1#!/bin/sh 2# 3# ident "%Z%%M% %I% %E% SMI" 4# 5# CDDL HEADER START 6# 7# The contents of this file are subject to the terms of the 8# Common Development and Distribution License (the "License"). 9# You may not use this file except in compliance with the License. 10# 11# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 12# or http://www.opensolaris.org/os/licensing. 13# See the License for the specific language governing permissions 14# and limitations under the License. 15# 16# When distributing Covered Code, include this CDDL HEADER in each 17# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 18# If applicable, add the following below this CDDL HEADER, with the 19# fields enclosed by brackets "[]" replaced with your own identifying 20# information: Portions Copyright [yyyy] [name of copyright owner] 21# 22# CDDL HEADER END 23# 24# 25# idsconfig -- script to setup iDS 5.x for Native LDAP II. 26# 27# Copyright 2006 Sun Microsystems, Inc. All rights reserved. 28# Use is subject to license terms. 29# 30 31# 32# display_msg(): Displays message corresponding to the tag passed in. 33# 34display_msg() 35{ 36 case "$1" in 37 usage) cat <<EOF 38 $PROG: [ -v ] [ -i input file ] [ -o output file ] 39 i <input file> Get setup info from input file. 40 o <output file> Generate a server configuration output file. 41 v Verbose mode 42EOF 43 ;; 44 backup_server) cat <<EOF 45It is strongly recommended that you BACKUP the directory server 46before running $PROG. 47 48Hit Ctrl-C at any time before the final confirmation to exit. 49 50EOF 51 ;; 52 setup_complete) cat <<EOF 53 54$PROG: Setup of iDS server ${IDS_SERVER} is complete. 55 56EOF 57 ;; 58 display_vlv_list) cat <<EOF 59 60Note: idsconfig has created entries for VLV indexes. Use the 61 directoryserver(1m) script on ${IDS_SERVER} to stop 62 the server and then enter the following vlvindex 63 sub-commands to create the actual VLV indexes: 64 65EOF 66 ;; 67 cred_level_menu) cat <<EOF 68The following are the supported credential levels: 69 1 anonymous 70 2 proxy 71 3 proxy anonymous 72EOF 73 ;; 74 auth_method_menu) cat <<EOF 75The following are the supported Authentication Methods: 76 1 none 77 2 simple 78 3 sasl/DIGEST-MD5 79 4 tls:simple 80 5 tls:sasl/DIGEST-MD5 81EOF 82 ;; 83 srvauth_method_menu) cat <<EOF 84The following are the supported Authentication Methods: 85 1 simple 86 2 sasl/DIGEST-MD5 87 3 tls:simple 88 4 tls:sasl/DIGEST-MD5 89EOF 90 ;; 91 prompt_ssd_menu) cat <<EOF 92 A Add a Service Search Descriptor 93 D Delete a SSD 94 M Modify a SSD 95 P Display all SSD's 96 H Help 97 X Clear all SSD's 98 99 Q Exit menu 100EOF 101 ;; 102 summary_menu) 103 104 SUFFIX_INFO= 105 DB_INFO= 106 107 [ -n "${NEED_CREATE_SUFFIX}" ] && 108 { 109 SUFFIX_INFO=`cat <<EOF 110 111 Suffix to create : $LDAP_SUFFIX 112EOF 113` 114 [ -n "${NEED_CREATE_BACKEND}" ] && 115 DB_INFO=`cat <<EOF 116 117 Database to create : $IDS_DATABASE 118EOF 119` 120 } 121 122 cat <<EOF 123 Summary of Configuration 124 125 1 Domain to serve : $LDAP_DOMAIN 126 2 Base DN to setup : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO 127 3 Profile name to create : $LDAP_PROFILE_NAME 128 4 Default Server List : $LDAP_SERVER_LIST 129 5 Preferred Server List : $LDAP_PREF_SRVLIST 130 6 Default Search Scope : $LDAP_SEARCH_SCOPE 131 7 Credential Level : $LDAP_CRED_LEVEL 132 8 Authentication Method : $LDAP_AUTHMETHOD 133 9 Enable Follow Referrals : $LDAP_FOLLOWREF 134 10 iDS Time Limit : $IDS_TIMELIMIT 135 11 iDS Size Limit : $IDS_SIZELIMIT 136 12 Enable crypt password storage : $NEED_CRYPT 137 13 Service Auth Method pam_ldap : $LDAP_SRV_AUTHMETHOD_PAM 138 14 Service Auth Method keyserv : $LDAP_SRV_AUTHMETHOD_KEY 139 15 Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD 140 16 Search Time Limit : $LDAP_SEARCH_TIME_LIMIT 141 17 Profile Time to Live : $LDAP_PROFILE_TTL 142 18 Bind Limit : $LDAP_BIND_LIMIT 143 19 Service Search Descriptors Menu 144 145EOF 146 ;; 147 sfx_not_suitable) cat <<EOF 148 149Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN} 150 151EOF 152 ;; 153 obj_not_found) cat <<EOF 154 155Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute 156 157EOF 158 ;; 159 sfx_config_incons) cat <<EOF 160 161Sorry, there is no suffix mapping for ${LDAP_SUFFIX}, 162while ldbm database exists, server configuration needs to be fixed manually, 163look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config 164 165EOF 166 ;; 167 ldbm_db_exist) cat <<EOF 168 169Database "${IDS_DATABASE}" already exists, 170however "${IDS_DATABASE_AVAIL}" name is available 171 172EOF 173 ;; 174 unable_find_db_name) cat <<EOF 175 176Unable to find any available database name close to "${IDS_DATABASE}" 177 178EOF 179 ;; 180 create_ldbm_db_error) cat <<EOF 181 182ERROR: unable to create suffix ${LDAP_SUFFIX} 183 due to server error that occurred during creation of ldbm database 184 185EOF 186 ;; 187 create_suffix_entry_error) cat <<EOF 188 189ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class 190 191EOF 192 ;; 193 ldap_suffix_list) cat <<EOF 194 195No valid suffixes (naming contexts) were found for LDAP base DN: 196${LDAP_BASEDN} 197 198Available suffixes are: 199${LDAP_SUFFIX_LIST} 200 201EOF 202 ;; 203 sorry) cat <<EOF 204 205HELP - No help is available for this topic. 206 207EOF 208 ;; 209 create_suffix_help) cat <<EOF 210 211HELP - Our Base DN is ${LDAP_BASEDN} 212 and we need to create a Directory Suffix, 213 which can be equal to Base DN itself or be any of Base DN parents. 214 All intermediate entries up to suffix will be created on demand. 215 216EOF 217 ;; 218 enter_ldbm_db_help) cat <<EOF 219 220HELP - ldbm database is an internal database for storage of our suffix data. 221 Database name must be alphanumeric due to Directory Server restriction. 222 223EOF 224 ;; 225 backup_help) cat <<EOF 226 227HELP - Since idsconfig modifies the directory server configuration, 228 it is strongly recommended that you backup the server prior 229 to running this utility. This is especially true if the server 230 being configured is a production server. 231 232EOF 233 ;; 234 port_help) cat <<EOF 235 236HELP - Enter the port number the directory server is configured to 237 use for LDAP. 238 239EOF 240 ;; 241 domain_help) cat <<EOF 242 243HELP - This is the DNS domain name this server will be serving. You 244 must provide this name even if the server is not going to be populated 245 with hostnames. Any unqualified hostname stored in the directory 246 will be fully qualified using this DNS domain name. 247 248EOF 249 ;; 250 basedn_help) cat <<EOF 251 252HELP - This parameter defines the default location in the directory tree for 253 the naming services entries. You can override this default by using 254 serviceSearchDescriptors (SSD). You will be given the option to set up 255 an SSD later on in the setup. 256 257EOF 258 ;; 259 profile_help) cat <<EOF 260 261HELP - Name of the configuration profile with which the clients will be 262 configured. A directory server can store various profiles for multiple 263 groups of clients. The initialization tool, (ldapclient(1M)), assumes 264 "default" unless another is specified. 265 266EOF 267 ;; 268 def_srvlist_help) cat <<EOF 269 270HELP - Provide a list of directory servers to serve clients using this profile. 271 All these servers should contain consistent data and provide similar 272 functionality. This list is not ordered, and clients might change the 273 order given in this list. Note that this is a space separated list of 274 *IP addresses* (not host names). Providing port numbers is optional. 275 276EOF 277 ;; 278 pref_srvlist_help) cat <<EOF 279 280HELP - Provide a list of directory servers to serve this client profile. 281 Unlike the default server list, which is not ordered, the preferred 282 servers must be entered IN THE ORDER you wish to have them contacted. 283 If you do specify a preferred server list, clients will always contact 284 them before attempting to contact any of the servers on the default 285 server list. Note that you must enter the preferred server list as a 286 space-separated list of *IP addresses* (not host names). Providing port 287 numbers is optional. 288 289EOF 290 ;; 291 srch_scope_help) cat <<EOF 292 293HELP - Default search scope to be used for all searches unless they are 294 overwritten using serviceSearchDescriptors. The valid options 295 are "one", which would specify the search will only be performed 296 at the base DN for the given service, or "sub", which would specify 297 the search will be performed through *all* levels below the base DN 298 for the given service. 299 300EOF 301 ;; 302 cred_lvl_help) cat <<EOF 303 304HELP - This parameter defines what credentials the clients use to 305 authenticate to the directory server. This list might contain 306 multiple credential levels and is ordered. If a proxy level 307 is configured, you will also be prompted to enter a bind DN 308 for the proxy agent along with a password. This proxy agent 309 will be created if it does not exist. 310 311EOF 312 ;; 313 auth_help) cat <<EOF 314 315HELP - The default authentication method(s) to be used by all services 316 in the client using this profile. This is a ordered list of 317 authentication methods separated by a ';'. The supported methods 318 are provided in a menu. Note that sasl/DIGEST-MD5 binds require 319 passwords to be stored un-encrypted on the server. 320 321EOF 322 ;; 323 srvauth_help) cat <<EOF 324 325HELP - The authentication methods to be used by a given service. Currently 326 3 services support this feature: pam_ldap, keyserv, and passwd-cmd. 327 The authentication method specified in this attribute overrides 328 the default authentication method defined in the profile. This 329 feature can be used to select stronger authentication methods for 330 services which require increased security. 331 332EOF 333 ;; 334 pam_ldap_help) cat <<EOF 335 336HELP - The authentication method(s) to be used by pam_ldap when contacting 337 the directory server. This is a ordered list, and, if provided, will 338 override the default authentication method parameter. 339 340EOF 341 ;; 342 keyserv_help) cat <<EOF 343 344HELP - The authentication method(s) to be used by newkey(1M) and chkey(1) 345 when contacting the directory server. This is a ordered list and 346 if provided will override the default authentication method 347 parameter. 348 349EOF 350 ;; 351 passwd-cmd_help) cat <<EOF 352 353HELP - The authentication method(s) to be used by passwd(1) command when 354 contacting the directory server. This is a ordered list and if 355 provided will override the default authentication method parameter. 356 357EOF 358 ;; 359 referrals_help) cat <<EOF 360 361HELP - This parameter indicates whether the client should follow 362 ldap referrals if it encounters one during naming lookups. 363 364EOF 365 ;; 366 tlim_help) cat <<EOF 367 368HELP - The server time limit value indicates the maximum amount of time the 369 server would spend on a query from the client before abandoning it. 370 A value of '-1' indicates no limit. 371 372EOF 373 ;; 374 slim_help) cat <<EOF 375 376HELP - The server sizelimit value indicates the maximum number of entries 377 the server would return in respond to a query from the client. A 378 value of '-1' indicates no limit. 379 380EOF 381 ;; 382 crypt_help) cat <<EOF 383 384HELP - By default iDS does not store userPassword attribute values using 385 unix "crypt" format. If you need to keep your passwords in the crypt 386 format for NIS/NIS+ and pam_unix compatibility, choose 'yes'. If 387 passwords are stored using any other format than crypt, pam_ldap 388 MUST be used by clients to authenticate users to the system. Note 389 that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap, 390 user passwords must be stored in the clear format. 391 392EOF 393 ;; 394 srchtime_help) cat <<EOF 395 396HELP - The search time limit the client will enforce for directory 397 lookups. 398 399EOF 400 ;; 401 profttl_help) cat <<EOF 402 403HELP - The time to live value for profile. The client will refresh its 404 cached version of the configuration profile at this TTL interval. 405 406EOF 407 ;; 408 bindlim_help) cat <<EOF 409 410HELP - The time limit for the bind operation to the directory. This 411 value controls the responsiveness of the client in case a server 412 becomes unavailable. The smallest timeout value for a given 413 network architecture/conditions would work best. This is very 414 similar to setting TCP timeout, but only for LDAP bind operation. 415 416EOF 417 ;; 418 ssd_help) cat <<EOF 419 420HELP - Using Service Search Descriptors (SSD), you can override the 421 default configuration for a given service. The SSD can be 422 used to override the default search base DN, the default search 423 scope, and the default search filter to be used for directory 424 lookups. SSD are supported for all services (databases) 425 defined in nsswitch.conf(4). The default base DN is defined 426 in ldap(1). 427 428 Note: SSD are powerful tools in defining configuration profiles 429 and provide a great deal of flexibility. However, care 430 must be taken in creating them. If you decide to make use 431 of SSDs, consult the documentation first. 432 433EOF 434 ;; 435 ssd_menu_help) cat <<EOF 436 437HELP - Using this menu SSD can be added, updated, or deleted from 438 the profile. 439 440 A - This option creates a new SSD by prompting for the 441 service name, base DN, and scope. Service name is 442 any valid service as defined in ldap(1). base is 443 either the distinguished name to the container where 444 this service will use, or a relative DN followed 445 by a ','. 446 D - Delete a previously created SSD. 447 M - Modify a previously created SSD. 448 P - Display a list of all the previously created SSD. 449 X - Delete all of the previously created SSD. 450 451 Q - Exit the menu and continue with the server configuration. 452 453EOF 454 ;; 455 ldap_suffix_list_help) cat <<EOF 456 457HELP - No valid suffixes (naming contexts) are available on server 458 ${IDS_SERVER}:${IDS_PORT}. 459 You must set an LDAP Base DN that can be contained in 460 an existing suffix. 461 462EOF 463 ;; 464 esac 465} 466 467 468# 469# get_ans(): gets an answer from the user. 470# $1 instruction/comment/description/question 471# $2 default value 472# 473get_ans() 474{ 475 if [ -z "$2" ] 476 then 477 ${ECHO} "$1 \c" 478 else 479 ${ECHO} "$1 [$2] \c" 480 fi 481 482 read ANS 483 if [ -z "$ANS" ] 484 then 485 ANS=$2 486 fi 487} 488 489 490# 491# get_ans_req(): gets an answer (required) from the user, NULL value not allowed. 492# $@ instruction/comment/description/question 493# 494get_ans_req() 495{ 496 ANS="" # Set ANS to NULL. 497 while [ "$ANS" = "" ] 498 do 499 get_ans "$@" 500 [ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!" 501 done 502} 503 504 505# 506# get_number(): Querys and verifies that number entered is numeric. 507# Function will repeat prompt user for number value. 508# $1 Message text. 509# $2 default value. 510# $3 Help argument. 511# 512get_number() 513{ 514 ANS="" # Set ANS to NULL. 515 NUM="" 516 517 get_ans "$1" "$2" 518 519 # Verify that value is numeric. 520 while not_numeric $ANS 521 do 522 case "$ANS" in 523 [Hh] | help | Help | \?) display_msg ${3:-sorry} ;; 524 * ) ${ECHO} "Invalid value: \"${ANS}\". \c" 525 ;; 526 esac 527 # Get a new value. 528 get_ans "Enter a numeric value:" "$2" 529 done 530 NUM=$ANS 531} 532 533 534# 535# get_negone_num(): Only allows a -1 or positive integer. 536# Used for values where -1 has special meaning. 537# 538# $1 - Prompt message. 539# $2 - Default value (require). 540# $3 - Optional help argument. 541get_negone_num() 542{ 543 while : 544 do 545 get_number "$1" "$2" "$3" 546 if is_negative $ANS 547 then 548 if [ "$ANS" = "-1" ]; then 549 break # -1 is OK, so break. 550 else # Need to re-enter number. 551 ${ECHO} "Invalid number: please enter -1 or positive number." 552 fi 553 else 554 break # Positive number 555 fi 556 done 557} 558 559 560# 561# get_passwd(): Reads a password from the user and verify with second. 562# $@ instruction/comment/description/question 563# 564get_passwd() 565{ 566 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()" 567 568 # Temporary PASSWD variables 569 _PASS1="" 570 _PASS2="" 571 572 /usr/bin/stty -echo # Turn echo OFF 573 574 # Endless loop that continues until passwd and re-entered passwd 575 # match. 576 while : 577 do 578 ANS="" # Set ANS to NULL. 579 580 # Don't allow NULL for first try. 581 while [ "$ANS" = "" ] 582 do 583 get_ans "$@" 584 [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!" 585 done 586 _PASS1=$ANS # Store first try. 587 588 # Get second try. 589 ${ECHO} "" 590 get_ans "Re-enter passwd:" 591 _PASS2=$ANS 592 593 # Test if passwords are identical. 594 if [ "$_PASS1" = "$_PASS2" ]; then 595 break 596 fi 597 598 # Move cursor down to next line and print ERROR message. 599 ${ECHO} "" 600 ${ECHO} "ERROR: passwords don't match; try again." 601 done 602 603 /usr/bin/stty echo # Turn echo ON 604 605 ${ECHO} "" 606} 607 608 609# 610# get_passwd_nochk(): Reads a password from the user w/o check. 611# $@ instruction/comment/description/question 612# 613get_passwd_nochk() 614{ 615 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()" 616 617 /usr/bin/stty -echo # Turn echo OFF 618 619 get_ans "$@" 620 621 /usr/bin/stty echo # Turn echo ON 622 623 ${ECHO} "" 624} 625 626 627# 628# get_menu_choice(): Get a menu choice from user. Continue prompting 629# till the choice is in required range. 630# $1 .. Message text. 631# $2 .. min value 632# $3 .. max value 633# $4 .. OPTIONAL: default value 634# 635# Return value: 636# MN_CH will contain the value selected. 637# 638get_menu_choice() 639{ 640 # Check for req parameter. 641 if [ $# -lt 3 ]; then 642 ${ECHO} "get_menu_choice(): Did not get required parameters." 643 return 1 644 fi 645 646 while : 647 do 648 get_ans "$1" "$4" 649 MN_CH=$ANS 650 is_negative $MN_CH 651 if [ $? -eq 1 ]; then 652 if [ $MN_CH -ge $2 ]; then 653 if [ $MN_CH -le $3 ]; then 654 return 655 fi 656 fi 657 fi 658 ${ECHO} "Invalid choice: $MN_CH" 659 done 660} 661 662 663# 664# get_confirm(): Get confirmation from the user. (Y/Yes or N/No) 665# $1 - Message 666# $2 - default value. 667# 668get_confirm() 669{ 670 _ANSWER= 671 672 while : 673 do 674 # Display Internal ERROR if $2 not set. 675 if [ -z "$2" ] 676 then 677 ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional." 678 exit 2 679 fi 680 681 # Display prompt. 682 ${ECHO} "$1 [$2] \c" 683 684 # Get the ANSWER. 685 read _ANSWER 686 if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then 687 _ANSWER=$2 688 fi 689 case "$_ANSWER" in 690 [Yy] | yes | Yes | YES) return 1 ;; 691 [Nn] | no | No | NO) return 0 ;; 692 [Hh] | help | Help | \?) display_msg ${3:-sorry};; 693 * ) ${ECHO} "Please enter y or n." ;; 694 esac 695 done 696} 697 698 699# 700# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No) 701# No default value supported. 702# 703get_confirm_nodef() 704{ 705 _ANSWER= 706 707 while : 708 do 709 ${ECHO} "$@ \c" 710 read _ANSWER 711 case "$_ANSWER" in 712 [Yy] | yes | Yes | YES) return 1 ;; 713 [Nn] | no | No | NO) return 0 ;; 714 * ) ${ECHO} "Please enter y or n." ;; 715 esac 716 done 717} 718 719 720# 721# is_numeric(): Tells is a string is numeric. 722# 0 = Numeric 723# 1 = NOT Numeric 724# 725is_numeric() 726{ 727 # Check for parameter. 728 if [ $# -ne 1 ]; then 729 return 1 730 fi 731 732 # Determine if numeric. 733 expr "$1" + 1 > /dev/null 2>&1 734 if [ $? -ge 2 ]; then 735 return 1 736 fi 737 738 # Made it here, it's Numeric. 739 return 0 740} 741 742 743# 744# not_numeric(): Reverses the return values of is_numeric. Useful 745# for if and while statements that want to test for 746# non-numeric data. 747# 0 = NOT Numeric 748# 1 = Numeric 749# 750not_numeric() 751{ 752 is_numeric $1 753 if [ $? -eq 0 ]; then 754 return 1 755 else 756 return 0 757 fi 758} 759 760 761# 762# is_negative(): Tells is a Numeric value is less than zero. 763# 0 = Negative Numeric 764# 1 = Positive Numeric 765# 2 = NOT Numeric 766# 767is_negative() 768{ 769 # Check for parameter. 770 if [ $# -ne 1 ]; then 771 return 1 772 fi 773 774 # Determine if numeric. Can't use expr because -0 is 775 # considered positive?? 776 if is_numeric $1; then 777 case "$1" in 778 -*) return 0 ;; # Negative Numeric 779 *) return 1 ;; # Positive Numeric 780 esac 781 else 782 return 2 783 fi 784} 785 786 787# 788# check_domainname(): check validity of a domain name. Currently we check 789# that it has at least two components. 790# $1 the domain name to be checked 791# 792check_domainname() 793{ 794 if [ ! -z "$1" ] 795 then 796 t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'` 797 if [ "$t" = 0 ] 798 then 799 return 1 800 fi 801 fi 802 return 0 803} 804 805 806# 807# check_baseDN(): check validity of the baseDN name. 808# $1 the baseDN name to be checked 809# 810# NOTE: The check_baseDN function does not catch all invalid DN's. 811# Its purpose is to reduce the number of invalid DN's to 812# get past the input routine. The invalid DN's will be 813# caught by the LDAP server when they are attempted to be 814# created. 815# 816check_baseDN() 817{ 818 ck_DN=$1 819 ${ECHO} " Checking LDAP Base DN ..." 820 if [ ! -z "$ck_DN" ]; then 821 [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN" 822 # Check for = (assignment operator) 823 ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1 824 if [ $? -ne 0 ]; then 825 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN." 826 return 1 827 fi 828 829 # Check all keys. 830 while : 831 do 832 # Get first key. 833 dkey=`${ECHO} $ck_DN | cut -d'=' -f1` 834 835 # Check that the key string is valid 836 check_attrName $dkey 837 if [ $? -ne 0 ]; then 838 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}" 839 return 1 840 fi 841 842 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}" 843 844 # Remove first key from DN 845 ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-` 846 847 # Break loop if nothing left. 848 if [ "$ck_DN" = "" ]; then 849 break 850 fi 851 done 852 fi 853 return 0 854} 855 856 857# 858# domain_2_dc(): Convert a domain name into dc string. 859# $1 .. Domain name. 860# 861domain_2_dc() 862{ 863 _DOM=$1 # Domain parameter. 864 _DOM_2_DC="" # Return value from function. 865 _FIRST=1 # Flag for first time. 866 867 export _DOM_2_DC # Make visible for others. 868 869 # Convert "."'s to spaces for "for" loop. 870 domtmp="`${ECHO} ${_DOM} | tr '.' ' '`" 871 for i in $domtmp; do 872 if [ $_FIRST -eq 1 ]; then 873 _DOM_2_DC="dc=${i}" 874 _FIRST=0 875 else 876 _DOM_2_DC="${_DOM_2_DC},dc=${i}" 877 fi 878 done 879} 880 881 882# 883# is_root_user(): Check to see if logged in as root user. 884# 885is_root_user() 886{ 887 case `id` in 888 uid=0\(root\)*) return 0 ;; 889 * ) return 1 ;; 890 esac 891} 892 893 894# 895# parse_arg(): Parses the command line arguments and sets the 896# appropriate variables. 897# 898parse_arg() 899{ 900 while getopts "dvhi:o:" ARG 901 do 902 case $ARG in 903 d) DEBUG=1;; 904 v) VERB="";; 905 i) INPUT_FILE=$OPTARG;; 906 o) OUTPUT_FILE=$OPTARG;; 907 \?) display_msg usage 908 exit 1;; 909 *) ${ECHO} "**ERROR: Supported option missing handler!" 910 display_msg usage 911 exit 1;; 912 esac 913 done 914 return `expr $OPTIND - 1` 915} 916 917 918# 919# init(): initializes variables and options 920# 921init() 922{ 923 # General variables. 924 PROG=`basename $0` # Program name 925 PID=$$ # Program ID 926 VERB='> /dev/null 2>&1' # NULL or "> /dev/null" 927 ECHO="/bin/echo" # print message on screen 928 EVAL="eval" # eval or echo 929 EGREP="/usr/bin/egrep" 930 GREP="/usr/bin/grep" 931 DEBUG=0 # Set Debug OFF 932 BACKUP=no_ldap # backup suffix 933 HOST="" # NULL or <hostname> 934 935 DOM="" # Set to NULL 936 # If DNS domain (resolv.conf) exists use that, otherwise use domainname. 937 if [ -f /etc/resolv.conf ]; then 938 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \ 939 | awk '{ print $2 }' | tail -1` 940 fi 941 942 # If for any reason the DOM did not get set (error'd resolv.conf) set 943 # DOM to the domainname command's output. 944 if [ "$DOM" = "" ]; then 945 DOM=`domainname` # domain from domainname command. 946 fi 947 948 STEP=1 949 INTERACTIVE=1 # 0 = on, 1 = off (For input file mode) 950 DEL_OLD_PROFILE=0 # 0 (default), 1 = delete old profile. 951 952 # idsconfig specific variables. 953 INPUT_FILE="" 954 OUTPUT_FILE="" 955 NEED_PROXY=0 # 0 = No Proxy, 1 = Create Proxy. 956 LDAP_PROXYAGENT="" 957 LDAP_SUFFIX="" 958 LDAP_DOMAIN=$DOM # domainname on Server (default value) 959 GEN_CMD="" 960 961 # LDAP COMMANDS 962 LDAPSEARCH="/bin/ldapsearch -r" 963 LDAPMODIFY=/bin/ldapmodify 964 LDAPADD=/bin/ldapadd 965 LDAPDELETE=/bin/ldapdelete 966 LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile 967 968 # iDS specific information 969 IDS_SERVER="" 970 IDS_PORT=389 971 NEED_TIME=0 972 NEED_SIZE=0 973 NEED_SRVAUTH_PAM=0 974 NEED_SRVAUTH_KEY=0 975 NEED_SRVAUTH_CMD=0 976 IDS_TIMELIMIT="" 977 IDS_SIZELIMIT="" 978 979 # LDAP PROFILE related defaults 980 LDAP_ROOTDN="cn=Directory Manager" # Provide common default. 981 LDAP_ROOTPWD="" # NULL passwd as default (i.e. invalid) 982 LDAP_PROFILE_NAME="default" 983 LDAP_BASEDN="" 984 LDAP_SERVER_LIST="" 985 LDAP_AUTHMETHOD="" 986 LDAP_FOLLOWREF="FALSE" 987 NEED_CRYPT="" 988 LDAP_SEARCH_SCOPE="one" 989 LDAP_SRV_AUTHMETHOD_PAM="" 990 LDAP_SRV_AUTHMETHOD_KEY="" 991 LDAP_SRV_AUTHMETHOD_CMD="" 992 LDAP_SEARCH_TIME_LIMIT=30 993 LDAP_PREF_SRVLIST="" 994 LDAP_PROFILE_TTL=43200 995 LDAP_CRED_LEVEL="proxy" 996 LDAP_BIND_LIMIT=10 997 998 # Prevent new files from being read by group or others. 999 umask 077 1000 1001 # Service Search Descriptors 1002 LDAP_SERV_SRCH_DES="" 1003 1004 # Set and create TMPDIR. 1005 TMPDIR="/tmp/idsconfig.${PID}" 1006 if mkdir -m 700 ${TMPDIR} 1007 then 1008 # Cleanup on exit. 1009 trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15 1010 else 1011 echo "ERROR: unable to create a safe temporary directory." 1012 exit 1 1013 fi 1014 LDAP_ROOTPWF=${TMPDIR}/rootPWD 1015 1016 # Set the SSD file name after setting TMPDIR. 1017 SSD_FILE=${TMPDIR}/ssd_list 1018 1019 export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR 1020 export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST 1021 export LDAP_BASEDN LDAP_ROOTPWF 1022 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 1023 export NEED_PROXY 1024 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 1025 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 1026 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 1027 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 1028 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 1029 export LDAP_SERV_SRCH_DES SSD_FILE 1030 export GEN_CMD 1031} 1032 1033 1034# 1035# disp_full_debug(): List of all debug variables usually interested in. 1036# Grouped to avoid MASSIVE code duplication. 1037# 1038disp_full_debug() 1039{ 1040 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SERVER = $IDS_SERVER" 1041 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_PORT = $IDS_PORT" 1042 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN" 1043 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD" 1044 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN" 1045 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX" 1046 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN" 1047 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME" 1048 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST" 1049 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST" 1050 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE" 1051 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL" 1052 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD" 1053 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF" 1054 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT" 1055 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT" 1056 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_CRYPT = $NEED_CRYPT" 1057 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM" 1058 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY" 1059 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD" 1060 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM" 1061 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY" 1062 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD" 1063 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT" 1064 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL" 1065 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT" 1066 1067 # Only display proxy stuff if needed. 1068 if [ $NEED_PROXY -eq 1 ]; then 1069 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT" 1070 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED" 1071 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_PROXY = $NEED_PROXY" 1072 fi 1073 1074 # Service Search Descriptors are a special case. 1075 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES" 1076} 1077 1078 1079# 1080# load_config_file(): Loads the config file. 1081# 1082load_config_file() 1083{ 1084 [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()" 1085 1086 # Remove SSD lines from input file before sourcing. 1087 # The SSD lines must be removed because some forms of the 1088 # data could cause SHELL errors. 1089 ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD 1090 1091 # Source the input file. 1092 . ${TMPDIR}/inputfile.noSSD 1093 1094 # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older 1095 # config files use LDAP_TREETOP 1096 LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}" 1097 1098 # Save password to temporary file. 1099 save_password 1100 1101 # Create the SSD file. 1102 create_ssd_file 1103 1104 # Display FULL debugging info. 1105 disp_full_debug 1106} 1107 1108# 1109# save_password(): Save password to temporary file. 1110# 1111save_password() 1112{ 1113 cat > ${LDAP_ROOTPWF} <<EOF 1114${LDAP_ROOTPWD} 1115EOF 1116} 1117 1118###################################################################### 1119# FUNCTIONS FOR prompt_config_info() START HERE. 1120###################################################################### 1121 1122# 1123# get_ids_server(): Prompt for iDS server name. 1124# 1125get_ids_server() 1126{ 1127 while : 1128 do 1129 # Prompt for server name. 1130 get_ans "Enter the iPlanet Directory Server's (iDS) hostname to setup:" "$IDS_SERVER" 1131 IDS_SERVER=$ANS 1132 1133 # Ping server to see if live. If valid break out of loop. 1134 ping $IDS_SERVER > /dev/null 2>&1 1135 if [ $? -eq 0 ]; then 1136 break 1137 fi 1138 1139 # Invalid server, enter a new name. 1140 ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable." 1141 IDS_SERVER="" 1142 done 1143 1144 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1145 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1146 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1147 export SERVER_ARGS 1148 1149} 1150 1151# 1152# get_ids_port(): Prompt for iDS port number. 1153# 1154get_ids_port() 1155{ 1156 # Get a valid iDS port number. 1157 while : 1158 do 1159 # Enter port number. 1160 get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help" 1161 IDS_PORT=$ANS 1162 1163 # Do a simple search to check hostname and port number. 1164 # If search returns SUCCESS, break out, host and port must 1165 # be valid. 1166 ${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1 1167 if [ $? -eq 0 ]; then 1168 break 1169 fi 1170 1171 # Invalid host/port pair, Re-enter. 1172 ${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!" 1173 get_ids_server 1174 done 1175 1176 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1177 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1178 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1179 export SERVER_ARGS 1180} 1181 1182 1183# 1184# chk_ids_version(): Read the slapd config file and set variables 1185# 1186chk_ids_version() 1187{ 1188 [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()" 1189 1190 # check iDS version number. 1191 eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1" 1192 if [ $? -ne 0 ]; then 1193 ${ECHO} "ERROR: Can not determine the version number of iDS!" 1194 exit 1 1195 fi 1196 IDS_VER=`cat ${TMPDIR}/checkDSver` 1197 IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.` 1198 IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.` 1199 if [ "${IDS_MAJVER}" != "5" ]; then 1200 ${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}." 1201 exit 1 1202 fi 1203 if [ $DEBUG -eq 1 ]; then 1204 ${ECHO} " IDS_MAJVER = $IDS_MAJVER" 1205 ${ECHO} " IDS_MINVER = $IDS_MINVER" 1206 fi 1207} 1208 1209 1210# 1211# get_dirmgr_dn(): Get the directory manger DN. 1212# 1213get_dirmgr_dn() 1214{ 1215 get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN" 1216 LDAP_ROOTDN=$ANS 1217 1218 # Update ENV variables using DN. 1219 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1220 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1221 export AUTH_ARGS LDAP_ARGS 1222} 1223 1224 1225# 1226# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf) 1227# 1228get_dirmgr_pw() 1229{ 1230 while : 1231 do 1232 # Get passwd. 1233 get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :" 1234 LDAP_ROOTPWD=$ANS 1235 1236 # Store password in file. 1237 save_password 1238 1239 # Update ENV variables using DN's PW. 1240 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1241 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1242 export AUTH_ARGS LDAP_ARGS 1243 1244 # Verify that ROOTDN and ROOTPWD are valid. 1245 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 1246 if [ $? -ne 0 ]; then 1247 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 1248 if [ $? -eq 0 ]; then 1249 ${ECHO} "ERROR: Root DN passwd is invalid." 1250 else 1251 ${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>." 1252 get_dirmgr_dn 1253 fi 1254 else 1255 break # Both are valid. 1256 fi 1257 done 1258 1259 1260} 1261 1262 1263# 1264# get_domain(): Get the Domain that will be served by the LDAP server. 1265# $1 - Help argument. 1266# 1267get_domain() 1268{ 1269 # Use LDAP_DOMAIN as default. 1270 get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN 1271 1272 # Check domainname, and have user re-enter if not valid. 1273 check_domainname $ANS 1274 while [ $? -ne 0 ] 1275 do 1276 case "$ANS" in 1277 [Hh] | help | Help | \?) display_msg ${1:-sorry} ;; 1278 * ) ${ECHO} "Invalid domainname: \"${ANS}\"." 1279 ;; 1280 esac 1281 get_ans "Enter domainname to be served (h=help):" $DOM 1282 1283 check_domainname $ANS 1284 done 1285 1286 # Set the domainname to valid name. 1287 LDAP_DOMAIN=$ANS 1288} 1289 1290 1291# 1292# get_basedn(): Query for the Base DN. 1293# 1294get_basedn() 1295{ 1296 # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default. 1297 # Then call get_basedn(). This method remakes the default 1298 # each time just in case the domain changed. 1299 domain_2_dc $LDAP_DOMAIN 1300 LDAP_BASEDN=$_DOM_2_DC 1301 1302 # Get Base DN. 1303 while : 1304 do 1305 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1306 check_baseDN "$ANS" 1307 while [ $? -ne 0 ] 1308 do 1309 case "$ANS" in 1310 [Hh] | help | Help | \?) display_msg basedn_help ;; 1311 * ) ${ECHO} "Invalid base DN: \"${ANS}\"." 1312 ;; 1313 esac 1314 1315 # Re-Enter the BaseDN 1316 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1317 check_baseDN "$ANS" 1318 done 1319 1320 # Set base DN and check its suffix 1321 LDAP_BASEDN=${ANS} 1322 check_basedn_suffix || 1323 { 1324 cleanup 1325 exit 1 1326 } 1327 1328 # suffix may need to be created, in that case get suffix from user 1329 [ -n "${NEED_CREATE_SUFFIX}" ] && 1330 { 1331 get_suffix || continue 1332 } 1333 1334 # suffix is ok, break out of the base dn inquire loop 1335 break 1336 done 1337} 1338 1339# 1340# get_profile_name(): Enter the profile name. 1341# 1342get_profile_name() 1343{ 1344 # Reset Delete Old Profile since getting new profile name. 1345 DEL_OLD_PROFILE=0 1346 1347 # Loop until valid profile name, or replace. 1348 while : 1349 do 1350 # Prompt for profile name. 1351 get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME" 1352 1353 # Check for Help. 1354 case "$ANS" in 1355 [Hh] | help | Help | \?) display_msg profile_help 1356 continue ;; 1357 * ) ;; 1358 esac 1359 1360 # Search to see if profile name already exists. 1361 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 1362 if [ $? -eq 0 ]; then 1363 get_confirm_nodef "Are you sure you want to overwire profile cn=${ANS}?" 1364 if [ $? -eq 1 ]; then 1365 DEL_OLD_PROFILE=1 1366 return 0 # Replace old profile name. 1367 else 1368 ${ECHO} "Please re-enter a new profile name." 1369 fi 1370 else 1371 break # Unique profile name. 1372 fi 1373 done 1374 1375 # Set Profile Name. 1376 LDAP_PROFILE_NAME=$ANS 1377} 1378 1379 1380# 1381# get_srv_list(): Get the default server list. 1382# 1383get_srv_list() 1384{ 1385 # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone. 1386 if [ -z "${LDAP_SERVER_LIST}" ]; then 1387 LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'` 1388 if [ ${IDS_PORT} -ne 389 ]; then 1389 LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}" 1390 fi 1391 fi 1392 1393 # Prompt for new LDAP_SERVER_LIST. 1394 while : 1395 do 1396 get_ans "Default server list (h=help):" $LDAP_SERVER_LIST 1397 1398 # If help continue, otherwise break. 1399 case "$ANS" in 1400 [Hh] | help | Help | \?) display_msg def_srvlist_help ;; 1401 * ) break ;; 1402 esac 1403 done 1404 LDAP_SERVER_LIST=$ANS 1405} 1406 1407 1408# 1409# get_pref_srv(): The preferred server list (Overrides the server list) 1410# 1411get_pref_srv() 1412{ 1413 while : 1414 do 1415 get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST 1416 1417 # If help continue, otherwise break. 1418 case "$ANS" in 1419 [Hh] | help | Help | \?) display_msg pref_srvlist_help ;; 1420 * ) break ;; 1421 esac 1422 done 1423 LDAP_PREF_SRVLIST=$ANS 1424} 1425 1426 1427# 1428# get_search_scope(): Get the search scope from the user. 1429# 1430get_search_scope() 1431{ 1432 [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()" 1433 1434 _MENU_CHOICE=0 1435 while : 1436 do 1437 get_ans "Choose desired search scope (one, sub, h=help): " "one" 1438 _MENU_CHOICE=$ANS 1439 case "$_MENU_CHOICE" in 1440 one) LDAP_SEARCH_SCOPE="one" 1441 return 1 ;; 1442 sub) LDAP_SEARCH_SCOPE="sub" 1443 return 2 ;; 1444 h) display_msg srch_scope_help ;; 1445 *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;; 1446 esac 1447 done 1448 1449} 1450 1451 1452# 1453# get_cred_level(): Function to display menu to user and get the 1454# credential level. 1455# 1456get_cred_level() 1457{ 1458 [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()" 1459 1460 _MENU_CHOICE=0 1461 display_msg cred_level_menu 1462 while : 1463 do 1464 get_ans "Choose Credential level [h=help]:" "1" 1465 _MENU_CHOICE=$ANS 1466 case "$_MENU_CHOICE" in 1467 1) LDAP_CRED_LEVEL="anonymous" 1468 return 1 ;; 1469 2) LDAP_CRED_LEVEL="proxy" 1470 return 2 ;; 1471 3) LDAP_CRED_LEVEL="proxy anonymous" 1472 return 3 ;; 1473 h) display_msg cred_lvl_help ;; 1474 *) ${ECHO} "Please enter 1, 2 or 3." ;; 1475 esac 1476 done 1477} 1478 1479 1480# 1481# srvauth_menu_handler(): Enter the Service Authentication method. 1482# 1483srvauth_menu_handler() 1484{ 1485 # Display Auth menu 1486 display_msg srvauth_method_menu 1487 1488 # Get a Valid choice. 1489 while : 1490 do 1491 # Display appropriate prompt and get answer. 1492 if [ $_FIRST -eq 1 ]; then 1493 get_ans "Choose Service Authentication Method:" "1" 1494 else 1495 get_ans "Choose Service Authentication Method (0=reset):" 1496 fi 1497 1498 # Determine choice. 1499 _MENU_CHOICE=$ANS 1500 case "$_MENU_CHOICE" in 1501 1) _AUTHMETHOD="simple" 1502 break ;; 1503 2) _AUTHMETHOD="sasl/DIGEST-MD5" 1504 break ;; 1505 3) _AUTHMETHOD="tls:simple" 1506 break ;; 1507 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1508 break ;; 1509 0) _AUTHMETHOD="" 1510 _FIRST=1 1511 break ;; 1512 *) ${ECHO} "Please enter 1-4 or 0 to reset." ;; 1513 esac 1514 done 1515} 1516 1517 1518# 1519# auth_menu_handler(): Enter the Authentication method. 1520# 1521auth_menu_handler() 1522{ 1523 # Display Auth menu 1524 display_msg auth_method_menu 1525 1526 # Get a Valid choice. 1527 while : 1528 do 1529 # Display appropriate prompt and get answer. 1530 if [ $_FIRST -eq 1 ]; then 1531 get_ans "Choose Authentication Method (h=help):" "1" 1532 else 1533 get_ans "Choose Authentication Method (0=reset, h=help):" 1534 fi 1535 1536 # Determine choice. 1537 _MENU_CHOICE=$ANS 1538 case "$_MENU_CHOICE" in 1539 1) _AUTHMETHOD="none" 1540 break ;; 1541 2) _AUTHMETHOD="simple" 1542 break ;; 1543 3) _AUTHMETHOD="sasl/DIGEST-MD5" 1544 break ;; 1545 4) _AUTHMETHOD="tls:simple" 1546 break ;; 1547 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1548 break ;; 1549 0) _AUTHMETHOD="" 1550 _FIRST=1 1551 break ;; 1552 h) display_msg auth_help ;; 1553 *) ${ECHO} "Please enter 1-5, 0=reset, or h=help." ;; 1554 esac 1555 done 1556} 1557 1558 1559# 1560# get_auth(): Enter the Authentication method. 1561# 1562get_auth() 1563{ 1564 [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()" 1565 1566 _FIRST=1 # Flag for first time. 1567 _MENU_CHOICE=0 1568 _AUTHMETHOD="" # Tmp method. 1569 1570 while : 1571 do 1572 # Call Menu handler 1573 auth_menu_handler 1574 1575 # Add Auth Method to list. 1576 if [ $_FIRST -eq 1 ]; then 1577 LDAP_AUTHMETHOD="${_AUTHMETHOD}" 1578 _FIRST=0 1579 else 1580 LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" 1581 fi 1582 1583 # Display current Authentication Method. 1584 ${ECHO} "" 1585 ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}" 1586 ${ECHO} "" 1587 1588 # Prompt for another Auth Method, or break out. 1589 get_confirm_nodef "Do you want to add another Authentication Method?" 1590 if [ $? -eq 0 ]; then 1591 break; 1592 fi 1593 done 1594} 1595 1596 1597# 1598# get_followref(): Whether or not to follow referrals. 1599# 1600get_followref() 1601{ 1602 get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help" 1603 if [ $? -eq 1 ]; then 1604 LDAP_FOLLOWREF="TRUE" 1605 else 1606 LDAP_FOLLOWREF="FALSE" 1607 fi 1608} 1609 1610 1611# 1612# get_timelimit(): Set the time limit. -1 is max time. 1613# 1614get_timelimit() 1615{ 1616 # Get current timeout value from cn=config. 1617 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1" 1618 if [ $? -ne 0 ]; then 1619 ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!" 1620 cleanup 1621 exit 1 1622 fi 1623 CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=` 1624 1625 get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1" 1626 IDS_TIMELIMIT=$NUM 1627} 1628 1629 1630# 1631# get_sizelimit(): Set the size limit. -1 is max size. 1632# 1633get_sizelimit() 1634{ 1635 # Get current sizelimit value from cn=config. 1636 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1" 1637 if [ $? -ne 0 ]; then 1638 ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!" 1639 cleanup 1640 exit 1 1641 fi 1642 CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=` 1643 1644 get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1" 1645 IDS_SIZELIMIT=$NUM 1646} 1647 1648 1649# 1650# get_want_crypt(): Ask user if want to store passwords in crypt? 1651# 1652get_want_crypt() 1653{ 1654 get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help" 1655 if [ $? -eq 1 ]; then 1656 NEED_CRYPT="TRUE" 1657 else 1658 NEED_CRYPT="FALSE" 1659 fi 1660} 1661 1662 1663# 1664# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user. 1665# 1666# NOTE: This function is base on get_auth(). 1667# 1668get_srv_authMethod_pam() 1669{ 1670 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()" 1671 1672 _FIRST=1 # Flag for first time. 1673 _MENU_CHOICE=0 1674 _AUTHMETHOD="" # Tmp method. 1675 1676 while : 1677 do 1678 # Call Menu handler 1679 srvauth_menu_handler 1680 1681 # Add Auth Method to list. 1682 if [ $_FIRST -eq 1 ]; then 1683 if [ "$_AUTHMETHOD" = "" ]; then 1684 LDAP_SRV_AUTHMETHOD_PAM="" 1685 else 1686 LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}" 1687 fi 1688 _FIRST=0 1689 else 1690 LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}" 1691 fi 1692 1693 # Display current Authentication Method. 1694 ${ECHO} "" 1695 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}" 1696 ${ECHO} "" 1697 1698 # Prompt for another Auth Method, or break out. 1699 get_confirm_nodef "Do you want to add another Authentication Method?" 1700 if [ $? -eq 0 ]; then 1701 break; 1702 fi 1703 done 1704 1705 # Check in case user reset string and exited loop. 1706 if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then 1707 NEED_SRVAUTH_PAM=0 1708 fi 1709} 1710 1711 1712# 1713# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user. 1714# 1715# NOTE: This function is base on get_auth(). 1716# 1717get_srv_authMethod_key() 1718{ 1719 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()" 1720 1721 _FIRST=1 # Flag for first time. 1722 _MENU_CHOICE=0 1723 _AUTHMETHOD="" # Tmp method. 1724 1725 while : 1726 do 1727 # Call Menu handler 1728 srvauth_menu_handler 1729 1730 # Add Auth Method to list. 1731 if [ $_FIRST -eq 1 ]; then 1732 if [ "$_AUTHMETHOD" = "" ]; then 1733 LDAP_SRV_AUTHMETHOD_KEY="" 1734 else 1735 LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}" 1736 fi 1737 _FIRST=0 1738 else 1739 LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}" 1740 fi 1741 1742 # Display current Authentication Method. 1743 ${ECHO} "" 1744 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}" 1745 ${ECHO} "" 1746 1747 # Prompt for another Auth Method, or break out. 1748 get_confirm_nodef "Do you want to add another Authentication Method?" 1749 if [ $? -eq 0 ]; then 1750 break; 1751 fi 1752 done 1753 1754 # Check in case user reset string and exited loop. 1755 if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then 1756 NEED_SRVAUTH_KEY=0 1757 fi 1758} 1759 1760 1761# 1762# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user. 1763# 1764# NOTE: This function is base on get_auth(). 1765# 1766get_srv_authMethod_cmd() 1767{ 1768 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()" 1769 1770 _FIRST=1 # Flag for first time. 1771 _MENU_CHOICE=0 1772 _AUTHMETHOD="" # Tmp method. 1773 1774 while : 1775 do 1776 # Call Menu handler 1777 srvauth_menu_handler 1778 1779 # Add Auth Method to list. 1780 if [ $_FIRST -eq 1 ]; then 1781 if [ "$_AUTHMETHOD" = "" ]; then 1782 LDAP_SRV_AUTHMETHOD_CMD="" 1783 else 1784 LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}" 1785 fi 1786 _FIRST=0 1787 else 1788 LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}" 1789 fi 1790 1791 # Display current Authentication Method. 1792 ${ECHO} "" 1793 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}" 1794 ${ECHO} "" 1795 1796 # Prompt for another Auth Method, or break out. 1797 get_confirm_nodef "Do you want to add another Authentication Method?" 1798 if [ $? -eq 0 ]; then 1799 break; 1800 fi 1801 done 1802 1803 # Check in case user reset string and exited loop. 1804 if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then 1805 NEED_SRVAUTH_CMD=0 1806 fi 1807} 1808 1809 1810# 1811# get_srch_time(): Amount of time to search. 1812# 1813get_srch_time() 1814{ 1815 get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help" 1816 LDAP_SEARCH_TIME_LIMIT=$NUM 1817} 1818 1819 1820# 1821# get_prof_ttl(): The profile time to live (TTL) 1822# 1823get_prof_ttl() 1824{ 1825 get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help" 1826 LDAP_PROFILE_TTL=$NUM 1827} 1828 1829 1830# 1831# get_bind_limit(): Bind time limit 1832# 1833get_bind_limit() 1834{ 1835 get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help" 1836 LDAP_BIND_LIMIT=$NUM 1837} 1838 1839 1840###################################################################### 1841# FUNCTIONS FOR Service Search Descriptor's START HERE. 1842###################################################################### 1843 1844 1845# 1846# add_ssd(): Get SSD's from user and add to file. 1847# 1848add_ssd() 1849{ 1850 [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()" 1851 1852 # Enter the service id. Loop til unique. 1853 while : 1854 do 1855 get_ans "Enter the service id:" 1856 _SERV_ID=$ANS 1857 1858 # Grep for name existing. 1859 ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1 1860 if [ $? -eq 1 ]; then 1861 break 1862 fi 1863 1864 # Name exists, print message, let user decide. 1865 ${ECHO} "ERROR: Service id ${ANS} already exists." 1866 done 1867 1868 get_ans "Enter the base:" 1869 _BASE=$ANS 1870 1871 # Get the scope and verify that its one or sub. 1872 while : 1873 do 1874 get_ans "Enter the scope:" 1875 _SCOPE=$ANS 1876 case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in 1877 one) break ;; 1878 sub) break ;; 1879 *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;; 1880 esac 1881 done 1882 1883 # Build SSD to add to file. 1884 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 1885 1886 # Add the SSD to the file. 1887 ${ECHO} "${_SSD}" >> ${SSD_FILE} 1888} 1889 1890 1891# 1892# delete_ssd(): Delete a SSD from the list. 1893# 1894delete_ssd() 1895{ 1896 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()" 1897 1898 # Get service id name from user for SSD to delete. 1899 get_ans_req "Enter service id to delete:" 1900 1901 # Make sure service id exists. 1902 ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1 1903 if [ $? -eq 1 ]; then 1904 ${ECHO} "Invalid service id: $ANS not present in list." 1905 return 1906 fi 1907 1908 # Create temporary back SSD file. 1909 cp ${SSD_FILE} ${SSD_FILE}.bak 1910 if [ $? -eq 1 ]; then 1911 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 1912 exit 1 1913 fi 1914 1915 # Use ${GREP} to remove the SSD. Read from temp file 1916 # and write to the orig file. 1917 ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE} 1918} 1919 1920 1921# 1922# modify_ssd(): Allow user to modify a SSD. 1923# 1924modify_ssd() 1925{ 1926 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()" 1927 1928 # Prompt user for service id. 1929 get_ans_req "Enter service id to modify:" 1930 1931 # Put into temp _LINE. 1932 _LINE=`${GREP} "^$ANS:" ${SSD_FILE}` 1933 if [ "$_LINE" = "" ]; then 1934 ${ECHO} "Invalid service id: $ANS" 1935 return 1936 fi 1937 1938 # Display current filter for user to see. 1939 ${ECHO} "" 1940 ${ECHO} "Current SSD: $_LINE" 1941 ${ECHO} "" 1942 1943 # Get the defaults. 1944 _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1` 1945 _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2` 1946 1947 # Create temporary back SSD file. 1948 cp ${SSD_FILE} ${SSD_FILE}.bak 1949 if [ $? -eq 1 ]; then 1950 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 1951 cleanup 1952 exit 1 1953 fi 1954 1955 # Removed the old line. 1956 ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1 1957 1958 # New Entry 1959 _SERV_ID=$ANS 1960 get_ans_req "Enter the base:" "$_CURR_BASE" 1961 _BASE=$ANS 1962 get_ans_req "Enter the scope:" "$_CURR_SCOPE" 1963 _SCOPE=$ANS 1964 1965 # Build the new SSD. 1966 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 1967 1968 # Add the SSD to the file. 1969 ${ECHO} "${_SSD}" >> ${SSD_FILE} 1970} 1971 1972 1973# 1974# display_ssd(): Display the current SSD list. 1975# 1976display_ssd() 1977{ 1978 [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()" 1979 1980 ${ECHO} "" 1981 ${ECHO} "Current Service Search Descriptors:" 1982 ${ECHO} "==================================" 1983 cat ${SSD_FILE} 1984 ${ECHO} "" 1985 ${ECHO} "Hit return to continue." 1986 read __A 1987} 1988 1989 1990# 1991# prompt_ssd(): Get SSD's from user. 1992# 1993prompt_ssd() 1994{ 1995 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()" 1996 # See if user wants SSD's? 1997 get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help" 1998 [ "$?" -eq 0 ] && return 1999 2000 # Display menu for SSD choices. 2001 while : 2002 do 2003 display_msg prompt_ssd_menu 2004 get_ans "Enter menu choice:" "Quit" 2005 case "$ANS" in 2006 [Aa] | add) add_ssd ;; 2007 [Dd] | delete) delete_ssd ;; 2008 [Mm] | modify) modify_ssd ;; 2009 [Pp] | print | display) display_ssd ;; 2010 [Xx] | reset | clear) reset_ssd_file ;; 2011 [Hh] | Help | help) display_msg ssd_menu_help 2012 ${ECHO} " Press return to continue." 2013 read __A ;; 2014 [Qq] | Quit | quit) return ;; 2015 *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;; 2016 esac 2017 done 2018} 2019 2020 2021# 2022# reset_ssd_file(): Blank out current SSD file. 2023# 2024reset_ssd_file() 2025{ 2026 [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()" 2027 2028 rm -f ${SSD_FILE} 2029 touch ${SSD_FILE} 2030} 2031 2032 2033# 2034# create_ssd_file(): Create a temporary file for SSD's. 2035# 2036create_ssd_file() 2037{ 2038 [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()" 2039 2040 # Build a list of SSD's and store in temp file. 2041 ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \ 2042 sed 's/LDAP_SERV_SRCH_DES=//' \ 2043 > ${SSD_FILE} 2044} 2045 2046 2047# 2048# ssd_2_config(): Append the SSD file to the output file. 2049# 2050ssd_2_config() 2051{ 2052 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()" 2053 2054 # Convert to config file format using sed. 2055 sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE} 2056} 2057 2058 2059# 2060# ssd_2_profile(): Add SSD's to the GEN_CMD string. 2061# 2062ssd_2_profile() 2063{ 2064 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()" 2065 2066 GEN_TMPFILE=${TMPDIR}/ssd_tmpfile 2067 touch ${GEN_TMPFILE} 2068 2069 # Add and convert each SSD to string. 2070 while read SSD_LINE 2071 do 2072 ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE} 2073 done <${SSD_FILE} 2074 2075 # Add SSD's to GEN_CMD. 2076 GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`" 2077} 2078 2079 2080# 2081# prompt_config_info(): This function prompts the user for the config 2082# info that is not specified in the input file. 2083# 2084prompt_config_info() 2085{ 2086 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()" 2087 2088 # Prompt for iDS server name. 2089 get_ids_server 2090 2091 # Prompt for iDS port number. 2092 get_ids_port 2093 2094 # Check iDS version for compatibility. 2095 chk_ids_version 2096 2097 # Check if the server supports the VLV. 2098 chk_vlv_indexes 2099 2100 # Get the Directory manager DN and passwd. 2101 get_dirmgr_dn 2102 get_dirmgr_pw 2103 2104 # 2105 # LDAP CLIENT PROFILE SPECIFIC INFORMATION. 2106 # (i.e. The fields that show up in the profile.) 2107 # 2108 get_domain "domain_help" 2109 2110 get_basedn 2111 2112 get_profile_name 2113 get_srv_list 2114 get_pref_srv 2115 get_search_scope 2116 2117 # If cred is "anonymous", make auth == "none" 2118 get_cred_level 2119 if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then 2120 get_auth 2121 fi 2122 2123 get_followref 2124 2125 # Query user about timelimt. 2126 get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help" 2127 NEED_TIME=$? 2128 [ $NEED_TIME -eq 1 ] && get_timelimit 2129 2130 # Query user about sizelimit. 2131 get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help" 2132 NEED_SIZE=$? 2133 [ $NEED_SIZE -eq 1 ] && get_sizelimit 2134 2135 # Does the user want to store passwords in crypt format? 2136 get_want_crypt 2137 2138 # Prompt for any Service Authentication Methods? 2139 get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help" 2140 if [ $? -eq 1 ]; then 2141 # Does the user want to set Service Authentication Method for pam_ldap? 2142 get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help" 2143 NEED_SRVAUTH_PAM=$? 2144 [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam 2145 2146 # Does the user want to set Service Authentication Method for keyserv? 2147 get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help" 2148 NEED_SRVAUTH_KEY=$? 2149 [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key 2150 2151 # Does the user want to set Service Authentication Method for passwd-cmd? 2152 get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help" 2153 NEED_SRVAUTH_CMD=$? 2154 [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd 2155 fi 2156 2157 # Get Timeouts 2158 get_srch_time 2159 get_prof_ttl 2160 get_bind_limit 2161 2162 # Reset the sdd_file and prompt user for SSD. Will use menus 2163 # to build an SSD File. 2164 reset_ssd_file 2165 prompt_ssd 2166 2167 # Display FULL debugging info. 2168 disp_full_debug 2169 2170 # Extra blank line to separate prompt lines from steps. 2171 ${ECHO} " " 2172} 2173 2174 2175###################################################################### 2176# FUNCTIONS FOR display_summary() START HERE. 2177###################################################################### 2178 2179 2180# 2181# get_proxyagent(): Get the proxyagent DN. 2182# 2183get_proxyagent() 2184{ 2185 LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default 2186 get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT" 2187 LDAP_PROXYAGENT=$ANS 2188} 2189 2190 2191# 2192# get_proxy_pw(): Get the proxyagent passwd. 2193# 2194get_proxy_pw() 2195{ 2196 get_passwd "Enter passwd for proxyagent:" 2197 LDAP_PROXYAGENT_CRED=$ANS 2198} 2199 2200 2201# 2202# display_summary(): Display a summary of values entered and let the 2203# user modify values at will. 2204# 2205display_summary() 2206{ 2207 [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()" 2208 2209 # Create lookup table for function names. First entry is dummy for 2210 # shift. 2211 TBL1="dummy" 2212 TBL2="get_domain get_basedn get_profile_name" 2213 TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level" 2214 TBL4="get_auth get_followref" 2215 TBL5="get_timelimit get_sizelimit get_want_crypt" 2216 TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd" 2217 TBL7="get_srch_time get_prof_ttl get_bind_limit" 2218 TBL8="prompt_ssd" 2219 FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8" 2220 2221 # Since menu prompt string is long, set here. 2222 _MENU_PROMPT="Enter config value to change: (1-19 0=commit changes)" 2223 2224 # Infinite loop. Test for 0, and break in loop. 2225 while : 2226 do 2227 # Display menu and get value in range. 2228 display_msg summary_menu 2229 get_menu_choice "${_MENU_PROMPT}" "0" "19" "0" 2230 _CH=$MN_CH 2231 2232 # Make sure where not exiting. 2233 if [ $_CH -eq 0 ]; then 2234 break # Break out of loop if 0 selected. 2235 fi 2236 2237 # Call appropriate function from function table. 2238 set $FUNC_TBL 2239 shift $_CH 2240 $1 # Call the appropriate function. 2241 done 2242 2243 # If cred level is still see if user wants a change? 2244 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1 2245 then 2246 if [ "$LDAP_AUTHMETHOD" != "none" ]; then 2247 NEED_PROXY=1 # I assume integer test is faster? 2248 get_proxyagent 2249 get_proxy_pw 2250 else 2251 ${ECHO} "WARNING: Since Authentication method is 'none'." 2252 ${ECHO} " Credential level will be set to 'anonymous'." 2253 LDAP_CRED_LEVEL="anonymous" 2254 fi 2255 fi 2256 2257 # Display FULL debugging info. 2258 disp_full_debug 2259 2260 # Final confirmation message. (ARE YOU SURE!) 2261 ${ECHO} " " 2262 get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)" 2263 if [ $? -eq 0 ]; then 2264 ${ECHO} "Terminating setup without making changes at users request." 2265 cleanup 2266 exit 1 2267 fi 2268 2269 # Print newline 2270 ${ECHO} " " 2271} 2272 2273 2274# 2275# create_config_file(): Write config data to config file specified. 2276# 2277create_config_file() 2278{ 2279 [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()" 2280 2281 # If output file exists, delete it. 2282 [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE 2283 2284 # Create output file. 2285 cat > $OUTPUT_FILE <<EOF 2286#!/bin/sh 2287# $OUTPUT_FILE - This file contains configuration information for 2288# Native LDAP. Use the idsconfig tool to load it. 2289# 2290# WARNING: This file was generated by idsconfig, and is intended to 2291# be loaded by idsconfig as is. DO NOT EDIT THIS FILE! 2292# 2293IDS_SERVER="$IDS_SERVER" 2294IDS_PORT=$IDS_PORT 2295IDS_TIMELIMIT=$IDS_TIMELIMIT 2296IDS_SIZELIMIT=$IDS_SIZELIMIT 2297LDAP_ROOTDN="$LDAP_ROOTDN" 2298LDAP_ROOTPWD=$LDAP_ROOTPWD 2299LDAP_DOMAIN="$LDAP_DOMAIN" 2300LDAP_SUFFIX="$LDAP_SUFFIX" 2301 2302# Internal program variables that need to be set. 2303NEED_PROXY=$NEED_PROXY 2304NEED_TIME=$NEED_TIME 2305NEED_SIZE=$NEED_SIZE 2306NEED_CRYPT=$NEED_CRYPT 2307 2308# LDAP PROFILE related defaults 2309LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME" 2310DEL_OLD_PROFILE=1 2311LDAP_BASEDN="$LDAP_BASEDN" 2312LDAP_SERVER_LIST="$LDAP_SERVER_LIST" 2313LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD" 2314LDAP_FOLLOWREF=$LDAP_FOLLOWREF 2315LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE" 2316NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM 2317NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY 2318NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD 2319LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM" 2320LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY" 2321LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD" 2322LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT 2323LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST" 2324LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL 2325LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL" 2326LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT 2327 2328# Proxy Agent 2329LDAP_PROXYAGENT="$LDAP_PROXYAGENT" 2330LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED 2331 2332# Export all the variables (just in case) 2333export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN 2334export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 2335export NEED_PROXY 2336export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 2337export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 2338export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 2339export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 2340export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 2341export LDAP_SERV_SRCH_DES SSD_FILE 2342 2343# Service Search Descriptors start here if present: 2344EOF 2345 # Add service search descriptors. 2346 ssd_2_config "${OUTPUT_FILE}" 2347 2348 # Add LDAP suffix preferences 2349 print_suffix_config >> "${OUTPUT_FILE}" 2350 2351 # Add the end of FILE tag. 2352 ${ECHO} "" >> ${OUTPUT_FILE} 2353 ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE} 2354} 2355 2356 2357# 2358# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV. 2359# 2360chk_vlv_indexes() 2361{ 2362 # Do ldapsearch to see if server supports VLV. 2363 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1 2364 eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}" 2365 if [ $? -ne 0 ]; then 2366 ${ECHO} "ERROR: VLV is not supported on LDAP server!" 2367 cleanup 2368 exit 1 2369 fi 2370 [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server." 2371} 2372 2373# 2374# get_backend(): this function gets the relevant backend 2375# (database) for LDAP_BASED. 2376# Description: set IDS_DATABASE; exit on failure. 2377# Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are 2378# valid. 2379# 2380# backend is retrieved from suffixes and subsuffixes 2381# defined under "cn=mapping tree,cn=config". The 2382# nsslapd-state attribute of these suffixes entries 2383# is filled with either Backend, Disabled or referrals 2384# related values. We only want those that have a true 2385# backend database to select the relevant backend. 2386# 2387get_backend() 2388{ 2389 [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()" 2390 2391 cur_suffix=${LDAP_BASEDN} 2392 prev_suffix= 2393 IDS_DATABASE= 2394 while [ "${cur_suffix}" != "${prev_suffix}" ] 2395 do 2396 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}" 2397 eval "${LDAPSEARCH} ${LDAP_ARGS} " \ 2398 "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \ 2399 "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \ 2400 "| ${GREP} 'nsslapd-backend=' " \ 2401 "> ${TMPDIR}/ids_database_name 2>&1" 2402 NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'` 2403 case ${NUM_DBS} in 2404 0) # not a suffix, or suffix not activated; try next 2405 prev_suffix=${cur_suffix} 2406 cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','` 2407 ;; 2408 1) # suffix found; get database name 2409 IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2` 2410 ;; 2411 *) # can not handle more than one database per suffix 2412 ${ECHO} "ERROR: More than one database is configured " 2413 ${ECHO} " for $LDAP_SUFFIX!" 2414 ${ECHO} " $PROG can not configure suffixes where " 2415 ${ECHO} " more than one database is used for one suffix." 2416 cleanup 2417 exit 1 2418 ;; 2419 esac 2420 if [ -n "${IDS_DATABASE}" ]; then 2421 break 2422 fi 2423 done 2424 2425 if [ -z "${IDS_DATABASE}" ]; then 2426 # should not happen, since LDAP_BASEDN is supposed to be valid 2427 ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}." 2428 ${ECHO} "Exiting." 2429 cleanup 2430 exit 1 2431 fi 2432 2433 [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}" 2434} 2435 2436# 2437# validate_suffix(): This function validates ${LDAP_SUFFIX} 2438# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 2439# 2440validate_suffix() 2441{ 2442 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()" 2443 2444 # Check LDAP_SUFFIX is not null 2445 if [ -z "${LDAP_SUFFIX}" ]; then 2446 ${ECHO} "Invalid suffix (null suffix)" 2447 cleanup 2448 exit 1 2449 fi 2450 2451 # Check LDAP_SUFFIX and LDAP_BASEDN are consistent 2452 # Convert to lower case for basename. 2453 format_string "${LDAP_BASEDN}" 2454 LOWER_BASEDN="${FMT_STR}" 2455 format_string "${LDAP_SUFFIX}" 2456 LOWER_SUFFIX="${FMT_STR}" 2457 2458 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 2459 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 2460 2461 if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then 2462 sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 2463 if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then 2464 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 2465 ${ECHO} "for Base DN ${LOWER_BASEDN}" 2466 cleanup 2467 exit 1 2468 fi 2469 fi 2470 2471 # Check LDAP_SUFFIX does exist 2472 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0 2473 2474 # Well, suffix does not exist, try to prepare create it ... 2475 NEED_CREATE_SUFFIX=1 2476 prep_create_sfx_entry || 2477 { 2478 cleanup 2479 exit 1 2480 } 2481 [ -n "${NEED_CREATE_BACKEND}" ] && 2482 { 2483 # try to use id attr value of the suffix as a database name 2484 IDS_DATABASE=${_VAL} 2485 prep_create_sfx_backend 2486 case $? in 2487 1) # cann't use the name we want, so we can either exit or use 2488 # some another available name - doing the last ... 2489 IDS_DATABASE=${IDS_DATABASE_AVAIL} 2490 ;; 2491 2) # unable to determine database name 2492 cleanup 2493 exit 1 2494 ;; 2495 esac 2496 } 2497 2498 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE" 2499} 2500 2501# 2502# validate_info(): This function validates the basic info collected 2503# So that some problems are caught right away. 2504# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 2505# 2506validate_info() 2507{ 2508 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()" 2509 2510 # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file. 2511 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 2512 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 2513 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 2514 export SERVER_ARGS 2515 2516 # Check the Root DN and Root DN passwd. 2517 # Use eval instead of $EVAL because not part of setup. (validate) 2518 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 2519 if [ $? -ne 0 ]; then 2520 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 2521 if [ $? -eq 0 ]; then 2522 ${ECHO} "ERROR: Root DN passwd is invalid." 2523 else 2524 ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>." 2525 fi 2526 cleanup 2527 exit 1 2528 fi 2529 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK" 2530 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK" 2531 2532 # Check if the server supports the VLV. 2533 chk_vlv_indexes 2534 [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK" 2535 2536 # Check LDAP suffix 2537 validate_suffix 2538 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK" 2539} 2540 2541# 2542# format_string(): take a string as argument and set FMT_STR 2543# to be the same string formatted as follow: 2544# - only lower case characters 2545# - no unnecessary spaces around , and = 2546# 2547format_string() 2548{ 2549 FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' | 2550 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'` 2551} 2552 2553# 2554# prepare for the suffix entry creation 2555# 2556# input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix; 2557# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config. 2558# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created; 2559# _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value. 2560# return : 0 - success, otherwise error. 2561# 2562prep_create_sfx_entry() 2563{ 2564 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()" 2565 2566 # check whether suffix corresponds to base dn 2567 format_string "${LDAP_BASEDN}" 2568 ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 || 2569 { 2570 display_msg sfx_not_suitable 2571 return 1 2572 } 2573 2574 # parse LDAP_SUFFIX 2575 _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1` 2576 _ATT=`${ECHO} "${_RDN}" | cut -d= -f1` 2577 _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-` 2578 2579 # find out an objectclass for suffix entry if it is not defined yet 2580 [ -z "${LDAP_SUFFIX_OBJ}" ] && 2581 { 2582 get_objectclass ${_ATT} 2583 [ -z "${_ATTR_NAME}" ] && 2584 { 2585 display_msg obj_not_found 2586 return 1 2587 } 2588 LDAP_SUFFIX_OBJ=${_ATTR_NAME} 2589 } 2590 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}" 2591 2592 # find out an aci for suffix entry if it is not defined yet 2593 [ -z "${LDAP_SUFFIX_ACI}" ] && 2594 { 2595 # set Directory Server default aci 2596 LDAP_SUFFIX_ACI=`cat <<EOF 2597aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime 2598 || passwordExpWarned || passwordRetryCount || retryCountResetTime || 2599 accountUnlockTime || passwordAllowChangeTime") 2600 ( 2601 version 3.0; 2602 acl "Anonymous access"; 2603 allow (read, search, compare) userdn = "ldap:///anyone"; 2604 ) 2605aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || 2606 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 2607 passwordExpirationTime || passwordExpWarned || passwordRetryCount || 2608 retryCountResetTime || accountUnlockTime || passwordHistory || 2609 passwordAllowChangeTime") 2610 ( 2611 version 3.0; 2612 acl "Allow self entry modification except for some attributes"; 2613 allow (write) userdn = "ldap:///self"; 2614 ) 2615aci: (targetattr = "*") 2616 ( 2617 version 3.0; 2618 acl "Configuration Administrator"; 2619 allow (all) userdn = "ldap:///uid=admin,ou=Administrators, 2620 ou=TopologyManagement,o=NetscapeRoot"; 2621 ) 2622aci: (targetattr ="*") 2623 ( 2624 version 3.0; 2625 acl "Configuration Administrators Group"; 2626 allow (all) groupdn = "ldap:///cn=Configuration Administrators, 2627 ou=Groups,ou=TopologyManagement,o=NetscapeRoot"; 2628 ) 2629EOF 2630` 2631 } 2632 [ $DEBUG -eq 1 ] && cat <<EOF 2633DEBUG: ACI for ${LDAP_SUFFIX} is 2634${LDAP_SUFFIX_ACI} 2635EOF 2636 2637 NEED_CREATE_BACKEND= 2638 2639 # check the suffix mapping tree ... 2640 # if mapping exists, suffix should work, otherwise DS inconsistent 2641 # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work 2642 # in case of 'cn' value in LDAP is not quoted by '"', 2643 # -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases 2644 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 2645 -b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \ 2646 -s base 'objectclass=*' dn ${VERB}" && 2647 { 2648 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists" 2649 # get_backend() either gets IDS_DATABASE or exits 2650 get_backend 2651 return 0 2652 } 2653 2654 # no suffix mapping, just in case check ldbm backends consistency - 2655 # there are must be NO any databases pointing to LDAP_SUFFIX 2656 [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \ 2657 -b 'cn=ldbm database,cn=plugins,cn=config' \ 2658 -s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] && 2659 { 2660 display_msg sfx_config_incons 2661 return 1 2662 } 2663 2664 # ok, no suffix mapping, no ldbm database 2665 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..." 2666 NEED_CREATE_BACKEND=1 2667 return 0 2668} 2669 2670# 2671# prepare for the suffix backend creation 2672# 2673# input : IDS_DATABASE - requested ldbm db name (must be not null) 2674# in/out : IDS_DATABASE_AVAIL - available ldbm db name 2675# return : 0 - ldbm db name ok 2676# 1 - IDS_DATABASE exists, 2677# so IDS_DATABASE_AVAIL contains available name 2678# 2 - unable to find any available name 2679# 2680prep_create_sfx_backend() 2681{ 2682 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()" 2683 2684 # check if requested name available 2685 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 2686 2687 # get the list of database names start with a requested name 2688 _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 2689 -b 'cn=ldbm database,cn=plugins,cn=config' \ 2690 -s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null 2691 2692 # find available db name based on a requested name 2693 _i=""; _i_MAX=10 2694 while [ ${_i:-0} -lt ${_i_MAX} ] 2695 do 2696 _name="${IDS_DATABASE}${_i}" 2697 ${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 || 2698 { 2699 IDS_DATABASE_AVAIL="${_name}" 2700 break 2701 } 2702 _i=`expr ${_i:-0} + 1` 2703 done 2704 2705 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 2706 2707 [ -n "${IDS_DATABASE_AVAIL}" ] && 2708 { 2709 display_msg ldbm_db_exist 2710 return 1 2711 } 2712 2713 display_msg unable_find_db_name 2714 return 2 2715} 2716 2717# 2718# add suffix if needed, 2719# suffix entry and backend MUST be prepared by 2720# prep_create_sfx_entry and prep_create_sfx_backend correspondingly 2721# 2722# input : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL 2723# LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE 2724# return : 0 - suffix successfully created, otherwise error occured 2725# 2726add_suffix() 2727{ 2728 [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()" 2729 2730 [ -n "${NEED_CREATE_SUFFIX}" ] || return 0 2731 2732 [ -n "${NEED_CREATE_BACKEND}" ] && 2733 { 2734 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 2735dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config 2736objectclass: top 2737objectclass: extensibleObject 2738objectclass: nsMappingTree 2739cn: ${LDAP_SUFFIX} 2740nsslapd-state: backend 2741nsslapd-backend: ${IDS_DATABASE} 2742 2743dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config 2744objectclass: top 2745objectclass: extensibleObject 2746objectclass: nsBackendInstance 2747cn: ${IDS_DATABASE} 2748nsslapd-suffix: ${LDAP_SUFFIX} 2749EOF 2750 [ $? -ne 0 ] && 2751 { 2752 display_msg create_ldbm_db_error 2753 return 1 2754 } 2755 2756 ${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created" 2757 STEP=`expr $STEP + 1` 2758 } 2759 2760 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 2761dn: ${LDAP_SUFFIX} 2762objectclass: ${LDAP_SUFFIX_OBJ} 2763${_ATT}: ${_VAL} 2764${LDAP_SUFFIX_ACI} 2765EOF 2766 [ $? -ne 0 ] && 2767 { 2768 display_msg create_suffix_entry_error 2769 return 1 2770 } 2771 2772 ${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created" 2773 STEP=`expr $STEP + 1` 2774 return 0 2775} 2776 2777# 2778# interactively get suffix and related info from a user 2779# 2780# input : LDAP_BASEDN - Base DN 2781# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value; 2782# LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci; 2783# NEED_CREATE_BACKEND - tells whether backend needs to be created; 2784# IDS_DATABASE - prepared ldbm db name 2785# return : 0 - user gave a correct suffix 2786# 1 - suffix given by user cann't be created 2787# 2788get_suffix() 2789{ 2790 [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()" 2791 2792 while : 2793 do 2794 get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN} 2795 case "${ANS}" in 2796 [Hh] | Help | help | \? ) display_msg create_suffix_help ;; 2797 [Bb] | Back | back | \< ) return 1 ;; 2798 * ) 2799 format_string "${ANS}" 2800 LDAP_SUFFIX=${FMT_STR} 2801 prep_create_sfx_entry || continue 2802 2803 [ -n "${NEED_CREATE_BACKEND}" ] && 2804 { 2805 IDS_DATABASE_AVAIL= # reset the available db name 2806 2807 reenter_suffix= 2808 while : 2809 do 2810 get_ans "Enter ldbm database name (b=back/h=help):" \ 2811 ${IDS_DATABASE_AVAIL:-${_VAL}} 2812 case "${ANS}" in 2813 [Hh] | \? ) display_msg enter_ldbm_db_help ;; 2814 [Bb] | \< ) reenter_suffix=1; break ;; 2815 * ) 2816 IDS_DATABASE="${ANS}" 2817 prep_create_sfx_backend && break 2818 esac 2819 done 2820 [ -n "${reenter_suffix}" ] && continue 2821 2822 [ $DEBUG -eq 1 ] && cat <<EOF 2823DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE} 2824EOF 2825 } 2826 2827 # eventually everything is prepared 2828 return 0 2829 ;; 2830 esac 2831 done 2832} 2833 2834# 2835# print out a script which sets LDAP suffix related preferences 2836# 2837print_suffix_config() 2838{ 2839 cat <<EOF2 2840# LDAP suffix related preferences used only if needed 2841IDS_DATABASE="${IDS_DATABASE}" 2842LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ" 2843LDAP_SUFFIX_ACI=\`cat <<EOF 2844${LDAP_SUFFIX_ACI} 2845EOF 2846\` 2847export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI 2848EOF2 2849} 2850 2851# 2852# check_basedn_suffix(): check that there is an existing 2853# valid suffix to hold current base DN 2854# return: 2855# 0: valid suffix found or new one should be created, 2856# NEED_CREATE_SUFFIX flag actually indicates that 2857# 1: some error occures 2858# 2859check_basedn_suffix() 2860{ 2861 [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()" 2862 2863 NEED_CREATE_SUFFIX= 2864 2865 # find out existing suffixes 2866 discover_serv_suffix 2867 2868 ${ECHO} " Validating LDAP Base DN and Suffix ..." 2869 2870 # check that LDAP Base DN might be added 2871 cur_ldap_entry=${LDAP_BASEDN} 2872 prev_ldap_entry= 2873 while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ] 2874 do 2875 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}" 2876 ${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \ 2877 -s one "objectclass=*" > /dev/null 2>&1 2878 if [ $? -eq 0 ]; then 2879 break 2880 else 2881 prev_ldap_entry=${cur_ldap_entry} 2882 cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','` 2883 fi 2884 done 2885 2886 if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then 2887 ${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}" 2888 2889 NEED_CREATE_SUFFIX=1 2890 return 0 2891 2892 else 2893 [ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}" 2894 2895 # Now looking for relevant suffix for this entry. 2896 # LDAP_SUFFIX will then be used to add necessary 2897 # base objects. See add_base_objects(). 2898 format_string "${cur_ldap_entry}" 2899 lower_entry="${FMT_STR}" 2900 [ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}" 2901 oIFS=$IFS 2902 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line" 2903 IFS=' 2904' 2905 for suff in ${LDAP_SUFFIX_LIST} 2906 do 2907 [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}" 2908 format_string "${suff}" 2909 lower_suff="${FMT_STR}" 2910 if [ "${lower_entry}" = "${lower_suff}" ]; then 2911 LDAP_SUFFIX="${suff}" 2912 break 2913 else 2914 dcstmp=`basename "${lower_entry}" "${lower_suff}"` 2915 if [ "${dcstmp}" = "${lower_entry}" ]; then 2916 # invalid suffix, try next one 2917 continue 2918 else 2919 # valid suffix found 2920 LDAP_SUFFIX="${suff}" 2921 break 2922 fi 2923 fi 2924 done 2925 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value" 2926 IFS=$oIFS 2927 2928 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}" 2929 2930 if [ -z "${LDAP_SUFFIX}" ]; then 2931 # should not happen, since we found the entry 2932 ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}." 2933 ${ECHO} "Exiting." 2934 return 1 2935 fi 2936 2937 # Getting relevant database (backend) 2938 # IDS_DATABASE will then be used to create indexes. 2939 get_backend 2940 2941 return 0 2942 fi 2943} 2944 2945# 2946# discover_serv_suffix(): This function queries the server to find 2947# suffixes available 2948# return: 0: OK, suffix found 2949# 1: suffix not determined 2950discover_serv_suffix() 2951{ 2952 [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()" 2953 2954 # Search the server for the TOP of the TREE. 2955 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1 2956 ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \ 2957 ${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP 2958 NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'` 2959 case $NUM_TOP in 2960 0) 2961 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree" 2962 return 1 2963 ;; 2964 *) # build the list of suffixes; take out 'namingContexts=' in 2965 # each line of ${TMPDIR}/treeTOP 2966 LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP | 2967 awk '{ printf("%s\n",substr($0,16,length-15)) }'` 2968 ;; 2969 esac 2970 2971 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST" 2972 return 0 2973} 2974 2975 2976# 2977# modify_cn(): Change the cn from MUST to MAY in ipNetwork. 2978# 2979modify_cn() 2980{ 2981 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()" 2982 2983 ( cat <<EOF 2984dn: cn=schema 2985changetype: modify 2986add: objectclasses 2987objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( ipNetworkNumber ) MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' )) 2988EOF 2989) > ${TMPDIR}/ipNetwork_cn 2990 2991 # Modify the cn for ipNetwork. 2992 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}" 2993 if [ $? -ne 0 ]; then 2994 ${ECHO} " ERROR: update of cn for ipNetwork failed!" 2995 cleanup 2996 exit 1 2997 fi 2998} 2999 3000 3001# modify_timelimit(): Modify timelimit to user value. 3002modify_timelimit() 3003{ 3004 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()" 3005 3006 # Here doc to modify timelimit. 3007 ( cat <<EOF 3008dn: cn=config 3009changetype: modify 3010replace: nsslapd-timelimit 3011nsslapd-timelimit: ${IDS_TIMELIMIT} 3012EOF 3013) > ${TMPDIR}/ids_timelimit 3014 3015 # Add the entry. 3016 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}" 3017 if [ $? -ne 0 ]; then 3018 ${ECHO} " ERROR: update of nsslapd-timelimit failed!" 3019 cleanup 3020 exit 1 3021 fi 3022 3023 # Display messages for modifications made in patch. 3024 ${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config." 3025 STEP=`expr $STEP + 1` 3026} 3027 3028 3029# modify_sizelimit(): Modify sizelimit to user value. 3030modify_sizelimit() 3031{ 3032 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()" 3033 3034 # Here doc to modify sizelimit. 3035 ( cat <<EOF 3036dn: cn=config 3037changetype: modify 3038replace: nsslapd-sizelimit 3039nsslapd-sizelimit: ${IDS_SIZELIMIT} 3040EOF 3041) > ${TMPDIR}/ids_sizelimit 3042 3043 # Add the entry. 3044 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}" 3045 if [ $? -ne 0 ]; then 3046 ${ECHO} " ERROR: update of nsslapd-sizelimit failed!" 3047 cleanup 3048 exit 1 3049 fi 3050 3051 # Display messages for modifications made in patch. 3052 ${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config." 3053 STEP=`expr $STEP + 1` 3054} 3055 3056 3057# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT. 3058modify_pwd_crypt() 3059{ 3060 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()" 3061 3062 # Here doc to modify passwordstoragescheme. 3063 # IDS 5.2 moved passwordchangesceme off to a new data structure. 3064 if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then 3065 ( cat <<EOF 3066dn: cn=config 3067changetype: modify 3068replace: passwordstoragescheme 3069passwordstoragescheme: crypt 3070EOF 3071 ) > ${TMPDIR}/ids_crypt 3072 else 3073 ( cat <<EOF 3074dn: cn=Password Policy,cn=config 3075changetype: modify 3076replace: passwordstoragescheme 3077passwordstoragescheme: crypt 3078EOF 3079 ) > ${TMPDIR}/ids_crypt 3080 fi 3081 3082 # Add the entry. 3083 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}" 3084 if [ $? -ne 0 ]; then 3085 ${ECHO} " ERROR: update of passwordstoragescheme failed!" 3086 cleanup 3087 exit 1 3088 fi 3089 3090 # Display messages for modifications made in patch. 3091 ${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config." 3092 STEP=`expr $STEP + 1` 3093} 3094 3095 3096# 3097# add_eq_indexes(): Add indexes to improve search performance. 3098# 3099add_eq_indexes() 3100{ 3101 [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()" 3102 3103 # Set eq indexes to add. 3104 _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey" 3105 3106 # Set _EXT to use as shortcut. 3107 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3108 3109 3110 # Display message to id current step. 3111 ${ECHO} " ${STEP}. Processing eq,pres indexes:" 3112 STEP=`expr $STEP + 1` 3113 3114 # For loop to create indexes. 3115 for i in ${_INDEXES}; do 3116 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3117 3118 # Check if entry exists first, if so, skip to next. 3119 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_EXT}" -s base "objectclass=*" > /dev/null 2>&1 3120 if [ $? -eq 0 ]; then 3121 # Display index skipped. 3122 ${ECHO} " ${i} (eq,pres) skipped already exists" 3123 continue 3124 fi 3125 3126 # Here doc to create LDIF. 3127 ( cat <<EOF 3128dn: cn=${i},${_EXT} 3129objectClass: top 3130objectClass: nsIndex 3131cn: ${i} 3132nsSystemIndex: false 3133nsIndexType: pres 3134nsIndexType: eq 3135EOF 3136) > ${TMPDIR}/index_${i} 3137 3138 # Add the index. 3139 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3140 if [ $? -ne 0 ]; then 3141 ${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!" 3142 cleanup 3143 exit 1 3144 fi 3145 3146 # Build date for task name. 3147 _YR=`date '+%y'` 3148 _MN=`date '+%m'` 3149 _DY=`date '+%d'` 3150 _H=`date '+%H'` 3151 _M=`date '+%M'` 3152 _S=`date '+%S'` 3153 3154 # Build task name 3155 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3156 3157 # Build the task entry to add. 3158 ( cat <<EOF 3159dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3160changetype: add 3161objectclass: top 3162objectclass: extensibleObject 3163cn: ${TASKNAME} 3164nsInstance: ${IDS_DATABASE} 3165nsIndexAttribute: ${i} 3166EOF 3167) > ${TMPDIR}/task_${i} 3168 3169 # Add the task. 3170 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3171 if [ $? -ne 0 ]; then 3172 ${ECHO} " ERROR: Adding task for ${i} failed!" 3173 cleanup 3174 exit 1 3175 fi 3176 3177 # Wait for task to finish, display current status. 3178 while : 3179 do 3180 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index, cn=tasks, cn=config\" -s sub \"objectclass=*\" > ${TMPDIR}/istask_${i} 2>&1" 3181 ${GREP} ${TASKNAME} ${TMPDIR}/istask_${i} > /dev/null 2>&1 3182 if [ $? -ne 0 ]; then 3183 break 3184 fi 3185 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index,cn=tasks,cn=config\" -s one \"objectclass=*\" nstaskstatus | ${GREP} -i nstaskstatus | cut -d\":\" -f2 > ${TMPDIR}/wait_task_${i}" 3186 TASK_STATUS=`head -1 ${TMPDIR}/wait_task_${i}` 3187 ${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c" 3188 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3189 if [ $? -eq 0 ]; then 3190 break 3191 fi 3192 sleep 2 3193 done 3194 3195 # Print newline because of \c. 3196 ${ECHO} " " 3197 done 3198} 3199 3200 3201# 3202# add_sub_indexes(): Add indexes to improve search performance. 3203# 3204add_sub_indexes() 3205{ 3206 [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()" 3207 3208 # Set eq indexes to add. 3209 _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple" 3210 3211 # Set _EXT to use as shortcut. 3212 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3213 3214 3215 # Display message to id current step. 3216 ${ECHO} " ${STEP}. Processing eq,pres,sub indexes:" 3217 STEP=`expr $STEP + 1` 3218 3219 # For loop to create indexes. 3220 for i in ${_INDEXES}; do 3221 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3222 3223 # Check if entry exists first, if so, skip to next. 3224 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_EXT}" -s base "objectclass=*" > /dev/null 2>&1 3225 if [ $? -eq 0 ]; then 3226 # Display index skipped. 3227 ${ECHO} " ${i} (eq,pres,sub) skipped already exists" 3228 continue 3229 fi 3230 3231 # Here doc to create LDIF. 3232 ( cat <<EOF 3233dn: cn=${i},${_EXT} 3234objectClass: top 3235objectClass: nsIndex 3236cn: ${i} 3237nsSystemIndex: false 3238nsIndexType: pres 3239nsIndexType: eq 3240nsIndexType: sub 3241EOF 3242) > ${TMPDIR}/index_${i} 3243 3244 # Add the index. 3245 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3246 if [ $? -ne 0 ]; then 3247 ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!" 3248 cleanup 3249 exit 1 3250 fi 3251 3252 # Build date for task name. 3253 _YR=`date '+%y'` 3254 _MN=`date '+%m'` 3255 _DY=`date '+%d'` 3256 _H=`date '+%H'` 3257 _M=`date '+%M'` 3258 _S=`date '+%S'` 3259 3260 # Build task name 3261 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3262 3263 # Build the task entry to add. 3264 ( cat <<EOF 3265dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3266changetype: add 3267objectclass: top 3268objectclass: extensibleObject 3269cn: ${TASKNAME} 3270nsInstance: ${IDS_DATABASE} 3271nsIndexAttribute: ${i} 3272EOF 3273) > ${TMPDIR}/task_${i} 3274 3275 # Add the task. 3276 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3277 if [ $? -ne 0 ]; then 3278 ${ECHO} " ERROR: Adding task for ${i} failed!" 3279 cleanup 3280 exit 1 3281 fi 3282 3283 # Wait for task to finish, display current status. 3284 while : 3285 do 3286 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index, cn=tasks, cn=config\" -s sub \"objectclass=*\" > ${TMPDIR}/istask_${i} 2>&1" 3287 ${GREP} ${TASKNAME} ${TMPDIR}/istask_${i} > /dev/null 2>&1 3288 if [ $? -ne 0 ]; then 3289 break 3290 fi 3291 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index,cn=tasks,cn=config\" -s one \"objectclass=*\" nstaskstatus | ${GREP} -i nstaskstatus | cut -d\":\" -f2 > ${TMPDIR}/wait_task_${i}" 3292 TASK_STATUS=`head -1 ${TMPDIR}/wait_task_${i}` 3293 ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c" 3294 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3295 if [ $? -eq 0 ]; then 3296 break 3297 fi 3298 sleep 2 3299 done 3300 3301 # Print newline because of \c. 3302 ${ECHO} " " 3303 done 3304} 3305 3306 3307# 3308# add_vlv_indexes(): Add VLV indexes to improve search performance. 3309# 3310add_vlv_indexes() 3311{ 3312 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()" 3313 3314 # Set eq indexes to add. 3315 # Note semi colon separators because some filters contain colons 3316 _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup" 3317 _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost" 3318 _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork" 3319 _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount" 3320 _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc" 3321 _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount" 3322 3323 # Indexes added during NIS to LDAP transition 3324 _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount" 3325 _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr" 3326 _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser" 3327 _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr" 3328 _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)" 3329 _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)" 3330 _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup" 3331 _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)" 3332 _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)" 3333 _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup" 3334 _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)" 3335 _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)" 3336 _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService" 3337 _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)" 3338 _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)" 3339 3340 _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 " 3341 3342 3343 # Set _EXT to use as shortcut. 3344 _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3345 3346 3347 # Display message to id current step. 3348 ${ECHO} " ${STEP}. Processing VLV indexes:" 3349 STEP=`expr $STEP + 1` 3350 3351 # Reset temp file for vlvindex commands. 3352 [ -f ${TMPDIR}/vlvindex_list ] && rm ${TMPDIR}/vlvindex_list 3353 touch ${TMPDIR}/vlvindex_list 3354 3355 # Get the instance name from iDS server. 3356 _INSTANCE="<server-instance>" # Default to old output. 3357 3358 eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1" 3359 3360 ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right? 3361 if [ $? -eq 0 ]; then # If success, grab name after "slapd-". 3362 _INST_DIR=`cat ${TMPDIR}/instance_name` 3363 _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-` 3364 fi 3365 3366 # For loop to create indexes. 3367 for p in ${_INDEXES}; do 3368 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3369 3370 # Break p (pair) into i and j parts. 3371 i=`${ECHO} $p | cut -d';' -f1` 3372 j=`${ECHO} $p | cut -d';' -f2` 3373 k=`${ECHO} $p | cut -d';' -f3` 3374 m=`${ECHO} $p | cut -d';' -f4` 3375 3376 # Set _jEXT to use as shortcut. 3377 _jEXT="cn=${j},${_EXT}" 3378 3379 # Check if entry exists first, if so, skip to next. 3380 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1 3381 if [ $? -eq 0 ]; then 3382 # Display index skipped. 3383 ${ECHO} " ${i} vlv_index skipped already exists" 3384 continue 3385 fi 3386 3387 # Compute the VLV Scope from the LDAP_SEARCH_SCOPE. 3388 # NOTE: A value of "base (0)" does not make sense. 3389 case "$LDAP_SEARCH_SCOPE" in 3390 sub) VLV_SCOPE="2" ;; 3391 *) VLV_SCOPE="1" ;; 3392 esac 3393 3394 # Here doc to create LDIF. 3395 ( cat <<EOF 3396dn: ${_jEXT} 3397objectClass: top 3398objectClass: vlvSearch 3399cn: ${j} 3400vlvbase: ${k},${LDAP_BASEDN} 3401vlvscope: ${VLV_SCOPE} 3402vlvfilter: (${m}) 3403aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";) 3404 3405dn: cn=${i},${_jEXT} 3406cn: ${i} 3407vlvSort: cn uid 3408objectclass: top 3409objectclass: vlvIndex 3410EOF 3411) > ${TMPDIR}/vlv_index_${i} 3412 3413 # Add the index. 3414 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}" 3415 if [ $? -ne 0 ]; then 3416 ${ECHO} " ERROR: Adding VLV index for ${i} failed!" 3417 cleanup 3418 exit 1 3419 fi 3420 3421 # Print message that index was created. 3422 ${ECHO} " ${i} vlv_index Entry created" 3423 3424 # Add command to list of vlvindex commands to run. 3425 ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/vlvindex_list 3426 done 3427} 3428 3429 3430# 3431# display_vlv_cmds(): Display VLV index commands to run on server. 3432# 3433display_vlv_cmds() 3434{ 3435 if [ -s "${TMPDIR}/vlvindex_list" ]; then 3436 display_msg display_vlv_list 3437 cat ${TMPDIR}/vlvindex_list 3438 fi 3439} 3440 3441 3442# 3443# update_schema_attr(): Update Schema to support Naming. 3444# 3445update_schema_attr() 3446{ 3447 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" 3448 3449 ( cat <<EOF 3450dn: cn=schema 3451changetype: modify 3452add: attributetypes 3453attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3454attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3455attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3456attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3457attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3458attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3459attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3460attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3461attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3462attributetypes: ( rfc822mailMember-oid NAME 'rfc822mailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3463attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3464attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3465attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE ) 3466attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3467attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE ) 3468attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3469attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 3470attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 3471attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3472attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3473attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 3474attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3475attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 3476attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 3477attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3478attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3479attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3480attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3481attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3482attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3483attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3484attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3485attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3486attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3487attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3488attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3489attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3490attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 3491attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 3492attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3493attributetypes: ( memberGid-oid NAME 'memberGid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3494attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3495attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE ) 3496attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3497attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 3498attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 3499attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3500attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3501attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 3502attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 3503attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3504attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3505attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3506attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3507attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 3508attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 3509attributetypes:( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 3510attributetypes:( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 3511attributetypes:( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3512attributetypes:( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3513attributetypes:( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3514attributetypes:( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3515attributetypes:( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 3516attributetypes:( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3517attributetypes:( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3518attributetypes:( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 3519attributetypes:( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE ) 3520attributetypes:( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 3521attributetypes:( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 3522attributetypes:( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3523attributetypes:( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 3524attributetypes:( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 3525attributetypes:( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 3526attributetypes:( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 3527attributetypes:( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 3528attributetypes:( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 3529attributetypes:( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3530attributetypes:( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 3531attributetypes:( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 3532attributetypes:( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 3533attributetypes:( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3534attributetypes:( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 3535attributetypes:( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 3536attributetypes:( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 3537attributetypes:( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3538attributetypes:( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 3539attributetypes:( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3540attributetypes:( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3541attributetypes:( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3542attributetypes:( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 3543attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 3544attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 3545attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 3546attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 3547attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 3548EOF 3549) > ${TMPDIR}/schema_attr 3550 3551 # Add the entry. 3552 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}" 3553 if [ $? -ne 0 ]; then 3554 ${ECHO} " ERROR: update of schema attributes failed!" 3555 cleanup 3556 exit 1 3557 fi 3558 3559 # Display message that schema is updated. 3560 ${ECHO} " ${STEP}. Schema attributes have been updated." 3561 STEP=`expr $STEP + 1` 3562} 3563 3564 3565# 3566# update_schema_obj(): Update the schema objectclass definitions. 3567# 3568update_schema_obj() 3569{ 3570 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()" 3571 3572 # Add the objectclass definitions. 3573 ( cat <<EOF 3574dn: cn=schema 3575changetype: modify 3576add: objectclasses 3577objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP 'top' MUST (objectclass $ cn $ nisPublickey $ nisSecretkey) MAY (uidNumber $ description)) 3578 3579dn: cn=schema 3580changetype: modify 3581add: objectclasses 3582objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP 'top' MUST (objectclass $ nisDomain) MAY ()) 3583 3584dn: cn=schema 3585changetype: modify 3586add: objectclasses 3587objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP 'top' MUST (objectclass $ automountMapName) MAY (description)) 3588 3589dn: cn=schema 3590changetype: modify 3591add: objectclasses 3592objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP 'top' MUST (objectclass $ automountKey $ automountInformation ) MAY (description)) 3593 3594dn: cn=schema 3595changetype: modify 3596add: objectclasses 3597objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP 'top' MUST (objectclass $ cn $ SolarisLDAPservers $ SolarisSearchBaseDN) MAY (SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral)) 3598 3599dn: cn=schema 3600changetype: modify 3601add: objectclasses 3602objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP 'top' MUST (objectclass $ mail) MAY (cn $ mgrpRFC822MailMember)) 3603 3604dn: cn=schema 3605changetype: modify 3606add: objectclasses 3607objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP 'top' MUST (objectclass $ cn) MAY (rfc822mailMember)) 3608 3609dn: cn=schema 3610changetype: modify 3611add: objectclasses 3612objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP 'top' MUST (objectclass $ cn) MAY (nisNetIdUser $ nisNetIdGroup $ nisNetIdHost)) 3613 3614dn: cn=schema 3615changetype: modify 3616add: objectclasses 3617objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisAuditAlways $ SolarisAuditNever)) 3618 3619dn: cn=schema 3620changetype: modify 3621add: objectclasses 3622objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue)) 3623 3624dn: cn=schema 3625changetype: modify 3626add: objectclasses 3627objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue)) 3628 3629dn: cn=schema 3630changetype: modify 3631add: objectclasses 3632objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue)) 3633 3634dn: cn=schema 3635changetype: modify 3636add: objectclasses 3637objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue)) 3638 3639dn: cn=schema 3640changetype: modify 3641add: objectclasses 3642objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP 'top' MUST (objectclass $ SolarisProjectID $ SolarisProjectName) MAY (memberUid $ memberGid $ description $ SolarisProjectAttr)) 3643 3644dn: cn=schema 3645changetype: modify 3646add: objectclasses 3647objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP 'top' DESC 'Abstraction of a base configuration for a DUA' MUST (cn) MAY (defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL)) 3648 3649dn: cn=schema 3650changetype: modify 3651add: objectclasses 3652objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP 'top' MUST (objectclass) MAY ()) 3653 3654dn: cn=schema 3655changetype: modify 3656add: objectclasses 3657objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' AUXILIARY SUP 'slpService') 3658 3659dn: cn=schema 3660changetype: modify 3661add: objectclasses 3662objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' ABSTRACT SUP 'top' MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported )) 3663 3664dn: cn=schema 3665changetype: modify 3666add: objectclasses 3667objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' STRUCTURAL SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported )) 3668 3669dn: cn=schema 3670changetype: modify 3671add: objectclasses 3672objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' AUXILIARY SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported )) 3673 3674dn: cn=schema 3675changetype: modify 3676add: objectclasses 3677objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' AUXILIARY SUP 'top' MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported )) 3678 3679dn: cn=schema 3680changetype: modify 3681add: objectclasses 3682objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' AUXILIARY SUP 'top' MUST ( printer-name ) MAY ( printer-aliases)) 3683 3684dn: cn=schema 3685changetype: modify 3686add: objectclasses 3687objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP 'top' AUXILIARY MUST (objectclass $ printer-name) MAY (sun-printer-bsdaddr $ sun-printer-kvp)) 3688 3689dn: cn=schema 3690changetype: modify 3691add: objectclasses 3692objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST ( cn ) MAY ( nisplusTimeZone $ description ) ) 3693 3694dn: cn=schema 3695changetype: modify 3696add: objectclasses 3697objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP 'top' MUST ( objectclass $ ipTnetTemplateName ) MAY ( SolarisAttrKeyValue ) ) 3698 3699dn: cn=schema 3700changetype: modify 3701add: objectclasses 3702objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP 'top' AUXILIARY MUST ( objectclass $ ipTnetNumber ) ) 3703EOF 3704) > ${TMPDIR}/schema_obj 3705 3706 # Add the entry. 3707 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}" 3708 if [ $? -ne 0 ]; then 3709 ${ECHO} " ERROR: update of schema objectclass definitions failed!" 3710 cleanup 3711 exit 1 3712 fi 3713 3714 # Display message that schema is updated. 3715 ${ECHO} " ${STEP}. Schema objectclass definitions have been added." 3716 STEP=`expr $STEP + 1` 3717} 3718 3719 3720# 3721# modify_top_aci(): Modify the ACI for the top entry to disable self modify 3722# of user attributes. 3723# 3724modify_top_aci() 3725{ 3726 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()" 3727 3728 # Set ACI Name 3729 ACI_NAME="LDAP_Naming_Services_deny_write_access" 3730 3731 # Search for ACI_NAME 3732 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1" 3733 if [ $? -ne 0 ]; then 3734 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 3735 cat ${TMPDIR}/chk_top_aci 3736 cleanup 3737 exit 1 3738 fi 3739 ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1 3740 if [ $? -eq 0 ]; then 3741 ${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}." 3742 STEP=`expr $STEP + 1` 3743 return 0 3744 fi 3745 3746 # Crate LDIF for top level ACI. 3747 ( cat <<EOF 3748dn: ${LDAP_BASEDN} 3749changetype: modify 3750add: aci 3751aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";) 3752- 3753EOF 3754) > ${TMPDIR}/top_aci 3755 3756 # Add the entry. 3757 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}" 3758 if [ $? -ne 0 ]; then 3759 ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)" 3760 cleanup 3761 exit 1 3762 fi 3763 3764 # Display message that schema is updated. 3765 ${ECHO} " ${STEP}. ACI for ${LDAP_BASEDN} modified to disable self modify." 3766 STEP=`expr $STEP + 1` 3767} 3768 3769 3770# 3771# add_vlv_aci(): Add access control information (aci) for VLV. 3772# 3773add_vlv_aci() 3774{ 3775 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()" 3776 3777 # Add the VLV ACI. 3778 ( cat <<EOF 3779dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 3780changetype: modify 3781replace: aci 3782aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";) 3783EOF 3784) > ${TMPDIR}/vlv_aci 3785 3786 # Add the entry. 3787 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}" 3788 if [ $? -ne 0 ]; then 3789 ${ECHO} " ERROR: Add of VLV ACI failed!" 3790 cleanup 3791 exit 1 3792 fi 3793 3794 # Display message that schema is updated. 3795 ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)." 3796 STEP=`expr $STEP + 1` 3797} 3798 3799 3800# 3801# set_nisdomain(): Add the NisDomainObject to the Base DN. 3802# 3803set_nisdomain() 3804{ 3805 [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()" 3806 3807 # Check if nisDomain is already set. 3808 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \ 3809 \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1 3810 ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}" 3811 if [ $? -eq 0 ]; then 3812 ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set." 3813 STEP=`expr $STEP + 1` 3814 return 0 3815 fi 3816 3817 # Add the new top level containers. 3818 ( cat <<EOF 3819dn: ${LDAP_BASEDN} 3820changetype: modify 3821objectclass: nisDomainObject 3822nisdomain: ${LDAP_DOMAIN} 3823EOF 3824) > ${TMPDIR}/nis_domain 3825 3826 # Add the entry. 3827 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}" 3828 if [ $? -ne 0 ]; then 3829 ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed." 3830 cleanup 3831 exit 1 3832 fi 3833 3834 # Display message that schema is updated. 3835 ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}." 3836 STEP=`expr $STEP + 1` 3837} 3838 3839 3840# 3841# check_attrName(): Check that the attribute name is valid. 3842# $1 Key to check. 3843# Returns 0 : valid name 1 : invalid name 3844# 3845check_attrName() 3846{ 3847 [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()" 3848 [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1" 3849 3850 ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1 3851 if [ $? -eq 0 ]; then 3852 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 3853 attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}" 3854 else 3855 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 3856 attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}" 3857 fi 3858 3859 if [ $? -ne 0 ]; then 3860 return 1 3861 else 3862 return 0 3863 fi 3864} 3865 3866 3867# 3868# get_objectclass(): Determine the objectclass for the given attribute name 3869# $1 Attribute name to check. 3870# _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig. 3871# 3872# NOTE: An attribute name can be valid but still we might not be able 3873# to determine the objectclass from the table. 3874# In such cases, the user needs to create the necessary object(s). 3875# 3876get_objectclass() 3877{ 3878 [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()" 3879 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1" 3880 3881 # Set return value to NULL string. 3882 _ATTR_NAME="" 3883 3884 # Test key for type: 3885 case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in 3886 ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;; 3887 dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;; 3888 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;; 3889 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;; 3890 *) _ATTR_NAME="" ;; 3891 esac 3892 3893 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME" 3894} 3895 3896 3897# 3898# add_base_objects(): Add any necessary base objects. 3899# 3900add_base_objects() 3901{ 3902 [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()" 3903 3904 # Convert to lower case for basename. 3905 format_string "${LDAP_BASEDN}" 3906 LOWER_BASEDN="${FMT_STR}" 3907 format_string "${LDAP_SUFFIX}" 3908 LOWER_SUFFIX="${FMT_STR}" 3909 3910 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 3911 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 3912 3913 # Create additional components. 3914 if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then 3915 [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent" 3916 else 3917 # first, test that the suffix is valid 3918 dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 3919 if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then 3920 # should not happen since check_basedn_suffix() succeeded 3921 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 3922 ${ECHO} "for Base DN ${LOWER_BASEDN}" 3923 cleanup 3924 exit 1 3925 fi 3926 # OK, suffix is valid, start working with LDAP_BASEDN 3927 # field separator is ',' (i.e., space is a valid character) 3928 dcstmp2="`${ECHO} ${LDAP_BASEDN} | 3929 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`" 3930 dcs="" 3931 # use dcstmp to count the loop, and dcstmp2 to get the correct 3932 # string case 3933 # dcs should be in reverse order, only for these components 3934 # that need to be added 3935 while [ -n "${dcstmp}" ] 3936 do 3937 i2=`${ECHO} "$dcstmp2" | cut -f1 -d','` 3938 dk=`${ECHO} $i2 | awk -F= '{print $1}'` 3939 dc=`${ECHO} $i2 | awk -F= '{print $2}'` 3940 dcs="$dk=$dc,$dcs"; 3941 dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','` 3942 dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','` 3943 [ $DEBUG -eq 1 ] && \ 3944 ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n" 3945 done 3946 3947 3948 3949 lastdc=${LDAP_SUFFIX} 3950 dc=`${ECHO} "${dcs}" | cut -f1 -d','` 3951 dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','` 3952 while [ -n "${dc}" ]; do 3953 # Get Key and component from $dc. 3954 dk2=`${ECHO} $dc | awk -F= '{print $1}'` 3955 dc2=`${ECHO} $dc | awk -F= '{print $2}'` 3956 3957 # At this point, ${dk2} is a valid attribute name 3958 3959 # Check if entry exists first, if so, skip to next. 3960 ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1 3961 if [ $? -eq 0 ]; then 3962 # Set the $lastdc to new dc. 3963 lastdc="${dk2}=${dc2},$lastdc" 3964 3965 # Process next component. 3966 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 3967 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 3968 continue 3969 3970 fi 3971 3972 # Determine the objectclass for the entry. 3973 get_objectclass $dk2 3974 OBJ_Name=${_ATTR_NAME} 3975 if [ "${OBJ_Name}" = "" ]; then 3976 ${ECHO} "Cannot determine objectclass for $dk2" 3977 ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig" 3978 exit 1 3979 fi 3980 3981 # Add the new container. 3982 ( cat <<EOF 3983dn: ${dk2}=${dc2},$lastdc 3984${dk2}: $dc2 3985objectClass: top 3986objectClass: ${OBJ_Name} 3987EOF 3988) > ${TMPDIR}/base_objects 3989 3990 3991 # Set the $lastdc to new dc. 3992 lastdc="${dk2}=${dc2},$lastdc" 3993 3994 # Add the entry. 3995 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}" 3996 if [ $? -ne 0 ]; then 3997 ${ECHO} " ERROR: update of base objects ${dc} failed." 3998 cleanup 3999 exit 1 4000 fi 4001 4002 # Display message that schema is updated. 4003 ${ECHO} " ${STEP}. Created DN component ${dc}." 4004 STEP=`expr $STEP + 1` 4005 4006 # Process next component. 4007 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4008 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4009 done 4010 fi 4011} 4012 4013 4014# 4015# add_new_containers(): Add the top level classes. 4016# 4017# $1 = Base DN 4018# 4019add_new_containers() 4020{ 4021 [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()" 4022 4023 for ou in people group rpc protocols networks netgroup \ 4024 aliases hosts services ethers profile printers \ 4025 SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do 4026 4027 # Check if nismaps already exist. 4028 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4029 if [ $? -eq 0 ]; then 4030 continue 4031 fi 4032 4033 # Create TMP file to add. 4034 ( cat <<EOF 4035dn: ou=${ou},${LDAP_BASEDN} 4036ou: ${ou} 4037objectClass: top 4038objectClass: organizationalUnit 4039EOF 4040) > ${TMPDIR}/toplevel.${ou} 4041 4042 # Add the entry. 4043 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}" 4044 if [ $? -ne 0 ]; then 4045 ${ECHO} " ERROR: Add of ou=${ou} container failed!" 4046 cleanup 4047 exit 1 4048 fi 4049 done 4050 4051 # Display message that top level OU containers complete. 4052 ${ECHO} " ${STEP}. Top level \"ou\" containers complete." 4053 STEP=`expr $STEP + 1` 4054} 4055 4056 4057# 4058# add_auto_maps(): Add the automount map entries. 4059# 4060# auto_home, auto_direct, auto_master, auto_shared 4061# 4062add_auto_maps() 4063{ 4064 [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()" 4065 4066 # Set AUTO_MAPS for maps to create. 4067 AUTO_MAPS="auto_home auto_direct auto_master auto_shared" 4068 4069 for automap in $AUTO_MAPS; do 4070 # Check if automaps already exist. 4071 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4072 if [ $? -eq 0 ]; then 4073 continue 4074 fi 4075 4076 # Create the tmp file to add. 4077 ( cat <<EOF 4078dn: automountMapName=${automap},${LDAP_BASEDN} 4079automountMapName: ${automap} 4080objectClass: top 4081objectClass: automountMap 4082EOF 4083) > ${TMPDIR}/automap.${automap} 4084 4085 # Add the entry. 4086 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}" 4087 if [ $? -ne 0 ]; then 4088 ${ECHO} " ERROR: Add of automap ${automap} failed!" 4089 cleanup 4090 exit 1 4091 fi 4092 done 4093 4094 # Display message that automount entries are updated. 4095 ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed." 4096 STEP=`expr $STEP + 1` 4097} 4098 4099 4100# 4101# add_proxyagent(): Add entry for nameservice to use to access server. 4102# 4103add_proxyagent() 4104{ 4105 [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()" 4106 4107 # Check if nismaps already exist. 4108 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}" 4109 if [ $? -eq 0 ]; then 4110 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists." 4111 STEP=`expr $STEP + 1` 4112 return 0 4113 fi 4114 4115 # Get cn and sn names from LDAP_PROXYAGENT. 4116 cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=` 4117 4118 # Create the tmp file to add. 4119 ( cat <<EOF 4120dn: ${LDAP_PROXYAGENT} 4121cn: ${cn_tmp} 4122sn: ${cn_tmp} 4123objectclass: top 4124objectclass: person 4125userpassword: ${LDAP_PROXYAGENT_CRED} 4126EOF 4127) > ${TMPDIR}/proxyagent 4128 4129 # Add the entry. 4130 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}" 4131 if [ $? -ne 0 ]; then 4132 ${ECHO} " ERROR: Adding proxyagent failed!" 4133 cleanup 4134 exit 1 4135 fi 4136 4137 # Display message that schema is updated. 4138 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added." 4139 STEP=`expr $STEP + 1` 4140} 4141 4142 4143# 4144# allow_proxy_read_pw(): Give Proxy Agent read permission for password. 4145# 4146allow_proxy_read_pw() 4147{ 4148 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()" 4149 4150 # Set ACI Name 4151 PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read" 4152 4153 # Search for ACI_NAME 4154 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 4155 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1 4156 if [ $? -eq 0 ]; then 4157 ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}." 4158 STEP=`expr $STEP + 1` 4159 return 0 4160 fi 4161 4162 # Create the tmp file to add. 4163 ( cat <<EOF 4164dn: ${LDAP_BASEDN} 4165changetype: modify 4166add: aci 4167aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")(version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) userdn = "ldap:///${LDAP_PROXYAGENT}";) 4168EOF 4169) > ${TMPDIR}/proxy_read 4170 4171 # Add the entry. 4172 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}" 4173 if [ $? -ne 0 ]; then 4174 ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!" 4175 cleanup 4176 exit 1 4177 fi 4178 4179 # Display message that schema is updated. 4180 ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password." 4181 STEP=`expr $STEP + 1` 4182} 4183 4184 4185# 4186# add_profile(): Add client profile to server. 4187# 4188add_profile() 4189{ 4190 [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()" 4191 4192 # If profile name already exists, DELETE it, and add new one. 4193 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4194 if [ $? -eq 0 ]; then 4195 # Create Delete file. 4196 ( cat <<EOF 4197cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN} 4198EOF 4199) > ${TMPDIR}/del_profile 4200 4201 # Check if DEL_OLD_PROFILE is set. (If not ERROR) 4202 if [ $DEL_OLD_PROFILE -eq 0 ]; then 4203 ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!" 4204 exit 1 4205 fi 4206 4207 # Delete the OLD profile. 4208 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}" 4209 if [ $? -ne 0 ]; then 4210 ${ECHO} " ERROR: Attempt to DELETE profile failed!" 4211 cleanup 4212 exit 1 4213 fi 4214 fi 4215 4216 # Build the "ldapclient genprofile" command string to execute. 4217 GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\"" 4218 4219 # Add required argument defaultSearchBase. 4220 GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\"" 4221 4222 # Add optional parameters. 4223 [ -n "$LDAP_SERVER_LIST" ] && \ 4224 GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\"" 4225 [ -n "$LDAP_SEARCH_SCOPE" ] && \ 4226 GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\"" 4227 [ -n "$LDAP_CRED_LEVEL" ] && \ 4228 GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\"" 4229 [ -n "$LDAP_AUTHMETHOD" ] && \ 4230 GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\"" 4231 [ -n "$LDAP_FOLLOWREF" ] && \ 4232 GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\"" 4233 [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \ 4234 GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\"" 4235 [ -n "$LDAP_PROFILE_TTL" ] && \ 4236 GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\"" 4237 [ -n "$LDAP_BIND_LIMIT" ] && \ 4238 GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\"" 4239 [ -n "$LDAP_PREF_SRVLIST" ] && \ 4240 GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\"" 4241 [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \ 4242 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\"" 4243 [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \ 4244 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\"" 4245 [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \ 4246 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\"" 4247 4248 # Check if there are any service search descriptors to ad. 4249 if [ -s "${SSD_FILE}" ]; then 4250 ssd_2_profile 4251 fi 4252 4253 # Execute "ldapclient genprofile" to create profile. 4254 eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR 4255 if [ $? -ne 0 ]; then 4256 ${ECHO} " ERROR: ldapclient genprofile failed!" 4257 cleanup 4258 exit 1 4259 fi 4260 4261 # Add the generated profile.. 4262 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}" 4263 if [ $? -ne 0 ]; then 4264 ${ECHO} " ERROR: Attempt to add profile failed!" 4265 cleanup 4266 exit 1 4267 fi 4268 4269 # Display message that schema is updated. 4270 ${ECHO} " ${STEP}. Generated client profile and loaded on server." 4271 STEP=`expr $STEP + 1` 4272} 4273 4274 4275# 4276# cleanup(): Remove the TMPDIR and all files in it. 4277# 4278cleanup() 4279{ 4280 [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()" 4281 4282 rm -fr ${TMPDIR} 4283} 4284 4285 4286# 4287# * * * MAIN * * * 4288# 4289# Description: 4290# This script assumes that the iPlanet Directory Server (iDS) is 4291# installed and that setup has been run. This script takes the 4292# iDS server from that point and sets up the infrastructure for 4293# LDAP Naming Services. After running this script, ldapaddent(1M) 4294# or some other tools can be used to populate data. 4295 4296# Initialize the variables that need to be set to NULL, or some 4297# other initial value before the rest of the functions can be called. 4298init 4299 4300# Parse command line arguments. 4301parse_arg $* 4302shift $? 4303 4304# Print extra line to separate from prompt. 4305${ECHO} " " 4306 4307# Either Load the user specified config file 4308# or prompt user for config info. 4309if [ -n "$INPUT_FILE" ] 4310then 4311 load_config_file 4312 INTERACTIVE=0 # Turns off prompts that occur later. 4313 validate_info # Validate basic info in file. 4314 chk_ids_version # Check iDS version for compatibility. 4315else 4316 # Display BACKUP warning to user. 4317 display_msg backup_server 4318 get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help" 4319 if [ $? -eq 0 ]; then # if No, cleanup and exit. 4320 cleanup ; exit 1 4321 fi 4322 4323 # Prompt for values. 4324 prompt_config_info 4325 display_summary # Allow user to modify results. 4326 INTERACTIVE=1 # Insures future prompting. 4327fi 4328 4329# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE. 4330modify_cn 4331 4332# Modify timelimit to user value. 4333[ $NEED_TIME -eq 1 ] && modify_timelimit 4334 4335# Modify sizelimit to user value. 4336[ $NEED_SIZE -eq 1 ] && modify_sizelimit 4337 4338# Modify the password storage scheme to support CRYPT. 4339if [ "$NEED_CRYPT" = "TRUE" ]; then 4340 modify_pwd_crypt 4341fi 4342 4343# Update the schema (Attributes, Objectclass Definitions) 4344update_schema_attr 4345update_schema_obj 4346 4347# Add suffix together with its root entry (if needed) 4348add_suffix || 4349{ 4350 cleanup 4351 exit 1 4352} 4353 4354# Add base objects (if needed) 4355add_base_objects 4356 4357# Update the NisDomainObject. 4358# The Base DN might of just been created, so this MUST happen after 4359# the base objects have been added! 4360set_nisdomain 4361 4362# Add top level classes (new containers) 4363add_new_containers 4364 4365# Add common nismaps. 4366add_auto_maps 4367 4368# Modify top ACI. 4369modify_top_aci 4370 4371# Add Access Control Information for VLV. 4372add_vlv_aci 4373 4374# if Proxy needed, Add Proxy Agent and give read permission for password. 4375if [ $NEED_PROXY -eq 1 ]; then 4376 add_proxyagent 4377 allow_proxy_read_pw 4378fi 4379 4380# Generate client profile and add it to the server. 4381add_profile 4382 4383# Add Indexes to improve Search Performance. 4384add_eq_indexes 4385add_sub_indexes 4386add_vlv_indexes 4387 4388# Display setup complete message 4389display_msg setup_complete 4390 4391# Display VLV index commands to be executed on server. 4392display_vlv_cmds 4393 4394# Create config file if requested. 4395[ -n "$OUTPUT_FILE" ] && create_config_file 4396 4397# Removed the TMPDIR and all files in it. 4398cleanup 4399 4400exit 0 4401# end of MAIN. 4402