1#!/bin/sh 2# 3# CDDL HEADER START 4# 5# The contents of this file are subject to the terms of the 6# Common Development and Distribution License (the "License"). 7# You may not use this file except in compliance with the License. 8# 9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10# or http://www.opensolaris.org/os/licensing. 11# See the License for the specific language governing permissions 12# and limitations under the License. 13# 14# When distributing Covered Code, include this CDDL HEADER in each 15# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16# If applicable, add the following below this CDDL HEADER, with the 17# fields enclosed by brackets "[]" replaced with your own identifying 18# information: Portions Copyright [yyyy] [name of copyright owner] 19# 20# CDDL HEADER END 21# 22# 23# idsconfig -- script to setup iDS 5.x/6.x/7.x for Native LDAP II. 24# 25# Copyright 2009 Sun Microsystems, Inc. All rights reserved. 26# Use is subject to license terms. 27# 28 29# 30# display_msg(): Displays message corresponding to the tag passed in. 31# 32display_msg() 33{ 34 case "$1" in 35 usage) cat <<EOF 36 $PROG: [ -v ] [ -i input file ] [ -o output file ] 37 i <input file> Get setup info from input file. 38 o <output file> Generate a server configuration output file. 39 v Verbose mode 40EOF 41 ;; 42 backup_server) cat <<EOF 43It is strongly recommended that you BACKUP the directory server 44before running $PROG. 45 46Hit Ctrl-C at any time before the final confirmation to exit. 47 48EOF 49 ;; 50 setup_complete) cat <<EOF 51 52$PROG: Setup of iDS server ${IDS_SERVER} is complete. 53 54EOF 55 ;; 56 display_vlv_list) cat <<EOF 57 58Note: idsconfig has created entries for VLV indexes. 59 60 For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER} 61 to stop the server. Then, using directoryserver, follow the 62 directoryserver examples below to create the actual VLV indexes. 63 64 For DS6.x or later, use dsadm command delivered with DS on ${IDS_SERVER} 65 to stop the server. Then, using dsadm, follow the 66 dsadm examples below to create the actual VLV indexes. 67 68EOF 69 ;; 70 cred_level_menu) cat <<EOF 71The following are the supported credential levels: 72 1 anonymous 73 2 proxy 74 3 proxy anonymous 75 4 self 76EOF 77 ;; 78 auth_method_menu) cat <<EOF 79The following are the supported Authentication Methods: 80 1 none 81 2 simple 82 3 sasl/DIGEST-MD5 83 4 tls:simple 84 5 tls:sasl/DIGEST-MD5 85 6 sasl/GSSAPI 86EOF 87 ;; 88 srvauth_method_menu) cat <<EOF 89The following are the supported Authentication Methods: 90 1 simple 91 2 sasl/DIGEST-MD5 92 3 tls:simple 93 4 tls:sasl/DIGEST-MD5 94 5 sasl/GSSAPI 95EOF 96 ;; 97 prompt_ssd_menu) cat <<EOF 98 A Add a Service Search Descriptor 99 D Delete a SSD 100 M Modify a SSD 101 P Display all SSD's 102 H Help 103 X Clear all SSD's 104 105 Q Exit menu 106EOF 107 ;; 108 summary_menu) 109 110 SUFFIX_INFO= 111 DB_INFO= 112 113 [ -n "${NEED_CREATE_SUFFIX}" ] && 114 { 115 SUFFIX_INFO=`cat <<EOF 116 117 Suffix to create : $LDAP_SUFFIX 118EOF 119` 120 [ -n "${NEED_CREATE_BACKEND}" ] && 121 DB_INFO=`cat <<EOF 122 123 Database to create : $IDS_DATABASE 124EOF 125` 126 } 127 128 cat <<EOF 129 Summary of Configuration 130 131 1 Domain to serve : $LDAP_DOMAIN 132 2 Base DN to setup : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO 133 3 Profile name to create : $LDAP_PROFILE_NAME 134 4 Default Server List : $LDAP_SERVER_LIST 135 5 Preferred Server List : $LDAP_PREF_SRVLIST 136 6 Default Search Scope : $LDAP_SEARCH_SCOPE 137 7 Credential Level : $LDAP_CRED_LEVEL 138 8 Authentication Method : $LDAP_AUTHMETHOD 139 9 Enable Follow Referrals : $LDAP_FOLLOWREF 140 10 iDS Time Limit : $IDS_TIMELIMIT 141 11 iDS Size Limit : $IDS_SIZELIMIT 142 12 Enable crypt password storage : $NEED_CRYPT 143 13 Service Auth Method pam_ldap : $LDAP_SRV_AUTHMETHOD_PAM 144 14 Service Auth Method keyserv : $LDAP_SRV_AUTHMETHOD_KEY 145 15 Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD 146 16 Search Time Limit : $LDAP_SEARCH_TIME_LIMIT 147 17 Profile Time to Live : $LDAP_PROFILE_TTL 148 18 Bind Limit : $LDAP_BIND_LIMIT 149 19 Enable shadow update : $LDAP_ENABLE_SHADOW_UPDATE 150 20 Service Search Descriptors Menu 151 152EOF 153 ;; 154 sfx_not_suitable) cat <<EOF 155 156Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN} 157 158EOF 159 ;; 160 obj_not_found) cat <<EOF 161 162Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute 163 164EOF 165 ;; 166 sfx_config_incons) cat <<EOF 167 168Sorry, there is no suffix mapping for ${LDAP_SUFFIX}, 169while ldbm database exists, server configuration needs to be fixed manually, 170look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config 171 172EOF 173 ;; 174 ldbm_db_exist) cat <<EOF 175 176Database "${IDS_DATABASE}" already exists, 177however "${IDS_DATABASE_AVAIL}" name is available 178 179EOF 180 ;; 181 unable_find_db_name) cat <<EOF 182 183Unable to find any available database name close to "${IDS_DATABASE}" 184 185EOF 186 ;; 187 create_ldbm_db_error) cat <<EOF 188 189ERROR: unable to create suffix ${LDAP_SUFFIX} 190 due to server error that occurred during creation of ldbm database 191 192EOF 193 ;; 194 create_suffix_entry_error) cat <<EOF 195 196ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class 197 198EOF 199 ;; 200 ldap_suffix_list) cat <<EOF 201 202No valid suffixes (naming contexts) were found for LDAP base DN: 203${LDAP_BASEDN} 204 205Available suffixes are: 206${LDAP_SUFFIX_LIST} 207 208EOF 209 ;; 210 sorry) cat <<EOF 211 212HELP - No help is available for this topic. 213 214EOF 215 ;; 216 create_suffix_help) cat <<EOF 217 218HELP - Our Base DN is ${LDAP_BASEDN} 219 and we need to create a Directory Suffix, 220 which can be equal to Base DN itself or be any of Base DN parents. 221 All intermediate entries up to suffix will be created on demand. 222 223EOF 224 ;; 225 enter_ldbm_db_help) cat <<EOF 226 227HELP - ldbm database is an internal database for storage of our suffix data. 228 Database name must be alphanumeric due to Directory Server restriction. 229 230EOF 231 ;; 232 backup_help) cat <<EOF 233 234HELP - Since idsconfig modifies the directory server configuration, 235 it is strongly recommended that you backup the server prior 236 to running this utility. This is especially true if the server 237 being configured is a production server. 238 239EOF 240 ;; 241 port_help) cat <<EOF 242 243HELP - Enter the port number the directory server is configured to 244 use for LDAP. 245 246EOF 247 ;; 248 domain_help) cat <<EOF 249 250HELP - This is the DNS domain name this server will be serving. You 251 must provide this name even if the server is not going to be populated 252 with hostnames. Any unqualified hostname stored in the directory 253 will be fully qualified using this DNS domain name. 254 255EOF 256 ;; 257 basedn_help) cat <<EOF 258 259HELP - This parameter defines the default location in the directory tree for 260 the naming services entries. You can override this default by using 261 serviceSearchDescriptors (SSD). You will be given the option to set up 262 an SSD later on in the setup. 263 264EOF 265 ;; 266 profile_help) cat <<EOF 267 268HELP - Name of the configuration profile with which the clients will be 269 configured. A directory server can store various profiles for multiple 270 groups of clients. The initialization tool, (ldapclient(1M)), assumes 271 "default" unless another is specified. 272 273EOF 274 ;; 275 def_srvlist_help) cat <<EOF 276 277HELP - Provide a list of directory servers to serve clients using this profile. 278 All these servers should contain consistent data and provide similar 279 functionality. This list is not ordered, and clients might change the 280 order given in this list. Note that this is a space separated list of 281 *IP addresses* (not host names). Providing port numbers is optional. 282 283EOF 284 ;; 285 pref_srvlist_help) cat <<EOF 286 287HELP - Provide a list of directory servers to serve this client profile. 288 Unlike the default server list, which is not ordered, the preferred 289 servers must be entered IN THE ORDER you wish to have them contacted. 290 If you do specify a preferred server list, clients will always contact 291 them before attempting to contact any of the servers on the default 292 server list. Note that you must enter the preferred server list as a 293 space-separated list of *IP addresses* (not host names). Providing port 294 numbers is optional. 295 296EOF 297 ;; 298 srch_scope_help) cat <<EOF 299 300HELP - Default search scope to be used for all searches unless they are 301 overwritten using serviceSearchDescriptors. The valid options 302 are "one", which would specify the search will only be performed 303 at the base DN for the given service, or "sub", which would specify 304 the search will be performed through *all* levels below the base DN 305 for the given service. 306 307EOF 308 ;; 309 cred_lvl_help) cat <<EOF 310 311HELP - This parameter defines what credentials the clients use to 312 authenticate to the directory server. This list might contain 313 multiple credential levels and is ordered. If a proxy level 314 is configured, you will also be prompted to enter a bind DN 315 for the proxy agent along with a password. This proxy agent 316 will be created if it does not exist. 317 318EOF 319 ;; 320 auth_help) cat <<EOF 321 322HELP - The default authentication method(s) to be used by all services 323 in the client using this profile. This is a ordered list of 324 authentication methods separated by a ';'. The supported methods 325 are provided in a menu. Note that sasl/DIGEST-MD5 binds require 326 passwords to be stored un-encrypted on the server. 327 328EOF 329 ;; 330 srvauth_help) cat <<EOF 331 332HELP - The authentication methods to be used by a given service. Currently 333 3 services support this feature: pam_ldap, keyserv, and passwd-cmd. 334 The authentication method specified in this attribute overrides 335 the default authentication method defined in the profile. This 336 feature can be used to select stronger authentication methods for 337 services which require increased security. 338 339EOF 340 ;; 341 pam_ldap_help) cat <<EOF 342 343HELP - The authentication method(s) to be used by pam_ldap when contacting 344 the directory server. This is a ordered list, and, if provided, will 345 override the default authentication method parameter. 346 347EOF 348 ;; 349 keyserv_help) cat <<EOF 350 351HELP - The authentication method(s) to be used by newkey(1M) and chkey(1) 352 when contacting the directory server. This is a ordered list and 353 if provided will override the default authentication method 354 parameter. 355 356EOF 357 ;; 358 passwd-cmd_help) cat <<EOF 359 360HELP - The authentication method(s) to be used by passwd(1) command when 361 contacting the directory server. This is a ordered list and if 362 provided will override the default authentication method parameter. 363 364EOF 365 ;; 366 referrals_help) cat <<EOF 367 368HELP - This parameter indicates whether the client should follow 369 ldap referrals if it encounters one during naming lookups. 370 371EOF 372 ;; 373 tlim_help) cat <<EOF 374 375HELP - The server time limit value indicates the maximum amount of time the 376 server would spend on a query from the client before abandoning it. 377 A value of '-1' indicates no limit. 378 379EOF 380 ;; 381 slim_help) cat <<EOF 382 383HELP - The server sizelimit value indicates the maximum number of entries 384 the server would return in respond to a query from the client. A 385 value of '-1' indicates no limit. 386 387EOF 388 ;; 389 crypt_help) cat <<EOF 390 391HELP - By default iDS does not store userPassword attribute values using 392 unix "crypt" format. If you need to keep your passwords in the crypt 393 format for NIS/NIS+ and pam_unix compatibility, choose 'yes'. If 394 passwords are stored using any other format than crypt, pam_ldap 395 MUST be used by clients to authenticate users to the system. Note 396 that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap, 397 user passwords must be stored in the clear format. 398 399EOF 400 ;; 401 srchtime_help) cat <<EOF 402 403HELP - The search time limit the client will enforce for directory 404 lookups. 405 406EOF 407 ;; 408 profttl_help) cat <<EOF 409 410HELP - The time to live value for profile. The client will refresh its 411 cached version of the configuration profile at this TTL interval. 412 413EOF 414 ;; 415 bindlim_help) cat <<EOF 416 417HELP - The time limit for the bind operation to the directory. This 418 value controls the responsiveness of the client in case a server 419 becomes unavailable. The smallest timeout value for a given 420 network architecture/conditions would work best. This is very 421 similar to setting TCP timeout, but only for LDAP bind operation. 422 423EOF 424 ;; 425 ssd_help) cat <<EOF 426 427HELP - Using Service Search Descriptors (SSD), you can override the 428 default configuration for a given service. The SSD can be 429 used to override the default search base DN, the default search 430 scope, and the default search filter to be used for directory 431 lookups. SSD are supported for all services (databases) 432 defined in nsswitch.conf(4). The default base DN is defined 433 in ldap(1). 434 435 Note: SSD are powerful tools in defining configuration profiles 436 and provide a great deal of flexibility. However, care 437 must be taken in creating them. If you decide to make use 438 of SSDs, consult the documentation first. 439 440EOF 441 ;; 442 ssd_menu_help) cat <<EOF 443 444HELP - Using this menu SSD can be added, updated, or deleted from 445 the profile. 446 447 A - This option creates a new SSD by prompting for the 448 service name, base DN, and scope. Service name is 449 any valid service as defined in ldap(1). base is 450 either the distinguished name to the container where 451 this service will use, or a relative DN followed 452 by a ','. 453 D - Delete a previously created SSD. 454 M - Modify a previously created SSD. 455 P - Display a list of all the previously created SSD. 456 X - Delete all of the previously created SSD. 457 458 Q - Exit the menu and continue with the server configuration. 459 460EOF 461 ;; 462 ldap_suffix_list_help) cat <<EOF 463 464HELP - No valid suffixes (naming contexts) are available on server 465 ${IDS_SERVER}:${IDS_PORT}. 466 You must set an LDAP Base DN that can be contained in 467 an existing suffix. 468 469EOF 470 ;; 471 enable_shadow_update_help) cat <<EOF 472 473HELP - Enter 'y' to set up the LDAP server for shadow update. 474 The setup will add an administrator identity/credential 475 and modify the necessary access controls for the client 476 to update shadow(4) data on the LDAP server. If sasl/GSSAPI 477 is in use, the Kerberos host principal will be used as the 478 administrator identity. 479 480 Shadow data is used for password aging and account locking. 481 Please refer to the shadow(4) manual page for details. 482 483EOF 484 ;; 485 add_admin_cred_help) cat <<EOF 486 487HELP - Start the setup to add an administrator identity/credential 488 and to modify access controls for the client to update 489 shadow(4) data on the LDAP server. 490 491 Shadow data is used for password aging and account locking. 492 Please refer to the shadow(4) manual page for details. 493 494EOF 495 ;; 496 use_host_principal_help) cat <<EOF 497 498HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self' 499 credential level is detected, enter 'y' to modify the necessary 500 access controls for allowing the client to update shadow(4) data 501 on the LDAP server. 502 503 Shadow data is used for password aging and account locking. 504 Please refer to the shadow(4) manual page for details. 505 506EOF 507 ;; 508 esac 509} 510 511 512# 513# get_ans(): gets an answer from the user. 514# $1 instruction/comment/description/question 515# $2 default value 516# 517get_ans() 518{ 519 if [ -z "$2" ] 520 then 521 ${ECHO} "$1 \c" 522 else 523 ${ECHO} "$1 [$2] \c" 524 fi 525 526 read ANS 527 if [ -z "$ANS" ] 528 then 529 ANS=$2 530 fi 531} 532 533 534# 535# get_ans_req(): gets an answer (required) from the user, NULL value not allowed. 536# $@ instruction/comment/description/question 537# 538get_ans_req() 539{ 540 ANS="" # Set ANS to NULL. 541 while [ "$ANS" = "" ] 542 do 543 get_ans "$@" 544 [ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!" 545 done 546} 547 548 549# 550# get_number(): Querys and verifies that number entered is numeric. 551# Function will repeat prompt user for number value. 552# $1 Message text. 553# $2 default value. 554# $3 Help argument. 555# 556get_number() 557{ 558 ANS="" # Set ANS to NULL. 559 NUM="" 560 561 get_ans "$1" "$2" 562 563 # Verify that value is numeric. 564 while not_numeric $ANS 565 do 566 case "$ANS" in 567 [Hh] | help | Help | \?) display_msg ${3:-sorry} ;; 568 * ) ${ECHO} "Invalid value: \"${ANS}\". \c" 569 ;; 570 esac 571 # Get a new value. 572 get_ans "Enter a numeric value:" "$2" 573 done 574 NUM=$ANS 575} 576 577 578# 579# get_negone_num(): Only allows a -1 or positive integer. 580# Used for values where -1 has special meaning. 581# 582# $1 - Prompt message. 583# $2 - Default value (require). 584# $3 - Optional help argument. 585get_negone_num() 586{ 587 while : 588 do 589 get_number "$1" "$2" "$3" 590 if is_negative $ANS 591 then 592 if [ "$ANS" = "-1" ]; then 593 break # -1 is OK, so break. 594 else # Need to re-enter number. 595 ${ECHO} "Invalid number: please enter -1 or positive number." 596 fi 597 else 598 break # Positive number 599 fi 600 done 601} 602 603 604# 605# get_passwd(): Reads a password from the user and verify with second. 606# $@ instruction/comment/description/question 607# 608get_passwd() 609{ 610 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()" 611 612 # Temporary PASSWD variables 613 _PASS1="" 614 _PASS2="" 615 616 /usr/bin/stty -echo # Turn echo OFF 617 618 # Endless loop that continues until passwd and re-entered passwd 619 # match. 620 while : 621 do 622 ANS="" # Set ANS to NULL. 623 624 # Don't allow NULL for first try. 625 while [ "$ANS" = "" ] 626 do 627 get_ans "$@" 628 [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!" 629 done 630 _PASS1=$ANS # Store first try. 631 632 # Get second try. 633 ${ECHO} "" 634 get_ans "Re-enter passwd:" 635 _PASS2=$ANS 636 637 # Test if passwords are identical. 638 if [ "$_PASS1" = "$_PASS2" ]; then 639 break 640 fi 641 642 # Move cursor down to next line and print ERROR message. 643 ${ECHO} "" 644 ${ECHO} "ERROR: passwords don't match; try again." 645 done 646 647 /usr/bin/stty echo # Turn echo ON 648 649 ${ECHO} "" 650} 651 652 653# 654# get_passwd_nochk(): Reads a password from the user w/o check. 655# $@ instruction/comment/description/question 656# 657get_passwd_nochk() 658{ 659 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()" 660 661 /usr/bin/stty -echo # Turn echo OFF 662 663 get_ans "$@" 664 665 /usr/bin/stty echo # Turn echo ON 666 667 ${ECHO} "" 668} 669 670 671# 672# get_menu_choice(): Get a menu choice from user. Continue prompting 673# till the choice is in required range. 674# $1 .. Message text. 675# $2 .. min value 676# $3 .. max value 677# $4 .. OPTIONAL: default value 678# 679# Return value: 680# MN_CH will contain the value selected. 681# 682get_menu_choice() 683{ 684 # Check for req parameter. 685 if [ $# -lt 3 ]; then 686 ${ECHO} "get_menu_choice(): Did not get required parameters." 687 return 1 688 fi 689 690 while : 691 do 692 get_ans "$1" "$4" 693 MN_CH=$ANS 694 is_negative $MN_CH 695 if [ $? -eq 1 ]; then 696 if [ $MN_CH -ge $2 ]; then 697 if [ $MN_CH -le $3 ]; then 698 return 699 fi 700 fi 701 fi 702 ${ECHO} "Invalid choice: $MN_CH" 703 done 704} 705 706 707# 708# get_confirm(): Get confirmation from the user. (Y/Yes or N/No) 709# $1 - Message 710# $2 - default value. 711# 712get_confirm() 713{ 714 _ANSWER= 715 716 while : 717 do 718 # Display Internal ERROR if $2 not set. 719 if [ -z "$2" ] 720 then 721 ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional." 722 exit 2 723 fi 724 725 # Display prompt. 726 ${ECHO} "$1 [$2] \c" 727 728 # Get the ANSWER. 729 read _ANSWER 730 if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then 731 _ANSWER=$2 732 fi 733 case "$_ANSWER" in 734 [Yy] | yes | Yes | YES) return 1 ;; 735 [Nn] | no | No | NO) return 0 ;; 736 [Hh] | help | Help | \?) display_msg ${3:-sorry};; 737 * ) ${ECHO} "Please enter y or n." ;; 738 esac 739 done 740} 741 742 743# 744# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No) 745# No default value supported. 746# 747get_confirm_nodef() 748{ 749 _ANSWER= 750 751 while : 752 do 753 ${ECHO} "$@ \c" 754 read _ANSWER 755 case "$_ANSWER" in 756 [Yy] | yes | Yes | YES) return 1 ;; 757 [Nn] | no | No | NO) return 0 ;; 758 * ) ${ECHO} "Please enter y or n." ;; 759 esac 760 done 761} 762 763 764# 765# is_numeric(): Tells is a string is numeric. 766# 0 = Numeric 767# 1 = NOT Numeric 768# 769is_numeric() 770{ 771 # Check for parameter. 772 if [ $# -ne 1 ]; then 773 return 1 774 fi 775 776 # Determine if numeric. 777 expr "$1" + 1 > /dev/null 2>&1 778 if [ $? -ge 2 ]; then 779 return 1 780 fi 781 782 # Made it here, it's Numeric. 783 return 0 784} 785 786 787# 788# not_numeric(): Reverses the return values of is_numeric. Useful 789# for if and while statements that want to test for 790# non-numeric data. 791# 0 = NOT Numeric 792# 1 = Numeric 793# 794not_numeric() 795{ 796 is_numeric $1 797 if [ $? -eq 0 ]; then 798 return 1 799 else 800 return 0 801 fi 802} 803 804 805# 806# is_negative(): Tells is a Numeric value is less than zero. 807# 0 = Negative Numeric 808# 1 = Positive Numeric 809# 2 = NOT Numeric 810# 811is_negative() 812{ 813 # Check for parameter. 814 if [ $# -ne 1 ]; then 815 return 1 816 fi 817 818 # Determine if numeric. Can't use expr because -0 is 819 # considered positive?? 820 if is_numeric $1; then 821 case "$1" in 822 -*) return 0 ;; # Negative Numeric 823 *) return 1 ;; # Positive Numeric 824 esac 825 else 826 return 2 827 fi 828} 829 830 831# 832# check_domainname(): check validity of a domain name. Currently we check 833# that it has at least two components. 834# $1 the domain name to be checked 835# 836check_domainname() 837{ 838 if [ ! -z "$1" ] 839 then 840 t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'` 841 if [ "$t" = 0 ] 842 then 843 return 1 844 fi 845 fi 846 return 0 847} 848 849 850# 851# check_baseDN(): check validity of the baseDN name. 852# $1 the baseDN name to be checked 853# 854# NOTE: The check_baseDN function does not catch all invalid DN's. 855# Its purpose is to reduce the number of invalid DN's to 856# get past the input routine. The invalid DN's will be 857# caught by the LDAP server when they are attempted to be 858# created. 859# 860check_baseDN() 861{ 862 ck_DN=$1 863 ${ECHO} " Checking LDAP Base DN ..." 864 if [ ! -z "$ck_DN" ]; then 865 [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN" 866 # Check for = (assignment operator) 867 ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1 868 if [ $? -ne 0 ]; then 869 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN." 870 return 1 871 fi 872 873 # Check all keys. 874 while : 875 do 876 # Get first key. 877 dkey=`${ECHO} $ck_DN | cut -d'=' -f1` 878 879 # Check that the key string is valid 880 check_attrName $dkey 881 if [ $? -ne 0 ]; then 882 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}" 883 return 1 884 fi 885 886 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}" 887 888 # Remove first key from DN 889 ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-` 890 891 # Break loop if nothing left. 892 if [ "$ck_DN" = "" ]; then 893 break 894 fi 895 done 896 fi 897 return 0 898} 899 900 901# 902# domain_2_dc(): Convert a domain name into dc string. 903# $1 .. Domain name. 904# 905domain_2_dc() 906{ 907 _DOM=$1 # Domain parameter. 908 _DOM_2_DC="" # Return value from function. 909 _FIRST=1 # Flag for first time. 910 911 export _DOM_2_DC # Make visible for others. 912 913 # Convert "."'s to spaces for "for" loop. 914 domtmp="`${ECHO} ${_DOM} | tr '.' ' '`" 915 for i in $domtmp; do 916 if [ $_FIRST -eq 1 ]; then 917 _DOM_2_DC="dc=${i}" 918 _FIRST=0 919 else 920 _DOM_2_DC="${_DOM_2_DC},dc=${i}" 921 fi 922 done 923} 924 925 926# 927# is_root_user(): Check to see if logged in as root user. 928# 929is_root_user() 930{ 931 case `id` in 932 uid=0\(root\)*) return 0 ;; 933 * ) return 1 ;; 934 esac 935} 936 937 938# 939# parse_arg(): Parses the command line arguments and sets the 940# appropriate variables. 941# 942parse_arg() 943{ 944 while getopts "dvhi:o:" ARG 945 do 946 case $ARG in 947 d) DEBUG=1;; 948 v) VERB="";; 949 i) INPUT_FILE=$OPTARG;; 950 o) OUTPUT_FILE=$OPTARG;; 951 \?) display_msg usage 952 exit 1;; 953 *) ${ECHO} "**ERROR: Supported option missing handler!" 954 display_msg usage 955 exit 1;; 956 esac 957 done 958 return `expr $OPTIND - 1` 959} 960 961 962# 963# init(): initializes variables and options 964# 965init() 966{ 967 # General variables. 968 PROG=`basename $0` # Program name 969 PID=$$ # Program ID 970 VERB='> /dev/null 2>&1' # NULL or "> /dev/null" 971 ECHO="/bin/echo" # print message on screen 972 EVAL="eval" # eval or echo 973 EGREP="/usr/bin/egrep" 974 GREP="/usr/bin/grep" 975 DEBUG=0 # Set Debug OFF 976 BACKUP=no_ldap # backup suffix 977 HOST="" # NULL or <hostname> 978 NAWK="/usr/bin/nawk" 979 RM="/usr/bin/rm" 980 WC="/usr/bin/wc" 981 CAT="/usr/bin/cat" 982 SED="/usr/bin/sed" 983 MV="/usr/bin/mv" 984 985 DOM="" # Set to NULL 986 # If DNS domain (resolv.conf) exists use that, otherwise use domainname. 987 if [ -f /etc/resolv.conf ]; then 988 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \ 989 | awk '{ print $2 }' | tail -1` 990 fi 991 992 # If for any reason the DOM did not get set (error'd resolv.conf) set 993 # DOM to the domainname command's output. 994 if [ "$DOM" = "" ]; then 995 DOM=`domainname` # domain from domainname command. 996 fi 997 998 STEP=1 999 INTERACTIVE=1 # 0 = on, 1 = off (For input file mode) 1000 DEL_OLD_PROFILE=0 # 0 (default), 1 = delete old profile. 1001 1002 # idsconfig specific variables. 1003 INPUT_FILE="" 1004 OUTPUT_FILE="" 1005 LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1006 NEED_PROXY=0 # 0 = No Proxy, 1 = Create Proxy. 1007 NEED_ADMIN=0 # 0 = No Admin, 1 = Create Admin. 1008 NEED_HOSTACL=0 # 0 = No Host ACL, 1 = Create Host ACL. 1009 EXISTING_PROFILE=0 1010 LDAP_PROXYAGENT="" 1011 LDAP_ADMINDN="" 1012 LDAP_SUFFIX="" 1013 LDAP_DOMAIN=$DOM # domainname on Server (default value) 1014 GEN_CMD="" 1015 PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read" 1016 1017 # LDAP COMMANDS 1018 LDAPSEARCH="/bin/ldapsearch -r" 1019 LDAPMODIFY=/bin/ldapmodify 1020 LDAPADD=/bin/ldapadd 1021 LDAPDELETE=/bin/ldapdelete 1022 LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile 1023 1024 # iDS specific information 1025 IDS_SERVER="" 1026 IDS_PORT=389 1027 NEED_TIME=0 1028 NEED_SIZE=0 1029 NEED_SRVAUTH_PAM=0 1030 NEED_SRVAUTH_KEY=0 1031 NEED_SRVAUTH_CMD=0 1032 IDS_TIMELIMIT="" 1033 IDS_SIZELIMIT="" 1034 1035 # LDAP PROFILE related defaults 1036 LDAP_ROOTDN="cn=Directory Manager" # Provide common default. 1037 LDAP_ROOTPWD="" # NULL passwd as default (i.e. invalid) 1038 LDAP_PROFILE_NAME="default" 1039 LDAP_BASEDN="" 1040 LDAP_SERVER_LIST="" 1041 LDAP_AUTHMETHOD="" 1042 LDAP_FOLLOWREF="FALSE" 1043 NEED_CRYPT="" 1044 LDAP_SEARCH_SCOPE="one" 1045 LDAP_SRV_AUTHMETHOD_PAM="" 1046 LDAP_SRV_AUTHMETHOD_KEY="" 1047 LDAP_SRV_AUTHMETHOD_CMD="" 1048 LDAP_SEARCH_TIME_LIMIT=30 1049 LDAP_PREF_SRVLIST="" 1050 LDAP_PROFILE_TTL=43200 1051 LDAP_CRED_LEVEL="proxy" 1052 LDAP_BIND_LIMIT=10 1053 1054 # Prevent new files from being read by group or others. 1055 umask 077 1056 1057 # Service Search Descriptors 1058 LDAP_SERV_SRCH_DES="" 1059 1060 # Set and create TMPDIR. 1061 TMPDIR="/tmp/idsconfig.${PID}" 1062 if mkdir -m 700 ${TMPDIR} 1063 then 1064 # Cleanup on exit. 1065 trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15 1066 else 1067 echo "ERROR: unable to create a safe temporary directory." 1068 exit 1 1069 fi 1070 LDAP_ROOTPWF=${TMPDIR}/rootPWD 1071 1072 # Set the SSD file name after setting TMPDIR. 1073 SSD_FILE=${TMPDIR}/ssd_list 1074 1075 # GSSAPI setup 1076 GSSAPI_ENABLE=0 1077 LDAP_KRB_REALM="" 1078 SCHEMA_UPDATED=0 1079 1080 export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR 1081 export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST 1082 export LDAP_BASEDN LDAP_ROOTPWF 1083 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 1084 export NEED_PROXY 1085 export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED 1086 export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE 1087 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 1088 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 1089 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 1090 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 1091 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 1092 export LDAP_SERV_SRCH_DES SSD_FILE 1093 export GEN_CMD GSSAPI_ENABLE LDAP_KRB_REALM SCHEMA_UPDATED 1094} 1095 1096 1097# 1098# disp_full_debug(): List of all debug variables usually interested in. 1099# Grouped to avoid MASSIVE code duplication. 1100# 1101disp_full_debug() 1102{ 1103 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SERVER = $IDS_SERVER" 1104 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_PORT = $IDS_PORT" 1105 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN" 1106 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD" 1107 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN" 1108 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX" 1109 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN" 1110 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME" 1111 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST" 1112 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST" 1113 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE" 1114 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL" 1115 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD" 1116 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF" 1117 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT" 1118 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT" 1119 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_CRYPT = $NEED_CRYPT" 1120 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM" 1121 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY" 1122 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD" 1123 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM" 1124 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY" 1125 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD" 1126 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT" 1127 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL" 1128 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT" 1129 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE" 1130 1131 # Only display proxy stuff if needed. 1132 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_PROXY = $NEED_PROXY" 1133 if [ $NEED_PROXY -eq 1 ]; then 1134 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT" 1135 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED" 1136 fi 1137 1138 # Only display admin credential if needed. 1139 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_ADMIN = $NEED_ADMIN" 1140 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_HOSTACL = $NEED_HOSTACL" 1141 if [ $NEED_ADMIN -eq 1 ]; then 1142 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMINDN = $LDAP_ADMINDN" 1143 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" 1144 fi 1145 1146 # Service Search Descriptors are a special case. 1147 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES" 1148} 1149 1150 1151# 1152# load_config_file(): Loads the config file. 1153# 1154load_config_file() 1155{ 1156 [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()" 1157 1158 # Remove SSD lines from input file before sourcing. 1159 # The SSD lines must be removed because some forms of the 1160 # data could cause SHELL errors. 1161 ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD 1162 1163 # Source the input file. 1164 . ${TMPDIR}/inputfile.noSSD 1165 1166 # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older 1167 # config files use LDAP_TREETOP 1168 LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}" 1169 1170 # Save password to temporary file. 1171 save_password 1172 1173 # Create the SSD file. 1174 create_ssd_file 1175 1176 # Display FULL debugging info. 1177 disp_full_debug 1178} 1179 1180# 1181# save_password(): Save password to temporary file. 1182# 1183save_password() 1184{ 1185 cat > ${LDAP_ROOTPWF} <<EOF 1186${LDAP_ROOTPWD} 1187EOF 1188} 1189 1190###################################################################### 1191# FUNCTIONS FOR prompt_config_info() START HERE. 1192###################################################################### 1193 1194# 1195# get_ids_server(): Prompt for iDS server name. 1196# 1197get_ids_server() 1198{ 1199 while : 1200 do 1201 # Prompt for server name. 1202 get_ans "Enter the JES Directory Server's hostname to setup:" "$IDS_SERVER" 1203 IDS_SERVER="$ANS" 1204 1205 # Ping server to see if live. If valid break out of loop. 1206 ping $IDS_SERVER > /dev/null 2>&1 1207 if [ $? -eq 0 ]; then 1208 break 1209 fi 1210 1211 # Invalid server, enter a new name. 1212 ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable." 1213 IDS_SERVER="" 1214 done 1215 1216 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1217 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1218 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1219 export SERVER_ARGS 1220 1221} 1222 1223# 1224# get_ids_port(): Prompt for iDS port number. 1225# 1226get_ids_port() 1227{ 1228 # Get a valid iDS port number. 1229 while : 1230 do 1231 # Enter port number. 1232 get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help" 1233 IDS_PORT=$ANS 1234 # Do a simple search to check hostname and port number. 1235 # If search returns SUCCESS, break out, host and port must 1236 # be valid. 1237 ${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1 1238 if [ $? -eq 0 ]; then 1239 break 1240 fi 1241 1242 # Invalid host/port pair, Re-enter. 1243 ${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!" 1244 get_ids_server 1245 done 1246 1247 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1248 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1249 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1250 export SERVER_ARGS 1251} 1252 1253 1254# 1255# chk_ids_version(): Read the slapd config file and set variables 1256# 1257chk_ids_version() 1258{ 1259 [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()" 1260 1261 # check iDS version number. 1262 eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1" 1263 if [ $? -ne 0 ]; then 1264 ${ECHO} "ERROR: Can not determine the version number of iDS!" 1265 exit 1 1266 fi 1267 IDS_VER=`cat ${TMPDIR}/checkDSver` 1268 IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.` 1269 IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.` 1270 case "${IDS_MAJVER}" in 1271 5|6|7) : ;; 1272 *) ${ECHO} "ERROR: $PROG only works with JES DS version 5.x, 6.x or 7.x, not ${IDS_VER}."; exit 1;; 1273 esac 1274 1275 if [ $DEBUG -eq 1 ]; then 1276 ${ECHO} " IDS_MAJVER = $IDS_MAJVER" 1277 ${ECHO} " IDS_MINVER = $IDS_MINVER" 1278 fi 1279} 1280 1281 1282# 1283# get_dirmgr_dn(): Get the directory manger DN. 1284# 1285get_dirmgr_dn() 1286{ 1287 get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN" 1288 LDAP_ROOTDN=$ANS 1289 1290 # Update ENV variables using DN. 1291 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1292 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1293 export AUTH_ARGS LDAP_ARGS 1294} 1295 1296 1297# 1298# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf) 1299# 1300get_dirmgr_pw() 1301{ 1302 while : 1303 do 1304 # Get passwd. 1305 get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :" 1306 LDAP_ROOTPWD=$ANS 1307 1308 # Store password in file. 1309 save_password 1310 1311 # Update ENV variables using DN's PW. 1312 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1313 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1314 export AUTH_ARGS LDAP_ARGS 1315 1316 # Verify that ROOTDN and ROOTPWD are valid. 1317 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 1318 if [ $? -ne 0 ]; then 1319 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 1320 if [ $? -eq 0 ]; then 1321 ${ECHO} "ERROR: Root DN passwd is invalid." 1322 else 1323 ${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>." 1324 get_dirmgr_dn 1325 fi 1326 else 1327 break # Both are valid. 1328 fi 1329 done 1330 1331 1332} 1333 1334 1335# 1336# get_domain(): Get the Domain that will be served by the LDAP server. 1337# $1 - Help argument. 1338# 1339get_domain() 1340{ 1341 # Use LDAP_DOMAIN as default. 1342 get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN 1343 1344 # Check domainname, and have user re-enter if not valid. 1345 check_domainname $ANS 1346 while [ $? -ne 0 ] 1347 do 1348 case "$ANS" in 1349 [Hh] | help | Help | \?) display_msg ${1:-sorry} ;; 1350 * ) ${ECHO} "Invalid domainname: \"${ANS}\"." 1351 ;; 1352 esac 1353 get_ans "Enter domainname to be served (h=help):" $DOM 1354 1355 check_domainname $ANS 1356 done 1357 1358 # Set the domainname to valid name. 1359 LDAP_DOMAIN=$ANS 1360} 1361 1362 1363# 1364# get_basedn(): Query for the Base DN. 1365# 1366get_basedn() 1367{ 1368 # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default. 1369 # Then call get_basedn(). This method remakes the default 1370 # each time just in case the domain changed. 1371 domain_2_dc $LDAP_DOMAIN 1372 LDAP_BASEDN=$_DOM_2_DC 1373 1374 # Get Base DN. 1375 while : 1376 do 1377 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1378 check_baseDN "$ANS" 1379 while [ $? -ne 0 ] 1380 do 1381 case "$ANS" in 1382 [Hh] | help | Help | \?) display_msg basedn_help ;; 1383 * ) ${ECHO} "Invalid base DN: \"${ANS}\"." 1384 ;; 1385 esac 1386 1387 # Re-Enter the BaseDN 1388 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1389 check_baseDN "$ANS" 1390 done 1391 1392 # Set base DN and check its suffix 1393 LDAP_BASEDN=${ANS} 1394 check_basedn_suffix || 1395 { 1396 cleanup 1397 exit 1 1398 } 1399 1400 # suffix may need to be created, in that case get suffix from user 1401 [ -n "${NEED_CREATE_SUFFIX}" ] && 1402 { 1403 get_suffix || continue 1404 } 1405 1406 # suffix is ok, break out of the base dn inquire loop 1407 break 1408 done 1409} 1410 1411# 1412# get_want_shadow_update(): Ask user if want to enable shadow update? 1413# 1414get_want_shadow_update() 1415{ 1416 MSG="Do you want to enable shadow update (y/n/h)?" 1417 get_confirm "$MSG" "n" "enable_shadow_update_help" 1418 if [ $? -eq 1 ]; then 1419 LDAP_ENABLE_SHADOW_UPDATE="TRUE" 1420 else 1421 LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1422 fi 1423} 1424 1425get_krb_realm() { 1426 1427 # To upper cases 1428 LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'` 1429 get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM" 1430 # To upper cases 1431 LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'` 1432} 1433 1434# $1: DN 1435# $2: ldif file 1436add_entry_by_DN() { 1437 1438 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}" 1439 if [ $? -eq 0 ]; then 1440 ${ECHO} " ${1} already exists" 1441 return 0 1442 else 1443 ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}" 1444 if [ $? -eq 0 ]; then 1445 ${ECHO} " ${1} is added" 1446 return 0 1447 else 1448 ${ECHO} " ERROR: failed to add ${1}" 1449 return 1 1450 fi 1451 fi 1452 1453} 1454# 1455# Kerberos princiapl to DN mapping rules 1456# 1457# Add rules for host credentails and user credentials 1458# 1459add_id_mapping_rules() { 1460 1461 ${ECHO} " Adding Kerberos principal to DN mapping rules..." 1462 1463 _C_DN="cn=GSSAPI,cn=identity mapping,cn=config" 1464 ( cat << EOF 1465dn: cn=GSSAPI,cn=identity mapping,cn=config 1466objectClass: top 1467objectClass: nsContainer 1468cn: GSSAPI 1469EOF 1470) > ${TMPDIR}/GSSAPI_container.ldif 1471 1472 add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif" 1473 if [ $? -ne 0 ]; 1474 then 1475 ${RM} ${TMPDIR}/GSSAPI_container.ldif 1476 return 1477 fi 1478 1479 _H_CN="host_auth_${LDAP_KRB_REALM}" 1480 _H_DN="cn=${_H_CN}, ${_C_DN}" 1481 ( cat << EOF 1482dn: ${_H_DN} 1483objectClass: top 1484objectClass: nsContainer 1485objectClass: dsIdentityMapping 1486objectClass: dsPatternMatching 1487cn: ${_H_CN} 1488dsMatching-pattern: \${Principal} 1489dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM} 1490dsSearchBaseDN: ou=hosts,${LDAP_BASEDN} 1491dsSearchFilter: (&(objectClass=ipHost)(cn=\$1)) 1492dsSearchScope: one 1493 1494EOF 1495) > ${TMPDIR}/${_H_CN}.ldif 1496 1497 add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif" 1498 1499 _U_CN="user_auth_${LDAP_KRB_REALM}" 1500 _U_DN="cn=${_U_CN}, ${_C_DN}" 1501 ( cat << EOF 1502dn: ${_U_DN} 1503objectClass: top 1504objectClass: nsContainer 1505objectClass: dsIdentityMapping 1506objectClass: dsPatternMatching 1507cn: ${_U_CN} 1508dsMatching-pattern: \${Principal} 1509dsMatching-regexp: (.*)@${LDAP_KRB_REALM} 1510dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN} 1511 1512EOF 1513) > ${TMPDIR}/${_U_CN}.ldif 1514 1515 add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif" 1516 1517} 1518 1519 1520# 1521# Modify ACL to allow root to read all the password and only self can read 1522# its own password when sasl/GSSAPI bind is used 1523# 1524modify_userpassword_acl_for_gssapi() { 1525 1526 _P_DN="ou=People,${LDAP_BASEDN}" 1527 _H_DN="ou=Hosts,${LDAP_BASEDN}" 1528 _P_ACI="self-read-pwd" 1529 1530 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1" 1531 if [ $? -ne 0 ]; then 1532 ${ECHO} " ${_P_DN} does not exist" 1533 # Not Found. Create a new entry 1534 ( cat << EOF 1535dn: ${_P_DN} 1536ou: People 1537objectClass: top 1538objectClass: organizationalUnit 1539EOF 1540) > ${TMPDIR}/gssapi_people.ldif 1541 1542 add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif" 1543 else 1544 ${ECHO} " ${_P_DN} already exists" 1545 fi 1546 1547 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1" 1548 1549 if [ $? -eq 0 ]; then 1550 ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1" 1551 if [ $? -eq 0 ]; then 1552 ${ECHO} " userpassword ACL ${_P_ACI} already exists." 1553 return 1554 else 1555 ${ECHO} " userpassword ACL ${_P_ACI} not found. Create a new one." 1556 fi 1557 else 1558 ${ECHO} " Error searching aci for ${_P_DN}" 1559 cat ${TMPDIR}/chk_gssapi_aci 1560 cleanup 1561 exit 1 1562 fi 1563 ( cat << EOF 1564dn: ${_P_DN} 1565changetype: modify 1566add: aci 1567aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";) 1568- 1569add: aci 1570aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";) 1571EOF 1572) > ${TMPDIR}/user_gssapi.ldif 1573 LDAP_TYPE_OR_VALUE_EXISTS=20 1574 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}" 1575 1576 case $? in 1577 0) 1578 ${ECHO} " ${_P_DN} uaserpassword ACL is updated." 1579 ;; 1580 20) 1581 ${ECHO} " ${_P_DN} uaserpassword ACL already exists." 1582 ;; 1583 *) 1584 ${ECHO} " ERROR: update of userpassword ACL for ${_P_DN} failed!" 1585 cleanup 1586 exit 1 1587 ;; 1588 esac 1589} 1590# 1591# $1: objectclass or attributetyp 1592# $2: name 1593search_update_schema() { 1594 1595 ATTR="${1}es" 1596 1597 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}" 1598 if [ $? -ne 0 ]; then 1599 ${ECHO} "${1} ${2} does not exist." 1600 update_schema_attr 1601 update_schema_obj 1602 SCHEMA_UPDATED=1 1603 else 1604 ${ECHO} "${1} ${2} already exists. Schema has been updated" 1605 fi 1606} 1607 1608# 1609# Set up GSSAPI if necessary 1610# 1611gssapi_setup() { 1612 1613 GSSAPI_ENABLE=0 1614 1615 # assume sasl/GSSAPI is supported by the ldap server and may be used 1616 GSSAPI_AUTH_MAY_BE_USED=1 1617 1618 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" 1619 if [ $? -ne 0 ]; then 1620 GSSAPI_AUTH_MAY_BE_USED=0 1621 ${ECHO} " sasl/GSSAPI is not supported by this LDAP server" 1622 return 1623 fi 1624 1625 get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n" 1626 if [ $? -eq 0 ]; then 1627 GSSAPI_ENABLE=0 1628 ${ECHO} 1629 ${ECHO} "GSSAPI is not set up." 1630 ${ECHO} "sasl/GSSAPI bind may not work if it's not set up first." 1631 else 1632 GSSAPI_ENABLE=1 1633 get_krb_realm 1634 fi 1635 1636} 1637# 1638# get_profile_name(): Enter the profile name. 1639# 1640get_profile_name() 1641{ 1642 # Reset Delete Old Profile since getting new profile name. 1643 DEL_OLD_PROFILE=0 1644 1645 # Loop until valid profile name, or replace. 1646 while : 1647 do 1648 # Prompt for profile name. 1649 get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME" 1650 1651 # Check for Help. 1652 case "$ANS" in 1653 [Hh] | help | Help | \?) display_msg profile_help 1654 continue ;; 1655 * ) ;; 1656 esac 1657 1658 # Search to see if profile name already exists. 1659 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 1660 if [ $? -eq 0 ]; then 1661 1662 cat << EOF 1663 1664Profile '${ANS}' already exists, it is possible to enable 1665shadow update now. idsconfig will exit after shadow update 1666is enabled. You can also continue to overwrite the profile 1667or create a new one and be given the chance to enable 1668shadow update later. 1669 1670EOF 1671 1672 MSG="Just enable shadow update (y/n/h)?" 1673 get_confirm "$MSG" "n" "enable_shadow_update_help" 1674 if [ $? -eq 1 ]; then 1675 [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update" 1676 LDAP_ENABLE_SHADOW_UPDATE=TRUE 1677 # display alternate messages 1678 EXISTING_PROFILE=1 1679 # Set Profile Name. 1680 LDAP_PROFILE_NAME=$ANS 1681 return 0 # set up credentials for shadow update. 1682 fi 1683 1684 get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?" 1685 if [ $? -eq 1 ]; then 1686 DEL_OLD_PROFILE=1 1687 return 0 # Replace old profile name. 1688 else 1689 ${ECHO} "Please re-enter a new profile name." 1690 fi 1691 else 1692 break # Unique profile name. 1693 fi 1694 done 1695 1696 # Set Profile Name. 1697 LDAP_PROFILE_NAME=$ANS 1698} 1699 1700 1701# 1702# get_srv_list(): Get the default server list. 1703# 1704get_srv_list() 1705{ 1706 # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone. 1707 if [ -z "${LDAP_SERVER_LIST}" ]; then 1708 LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'` 1709 if [ ${IDS_PORT} -ne 389 ]; then 1710 LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}" 1711 fi 1712 fi 1713 1714 # Prompt for new LDAP_SERVER_LIST. 1715 while : 1716 do 1717 get_ans "Default server list (h=help):" $LDAP_SERVER_LIST 1718 1719 # If help continue, otherwise break. 1720 case "$ANS" in 1721 [Hh] | help | Help | \?) display_msg def_srvlist_help ;; 1722 * ) break ;; 1723 esac 1724 done 1725 LDAP_SERVER_LIST=$ANS 1726} 1727 1728 1729# 1730# get_pref_srv(): The preferred server list (Overrides the server list) 1731# 1732get_pref_srv() 1733{ 1734 while : 1735 do 1736 get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST 1737 1738 # If help continue, otherwise break. 1739 case "$ANS" in 1740 [Hh] | help | Help | \?) display_msg pref_srvlist_help ;; 1741 * ) break ;; 1742 esac 1743 done 1744 LDAP_PREF_SRVLIST=$ANS 1745} 1746 1747 1748# 1749# get_search_scope(): Get the search scope from the user. 1750# 1751get_search_scope() 1752{ 1753 [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()" 1754 1755 _MENU_CHOICE=0 1756 while : 1757 do 1758 get_ans "Choose desired search scope (one, sub, h=help): " "one" 1759 _MENU_CHOICE=$ANS 1760 case "$_MENU_CHOICE" in 1761 one) LDAP_SEARCH_SCOPE="one" 1762 return 1 ;; 1763 sub) LDAP_SEARCH_SCOPE="sub" 1764 return 2 ;; 1765 h) display_msg srch_scope_help ;; 1766 *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;; 1767 esac 1768 done 1769 1770} 1771 1772 1773# 1774# get_cred_level(): Function to display menu to user and get the 1775# credential level. 1776# 1777get_cred_level() 1778{ 1779 [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()" 1780 1781 _MENU_CHOICE=0 1782 display_msg cred_level_menu 1783 while : 1784 do 1785 if [ $GSSAPI_ENABLE -eq 1 ]; then 1786 ${ECHO} '"self" is needed for GSSAPI profile' 1787 fi 1788 get_ans "Choose Credential level [h=help]:" "1" 1789 _MENU_CHOICE=$ANS 1790 case "$_MENU_CHOICE" in 1791 1) LDAP_CRED_LEVEL="anonymous" 1792 return 1 ;; 1793 2) LDAP_CRED_LEVEL="proxy" 1794 return 2 ;; 1795 3) LDAP_CRED_LEVEL="proxy anonymous" 1796 return 3 ;; 1797 4) LDAP_CRED_LEVEL="self" 1798 return 4 ;; 1799 h) display_msg cred_lvl_help ;; 1800 *) ${ECHO} "Please enter 1, 2, 3 or 4." ;; 1801 esac 1802 done 1803} 1804 1805 1806# 1807# srvauth_menu_handler(): Enter the Service Authentication method. 1808# 1809srvauth_menu_handler() 1810{ 1811 # Display Auth menu 1812 display_msg srvauth_method_menu 1813 1814 # Get a Valid choice. 1815 while : 1816 do 1817 # Display appropriate prompt and get answer. 1818 if [ $_FIRST -eq 1 ]; then 1819 get_ans "Choose Service Authentication Method:" "1" 1820 else 1821 get_ans "Choose Service Authentication Method (0=reset):" 1822 fi 1823 1824 # Determine choice. 1825 _MENU_CHOICE=$ANS 1826 case "$_MENU_CHOICE" in 1827 1) _AUTHMETHOD="simple" 1828 break ;; 1829 2) _AUTHMETHOD="sasl/DIGEST-MD5" 1830 break ;; 1831 3) _AUTHMETHOD="tls:simple" 1832 break ;; 1833 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1834 break ;; 1835 5) _AUTHMETHOD="sasl/GSSAPI" 1836 break ;; 1837 0) _AUTHMETHOD="" 1838 _FIRST=1 1839 break ;; 1840 *) ${ECHO} "Please enter 1-5 or 0 to reset." ;; 1841 esac 1842 done 1843} 1844 1845 1846# 1847# auth_menu_handler(): Enter the Authentication method. 1848# 1849auth_menu_handler() 1850{ 1851 # Display Auth menu 1852 display_msg auth_method_menu 1853 1854 # Get a Valid choice. 1855 while : 1856 do 1857 if [ $GSSAPI_ENABLE -eq 1 ]; then 1858 ${ECHO} '"sasl/GSSAPI" is needed for GSSAPI profile' 1859 fi 1860 # Display appropriate prompt and get answer. 1861 if [ $_FIRST -eq 1 ]; then 1862 get_ans "Choose Authentication Method (h=help):" "1" 1863 else 1864 get_ans "Choose Authentication Method (0=reset, h=help):" 1865 fi 1866 1867 # Determine choice. 1868 _MENU_CHOICE=$ANS 1869 case "$_MENU_CHOICE" in 1870 1) _AUTHMETHOD="none" 1871 break ;; 1872 2) _AUTHMETHOD="simple" 1873 break ;; 1874 3) _AUTHMETHOD="sasl/DIGEST-MD5" 1875 break ;; 1876 4) _AUTHMETHOD="tls:simple" 1877 break ;; 1878 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1879 break ;; 1880 6) _AUTHMETHOD="sasl/GSSAPI" 1881 break ;; 1882 0) _AUTHMETHOD="" 1883 _FIRST=1 1884 break ;; 1885 h) display_msg auth_help ;; 1886 *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;; 1887 esac 1888 done 1889} 1890 1891 1892# 1893# get_auth(): Enter the Authentication method. 1894# 1895get_auth() 1896{ 1897 [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()" 1898 1899 _FIRST=1 # Flag for first time. 1900 _MENU_CHOICE=0 1901 _AUTHMETHOD="" # Tmp method. 1902 1903 while : 1904 do 1905 # Call Menu handler 1906 auth_menu_handler 1907 1908 # Add Auth Method to list. 1909 if [ $_FIRST -eq 1 ]; then 1910 LDAP_AUTHMETHOD="${_AUTHMETHOD}" 1911 _FIRST=0 1912 else 1913 LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" 1914 fi 1915 1916 # Display current Authentication Method. 1917 ${ECHO} "" 1918 ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}" 1919 ${ECHO} "" 1920 1921 # Prompt for another Auth Method, or break out. 1922 get_confirm_nodef "Do you want to add another Authentication Method?" 1923 if [ $? -eq 0 ]; then 1924 break; 1925 fi 1926 done 1927} 1928 1929 1930# 1931# get_followref(): Whether or not to follow referrals. 1932# 1933get_followref() 1934{ 1935 get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help" 1936 if [ $? -eq 1 ]; then 1937 LDAP_FOLLOWREF="TRUE" 1938 else 1939 LDAP_FOLLOWREF="FALSE" 1940 fi 1941} 1942 1943 1944# 1945# get_timelimit(): Set the time limit. -1 is max time. 1946# 1947get_timelimit() 1948{ 1949 # Get current timeout value from cn=config. 1950 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1" 1951 if [ $? -ne 0 ]; then 1952 ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!" 1953 cleanup 1954 exit 1 1955 fi 1956 CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=` 1957 1958 get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1" 1959 IDS_TIMELIMIT=$NUM 1960} 1961 1962 1963# 1964# get_sizelimit(): Set the size limit. -1 is max size. 1965# 1966get_sizelimit() 1967{ 1968 # Get current sizelimit value from cn=config. 1969 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1" 1970 if [ $? -ne 0 ]; then 1971 ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!" 1972 cleanup 1973 exit 1 1974 fi 1975 CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=` 1976 1977 get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1" 1978 IDS_SIZELIMIT=$NUM 1979} 1980 1981 1982# 1983# get_want_crypt(): Ask user if want to store passwords in crypt? 1984# 1985get_want_crypt() 1986{ 1987 get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help" 1988 if [ $? -eq 1 ]; then 1989 NEED_CRYPT="TRUE" 1990 else 1991 NEED_CRYPT="FALSE" 1992 fi 1993} 1994 1995 1996# 1997# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user. 1998# 1999# NOTE: This function is base on get_auth(). 2000# 2001get_srv_authMethod_pam() 2002{ 2003 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()" 2004 2005 _FIRST=1 # Flag for first time. 2006 _MENU_CHOICE=0 2007 _AUTHMETHOD="" # Tmp method. 2008 2009 while : 2010 do 2011 # Call Menu handler 2012 srvauth_menu_handler 2013 2014 # Add Auth Method to list. 2015 if [ $_FIRST -eq 1 ]; then 2016 if [ "$_AUTHMETHOD" = "" ]; then 2017 LDAP_SRV_AUTHMETHOD_PAM="" 2018 else 2019 LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}" 2020 fi 2021 _FIRST=0 2022 else 2023 LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}" 2024 fi 2025 2026 # Display current Authentication Method. 2027 ${ECHO} "" 2028 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}" 2029 ${ECHO} "" 2030 2031 # Prompt for another Auth Method, or break out. 2032 get_confirm_nodef "Do you want to add another Authentication Method?" 2033 if [ $? -eq 0 ]; then 2034 break; 2035 fi 2036 done 2037 2038 # Check in case user reset string and exited loop. 2039 if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then 2040 NEED_SRVAUTH_PAM=0 2041 fi 2042} 2043 2044 2045# 2046# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user. 2047# 2048# NOTE: This function is base on get_auth(). 2049# 2050get_srv_authMethod_key() 2051{ 2052 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()" 2053 2054 _FIRST=1 # Flag for first time. 2055 _MENU_CHOICE=0 2056 _AUTHMETHOD="" # Tmp method. 2057 2058 while : 2059 do 2060 # Call Menu handler 2061 srvauth_menu_handler 2062 2063 # Add Auth Method to list. 2064 if [ $_FIRST -eq 1 ]; then 2065 if [ "$_AUTHMETHOD" = "" ]; then 2066 LDAP_SRV_AUTHMETHOD_KEY="" 2067 else 2068 LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}" 2069 fi 2070 _FIRST=0 2071 else 2072 LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}" 2073 fi 2074 2075 # Display current Authentication Method. 2076 ${ECHO} "" 2077 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}" 2078 ${ECHO} "" 2079 2080 # Prompt for another Auth Method, or break out. 2081 get_confirm_nodef "Do you want to add another Authentication Method?" 2082 if [ $? -eq 0 ]; then 2083 break; 2084 fi 2085 done 2086 2087 # Check in case user reset string and exited loop. 2088 if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then 2089 NEED_SRVAUTH_KEY=0 2090 fi 2091} 2092 2093 2094# 2095# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user. 2096# 2097# NOTE: This function is base on get_auth(). 2098# 2099get_srv_authMethod_cmd() 2100{ 2101 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()" 2102 2103 _FIRST=1 # Flag for first time. 2104 _MENU_CHOICE=0 2105 _AUTHMETHOD="" # Tmp method. 2106 2107 while : 2108 do 2109 # Call Menu handler 2110 srvauth_menu_handler 2111 2112 # Add Auth Method to list. 2113 if [ $_FIRST -eq 1 ]; then 2114 if [ "$_AUTHMETHOD" = "" ]; then 2115 LDAP_SRV_AUTHMETHOD_CMD="" 2116 else 2117 LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}" 2118 fi 2119 _FIRST=0 2120 else 2121 LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}" 2122 fi 2123 2124 # Display current Authentication Method. 2125 ${ECHO} "" 2126 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}" 2127 ${ECHO} "" 2128 2129 # Prompt for another Auth Method, or break out. 2130 get_confirm_nodef "Do you want to add another Authentication Method?" 2131 if [ $? -eq 0 ]; then 2132 break; 2133 fi 2134 done 2135 2136 # Check in case user reset string and exited loop. 2137 if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then 2138 NEED_SRVAUTH_CMD=0 2139 fi 2140} 2141 2142 2143# 2144# get_srch_time(): Amount of time to search. 2145# 2146get_srch_time() 2147{ 2148 get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help" 2149 LDAP_SEARCH_TIME_LIMIT=$NUM 2150} 2151 2152 2153# 2154# get_prof_ttl(): The profile time to live (TTL) 2155# 2156get_prof_ttl() 2157{ 2158 get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help" 2159 LDAP_PROFILE_TTL=$NUM 2160} 2161 2162 2163# 2164# get_bind_limit(): Bind time limit 2165# 2166get_bind_limit() 2167{ 2168 get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help" 2169 LDAP_BIND_LIMIT=$NUM 2170} 2171 2172 2173###################################################################### 2174# FUNCTIONS FOR Service Search Descriptor's START HERE. 2175###################################################################### 2176 2177 2178# 2179# add_ssd(): Get SSD's from user and add to file. 2180# 2181add_ssd() 2182{ 2183 [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()" 2184 2185 # Enter the service id. Loop til unique. 2186 while : 2187 do 2188 get_ans "Enter the service id:" 2189 _SERV_ID=$ANS 2190 2191 # Grep for name existing. 2192 ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1 2193 if [ $? -eq 1 ]; then 2194 break 2195 fi 2196 2197 # Name exists, print message, let user decide. 2198 ${ECHO} "ERROR: Service id ${ANS} already exists." 2199 done 2200 2201 get_ans "Enter the base:" 2202 _BASE=$ANS 2203 2204 # Get the scope and verify that its one or sub. 2205 while : 2206 do 2207 get_ans "Enter the scope:" 2208 _SCOPE=$ANS 2209 case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in 2210 one) break ;; 2211 sub) break ;; 2212 *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;; 2213 esac 2214 done 2215 2216 # Build SSD to add to file. 2217 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 2218 2219 # Add the SSD to the file. 2220 ${ECHO} "${_SSD}" >> ${SSD_FILE} 2221} 2222 2223 2224# 2225# delete_ssd(): Delete a SSD from the list. 2226# 2227delete_ssd() 2228{ 2229 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()" 2230 2231 # Get service id name from user for SSD to delete. 2232 get_ans_req "Enter service id to delete:" 2233 2234 # Make sure service id exists. 2235 ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1 2236 if [ $? -eq 1 ]; then 2237 ${ECHO} "Invalid service id: $ANS not present in list." 2238 return 2239 fi 2240 2241 # Create temporary back SSD file. 2242 cp ${SSD_FILE} ${SSD_FILE}.bak 2243 if [ $? -eq 1 ]; then 2244 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 2245 exit 1 2246 fi 2247 2248 # Use ${GREP} to remove the SSD. Read from temp file 2249 # and write to the orig file. 2250 ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE} 2251} 2252 2253 2254# 2255# modify_ssd(): Allow user to modify a SSD. 2256# 2257modify_ssd() 2258{ 2259 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()" 2260 2261 # Prompt user for service id. 2262 get_ans_req "Enter service id to modify:" 2263 2264 # Put into temp _LINE. 2265 _LINE=`${GREP} "^$ANS:" ${SSD_FILE}` 2266 if [ "$_LINE" = "" ]; then 2267 ${ECHO} "Invalid service id: $ANS" 2268 return 2269 fi 2270 2271 # Display current filter for user to see. 2272 ${ECHO} "" 2273 ${ECHO} "Current SSD: $_LINE" 2274 ${ECHO} "" 2275 2276 # Get the defaults. 2277 _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1` 2278 _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2` 2279 2280 # Create temporary back SSD file. 2281 cp ${SSD_FILE} ${SSD_FILE}.bak 2282 if [ $? -eq 1 ]; then 2283 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 2284 cleanup 2285 exit 1 2286 fi 2287 2288 # Removed the old line. 2289 ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1 2290 2291 # New Entry 2292 _SERV_ID=$ANS 2293 get_ans_req "Enter the base:" "$_CURR_BASE" 2294 _BASE=$ANS 2295 get_ans_req "Enter the scope:" "$_CURR_SCOPE" 2296 _SCOPE=$ANS 2297 2298 # Build the new SSD. 2299 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 2300 2301 # Add the SSD to the file. 2302 ${ECHO} "${_SSD}" >> ${SSD_FILE} 2303} 2304 2305 2306# 2307# display_ssd(): Display the current SSD list. 2308# 2309display_ssd() 2310{ 2311 [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()" 2312 2313 ${ECHO} "" 2314 ${ECHO} "Current Service Search Descriptors:" 2315 ${ECHO} "==================================" 2316 cat ${SSD_FILE} 2317 ${ECHO} "" 2318 ${ECHO} "Hit return to continue." 2319 read __A 2320} 2321 2322 2323# 2324# prompt_ssd(): Get SSD's from user. 2325# 2326prompt_ssd() 2327{ 2328 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()" 2329 # See if user wants SSD's? 2330 get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help" 2331 [ "$?" -eq 0 ] && return 2332 2333 # Display menu for SSD choices. 2334 while : 2335 do 2336 display_msg prompt_ssd_menu 2337 get_ans "Enter menu choice:" "Quit" 2338 case "$ANS" in 2339 [Aa] | add) add_ssd ;; 2340 [Dd] | delete) delete_ssd ;; 2341 [Mm] | modify) modify_ssd ;; 2342 [Pp] | print | display) display_ssd ;; 2343 [Xx] | reset | clear) reset_ssd_file ;; 2344 [Hh] | Help | help) display_msg ssd_menu_help 2345 ${ECHO} " Press return to continue." 2346 read __A ;; 2347 [Qq] | Quit | quit) return ;; 2348 *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;; 2349 esac 2350 done 2351} 2352 2353 2354# 2355# reset_ssd_file(): Blank out current SSD file. 2356# 2357reset_ssd_file() 2358{ 2359 [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()" 2360 2361 rm -f ${SSD_FILE} 2362 touch ${SSD_FILE} 2363} 2364 2365 2366# 2367# create_ssd_file(): Create a temporary file for SSD's. 2368# 2369create_ssd_file() 2370{ 2371 [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()" 2372 2373 # Build a list of SSD's and store in temp file. 2374 ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \ 2375 sed 's/LDAP_SERV_SRCH_DES=//' \ 2376 > ${SSD_FILE} 2377} 2378 2379 2380# 2381# ssd_2_config(): Append the SSD file to the output file. 2382# 2383ssd_2_config() 2384{ 2385 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()" 2386 2387 # Convert to config file format using sed. 2388 sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE} 2389} 2390 2391 2392# 2393# ssd_2_profile(): Add SSD's to the GEN_CMD string. 2394# 2395ssd_2_profile() 2396{ 2397 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()" 2398 2399 GEN_TMPFILE=${TMPDIR}/ssd_tmpfile 2400 touch ${GEN_TMPFILE} 2401 2402 # Add and convert each SSD to string. 2403 while read SSD_LINE 2404 do 2405 ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE} 2406 done <${SSD_FILE} 2407 2408 # Add SSD's to GEN_CMD. 2409 GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`" 2410} 2411 2412# 2413# get_adminDN(): Get the admin DN. 2414# 2415get_adminDN() 2416{ 2417 LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}" # default 2418 get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN" 2419 LDAP_ADMINDN=$ANS 2420 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN" 2421} 2422 2423# 2424# get_admin_pw(): Get the admin passwd. 2425# 2426get_admin_pw() 2427{ 2428 get_passwd "Enter passwd for the administrator:" 2429 LDAP_ADMIN_CRED=$ANS 2430 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" 2431} 2432 2433# 2434# add_admin(): Add an admin entry for nameservice for updating shadow data. 2435# 2436add_admin() 2437{ 2438 [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()" 2439 2440 # Check if the admin user already exists. 2441 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}" 2442 if [ $? -eq 0 ]; then 2443 MSG="Administrator ${LDAP_ADMINDN} already exists." 2444 if [ $EXISTING_PROFILE -eq 1 ]; then 2445 ${ECHO} " NOT ADDED: $MSG" 2446 else 2447 ${ECHO} " ${STEP}. $MSG" 2448 STEP=`expr $STEP + 1` 2449 fi 2450 return 0 2451 fi 2452 2453 # Get cn and sn names from LDAP_ADMINDN. 2454 cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=` 2455 2456 # Create the tmp file to add. 2457 ( cat <<EOF 2458dn: ${LDAP_ADMINDN} 2459cn: ${cn_tmp} 2460sn: ${cn_tmp} 2461objectclass: top 2462objectclass: person 2463userpassword: ${LDAP_ADMIN_CRED} 2464EOF 2465) > ${TMPDIR}/admin 2466 2467 # Add the entry. 2468 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}" 2469 if [ $? -ne 0 ]; then 2470 ${ECHO} " ERROR: Adding administrator identity failed!" 2471 cleanup 2472 exit 1 2473 fi 2474 2475 ${RM} -f ${TMPDIR}/admin 2476 2477 # Display message that the administrator identity is added. 2478 MSG="Administrator identity ${LDAP_ADMINDN}" 2479 if [ $EXISTING_PROFILE -eq 1 ]; then 2480 ${ECHO} " ADDED: $MSG." 2481 else 2482 ${ECHO} " ${STEP}. $MSG added." 2483 STEP=`expr $STEP + 1` 2484 fi 2485} 2486 2487# 2488# allow_admin_read_write_shadow(): Give Admin read/write permission 2489# to shadow data. 2490# 2491allow_admin_read_write_shadow() 2492{ 2493 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()" 2494 2495 # Set ACI Name 2496 ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write" 2497 2498 # Search for ACI_NAME 2499 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \ 2500 -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1" 2501 2502 # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search" 2503 # and ${LDAP_ADMINDN} already exists, we are done 2504 ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \ 2505 ${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null 2506 if [ $? -eq 0 ]; then 2507 MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}." 2508 if [ $EXISTING_PROFILE -eq 1 ]; then 2509 ${ECHO} " NOT SET: $MSG" 2510 else 2511 ${ECHO} " ${STEP}. $MSG" 2512 STEP=`expr $STEP + 1` 2513 fi 2514 return 0 2515 fi 2516 2517 # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN} 2518 # already exists, delete it first. 2519 find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \ 2520 ${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME} 2521 2522 # Create the tmp file to add. 2523 ( cat <<EOF 2524dn: ${LDAP_BASEDN} 2525changetype: modify 2526add: aci 2527aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange 2528 ||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire 2529 ||shadowFlag||userPassword||loginShell||homeDirectory||gecos") 2530 (version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search) 2531 userdn = "ldap:///${LDAP_ADMINDN}";) 2532EOF 2533) > ${TMPDIR}/admin_write 2534 2535 # Add the entry. 2536 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}" 2537 if [ $? -ne 0 ]; then 2538 ${ECHO} " ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!" 2539 cleanup 2540 exit 1 2541 fi 2542 2543 ${RM} -f ${TMPDIR}/admin_write 2544 # Display message that the administrator ACL is set. 2545 MSG="Give ${LDAP_ADMINDN} read/write access to shadow data." 2546 if [ $EXISTING_PROFILE -eq 1 ]; then 2547 ${ECHO} " ACI SET: $MSG" 2548 else 2549 ${ECHO} " ${STEP}. $MSG" 2550 STEP=`expr $STEP + 1` 2551 fi 2552} 2553 2554# 2555# allow_host_read_write_shadow(): Give host principal read/write permission 2556# for shadow data. 2557# 2558allow_host_read_write_shadow() 2559{ 2560 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()" 2561 2562 # Set ACI Name 2563 HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write" 2564 2565 # Search for ACI_NAME 2566 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1" 2567 ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1 2568 if [ $? -eq 0 ]; then 2569 MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}." 2570 if [ $EXISTING_PROFILE -eq 1 ]; then 2571 ${ECHO} " NOT ADDED: $MSG" 2572 else 2573 ${ECHO} " ${STEP}. $MSG" 2574 STEP=`expr $STEP + 1` 2575 fi 2576 return 0 2577 fi 2578 2579 # Create the tmp file to add. 2580 ( cat <<EOF 2581dn: ${LDAP_BASEDN} 2582changetype: modify 2583add: aci 2584aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";) 2585EOF 2586) > ${TMPDIR}/host_read_write 2587 2588 # Add the entry. 2589 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}" 2590 if [ $? -ne 0 ]; then 2591 ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!" 2592 cleanup 2593 exit 1 2594 fi 2595 2596 ${RM} -f ${TMPDIR}/host_read_write 2597 MSG="Give host principal read/write permission for shadow." 2598 if [ $EXISTING_PROFILE -eq 1 ]; then 2599 ${ECHO} " ACI SET: $MSG" 2600 else 2601 ${ECHO} " ${STEP}. $MSG" 2602 STEP=`expr $STEP + 1` 2603 fi 2604} 2605 2606# 2607# Set up shadow update 2608# 2609setup_shadow_update() { 2610 [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()" 2611 2612 # get content of the profile 2613 PROFILE_OUT=${TMPDIR}/prof_tmpfile 2614 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1" 2615 ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1 2616 if [ $? -ne 0 ]; then 2617 [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist" 2618 ${RM} ${PROFILE_OUT} 2619 return 2620 fi 2621 2622 # Search to see if authenticationMethod has 'GSSAPI' and 2623 # credentialLevel has 'self'. If so, ask to use the 2624 # host principal for shadow update 2625 if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then 2626 if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1 2627 then 2628 if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1 2629 then 2630 NEED_HOSTACL=1 2631 fi 2632 fi 2633 ${RM} ${PROFILE_OUT} 2634 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" 2635 2636 if [ $NEED_HOSTACL -eq 1 ]; then 2637 MSG="Use host principal for shadow data update (y/n/h)?" 2638 get_confirm "$MSG" "y" "use_host_principal_help" 2639 if [ $? -eq 1 ]; then 2640 delete_proxy_read_pw 2641 allow_host_read_write_shadow 2642 deny_non_host_shadow_access 2643 ${ECHO} "" 2644 ${ECHO} " Shadow update has been enabled." 2645 else 2646 ${ECHO} "" 2647 ${ECHO} " Shadow update may not work." 2648 fi 2649 return 2650 fi 2651 fi 2652 2653 MSG="Add the administrator identity (y/n/h)?" 2654 get_confirm "$MSG" "y" "add_admin_cred_help" 2655 if [ $? -eq 1 ]; then 2656 get_adminDN 2657 get_admin_pw 2658 add_admin 2659 delete_proxy_read_pw 2660 allow_admin_read_write_shadow 2661 deny_non_admin_shadow_access 2662 ${ECHO} "" 2663 ${ECHO} " Shadow update has been enabled." 2664 return 2665 fi 2666 2667 ${ECHO} " No administrator identity specified, shadow update may not work." 2668} 2669 2670 2671# 2672# prompt_config_info(): This function prompts the user for the config 2673# info that is not specified in the input file. 2674# 2675prompt_config_info() 2676{ 2677 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()" 2678 2679 # Prompt for iDS server name. 2680 get_ids_server 2681 2682 # Prompt for iDS port number. 2683 get_ids_port 2684 2685 # Check iDS version for compatibility. 2686 chk_ids_version 2687 2688 # Check if the server supports the VLV. 2689 chk_vlv_indexes 2690 2691 # Get the Directory manager DN and passwd. 2692 get_dirmgr_dn 2693 get_dirmgr_pw 2694 2695 # 2696 # LDAP CLIENT PROFILE SPECIFIC INFORMATION. 2697 # (i.e. The fields that show up in the profile.) 2698 # 2699 get_domain "domain_help" 2700 2701 get_basedn 2702 2703 gssapi_setup 2704 2705 get_profile_name 2706 2707 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then 2708 setup_shadow_update 2709 cleanup 2710 exit 0 2711 fi 2712 2713 get_srv_list 2714 get_pref_srv 2715 get_search_scope 2716 2717 # If cred is "anonymous", make auth == "none" 2718 get_cred_level 2719 if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then 2720 get_auth 2721 fi 2722 2723 get_followref 2724 2725 # Query user about timelimt. 2726 get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help" 2727 NEED_TIME=$? 2728 [ $NEED_TIME -eq 1 ] && get_timelimit 2729 2730 # Query user about sizelimit. 2731 get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help" 2732 NEED_SIZE=$? 2733 [ $NEED_SIZE -eq 1 ] && get_sizelimit 2734 2735 # Does the user want to store passwords in crypt format? 2736 get_want_crypt 2737 2738 # Prompt for any Service Authentication Methods? 2739 get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help" 2740 if [ $? -eq 1 ]; then 2741 # Does the user want to set Service Authentication Method for pam_ldap? 2742 get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help" 2743 NEED_SRVAUTH_PAM=$? 2744 [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam 2745 2746 # Does the user want to set Service Authentication Method for keyserv? 2747 get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help" 2748 NEED_SRVAUTH_KEY=$? 2749 [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key 2750 2751 # Does the user want to set Service Authentication Method for passwd-cmd? 2752 get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help" 2753 NEED_SRVAUTH_CMD=$? 2754 [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd 2755 fi 2756 2757 2758 # Get Timeouts 2759 get_srch_time 2760 get_prof_ttl 2761 get_bind_limit 2762 2763 # Ask whether to enable shadow update 2764 get_want_shadow_update 2765 2766 # Reset the sdd_file and prompt user for SSD. Will use menus 2767 # to build an SSD File. 2768 reset_ssd_file 2769 prompt_ssd 2770 2771 # Display FULL debugging info. 2772 disp_full_debug 2773 2774 # Extra blank line to separate prompt lines from steps. 2775 ${ECHO} " " 2776} 2777 2778 2779###################################################################### 2780# FUNCTIONS FOR display_summary() START HERE. 2781###################################################################### 2782 2783 2784# 2785# get_proxyagent(): Get the proxyagent DN. 2786# 2787get_proxyagent() 2788{ 2789 LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default 2790 get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT" 2791 LDAP_PROXYAGENT=$ANS 2792} 2793 2794 2795# 2796# get_proxy_pw(): Get the proxyagent passwd. 2797# 2798get_proxy_pw() 2799{ 2800 get_passwd "Enter passwd for proxyagent:" 2801 LDAP_PROXYAGENT_CRED=$ANS 2802} 2803 2804# 2805# display_summary(): Display a summary of values entered and let the 2806# user modify values at will. 2807# 2808display_summary() 2809{ 2810 [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()" 2811 2812 # Create lookup table for function names. First entry is dummy for 2813 # shift. 2814 TBL1="dummy" 2815 TBL2="get_domain get_basedn get_profile_name" 2816 TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level" 2817 TBL4="get_auth get_followref" 2818 TBL5="get_timelimit get_sizelimit get_want_crypt" 2819 TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd" 2820 TBL7="get_srch_time get_prof_ttl get_bind_limit" 2821 TBL8="get_want_shadow_update" 2822 TBL9="prompt_ssd" 2823 FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9" 2824 2825 # Since menu prompt string is long, set here. 2826 _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)" 2827 2828 # Infinite loop. Test for 0, and break in loop. 2829 while : 2830 do 2831 # Display menu and get value in range. 2832 display_msg summary_menu 2833 get_menu_choice "${_MENU_PROMPT}" "0" "20" "0" 2834 _CH=$MN_CH 2835 2836 # Make sure where not exiting. 2837 if [ $_CH -eq 0 ]; then 2838 break # Break out of loop if 0 selected. 2839 fi 2840 2841 # Call appropriate function from function table. 2842 set $FUNC_TBL 2843 shift $_CH 2844 $1 # Call the appropriate function. 2845 done 2846 2847 # If cred level is still see if user wants a change? 2848 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1 2849 then 2850 if [ "$LDAP_AUTHMETHOD" != "none" ]; then 2851 NEED_PROXY=1 # I assume integer test is faster? 2852 get_proxyagent 2853 get_proxy_pw 2854 else 2855 ${ECHO} "WARNING: Since Authentication method is 'none'." 2856 ${ECHO} " Credential level will be set to 'anonymous'." 2857 LDAP_CRED_LEVEL="anonymous" 2858 fi 2859 fi 2860 2861 # If shadow update is enabled, set up administrator credential 2862 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then 2863 NEED_ADMIN=1 2864 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then 2865 if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then 2866 NEED_HOSTACL=1 2867 NEED_ADMIN=0 2868 fi 2869 fi 2870 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" 2871 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN" 2872 if [ $NEED_ADMIN -eq 1 ]; then 2873 get_adminDN 2874 get_admin_pw 2875 fi 2876 fi 2877 2878 # Display FULL debugging info. 2879 disp_full_debug 2880 2881 # Final confirmation message. (ARE YOU SURE!) 2882 ${ECHO} " " 2883 get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)" 2884 if [ $? -eq 0 ]; then 2885 ${ECHO} "Terminating setup without making changes at users request." 2886 cleanup 2887 exit 1 2888 fi 2889 2890 # Print newline 2891 ${ECHO} " " 2892} 2893 2894 2895# 2896# create_config_file(): Write config data to config file specified. 2897# 2898create_config_file() 2899{ 2900 [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()" 2901 2902 # If output file exists, delete it. 2903 [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE 2904 2905 # Create output file. 2906 cat > $OUTPUT_FILE <<EOF 2907#!/bin/sh 2908# $OUTPUT_FILE - This file contains configuration information for 2909# Native LDAP. Use the idsconfig tool to load it. 2910# 2911# WARNING: This file was generated by idsconfig, and is intended to 2912# be loaded by idsconfig as is. DO NOT EDIT THIS FILE! 2913# 2914IDS_SERVER="$IDS_SERVER" 2915IDS_PORT=$IDS_PORT 2916IDS_TIMELIMIT=$IDS_TIMELIMIT 2917IDS_SIZELIMIT=$IDS_SIZELIMIT 2918LDAP_ROOTDN="$LDAP_ROOTDN" 2919LDAP_ROOTPWD=$LDAP_ROOTPWD 2920LDAP_DOMAIN="$LDAP_DOMAIN" 2921LDAP_SUFFIX="$LDAP_SUFFIX" 2922GSSAPI_ENABLE=$GSSAPI_ENABLE 2923LDAP_KRB_REALM="$LDAP_KRB_REALM" 2924 2925# Internal program variables that need to be set. 2926NEED_PROXY=$NEED_PROXY 2927NEED_TIME=$NEED_TIME 2928NEED_SIZE=$NEED_SIZE 2929NEED_CRYPT=$NEED_CRYPT 2930NEED_ADMIN=$NEED_ADMIN 2931NEED_HOSTACL=$NEED_HOSTACL 2932EXISTING_PROFILE=$EXISTING_PROFILE 2933 2934# LDAP PROFILE related defaults 2935LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME" 2936DEL_OLD_PROFILE=1 2937LDAP_BASEDN="$LDAP_BASEDN" 2938LDAP_SERVER_LIST="$LDAP_SERVER_LIST" 2939LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD" 2940LDAP_FOLLOWREF=$LDAP_FOLLOWREF 2941LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE" 2942NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM 2943NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY 2944NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD 2945LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM" 2946LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY" 2947LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD" 2948LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT 2949LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST" 2950LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL 2951LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL" 2952LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT 2953 2954# Proxy Agent 2955LDAP_PROXYAGENT="$LDAP_PROXYAGENT" 2956LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED 2957 2958# enableShadowUpdate flag and Administrator credential 2959LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE 2960LDAP_ADMINDN="$LDAP_ADMINDN" 2961LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED 2962 2963# Export all the variables (just in case) 2964export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN 2965export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 2966export NEED_PROXY 2967export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED 2968export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE 2969export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 2970export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 2971export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 2972export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 2973export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 2974export LDAP_SERV_SRCH_DES SSD_FILE GSSAPI_ENABLE LDAP_KRB_REALM 2975 2976# Service Search Descriptors start here if present: 2977EOF 2978 # Add service search descriptors. 2979 ssd_2_config "${OUTPUT_FILE}" 2980 2981 # Add LDAP suffix preferences 2982 print_suffix_config >> "${OUTPUT_FILE}" 2983 2984 # Add the end of FILE tag. 2985 ${ECHO} "" >> ${OUTPUT_FILE} 2986 ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE} 2987} 2988 2989 2990# 2991# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV. 2992# 2993chk_vlv_indexes() 2994{ 2995 # Do ldapsearch to see if server supports VLV. 2996 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1 2997 eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}" 2998 if [ $? -ne 0 ]; then 2999 ${ECHO} "ERROR: VLV is not supported on LDAP server!" 3000 cleanup 3001 exit 1 3002 fi 3003 [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server." 3004} 3005 3006# 3007# get_backend(): this function gets the relevant backend 3008# (database) for LDAP_BASED. 3009# Description: set IDS_DATABASE; exit on failure. 3010# Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are 3011# valid. 3012# 3013# backend is retrieved from suffixes and subsuffixes 3014# defined under "cn=mapping tree,cn=config". The 3015# nsslapd-state attribute of these suffixes entries 3016# is filled with either Backend, Disabled or referrals 3017# related values. We only want those that have a true 3018# backend database to select the relevant backend. 3019# 3020get_backend() 3021{ 3022 [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()" 3023 3024 cur_suffix=${LDAP_BASEDN} 3025 prev_suffix= 3026 IDS_DATABASE= 3027 while [ "${cur_suffix}" != "${prev_suffix}" ] 3028 do 3029 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}" 3030 eval "${LDAPSEARCH} ${LDAP_ARGS} " \ 3031 "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \ 3032 "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \ 3033 "| ${GREP} 'nsslapd-backend=' " \ 3034 "> ${TMPDIR}/ids_database_name 2>&1" 3035 NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'` 3036 case ${NUM_DBS} in 3037 0) # not a suffix, or suffix not activated; try next 3038 prev_suffix=${cur_suffix} 3039 cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','` 3040 ;; 3041 1) # suffix found; get database name 3042 IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2` 3043 ;; 3044 *) # can not handle more than one database per suffix 3045 ${ECHO} "ERROR: More than one database is configured " 3046 ${ECHO} " for $LDAP_SUFFIX!" 3047 ${ECHO} " $PROG can not configure suffixes where " 3048 ${ECHO} " more than one database is used for one suffix." 3049 cleanup 3050 exit 1 3051 ;; 3052 esac 3053 if [ -n "${IDS_DATABASE}" ]; then 3054 break 3055 fi 3056 done 3057 3058 if [ -z "${IDS_DATABASE}" ]; then 3059 # should not happen, since LDAP_BASEDN is supposed to be valid 3060 ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}." 3061 ${ECHO} "Exiting." 3062 cleanup 3063 exit 1 3064 fi 3065 3066 [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}" 3067} 3068 3069# 3070# validate_suffix(): This function validates ${LDAP_SUFFIX} 3071# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 3072# 3073validate_suffix() 3074{ 3075 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()" 3076 3077 # Check LDAP_SUFFIX is not null 3078 if [ -z "${LDAP_SUFFIX}" ]; then 3079 ${ECHO} "Invalid suffix (null suffix)" 3080 cleanup 3081 exit 1 3082 fi 3083 3084 # Check LDAP_SUFFIX and LDAP_BASEDN are consistent 3085 # Convert to lower case for basename. 3086 format_string "${LDAP_BASEDN}" 3087 LOWER_BASEDN="${FMT_STR}" 3088 format_string "${LDAP_SUFFIX}" 3089 LOWER_SUFFIX="${FMT_STR}" 3090 3091 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 3092 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 3093 3094 if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then 3095 sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 3096 if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then 3097 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 3098 ${ECHO} "for Base DN ${LOWER_BASEDN}" 3099 cleanup 3100 exit 1 3101 fi 3102 fi 3103 3104 # Check LDAP_SUFFIX does exist 3105 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0 3106 3107 # Well, suffix does not exist, try to prepare create it ... 3108 NEED_CREATE_SUFFIX=1 3109 prep_create_sfx_entry || 3110 { 3111 cleanup 3112 exit 1 3113 } 3114 [ -n "${NEED_CREATE_BACKEND}" ] && 3115 { 3116 # try to use id attr value of the suffix as a database name 3117 IDS_DATABASE=${_VAL} 3118 prep_create_sfx_backend 3119 case $? in 3120 1) # cann't use the name we want, so we can either exit or use 3121 # some another available name - doing the last ... 3122 IDS_DATABASE=${IDS_DATABASE_AVAIL} 3123 ;; 3124 2) # unable to determine database name 3125 cleanup 3126 exit 1 3127 ;; 3128 esac 3129 } 3130 3131 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE" 3132} 3133 3134# 3135# validate_info(): This function validates the basic info collected 3136# So that some problems are caught right away. 3137# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 3138# 3139validate_info() 3140{ 3141 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()" 3142 3143 # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file. 3144 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 3145 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 3146 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 3147 export SERVER_ARGS 3148 3149 # Check the Root DN and Root DN passwd. 3150 # Use eval instead of $EVAL because not part of setup. (validate) 3151 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 3152 if [ $? -ne 0 ]; then 3153 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 3154 if [ $? -eq 0 ]; then 3155 ${ECHO} "ERROR: Root DN passwd is invalid." 3156 else 3157 ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>." 3158 fi 3159 cleanup 3160 exit 1 3161 fi 3162 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK" 3163 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK" 3164 3165 # Check if the server supports the VLV. 3166 chk_vlv_indexes 3167 [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK" 3168 3169 # Check LDAP suffix 3170 validate_suffix 3171 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK" 3172} 3173 3174# 3175# format_string(): take a string as argument and set FMT_STR 3176# to be the same string formatted as follow: 3177# - only lower case characters 3178# - no unnecessary spaces around , and = 3179# 3180format_string() 3181{ 3182 FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' | 3183 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'` 3184} 3185 3186# 3187# prepare for the suffix entry creation 3188# 3189# input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix; 3190# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config. 3191# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created; 3192# _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value. 3193# return : 0 - success, otherwise error. 3194# 3195prep_create_sfx_entry() 3196{ 3197 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()" 3198 3199 # check whether suffix corresponds to base dn 3200 format_string "${LDAP_BASEDN}" 3201 ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 || 3202 { 3203 display_msg sfx_not_suitable 3204 return 1 3205 } 3206 3207 # parse LDAP_SUFFIX 3208 _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1` 3209 _ATT=`${ECHO} "${_RDN}" | cut -d= -f1` 3210 _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-` 3211 3212 # find out an objectclass for suffix entry if it is not defined yet 3213 [ -z "${LDAP_SUFFIX_OBJ}" ] && 3214 { 3215 get_objectclass ${_ATT} 3216 [ -z "${_ATTR_NAME}" ] && 3217 { 3218 display_msg obj_not_found 3219 return 1 3220 } 3221 LDAP_SUFFIX_OBJ=${_ATTR_NAME} 3222 } 3223 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}" 3224 3225 # find out an aci for suffix entry if it is not defined yet 3226 [ -z "${LDAP_SUFFIX_ACI}" ] && 3227 { 3228 # set Directory Server default aci 3229 LDAP_SUFFIX_ACI=`cat <<EOF 3230aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime 3231 || passwordExpWarned || passwordRetryCount || retryCountResetTime || 3232 accountUnlockTime || passwordAllowChangeTime") 3233 ( 3234 version 3.0; 3235 acl "Anonymous access"; 3236 allow (read, search, compare) userdn = "ldap:///anyone"; 3237 ) 3238aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || 3239 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 3240 passwordExpirationTime || passwordExpWarned || passwordRetryCount || 3241 retryCountResetTime || accountUnlockTime || passwordHistory || 3242 passwordAllowChangeTime") 3243 ( 3244 version 3.0; 3245 acl "Allow self entry modification except for some attributes"; 3246 allow (write) userdn = "ldap:///self"; 3247 ) 3248aci: (targetattr = "*") 3249 ( 3250 version 3.0; 3251 acl "Configuration Administrator"; 3252 allow (all) userdn = "ldap:///uid=admin,ou=Administrators, 3253 ou=TopologyManagement,o=NetscapeRoot"; 3254 ) 3255aci: (targetattr ="*") 3256 ( 3257 version 3.0; 3258 acl "Configuration Administrators Group"; 3259 allow (all) groupdn = "ldap:///cn=Configuration Administrators, 3260 ou=Groups,ou=TopologyManagement,o=NetscapeRoot"; 3261 ) 3262EOF 3263` 3264 } 3265 [ $DEBUG -eq 1 ] && cat <<EOF 3266DEBUG: ACI for ${LDAP_SUFFIX} is 3267${LDAP_SUFFIX_ACI} 3268EOF 3269 3270 NEED_CREATE_BACKEND= 3271 3272 # check the suffix mapping tree ... 3273 # if mapping exists, suffix should work, otherwise DS inconsistent 3274 # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work 3275 # in case of 'cn' value in LDAP is not quoted by '"', 3276 # -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases 3277 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3278 -b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \ 3279 -s base 'objectclass=*' dn ${VERB}" && 3280 { 3281 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists" 3282 # get_backend() either gets IDS_DATABASE or exits 3283 get_backend 3284 return 0 3285 } 3286 3287 # no suffix mapping, just in case check ldbm backends consistency - 3288 # there are must be NO any databases pointing to LDAP_SUFFIX 3289 [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \ 3290 -b 'cn=ldbm database,cn=plugins,cn=config' \ 3291 -s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] && 3292 { 3293 display_msg sfx_config_incons 3294 return 1 3295 } 3296 3297 # ok, no suffix mapping, no ldbm database 3298 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..." 3299 NEED_CREATE_BACKEND=1 3300 return 0 3301} 3302 3303# 3304# prepare for the suffix backend creation 3305# 3306# input : IDS_DATABASE - requested ldbm db name (must be not null) 3307# in/out : IDS_DATABASE_AVAIL - available ldbm db name 3308# return : 0 - ldbm db name ok 3309# 1 - IDS_DATABASE exists, 3310# so IDS_DATABASE_AVAIL contains available name 3311# 2 - unable to find any available name 3312# 3313prep_create_sfx_backend() 3314{ 3315 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()" 3316 3317 # check if requested name available 3318 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 3319 3320 # get the list of database names start with a requested name 3321 _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3322 -b 'cn=ldbm database,cn=plugins,cn=config' \ 3323 -s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null 3324 3325 # find available db name based on a requested name 3326 _i=""; _i_MAX=10 3327 while [ ${_i:-0} -lt ${_i_MAX} ] 3328 do 3329 _name="${IDS_DATABASE}${_i}" 3330 ${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 || 3331 { 3332 IDS_DATABASE_AVAIL="${_name}" 3333 break 3334 } 3335 _i=`expr ${_i:-0} + 1` 3336 done 3337 3338 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 3339 3340 [ -n "${IDS_DATABASE_AVAIL}" ] && 3341 { 3342 display_msg ldbm_db_exist 3343 return 1 3344 } 3345 3346 display_msg unable_find_db_name 3347 return 2 3348} 3349 3350# 3351# add suffix if needed, 3352# suffix entry and backend MUST be prepared by 3353# prep_create_sfx_entry and prep_create_sfx_backend correspondingly 3354# 3355# input : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL 3356# LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE 3357# return : 0 - suffix successfully created, otherwise error occured 3358# 3359add_suffix() 3360{ 3361 [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()" 3362 3363 [ -n "${NEED_CREATE_SUFFIX}" ] || return 0 3364 3365 [ -n "${NEED_CREATE_BACKEND}" ] && 3366 { 3367 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 3368dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config 3369objectclass: top 3370objectclass: extensibleObject 3371objectclass: nsMappingTree 3372cn: ${LDAP_SUFFIX} 3373nsslapd-state: backend 3374nsslapd-backend: ${IDS_DATABASE} 3375 3376dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config 3377objectclass: top 3378objectclass: extensibleObject 3379objectclass: nsBackendInstance 3380cn: ${IDS_DATABASE} 3381nsslapd-suffix: ${LDAP_SUFFIX} 3382EOF 3383 [ $? -ne 0 ] && 3384 { 3385 display_msg create_ldbm_db_error 3386 return 1 3387 } 3388 3389 ${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created" 3390 STEP=`expr $STEP + 1` 3391 } 3392 3393 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 3394dn: ${LDAP_SUFFIX} 3395objectclass: ${LDAP_SUFFIX_OBJ} 3396${_ATT}: ${_VAL} 3397${LDAP_SUFFIX_ACI} 3398EOF 3399 [ $? -ne 0 ] && 3400 { 3401 display_msg create_suffix_entry_error 3402 return 1 3403 } 3404 3405 ${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created" 3406 STEP=`expr $STEP + 1` 3407 return 0 3408} 3409 3410# 3411# interactively get suffix and related info from a user 3412# 3413# input : LDAP_BASEDN - Base DN 3414# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value; 3415# LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci; 3416# NEED_CREATE_BACKEND - tells whether backend needs to be created; 3417# IDS_DATABASE - prepared ldbm db name 3418# return : 0 - user gave a correct suffix 3419# 1 - suffix given by user cann't be created 3420# 3421get_suffix() 3422{ 3423 [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()" 3424 3425 while : 3426 do 3427 get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN} 3428 case "${ANS}" in 3429 [Hh] | Help | help | \? ) display_msg create_suffix_help ;; 3430 [Bb] | Back | back | \< ) return 1 ;; 3431 * ) 3432 format_string "${ANS}" 3433 LDAP_SUFFIX=${FMT_STR} 3434 prep_create_sfx_entry || continue 3435 3436 [ -n "${NEED_CREATE_BACKEND}" ] && 3437 { 3438 IDS_DATABASE_AVAIL= # reset the available db name 3439 3440 reenter_suffix= 3441 while : 3442 do 3443 get_ans "Enter ldbm database name (b=back/h=help):" \ 3444 ${IDS_DATABASE_AVAIL:-${_VAL}} 3445 case "${ANS}" in 3446 [Hh] | \? ) display_msg enter_ldbm_db_help ;; 3447 [Bb] | \< ) reenter_suffix=1; break ;; 3448 * ) 3449 IDS_DATABASE="${ANS}" 3450 prep_create_sfx_backend && break 3451 esac 3452 done 3453 [ -n "${reenter_suffix}" ] && continue 3454 3455 [ $DEBUG -eq 1 ] && cat <<EOF 3456DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE} 3457EOF 3458 } 3459 3460 # eventually everything is prepared 3461 return 0 3462 ;; 3463 esac 3464 done 3465} 3466 3467# 3468# print out a script which sets LDAP suffix related preferences 3469# 3470print_suffix_config() 3471{ 3472 cat <<EOF2 3473# LDAP suffix related preferences used only if needed 3474IDS_DATABASE="${IDS_DATABASE}" 3475LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ" 3476LDAP_SUFFIX_ACI=\`cat <<EOF 3477${LDAP_SUFFIX_ACI} 3478EOF 3479\` 3480export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI 3481EOF2 3482} 3483 3484# 3485# check_basedn_suffix(): check that there is an existing 3486# valid suffix to hold current base DN 3487# return: 3488# 0: valid suffix found or new one should be created, 3489# NEED_CREATE_SUFFIX flag actually indicates that 3490# 1: some error occures 3491# 3492check_basedn_suffix() 3493{ 3494 [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()" 3495 3496 NEED_CREATE_SUFFIX= 3497 3498 # find out existing suffixes 3499 discover_serv_suffix 3500 3501 ${ECHO} " Validating LDAP Base DN and Suffix ..." 3502 3503 # check that LDAP Base DN might be added 3504 cur_ldap_entry=${LDAP_BASEDN} 3505 prev_ldap_entry= 3506 while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ] 3507 do 3508 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}" 3509 ${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \ 3510 -s one "objectclass=*" > /dev/null 2>&1 3511 if [ $? -eq 0 ]; then 3512 break 3513 else 3514 prev_ldap_entry=${cur_ldap_entry} 3515 cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','` 3516 fi 3517 done 3518 3519 if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then 3520 ${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}" 3521 3522 NEED_CREATE_SUFFIX=1 3523 return 0 3524 3525 else 3526 [ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}" 3527 3528 # Now looking for relevant suffix for this entry. 3529 # LDAP_SUFFIX will then be used to add necessary 3530 # base objects. See add_base_objects(). 3531 format_string "${cur_ldap_entry}" 3532 lower_entry="${FMT_STR}" 3533 [ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}" 3534 oIFS=$IFS 3535 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line" 3536 IFS=' 3537' 3538 for suff in ${LDAP_SUFFIX_LIST} 3539 do 3540 [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}" 3541 format_string "${suff}" 3542 lower_suff="${FMT_STR}" 3543 if [ "${lower_entry}" = "${lower_suff}" ]; then 3544 LDAP_SUFFIX="${suff}" 3545 break 3546 else 3547 dcstmp=`basename "${lower_entry}" "${lower_suff}"` 3548 if [ "${dcstmp}" = "${lower_entry}" ]; then 3549 # invalid suffix, try next one 3550 continue 3551 else 3552 # valid suffix found 3553 LDAP_SUFFIX="${suff}" 3554 break 3555 fi 3556 fi 3557 done 3558 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value" 3559 IFS=$oIFS 3560 3561 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}" 3562 3563 if [ -z "${LDAP_SUFFIX}" ]; then 3564 # should not happen, since we found the entry 3565 ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}." 3566 ${ECHO} "Exiting." 3567 return 1 3568 fi 3569 3570 # Getting relevant database (backend) 3571 # IDS_DATABASE will then be used to create indexes. 3572 get_backend 3573 3574 return 0 3575 fi 3576} 3577 3578# 3579# discover_serv_suffix(): This function queries the server to find 3580# suffixes available 3581# return: 0: OK, suffix found 3582# 1: suffix not determined 3583discover_serv_suffix() 3584{ 3585 [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()" 3586 3587 # Search the server for the TOP of the TREE. 3588 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1 3589 ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \ 3590 ${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP 3591 NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'` 3592 case $NUM_TOP in 3593 0) 3594 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree" 3595 return 1 3596 ;; 3597 *) # build the list of suffixes; take out 'namingContexts=' in 3598 # each line of ${TMPDIR}/treeTOP 3599 LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP | 3600 awk '{ printf("%s\n",substr($0,16,length-15)) }'` 3601 ;; 3602 esac 3603 3604 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST" 3605 return 0 3606} 3607 3608 3609# 3610# modify_cn(): Change the cn from MUST to MAY in ipNetwork. 3611# 3612modify_cn() 3613{ 3614 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()" 3615 3616 ( cat <<EOF 3617dn: cn=schema 3618changetype: modify 3619add: objectclasses 3620objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' ) 3621EOF 3622) > ${TMPDIR}/ipNetwork_cn 3623 3624 # Modify the cn for ipNetwork. 3625 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}" 3626 if [ $? -ne 0 ]; then 3627 ${ECHO} " ERROR: update of cn for ipNetwork failed!" 3628 cleanup 3629 exit 1 3630 fi 3631} 3632 3633 3634# modify_timelimit(): Modify timelimit to user value. 3635modify_timelimit() 3636{ 3637 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()" 3638 3639 # Here doc to modify timelimit. 3640 ( cat <<EOF 3641dn: cn=config 3642changetype: modify 3643replace: nsslapd-timelimit 3644nsslapd-timelimit: ${IDS_TIMELIMIT} 3645EOF 3646) > ${TMPDIR}/ids_timelimit 3647 3648 # Add the entry. 3649 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}" 3650 if [ $? -ne 0 ]; then 3651 ${ECHO} " ERROR: update of nsslapd-timelimit failed!" 3652 cleanup 3653 exit 1 3654 fi 3655 3656 # Display messages for modifications made in patch. 3657 ${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config." 3658 STEP=`expr $STEP + 1` 3659} 3660 3661 3662# modify_sizelimit(): Modify sizelimit to user value. 3663modify_sizelimit() 3664{ 3665 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()" 3666 3667 # Here doc to modify sizelimit. 3668 ( cat <<EOF 3669dn: cn=config 3670changetype: modify 3671replace: nsslapd-sizelimit 3672nsslapd-sizelimit: ${IDS_SIZELIMIT} 3673EOF 3674) > ${TMPDIR}/ids_sizelimit 3675 3676 # Add the entry. 3677 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}" 3678 if [ $? -ne 0 ]; then 3679 ${ECHO} " ERROR: update of nsslapd-sizelimit failed!" 3680 cleanup 3681 exit 1 3682 fi 3683 3684 # Display messages for modifications made in patch. 3685 ${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config." 3686 STEP=`expr $STEP + 1` 3687} 3688 3689 3690# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT. 3691modify_pwd_crypt() 3692{ 3693 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()" 3694 3695 # Here doc to modify passwordstoragescheme. 3696 # IDS 5.2 moved passwordchangesceme off to a new data structure. 3697 if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then 3698 ( cat <<EOF 3699dn: cn=config 3700changetype: modify 3701replace: passwordstoragescheme 3702passwordstoragescheme: crypt 3703EOF 3704 ) > ${TMPDIR}/ids_crypt 3705 else 3706 ( cat <<EOF 3707dn: cn=Password Policy,cn=config 3708changetype: modify 3709replace: passwordstoragescheme 3710passwordstoragescheme: crypt 3711EOF 3712 ) > ${TMPDIR}/ids_crypt 3713 fi 3714 3715 # Add the entry. 3716 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}" 3717 if [ $? -ne 0 ]; then 3718 ${ECHO} " ERROR: update of passwordstoragescheme failed!" 3719 cleanup 3720 exit 1 3721 fi 3722 3723 # Display messages for modifications made in patch. 3724 ${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config." 3725 STEP=`expr $STEP + 1` 3726} 3727 3728 3729# 3730# add_eq_indexes(): Add indexes to improve search performance. 3731# 3732add_eq_indexes() 3733{ 3734 [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()" 3735 3736 # Set eq indexes to add. 3737 _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey" 3738 3739 if [ -z "${IDS_DATABASE}" ]; then 3740 get_backend 3741 fi 3742 3743 # Set _EXT to use as shortcut. 3744 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3745 3746 # Display message to id current step. 3747 ${ECHO} " ${STEP}. Processing eq,pres indexes:" 3748 STEP=`expr $STEP + 1` 3749 3750 # For loop to create indexes. 3751 for i in ${_INDEXES}; do 3752 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3753 3754 # Check if entry exists first, if so, skip to next. 3755 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \ 3756 \"objectclass=*\" > /dev/null 2>&1" 3757 if [ $? -eq 0 ]; then 3758 # Display index skipped. 3759 ${ECHO} " ${i} (eq,pres) skipped already exists" 3760 continue 3761 fi 3762 3763 # Here doc to create LDIF. 3764 ( cat <<EOF 3765dn: cn=${i},${_EXT} 3766objectClass: top 3767objectClass: nsIndex 3768cn: ${i} 3769nsSystemIndex: false 3770nsIndexType: pres 3771nsIndexType: eq 3772EOF 3773) > ${TMPDIR}/index_${i} 3774 3775 # Add the index. 3776 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3777 if [ $? -ne 0 ]; then 3778 ${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!" 3779 cleanup 3780 exit 1 3781 fi 3782 3783 # Build date for task name. 3784 _YR=`date '+%y'` 3785 _MN=`date '+%m'` 3786 _DY=`date '+%d'` 3787 _H=`date '+%H'` 3788 _M=`date '+%M'` 3789 _S=`date '+%S'` 3790 3791 # Build task name 3792 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3793 3794 # Build the task entry to add. 3795 ( cat <<EOF 3796dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3797changetype: add 3798objectclass: top 3799objectclass: extensibleObject 3800cn: ${TASKNAME} 3801nsInstance: ${IDS_DATABASE} 3802nsIndexAttribute: ${i} 3803EOF 3804) > ${TMPDIR}/task_${i} 3805 3806 # Add the task. 3807 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3808 if [ $? -ne 0 ]; then 3809 ${ECHO} " ERROR: Adding task for ${i} failed!" 3810 cleanup 3811 exit 1 3812 fi 3813 3814 # Wait for task to finish, display current status. 3815 while : 3816 do 3817 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3818 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 3819 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 3820 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 3821 if [ $? -ne 0 ]; then 3822 break 3823 fi 3824 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 3825 head -1 | cut -d: -f2` 3826 ${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c" 3827 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3828 if [ $? -eq 0 ]; then 3829 break 3830 fi 3831 sleep 2 3832 done 3833 3834 # Print newline because of \c. 3835 ${ECHO} " " 3836 done 3837} 3838 3839 3840# 3841# add_sub_indexes(): Add indexes to improve search performance. 3842# 3843add_sub_indexes() 3844{ 3845 [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()" 3846 3847 # Set eq indexes to add. 3848 _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple" 3849 3850 # Set _EXT to use as shortcut. 3851 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3852 3853 3854 # Display message to id current step. 3855 ${ECHO} " ${STEP}. Processing eq,pres,sub indexes:" 3856 STEP=`expr $STEP + 1` 3857 3858 # For loop to create indexes. 3859 for i in ${_INDEXES}; do 3860 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3861 3862 # Check if entry exists first, if so, skip to next. 3863 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \ 3864 -s base \"objectclass=*\" > /dev/null 2>&1" 3865 if [ $? -eq 0 ]; then 3866 # Display index skipped. 3867 ${ECHO} " ${i} (eq,pres,sub) skipped already exists" 3868 continue 3869 fi 3870 3871 # Here doc to create LDIF. 3872 ( cat <<EOF 3873dn: cn=${i},${_EXT} 3874objectClass: top 3875objectClass: nsIndex 3876cn: ${i} 3877nsSystemIndex: false 3878nsIndexType: pres 3879nsIndexType: eq 3880nsIndexType: sub 3881EOF 3882) > ${TMPDIR}/index_${i} 3883 3884 # Add the index. 3885 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3886 if [ $? -ne 0 ]; then 3887 ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!" 3888 cleanup 3889 exit 1 3890 fi 3891 3892 # Build date for task name. 3893 _YR=`date '+%y'` 3894 _MN=`date '+%m'` 3895 _DY=`date '+%d'` 3896 _H=`date '+%H'` 3897 _M=`date '+%M'` 3898 _S=`date '+%S'` 3899 3900 # Build task name 3901 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3902 3903 # Build the task entry to add. 3904 ( cat <<EOF 3905dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3906changetype: add 3907objectclass: top 3908objectclass: extensibleObject 3909cn: ${TASKNAME} 3910nsInstance: ${IDS_DATABASE} 3911nsIndexAttribute: ${i} 3912EOF 3913) > ${TMPDIR}/task_${i} 3914 3915 # Add the task. 3916 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3917 if [ $? -ne 0 ]; then 3918 ${ECHO} " ERROR: Adding task for ${i} failed!" 3919 cleanup 3920 exit 1 3921 fi 3922 3923 # Wait for task to finish, display current status. 3924 while : 3925 do 3926 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3927 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 3928 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 3929 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 3930 if [ $? -ne 0 ]; then 3931 break 3932 fi 3933 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 3934 head -1 | cut -d: -f2` 3935 ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c" 3936 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3937 if [ $? -eq 0 ]; then 3938 break 3939 fi 3940 sleep 2 3941 done 3942 3943 # Print newline because of \c. 3944 ${ECHO} " " 3945 done 3946} 3947 3948 3949# 3950# add_vlv_indexes(): Add VLV indexes to improve search performance. 3951# 3952add_vlv_indexes() 3953{ 3954 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()" 3955 3956 # Set eq indexes to add. 3957 # Note semi colon separators because some filters contain colons 3958 _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup" 3959 _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost" 3960 _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork" 3961 _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount" 3962 _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc" 3963 _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount" 3964 3965 # Indexes added during NIS to LDAP transition 3966 _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount" 3967 _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr" 3968 _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser" 3969 _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr" 3970 _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)" 3971 _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)" 3972 _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup" 3973 _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)" 3974 _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)" 3975 _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup" 3976 _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)" 3977 _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)" 3978 _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService" 3979 _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)" 3980 _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)" 3981 3982 _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 " 3983 3984 3985 # Set _EXT to use as shortcut. 3986 _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3987 3988 3989 # Display message to id current step. 3990 ${ECHO} " ${STEP}. Processing VLV indexes:" 3991 STEP=`expr $STEP + 1` 3992 3993 # Reset temp file for vlvindex commands. 3994 [ -f ${TMPDIR}/ds5_vlvindex_list ] && rm ${TMPDIR}/ds5_vlvindex_list 3995 touch ${TMPDIR}/ds5_vlvindex_list 3996 [ -f ${TMPDIR}/ds6_vlvindex_list ] && rm ${TMPDIR}/ds6_vlvindex_list 3997 touch ${TMPDIR}/ds6_vlvindex_list 3998 3999 # Get the instance name from iDS server. 4000 _INSTANCE="<server-instance>" # Default to old output. 4001 4002 eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1" 4003 4004 ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right? 4005 if [ $? -eq 0 ]; then # If success, grab name after "slapd-". 4006 _INST_DIR=`cat ${TMPDIR}/instance_name` 4007 _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-` 4008 fi 4009 4010 # For loop to create indexes. 4011 for p in ${_INDEXES}; do 4012 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 4013 4014 # Break p (pair) into i and j parts. 4015 i=`${ECHO} $p | cut -d';' -f1` 4016 j=`${ECHO} $p | cut -d';' -f2` 4017 k=`${ECHO} $p | cut -d';' -f3` 4018 m=`${ECHO} $p | cut -d';' -f4` 4019 4020 # Set _jEXT to use as shortcut. 4021 _jEXT="cn=${j},${_EXT}" 4022 4023 # Check if entry exists first, if so, skip to next. 4024 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1 4025 if [ $? -eq 0 ]; then 4026 # Display index skipped. 4027 ${ECHO} " ${i} vlv_index skipped already exists" 4028 continue 4029 fi 4030 4031 # Compute the VLV Scope from the LDAP_SEARCH_SCOPE. 4032 # NOTE: A value of "base (0)" does not make sense. 4033 case "$LDAP_SEARCH_SCOPE" in 4034 sub) VLV_SCOPE="2" ;; 4035 *) VLV_SCOPE="1" ;; 4036 esac 4037 4038 # Here doc to create LDIF. 4039 ( cat <<EOF 4040dn: ${_jEXT} 4041objectClass: top 4042objectClass: vlvSearch 4043cn: ${j} 4044vlvbase: ${k},${LDAP_BASEDN} 4045vlvscope: ${VLV_SCOPE} 4046vlvfilter: (${m}) 4047aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";) 4048 4049dn: cn=${i},${_jEXT} 4050cn: ${i} 4051vlvSort: cn uid 4052objectclass: top 4053objectclass: vlvIndex 4054EOF 4055) > ${TMPDIR}/vlv_index_${i} 4056 4057 # Add the index. 4058 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}" 4059 if [ $? -ne 0 ]; then 4060 ${ECHO} " ERROR: Adding VLV index for ${i} failed!" 4061 cleanup 4062 exit 1 4063 fi 4064 4065 # Print message that index was created. 4066 ${ECHO} " ${i} vlv_index Entry created" 4067 4068 # Add command to list of vlvindex commands to run. 4069 ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list 4070 ${ECHO} " <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list 4071 done 4072} 4073 4074 4075# 4076# display_vlv_cmds(): Display VLV index commands to run on server. 4077# 4078display_vlv_cmds() 4079{ 4080 if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \ 4081 -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4082 display_msg display_vlv_list 4083 fi 4084 4085 if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then 4086 cat ${TMPDIR}/ds5_vlvindex_list 4087 fi 4088 4089 cat << EOF 4090 4091 4092EOF 4093 4094 if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4095 cat ${TMPDIR}/ds6_vlvindex_list 4096 fi 4097} 4098 4099# 4100# keep_backward_compatibility(): Modify schema for the backward compatibility if 4101# there are the incompatible attributes already 4102# 4103keep_backward_compatibility() 4104{ 4105 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \ 4106 \"objectclass=*\" attributeTypes | ${GREP} -i memberGid-oid ${VERB}" 4107 if [ $? -eq 0 ]; then 4108 ${SED} -e 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.5\.1\.30\ /memberGid-oid\ /' \ 4109 ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new 4110 ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr 4111 fi 4112 4113 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \ 4114 \"objectclass=*\" attributeTypes | ${GREP} -i rfc822mailMember-oid \ 4115 ${VERB}" 4116 if [ $? -eq 0 ]; then 4117 ${SED} -e \ 4118 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.2\.1\.15\ /rfc822mailMember-oid\ /' \ 4119 ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new 4120 ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr 4121 fi 4122} 4123 4124# 4125# update_schema_attr(): Update Schema to support Naming. 4126# 4127update_schema_attr() 4128{ 4129 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" 4130 4131 ( cat <<EOF 4132dn: cn=schema 4133changetype: modify 4134add: attributetypes 4135attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4136attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4137attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4138attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4139attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4140attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4141attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4142attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4143attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4144attributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4145attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4146attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4147attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4148attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4149attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4150attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4151attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4152attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4153attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4154attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4155attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4156attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4157attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4158attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4159attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4160attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4161attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4162attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4163attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4164attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4165attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4166attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4167attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4168attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4169attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4170attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4171attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4172attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4173attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4174attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4175attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4176attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4177attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4178attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4179attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4180attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4181attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4182attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4183attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4184attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4185attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4186attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4187attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4188attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4189attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4190attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4191attributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4192attributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4193attributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4194attributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4195attributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4196attributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4197attributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4198attributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4199attributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4200attributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 4201attributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE ) 4202attributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 4203attributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 4204attributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4205attributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 4206attributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4207attributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4208attributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4209attributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4210attributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 4211attributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4212attributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4213attributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4214attributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4215attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4216attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4217attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4218attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4219attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4220attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4221attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4222attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4223attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4224attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4225attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4226attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4227attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4228attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4229attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4230EOF 4231) > ${TMPDIR}/schema_attr 4232 4233 keep_backward_compatibility 4234 4235 # Add the entry. 4236 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}" 4237 if [ $? -ne 0 ]; then 4238 ${ECHO} " ERROR: update of schema attributes failed!" 4239 cleanup 4240 exit 1 4241 fi 4242 4243 # Display message that schema is updated. 4244 ${ECHO} " ${STEP}. Schema attributes have been updated." 4245 STEP=`expr $STEP + 1` 4246} 4247 4248 4249# 4250# update_schema_obj(): Update the schema objectclass definitions. 4251# 4252update_schema_obj() 4253{ 4254 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()" 4255 4256 # Add the objectclass definitions. 4257 ( cat <<EOF 4258dn: cn=schema 4259changetype: modify 4260add: objectclasses 4261objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) ) 4262 4263dn: cn=schema 4264changetype: modify 4265add: objectclasses 4266objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain ) 4267 4268dn: cn=schema 4269changetype: modify 4270add: objectclasses 4271objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description ) 4272 4273dn: cn=schema 4274changetype: modify 4275add: objectclasses 4276objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description ) 4277 4278dn: cn=schema 4279changetype: modify 4280add: objectclasses 4281objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) ) 4282 4283dn: cn=schema 4284changetype: modify 4285add: objectclasses 4286objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) ) 4287 4288dn: cn=schema 4289changetype: modify 4290add: objectclasses 4291objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember ) 4292 4293dn: cn=schema 4294changetype: modify 4295add: objectclasses 4296objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) ) 4297 4298dn: cn=schema 4299changetype: modify 4300add: objectclasses 4301objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) ) 4302 4303dn: cn=schema 4304changetype: modify 4305add: objectclasses 4306objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) ) 4307 4308dn: cn=schema 4309changetype: modify 4310add: objectclasses 4311objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) 4312 4313dn: cn=schema 4314changetype: modify 4315add: objectclasses 4316objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) 4317 4318dn: cn=schema 4319changetype: modify 4320add: objectclasses 4321objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) ) 4322 4323dn: cn=schema 4324changetype: modify 4325add: objectclasses 4326objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) ) 4327 4328dn: cn=schema 4329changetype: modify 4330add: objectclasses 4331objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) ) 4332 4333dn: cn=schema 4334changetype: modify 4335add: objectclasses 4336objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass ) 4337 4338dn: cn=schema 4339changetype: modify 4340add: objectclasses 4341objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY ) 4342 4343dn: cn=schema 4344changetype: modify 4345add: objectclasses 4346objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) ) 4347 4348dn: cn=schema 4349changetype: modify 4350add: objectclasses 4351objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) ) 4352 4353dn: cn=schema 4354changetype: modify 4355add: objectclasses 4356objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) ) 4357 4358dn: cn=schema 4359changetype: modify 4360add: objectclasses 4361objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) ) 4362 4363dn: cn=schema 4364changetype: modify 4365add: objectclasses 4366objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases ) 4367 4368dn: cn=schema 4369changetype: modify 4370add: objectclasses 4371objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) ) 4372 4373dn: cn=schema 4374changetype: modify 4375add: objectclasses 4376objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) ) 4377 4378dn: cn=schema 4379changetype: modify 4380add: objectclasses 4381objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue ) 4382 4383dn: cn=schema 4384changetype: modify 4385add: objectclasses 4386objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber ) 4387EOF 4388) > ${TMPDIR}/schema_obj 4389 4390 # Add the entry. 4391 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}" 4392 if [ $? -ne 0 ]; then 4393 ${ECHO} " ERROR: update of schema objectclass definitions failed!" 4394 cleanup 4395 exit 1 4396 fi 4397 4398 # Display message that schema is updated. 4399 ${ECHO} " ${STEP}. Schema objectclass definitions have been added." 4400 STEP=`expr $STEP + 1` 4401} 4402 4403# 4404# modify_top_aci(): Modify the ACI for the top entry to disable self modify 4405# of user attributes. 4406# 4407modify_top_aci() 4408{ 4409 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()" 4410 4411 # Set ACI Name 4412 ACI_NAME="LDAP_Naming_Services_deny_write_access" 4413 4414 # Search for ACI_NAME 4415 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1" 4416 if [ $? -ne 0 ]; then 4417 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4418 cat ${TMPDIR}/chk_top_aci 4419 cleanup 4420 exit 1 4421 fi 4422 ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1 4423 if [ $? -eq 0 ]; then 4424 ${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}." 4425 STEP=`expr $STEP + 1` 4426 return 0 4427 fi 4428 4429 # Crate LDIF for top level ACI. 4430 ( cat <<EOF 4431dn: ${LDAP_BASEDN} 4432changetype: modify 4433add: aci 4434aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAuditAlways||SolarisAuditNever||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";) 4435- 4436EOF 4437) > ${TMPDIR}/top_aci 4438 4439 # Add the entry. 4440 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}" 4441 if [ $? -ne 0 ]; then 4442 ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)" 4443 cleanup 4444 exit 1 4445 fi 4446 4447 # Display message that ACI is updated. 4448 MSG="ACI for ${LDAP_BASEDN} modified to disable self modify." 4449 if [ $EXISTING_PROFILE -eq 1 ];then 4450 ${ECHO} " ACI SET: $MSG" 4451 else 4452 ${ECHO} " ${STEP}. $MSG" 4453 STEP=`expr $STEP + 1` 4454 fi 4455} 4456 4457# 4458# find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1. 4459# Delete the ACI and print a message using $3 as the ACI name. $3 is needed 4460# because it could have a different value than that of $1. 4461find_and_delete_ACI() 4462{ 4463 [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI" 4464 4465 # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN} 4466 ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1 4467 if [ -s ${TMPDIR}/grep_find_delete_aci ]; then 4468 aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci` 4469 4470 # Create the tmp file to delete the ACI. 4471 ( cat <<EOF 4472dn: ${LDAP_BASEDN} 4473changetype: modify 4474delete: aci 4475aci: ${aci_to_delete} 4476EOF 4477 ) > ${TMPDIR}/find_delete_aci 4478 4479 # Delete the ACI 4480 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}" 4481 if [ $? -ne 0 ]; then 4482 ${ECHO} " ERROR: Remove of $3 ACI failed!" 4483 cleanup 4484 exit 1 4485 fi 4486 4487 ${RM} -f ${TMPDIR}/find_delete_aci 4488 # Display message that an ACL is deleted. 4489 MSG="ACI $3 deleted." 4490 if [ $EXISTING_PROFILE -eq 1 ]; then 4491 ${ECHO} " ACI DELETED: $MSG" 4492 else 4493 ${ECHO} " ${STEP}. $MSG" 4494 STEP=`expr $STEP + 1` 4495 fi 4496 fi 4497} 4498 4499# 4500# Add an ACI to deny non-admin access to shadow data when 4501# shadow update is enabled. 4502# 4503deny_non_admin_shadow_access() 4504{ 4505 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()" 4506 4507 # Set ACI Names 4508 ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access" 4509 ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access" 4510 4511 # Search for ACI_TO_ADD 4512 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1" 4513 if [ $? -ne 0 ]; then 4514 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4515 cleanup 4516 exit 1 4517 fi 4518 4519 # If an ACI with ${ACI_TO_ADD} already exists, we are done. 4520 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null 4521 if [ $? -eq 0 ]; then 4522 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." 4523 if [ $EXISTING_PROFILE -eq 1 ]; then 4524 ${ECHO} " NOT SET: $MSG" 4525 else 4526 ${ECHO} " ${STEP}. $MSG" 4527 STEP=`expr $STEP + 1` 4528 fi 4529 return 0 4530 fi 4531 4532 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs 4533 # should be mutually exclusive, so if the latter exists, delete it. 4534 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL} 4535 4536 # Create the tmp file to add. 4537 ( cat <<EOF 4538dn: ${LDAP_BASEDN} 4539changetype: modify 4540add: aci 4541aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange|| 4542 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire|| 4543 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD}; 4544 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";) 4545EOF 4546) > ${TMPDIR}/non_admin_aci_write 4547 4548 # Add the entry. 4549 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}" 4550 if [ $? -ne 0 ]; then 4551 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" 4552 ${CAT} ${TMPDIR}/non_admin_aci_write 4553 cleanup 4554 exit 1 4555 fi 4556 4557 ${RM} -f ${TMPDIR}/non_admin_aci_write 4558 # Display message that the non-admin access to shadow data is denied. 4559 MSG="Non-Admin access to shadow data denied." 4560 if [ $EXISTING_PROFILE -eq 1 ]; then 4561 ${ECHO} " ACI SET: $MSG" 4562 else 4563 ${ECHO} " ${STEP}. $MSG" 4564 STEP=`expr $STEP + 1` 4565 fi 4566} 4567 4568# 4569# Add an ACI to deny non-host access to shadow data when 4570# shadow update is enabled and auth Method if gssapi. 4571# 4572deny_non_host_shadow_access() 4573{ 4574 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()" 4575 4576 # Set ACI Names 4577 ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access" 4578 ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access" 4579 4580 # Search for ACI_TO_ADD 4581 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1" 4582 if [ $? -ne 0 ]; then 4583 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4584 cleanup 4585 exit 1 4586 fi 4587 4588 # If an ACI with ${ACI_TO_ADD} already exists, we are done. 4589 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null 4590 if [ $? -eq 0 ]; then 4591 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." 4592 if [ $EXISTING_PROFILE -eq 1 ]; then 4593 ${ECHO} " NOT SET: $MSG" 4594 else 4595 ${ECHO} " ${STEP}. $MSG" 4596 STEP=`expr $STEP + 1` 4597 fi 4598 return 0 4599 fi 4600 4601 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs 4602 # should be mutually exclusive, so if the former exists, delete it. 4603 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL} 4604 4605 # Create the tmp file to add. 4606 ( cat <<EOF 4607dn: ${LDAP_BASEDN} 4608changetype: modify 4609add: aci 4610aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange|| 4611 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire|| 4612 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD}; 4613 deny (write,read,search,compare) 4614 userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";) 4615EOF 4616) > ${TMPDIR}/non_host_aci_write 4617 4618 # Add the entry. 4619 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}" 4620 if [ $? -ne 0 ]; then 4621 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" 4622 ${CAT} ${TMPDIR}/non_host_aci_write 4623 cleanup 4624 exit 1 4625 fi 4626 4627 ${RM} -f ${TMPDIR}/non_host_aci_write 4628 # Display message that the non-host access to shadow data is denied. 4629 MSG="Non-host access to shadow data is denied." 4630 if [ $EXISTING_PROFILE -eq 1 ]; then 4631 ${ECHO} " ACI SET: $MSG" 4632 else 4633 ${ECHO} " ${STEP}. $MSG" 4634 STEP=`expr $STEP + 1` 4635 fi 4636} 4637 4638# 4639# add_vlv_aci(): Add access control information (aci) for VLV. 4640# 4641add_vlv_aci() 4642{ 4643 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()" 4644 4645 # Add the VLV ACI. 4646 ( cat <<EOF 4647dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 4648changetype: modify 4649replace: aci 4650aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";) 4651EOF 4652) > ${TMPDIR}/vlv_aci 4653 4654 # Add the entry. 4655 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}" 4656 if [ $? -ne 0 ]; then 4657 ${ECHO} " ERROR: Add of VLV ACI failed!" 4658 cleanup 4659 exit 1 4660 fi 4661 4662 # Display message that schema is updated. 4663 ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)." 4664 STEP=`expr $STEP + 1` 4665} 4666 4667 4668# 4669# set_nisdomain(): Add the NisDomainObject to the Base DN. 4670# 4671set_nisdomain() 4672{ 4673 [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()" 4674 4675 # Check if nisDomain is already set. 4676 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \ 4677 \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1 4678 ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}" 4679 if [ $? -eq 0 ]; then 4680 ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set." 4681 STEP=`expr $STEP + 1` 4682 return 0 4683 fi 4684 4685 # Add the new top level containers. 4686 ( cat <<EOF 4687dn: ${LDAP_BASEDN} 4688changetype: modify 4689objectclass: nisDomainObject 4690nisdomain: ${LDAP_DOMAIN} 4691EOF 4692) > ${TMPDIR}/nis_domain 4693 4694 # Add the entry. 4695 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}" 4696 if [ $? -ne 0 ]; then 4697 ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed." 4698 cleanup 4699 exit 1 4700 fi 4701 4702 # Display message that schema is updated. 4703 ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}." 4704 STEP=`expr $STEP + 1` 4705} 4706 4707 4708# 4709# check_attrName(): Check that the attribute name is valid. 4710# $1 Key to check. 4711# Returns 0 : valid name 1 : invalid name 4712# 4713check_attrName() 4714{ 4715 [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()" 4716 [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1" 4717 4718 ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1 4719 if [ $? -eq 0 ]; then 4720 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 4721 attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}" 4722 else 4723 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 4724 attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}" 4725 fi 4726 4727 if [ $? -ne 0 ]; then 4728 return 1 4729 else 4730 return 0 4731 fi 4732} 4733 4734 4735# 4736# get_objectclass(): Determine the objectclass for the given attribute name 4737# $1 Attribute name to check. 4738# _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig. 4739# 4740# NOTE: An attribute name can be valid but still we might not be able 4741# to determine the objectclass from the table. 4742# In such cases, the user needs to create the necessary object(s). 4743# 4744get_objectclass() 4745{ 4746 [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()" 4747 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1" 4748 4749 # Set return value to NULL string. 4750 _ATTR_NAME="" 4751 4752 # Test key for type: 4753 case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in 4754 ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;; 4755 dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;; 4756 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;; 4757 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;; 4758 *) _ATTR_NAME="" ;; 4759 esac 4760 4761 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME" 4762} 4763 4764 4765# 4766# add_base_objects(): Add any necessary base objects. 4767# 4768add_base_objects() 4769{ 4770 [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()" 4771 4772 # Convert to lower case for basename. 4773 format_string "${LDAP_BASEDN}" 4774 LOWER_BASEDN="${FMT_STR}" 4775 format_string "${LDAP_SUFFIX}" 4776 LOWER_SUFFIX="${FMT_STR}" 4777 4778 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 4779 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 4780 4781 # Create additional components. 4782 if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then 4783 [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent" 4784 else 4785 # first, test that the suffix is valid 4786 dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 4787 if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then 4788 # should not happen since check_basedn_suffix() succeeded 4789 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 4790 ${ECHO} "for Base DN ${LOWER_BASEDN}" 4791 cleanup 4792 exit 1 4793 fi 4794 # OK, suffix is valid, start working with LDAP_BASEDN 4795 # field separator is ',' (i.e., space is a valid character) 4796 dcstmp2="`${ECHO} ${LDAP_BASEDN} | 4797 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`" 4798 dcs="" 4799 # use dcstmp to count the loop, and dcstmp2 to get the correct 4800 # string case 4801 # dcs should be in reverse order, only for these components 4802 # that need to be added 4803 while [ -n "${dcstmp}" ] 4804 do 4805 i2=`${ECHO} "$dcstmp2" | cut -f1 -d','` 4806 dk=`${ECHO} $i2 | awk -F= '{print $1}'` 4807 dc=`${ECHO} $i2 | awk -F= '{print $2}'` 4808 dcs="$dk=$dc,$dcs"; 4809 dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','` 4810 dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','` 4811 [ $DEBUG -eq 1 ] && \ 4812 ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n" 4813 done 4814 4815 4816 4817 lastdc=${LDAP_SUFFIX} 4818 dc=`${ECHO} "${dcs}" | cut -f1 -d','` 4819 dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','` 4820 while [ -n "${dc}" ]; do 4821 # Get Key and component from $dc. 4822 dk2=`${ECHO} $dc | awk -F= '{print $1}'` 4823 dc2=`${ECHO} $dc | awk -F= '{print $2}'` 4824 4825 # At this point, ${dk2} is a valid attribute name 4826 4827 # Check if entry exists first, if so, skip to next. 4828 ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1 4829 if [ $? -eq 0 ]; then 4830 # Set the $lastdc to new dc. 4831 lastdc="${dk2}=${dc2},$lastdc" 4832 4833 # Process next component. 4834 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4835 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4836 continue 4837 4838 fi 4839 4840 # Determine the objectclass for the entry. 4841 get_objectclass $dk2 4842 OBJ_Name=${_ATTR_NAME} 4843 if [ "${OBJ_Name}" = "" ]; then 4844 ${ECHO} "Cannot determine objectclass for $dk2" 4845 ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig" 4846 exit 1 4847 fi 4848 4849 # Add the new container. 4850 ( cat <<EOF 4851dn: ${dk2}=${dc2},$lastdc 4852${dk2}: $dc2 4853objectClass: top 4854objectClass: ${OBJ_Name} 4855EOF 4856) > ${TMPDIR}/base_objects 4857 4858 4859 # Set the $lastdc to new dc. 4860 lastdc="${dk2}=${dc2},$lastdc" 4861 4862 # Add the entry. 4863 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}" 4864 if [ $? -ne 0 ]; then 4865 ${ECHO} " ERROR: update of base objects ${dc} failed." 4866 cleanup 4867 exit 1 4868 fi 4869 4870 # Display message that schema is updated. 4871 ${ECHO} " ${STEP}. Created DN component ${dc}." 4872 STEP=`expr $STEP + 1` 4873 4874 # Process next component. 4875 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4876 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4877 done 4878 fi 4879} 4880 4881 4882# 4883# add_new_containers(): Add the top level classes. 4884# 4885# $1 = Base DN 4886# 4887add_new_containers() 4888{ 4889 [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()" 4890 4891 for ou in people group rpc protocols networks netgroup \ 4892 aliases hosts services ethers profile printers projects \ 4893 SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do 4894 4895 # Check if nismaps already exist. 4896 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4897 if [ $? -eq 0 ]; then 4898 continue 4899 fi 4900 4901 # Create TMP file to add. 4902 ( cat <<EOF 4903dn: ou=${ou},${LDAP_BASEDN} 4904ou: ${ou} 4905objectClass: top 4906objectClass: organizationalUnit 4907EOF 4908) > ${TMPDIR}/toplevel.${ou} 4909 4910 # Add the entry. 4911 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}" 4912 if [ $? -ne 0 ]; then 4913 ${ECHO} " ERROR: Add of ou=${ou} container failed!" 4914 cleanup 4915 exit 1 4916 fi 4917 done 4918 4919 # Display message that top level OU containers complete. 4920 ${ECHO} " ${STEP}. Top level \"ou\" containers complete." 4921 STEP=`expr $STEP + 1` 4922} 4923 4924 4925# 4926# add_auto_maps(): Add the automount map entries. 4927# 4928# auto_home, auto_direct, auto_master, auto_shared 4929# 4930add_auto_maps() 4931{ 4932 [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()" 4933 4934 # Set AUTO_MAPS for maps to create. 4935 AUTO_MAPS="auto_home auto_direct auto_master auto_shared" 4936 4937 for automap in $AUTO_MAPS; do 4938 # Check if automaps already exist. 4939 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4940 if [ $? -eq 0 ]; then 4941 continue 4942 fi 4943 4944 # Create the tmp file to add. 4945 ( cat <<EOF 4946dn: automountMapName=${automap},${LDAP_BASEDN} 4947automountMapName: ${automap} 4948objectClass: top 4949objectClass: automountMap 4950EOF 4951) > ${TMPDIR}/automap.${automap} 4952 4953 # Add the entry. 4954 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}" 4955 if [ $? -ne 0 ]; then 4956 ${ECHO} " ERROR: Add of automap ${automap} failed!" 4957 cleanup 4958 exit 1 4959 fi 4960 done 4961 4962 # Display message that automount entries are updated. 4963 ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed." 4964 STEP=`expr $STEP + 1` 4965} 4966 4967 4968# 4969# add_proxyagent(): Add entry for nameservice to use to access server. 4970# 4971add_proxyagent() 4972{ 4973 [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()" 4974 4975 # Check if proxy agent already exists. 4976 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}" 4977 if [ $? -eq 0 ]; then 4978 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists." 4979 STEP=`expr $STEP + 1` 4980 return 0 4981 fi 4982 4983 # Get cn and sn names from LDAP_PROXYAGENT. 4984 cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=` 4985 4986 # Create the tmp file to add. 4987 ( cat <<EOF 4988dn: ${LDAP_PROXYAGENT} 4989cn: ${cn_tmp} 4990sn: ${cn_tmp} 4991objectclass: top 4992objectclass: person 4993userpassword: ${LDAP_PROXYAGENT_CRED} 4994EOF 4995) > ${TMPDIR}/proxyagent 4996 4997 # Add the entry. 4998 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}" 4999 if [ $? -ne 0 ]; then 5000 ${ECHO} " ERROR: Adding proxyagent failed!" 5001 cleanup 5002 exit 1 5003 fi 5004 5005 # Display message that schema is updated. 5006 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added." 5007 STEP=`expr $STEP + 1` 5008} 5009 5010# 5011# allow_proxy_read_pw(): Give Proxy Agent read permission for password. 5012# 5013allow_proxy_read_pw() 5014{ 5015 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()" 5016 5017 # Search for ACI_NAME 5018 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5019 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1 5020 if [ $? -eq 0 ]; then 5021 ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}." 5022 STEP=`expr $STEP + 1` 5023 return 0 5024 fi 5025 5026 # Create the tmp file to add. 5027 ( cat <<EOF 5028dn: ${LDAP_BASEDN} 5029changetype: modify 5030add: aci 5031aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword") 5032 (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) 5033 userdn = "ldap:///${LDAP_PROXYAGENT}";) 5034EOF 5035) > ${TMPDIR}/proxy_read 5036 5037 # Add the entry. 5038 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}" 5039 if [ $? -ne 0 ]; then 5040 ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!" 5041 cleanup 5042 exit 1 5043 fi 5044 5045 # Display message that schema is updated. 5046 ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password." 5047 STEP=`expr $STEP + 1` 5048} 5049 5050# Delete Proxy Agent read permission for password. 5051delete_proxy_read_pw() 5052{ 5053 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()" 5054 5055 # Search for ACI_NAME 5056 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5057 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \ 5058 ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1 5059 if [ $? -ne 0 ]; then 5060 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5061 return 0 5062 fi 5063 5064 # We need to remove proxy agent's read access to user passwords, 5065 # but We do not know the value of the ${LDAP_PROXYAGENT} here, so 5066 # 1. if only one match found, delete it 5067 # 2. if more than one matches found, ask the user which one to delete 5068 HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'` 5069 if [ $HOWMANY -eq 0 ]; then 5070 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5071 return 0 5072 fi 5073 if [ $HOWMANY -eq 1 ];then 5074 proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci` 5075 else 5076 ${CAT} << EOF 5077 5078Proxy agent is not allowed to read user passwords when shadow 5079update is enabled. There are more than one proxy agents found. 5080Please select the currently proxy agent being used, so that 5081idsconfig can remove its read access to user passwords. 5082 5083The proxy agents are: 5084 5085EOF 5086 # generate the proxy agent list 5087 ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \ 5088 ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \ 5089 ${TMPDIR}/proxy_agent_list 5090 5091 # print the proxy agent list 5092 ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list 5093 5094 # ask the user to pick one 5095 _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): " 5096 get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY" 5097 _CH=$MN_CH 5098 proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci` 5099 fi 5100 5101 # Create the tmp file to delete the ACI. 5102 ( cat <<EOF 5103dn: ${LDAP_BASEDN} 5104changetype: modify 5105delete: aci 5106aci: ${proxy_aci} 5107EOF 5108 ) > ${TMPDIR}/proxy_delete 5109 5110 # Delete the ACI 5111 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}" 5112 if [ $? -ne 0 ]; then 5113 ${ECHO} " ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!" 5114 cat ${TMPDIR}/proxy_delete 5115 cleanup 5116 exit 1 5117 fi 5118 5119 # Display message that ACI is updated. 5120 MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password." 5121 ${ECHO} " " 5122 ${ECHO} " ACI REMOVED: $MSG" 5123 ${ECHO} " The ACI removed is $proxy_aci" 5124 ${ECHO} " " 5125} 5126 5127# 5128# add_profile(): Add client profile to server. 5129# 5130add_profile() 5131{ 5132 [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()" 5133 5134 # If profile name already exists, DELETE it, and add new one. 5135 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 5136 if [ $? -eq 0 ]; then 5137 # Create Delete file. 5138 ( cat <<EOF 5139cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN} 5140EOF 5141) > ${TMPDIR}/del_profile 5142 5143 # Check if DEL_OLD_PROFILE is set. (If not ERROR) 5144 if [ $DEL_OLD_PROFILE -eq 0 ]; then 5145 ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!" 5146 exit 1 5147 fi 5148 5149 # Delete the OLD profile. 5150 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}" 5151 if [ $? -ne 0 ]; then 5152 ${ECHO} " ERROR: Attempt to DELETE profile failed!" 5153 cleanup 5154 exit 1 5155 fi 5156 fi 5157 5158 # Build the "ldapclient genprofile" command string to execute. 5159 GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\"" 5160 5161 # Add required argument defaultSearchBase. 5162 GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\"" 5163 5164 # Add optional parameters. 5165 [ -n "$LDAP_SERVER_LIST" ] && \ 5166 GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\"" 5167 [ -n "$LDAP_SEARCH_SCOPE" ] && \ 5168 GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\"" 5169 [ -n "$LDAP_CRED_LEVEL" ] && \ 5170 GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\"" 5171 [ -n "$LDAP_AUTHMETHOD" ] && \ 5172 GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\"" 5173 [ -n "$LDAP_FOLLOWREF" ] && \ 5174 GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\"" 5175 [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \ 5176 GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\"" 5177 [ -n "$LDAP_PROFILE_TTL" ] && \ 5178 GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\"" 5179 [ -n "$LDAP_BIND_LIMIT" ] && \ 5180 GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\"" 5181 [ -n "$LDAP_PREF_SRVLIST" ] && \ 5182 GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\"" 5183 [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \ 5184 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\"" 5185 [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \ 5186 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\"" 5187 [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \ 5188 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\"" 5189 5190 # Check if there are any service search descriptors to ad. 5191 if [ -s "${SSD_FILE}" ]; then 5192 ssd_2_profile 5193 fi 5194 5195 # Execute "ldapclient genprofile" to create profile. 5196 eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR 5197 if [ $? -ne 0 ]; then 5198 ${ECHO} " ERROR: ldapclient genprofile failed!" 5199 cleanup 5200 exit 1 5201 fi 5202 5203 # Add the generated profile.. 5204 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}" 5205 if [ $? -ne 0 ]; then 5206 ${ECHO} " ERROR: Attempt to add profile failed!" 5207 cleanup 5208 exit 1 5209 fi 5210 5211 # Display message that schema is updated. 5212 ${ECHO} " ${STEP}. Generated client profile and loaded on server." 5213 STEP=`expr $STEP + 1` 5214} 5215 5216 5217# 5218# cleanup(): Remove the TMPDIR and all files in it. 5219# 5220cleanup() 5221{ 5222 [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()" 5223 5224 rm -fr ${TMPDIR} 5225} 5226 5227 5228# 5229# * * * MAIN * * * 5230# 5231# Description: 5232# This script assumes that the iPlanet Directory Server (iDS) is 5233# installed and that setup has been run. This script takes the 5234# iDS server from that point and sets up the infrastructure for 5235# LDAP Naming Services. After running this script, ldapaddent(1M) 5236# or some other tools can be used to populate data. 5237 5238# Initialize the variables that need to be set to NULL, or some 5239# other initial value before the rest of the functions can be called. 5240init 5241 5242# Parse command line arguments. 5243parse_arg $* 5244shift $? 5245 5246# Print extra line to separate from prompt. 5247${ECHO} " " 5248 5249# Either Load the user specified config file 5250# or prompt user for config info. 5251if [ -n "$INPUT_FILE" ] 5252then 5253 load_config_file 5254 INTERACTIVE=0 # Turns off prompts that occur later. 5255 validate_info # Validate basic info in file. 5256 chk_ids_version # Check iDS version for compatibility. 5257else 5258 # Display BACKUP warning to user. 5259 display_msg backup_server 5260 get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help" 5261 if [ $? -eq 0 ]; then # if No, cleanup and exit. 5262 cleanup ; exit 1 5263 fi 5264 5265 # Prompt for values. 5266 prompt_config_info 5267 display_summary # Allow user to modify results. 5268 INTERACTIVE=1 # Insures future prompting. 5269fi 5270 5271# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE. 5272modify_cn 5273 5274# Modify timelimit to user value. 5275[ $NEED_TIME -eq 1 ] && modify_timelimit 5276 5277# Modify sizelimit to user value. 5278[ $NEED_SIZE -eq 1 ] && modify_sizelimit 5279 5280# Modify the password storage scheme to support CRYPT. 5281if [ "$NEED_CRYPT" = "TRUE" ]; then 5282 modify_pwd_crypt 5283fi 5284 5285# Update the schema (Attributes, Objectclass Definitions) 5286if [ ${SCHEMA_UPDATED} -eq 0 ]; then 5287 update_schema_attr 5288 update_schema_obj 5289fi 5290 5291# Add suffix together with its root entry (if needed) 5292add_suffix || 5293{ 5294 cleanup 5295 exit 1 5296} 5297 5298# Add base objects (if needed) 5299add_base_objects 5300 5301# Update the NisDomainObject. 5302# The Base DN might of just been created, so this MUST happen after 5303# the base objects have been added! 5304set_nisdomain 5305 5306# Add top level classes (new containers) 5307add_new_containers 5308 5309# Add common nismaps. 5310add_auto_maps 5311 5312# Modify top ACI. 5313modify_top_aci 5314 5315# Add Access Control Information for VLV. 5316add_vlv_aci 5317 5318# if Proxy needed, Add Proxy Agent and give read permission for password. 5319if [ $NEED_PROXY -eq 1 ]; then 5320 add_proxyagent 5321 if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then 5322 allow_proxy_read_pw 5323 fi 5324fi 5325 5326# If admin needed for shadow update, Add the administrator identity and 5327# give read/write permission for shadow, and deny all others read/write 5328# access to it. 5329if [ $NEED_ADMIN -eq 1 ]; then 5330 add_admin 5331 allow_admin_read_write_shadow 5332 # deny non-admin access to shadow data 5333 deny_non_admin_shadow_access 5334fi 5335 5336if [ $GSSAPI_ENABLE -eq 1 ]; then 5337 add_id_mapping_rules 5338 # do not modify ACI if "sasl/GSSAPI" and "self" are not selected 5339 if [ "$LDAP_CRED_LEVEL" = "self" -a "$LDAP_AUTHMETHOD" = "sasl/GSSAPI" ]; then 5340 modify_userpassword_acl_for_gssapi 5341 else 5342 ${ECHO} " ACL for GSSAPI was not set because of incompatibility in profile." 5343 fi 5344fi 5345 5346# If use host principal for shadow update, give read/write permission for 5347# shadow, and deny all others' read/write access to it. 5348if [ $NEED_HOSTACL -eq 1 ]; then 5349 allow_host_read_write_shadow 5350 # deny non-host access to shadow data 5351 deny_non_host_shadow_access 5352fi 5353 5354 5355# Generate client profile and add it to the server. 5356add_profile 5357 5358# Add Indexes to improve Search Performance. 5359add_eq_indexes 5360add_sub_indexes 5361add_vlv_indexes 5362 5363# Display setup complete message 5364display_msg setup_complete 5365 5366# Display VLV index commands to be executed on server. 5367display_vlv_cmds 5368 5369# Create config file if requested. 5370[ -n "$OUTPUT_FILE" ] && create_config_file 5371 5372# Removed the TMPDIR and all files in it. 5373cleanup 5374 5375exit 0 5376# end of MAIN. 5377