" # Set eq indexes to add. # Note semi colon separators because some filters contain colons _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup" _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost" _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork" _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount" _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc" _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount" # Indexes added during NIS to LDAP transition _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount" _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr" _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser" _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr" _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)" _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)" _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup" _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)" _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)" _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup" _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)" _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)" _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService" _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)" _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)" _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 " # Set _EXT to use as shortcut. _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" # Display message to id current step. ${ECHO} " ${STEP}. Processing VLV indexes:" STEP=`expr $STEP + 1` # Reset temp file for vlvindex commands. [ -f ${TMPDIR}/ds5_vlvindex_list ] && rm ${TMPDIR}/ds5_vlvindex_list touch ${TMPDIR}/ds5_vlvindex_list [ -f ${TMPDIR}/ds6_vlvindex_list ] && rm ${TMPDIR}/ds6_vlvindex_list touch ${TMPDIR}/ds6_vlvindex_list # Get the instance name from iDS server. _INSTANCE="" # Default to old output. eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1" ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right? if [ $? -eq 0 ]; then # If success, grab name after "slapd-". _INST_DIR=`cat ${TMPDIR}/instance_name` _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-` fi # For loop to create indexes. for p in ${_INDEXES}; do [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" # Break p (pair) into i and j parts. i=`${ECHO} $p | cut -d';' -f1` j=`${ECHO} $p | cut -d';' -f2` k=`${ECHO} $p | cut -d';' -f3` m=`${ECHO} $p | cut -d';' -f4` # Set _jEXT to use as shortcut. _jEXT="cn=${j},${_EXT}" # Check if entry exists first, if so, skip to next. ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1 if [ $? -eq 0 ]; then # Display index skipped. ${ECHO} " ${i} vlv_index skipped already exists" continue fi # Compute the VLV Scope from the LDAP_SEARCH_SCOPE. # NOTE: A value of "base (0)" does not make sense. case "$LDAP_SEARCH_SCOPE" in sub) VLV_SCOPE="2" ;; *) VLV_SCOPE="1" ;; esac # Here doc to create LDIF. ( cat < ${TMPDIR}/vlv_index_${i} # Add the index. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding VLV index for ${i} failed!" cleanup exit 1 fi # Print message that index was created. ${ECHO} " ${i} vlv_index Entry created" # Add command to list of vlvindex commands to run. ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list ${ECHO} " /bin/dsadm reindex -l -t ${i} ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list done } # # display_vlv_cmds(): Display VLV index commands to run on server. # display_vlv_cmds() { if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \ -s "${TMPDIR}/ds6_vlvindex_list" ]; then display_msg display_vlv_list fi if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then cat ${TMPDIR}/ds5_vlvindex_list fi cat << EOF EOF if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then cat ${TMPDIR}/ds6_vlvindex_list fi } # # keep_backward_compatibility(): Modify schema for the backward compatibility if # there are the incompatible attributes already # keep_backward_compatibility() { ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \ \"objectclass=*\" attributeTypes | ${GREP} -i memberGid-oid ${VERB}" if [ $? -eq 0 ]; then ${SED} -e 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.5\.1\.30\ /memberGid-oid\ /' \ ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr fi ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \ \"objectclass=*\" attributeTypes | ${GREP} -i rfc822mailMember-oid \ ${VERB}" if [ $? -eq 0 ]; then ${SED} -e \ 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.2\.1\.15\ /rfc822mailMember-oid\ /' \ ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr fi } # # update_schema_attr(): Update Schema to support Naming. # update_schema_attr() { [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" ( cat <". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) EOF ) > ${TMPDIR}/schema_attr keep_backward_compatibility # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of schema attributes failed!" cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Schema attributes have been updated." STEP=`expr $STEP + 1` } # # update_schema_obj(): Update the schema objectclass definitions. # update_schema_obj() { [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()" # Add the objectclass definitions. ( cat < ${TMPDIR}/schema_obj # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of schema objectclass definitions failed!" cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Schema objectclass definitions have been added." STEP=`expr $STEP + 1` } # # modify_top_aci(): Modify the ACI for the top entry to disable self modify # of user attributes. # modify_top_aci() { [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()" # Set ACI Name ACI_NAME="LDAP_Naming_Services_deny_write_access" # Search for ACI_NAME eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1" if [ $? -ne 0 ]; then ${ECHO} "Error searching aci for ${LDAP_BASEDN}" cat ${TMPDIR}/chk_top_aci cleanup exit 1 fi ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1 if [ $? -eq 0 ]; then ${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}." STEP=`expr $STEP + 1` return 0 fi # Crate LDIF for top level ACI. ( cat < ${TMPDIR}/top_aci # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)" cleanup exit 1 fi # Display message that ACI is updated. MSG="ACI for ${LDAP_BASEDN} modified to disable self modify." if [ $EXISTING_PROFILE -eq 1 ];then ${ECHO} " ACI SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi } # # find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1. # Delete the ACI and print a message using $3 as the ACI name. $3 is needed # because it could have a different value than that of $1. find_and_delete_ACI() { [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI" # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN} ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1 if [ -s ${TMPDIR}/grep_find_delete_aci ]; then aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci` # Create the tmp file to delete the ACI. ( cat < ${TMPDIR}/find_delete_aci # Delete the ACI ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Remove of $3 ACI failed!" cleanup exit 1 fi ${RM} -f ${TMPDIR}/find_delete_aci # Display message that an ACL is deleted. MSG="ACI $3 deleted." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " ACI DELETED: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi fi } # # Add an ACI to deny non-admin access to shadow data when # shadow update is enabled. # deny_non_admin_shadow_access() { [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()" # Set ACI Names ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access" ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access" # Search for ACI_TO_ADD eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1" if [ $? -ne 0 ]; then ${ECHO} "Error searching aci for ${LDAP_BASEDN}" cleanup exit 1 fi # If an ACI with ${ACI_TO_ADD} already exists, we are done. ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null if [ $? -eq 0 ]; then MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " NOT SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi return 0 fi # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs # should be mutually exclusive, so if the latter exists, delete it. find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL} # Create the tmp file to add. ( cat < ${TMPDIR}/non_admin_aci_write # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" ${CAT} ${TMPDIR}/non_admin_aci_write cleanup exit 1 fi ${RM} -f ${TMPDIR}/non_admin_aci_write # Display message that the non-admin access to shadow data is denied. MSG="Non-Admin access to shadow data denied." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " ACI SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi } # # Add an ACI to deny non-host access to shadow data when # shadow update is enabled and auth Method if gssapi. # deny_non_host_shadow_access() { [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()" # Set ACI Names ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access" ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access" # Search for ACI_TO_ADD eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1" if [ $? -ne 0 ]; then ${ECHO} "Error searching aci for ${LDAP_BASEDN}" cleanup exit 1 fi # If an ACI with ${ACI_TO_ADD} already exists, we are done. ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null if [ $? -eq 0 ]; then MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " NOT SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi return 0 fi # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs # should be mutually exclusive, so if the former exists, delete it. find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL} # Create the tmp file to add. ( cat < ${TMPDIR}/non_host_aci_write # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" ${CAT} ${TMPDIR}/non_host_aci_write cleanup exit 1 fi ${RM} -f ${TMPDIR}/non_host_aci_write # Display message that the non-host access to shadow data is denied. MSG="Non-host access to shadow data is denied." if [ $EXISTING_PROFILE -eq 1 ]; then ${ECHO} " ACI SET: $MSG" else ${ECHO} " ${STEP}. $MSG" STEP=`expr $STEP + 1` fi } # # add_vlv_aci(): Add access control information (aci) for VLV. # add_vlv_aci() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()" # Add the VLV ACI. ( cat < ${TMPDIR}/vlv_aci # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Add of VLV ACI failed!" cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)." STEP=`expr $STEP + 1` } # # set_nisdomain(): Add the NisDomainObject to the Base DN. # set_nisdomain() { [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()" # Check if nisDomain is already set. ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \ \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1 ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}" if [ $? -eq 0 ]; then ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set." STEP=`expr $STEP + 1` return 0 fi # Add the new top level containers. ( cat < ${TMPDIR}/nis_domain # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed." cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}." STEP=`expr $STEP + 1` } # # check_attrName(): Check that the attribute name is valid. # $1 Key to check. # Returns 0 : valid name 1 : invalid name # check_attrName() { [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()" [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1" ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1 if [ $? -eq 0 ]; then ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}" else ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}" fi if [ $? -ne 0 ]; then return 1 else return 0 fi } # # get_objectclass(): Determine the objectclass for the given attribute name # $1 Attribute name to check. # _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig. # # NOTE: An attribute name can be valid but still we might not be able # to determine the objectclass from the table. # In such cases, the user needs to create the necessary object(s). # get_objectclass() { [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()" [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1" # Set return value to NULL string. _ATTR_NAME="" # Test key for type: case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;; dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;; o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;; c | countryname | 2.5.4.6) _ATTR_NAME="country" ;; *) _ATTR_NAME="" ;; esac [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME" } # # add_base_objects(): Add any necessary base objects. # add_base_objects() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()" # Convert to lower case for basename. format_string "${LDAP_BASEDN}" LOWER_BASEDN="${FMT_STR}" format_string "${LDAP_SUFFIX}" LOWER_SUFFIX="${FMT_STR}" [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" # Create additional components. if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent" else # first, test that the suffix is valid dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then # should not happen since check_basedn_suffix() succeeded ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" ${ECHO} "for Base DN ${LOWER_BASEDN}" cleanup exit 1 fi # OK, suffix is valid, start working with LDAP_BASEDN # field separator is ',' (i.e., space is a valid character) dcstmp2="`${ECHO} ${LDAP_BASEDN} | sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`" dcs="" # use dcstmp to count the loop, and dcstmp2 to get the correct # string case # dcs should be in reverse order, only for these components # that need to be added while [ -n "${dcstmp}" ] do i2=`${ECHO} "$dcstmp2" | cut -f1 -d','` dk=`${ECHO} $i2 | awk -F= '{print $1}'` dc=`${ECHO} $i2 | awk -F= '{print $2}'` dcs="$dk=$dc,$dcs"; dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','` dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','` [ $DEBUG -eq 1 ] && \ ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n" done lastdc=${LDAP_SUFFIX} dc=`${ECHO} "${dcs}" | cut -f1 -d','` dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','` while [ -n "${dc}" ]; do # Get Key and component from $dc. dk2=`${ECHO} $dc | awk -F= '{print $1}'` dc2=`${ECHO} $dc | awk -F= '{print $2}'` # At this point, ${dk2} is a valid attribute name # Check if entry exists first, if so, skip to next. ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1 if [ $? -eq 0 ]; then # Set the $lastdc to new dc. lastdc="${dk2}=${dc2},$lastdc" # Process next component. dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` continue fi # Determine the objectclass for the entry. get_objectclass $dk2 OBJ_Name=${_ATTR_NAME} if [ "${OBJ_Name}" = "" ]; then ${ECHO} "Cannot determine objectclass for $dk2" ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig" exit 1 fi # Add the new container. ( cat < ${TMPDIR}/base_objects # Set the $lastdc to new dc. lastdc="${dk2}=${dc2},$lastdc" # Add the entry. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: update of base objects ${dc} failed." cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Created DN component ${dc}." STEP=`expr $STEP + 1` # Process next component. dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` done fi } # # add_new_containers(): Add the top level classes. # # $1 = Base DN # add_new_containers() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()" for ou in people group rpc protocols networks netgroup \ aliases hosts services ethers profile printers projects \ SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do # Check if nismaps already exist. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then continue fi # Create TMP file to add. ( cat < ${TMPDIR}/toplevel.${ou} # Add the entry. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Add of ou=${ou} container failed!" cleanup exit 1 fi done # Display message that top level OU containers complete. ${ECHO} " ${STEP}. Top level \"ou\" containers complete." STEP=`expr $STEP + 1` } # # add_auto_maps(): Add the automount map entries. # # auto_home, auto_direct, auto_master, auto_shared # add_auto_maps() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()" # Set AUTO_MAPS for maps to create. AUTO_MAPS="auto_home auto_direct auto_master auto_shared" for automap in $AUTO_MAPS; do # Check if automaps already exist. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then continue fi # Create the tmp file to add. ( cat < ${TMPDIR}/automap.${automap} # Add the entry. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Add of automap ${automap} failed!" cleanup exit 1 fi done # Display message that automount entries are updated. ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed." STEP=`expr $STEP + 1` } # # add_proxyagent(): Add entry for nameservice to use to access server. # add_proxyagent() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()" # Check if proxy agent already exists. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists." STEP=`expr $STEP + 1` return 0 fi # Get cn and sn names from LDAP_PROXYAGENT. cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=` # Create the tmp file to add. ( cat < ${TMPDIR}/proxyagent # Add the entry. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Adding proxyagent failed!" cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added." STEP=`expr $STEP + 1` } # # allow_proxy_read_pw(): Give Proxy Agent read permission for password. # allow_proxy_read_pw() { [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()" # Search for ACI_NAME eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1 if [ $? -eq 0 ]; then ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}." STEP=`expr $STEP + 1` return 0 fi # Create the tmp file to add. ( cat < ${TMPDIR}/proxy_read # Add the entry. ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!" cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password." STEP=`expr $STEP + 1` } # Delete Proxy Agent read permission for password. delete_proxy_read_pw() { [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()" # Search for ACI_NAME eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \ ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1 if [ $? -ne 0 ]; then ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." return 0 fi # We need to remove proxy agent's read access to user passwords, # but We do not know the value of the ${LDAP_PROXYAGENT} here, so # 1. if only one match found, delete it # 2. if more than one matches found, ask the user which one to delete HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'` if [ $HOWMANY -eq 0 ]; then ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." return 0 fi if [ $HOWMANY -eq 1 ];then proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci` else ${CAT} << EOF Proxy agent is not allowed to read user passwords when shadow update is enabled. There are more than one proxy agents found. Please select the currently proxy agent being used, so that idsconfig can remove its read access to user passwords. The proxy agents are: EOF # generate the proxy agent list ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \ ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \ ${TMPDIR}/proxy_agent_list # print the proxy agent list ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list # ask the user to pick one _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): " get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY" _CH=$MN_CH proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci` fi # Create the tmp file to delete the ACI. ( cat < ${TMPDIR}/proxy_delete # Delete the ACI ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!" cat ${TMPDIR}/proxy_delete cleanup exit 1 fi # Display message that ACI is updated. MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password." ${ECHO} " " ${ECHO} " ACI REMOVED: $MSG" ${ECHO} " The ACI removed is $proxy_aci" ${ECHO} " " } # # add_profile(): Add client profile to server. # add_profile() { [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()" # If profile name already exists, DELETE it, and add new one. eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" if [ $? -eq 0 ]; then # Create Delete file. ( cat < ${TMPDIR}/del_profile # Check if DEL_OLD_PROFILE is set. (If not ERROR) if [ $DEL_OLD_PROFILE -eq 0 ]; then ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!" exit 1 fi # Delete the OLD profile. ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Attempt to DELETE profile failed!" cleanup exit 1 fi fi # Build the "ldapclient genprofile" command string to execute. GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\"" # Add required argument defaultSearchBase. GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\"" # Add optional parameters. [ -n "$LDAP_SERVER_LIST" ] && \ GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\"" [ -n "$LDAP_SEARCH_SCOPE" ] && \ GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\"" [ -n "$LDAP_CRED_LEVEL" ] && \ GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\"" [ -n "$LDAP_AUTHMETHOD" ] && \ GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\"" [ -n "$LDAP_FOLLOWREF" ] && \ GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\"" [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \ GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\"" [ -n "$LDAP_PROFILE_TTL" ] && \ GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\"" [ -n "$LDAP_BIND_LIMIT" ] && \ GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\"" [ -n "$LDAP_PREF_SRVLIST" ] && \ GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\"" [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \ GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\"" [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \ GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\"" [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \ GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\"" # Check if there are any service search descriptors to ad. if [ -s "${SSD_FILE}" ]; then ssd_2_profile fi # Execute "ldapclient genprofile" to create profile. eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR if [ $? -ne 0 ]; then ${ECHO} " ERROR: ldapclient genprofile failed!" cleanup exit 1 fi # Add the generated profile.. ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}" if [ $? -ne 0 ]; then ${ECHO} " ERROR: Attempt to add profile failed!" cleanup exit 1 fi # Display message that schema is updated. ${ECHO} " ${STEP}. Generated client profile and loaded on server." STEP=`expr $STEP + 1` } # # cleanup(): Remove the TMPDIR and all files in it. # cleanup() { [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()" rm -fr ${TMPDIR} } # # * * * MAIN * * * # # Description: # This script assumes that the iPlanet Directory Server (iDS) is # installed and that setup has been run. This script takes the # iDS server from that point and sets up the infrastructure for # LDAP Naming Services. After running this script, ldapaddent(1M) # or some other tools can be used to populate data. # Initialize the variables that need to be set to NULL, or some # other initial value before the rest of the functions can be called. init # Parse command line arguments. parse_arg $* shift $? # Print extra line to separate from prompt. ${ECHO} " " # Either Load the user specified config file # or prompt user for config info. if [ -n "$INPUT_FILE" ] then load_config_file INTERACTIVE=0 # Turns off prompts that occur later. validate_info # Validate basic info in file. chk_ids_version # Check iDS version for compatibility. gssapi_setup_auto else # Display BACKUP warning to user. display_msg backup_server get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help" if [ $? -eq 0 ]; then # if No, cleanup and exit. cleanup ; exit 1 fi # Prompt for values. prompt_config_info display_summary # Allow user to modify results. INTERACTIVE=1 # Insures future prompting. fi # Modify slapd.oc.conf to ALLOW cn instead of REQUIRE. modify_cn # Modify timelimit to user value. [ $NEED_TIME -eq 1 ] && modify_timelimit # Modify sizelimit to user value. [ $NEED_SIZE -eq 1 ] && modify_sizelimit # Modify the password storage scheme to support CRYPT. if [ "$NEED_CRYPT" = "TRUE" ]; then modify_pwd_crypt fi # Update the schema (Attributes, Objectclass Definitions) if [ ${SCHEMA_UPDATED} -eq 0 ]; then update_schema_attr update_schema_obj fi # Add suffix together with its root entry (if needed) add_suffix || { cleanup exit 1 } # Add base objects (if needed) add_base_objects # Update the NisDomainObject. # The Base DN might of just been created, so this MUST happen after # the base objects have been added! set_nisdomain # Add top level classes (new containers) add_new_containers # Add common nismaps. add_auto_maps # Modify top ACI. modify_top_aci # Add Access Control Information for VLV. add_vlv_aci # if Proxy needed, Add Proxy Agent and give read permission for password. if [ $NEED_PROXY -eq 1 ]; then add_proxyagent if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then allow_proxy_read_pw fi fi # If admin needed for shadow update, Add the administrator identity and # give read/write permission for shadow, and deny all others read/write # access to it. if [ $NEED_ADMIN -eq 1 ]; then add_admin allow_admin_read_write_shadow # deny non-admin access to shadow data deny_non_admin_shadow_access fi # If use host principal for shadow update, give read/write permission for # shadow, and deny all others' read/write access to it. if [ $NEED_HOSTACL -eq 1 ]; then allow_host_read_write_shadow # deny non-host access to shadow data deny_non_host_shadow_access fi # Generate client profile and add it to the server. add_profile # Add Indexes to improve Search Performance. add_eq_indexes add_sub_indexes add_vlv_indexes # Display setup complete message display_msg setup_complete # Display VLV index commands to be executed on server. display_vlv_cmds # Create config file if requested. [ -n "$OUTPUT_FILE" ] && create_config_file # Removed the TMPDIR and all files in it. cleanup exit 0 # end of MAIN.