1#!/bin/sh 2# 3# CDDL HEADER START 4# 5# The contents of this file are subject to the terms of the 6# Common Development and Distribution License (the "License"). 7# You may not use this file except in compliance with the License. 8# 9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10# or http://www.opensolaris.org/os/licensing. 11# See the License for the specific language governing permissions 12# and limitations under the License. 13# 14# When distributing Covered Code, include this CDDL HEADER in each 15# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16# If applicable, add the following below this CDDL HEADER, with the 17# fields enclosed by brackets "[]" replaced with your own identifying 18# information: Portions Copyright [yyyy] [name of copyright owner] 19# 20# CDDL HEADER END 21# 22# 23# idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II. 24# 25# Copyright 2009 Sun Microsystems, Inc. All rights reserved. 26# Use is subject to license terms. 27# 28 29# 30# display_msg(): Displays message corresponding to the tag passed in. 31# 32display_msg() 33{ 34 case "$1" in 35 usage) cat <<EOF 36 $PROG: [ -v ] [ -i input file ] [ -o output file ] 37 i <input file> Get setup info from input file. 38 o <output file> Generate a server configuration output file. 39 v Verbose mode 40EOF 41 ;; 42 backup_server) cat <<EOF 43It is strongly recommended that you BACKUP the directory server 44before running $PROG. 45 46Hit Ctrl-C at any time before the final confirmation to exit. 47 48EOF 49 ;; 50 setup_complete) cat <<EOF 51 52$PROG: Setup of iDS server ${IDS_SERVER} is complete. 53 54EOF 55 ;; 56 display_vlv_list) cat <<EOF 57 58Note: idsconfig has created entries for VLV indexes. 59 60 For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER} 61 to stop the server. Then, using directoryserver, follow the 62 directoryserver examples below to create the actual VLV indexes. 63 64 For DS6.x, use dsadm command delivered with DS6.x on ${IDS_SERVER} 65 to stop the server. Then, using dsadm, follow the 66 dsadm examples below to create the actual VLV indexes. 67 68EOF 69 ;; 70 cred_level_menu) cat <<EOF 71The following are the supported credential levels: 72 1 anonymous 73 2 proxy 74 3 proxy anonymous 75 4 self 76 5 self proxy 77 6 self proxy anonymous 78EOF 79 ;; 80 auth_method_menu) cat <<EOF 81The following are the supported Authentication Methods: 82 1 none 83 2 simple 84 3 sasl/DIGEST-MD5 85 4 tls:simple 86 5 tls:sasl/DIGEST-MD5 87 6 sasl/GSSAPI 88EOF 89 ;; 90 srvauth_method_menu) cat <<EOF 91The following are the supported Authentication Methods: 92 1 simple 93 2 sasl/DIGEST-MD5 94 3 tls:simple 95 4 tls:sasl/DIGEST-MD5 96 5 sasl/GSSAPI 97EOF 98 ;; 99 prompt_ssd_menu) cat <<EOF 100 A Add a Service Search Descriptor 101 D Delete a SSD 102 M Modify a SSD 103 P Display all SSD's 104 H Help 105 X Clear all SSD's 106 107 Q Exit menu 108EOF 109 ;; 110 summary_menu) 111 112 SUFFIX_INFO= 113 DB_INFO= 114 115 [ -n "${NEED_CREATE_SUFFIX}" ] && 116 { 117 SUFFIX_INFO=`cat <<EOF 118 119 Suffix to create : $LDAP_SUFFIX 120EOF 121` 122 [ -n "${NEED_CREATE_BACKEND}" ] && 123 DB_INFO=`cat <<EOF 124 125 Database to create : $IDS_DATABASE 126EOF 127` 128 } 129 130 cat <<EOF 131 Summary of Configuration 132 133 1 Domain to serve : $LDAP_DOMAIN 134 2 Base DN to setup : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO 135 3 Profile name to create : $LDAP_PROFILE_NAME 136 4 Default Server List : $LDAP_SERVER_LIST 137 5 Preferred Server List : $LDAP_PREF_SRVLIST 138 6 Default Search Scope : $LDAP_SEARCH_SCOPE 139 7 Credential Level : $LDAP_CRED_LEVEL 140 8 Authentication Method : $LDAP_AUTHMETHOD 141 9 Enable Follow Referrals : $LDAP_FOLLOWREF 142 10 iDS Time Limit : $IDS_TIMELIMIT 143 11 iDS Size Limit : $IDS_SIZELIMIT 144 12 Enable crypt password storage : $NEED_CRYPT 145 13 Service Auth Method pam_ldap : $LDAP_SRV_AUTHMETHOD_PAM 146 14 Service Auth Method keyserv : $LDAP_SRV_AUTHMETHOD_KEY 147 15 Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD 148 16 Search Time Limit : $LDAP_SEARCH_TIME_LIMIT 149 17 Profile Time to Live : $LDAP_PROFILE_TTL 150 18 Bind Limit : $LDAP_BIND_LIMIT 151 19 Enable shadow update : $LDAP_ENABLE_SHADOW_UPDATE 152 20 Service Search Descriptors Menu 153 154EOF 155 ;; 156 sfx_not_suitable) cat <<EOF 157 158Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN} 159 160EOF 161 ;; 162 obj_not_found) cat <<EOF 163 164Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute 165 166EOF 167 ;; 168 sfx_config_incons) cat <<EOF 169 170Sorry, there is no suffix mapping for ${LDAP_SUFFIX}, 171while ldbm database exists, server configuration needs to be fixed manually, 172look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config 173 174EOF 175 ;; 176 ldbm_db_exist) cat <<EOF 177 178Database "${IDS_DATABASE}" already exists, 179however "${IDS_DATABASE_AVAIL}" name is available 180 181EOF 182 ;; 183 unable_find_db_name) cat <<EOF 184 185Unable to find any available database name close to "${IDS_DATABASE}" 186 187EOF 188 ;; 189 create_ldbm_db_error) cat <<EOF 190 191ERROR: unable to create suffix ${LDAP_SUFFIX} 192 due to server error that occurred during creation of ldbm database 193 194EOF 195 ;; 196 create_suffix_entry_error) cat <<EOF 197 198ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class 199 200EOF 201 ;; 202 ldap_suffix_list) cat <<EOF 203 204No valid suffixes (naming contexts) were found for LDAP base DN: 205${LDAP_BASEDN} 206 207Available suffixes are: 208${LDAP_SUFFIX_LIST} 209 210EOF 211 ;; 212 sorry) cat <<EOF 213 214HELP - No help is available for this topic. 215 216EOF 217 ;; 218 create_suffix_help) cat <<EOF 219 220HELP - Our Base DN is ${LDAP_BASEDN} 221 and we need to create a Directory Suffix, 222 which can be equal to Base DN itself or be any of Base DN parents. 223 All intermediate entries up to suffix will be created on demand. 224 225EOF 226 ;; 227 enter_ldbm_db_help) cat <<EOF 228 229HELP - ldbm database is an internal database for storage of our suffix data. 230 Database name must be alphanumeric due to Directory Server restriction. 231 232EOF 233 ;; 234 backup_help) cat <<EOF 235 236HELP - Since idsconfig modifies the directory server configuration, 237 it is strongly recommended that you backup the server prior 238 to running this utility. This is especially true if the server 239 being configured is a production server. 240 241EOF 242 ;; 243 port_help) cat <<EOF 244 245HELP - Enter the port number the directory server is configured to 246 use for LDAP. 247 248EOF 249 ;; 250 domain_help) cat <<EOF 251 252HELP - This is the DNS domain name this server will be serving. You 253 must provide this name even if the server is not going to be populated 254 with hostnames. Any unqualified hostname stored in the directory 255 will be fully qualified using this DNS domain name. 256 257EOF 258 ;; 259 basedn_help) cat <<EOF 260 261HELP - This parameter defines the default location in the directory tree for 262 the naming services entries. You can override this default by using 263 serviceSearchDescriptors (SSD). You will be given the option to set up 264 an SSD later on in the setup. 265 266EOF 267 ;; 268 profile_help) cat <<EOF 269 270HELP - Name of the configuration profile with which the clients will be 271 configured. A directory server can store various profiles for multiple 272 groups of clients. The initialization tool, (ldapclient(1M)), assumes 273 "default" unless another is specified. 274 275EOF 276 ;; 277 def_srvlist_help) cat <<EOF 278 279HELP - Provide a list of directory servers to serve clients using this profile. 280 All these servers should contain consistent data and provide similar 281 functionality. This list is not ordered, and clients might change the 282 order given in this list. Note that this is a space separated list of 283 *IP addresses* (not host names). Providing port numbers is optional. 284 285EOF 286 ;; 287 pref_srvlist_help) cat <<EOF 288 289HELP - Provide a list of directory servers to serve this client profile. 290 Unlike the default server list, which is not ordered, the preferred 291 servers must be entered IN THE ORDER you wish to have them contacted. 292 If you do specify a preferred server list, clients will always contact 293 them before attempting to contact any of the servers on the default 294 server list. Note that you must enter the preferred server list as a 295 space-separated list of *IP addresses* (not host names). Providing port 296 numbers is optional. 297 298EOF 299 ;; 300 srch_scope_help) cat <<EOF 301 302HELP - Default search scope to be used for all searches unless they are 303 overwritten using serviceSearchDescriptors. The valid options 304 are "one", which would specify the search will only be performed 305 at the base DN for the given service, or "sub", which would specify 306 the search will be performed through *all* levels below the base DN 307 for the given service. 308 309EOF 310 ;; 311 cred_lvl_help) cat <<EOF 312 313HELP - This parameter defines what credentials the clients use to 314 authenticate to the directory server. This list might contain 315 multiple credential levels and is ordered. If a proxy level 316 is configured, you will also be prompted to enter a bind DN 317 for the proxy agent along with a password. This proxy agent 318 will be created if it does not exist. 319 320EOF 321 ;; 322 auth_help) cat <<EOF 323 324HELP - The default authentication method(s) to be used by all services 325 in the client using this profile. This is a ordered list of 326 authentication methods separated by a ';'. The supported methods 327 are provided in a menu. Note that sasl/DIGEST-MD5 binds require 328 passwords to be stored un-encrypted on the server. 329 330EOF 331 ;; 332 srvauth_help) cat <<EOF 333 334HELP - The authentication methods to be used by a given service. Currently 335 3 services support this feature: pam_ldap, keyserv, and passwd-cmd. 336 The authentication method specified in this attribute overrides 337 the default authentication method defined in the profile. This 338 feature can be used to select stronger authentication methods for 339 services which require increased security. 340 341EOF 342 ;; 343 pam_ldap_help) cat <<EOF 344 345HELP - The authentication method(s) to be used by pam_ldap when contacting 346 the directory server. This is a ordered list, and, if provided, will 347 override the default authentication method parameter. 348 349EOF 350 ;; 351 keyserv_help) cat <<EOF 352 353HELP - The authentication method(s) to be used by newkey(1M) and chkey(1) 354 when contacting the directory server. This is a ordered list and 355 if provided will override the default authentication method 356 parameter. 357 358EOF 359 ;; 360 passwd-cmd_help) cat <<EOF 361 362HELP - The authentication method(s) to be used by passwd(1) command when 363 contacting the directory server. This is a ordered list and if 364 provided will override the default authentication method parameter. 365 366EOF 367 ;; 368 referrals_help) cat <<EOF 369 370HELP - This parameter indicates whether the client should follow 371 ldap referrals if it encounters one during naming lookups. 372 373EOF 374 ;; 375 tlim_help) cat <<EOF 376 377HELP - The server time limit value indicates the maximum amount of time the 378 server would spend on a query from the client before abandoning it. 379 A value of '-1' indicates no limit. 380 381EOF 382 ;; 383 slim_help) cat <<EOF 384 385HELP - The server sizelimit value indicates the maximum number of entries 386 the server would return in respond to a query from the client. A 387 value of '-1' indicates no limit. 388 389EOF 390 ;; 391 crypt_help) cat <<EOF 392 393HELP - By default iDS does not store userPassword attribute values using 394 unix "crypt" format. If you need to keep your passwords in the crypt 395 format for NIS/NIS+ and pam_unix compatibility, choose 'yes'. If 396 passwords are stored using any other format than crypt, pam_ldap 397 MUST be used by clients to authenticate users to the system. Note 398 that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap, 399 user passwords must be stored in the clear format. 400 401EOF 402 ;; 403 srchtime_help) cat <<EOF 404 405HELP - The search time limit the client will enforce for directory 406 lookups. 407 408EOF 409 ;; 410 profttl_help) cat <<EOF 411 412HELP - The time to live value for profile. The client will refresh its 413 cached version of the configuration profile at this TTL interval. 414 415EOF 416 ;; 417 bindlim_help) cat <<EOF 418 419HELP - The time limit for the bind operation to the directory. This 420 value controls the responsiveness of the client in case a server 421 becomes unavailable. The smallest timeout value for a given 422 network architecture/conditions would work best. This is very 423 similar to setting TCP timeout, but only for LDAP bind operation. 424 425EOF 426 ;; 427 ssd_help) cat <<EOF 428 429HELP - Using Service Search Descriptors (SSD), you can override the 430 default configuration for a given service. The SSD can be 431 used to override the default search base DN, the default search 432 scope, and the default search filter to be used for directory 433 lookups. SSD are supported for all services (databases) 434 defined in nsswitch.conf(4). The default base DN is defined 435 in ldap(1). 436 437 Note: SSD are powerful tools in defining configuration profiles 438 and provide a great deal of flexibility. However, care 439 must be taken in creating them. If you decide to make use 440 of SSDs, consult the documentation first. 441 442EOF 443 ;; 444 ssd_menu_help) cat <<EOF 445 446HELP - Using this menu SSD can be added, updated, or deleted from 447 the profile. 448 449 A - This option creates a new SSD by prompting for the 450 service name, base DN, and scope. Service name is 451 any valid service as defined in ldap(1). base is 452 either the distinguished name to the container where 453 this service will use, or a relative DN followed 454 by a ','. 455 D - Delete a previously created SSD. 456 M - Modify a previously created SSD. 457 P - Display a list of all the previously created SSD. 458 X - Delete all of the previously created SSD. 459 460 Q - Exit the menu and continue with the server configuration. 461 462EOF 463 ;; 464 ldap_suffix_list_help) cat <<EOF 465 466HELP - No valid suffixes (naming contexts) are available on server 467 ${IDS_SERVER}:${IDS_PORT}. 468 You must set an LDAP Base DN that can be contained in 469 an existing suffix. 470 471EOF 472 ;; 473 enable_shadow_update_help) cat <<EOF 474 475HELP - Enter 'y' to set up the LDAP server for shadow update. 476 The setup will add an administrator identity/credential 477 and modify the necessary access controls for the client 478 to update shadow(4) data on the LDAP server. If sasl/GSSAPI 479 is in use, the Kerberos host principal will be used as the 480 administrator identity. 481 482 Shadow data is used for password aging and account locking. 483 Please refer to the shadow(4) manual page for details. 484 485EOF 486 ;; 487 add_admin_cred_help) cat <<EOF 488 489HELP - Start the setup to add an administrator identity/credential 490 and to modify access controls for the client to update 491 shadow(4) data on the LDAP server. 492 493 Shadow data is used for password aging and account locking. 494 Please refer to the shadow(4) manual page for details. 495 496EOF 497 ;; 498 use_host_principal_help) cat <<EOF 499 500HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self' 501 credential level is detected, enter 'y' to modify the necessary 502 access controls for allowing the client to update shadow(4) data 503 on the LDAP server. 504 505 Shadow data is used for password aging and account locking. 506 Please refer to the shadow(4) manual page for details. 507 508EOF 509 ;; 510 esac 511} 512 513 514# 515# get_ans(): gets an answer from the user. 516# $1 instruction/comment/description/question 517# $2 default value 518# 519get_ans() 520{ 521 if [ -z "$2" ] 522 then 523 ${ECHO} "$1 \c" 524 else 525 ${ECHO} "$1 [$2] \c" 526 fi 527 528 read ANS 529 if [ -z "$ANS" ] 530 then 531 ANS=$2 532 fi 533} 534 535 536# 537# get_ans_req(): gets an answer (required) from the user, NULL value not allowed. 538# $@ instruction/comment/description/question 539# 540get_ans_req() 541{ 542 ANS="" # Set ANS to NULL. 543 while [ "$ANS" = "" ] 544 do 545 get_ans "$@" 546 [ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!" 547 done 548} 549 550 551# 552# get_number(): Querys and verifies that number entered is numeric. 553# Function will repeat prompt user for number value. 554# $1 Message text. 555# $2 default value. 556# $3 Help argument. 557# 558get_number() 559{ 560 ANS="" # Set ANS to NULL. 561 NUM="" 562 563 get_ans "$1" "$2" 564 565 # Verify that value is numeric. 566 while not_numeric $ANS 567 do 568 case "$ANS" in 569 [Hh] | help | Help | \?) display_msg ${3:-sorry} ;; 570 * ) ${ECHO} "Invalid value: \"${ANS}\". \c" 571 ;; 572 esac 573 # Get a new value. 574 get_ans "Enter a numeric value:" "$2" 575 done 576 NUM=$ANS 577} 578 579 580# 581# get_negone_num(): Only allows a -1 or positive integer. 582# Used for values where -1 has special meaning. 583# 584# $1 - Prompt message. 585# $2 - Default value (require). 586# $3 - Optional help argument. 587get_negone_num() 588{ 589 while : 590 do 591 get_number "$1" "$2" "$3" 592 if is_negative $ANS 593 then 594 if [ "$ANS" = "-1" ]; then 595 break # -1 is OK, so break. 596 else # Need to re-enter number. 597 ${ECHO} "Invalid number: please enter -1 or positive number." 598 fi 599 else 600 break # Positive number 601 fi 602 done 603} 604 605 606# 607# get_passwd(): Reads a password from the user and verify with second. 608# $@ instruction/comment/description/question 609# 610get_passwd() 611{ 612 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()" 613 614 # Temporary PASSWD variables 615 _PASS1="" 616 _PASS2="" 617 618 /usr/bin/stty -echo # Turn echo OFF 619 620 # Endless loop that continues until passwd and re-entered passwd 621 # match. 622 while : 623 do 624 ANS="" # Set ANS to NULL. 625 626 # Don't allow NULL for first try. 627 while [ "$ANS" = "" ] 628 do 629 get_ans "$@" 630 [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!" 631 done 632 _PASS1=$ANS # Store first try. 633 634 # Get second try. 635 ${ECHO} "" 636 get_ans "Re-enter passwd:" 637 _PASS2=$ANS 638 639 # Test if passwords are identical. 640 if [ "$_PASS1" = "$_PASS2" ]; then 641 break 642 fi 643 644 # Move cursor down to next line and print ERROR message. 645 ${ECHO} "" 646 ${ECHO} "ERROR: passwords don't match; try again." 647 done 648 649 /usr/bin/stty echo # Turn echo ON 650 651 ${ECHO} "" 652} 653 654 655# 656# get_passwd_nochk(): Reads a password from the user w/o check. 657# $@ instruction/comment/description/question 658# 659get_passwd_nochk() 660{ 661 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()" 662 663 /usr/bin/stty -echo # Turn echo OFF 664 665 get_ans "$@" 666 667 /usr/bin/stty echo # Turn echo ON 668 669 ${ECHO} "" 670} 671 672 673# 674# get_menu_choice(): Get a menu choice from user. Continue prompting 675# till the choice is in required range. 676# $1 .. Message text. 677# $2 .. min value 678# $3 .. max value 679# $4 .. OPTIONAL: default value 680# 681# Return value: 682# MN_CH will contain the value selected. 683# 684get_menu_choice() 685{ 686 # Check for req parameter. 687 if [ $# -lt 3 ]; then 688 ${ECHO} "get_menu_choice(): Did not get required parameters." 689 return 1 690 fi 691 692 while : 693 do 694 get_ans "$1" "$4" 695 MN_CH=$ANS 696 is_negative $MN_CH 697 if [ $? -eq 1 ]; then 698 if [ $MN_CH -ge $2 ]; then 699 if [ $MN_CH -le $3 ]; then 700 return 701 fi 702 fi 703 fi 704 ${ECHO} "Invalid choice: $MN_CH" 705 done 706} 707 708 709# 710# get_confirm(): Get confirmation from the user. (Y/Yes or N/No) 711# $1 - Message 712# $2 - default value. 713# 714get_confirm() 715{ 716 _ANSWER= 717 718 while : 719 do 720 # Display Internal ERROR if $2 not set. 721 if [ -z "$2" ] 722 then 723 ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional." 724 exit 2 725 fi 726 727 # Display prompt. 728 ${ECHO} "$1 [$2] \c" 729 730 # Get the ANSWER. 731 read _ANSWER 732 if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then 733 _ANSWER=$2 734 fi 735 case "$_ANSWER" in 736 [Yy] | yes | Yes | YES) return 1 ;; 737 [Nn] | no | No | NO) return 0 ;; 738 [Hh] | help | Help | \?) display_msg ${3:-sorry};; 739 * ) ${ECHO} "Please enter y or n." ;; 740 esac 741 done 742} 743 744 745# 746# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No) 747# No default value supported. 748# 749get_confirm_nodef() 750{ 751 _ANSWER= 752 753 while : 754 do 755 ${ECHO} "$@ \c" 756 read _ANSWER 757 case "$_ANSWER" in 758 [Yy] | yes | Yes | YES) return 1 ;; 759 [Nn] | no | No | NO) return 0 ;; 760 * ) ${ECHO} "Please enter y or n." ;; 761 esac 762 done 763} 764 765 766# 767# is_numeric(): Tells is a string is numeric. 768# 0 = Numeric 769# 1 = NOT Numeric 770# 771is_numeric() 772{ 773 # Check for parameter. 774 if [ $# -ne 1 ]; then 775 return 1 776 fi 777 778 # Determine if numeric. 779 expr "$1" + 1 > /dev/null 2>&1 780 if [ $? -ge 2 ]; then 781 return 1 782 fi 783 784 # Made it here, it's Numeric. 785 return 0 786} 787 788 789# 790# not_numeric(): Reverses the return values of is_numeric. Useful 791# for if and while statements that want to test for 792# non-numeric data. 793# 0 = NOT Numeric 794# 1 = Numeric 795# 796not_numeric() 797{ 798 is_numeric $1 799 if [ $? -eq 0 ]; then 800 return 1 801 else 802 return 0 803 fi 804} 805 806 807# 808# is_negative(): Tells is a Numeric value is less than zero. 809# 0 = Negative Numeric 810# 1 = Positive Numeric 811# 2 = NOT Numeric 812# 813is_negative() 814{ 815 # Check for parameter. 816 if [ $# -ne 1 ]; then 817 return 1 818 fi 819 820 # Determine if numeric. Can't use expr because -0 is 821 # considered positive?? 822 if is_numeric $1; then 823 case "$1" in 824 -*) return 0 ;; # Negative Numeric 825 *) return 1 ;; # Positive Numeric 826 esac 827 else 828 return 2 829 fi 830} 831 832 833# 834# check_domainname(): check validity of a domain name. Currently we check 835# that it has at least two components. 836# $1 the domain name to be checked 837# 838check_domainname() 839{ 840 if [ ! -z "$1" ] 841 then 842 t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'` 843 if [ "$t" = 0 ] 844 then 845 return 1 846 fi 847 fi 848 return 0 849} 850 851 852# 853# check_baseDN(): check validity of the baseDN name. 854# $1 the baseDN name to be checked 855# 856# NOTE: The check_baseDN function does not catch all invalid DN's. 857# Its purpose is to reduce the number of invalid DN's to 858# get past the input routine. The invalid DN's will be 859# caught by the LDAP server when they are attempted to be 860# created. 861# 862check_baseDN() 863{ 864 ck_DN=$1 865 ${ECHO} " Checking LDAP Base DN ..." 866 if [ ! -z "$ck_DN" ]; then 867 [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN" 868 # Check for = (assignment operator) 869 ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1 870 if [ $? -ne 0 ]; then 871 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN." 872 return 1 873 fi 874 875 # Check all keys. 876 while : 877 do 878 # Get first key. 879 dkey=`${ECHO} $ck_DN | cut -d'=' -f1` 880 881 # Check that the key string is valid 882 check_attrName $dkey 883 if [ $? -ne 0 ]; then 884 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}" 885 return 1 886 fi 887 888 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}" 889 890 # Remove first key from DN 891 ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-` 892 893 # Break loop if nothing left. 894 if [ "$ck_DN" = "" ]; then 895 break 896 fi 897 done 898 fi 899 return 0 900} 901 902 903# 904# domain_2_dc(): Convert a domain name into dc string. 905# $1 .. Domain name. 906# 907domain_2_dc() 908{ 909 _DOM=$1 # Domain parameter. 910 _DOM_2_DC="" # Return value from function. 911 _FIRST=1 # Flag for first time. 912 913 export _DOM_2_DC # Make visible for others. 914 915 # Convert "."'s to spaces for "for" loop. 916 domtmp="`${ECHO} ${_DOM} | tr '.' ' '`" 917 for i in $domtmp; do 918 if [ $_FIRST -eq 1 ]; then 919 _DOM_2_DC="dc=${i}" 920 _FIRST=0 921 else 922 _DOM_2_DC="${_DOM_2_DC},dc=${i}" 923 fi 924 done 925} 926 927 928# 929# is_root_user(): Check to see if logged in as root user. 930# 931is_root_user() 932{ 933 case `id` in 934 uid=0\(root\)*) return 0 ;; 935 * ) return 1 ;; 936 esac 937} 938 939 940# 941# parse_arg(): Parses the command line arguments and sets the 942# appropriate variables. 943# 944parse_arg() 945{ 946 while getopts "dvhi:o:" ARG 947 do 948 case $ARG in 949 d) DEBUG=1;; 950 v) VERB="";; 951 i) INPUT_FILE=$OPTARG;; 952 o) OUTPUT_FILE=$OPTARG;; 953 \?) display_msg usage 954 exit 1;; 955 *) ${ECHO} "**ERROR: Supported option missing handler!" 956 display_msg usage 957 exit 1;; 958 esac 959 done 960 return `expr $OPTIND - 1` 961} 962 963 964# 965# init(): initializes variables and options 966# 967init() 968{ 969 # General variables. 970 PROG=`basename $0` # Program name 971 PID=$$ # Program ID 972 VERB='> /dev/null 2>&1' # NULL or "> /dev/null" 973 ECHO="/bin/echo" # print message on screen 974 EVAL="eval" # eval or echo 975 EGREP="/usr/bin/egrep" 976 GREP="/usr/bin/grep" 977 DEBUG=0 # Set Debug OFF 978 BACKUP=no_ldap # backup suffix 979 HOST="" # NULL or <hostname> 980 NAWK="/usr/bin/nawk" 981 RM="/usr/bin/rm" 982 WC="/usr/bin/wc" 983 CAT="/usr/bin/cat" 984 SED="/usr/bin/sed" 985 986 DOM="" # Set to NULL 987 # If DNS domain (resolv.conf) exists use that, otherwise use domainname. 988 if [ -f /etc/resolv.conf ]; then 989 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \ 990 | awk '{ print $2 }' | tail -1` 991 fi 992 993 # If for any reason the DOM did not get set (error'd resolv.conf) set 994 # DOM to the domainname command's output. 995 if [ "$DOM" = "" ]; then 996 DOM=`domainname` # domain from domainname command. 997 fi 998 999 STEP=1 1000 INTERACTIVE=1 # 0 = on, 1 = off (For input file mode) 1001 DEL_OLD_PROFILE=0 # 0 (default), 1 = delete old profile. 1002 1003 # idsconfig specific variables. 1004 INPUT_FILE="" 1005 OUTPUT_FILE="" 1006 LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1007 NEED_PROXY=0 # 0 = No Proxy, 1 = Create Proxy. 1008 NEED_ADMIN=0 # 0 = No Admin, 1 = Create Admin. 1009 NEED_HOSTACL=0 # 0 = No Host ACL, 1 = Create Host ACL. 1010 EXISTING_PROFILE=0 1011 LDAP_PROXYAGENT="" 1012 LDAP_ADMINDN="" 1013 LDAP_SUFFIX="" 1014 LDAP_DOMAIN=$DOM # domainname on Server (default value) 1015 GEN_CMD="" 1016 PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read" 1017 1018 # LDAP COMMANDS 1019 LDAPSEARCH="/bin/ldapsearch -r" 1020 LDAPMODIFY=/bin/ldapmodify 1021 LDAPADD=/bin/ldapadd 1022 LDAPDELETE=/bin/ldapdelete 1023 LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile 1024 1025 # iDS specific information 1026 IDS_SERVER="" 1027 IDS_PORT=389 1028 NEED_TIME=0 1029 NEED_SIZE=0 1030 NEED_SRVAUTH_PAM=0 1031 NEED_SRVAUTH_KEY=0 1032 NEED_SRVAUTH_CMD=0 1033 IDS_TIMELIMIT="" 1034 IDS_SIZELIMIT="" 1035 1036 # LDAP PROFILE related defaults 1037 LDAP_ROOTDN="cn=Directory Manager" # Provide common default. 1038 LDAP_ROOTPWD="" # NULL passwd as default (i.e. invalid) 1039 LDAP_PROFILE_NAME="default" 1040 LDAP_BASEDN="" 1041 LDAP_SERVER_LIST="" 1042 LDAP_AUTHMETHOD="" 1043 LDAP_FOLLOWREF="FALSE" 1044 NEED_CRYPT="" 1045 LDAP_SEARCH_SCOPE="one" 1046 LDAP_SRV_AUTHMETHOD_PAM="" 1047 LDAP_SRV_AUTHMETHOD_KEY="" 1048 LDAP_SRV_AUTHMETHOD_CMD="" 1049 LDAP_SEARCH_TIME_LIMIT=30 1050 LDAP_PREF_SRVLIST="" 1051 LDAP_PROFILE_TTL=43200 1052 LDAP_CRED_LEVEL="proxy" 1053 LDAP_BIND_LIMIT=10 1054 1055 # Prevent new files from being read by group or others. 1056 umask 077 1057 1058 # Service Search Descriptors 1059 LDAP_SERV_SRCH_DES="" 1060 1061 # Set and create TMPDIR. 1062 TMPDIR="/tmp/idsconfig.${PID}" 1063 if mkdir -m 700 ${TMPDIR} 1064 then 1065 # Cleanup on exit. 1066 trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15 1067 else 1068 echo "ERROR: unable to create a safe temporary directory." 1069 exit 1 1070 fi 1071 LDAP_ROOTPWF=${TMPDIR}/rootPWD 1072 1073 # Set the SSD file name after setting TMPDIR. 1074 SSD_FILE=${TMPDIR}/ssd_list 1075 1076 # GSSAPI setup 1077 LDAP_KRB_REALM="" 1078 LDAP_GSSAPI_PROFILE="" 1079 SCHEMA_UPDATED=0 1080 1081 export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR 1082 export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST 1083 export LDAP_BASEDN LDAP_ROOTPWF 1084 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 1085 export NEED_PROXY 1086 export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED 1087 export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE 1088 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 1089 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 1090 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 1091 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 1092 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 1093 export LDAP_SERV_SRCH_DES SSD_FILE 1094 export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED 1095} 1096 1097 1098# 1099# disp_full_debug(): List of all debug variables usually interested in. 1100# Grouped to avoid MASSIVE code duplication. 1101# 1102disp_full_debug() 1103{ 1104 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SERVER = $IDS_SERVER" 1105 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_PORT = $IDS_PORT" 1106 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN" 1107 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD" 1108 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN" 1109 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX" 1110 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN" 1111 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME" 1112 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST" 1113 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST" 1114 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE" 1115 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL" 1116 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD" 1117 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF" 1118 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT" 1119 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT" 1120 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_CRYPT = $NEED_CRYPT" 1121 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM" 1122 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY" 1123 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD" 1124 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM" 1125 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY" 1126 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD" 1127 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT" 1128 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL" 1129 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT" 1130 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE" 1131 1132 # Only display proxy stuff if needed. 1133 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_PROXY = $NEED_PROXY" 1134 if [ $NEED_PROXY -eq 1 ]; then 1135 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT" 1136 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED" 1137 fi 1138 1139 # Only display admin credential if needed. 1140 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_ADMIN = $NEED_ADMIN" 1141 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_HOSTACL = $NEED_HOSTACL" 1142 if [ $NEED_ADMIN -eq 1 ]; then 1143 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMINDN = $LDAP_ADMINDN" 1144 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" 1145 fi 1146 1147 # Service Search Descriptors are a special case. 1148 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES" 1149} 1150 1151 1152# 1153# load_config_file(): Loads the config file. 1154# 1155load_config_file() 1156{ 1157 [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()" 1158 1159 # Remove SSD lines from input file before sourcing. 1160 # The SSD lines must be removed because some forms of the 1161 # data could cause SHELL errors. 1162 ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD 1163 1164 # Source the input file. 1165 . ${TMPDIR}/inputfile.noSSD 1166 1167 # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older 1168 # config files use LDAP_TREETOP 1169 LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}" 1170 1171 # Save password to temporary file. 1172 save_password 1173 1174 # Create the SSD file. 1175 create_ssd_file 1176 1177 # Display FULL debugging info. 1178 disp_full_debug 1179} 1180 1181# 1182# save_password(): Save password to temporary file. 1183# 1184save_password() 1185{ 1186 cat > ${LDAP_ROOTPWF} <<EOF 1187${LDAP_ROOTPWD} 1188EOF 1189} 1190 1191###################################################################### 1192# FUNCTIONS FOR prompt_config_info() START HERE. 1193###################################################################### 1194 1195# 1196# get_ids_server(): Prompt for iDS server name. 1197# 1198get_ids_server() 1199{ 1200 while : 1201 do 1202 # Prompt for server name. 1203 get_ans "Enter the JES Directory Server's hostname to setup:" "$IDS_SERVER" 1204 IDS_SERVER="$ANS" 1205 1206 # Ping server to see if live. If valid break out of loop. 1207 ping $IDS_SERVER > /dev/null 2>&1 1208 if [ $? -eq 0 ]; then 1209 break 1210 fi 1211 1212 # Invalid server, enter a new name. 1213 ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable." 1214 IDS_SERVER="" 1215 done 1216 1217 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1218 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1219 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1220 export SERVER_ARGS 1221 1222} 1223 1224# 1225# get_ids_port(): Prompt for iDS port number. 1226# 1227get_ids_port() 1228{ 1229 # Get a valid iDS port number. 1230 while : 1231 do 1232 # Enter port number. 1233 get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help" 1234 IDS_PORT=$ANS 1235 # Do a simple search to check hostname and port number. 1236 # If search returns SUCCESS, break out, host and port must 1237 # be valid. 1238 ${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1 1239 if [ $? -eq 0 ]; then 1240 break 1241 fi 1242 1243 # Invalid host/port pair, Re-enter. 1244 ${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!" 1245 get_ids_server 1246 done 1247 1248 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1249 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1250 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1251 export SERVER_ARGS 1252} 1253 1254 1255# 1256# chk_ids_version(): Read the slapd config file and set variables 1257# 1258chk_ids_version() 1259{ 1260 [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()" 1261 1262 # check iDS version number. 1263 eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1" 1264 if [ $? -ne 0 ]; then 1265 ${ECHO} "ERROR: Can not determine the version number of iDS!" 1266 exit 1 1267 fi 1268 IDS_VER=`cat ${TMPDIR}/checkDSver` 1269 IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.` 1270 IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.` 1271 if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then 1272 ${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}." 1273 exit 1 1274 fi 1275 if [ $DEBUG -eq 1 ]; then 1276 ${ECHO} " IDS_MAJVER = $IDS_MAJVER" 1277 ${ECHO} " IDS_MINVER = $IDS_MINVER" 1278 fi 1279} 1280 1281 1282# 1283# get_dirmgr_dn(): Get the directory manger DN. 1284# 1285get_dirmgr_dn() 1286{ 1287 get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN" 1288 LDAP_ROOTDN=$ANS 1289 1290 # Update ENV variables using DN. 1291 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1292 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1293 export AUTH_ARGS LDAP_ARGS 1294} 1295 1296 1297# 1298# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf) 1299# 1300get_dirmgr_pw() 1301{ 1302 while : 1303 do 1304 # Get passwd. 1305 get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :" 1306 LDAP_ROOTPWD=$ANS 1307 1308 # Store password in file. 1309 save_password 1310 1311 # Update ENV variables using DN's PW. 1312 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1313 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1314 export AUTH_ARGS LDAP_ARGS 1315 1316 # Verify that ROOTDN and ROOTPWD are valid. 1317 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 1318 if [ $? -ne 0 ]; then 1319 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 1320 if [ $? -eq 0 ]; then 1321 ${ECHO} "ERROR: Root DN passwd is invalid." 1322 else 1323 ${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>." 1324 get_dirmgr_dn 1325 fi 1326 else 1327 break # Both are valid. 1328 fi 1329 done 1330 1331 1332} 1333 1334 1335# 1336# get_domain(): Get the Domain that will be served by the LDAP server. 1337# $1 - Help argument. 1338# 1339get_domain() 1340{ 1341 # Use LDAP_DOMAIN as default. 1342 get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN 1343 1344 # Check domainname, and have user re-enter if not valid. 1345 check_domainname $ANS 1346 while [ $? -ne 0 ] 1347 do 1348 case "$ANS" in 1349 [Hh] | help | Help | \?) display_msg ${1:-sorry} ;; 1350 * ) ${ECHO} "Invalid domainname: \"${ANS}\"." 1351 ;; 1352 esac 1353 get_ans "Enter domainname to be served (h=help):" $DOM 1354 1355 check_domainname $ANS 1356 done 1357 1358 # Set the domainname to valid name. 1359 LDAP_DOMAIN=$ANS 1360} 1361 1362 1363# 1364# get_basedn(): Query for the Base DN. 1365# 1366get_basedn() 1367{ 1368 # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default. 1369 # Then call get_basedn(). This method remakes the default 1370 # each time just in case the domain changed. 1371 domain_2_dc $LDAP_DOMAIN 1372 LDAP_BASEDN=$_DOM_2_DC 1373 1374 # Get Base DN. 1375 while : 1376 do 1377 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1378 check_baseDN "$ANS" 1379 while [ $? -ne 0 ] 1380 do 1381 case "$ANS" in 1382 [Hh] | help | Help | \?) display_msg basedn_help ;; 1383 * ) ${ECHO} "Invalid base DN: \"${ANS}\"." 1384 ;; 1385 esac 1386 1387 # Re-Enter the BaseDN 1388 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1389 check_baseDN "$ANS" 1390 done 1391 1392 # Set base DN and check its suffix 1393 LDAP_BASEDN=${ANS} 1394 check_basedn_suffix || 1395 { 1396 cleanup 1397 exit 1 1398 } 1399 1400 # suffix may need to be created, in that case get suffix from user 1401 [ -n "${NEED_CREATE_SUFFIX}" ] && 1402 { 1403 get_suffix || continue 1404 } 1405 1406 # suffix is ok, break out of the base dn inquire loop 1407 break 1408 done 1409} 1410 1411# 1412# get_want_shadow_update(): Ask user if want to enable shadow update? 1413# 1414get_want_shadow_update() 1415{ 1416 MSG="Do you want to enable shadow update (y/n/h)?" 1417 get_confirm "$MSG" "n" "enable_shadow_update_help" 1418 if [ $? -eq 1 ]; then 1419 LDAP_ENABLE_SHADOW_UPDATE="TRUE" 1420 else 1421 LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1422 fi 1423} 1424 1425get_krb_realm() { 1426 1427 # To upper cases 1428 LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'` 1429 get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM" 1430 # To upper cases 1431 LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'` 1432} 1433 1434# $1: DN 1435# $2: ldif file 1436add_entry_by_DN() { 1437 1438 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}" 1439 if [ $? -eq 0 ]; then 1440 ${ECHO} " ${1} already exists" 1441 return 0 1442 else 1443 ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}" 1444 if [ $? -eq 0 ]; then 1445 ${ECHO} " ${1} is added" 1446 return 0 1447 else 1448 ${ECHO} " ERROR: failed to add ${1}" 1449 return 1 1450 fi 1451 fi 1452 1453} 1454# 1455# Kerberos princiapl to DN mapping rules 1456# 1457# Add rules for host credentails and user credentials 1458# 1459add_id_mapping_rules() { 1460 1461 ${ECHO} " Adding Kerberos principal to DN mapping rules..." 1462 1463 _C_DN="cn=GSSAPI,cn=identity mapping,cn=config" 1464 ( cat << EOF 1465dn: cn=GSSAPI,cn=identity mapping,cn=config 1466objectClass: top 1467objectClass: nsContainer 1468cn: GSSAPI 1469EOF 1470) > ${TMPDIR}/GSSAPI_container.ldif 1471 1472 add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif" 1473 if [ $? -ne 0 ]; 1474 then 1475 ${RM} ${TMPDIR}/GSSAPI_container.ldif 1476 return 1477 fi 1478 1479 _H_CN="host_auth_${LDAP_KRB_REALM}" 1480 _H_DN="cn=${_H_CN}, ${_C_DN}" 1481 ( cat << EOF 1482dn: ${_H_DN} 1483objectClass: top 1484objectClass: nsContainer 1485objectClass: dsIdentityMapping 1486objectClass: dsPatternMatching 1487cn: ${_H_CN} 1488dsMatching-pattern: \${Principal} 1489dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM} 1490dsSearchBaseDN: ou=hosts,${LDAP_BASEDN} 1491dsSearchFilter: (&(objectClass=ipHost)(cn=\$1)) 1492dsSearchScope: one 1493 1494EOF 1495) > ${TMPDIR}/${_H_CN}.ldif 1496 1497 add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif" 1498 1499 _U_CN="user_auth_${LDAP_KRB_REALM}" 1500 _U_DN="cn=${_U_CN}, ${_C_DN}" 1501 ( cat << EOF 1502dn: ${_U_DN} 1503objectClass: top 1504objectClass: nsContainer 1505objectClass: dsIdentityMapping 1506objectClass: dsPatternMatching 1507cn: ${_U_CN} 1508dsMatching-pattern: \${Principal} 1509dsMatching-regexp: (.*)@${LDAP_KRB_REALM} 1510dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN} 1511 1512EOF 1513) > ${TMPDIR}/${_U_CN}.ldif 1514 1515 add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif" 1516 1517} 1518 1519 1520# 1521# Modify ACL to allow root to read all the password and only self can read 1522# its own password when sasl/GSSAPI bind is used 1523# 1524modify_userpassword_acl_for_gssapi() { 1525 1526 _P_DN="ou=People,${LDAP_BASEDN}" 1527 _H_DN="ou=Hosts,${LDAP_BASEDN}" 1528 _P_ACI="self-read-pwd" 1529 1530 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1" 1531 if [ $? -ne 0 ]; then 1532 ${ECHO} " ${_P_DN} does not exist" 1533 # Not Found. Create a new entry 1534 ( cat << EOF 1535dn: ${_P_DN} 1536ou: People 1537objectClass: top 1538objectClass: organizationalUnit 1539EOF 1540) > ${TMPDIR}/gssapi_people.ldif 1541 1542 add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif" 1543 else 1544 ${ECHO} " ${_P_DN} already exists" 1545 fi 1546 1547 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1" 1548 1549 if [ $? -eq 0 ]; then 1550 ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1" 1551 if [ $? -eq 0 ]; then 1552 ${ECHO} " userpassword ACL ${_P_ACI} already exists." 1553 return 1554 else 1555 ${ECHO} " userpassword ACL ${_P_ACI} not found. Create a new one." 1556 fi 1557 else 1558 ${ECHO} " Error searching aci for ${_P_DN}" 1559 cat ${TMPDIR}/chk_gssapi_aci 1560 cleanup 1561 exit 1 1562 fi 1563 ( cat << EOF 1564dn: ${_P_DN} 1565changetype: modify 1566add: aci 1567aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";) 1568- 1569add: aci 1570aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";) 1571EOF 1572) > ${TMPDIR}/user_gssapi.ldif 1573 LDAP_TYPE_OR_VALUE_EXISTS=20 1574 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}" 1575 1576 case $? in 1577 0) 1578 ${ECHO} " ${_P_DN} uaserpassword ACL is updated." 1579 ;; 1580 20) 1581 ${ECHO} " ${_P_DN} uaserpassword ACL already exists." 1582 ;; 1583 *) 1584 ${ECHO} " ERROR: update of userpassword ACL for ${_P_DN} failed!" 1585 cleanup 1586 exit 1 1587 ;; 1588 esac 1589} 1590# 1591# $1: objectclass or attributetyp 1592# $2: name 1593search_update_schema() { 1594 1595 ATTR="${1}es" 1596 1597 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}" 1598 if [ $? -ne 0 ]; then 1599 ${ECHO} "${1} ${2} does not exist." 1600 update_schema_attr 1601 update_schema_obj 1602 SCHEMA_UPDATED=1 1603 else 1604 ${ECHO} "${1} ${2} already exists. Schema has been updated" 1605 fi 1606} 1607 1608# 1609# $1: 1 - interactive, 0 - no 1610# 1611create_gssapi_profile() { 1612 1613 1614 if [ ${1} -eq 1 ]; then 1615 echo 1616 echo "You can create a sasl/GSSAPI enabled profile with default values now." 1617 get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n" 1618 1619 if [ $? -eq 0 ]; then 1620 return 1621 fi 1622 fi 1623 1624 # Add profile container if it does not exist 1625 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1" 1626 if [ $? -ne 0 ]; then 1627 ( cat << EOF 1628dn: ou=profile,${LDAP_BASEDN} 1629ou: profile 1630objectClass: top 1631objectClass: organizationalUnit 1632EOF 1633) > ${TMPDIR}/profile_people.ldif 1634 1635 add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif" 1636 1637 fi 1638 1639 search_update_schema "objectclass" "DUAConfigProfile" 1640 1641 _P_NAME="gssapi_${LDAP_KRB_REALM}" 1642 if [ ${1} -eq 1 ]; then 1643 _P_TMP=${LDAP_PROFILE_NAME} 1644 LDAP_PROFILE_NAME=${_P_NAME} 1645 get_profile_name 1646 LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME} 1647 LDAP_PROFILE_NAME=${_P_TMP} 1648 fi 1649 1650 _P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}" 1651 if [ ${DEL_OLD_PROFILE} -eq 1 ]; then 1652 DEL_OLD_PROFILE=0 1653 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}" 1654 fi 1655 1656 _SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'` 1657 if [ ${IDS_PORT} -ne 389 ]; then 1658 _SVR="${_SVR}:${IDS_PORT}" 1659 fi 1660 1661 (cat << EOF 1662dn: ${_P_DN} 1663objectClass: top 1664objectClass: DUAConfigProfile 1665defaultServerList: ${_SVR} 1666defaultSearchBase: ${LDAP_BASEDN} 1667authenticationMethod: sasl/GSSAPI 1668followReferrals: ${LDAP_FOLLOWREF} 1669defaultSearchScope: ${LDAP_SEARCH_SCOPE} 1670searchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT} 1671profileTTL: ${LDAP_PROFILE_TTL} 1672cn: ${LDAP_GSSAPI_PROFILE} 1673credentialLevel: self 1674bindTimeLimit: ${LDAP_BIND_LIMIT} 1675EOF 1676) > ${TMPDIR}/gssapi_profile.ldif 1677 1678 add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif" 1679 1680} 1681# 1682# Set up GSSAPI if necessary 1683# 1684gssapi_setup() { 1685 1686 # assume sasl/GSSAPI is supported by the ldap server and may be used 1687 GSSAPI_AUTH_MAY_BE_USED=1 1688 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" 1689 if [ $? -ne 0 ]; then 1690 GSSAPI_AUTH_MAY_BE_USED=0 1691 ${ECHO} " sasl/GSSAPI is not supported by this LDAP server" 1692 return 1693 fi 1694 1695 get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n" 1696 if [ $? -eq 0 ]; then 1697 ${ECHO} 1698 ${ECHO} "GSSAPI is not set up." 1699 ${ECHO} "sasl/GSSAPI bind may not work if it's not set up first." 1700 else 1701 get_krb_realm 1702 add_id_mapping_rules 1703 modify_userpassword_acl_for_gssapi 1704 create_gssapi_profile 1 1705 ${ECHO} 1706 ${ECHO} "GSSAPI setup is done." 1707 fi 1708 1709 cat << EOF 1710 1711You can continue to create a profile and 1712configure the LDAP server. 1713Or you can stop now. 1714 1715EOF 1716 get_confirm "Do you want to stop:(y/n)" "n" 1717 if [ $? -eq 1 ]; then 1718 cleanup 1719 exit 1720 fi 1721 1722} 1723gssapi_setup_auto() { 1724 GSSAPI_AUTH_MAY_BE_USED=0 1725 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" 1726 if [ $? -ne 0 ]; then 1727 ${ECHO} 1728 ${ECHO} "sasl/GSSAPI is not supported by this LDAP server" 1729 ${ECHO} 1730 return 1731 fi 1732 if [ -z "${LDAP_KRB_REALM}" ]; then 1733 ${ECHO} 1734 ${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup." 1735 ${ECHO} "sasl/GSSAPI bind won't work properly." 1736 ${ECHO} 1737 return 1738 fi 1739 GSSAPI_AUTH_MAY_BE_USED=1 1740 if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then 1741 ${ECHO} 1742 ${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}" 1743 ${ECHO} 1744 LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}" 1745 fi 1746 add_id_mapping_rules 1747 modify_userpassword_acl_for_gssapi 1748 create_gssapi_profile 0 1749} 1750# get_profile_name(): Enter the profile name. 1751# 1752get_profile_name() 1753{ 1754 # Reset Delete Old Profile since getting new profile name. 1755 DEL_OLD_PROFILE=0 1756 1757 # Loop until valid profile name, or replace. 1758 while : 1759 do 1760 # Prompt for profile name. 1761 get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME" 1762 1763 # Check for Help. 1764 case "$ANS" in 1765 [Hh] | help | Help | \?) display_msg profile_help 1766 continue ;; 1767 * ) ;; 1768 esac 1769 1770 # Search to see if profile name already exists. 1771 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 1772 if [ $? -eq 0 ]; then 1773 1774 cat << EOF 1775 1776Profile '${ANS}' already exists, it is possible to enable 1777shadow update now. idsconfig will exit after shadow update 1778is enabled. You can also continue to overwrite the profile 1779or create a new one and be given the chance to enable 1780shadow update later. 1781 1782EOF 1783 1784 MSG="Just enable shadow update (y/n/h)?" 1785 get_confirm "$MSG" "n" "enable_shadow_update_help" 1786 if [ $? -eq 1 ]; then 1787 [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update" 1788 LDAP_ENABLE_SHADOW_UPDATE=TRUE 1789 # display alternate messages 1790 EXISTING_PROFILE=1 1791 # Set Profile Name. 1792 LDAP_PROFILE_NAME=$ANS 1793 return 0 # set up credentials for shadow update. 1794 fi 1795 1796 get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?" 1797 if [ $? -eq 1 ]; then 1798 DEL_OLD_PROFILE=1 1799 return 0 # Replace old profile name. 1800 else 1801 ${ECHO} "Please re-enter a new profile name." 1802 fi 1803 else 1804 break # Unique profile name. 1805 fi 1806 done 1807 1808 # Set Profile Name. 1809 LDAP_PROFILE_NAME=$ANS 1810} 1811 1812 1813# 1814# get_srv_list(): Get the default server list. 1815# 1816get_srv_list() 1817{ 1818 # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone. 1819 if [ -z "${LDAP_SERVER_LIST}" ]; then 1820 LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'` 1821 if [ ${IDS_PORT} -ne 389 ]; then 1822 LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}" 1823 fi 1824 fi 1825 1826 # Prompt for new LDAP_SERVER_LIST. 1827 while : 1828 do 1829 get_ans "Default server list (h=help):" $LDAP_SERVER_LIST 1830 1831 # If help continue, otherwise break. 1832 case "$ANS" in 1833 [Hh] | help | Help | \?) display_msg def_srvlist_help ;; 1834 * ) break ;; 1835 esac 1836 done 1837 LDAP_SERVER_LIST=$ANS 1838} 1839 1840 1841# 1842# get_pref_srv(): The preferred server list (Overrides the server list) 1843# 1844get_pref_srv() 1845{ 1846 while : 1847 do 1848 get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST 1849 1850 # If help continue, otherwise break. 1851 case "$ANS" in 1852 [Hh] | help | Help | \?) display_msg pref_srvlist_help ;; 1853 * ) break ;; 1854 esac 1855 done 1856 LDAP_PREF_SRVLIST=$ANS 1857} 1858 1859 1860# 1861# get_search_scope(): Get the search scope from the user. 1862# 1863get_search_scope() 1864{ 1865 [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()" 1866 1867 _MENU_CHOICE=0 1868 while : 1869 do 1870 get_ans "Choose desired search scope (one, sub, h=help): " "one" 1871 _MENU_CHOICE=$ANS 1872 case "$_MENU_CHOICE" in 1873 one) LDAP_SEARCH_SCOPE="one" 1874 return 1 ;; 1875 sub) LDAP_SEARCH_SCOPE="sub" 1876 return 2 ;; 1877 h) display_msg srch_scope_help ;; 1878 *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;; 1879 esac 1880 done 1881 1882} 1883 1884 1885# 1886# get_cred_level(): Function to display menu to user and get the 1887# credential level. 1888# 1889get_cred_level() 1890{ 1891 [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()" 1892 1893 _MENU_CHOICE=0 1894 display_msg cred_level_menu 1895 while : 1896 do 1897 get_ans "Choose Credential level [h=help]:" "1" 1898 _MENU_CHOICE=$ANS 1899 case "$_MENU_CHOICE" in 1900 1) LDAP_CRED_LEVEL="anonymous" 1901 return 1 ;; 1902 2) LDAP_CRED_LEVEL="proxy" 1903 return 2 ;; 1904 3) LDAP_CRED_LEVEL="proxy anonymous" 1905 return 3 ;; 1906 4) LDAP_CRED_LEVEL="self" 1907 SELF_GSSAPI=1 1908 return 4 ;; 1909 5) LDAP_CRED_LEVEL="self proxy" 1910 SELF_GSSAPI=1 1911 return 5 ;; 1912 6) LDAP_CRED_LEVEL="self proxy anonymous" 1913 SELF_GSSAPI=1 1914 return 6 ;; 1915 h) display_msg cred_lvl_help ;; 1916 *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;; 1917 esac 1918 done 1919} 1920 1921 1922# 1923# srvauth_menu_handler(): Enter the Service Authentication method. 1924# 1925srvauth_menu_handler() 1926{ 1927 # Display Auth menu 1928 display_msg srvauth_method_menu 1929 1930 # Get a Valid choice. 1931 while : 1932 do 1933 # Display appropriate prompt and get answer. 1934 if [ $_FIRST -eq 1 ]; then 1935 get_ans "Choose Service Authentication Method:" "1" 1936 else 1937 get_ans "Choose Service Authentication Method (0=reset):" 1938 fi 1939 1940 # Determine choice. 1941 _MENU_CHOICE=$ANS 1942 case "$_MENU_CHOICE" in 1943 1) _AUTHMETHOD="simple" 1944 break ;; 1945 2) _AUTHMETHOD="sasl/DIGEST-MD5" 1946 break ;; 1947 3) _AUTHMETHOD="tls:simple" 1948 break ;; 1949 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1950 break ;; 1951 5) _AUTHMETHOD="sasl/GSSAPI" 1952 break ;; 1953 0) _AUTHMETHOD="" 1954 _FIRST=1 1955 break ;; 1956 *) ${ECHO} "Please enter 1-5 or 0 to reset." ;; 1957 esac 1958 done 1959} 1960 1961 1962# 1963# auth_menu_handler(): Enter the Authentication method. 1964# 1965auth_menu_handler() 1966{ 1967 # Display Auth menu 1968 display_msg auth_method_menu 1969 1970 # Get a Valid choice. 1971 while : 1972 do 1973 # Display appropriate prompt and get answer. 1974 if [ $_FIRST -eq 1 ]; then 1975 get_ans "Choose Authentication Method (h=help):" "1" 1976 else 1977 get_ans "Choose Authentication Method (0=reset, h=help):" 1978 fi 1979 1980 # Determine choice. 1981 _MENU_CHOICE=$ANS 1982 case "$_MENU_CHOICE" in 1983 1) _AUTHMETHOD="none" 1984 break ;; 1985 2) _AUTHMETHOD="simple" 1986 break ;; 1987 3) _AUTHMETHOD="sasl/DIGEST-MD5" 1988 break ;; 1989 4) _AUTHMETHOD="tls:simple" 1990 break ;; 1991 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1992 break ;; 1993 6) _AUTHMETHOD="sasl/GSSAPI" 1994 break ;; 1995 0) _AUTHMETHOD="" 1996 _FIRST=1 1997 break ;; 1998 h) display_msg auth_help ;; 1999 *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;; 2000 esac 2001 done 2002} 2003 2004 2005# 2006# get_auth(): Enter the Authentication method. 2007# 2008get_auth() 2009{ 2010 [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()" 2011 2012 _FIRST=1 # Flag for first time. 2013 _MENU_CHOICE=0 2014 _AUTHMETHOD="" # Tmp method. 2015 2016 while : 2017 do 2018 # Call Menu handler 2019 auth_menu_handler 2020 2021 # Add Auth Method to list. 2022 if [ $_FIRST -eq 1 ]; then 2023 LDAP_AUTHMETHOD="${_AUTHMETHOD}" 2024 _FIRST=0 2025 else 2026 LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" 2027 fi 2028 2029 # Display current Authentication Method. 2030 ${ECHO} "" 2031 ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}" 2032 ${ECHO} "" 2033 2034 # Prompt for another Auth Method, or break out. 2035 get_confirm_nodef "Do you want to add another Authentication Method?" 2036 if [ $? -eq 0 ]; then 2037 break; 2038 fi 2039 done 2040} 2041 2042 2043# 2044# get_followref(): Whether or not to follow referrals. 2045# 2046get_followref() 2047{ 2048 get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help" 2049 if [ $? -eq 1 ]; then 2050 LDAP_FOLLOWREF="TRUE" 2051 else 2052 LDAP_FOLLOWREF="FALSE" 2053 fi 2054} 2055 2056 2057# 2058# get_timelimit(): Set the time limit. -1 is max time. 2059# 2060get_timelimit() 2061{ 2062 # Get current timeout value from cn=config. 2063 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1" 2064 if [ $? -ne 0 ]; then 2065 ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!" 2066 cleanup 2067 exit 1 2068 fi 2069 CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=` 2070 2071 get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1" 2072 IDS_TIMELIMIT=$NUM 2073} 2074 2075 2076# 2077# get_sizelimit(): Set the size limit. -1 is max size. 2078# 2079get_sizelimit() 2080{ 2081 # Get current sizelimit value from cn=config. 2082 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1" 2083 if [ $? -ne 0 ]; then 2084 ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!" 2085 cleanup 2086 exit 1 2087 fi 2088 CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=` 2089 2090 get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1" 2091 IDS_SIZELIMIT=$NUM 2092} 2093 2094 2095# 2096# get_want_crypt(): Ask user if want to store passwords in crypt? 2097# 2098get_want_crypt() 2099{ 2100 get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help" 2101 if [ $? -eq 1 ]; then 2102 NEED_CRYPT="TRUE" 2103 else 2104 NEED_CRYPT="FALSE" 2105 fi 2106} 2107 2108 2109# 2110# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user. 2111# 2112# NOTE: This function is base on get_auth(). 2113# 2114get_srv_authMethod_pam() 2115{ 2116 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()" 2117 2118 _FIRST=1 # Flag for first time. 2119 _MENU_CHOICE=0 2120 _AUTHMETHOD="" # Tmp method. 2121 2122 while : 2123 do 2124 # Call Menu handler 2125 srvauth_menu_handler 2126 2127 # Add Auth Method to list. 2128 if [ $_FIRST -eq 1 ]; then 2129 if [ "$_AUTHMETHOD" = "" ]; then 2130 LDAP_SRV_AUTHMETHOD_PAM="" 2131 else 2132 LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}" 2133 fi 2134 _FIRST=0 2135 else 2136 LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}" 2137 fi 2138 2139 # Display current Authentication Method. 2140 ${ECHO} "" 2141 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}" 2142 ${ECHO} "" 2143 2144 # Prompt for another Auth Method, or break out. 2145 get_confirm_nodef "Do you want to add another Authentication Method?" 2146 if [ $? -eq 0 ]; then 2147 break; 2148 fi 2149 done 2150 2151 # Check in case user reset string and exited loop. 2152 if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then 2153 NEED_SRVAUTH_PAM=0 2154 fi 2155} 2156 2157 2158# 2159# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user. 2160# 2161# NOTE: This function is base on get_auth(). 2162# 2163get_srv_authMethod_key() 2164{ 2165 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()" 2166 2167 _FIRST=1 # Flag for first time. 2168 _MENU_CHOICE=0 2169 _AUTHMETHOD="" # Tmp method. 2170 2171 while : 2172 do 2173 # Call Menu handler 2174 srvauth_menu_handler 2175 2176 # Add Auth Method to list. 2177 if [ $_FIRST -eq 1 ]; then 2178 if [ "$_AUTHMETHOD" = "" ]; then 2179 LDAP_SRV_AUTHMETHOD_KEY="" 2180 else 2181 LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}" 2182 fi 2183 _FIRST=0 2184 else 2185 LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}" 2186 fi 2187 2188 # Display current Authentication Method. 2189 ${ECHO} "" 2190 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}" 2191 ${ECHO} "" 2192 2193 # Prompt for another Auth Method, or break out. 2194 get_confirm_nodef "Do you want to add another Authentication Method?" 2195 if [ $? -eq 0 ]; then 2196 break; 2197 fi 2198 done 2199 2200 # Check in case user reset string and exited loop. 2201 if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then 2202 NEED_SRVAUTH_KEY=0 2203 fi 2204} 2205 2206 2207# 2208# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user. 2209# 2210# NOTE: This function is base on get_auth(). 2211# 2212get_srv_authMethod_cmd() 2213{ 2214 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()" 2215 2216 _FIRST=1 # Flag for first time. 2217 _MENU_CHOICE=0 2218 _AUTHMETHOD="" # Tmp method. 2219 2220 while : 2221 do 2222 # Call Menu handler 2223 srvauth_menu_handler 2224 2225 # Add Auth Method to list. 2226 if [ $_FIRST -eq 1 ]; then 2227 if [ "$_AUTHMETHOD" = "" ]; then 2228 LDAP_SRV_AUTHMETHOD_CMD="" 2229 else 2230 LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}" 2231 fi 2232 _FIRST=0 2233 else 2234 LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}" 2235 fi 2236 2237 # Display current Authentication Method. 2238 ${ECHO} "" 2239 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}" 2240 ${ECHO} "" 2241 2242 # Prompt for another Auth Method, or break out. 2243 get_confirm_nodef "Do you want to add another Authentication Method?" 2244 if [ $? -eq 0 ]; then 2245 break; 2246 fi 2247 done 2248 2249 # Check in case user reset string and exited loop. 2250 if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then 2251 NEED_SRVAUTH_CMD=0 2252 fi 2253} 2254 2255 2256# 2257# get_srch_time(): Amount of time to search. 2258# 2259get_srch_time() 2260{ 2261 get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help" 2262 LDAP_SEARCH_TIME_LIMIT=$NUM 2263} 2264 2265 2266# 2267# get_prof_ttl(): The profile time to live (TTL) 2268# 2269get_prof_ttl() 2270{ 2271 get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help" 2272 LDAP_PROFILE_TTL=$NUM 2273} 2274 2275 2276# 2277# get_bind_limit(): Bind time limit 2278# 2279get_bind_limit() 2280{ 2281 get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help" 2282 LDAP_BIND_LIMIT=$NUM 2283} 2284 2285 2286###################################################################### 2287# FUNCTIONS FOR Service Search Descriptor's START HERE. 2288###################################################################### 2289 2290 2291# 2292# add_ssd(): Get SSD's from user and add to file. 2293# 2294add_ssd() 2295{ 2296 [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()" 2297 2298 # Enter the service id. Loop til unique. 2299 while : 2300 do 2301 get_ans "Enter the service id:" 2302 _SERV_ID=$ANS 2303 2304 # Grep for name existing. 2305 ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1 2306 if [ $? -eq 1 ]; then 2307 break 2308 fi 2309 2310 # Name exists, print message, let user decide. 2311 ${ECHO} "ERROR: Service id ${ANS} already exists." 2312 done 2313 2314 get_ans "Enter the base:" 2315 _BASE=$ANS 2316 2317 # Get the scope and verify that its one or sub. 2318 while : 2319 do 2320 get_ans "Enter the scope:" 2321 _SCOPE=$ANS 2322 case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in 2323 one) break ;; 2324 sub) break ;; 2325 *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;; 2326 esac 2327 done 2328 2329 # Build SSD to add to file. 2330 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 2331 2332 # Add the SSD to the file. 2333 ${ECHO} "${_SSD}" >> ${SSD_FILE} 2334} 2335 2336 2337# 2338# delete_ssd(): Delete a SSD from the list. 2339# 2340delete_ssd() 2341{ 2342 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()" 2343 2344 # Get service id name from user for SSD to delete. 2345 get_ans_req "Enter service id to delete:" 2346 2347 # Make sure service id exists. 2348 ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1 2349 if [ $? -eq 1 ]; then 2350 ${ECHO} "Invalid service id: $ANS not present in list." 2351 return 2352 fi 2353 2354 # Create temporary back SSD file. 2355 cp ${SSD_FILE} ${SSD_FILE}.bak 2356 if [ $? -eq 1 ]; then 2357 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 2358 exit 1 2359 fi 2360 2361 # Use ${GREP} to remove the SSD. Read from temp file 2362 # and write to the orig file. 2363 ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE} 2364} 2365 2366 2367# 2368# modify_ssd(): Allow user to modify a SSD. 2369# 2370modify_ssd() 2371{ 2372 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()" 2373 2374 # Prompt user for service id. 2375 get_ans_req "Enter service id to modify:" 2376 2377 # Put into temp _LINE. 2378 _LINE=`${GREP} "^$ANS:" ${SSD_FILE}` 2379 if [ "$_LINE" = "" ]; then 2380 ${ECHO} "Invalid service id: $ANS" 2381 return 2382 fi 2383 2384 # Display current filter for user to see. 2385 ${ECHO} "" 2386 ${ECHO} "Current SSD: $_LINE" 2387 ${ECHO} "" 2388 2389 # Get the defaults. 2390 _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1` 2391 _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2` 2392 2393 # Create temporary back SSD file. 2394 cp ${SSD_FILE} ${SSD_FILE}.bak 2395 if [ $? -eq 1 ]; then 2396 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 2397 cleanup 2398 exit 1 2399 fi 2400 2401 # Removed the old line. 2402 ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1 2403 2404 # New Entry 2405 _SERV_ID=$ANS 2406 get_ans_req "Enter the base:" "$_CURR_BASE" 2407 _BASE=$ANS 2408 get_ans_req "Enter the scope:" "$_CURR_SCOPE" 2409 _SCOPE=$ANS 2410 2411 # Build the new SSD. 2412 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 2413 2414 # Add the SSD to the file. 2415 ${ECHO} "${_SSD}" >> ${SSD_FILE} 2416} 2417 2418 2419# 2420# display_ssd(): Display the current SSD list. 2421# 2422display_ssd() 2423{ 2424 [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()" 2425 2426 ${ECHO} "" 2427 ${ECHO} "Current Service Search Descriptors:" 2428 ${ECHO} "==================================" 2429 cat ${SSD_FILE} 2430 ${ECHO} "" 2431 ${ECHO} "Hit return to continue." 2432 read __A 2433} 2434 2435 2436# 2437# prompt_ssd(): Get SSD's from user. 2438# 2439prompt_ssd() 2440{ 2441 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()" 2442 # See if user wants SSD's? 2443 get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help" 2444 [ "$?" -eq 0 ] && return 2445 2446 # Display menu for SSD choices. 2447 while : 2448 do 2449 display_msg prompt_ssd_menu 2450 get_ans "Enter menu choice:" "Quit" 2451 case "$ANS" in 2452 [Aa] | add) add_ssd ;; 2453 [Dd] | delete) delete_ssd ;; 2454 [Mm] | modify) modify_ssd ;; 2455 [Pp] | print | display) display_ssd ;; 2456 [Xx] | reset | clear) reset_ssd_file ;; 2457 [Hh] | Help | help) display_msg ssd_menu_help 2458 ${ECHO} " Press return to continue." 2459 read __A ;; 2460 [Qq] | Quit | quit) return ;; 2461 *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;; 2462 esac 2463 done 2464} 2465 2466 2467# 2468# reset_ssd_file(): Blank out current SSD file. 2469# 2470reset_ssd_file() 2471{ 2472 [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()" 2473 2474 rm -f ${SSD_FILE} 2475 touch ${SSD_FILE} 2476} 2477 2478 2479# 2480# create_ssd_file(): Create a temporary file for SSD's. 2481# 2482create_ssd_file() 2483{ 2484 [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()" 2485 2486 # Build a list of SSD's and store in temp file. 2487 ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \ 2488 sed 's/LDAP_SERV_SRCH_DES=//' \ 2489 > ${SSD_FILE} 2490} 2491 2492 2493# 2494# ssd_2_config(): Append the SSD file to the output file. 2495# 2496ssd_2_config() 2497{ 2498 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()" 2499 2500 # Convert to config file format using sed. 2501 sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE} 2502} 2503 2504 2505# 2506# ssd_2_profile(): Add SSD's to the GEN_CMD string. 2507# 2508ssd_2_profile() 2509{ 2510 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()" 2511 2512 GEN_TMPFILE=${TMPDIR}/ssd_tmpfile 2513 touch ${GEN_TMPFILE} 2514 2515 # Add and convert each SSD to string. 2516 while read SSD_LINE 2517 do 2518 ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE} 2519 done <${SSD_FILE} 2520 2521 # Add SSD's to GEN_CMD. 2522 GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`" 2523} 2524 2525# 2526# get_adminDN(): Get the admin DN. 2527# 2528get_adminDN() 2529{ 2530 LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}" # default 2531 get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN" 2532 LDAP_ADMINDN=$ANS 2533 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN" 2534} 2535 2536# 2537# get_admin_pw(): Get the admin passwd. 2538# 2539get_admin_pw() 2540{ 2541 get_passwd "Enter passwd for the administrator:" 2542 LDAP_ADMIN_CRED=$ANS 2543 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" 2544} 2545 2546# 2547# add_admin(): Add an admin entry for nameservice for updating shadow data. 2548# 2549add_admin() 2550{ 2551 [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()" 2552 2553 # Check if the admin user already exists. 2554 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}" 2555 if [ $? -eq 0 ]; then 2556 MSG="Administrator ${LDAP_ADMINDN} already exists." 2557 if [ $EXISTING_PROFILE -eq 1 ]; then 2558 ${ECHO} " NOT ADDED: $MSG" 2559 else 2560 ${ECHO} " ${STEP}. $MSG" 2561 STEP=`expr $STEP + 1` 2562 fi 2563 return 0 2564 fi 2565 2566 # Get cn and sn names from LDAP_ADMINDN. 2567 cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=` 2568 2569 # Create the tmp file to add. 2570 ( cat <<EOF 2571dn: ${LDAP_ADMINDN} 2572cn: ${cn_tmp} 2573sn: ${cn_tmp} 2574objectclass: top 2575objectclass: person 2576userpassword: ${LDAP_ADMIN_CRED} 2577EOF 2578) > ${TMPDIR}/admin 2579 2580 # Add the entry. 2581 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}" 2582 if [ $? -ne 0 ]; then 2583 ${ECHO} " ERROR: Adding administrator identity failed!" 2584 cleanup 2585 exit 1 2586 fi 2587 2588 ${RM} -f ${TMPDIR}/admin 2589 2590 # Display message that the administrator identity is added. 2591 MSG="Administrator identity ${LDAP_ADMINDN}" 2592 if [ $EXISTING_PROFILE -eq 1 ]; then 2593 ${ECHO} " ADDED: $MSG." 2594 else 2595 ${ECHO} " ${STEP}. $MSG added." 2596 STEP=`expr $STEP + 1` 2597 fi 2598} 2599 2600# 2601# allow_admin_read_write_shadow(): Give Admin read/write permission 2602# to shadow data. 2603# 2604allow_admin_read_write_shadow() 2605{ 2606 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()" 2607 2608 # Set ACI Name 2609 ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write" 2610 2611 # Search for ACI_NAME 2612 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \ 2613 -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1" 2614 2615 # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search" 2616 # and ${LDAP_ADMINDN} already exists, we are done 2617 ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \ 2618 ${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null 2619 if [ $? -eq 0 ]; then 2620 MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}." 2621 if [ $EXISTING_PROFILE -eq 1 ]; then 2622 ${ECHO} " NOT SET: $MSG" 2623 else 2624 ${ECHO} " ${STEP}. $MSG" 2625 STEP=`expr $STEP + 1` 2626 fi 2627 return 0 2628 fi 2629 2630 # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN} 2631 # already exists, delete it first. 2632 find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \ 2633 ${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME} 2634 2635 # Create the tmp file to add. 2636 ( cat <<EOF 2637dn: ${LDAP_BASEDN} 2638changetype: modify 2639add: aci 2640aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange 2641 ||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire 2642 ||shadowFlag||userPassword||loginShell||homeDirectory||gecos") 2643 (version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search) 2644 userdn = "ldap:///${LDAP_ADMINDN}";) 2645EOF 2646) > ${TMPDIR}/admin_write 2647 2648 # Add the entry. 2649 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}" 2650 if [ $? -ne 0 ]; then 2651 ${ECHO} " ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!" 2652 cleanup 2653 exit 1 2654 fi 2655 2656 ${RM} -f ${TMPDIR}/admin_write 2657 # Display message that the administrator ACL is set. 2658 MSG="Give ${LDAP_ADMINDN} read/write access to shadow data." 2659 if [ $EXISTING_PROFILE -eq 1 ]; then 2660 ${ECHO} " ACI SET: $MSG" 2661 else 2662 ${ECHO} " ${STEP}. $MSG" 2663 STEP=`expr $STEP + 1` 2664 fi 2665} 2666 2667# 2668# allow_host_read_write_shadow(): Give host principal read/write permission 2669# for shadow data. 2670# 2671allow_host_read_write_shadow() 2672{ 2673 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()" 2674 2675 # Set ACI Name 2676 HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write" 2677 2678 # Search for ACI_NAME 2679 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1" 2680 ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1 2681 if [ $? -eq 0 ]; then 2682 MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}." 2683 if [ $EXISTING_PROFILE -eq 1 ]; then 2684 ${ECHO} " NOT ADDED: $MSG" 2685 else 2686 ${ECHO} " ${STEP}. $MSG" 2687 STEP=`expr $STEP + 1` 2688 fi 2689 return 0 2690 fi 2691 2692 # Create the tmp file to add. 2693 ( cat <<EOF 2694dn: ${LDAP_BASEDN} 2695changetype: modify 2696add: aci 2697aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";) 2698EOF 2699) > ${TMPDIR}/host_read_write 2700 2701 # Add the entry. 2702 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}" 2703 if [ $? -ne 0 ]; then 2704 ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!" 2705 cleanup 2706 exit 1 2707 fi 2708 2709 ${RM} -f ${TMPDIR}/host_read_write 2710 MSG="Give host principal read/write permission for shadow." 2711 if [ $EXISTING_PROFILE -eq 1 ]; then 2712 ${ECHO} " ACI SET: $MSG" 2713 else 2714 ${ECHO} " ${STEP}. $MSG" 2715 STEP=`expr $STEP + 1` 2716 fi 2717} 2718 2719# 2720# Set up shadow update 2721# 2722setup_shadow_update() { 2723 [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()" 2724 2725 # get content of the profile 2726 PROFILE_OUT=${TMPDIR}/prof_tmpfile 2727 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1" 2728 ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1 2729 if [ $? -ne 0 ]; then 2730 [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist" 2731 ${RM} ${PROFILE_OUT} 2732 return 2733 fi 2734 2735 # Search to see if authenticationMethod has 'GSSAPI' and 2736 # credentialLevel has 'self'. If so, ask to use the 2737 # host principal for shadow update 2738 if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then 2739 if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1 2740 then 2741 if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1 2742 then 2743 NEED_HOSTACL=1 2744 fi 2745 fi 2746 ${RM} ${PROFILE_OUT} 2747 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" 2748 2749 if [ $NEED_HOSTACL -eq 1 ]; then 2750 MSG="Use host principal for shadow data update (y/n/h)?" 2751 get_confirm "$MSG" "y" "use_host_principal_help" 2752 if [ $? -eq 1 ]; then 2753 delete_proxy_read_pw 2754 allow_host_read_write_shadow 2755 deny_non_host_shadow_access 2756 ${ECHO} "" 2757 ${ECHO} " Shadow update has been enabled." 2758 else 2759 ${ECHO} "" 2760 ${ECHO} " Shadow update may not work." 2761 fi 2762 return 2763 fi 2764 fi 2765 2766 MSG="Add the administrator identity (y/n/h)?" 2767 get_confirm "$MSG" "y" "add_admin_cred_help" 2768 if [ $? -eq 1 ]; then 2769 get_adminDN 2770 get_admin_pw 2771 add_admin 2772 delete_proxy_read_pw 2773 allow_admin_read_write_shadow 2774 deny_non_admin_shadow_access 2775 ${ECHO} "" 2776 ${ECHO} " Shadow update has been enabled." 2777 return 2778 fi 2779 2780 ${ECHO} " No administrator identity specified, shadow update may not work." 2781} 2782 2783 2784# 2785# prompt_config_info(): This function prompts the user for the config 2786# info that is not specified in the input file. 2787# 2788prompt_config_info() 2789{ 2790 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()" 2791 2792 # Prompt for iDS server name. 2793 get_ids_server 2794 2795 # Prompt for iDS port number. 2796 get_ids_port 2797 2798 # Check iDS version for compatibility. 2799 chk_ids_version 2800 2801 # Check if the server supports the VLV. 2802 chk_vlv_indexes 2803 2804 # Get the Directory manager DN and passwd. 2805 get_dirmgr_dn 2806 get_dirmgr_pw 2807 2808 # 2809 # LDAP CLIENT PROFILE SPECIFIC INFORMATION. 2810 # (i.e. The fields that show up in the profile.) 2811 # 2812 get_domain "domain_help" 2813 2814 get_basedn 2815 2816 gssapi_setup 2817 2818 get_profile_name 2819 2820 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then 2821 setup_shadow_update 2822 cleanup 2823 exit 0 2824 fi 2825 2826 get_srv_list 2827 get_pref_srv 2828 get_search_scope 2829 2830 # If cred is "anonymous", make auth == "none" 2831 get_cred_level 2832 if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then 2833 get_auth 2834 fi 2835 2836 get_followref 2837 2838 # Query user about timelimt. 2839 get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help" 2840 NEED_TIME=$? 2841 [ $NEED_TIME -eq 1 ] && get_timelimit 2842 2843 # Query user about sizelimit. 2844 get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help" 2845 NEED_SIZE=$? 2846 [ $NEED_SIZE -eq 1 ] && get_sizelimit 2847 2848 # Does the user want to store passwords in crypt format? 2849 get_want_crypt 2850 2851 # Prompt for any Service Authentication Methods? 2852 get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help" 2853 if [ $? -eq 1 ]; then 2854 # Does the user want to set Service Authentication Method for pam_ldap? 2855 get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help" 2856 NEED_SRVAUTH_PAM=$? 2857 [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam 2858 2859 # Does the user want to set Service Authentication Method for keyserv? 2860 get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help" 2861 NEED_SRVAUTH_KEY=$? 2862 [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key 2863 2864 # Does the user want to set Service Authentication Method for passwd-cmd? 2865 get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help" 2866 NEED_SRVAUTH_CMD=$? 2867 [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd 2868 fi 2869 2870 2871 # Get Timeouts 2872 get_srch_time 2873 get_prof_ttl 2874 get_bind_limit 2875 2876 # Ask whether to enable shadow update 2877 get_want_shadow_update 2878 2879 # Reset the sdd_file and prompt user for SSD. Will use menus 2880 # to build an SSD File. 2881 reset_ssd_file 2882 prompt_ssd 2883 2884 # Display FULL debugging info. 2885 disp_full_debug 2886 2887 # Extra blank line to separate prompt lines from steps. 2888 ${ECHO} " " 2889} 2890 2891 2892###################################################################### 2893# FUNCTIONS FOR display_summary() START HERE. 2894###################################################################### 2895 2896 2897# 2898# get_proxyagent(): Get the proxyagent DN. 2899# 2900get_proxyagent() 2901{ 2902 LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default 2903 get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT" 2904 LDAP_PROXYAGENT=$ANS 2905} 2906 2907 2908# 2909# get_proxy_pw(): Get the proxyagent passwd. 2910# 2911get_proxy_pw() 2912{ 2913 get_passwd "Enter passwd for proxyagent:" 2914 LDAP_PROXYAGENT_CRED=$ANS 2915} 2916 2917# 2918# display_summary(): Display a summary of values entered and let the 2919# user modify values at will. 2920# 2921display_summary() 2922{ 2923 [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()" 2924 2925 # Create lookup table for function names. First entry is dummy for 2926 # shift. 2927 TBL1="dummy" 2928 TBL2="get_domain get_basedn get_profile_name" 2929 TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level" 2930 TBL4="get_auth get_followref" 2931 TBL5="get_timelimit get_sizelimit get_want_crypt" 2932 TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd" 2933 TBL7="get_srch_time get_prof_ttl get_bind_limit" 2934 TBL8="get_want_shadow_update" 2935 TBL9="prompt_ssd" 2936 FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9" 2937 2938 # Since menu prompt string is long, set here. 2939 _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)" 2940 2941 # Infinite loop. Test for 0, and break in loop. 2942 while : 2943 do 2944 # Display menu and get value in range. 2945 display_msg summary_menu 2946 get_menu_choice "${_MENU_PROMPT}" "0" "20" "0" 2947 _CH=$MN_CH 2948 2949 # Make sure where not exiting. 2950 if [ $_CH -eq 0 ]; then 2951 break # Break out of loop if 0 selected. 2952 fi 2953 2954 # Call appropriate function from function table. 2955 set $FUNC_TBL 2956 shift $_CH 2957 $1 # Call the appropriate function. 2958 done 2959 2960 # If cred level is still see if user wants a change? 2961 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1 2962 then 2963 if [ "$LDAP_AUTHMETHOD" != "none" ]; then 2964 NEED_PROXY=1 # I assume integer test is faster? 2965 get_proxyagent 2966 get_proxy_pw 2967 else 2968 ${ECHO} "WARNING: Since Authentication method is 'none'." 2969 ${ECHO} " Credential level will be set to 'anonymous'." 2970 LDAP_CRED_LEVEL="anonymous" 2971 fi 2972 fi 2973 2974 # If shadow update is enabled, set up administrator credential 2975 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then 2976 NEED_ADMIN=1 2977 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then 2978 if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then 2979 NEED_HOSTACL=1 2980 NEED_ADMIN=0 2981 fi 2982 fi 2983 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" 2984 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN" 2985 if [ $NEED_ADMIN -eq 1 ]; then 2986 get_adminDN 2987 get_admin_pw 2988 fi 2989 fi 2990 2991 # Display FULL debugging info. 2992 disp_full_debug 2993 2994 # Final confirmation message. (ARE YOU SURE!) 2995 ${ECHO} " " 2996 get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)" 2997 if [ $? -eq 0 ]; then 2998 ${ECHO} "Terminating setup without making changes at users request." 2999 cleanup 3000 exit 1 3001 fi 3002 3003 # Print newline 3004 ${ECHO} " " 3005} 3006 3007 3008# 3009# create_config_file(): Write config data to config file specified. 3010# 3011create_config_file() 3012{ 3013 [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()" 3014 3015 # If output file exists, delete it. 3016 [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE 3017 3018 # Create output file. 3019 cat > $OUTPUT_FILE <<EOF 3020#!/bin/sh 3021# $OUTPUT_FILE - This file contains configuration information for 3022# Native LDAP. Use the idsconfig tool to load it. 3023# 3024# WARNING: This file was generated by idsconfig, and is intended to 3025# be loaded by idsconfig as is. DO NOT EDIT THIS FILE! 3026# 3027IDS_SERVER="$IDS_SERVER" 3028IDS_PORT=$IDS_PORT 3029IDS_TIMELIMIT=$IDS_TIMELIMIT 3030IDS_SIZELIMIT=$IDS_SIZELIMIT 3031LDAP_ROOTDN="$LDAP_ROOTDN" 3032LDAP_ROOTPWD=$LDAP_ROOTPWD 3033LDAP_DOMAIN="$LDAP_DOMAIN" 3034LDAP_SUFFIX="$LDAP_SUFFIX" 3035LDAP_KRB_REALM="$LDAP_KRB_REALM" 3036LDAP_GSSAPI_PROFILE="$LDAP_GSSAPI_PROFILE" 3037 3038# Internal program variables that need to be set. 3039NEED_PROXY=$NEED_PROXY 3040NEED_TIME=$NEED_TIME 3041NEED_SIZE=$NEED_SIZE 3042NEED_CRYPT=$NEED_CRYPT 3043NEED_ADMIN=$NEED_ADMIN 3044NEED_HOSTACL=$NEED_HOSTACL 3045EXISTING_PROFILE=$EXISTING_PROFILE 3046 3047# LDAP PROFILE related defaults 3048LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME" 3049DEL_OLD_PROFILE=1 3050LDAP_BASEDN="$LDAP_BASEDN" 3051LDAP_SERVER_LIST="$LDAP_SERVER_LIST" 3052LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD" 3053LDAP_FOLLOWREF=$LDAP_FOLLOWREF 3054LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE" 3055NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM 3056NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY 3057NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD 3058LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM" 3059LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY" 3060LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD" 3061LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT 3062LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST" 3063LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL 3064LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL" 3065LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT 3066 3067# Proxy Agent 3068LDAP_PROXYAGENT="$LDAP_PROXYAGENT" 3069LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED 3070 3071# enableShadowUpdate flag and Administrator credential 3072LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE 3073LDAP_ADMINDN="$LDAP_ADMINDN" 3074LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED 3075 3076# Export all the variables (just in case) 3077export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN 3078export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 3079export NEED_PROXY 3080export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED 3081export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE 3082export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 3083export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 3084export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 3085export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 3086export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 3087export LDAP_SERV_SRCH_DES SSD_FILE LDAP_KRB_REALM LDAP_GSSAPI_PROFILE 3088 3089# Service Search Descriptors start here if present: 3090EOF 3091 # Add service search descriptors. 3092 ssd_2_config "${OUTPUT_FILE}" 3093 3094 # Add LDAP suffix preferences 3095 print_suffix_config >> "${OUTPUT_FILE}" 3096 3097 # Add the end of FILE tag. 3098 ${ECHO} "" >> ${OUTPUT_FILE} 3099 ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE} 3100} 3101 3102 3103# 3104# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV. 3105# 3106chk_vlv_indexes() 3107{ 3108 # Do ldapsearch to see if server supports VLV. 3109 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1 3110 eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}" 3111 if [ $? -ne 0 ]; then 3112 ${ECHO} "ERROR: VLV is not supported on LDAP server!" 3113 cleanup 3114 exit 1 3115 fi 3116 [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server." 3117} 3118 3119# 3120# get_backend(): this function gets the relevant backend 3121# (database) for LDAP_BASED. 3122# Description: set IDS_DATABASE; exit on failure. 3123# Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are 3124# valid. 3125# 3126# backend is retrieved from suffixes and subsuffixes 3127# defined under "cn=mapping tree,cn=config". The 3128# nsslapd-state attribute of these suffixes entries 3129# is filled with either Backend, Disabled or referrals 3130# related values. We only want those that have a true 3131# backend database to select the relevant backend. 3132# 3133get_backend() 3134{ 3135 [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()" 3136 3137 cur_suffix=${LDAP_BASEDN} 3138 prev_suffix= 3139 IDS_DATABASE= 3140 while [ "${cur_suffix}" != "${prev_suffix}" ] 3141 do 3142 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}" 3143 eval "${LDAPSEARCH} ${LDAP_ARGS} " \ 3144 "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \ 3145 "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \ 3146 "| ${GREP} 'nsslapd-backend=' " \ 3147 "> ${TMPDIR}/ids_database_name 2>&1" 3148 NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'` 3149 case ${NUM_DBS} in 3150 0) # not a suffix, or suffix not activated; try next 3151 prev_suffix=${cur_suffix} 3152 cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','` 3153 ;; 3154 1) # suffix found; get database name 3155 IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2` 3156 ;; 3157 *) # can not handle more than one database per suffix 3158 ${ECHO} "ERROR: More than one database is configured " 3159 ${ECHO} " for $LDAP_SUFFIX!" 3160 ${ECHO} " $PROG can not configure suffixes where " 3161 ${ECHO} " more than one database is used for one suffix." 3162 cleanup 3163 exit 1 3164 ;; 3165 esac 3166 if [ -n "${IDS_DATABASE}" ]; then 3167 break 3168 fi 3169 done 3170 3171 if [ -z "${IDS_DATABASE}" ]; then 3172 # should not happen, since LDAP_BASEDN is supposed to be valid 3173 ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}." 3174 ${ECHO} "Exiting." 3175 cleanup 3176 exit 1 3177 fi 3178 3179 [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}" 3180} 3181 3182# 3183# validate_suffix(): This function validates ${LDAP_SUFFIX} 3184# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 3185# 3186validate_suffix() 3187{ 3188 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()" 3189 3190 # Check LDAP_SUFFIX is not null 3191 if [ -z "${LDAP_SUFFIX}" ]; then 3192 ${ECHO} "Invalid suffix (null suffix)" 3193 cleanup 3194 exit 1 3195 fi 3196 3197 # Check LDAP_SUFFIX and LDAP_BASEDN are consistent 3198 # Convert to lower case for basename. 3199 format_string "${LDAP_BASEDN}" 3200 LOWER_BASEDN="${FMT_STR}" 3201 format_string "${LDAP_SUFFIX}" 3202 LOWER_SUFFIX="${FMT_STR}" 3203 3204 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 3205 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 3206 3207 if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then 3208 sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 3209 if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then 3210 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 3211 ${ECHO} "for Base DN ${LOWER_BASEDN}" 3212 cleanup 3213 exit 1 3214 fi 3215 fi 3216 3217 # Check LDAP_SUFFIX does exist 3218 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0 3219 3220 # Well, suffix does not exist, try to prepare create it ... 3221 NEED_CREATE_SUFFIX=1 3222 prep_create_sfx_entry || 3223 { 3224 cleanup 3225 exit 1 3226 } 3227 [ -n "${NEED_CREATE_BACKEND}" ] && 3228 { 3229 # try to use id attr value of the suffix as a database name 3230 IDS_DATABASE=${_VAL} 3231 prep_create_sfx_backend 3232 case $? in 3233 1) # cann't use the name we want, so we can either exit or use 3234 # some another available name - doing the last ... 3235 IDS_DATABASE=${IDS_DATABASE_AVAIL} 3236 ;; 3237 2) # unable to determine database name 3238 cleanup 3239 exit 1 3240 ;; 3241 esac 3242 } 3243 3244 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE" 3245} 3246 3247# 3248# validate_info(): This function validates the basic info collected 3249# So that some problems are caught right away. 3250# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 3251# 3252validate_info() 3253{ 3254 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()" 3255 3256 # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file. 3257 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 3258 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 3259 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 3260 export SERVER_ARGS 3261 3262 # Check the Root DN and Root DN passwd. 3263 # Use eval instead of $EVAL because not part of setup. (validate) 3264 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 3265 if [ $? -ne 0 ]; then 3266 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 3267 if [ $? -eq 0 ]; then 3268 ${ECHO} "ERROR: Root DN passwd is invalid." 3269 else 3270 ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>." 3271 fi 3272 cleanup 3273 exit 1 3274 fi 3275 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK" 3276 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK" 3277 3278 # Check if the server supports the VLV. 3279 chk_vlv_indexes 3280 [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK" 3281 3282 # Check LDAP suffix 3283 validate_suffix 3284 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK" 3285} 3286 3287# 3288# format_string(): take a string as argument and set FMT_STR 3289# to be the same string formatted as follow: 3290# - only lower case characters 3291# - no unnecessary spaces around , and = 3292# 3293format_string() 3294{ 3295 FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' | 3296 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'` 3297} 3298 3299# 3300# prepare for the suffix entry creation 3301# 3302# input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix; 3303# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config. 3304# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created; 3305# _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value. 3306# return : 0 - success, otherwise error. 3307# 3308prep_create_sfx_entry() 3309{ 3310 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()" 3311 3312 # check whether suffix corresponds to base dn 3313 format_string "${LDAP_BASEDN}" 3314 ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 || 3315 { 3316 display_msg sfx_not_suitable 3317 return 1 3318 } 3319 3320 # parse LDAP_SUFFIX 3321 _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1` 3322 _ATT=`${ECHO} "${_RDN}" | cut -d= -f1` 3323 _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-` 3324 3325 # find out an objectclass for suffix entry if it is not defined yet 3326 [ -z "${LDAP_SUFFIX_OBJ}" ] && 3327 { 3328 get_objectclass ${_ATT} 3329 [ -z "${_ATTR_NAME}" ] && 3330 { 3331 display_msg obj_not_found 3332 return 1 3333 } 3334 LDAP_SUFFIX_OBJ=${_ATTR_NAME} 3335 } 3336 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}" 3337 3338 # find out an aci for suffix entry if it is not defined yet 3339 [ -z "${LDAP_SUFFIX_ACI}" ] && 3340 { 3341 # set Directory Server default aci 3342 LDAP_SUFFIX_ACI=`cat <<EOF 3343aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime 3344 || passwordExpWarned || passwordRetryCount || retryCountResetTime || 3345 accountUnlockTime || passwordAllowChangeTime") 3346 ( 3347 version 3.0; 3348 acl "Anonymous access"; 3349 allow (read, search, compare) userdn = "ldap:///anyone"; 3350 ) 3351aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || 3352 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 3353 passwordExpirationTime || passwordExpWarned || passwordRetryCount || 3354 retryCountResetTime || accountUnlockTime || passwordHistory || 3355 passwordAllowChangeTime") 3356 ( 3357 version 3.0; 3358 acl "Allow self entry modification except for some attributes"; 3359 allow (write) userdn = "ldap:///self"; 3360 ) 3361aci: (targetattr = "*") 3362 ( 3363 version 3.0; 3364 acl "Configuration Administrator"; 3365 allow (all) userdn = "ldap:///uid=admin,ou=Administrators, 3366 ou=TopologyManagement,o=NetscapeRoot"; 3367 ) 3368aci: (targetattr ="*") 3369 ( 3370 version 3.0; 3371 acl "Configuration Administrators Group"; 3372 allow (all) groupdn = "ldap:///cn=Configuration Administrators, 3373 ou=Groups,ou=TopologyManagement,o=NetscapeRoot"; 3374 ) 3375EOF 3376` 3377 } 3378 [ $DEBUG -eq 1 ] && cat <<EOF 3379DEBUG: ACI for ${LDAP_SUFFIX} is 3380${LDAP_SUFFIX_ACI} 3381EOF 3382 3383 NEED_CREATE_BACKEND= 3384 3385 # check the suffix mapping tree ... 3386 # if mapping exists, suffix should work, otherwise DS inconsistent 3387 # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work 3388 # in case of 'cn' value in LDAP is not quoted by '"', 3389 # -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases 3390 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3391 -b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \ 3392 -s base 'objectclass=*' dn ${VERB}" && 3393 { 3394 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists" 3395 # get_backend() either gets IDS_DATABASE or exits 3396 get_backend 3397 return 0 3398 } 3399 3400 # no suffix mapping, just in case check ldbm backends consistency - 3401 # there are must be NO any databases pointing to LDAP_SUFFIX 3402 [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \ 3403 -b 'cn=ldbm database,cn=plugins,cn=config' \ 3404 -s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] && 3405 { 3406 display_msg sfx_config_incons 3407 return 1 3408 } 3409 3410 # ok, no suffix mapping, no ldbm database 3411 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..." 3412 NEED_CREATE_BACKEND=1 3413 return 0 3414} 3415 3416# 3417# prepare for the suffix backend creation 3418# 3419# input : IDS_DATABASE - requested ldbm db name (must be not null) 3420# in/out : IDS_DATABASE_AVAIL - available ldbm db name 3421# return : 0 - ldbm db name ok 3422# 1 - IDS_DATABASE exists, 3423# so IDS_DATABASE_AVAIL contains available name 3424# 2 - unable to find any available name 3425# 3426prep_create_sfx_backend() 3427{ 3428 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()" 3429 3430 # check if requested name available 3431 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 3432 3433 # get the list of database names start with a requested name 3434 _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3435 -b 'cn=ldbm database,cn=plugins,cn=config' \ 3436 -s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null 3437 3438 # find available db name based on a requested name 3439 _i=""; _i_MAX=10 3440 while [ ${_i:-0} -lt ${_i_MAX} ] 3441 do 3442 _name="${IDS_DATABASE}${_i}" 3443 ${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 || 3444 { 3445 IDS_DATABASE_AVAIL="${_name}" 3446 break 3447 } 3448 _i=`expr ${_i:-0} + 1` 3449 done 3450 3451 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 3452 3453 [ -n "${IDS_DATABASE_AVAIL}" ] && 3454 { 3455 display_msg ldbm_db_exist 3456 return 1 3457 } 3458 3459 display_msg unable_find_db_name 3460 return 2 3461} 3462 3463# 3464# add suffix if needed, 3465# suffix entry and backend MUST be prepared by 3466# prep_create_sfx_entry and prep_create_sfx_backend correspondingly 3467# 3468# input : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL 3469# LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE 3470# return : 0 - suffix successfully created, otherwise error occured 3471# 3472add_suffix() 3473{ 3474 [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()" 3475 3476 [ -n "${NEED_CREATE_SUFFIX}" ] || return 0 3477 3478 [ -n "${NEED_CREATE_BACKEND}" ] && 3479 { 3480 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 3481dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config 3482objectclass: top 3483objectclass: extensibleObject 3484objectclass: nsMappingTree 3485cn: ${LDAP_SUFFIX} 3486nsslapd-state: backend 3487nsslapd-backend: ${IDS_DATABASE} 3488 3489dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config 3490objectclass: top 3491objectclass: extensibleObject 3492objectclass: nsBackendInstance 3493cn: ${IDS_DATABASE} 3494nsslapd-suffix: ${LDAP_SUFFIX} 3495EOF 3496 [ $? -ne 0 ] && 3497 { 3498 display_msg create_ldbm_db_error 3499 return 1 3500 } 3501 3502 ${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created" 3503 STEP=`expr $STEP + 1` 3504 } 3505 3506 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 3507dn: ${LDAP_SUFFIX} 3508objectclass: ${LDAP_SUFFIX_OBJ} 3509${_ATT}: ${_VAL} 3510${LDAP_SUFFIX_ACI} 3511EOF 3512 [ $? -ne 0 ] && 3513 { 3514 display_msg create_suffix_entry_error 3515 return 1 3516 } 3517 3518 ${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created" 3519 STEP=`expr $STEP + 1` 3520 return 0 3521} 3522 3523# 3524# interactively get suffix and related info from a user 3525# 3526# input : LDAP_BASEDN - Base DN 3527# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value; 3528# LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci; 3529# NEED_CREATE_BACKEND - tells whether backend needs to be created; 3530# IDS_DATABASE - prepared ldbm db name 3531# return : 0 - user gave a correct suffix 3532# 1 - suffix given by user cann't be created 3533# 3534get_suffix() 3535{ 3536 [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()" 3537 3538 while : 3539 do 3540 get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN} 3541 case "${ANS}" in 3542 [Hh] | Help | help | \? ) display_msg create_suffix_help ;; 3543 [Bb] | Back | back | \< ) return 1 ;; 3544 * ) 3545 format_string "${ANS}" 3546 LDAP_SUFFIX=${FMT_STR} 3547 prep_create_sfx_entry || continue 3548 3549 [ -n "${NEED_CREATE_BACKEND}" ] && 3550 { 3551 IDS_DATABASE_AVAIL= # reset the available db name 3552 3553 reenter_suffix= 3554 while : 3555 do 3556 get_ans "Enter ldbm database name (b=back/h=help):" \ 3557 ${IDS_DATABASE_AVAIL:-${_VAL}} 3558 case "${ANS}" in 3559 [Hh] | \? ) display_msg enter_ldbm_db_help ;; 3560 [Bb] | \< ) reenter_suffix=1; break ;; 3561 * ) 3562 IDS_DATABASE="${ANS}" 3563 prep_create_sfx_backend && break 3564 esac 3565 done 3566 [ -n "${reenter_suffix}" ] && continue 3567 3568 [ $DEBUG -eq 1 ] && cat <<EOF 3569DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE} 3570EOF 3571 } 3572 3573 # eventually everything is prepared 3574 return 0 3575 ;; 3576 esac 3577 done 3578} 3579 3580# 3581# print out a script which sets LDAP suffix related preferences 3582# 3583print_suffix_config() 3584{ 3585 cat <<EOF2 3586# LDAP suffix related preferences used only if needed 3587IDS_DATABASE="${IDS_DATABASE}" 3588LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ" 3589LDAP_SUFFIX_ACI=\`cat <<EOF 3590${LDAP_SUFFIX_ACI} 3591EOF 3592\` 3593export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI 3594EOF2 3595} 3596 3597# 3598# check_basedn_suffix(): check that there is an existing 3599# valid suffix to hold current base DN 3600# return: 3601# 0: valid suffix found or new one should be created, 3602# NEED_CREATE_SUFFIX flag actually indicates that 3603# 1: some error occures 3604# 3605check_basedn_suffix() 3606{ 3607 [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()" 3608 3609 NEED_CREATE_SUFFIX= 3610 3611 # find out existing suffixes 3612 discover_serv_suffix 3613 3614 ${ECHO} " Validating LDAP Base DN and Suffix ..." 3615 3616 # check that LDAP Base DN might be added 3617 cur_ldap_entry=${LDAP_BASEDN} 3618 prev_ldap_entry= 3619 while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ] 3620 do 3621 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}" 3622 ${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \ 3623 -s one "objectclass=*" > /dev/null 2>&1 3624 if [ $? -eq 0 ]; then 3625 break 3626 else 3627 prev_ldap_entry=${cur_ldap_entry} 3628 cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','` 3629 fi 3630 done 3631 3632 if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then 3633 ${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}" 3634 3635 NEED_CREATE_SUFFIX=1 3636 return 0 3637 3638 else 3639 [ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}" 3640 3641 # Now looking for relevant suffix for this entry. 3642 # LDAP_SUFFIX will then be used to add necessary 3643 # base objects. See add_base_objects(). 3644 format_string "${cur_ldap_entry}" 3645 lower_entry="${FMT_STR}" 3646 [ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}" 3647 oIFS=$IFS 3648 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line" 3649 IFS=' 3650' 3651 for suff in ${LDAP_SUFFIX_LIST} 3652 do 3653 [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}" 3654 format_string "${suff}" 3655 lower_suff="${FMT_STR}" 3656 if [ "${lower_entry}" = "${lower_suff}" ]; then 3657 LDAP_SUFFIX="${suff}" 3658 break 3659 else 3660 dcstmp=`basename "${lower_entry}" "${lower_suff}"` 3661 if [ "${dcstmp}" = "${lower_entry}" ]; then 3662 # invalid suffix, try next one 3663 continue 3664 else 3665 # valid suffix found 3666 LDAP_SUFFIX="${suff}" 3667 break 3668 fi 3669 fi 3670 done 3671 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value" 3672 IFS=$oIFS 3673 3674 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}" 3675 3676 if [ -z "${LDAP_SUFFIX}" ]; then 3677 # should not happen, since we found the entry 3678 ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}." 3679 ${ECHO} "Exiting." 3680 return 1 3681 fi 3682 3683 # Getting relevant database (backend) 3684 # IDS_DATABASE will then be used to create indexes. 3685 get_backend 3686 3687 return 0 3688 fi 3689} 3690 3691# 3692# discover_serv_suffix(): This function queries the server to find 3693# suffixes available 3694# return: 0: OK, suffix found 3695# 1: suffix not determined 3696discover_serv_suffix() 3697{ 3698 [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()" 3699 3700 # Search the server for the TOP of the TREE. 3701 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1 3702 ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \ 3703 ${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP 3704 NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'` 3705 case $NUM_TOP in 3706 0) 3707 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree" 3708 return 1 3709 ;; 3710 *) # build the list of suffixes; take out 'namingContexts=' in 3711 # each line of ${TMPDIR}/treeTOP 3712 LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP | 3713 awk '{ printf("%s\n",substr($0,16,length-15)) }'` 3714 ;; 3715 esac 3716 3717 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST" 3718 return 0 3719} 3720 3721 3722# 3723# modify_cn(): Change the cn from MUST to MAY in ipNetwork. 3724# 3725modify_cn() 3726{ 3727 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()" 3728 3729 ( cat <<EOF 3730dn: cn=schema 3731changetype: modify 3732add: objectclasses 3733objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' ) 3734EOF 3735) > ${TMPDIR}/ipNetwork_cn 3736 3737 # Modify the cn for ipNetwork. 3738 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}" 3739 if [ $? -ne 0 ]; then 3740 ${ECHO} " ERROR: update of cn for ipNetwork failed!" 3741 cleanup 3742 exit 1 3743 fi 3744} 3745 3746 3747# modify_timelimit(): Modify timelimit to user value. 3748modify_timelimit() 3749{ 3750 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()" 3751 3752 # Here doc to modify timelimit. 3753 ( cat <<EOF 3754dn: cn=config 3755changetype: modify 3756replace: nsslapd-timelimit 3757nsslapd-timelimit: ${IDS_TIMELIMIT} 3758EOF 3759) > ${TMPDIR}/ids_timelimit 3760 3761 # Add the entry. 3762 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}" 3763 if [ $? -ne 0 ]; then 3764 ${ECHO} " ERROR: update of nsslapd-timelimit failed!" 3765 cleanup 3766 exit 1 3767 fi 3768 3769 # Display messages for modifications made in patch. 3770 ${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config." 3771 STEP=`expr $STEP + 1` 3772} 3773 3774 3775# modify_sizelimit(): Modify sizelimit to user value. 3776modify_sizelimit() 3777{ 3778 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()" 3779 3780 # Here doc to modify sizelimit. 3781 ( cat <<EOF 3782dn: cn=config 3783changetype: modify 3784replace: nsslapd-sizelimit 3785nsslapd-sizelimit: ${IDS_SIZELIMIT} 3786EOF 3787) > ${TMPDIR}/ids_sizelimit 3788 3789 # Add the entry. 3790 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}" 3791 if [ $? -ne 0 ]; then 3792 ${ECHO} " ERROR: update of nsslapd-sizelimit failed!" 3793 cleanup 3794 exit 1 3795 fi 3796 3797 # Display messages for modifications made in patch. 3798 ${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config." 3799 STEP=`expr $STEP + 1` 3800} 3801 3802 3803# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT. 3804modify_pwd_crypt() 3805{ 3806 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()" 3807 3808 # Here doc to modify passwordstoragescheme. 3809 # IDS 5.2 moved passwordchangesceme off to a new data structure. 3810 if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then 3811 ( cat <<EOF 3812dn: cn=config 3813changetype: modify 3814replace: passwordstoragescheme 3815passwordstoragescheme: crypt 3816EOF 3817 ) > ${TMPDIR}/ids_crypt 3818 else 3819 ( cat <<EOF 3820dn: cn=Password Policy,cn=config 3821changetype: modify 3822replace: passwordstoragescheme 3823passwordstoragescheme: crypt 3824EOF 3825 ) > ${TMPDIR}/ids_crypt 3826 fi 3827 3828 # Add the entry. 3829 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}" 3830 if [ $? -ne 0 ]; then 3831 ${ECHO} " ERROR: update of passwordstoragescheme failed!" 3832 cleanup 3833 exit 1 3834 fi 3835 3836 # Display messages for modifications made in patch. 3837 ${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config." 3838 STEP=`expr $STEP + 1` 3839} 3840 3841 3842# 3843# add_eq_indexes(): Add indexes to improve search performance. 3844# 3845add_eq_indexes() 3846{ 3847 [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()" 3848 3849 # Set eq indexes to add. 3850 _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey" 3851 3852 if [ -z "${IDS_DATABASE}" ]; then 3853 get_backend 3854 fi 3855 3856 # Set _EXT to use as shortcut. 3857 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3858 3859 # Display message to id current step. 3860 ${ECHO} " ${STEP}. Processing eq,pres indexes:" 3861 STEP=`expr $STEP + 1` 3862 3863 # For loop to create indexes. 3864 for i in ${_INDEXES}; do 3865 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3866 3867 # Check if entry exists first, if so, skip to next. 3868 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \ 3869 \"objectclass=*\" > /dev/null 2>&1" 3870 if [ $? -eq 0 ]; then 3871 # Display index skipped. 3872 ${ECHO} " ${i} (eq,pres) skipped already exists" 3873 continue 3874 fi 3875 3876 # Here doc to create LDIF. 3877 ( cat <<EOF 3878dn: cn=${i},${_EXT} 3879objectClass: top 3880objectClass: nsIndex 3881cn: ${i} 3882nsSystemIndex: false 3883nsIndexType: pres 3884nsIndexType: eq 3885EOF 3886) > ${TMPDIR}/index_${i} 3887 3888 # Add the index. 3889 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3890 if [ $? -ne 0 ]; then 3891 ${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!" 3892 cleanup 3893 exit 1 3894 fi 3895 3896 # Build date for task name. 3897 _YR=`date '+%y'` 3898 _MN=`date '+%m'` 3899 _DY=`date '+%d'` 3900 _H=`date '+%H'` 3901 _M=`date '+%M'` 3902 _S=`date '+%S'` 3903 3904 # Build task name 3905 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3906 3907 # Build the task entry to add. 3908 ( cat <<EOF 3909dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3910changetype: add 3911objectclass: top 3912objectclass: extensibleObject 3913cn: ${TASKNAME} 3914nsInstance: ${IDS_DATABASE} 3915nsIndexAttribute: ${i} 3916EOF 3917) > ${TMPDIR}/task_${i} 3918 3919 # Add the task. 3920 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3921 if [ $? -ne 0 ]; then 3922 ${ECHO} " ERROR: Adding task for ${i} failed!" 3923 cleanup 3924 exit 1 3925 fi 3926 3927 # Wait for task to finish, display current status. 3928 while : 3929 do 3930 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3931 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 3932 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 3933 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 3934 if [ $? -ne 0 ]; then 3935 break 3936 fi 3937 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 3938 head -1 | cut -d: -f2` 3939 ${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c" 3940 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3941 if [ $? -eq 0 ]; then 3942 break 3943 fi 3944 sleep 2 3945 done 3946 3947 # Print newline because of \c. 3948 ${ECHO} " " 3949 done 3950} 3951 3952 3953# 3954# add_sub_indexes(): Add indexes to improve search performance. 3955# 3956add_sub_indexes() 3957{ 3958 [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()" 3959 3960 # Set eq indexes to add. 3961 _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple" 3962 3963 # Set _EXT to use as shortcut. 3964 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3965 3966 3967 # Display message to id current step. 3968 ${ECHO} " ${STEP}. Processing eq,pres,sub indexes:" 3969 STEP=`expr $STEP + 1` 3970 3971 # For loop to create indexes. 3972 for i in ${_INDEXES}; do 3973 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3974 3975 # Check if entry exists first, if so, skip to next. 3976 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \ 3977 -s base \"objectclass=*\" > /dev/null 2>&1" 3978 if [ $? -eq 0 ]; then 3979 # Display index skipped. 3980 ${ECHO} " ${i} (eq,pres,sub) skipped already exists" 3981 continue 3982 fi 3983 3984 # Here doc to create LDIF. 3985 ( cat <<EOF 3986dn: cn=${i},${_EXT} 3987objectClass: top 3988objectClass: nsIndex 3989cn: ${i} 3990nsSystemIndex: false 3991nsIndexType: pres 3992nsIndexType: eq 3993nsIndexType: sub 3994EOF 3995) > ${TMPDIR}/index_${i} 3996 3997 # Add the index. 3998 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3999 if [ $? -ne 0 ]; then 4000 ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!" 4001 cleanup 4002 exit 1 4003 fi 4004 4005 # Build date for task name. 4006 _YR=`date '+%y'` 4007 _MN=`date '+%m'` 4008 _DY=`date '+%d'` 4009 _H=`date '+%H'` 4010 _M=`date '+%M'` 4011 _S=`date '+%S'` 4012 4013 # Build task name 4014 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 4015 4016 # Build the task entry to add. 4017 ( cat <<EOF 4018dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 4019changetype: add 4020objectclass: top 4021objectclass: extensibleObject 4022cn: ${TASKNAME} 4023nsInstance: ${IDS_DATABASE} 4024nsIndexAttribute: ${i} 4025EOF 4026) > ${TMPDIR}/task_${i} 4027 4028 # Add the task. 4029 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 4030 if [ $? -ne 0 ]; then 4031 ${ECHO} " ERROR: Adding task for ${i} failed!" 4032 cleanup 4033 exit 1 4034 fi 4035 4036 # Wait for task to finish, display current status. 4037 while : 4038 do 4039 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 4040 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 4041 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 4042 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 4043 if [ $? -ne 0 ]; then 4044 break 4045 fi 4046 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 4047 head -1 | cut -d: -f2` 4048 ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c" 4049 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 4050 if [ $? -eq 0 ]; then 4051 break 4052 fi 4053 sleep 2 4054 done 4055 4056 # Print newline because of \c. 4057 ${ECHO} " " 4058 done 4059} 4060 4061 4062# 4063# add_vlv_indexes(): Add VLV indexes to improve search performance. 4064# 4065add_vlv_indexes() 4066{ 4067 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()" 4068 4069 # Set eq indexes to add. 4070 # Note semi colon separators because some filters contain colons 4071 _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup" 4072 _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost" 4073 _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork" 4074 _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount" 4075 _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc" 4076 _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount" 4077 4078 # Indexes added during NIS to LDAP transition 4079 _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount" 4080 _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr" 4081 _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser" 4082 _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr" 4083 _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)" 4084 _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)" 4085 _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup" 4086 _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)" 4087 _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)" 4088 _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup" 4089 _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)" 4090 _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)" 4091 _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService" 4092 _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)" 4093 _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)" 4094 4095 _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 " 4096 4097 4098 # Set _EXT to use as shortcut. 4099 _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 4100 4101 4102 # Display message to id current step. 4103 ${ECHO} " ${STEP}. Processing VLV indexes:" 4104 STEP=`expr $STEP + 1` 4105 4106 # Reset temp file for vlvindex commands. 4107 [ -f ${TMPDIR}/ds5_vlvindex_list ] && rm ${TMPDIR}/ds5_vlvindex_list 4108 touch ${TMPDIR}/ds5_vlvindex_list 4109 [ -f ${TMPDIR}/ds6_vlvindex_list ] && rm ${TMPDIR}/ds6_vlvindex_list 4110 touch ${TMPDIR}/ds6_vlvindex_list 4111 4112 # Get the instance name from iDS server. 4113 _INSTANCE="<server-instance>" # Default to old output. 4114 4115 eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1" 4116 4117 ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right? 4118 if [ $? -eq 0 ]; then # If success, grab name after "slapd-". 4119 _INST_DIR=`cat ${TMPDIR}/instance_name` 4120 _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-` 4121 fi 4122 4123 # For loop to create indexes. 4124 for p in ${_INDEXES}; do 4125 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 4126 4127 # Break p (pair) into i and j parts. 4128 i=`${ECHO} $p | cut -d';' -f1` 4129 j=`${ECHO} $p | cut -d';' -f2` 4130 k=`${ECHO} $p | cut -d';' -f3` 4131 m=`${ECHO} $p | cut -d';' -f4` 4132 4133 # Set _jEXT to use as shortcut. 4134 _jEXT="cn=${j},${_EXT}" 4135 4136 # Check if entry exists first, if so, skip to next. 4137 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1 4138 if [ $? -eq 0 ]; then 4139 # Display index skipped. 4140 ${ECHO} " ${i} vlv_index skipped already exists" 4141 continue 4142 fi 4143 4144 # Compute the VLV Scope from the LDAP_SEARCH_SCOPE. 4145 # NOTE: A value of "base (0)" does not make sense. 4146 case "$LDAP_SEARCH_SCOPE" in 4147 sub) VLV_SCOPE="2" ;; 4148 *) VLV_SCOPE="1" ;; 4149 esac 4150 4151 # Here doc to create LDIF. 4152 ( cat <<EOF 4153dn: ${_jEXT} 4154objectClass: top 4155objectClass: vlvSearch 4156cn: ${j} 4157vlvbase: ${k},${LDAP_BASEDN} 4158vlvscope: ${VLV_SCOPE} 4159vlvfilter: (${m}) 4160aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";) 4161 4162dn: cn=${i},${_jEXT} 4163cn: ${i} 4164vlvSort: cn uid 4165objectclass: top 4166objectclass: vlvIndex 4167EOF 4168) > ${TMPDIR}/vlv_index_${i} 4169 4170 # Add the index. 4171 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}" 4172 if [ $? -ne 0 ]; then 4173 ${ECHO} " ERROR: Adding VLV index for ${i} failed!" 4174 cleanup 4175 exit 1 4176 fi 4177 4178 # Print message that index was created. 4179 ${ECHO} " ${i} vlv_index Entry created" 4180 4181 # Add command to list of vlvindex commands to run. 4182 ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list 4183 ${ECHO} " <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list 4184 done 4185} 4186 4187 4188# 4189# display_vlv_cmds(): Display VLV index commands to run on server. 4190# 4191display_vlv_cmds() 4192{ 4193 if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \ 4194 -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4195 display_msg display_vlv_list 4196 fi 4197 4198 if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then 4199 cat ${TMPDIR}/ds5_vlvindex_list 4200 fi 4201 4202 cat << EOF 4203 4204 4205EOF 4206 4207 if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4208 cat ${TMPDIR}/ds6_vlvindex_list 4209 fi 4210} 4211 4212 4213# 4214# update_schema_attr(): Update Schema to support Naming. 4215# 4216update_schema_attr() 4217{ 4218 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" 4219 4220 ( cat <<EOF 4221dn: cn=schema 4222changetype: modify 4223add: attributetypes 4224attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4225attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4226attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4227attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4228attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4229attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4230attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4231attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4232attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4233attributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4234attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4235attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4236attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4237attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4238attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4239attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4240attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4241attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4242attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4243attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4244attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4245attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4246attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4247attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4248attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4249attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4250attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4251attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4252attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4253attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4254attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4255attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4256attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4257attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4258attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4259attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4260attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4261attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4262attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4263attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4264attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4265attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4266attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4267attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4268attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4269attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4270attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4271attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4272attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4273attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4274attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4275attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4276attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4277attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4278attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4279attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4280attributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4281attributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4282attributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4283attributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4284attributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4285attributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4286attributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4287attributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4288attributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4289attributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 4290attributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE ) 4291attributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 4292attributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 4293attributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4294attributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 4295attributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4296attributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4297attributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4298attributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4299attributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 4300attributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4301attributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4302attributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4303attributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4304attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4305attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4306attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4307attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4308attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4309attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4310attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4311attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4312attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4313attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4314attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4315attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4316attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4317attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4318attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4319EOF 4320) > ${TMPDIR}/schema_attr 4321 4322 # Add the entry. 4323 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}" 4324 if [ $? -ne 0 ]; then 4325 ${ECHO} " ERROR: update of schema attributes failed!" 4326 cleanup 4327 exit 1 4328 fi 4329 4330 # Display message that schema is updated. 4331 ${ECHO} " ${STEP}. Schema attributes have been updated." 4332 STEP=`expr $STEP + 1` 4333} 4334 4335 4336# 4337# update_schema_obj(): Update the schema objectclass definitions. 4338# 4339update_schema_obj() 4340{ 4341 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()" 4342 4343 # Add the objectclass definitions. 4344 ( cat <<EOF 4345dn: cn=schema 4346changetype: modify 4347add: objectclasses 4348objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) ) 4349 4350dn: cn=schema 4351changetype: modify 4352add: objectclasses 4353objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain ) 4354 4355dn: cn=schema 4356changetype: modify 4357add: objectclasses 4358objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description ) 4359 4360dn: cn=schema 4361changetype: modify 4362add: objectclasses 4363objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description ) 4364 4365dn: cn=schema 4366changetype: modify 4367add: objectclasses 4368objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) ) 4369 4370dn: cn=schema 4371changetype: modify 4372add: objectclasses 4373objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) ) 4374 4375dn: cn=schema 4376changetype: modify 4377add: objectclasses 4378objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember ) 4379 4380dn: cn=schema 4381changetype: modify 4382add: objectclasses 4383objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) ) 4384 4385dn: cn=schema 4386changetype: modify 4387add: objectclasses 4388objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) ) 4389 4390dn: cn=schema 4391changetype: modify 4392add: objectclasses 4393objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) ) 4394 4395dn: cn=schema 4396changetype: modify 4397add: objectclasses 4398objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) 4399 4400dn: cn=schema 4401changetype: modify 4402add: objectclasses 4403objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) 4404 4405dn: cn=schema 4406changetype: modify 4407add: objectclasses 4408objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) ) 4409 4410dn: cn=schema 4411changetype: modify 4412add: objectclasses 4413objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) ) 4414 4415dn: cn=schema 4416changetype: modify 4417add: objectclasses 4418objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) ) 4419 4420dn: cn=schema 4421changetype: modify 4422add: objectclasses 4423objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass ) 4424 4425dn: cn=schema 4426changetype: modify 4427add: objectclasses 4428objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY ) 4429 4430dn: cn=schema 4431changetype: modify 4432add: objectclasses 4433objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) ) 4434 4435dn: cn=schema 4436changetype: modify 4437add: objectclasses 4438objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) ) 4439 4440dn: cn=schema 4441changetype: modify 4442add: objectclasses 4443objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) ) 4444 4445dn: cn=schema 4446changetype: modify 4447add: objectclasses 4448objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) ) 4449 4450dn: cn=schema 4451changetype: modify 4452add: objectclasses 4453objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases ) 4454 4455dn: cn=schema 4456changetype: modify 4457add: objectclasses 4458objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) ) 4459 4460dn: cn=schema 4461changetype: modify 4462add: objectclasses 4463objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) ) 4464 4465dn: cn=schema 4466changetype: modify 4467add: objectclasses 4468objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue ) 4469 4470dn: cn=schema 4471changetype: modify 4472add: objectclasses 4473objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber ) 4474EOF 4475) > ${TMPDIR}/schema_obj 4476 4477 # Add the entry. 4478 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}" 4479 if [ $? -ne 0 ]; then 4480 ${ECHO} " ERROR: update of schema objectclass definitions failed!" 4481 cleanup 4482 exit 1 4483 fi 4484 4485 # Display message that schema is updated. 4486 ${ECHO} " ${STEP}. Schema objectclass definitions have been added." 4487 STEP=`expr $STEP + 1` 4488} 4489 4490# 4491# modify_top_aci(): Modify the ACI for the top entry to disable self modify 4492# of user attributes. 4493# 4494modify_top_aci() 4495{ 4496 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()" 4497 4498 # Set ACI Name 4499 ACI_NAME="LDAP_Naming_Services_deny_write_access" 4500 4501 # Search for ACI_NAME 4502 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1" 4503 if [ $? -ne 0 ]; then 4504 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4505 cat ${TMPDIR}/chk_top_aci 4506 cleanup 4507 exit 1 4508 fi 4509 ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1 4510 if [ $? -eq 0 ]; then 4511 ${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}." 4512 STEP=`expr $STEP + 1` 4513 return 0 4514 fi 4515 4516 # Crate LDIF for top level ACI. 4517 ( cat <<EOF 4518dn: ${LDAP_BASEDN} 4519changetype: modify 4520add: aci 4521aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAuditAlways||SolarisAuditNever||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";) 4522- 4523EOF 4524) > ${TMPDIR}/top_aci 4525 4526 # Add the entry. 4527 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}" 4528 if [ $? -ne 0 ]; then 4529 ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)" 4530 cleanup 4531 exit 1 4532 fi 4533 4534 # Display message that ACI is updated. 4535 MSG="ACI for ${LDAP_BASEDN} modified to disable self modify." 4536 if [ $EXISTING_PROFILE -eq 1 ];then 4537 ${ECHO} " ACI SET: $MSG" 4538 else 4539 ${ECHO} " ${STEP}. $MSG" 4540 STEP=`expr $STEP + 1` 4541 fi 4542} 4543 4544# 4545# find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1. 4546# Delete the ACI and print a message using $3 as the ACI name. $3 is needed 4547# because it could have a different value than that of $1. 4548find_and_delete_ACI() 4549{ 4550 [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI" 4551 4552 # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN} 4553 ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1 4554 if [ -s ${TMPDIR}/grep_find_delete_aci ]; then 4555 aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci` 4556 4557 # Create the tmp file to delete the ACI. 4558 ( cat <<EOF 4559dn: ${LDAP_BASEDN} 4560changetype: modify 4561delete: aci 4562aci: ${aci_to_delete} 4563EOF 4564 ) > ${TMPDIR}/find_delete_aci 4565 4566 # Delete the ACI 4567 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}" 4568 if [ $? -ne 0 ]; then 4569 ${ECHO} " ERROR: Remove of $3 ACI failed!" 4570 cleanup 4571 exit 1 4572 fi 4573 4574 ${RM} -f ${TMPDIR}/find_delete_aci 4575 # Display message that an ACL is deleted. 4576 MSG="ACI $3 deleted." 4577 if [ $EXISTING_PROFILE -eq 1 ]; then 4578 ${ECHO} " ACI DELETED: $MSG" 4579 else 4580 ${ECHO} " ${STEP}. $MSG" 4581 STEP=`expr $STEP + 1` 4582 fi 4583 fi 4584} 4585 4586# 4587# Add an ACI to deny non-admin access to shadow data when 4588# shadow update is enabled. 4589# 4590deny_non_admin_shadow_access() 4591{ 4592 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()" 4593 4594 # Set ACI Names 4595 ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access" 4596 ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access" 4597 4598 # Search for ACI_TO_ADD 4599 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1" 4600 if [ $? -ne 0 ]; then 4601 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4602 cleanup 4603 exit 1 4604 fi 4605 4606 # If an ACI with ${ACI_TO_ADD} already exists, we are done. 4607 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null 4608 if [ $? -eq 0 ]; then 4609 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." 4610 if [ $EXISTING_PROFILE -eq 1 ]; then 4611 ${ECHO} " NOT SET: $MSG" 4612 else 4613 ${ECHO} " ${STEP}. $MSG" 4614 STEP=`expr $STEP + 1` 4615 fi 4616 return 0 4617 fi 4618 4619 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs 4620 # should be mutually exclusive, so if the latter exists, delete it. 4621 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL} 4622 4623 # Create the tmp file to add. 4624 ( cat <<EOF 4625dn: ${LDAP_BASEDN} 4626changetype: modify 4627add: aci 4628aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange|| 4629 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire|| 4630 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD}; 4631 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";) 4632EOF 4633) > ${TMPDIR}/non_admin_aci_write 4634 4635 # Add the entry. 4636 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}" 4637 if [ $? -ne 0 ]; then 4638 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" 4639 ${CAT} ${TMPDIR}/non_admin_aci_write 4640 cleanup 4641 exit 1 4642 fi 4643 4644 ${RM} -f ${TMPDIR}/non_admin_aci_write 4645 # Display message that the non-admin access to shadow data is denied. 4646 MSG="Non-Admin access to shadow data denied." 4647 if [ $EXISTING_PROFILE -eq 1 ]; then 4648 ${ECHO} " ACI SET: $MSG" 4649 else 4650 ${ECHO} " ${STEP}. $MSG" 4651 STEP=`expr $STEP + 1` 4652 fi 4653} 4654 4655# 4656# Add an ACI to deny non-host access to shadow data when 4657# shadow update is enabled and auth Method if gssapi. 4658# 4659deny_non_host_shadow_access() 4660{ 4661 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()" 4662 4663 # Set ACI Names 4664 ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access" 4665 ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access" 4666 4667 # Search for ACI_TO_ADD 4668 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1" 4669 if [ $? -ne 0 ]; then 4670 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4671 cleanup 4672 exit 1 4673 fi 4674 4675 # If an ACI with ${ACI_TO_ADD} already exists, we are done. 4676 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null 4677 if [ $? -eq 0 ]; then 4678 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." 4679 if [ $EXISTING_PROFILE -eq 1 ]; then 4680 ${ECHO} " NOT SET: $MSG" 4681 else 4682 ${ECHO} " ${STEP}. $MSG" 4683 STEP=`expr $STEP + 1` 4684 fi 4685 return 0 4686 fi 4687 4688 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs 4689 # should be mutually exclusive, so if the former exists, delete it. 4690 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL} 4691 4692 # Create the tmp file to add. 4693 ( cat <<EOF 4694dn: ${LDAP_BASEDN} 4695changetype: modify 4696add: aci 4697aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange|| 4698 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire|| 4699 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD}; 4700 deny (write,read,search,compare) 4701 userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";) 4702EOF 4703) > ${TMPDIR}/non_host_aci_write 4704 4705 # Add the entry. 4706 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}" 4707 if [ $? -ne 0 ]; then 4708 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" 4709 ${CAT} ${TMPDIR}/non_host_aci_write 4710 cleanup 4711 exit 1 4712 fi 4713 4714 ${RM} -f ${TMPDIR}/non_host_aci_write 4715 # Display message that the non-host access to shadow data is denied. 4716 MSG="Non-host access to shadow data is denied." 4717 if [ $EXISTING_PROFILE -eq 1 ]; then 4718 ${ECHO} " ACI SET: $MSG" 4719 else 4720 ${ECHO} " ${STEP}. $MSG" 4721 STEP=`expr $STEP + 1` 4722 fi 4723} 4724 4725# 4726# add_vlv_aci(): Add access control information (aci) for VLV. 4727# 4728add_vlv_aci() 4729{ 4730 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()" 4731 4732 # Add the VLV ACI. 4733 ( cat <<EOF 4734dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 4735changetype: modify 4736replace: aci 4737aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";) 4738EOF 4739) > ${TMPDIR}/vlv_aci 4740 4741 # Add the entry. 4742 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}" 4743 if [ $? -ne 0 ]; then 4744 ${ECHO} " ERROR: Add of VLV ACI failed!" 4745 cleanup 4746 exit 1 4747 fi 4748 4749 # Display message that schema is updated. 4750 ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)." 4751 STEP=`expr $STEP + 1` 4752} 4753 4754 4755# 4756# set_nisdomain(): Add the NisDomainObject to the Base DN. 4757# 4758set_nisdomain() 4759{ 4760 [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()" 4761 4762 # Check if nisDomain is already set. 4763 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \ 4764 \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1 4765 ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}" 4766 if [ $? -eq 0 ]; then 4767 ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set." 4768 STEP=`expr $STEP + 1` 4769 return 0 4770 fi 4771 4772 # Add the new top level containers. 4773 ( cat <<EOF 4774dn: ${LDAP_BASEDN} 4775changetype: modify 4776objectclass: nisDomainObject 4777nisdomain: ${LDAP_DOMAIN} 4778EOF 4779) > ${TMPDIR}/nis_domain 4780 4781 # Add the entry. 4782 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}" 4783 if [ $? -ne 0 ]; then 4784 ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed." 4785 cleanup 4786 exit 1 4787 fi 4788 4789 # Display message that schema is updated. 4790 ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}." 4791 STEP=`expr $STEP + 1` 4792} 4793 4794 4795# 4796# check_attrName(): Check that the attribute name is valid. 4797# $1 Key to check. 4798# Returns 0 : valid name 1 : invalid name 4799# 4800check_attrName() 4801{ 4802 [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()" 4803 [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1" 4804 4805 ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1 4806 if [ $? -eq 0 ]; then 4807 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 4808 attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}" 4809 else 4810 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 4811 attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}" 4812 fi 4813 4814 if [ $? -ne 0 ]; then 4815 return 1 4816 else 4817 return 0 4818 fi 4819} 4820 4821 4822# 4823# get_objectclass(): Determine the objectclass for the given attribute name 4824# $1 Attribute name to check. 4825# _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig. 4826# 4827# NOTE: An attribute name can be valid but still we might not be able 4828# to determine the objectclass from the table. 4829# In such cases, the user needs to create the necessary object(s). 4830# 4831get_objectclass() 4832{ 4833 [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()" 4834 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1" 4835 4836 # Set return value to NULL string. 4837 _ATTR_NAME="" 4838 4839 # Test key for type: 4840 case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in 4841 ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;; 4842 dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;; 4843 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;; 4844 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;; 4845 *) _ATTR_NAME="" ;; 4846 esac 4847 4848 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME" 4849} 4850 4851 4852# 4853# add_base_objects(): Add any necessary base objects. 4854# 4855add_base_objects() 4856{ 4857 [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()" 4858 4859 # Convert to lower case for basename. 4860 format_string "${LDAP_BASEDN}" 4861 LOWER_BASEDN="${FMT_STR}" 4862 format_string "${LDAP_SUFFIX}" 4863 LOWER_SUFFIX="${FMT_STR}" 4864 4865 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 4866 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 4867 4868 # Create additional components. 4869 if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then 4870 [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent" 4871 else 4872 # first, test that the suffix is valid 4873 dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 4874 if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then 4875 # should not happen since check_basedn_suffix() succeeded 4876 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 4877 ${ECHO} "for Base DN ${LOWER_BASEDN}" 4878 cleanup 4879 exit 1 4880 fi 4881 # OK, suffix is valid, start working with LDAP_BASEDN 4882 # field separator is ',' (i.e., space is a valid character) 4883 dcstmp2="`${ECHO} ${LDAP_BASEDN} | 4884 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`" 4885 dcs="" 4886 # use dcstmp to count the loop, and dcstmp2 to get the correct 4887 # string case 4888 # dcs should be in reverse order, only for these components 4889 # that need to be added 4890 while [ -n "${dcstmp}" ] 4891 do 4892 i2=`${ECHO} "$dcstmp2" | cut -f1 -d','` 4893 dk=`${ECHO} $i2 | awk -F= '{print $1}'` 4894 dc=`${ECHO} $i2 | awk -F= '{print $2}'` 4895 dcs="$dk=$dc,$dcs"; 4896 dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','` 4897 dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','` 4898 [ $DEBUG -eq 1 ] && \ 4899 ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n" 4900 done 4901 4902 4903 4904 lastdc=${LDAP_SUFFIX} 4905 dc=`${ECHO} "${dcs}" | cut -f1 -d','` 4906 dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','` 4907 while [ -n "${dc}" ]; do 4908 # Get Key and component from $dc. 4909 dk2=`${ECHO} $dc | awk -F= '{print $1}'` 4910 dc2=`${ECHO} $dc | awk -F= '{print $2}'` 4911 4912 # At this point, ${dk2} is a valid attribute name 4913 4914 # Check if entry exists first, if so, skip to next. 4915 ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1 4916 if [ $? -eq 0 ]; then 4917 # Set the $lastdc to new dc. 4918 lastdc="${dk2}=${dc2},$lastdc" 4919 4920 # Process next component. 4921 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4922 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4923 continue 4924 4925 fi 4926 4927 # Determine the objectclass for the entry. 4928 get_objectclass $dk2 4929 OBJ_Name=${_ATTR_NAME} 4930 if [ "${OBJ_Name}" = "" ]; then 4931 ${ECHO} "Cannot determine objectclass for $dk2" 4932 ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig" 4933 exit 1 4934 fi 4935 4936 # Add the new container. 4937 ( cat <<EOF 4938dn: ${dk2}=${dc2},$lastdc 4939${dk2}: $dc2 4940objectClass: top 4941objectClass: ${OBJ_Name} 4942EOF 4943) > ${TMPDIR}/base_objects 4944 4945 4946 # Set the $lastdc to new dc. 4947 lastdc="${dk2}=${dc2},$lastdc" 4948 4949 # Add the entry. 4950 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}" 4951 if [ $? -ne 0 ]; then 4952 ${ECHO} " ERROR: update of base objects ${dc} failed." 4953 cleanup 4954 exit 1 4955 fi 4956 4957 # Display message that schema is updated. 4958 ${ECHO} " ${STEP}. Created DN component ${dc}." 4959 STEP=`expr $STEP + 1` 4960 4961 # Process next component. 4962 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4963 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4964 done 4965 fi 4966} 4967 4968 4969# 4970# add_new_containers(): Add the top level classes. 4971# 4972# $1 = Base DN 4973# 4974add_new_containers() 4975{ 4976 [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()" 4977 4978 for ou in people group rpc protocols networks netgroup \ 4979 aliases hosts services ethers profile printers projects \ 4980 SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do 4981 4982 # Check if nismaps already exist. 4983 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4984 if [ $? -eq 0 ]; then 4985 continue 4986 fi 4987 4988 # Create TMP file to add. 4989 ( cat <<EOF 4990dn: ou=${ou},${LDAP_BASEDN} 4991ou: ${ou} 4992objectClass: top 4993objectClass: organizationalUnit 4994EOF 4995) > ${TMPDIR}/toplevel.${ou} 4996 4997 # Add the entry. 4998 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}" 4999 if [ $? -ne 0 ]; then 5000 ${ECHO} " ERROR: Add of ou=${ou} container failed!" 5001 cleanup 5002 exit 1 5003 fi 5004 done 5005 5006 # Display message that top level OU containers complete. 5007 ${ECHO} " ${STEP}. Top level \"ou\" containers complete." 5008 STEP=`expr $STEP + 1` 5009} 5010 5011 5012# 5013# add_auto_maps(): Add the automount map entries. 5014# 5015# auto_home, auto_direct, auto_master, auto_shared 5016# 5017add_auto_maps() 5018{ 5019 [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()" 5020 5021 # Set AUTO_MAPS for maps to create. 5022 AUTO_MAPS="auto_home auto_direct auto_master auto_shared" 5023 5024 for automap in $AUTO_MAPS; do 5025 # Check if automaps already exist. 5026 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 5027 if [ $? -eq 0 ]; then 5028 continue 5029 fi 5030 5031 # Create the tmp file to add. 5032 ( cat <<EOF 5033dn: automountMapName=${automap},${LDAP_BASEDN} 5034automountMapName: ${automap} 5035objectClass: top 5036objectClass: automountMap 5037EOF 5038) > ${TMPDIR}/automap.${automap} 5039 5040 # Add the entry. 5041 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}" 5042 if [ $? -ne 0 ]; then 5043 ${ECHO} " ERROR: Add of automap ${automap} failed!" 5044 cleanup 5045 exit 1 5046 fi 5047 done 5048 5049 # Display message that automount entries are updated. 5050 ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed." 5051 STEP=`expr $STEP + 1` 5052} 5053 5054 5055# 5056# add_proxyagent(): Add entry for nameservice to use to access server. 5057# 5058add_proxyagent() 5059{ 5060 [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()" 5061 5062 # Check if proxy agent already exists. 5063 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}" 5064 if [ $? -eq 0 ]; then 5065 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists." 5066 STEP=`expr $STEP + 1` 5067 return 0 5068 fi 5069 5070 # Get cn and sn names from LDAP_PROXYAGENT. 5071 cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=` 5072 5073 # Create the tmp file to add. 5074 ( cat <<EOF 5075dn: ${LDAP_PROXYAGENT} 5076cn: ${cn_tmp} 5077sn: ${cn_tmp} 5078objectclass: top 5079objectclass: person 5080userpassword: ${LDAP_PROXYAGENT_CRED} 5081EOF 5082) > ${TMPDIR}/proxyagent 5083 5084 # Add the entry. 5085 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}" 5086 if [ $? -ne 0 ]; then 5087 ${ECHO} " ERROR: Adding proxyagent failed!" 5088 cleanup 5089 exit 1 5090 fi 5091 5092 # Display message that schema is updated. 5093 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added." 5094 STEP=`expr $STEP + 1` 5095} 5096 5097# 5098# allow_proxy_read_pw(): Give Proxy Agent read permission for password. 5099# 5100allow_proxy_read_pw() 5101{ 5102 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()" 5103 5104 # Search for ACI_NAME 5105 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5106 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1 5107 if [ $? -eq 0 ]; then 5108 ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}." 5109 STEP=`expr $STEP + 1` 5110 return 0 5111 fi 5112 5113 # Create the tmp file to add. 5114 ( cat <<EOF 5115dn: ${LDAP_BASEDN} 5116changetype: modify 5117add: aci 5118aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword") 5119 (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) 5120 userdn = "ldap:///${LDAP_PROXYAGENT}";) 5121EOF 5122) > ${TMPDIR}/proxy_read 5123 5124 # Add the entry. 5125 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}" 5126 if [ $? -ne 0 ]; then 5127 ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!" 5128 cleanup 5129 exit 1 5130 fi 5131 5132 # Display message that schema is updated. 5133 ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password." 5134 STEP=`expr $STEP + 1` 5135} 5136 5137# Delete Proxy Agent read permission for password. 5138delete_proxy_read_pw() 5139{ 5140 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()" 5141 5142 # Search for ACI_NAME 5143 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5144 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \ 5145 ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1 5146 if [ $? -ne 0 ]; then 5147 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5148 return 0 5149 fi 5150 5151 # We need to remove proxy agent's read access to user passwords, 5152 # but We do not know the value of the ${LDAP_PROXYAGENT} here, so 5153 # 1. if only one match found, delete it 5154 # 2. if more than one matches found, ask the user which one to delete 5155 HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'` 5156 if [ $HOWMANY -eq 0 ]; then 5157 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5158 return 0 5159 fi 5160 if [ $HOWMANY -eq 1 ];then 5161 proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci` 5162 else 5163 ${CAT} << EOF 5164 5165Proxy agent is not allowed to read user passwords when shadow 5166update is enabled. There are more than one proxy agents found. 5167Please select the currently proxy agent being used, so that 5168idsconfig can remove its read access to user passwords. 5169 5170The proxy agents are: 5171 5172EOF 5173 # generate the proxy agent list 5174 ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \ 5175 ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \ 5176 ${TMPDIR}/proxy_agent_list 5177 5178 # print the proxy agent list 5179 ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list 5180 5181 # ask the user to pick one 5182 _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): " 5183 get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY" 5184 _CH=$MN_CH 5185 proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci` 5186 fi 5187 5188 # Create the tmp file to delete the ACI. 5189 ( cat <<EOF 5190dn: ${LDAP_BASEDN} 5191changetype: modify 5192delete: aci 5193aci: ${proxy_aci} 5194EOF 5195 ) > ${TMPDIR}/proxy_delete 5196 5197 # Delete the ACI 5198 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}" 5199 if [ $? -ne 0 ]; then 5200 ${ECHO} " ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!" 5201 cat ${TMPDIR}/proxy_delete 5202 cleanup 5203 exit 1 5204 fi 5205 5206 # Display message that ACI is updated. 5207 MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password." 5208 ${ECHO} " " 5209 ${ECHO} " ACI REMOVED: $MSG" 5210 ${ECHO} " The ACI removed is $proxy_aci" 5211 ${ECHO} " " 5212} 5213 5214# 5215# add_profile(): Add client profile to server. 5216# 5217add_profile() 5218{ 5219 [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()" 5220 5221 # If profile name already exists, DELETE it, and add new one. 5222 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 5223 if [ $? -eq 0 ]; then 5224 # Create Delete file. 5225 ( cat <<EOF 5226cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN} 5227EOF 5228) > ${TMPDIR}/del_profile 5229 5230 # Check if DEL_OLD_PROFILE is set. (If not ERROR) 5231 if [ $DEL_OLD_PROFILE -eq 0 ]; then 5232 ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!" 5233 exit 1 5234 fi 5235 5236 # Delete the OLD profile. 5237 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}" 5238 if [ $? -ne 0 ]; then 5239 ${ECHO} " ERROR: Attempt to DELETE profile failed!" 5240 cleanup 5241 exit 1 5242 fi 5243 fi 5244 5245 # Build the "ldapclient genprofile" command string to execute. 5246 GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\"" 5247 5248 # Add required argument defaultSearchBase. 5249 GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\"" 5250 5251 # Add optional parameters. 5252 [ -n "$LDAP_SERVER_LIST" ] && \ 5253 GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\"" 5254 [ -n "$LDAP_SEARCH_SCOPE" ] && \ 5255 GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\"" 5256 [ -n "$LDAP_CRED_LEVEL" ] && \ 5257 GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\"" 5258 [ -n "$LDAP_AUTHMETHOD" ] && \ 5259 GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\"" 5260 [ -n "$LDAP_FOLLOWREF" ] && \ 5261 GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\"" 5262 [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \ 5263 GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\"" 5264 [ -n "$LDAP_PROFILE_TTL" ] && \ 5265 GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\"" 5266 [ -n "$LDAP_BIND_LIMIT" ] && \ 5267 GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\"" 5268 [ -n "$LDAP_PREF_SRVLIST" ] && \ 5269 GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\"" 5270 [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \ 5271 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\"" 5272 [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \ 5273 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\"" 5274 [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \ 5275 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\"" 5276 5277 # Check if there are any service search descriptors to ad. 5278 if [ -s "${SSD_FILE}" ]; then 5279 ssd_2_profile 5280 fi 5281 5282 # Execute "ldapclient genprofile" to create profile. 5283 eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR 5284 if [ $? -ne 0 ]; then 5285 ${ECHO} " ERROR: ldapclient genprofile failed!" 5286 cleanup 5287 exit 1 5288 fi 5289 5290 # Add the generated profile.. 5291 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}" 5292 if [ $? -ne 0 ]; then 5293 ${ECHO} " ERROR: Attempt to add profile failed!" 5294 cleanup 5295 exit 1 5296 fi 5297 5298 # Display message that schema is updated. 5299 ${ECHO} " ${STEP}. Generated client profile and loaded on server." 5300 STEP=`expr $STEP + 1` 5301} 5302 5303 5304# 5305# cleanup(): Remove the TMPDIR and all files in it. 5306# 5307cleanup() 5308{ 5309 [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()" 5310 5311 rm -fr ${TMPDIR} 5312} 5313 5314 5315# 5316# * * * MAIN * * * 5317# 5318# Description: 5319# This script assumes that the iPlanet Directory Server (iDS) is 5320# installed and that setup has been run. This script takes the 5321# iDS server from that point and sets up the infrastructure for 5322# LDAP Naming Services. After running this script, ldapaddent(1M) 5323# or some other tools can be used to populate data. 5324 5325# Initialize the variables that need to be set to NULL, or some 5326# other initial value before the rest of the functions can be called. 5327init 5328 5329# Parse command line arguments. 5330parse_arg $* 5331shift $? 5332 5333# Print extra line to separate from prompt. 5334${ECHO} " " 5335 5336# Either Load the user specified config file 5337# or prompt user for config info. 5338if [ -n "$INPUT_FILE" ] 5339then 5340 load_config_file 5341 INTERACTIVE=0 # Turns off prompts that occur later. 5342 validate_info # Validate basic info in file. 5343 chk_ids_version # Check iDS version for compatibility. 5344 gssapi_setup_auto 5345else 5346 # Display BACKUP warning to user. 5347 display_msg backup_server 5348 get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help" 5349 if [ $? -eq 0 ]; then # if No, cleanup and exit. 5350 cleanup ; exit 1 5351 fi 5352 5353 # Prompt for values. 5354 prompt_config_info 5355 display_summary # Allow user to modify results. 5356 INTERACTIVE=1 # Insures future prompting. 5357fi 5358 5359# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE. 5360modify_cn 5361 5362# Modify timelimit to user value. 5363[ $NEED_TIME -eq 1 ] && modify_timelimit 5364 5365# Modify sizelimit to user value. 5366[ $NEED_SIZE -eq 1 ] && modify_sizelimit 5367 5368# Modify the password storage scheme to support CRYPT. 5369if [ "$NEED_CRYPT" = "TRUE" ]; then 5370 modify_pwd_crypt 5371fi 5372 5373# Update the schema (Attributes, Objectclass Definitions) 5374if [ ${SCHEMA_UPDATED} -eq 0 ]; then 5375 update_schema_attr 5376 update_schema_obj 5377fi 5378 5379# Add suffix together with its root entry (if needed) 5380add_suffix || 5381{ 5382 cleanup 5383 exit 1 5384} 5385 5386# Add base objects (if needed) 5387add_base_objects 5388 5389# Update the NisDomainObject. 5390# The Base DN might of just been created, so this MUST happen after 5391# the base objects have been added! 5392set_nisdomain 5393 5394# Add top level classes (new containers) 5395add_new_containers 5396 5397# Add common nismaps. 5398add_auto_maps 5399 5400# Modify top ACI. 5401modify_top_aci 5402 5403# Add Access Control Information for VLV. 5404add_vlv_aci 5405 5406# if Proxy needed, Add Proxy Agent and give read permission for password. 5407if [ $NEED_PROXY -eq 1 ]; then 5408 add_proxyagent 5409 if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then 5410 allow_proxy_read_pw 5411 fi 5412fi 5413 5414# If admin needed for shadow update, Add the administrator identity and 5415# give read/write permission for shadow, and deny all others read/write 5416# access to it. 5417if [ $NEED_ADMIN -eq 1 ]; then 5418 add_admin 5419 allow_admin_read_write_shadow 5420 # deny non-admin access to shadow data 5421 deny_non_admin_shadow_access 5422fi 5423 5424# If use host principal for shadow update, give read/write permission for 5425# shadow, and deny all others' read/write access to it. 5426if [ $NEED_HOSTACL -eq 1 ]; then 5427 allow_host_read_write_shadow 5428 # deny non-host access to shadow data 5429 deny_non_host_shadow_access 5430fi 5431 5432 5433# Generate client profile and add it to the server. 5434add_profile 5435 5436# Add Indexes to improve Search Performance. 5437add_eq_indexes 5438add_sub_indexes 5439add_vlv_indexes 5440 5441# Display setup complete message 5442display_msg setup_complete 5443 5444# Display VLV index commands to be executed on server. 5445display_vlv_cmds 5446 5447# Create config file if requested. 5448[ -n "$OUTPUT_FILE" ] && create_config_file 5449 5450# Removed the TMPDIR and all files in it. 5451cleanup 5452 5453exit 0 5454# end of MAIN. 5455