xref: /titanic_51/usr/src/cmd/ldap/ns_ldap/idsconfig.sh (revision 749f21d359d8fbd020c974a1a5227316221bfc9c)
1#!/bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License, Version 1.0 only
7# (the "License").  You may not use this file except in compliance
8# with the License.
9#
10# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11# or http://www.opensolaris.org/os/licensing.
12# See the License for the specific language governing permissions
13# and limitations under the License.
14#
15# When distributing Covered Code, include this CDDL HEADER in each
16# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
17# If applicable, add the following below this CDDL HEADER, with the
18# fields enclosed by brackets "[]" replaced with your own identifying
19# information: Portions Copyright [yyyy] [name of copyright owner]
20#
21# CDDL HEADER END
22#
23#
24# ident	"%Z%%M%	%I%	%E% SMI"
25#
26# idsconfig -- script to setup iDS 5.x for Native LDAP II.
27#
28# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
29# Use is subject to license terms.
30#
31
32#
33# display_msg(): Displays message corresponding to the tag passed in.
34#
35display_msg()
36{
37    case "$1" in
38    usage) cat <<EOF
39 $PROG: [ -v ] [ -i input file ] [ -o output file ]
40   i <input file>     Get setup info from input file.
41   o <output file>    Generate a server configuration output file.
42   v                  Verbose mode
43EOF
44    ;;
45    backup_server) cat <<EOF
46It is strongly recommended that you BACKUP the directory server
47before running $PROG.
48
49Hit Ctrl-C at any time before the final confirmation to exit.
50
51EOF
52    ;;
53    setup_complete) cat <<EOF
54
55$PROG: Setup of iDS server ${IDS_SERVER} is complete.
56
57EOF
58    ;;
59    display_vlv_list) cat <<EOF
60
61Note: idsconfig has created entries for VLV indexes.  Use the 
62      directoryserver(1m) script on ${IDS_SERVER} to stop
63      the server and then enter the following vlvindex
64      sub-commands to create the actual VLV indexes:
65
66EOF
67    ;;
68    cred_level_menu) cat <<EOF
69The following are the supported credential levels:
70  1  anonymous
71  2  proxy
72  3  proxy anonymous
73EOF
74    ;;
75    auth_method_menu) cat <<EOF
76The following are the supported Authentication Methods:
77  1  none
78  2  simple
79  3  sasl/DIGEST-MD5
80  4  tls:simple
81  5  tls:sasl/DIGEST-MD5
82EOF
83    ;;
84    srvauth_method_menu) cat <<EOF
85The following are the supported Authentication Methods:
86  1  simple
87  2  sasl/DIGEST-MD5
88  3  tls:simple
89  4  tls:sasl/DIGEST-MD5
90EOF
91    ;;
92    prompt_ssd_menu) cat <<EOF
93  A  Add a Service Search Descriptor
94  D  Delete a SSD
95  M  Modify a SSD
96  P  Display all SSD's
97  H  Help
98  X  Clear all SSD's
99
100  Q  Exit menu
101EOF
102    ;;
103    summary_menu) cat <<EOF
104              Summary of Configuration
105
106  1  Domain to serve               : $LDAP_DOMAIN
107  2  Base DN to setup              : $LDAP_BASEDN
108  3  Profile name to create        : $LDAP_PROFILE_NAME
109  4  Default Server List           : $LDAP_SERVER_LIST
110  5  Preferred Server List         : $LDAP_PREF_SRVLIST
111  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
112  7  Credential Level              : $LDAP_CRED_LEVEL
113  8  Authentication Method         : $LDAP_AUTHMETHOD
114  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
115 10  iDS Time Limit                : $IDS_TIMELIMIT
116 11  iDS Size Limit                : $IDS_SIZELIMIT
117 12  Enable crypt password storage : $NEED_CRYPT
118 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
119 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
120 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
121 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
122 17  Profile Time to Live          : $LDAP_PROFILE_TTL
123 18  Bind Limit                    : $LDAP_BIND_LIMIT
124 19  Service Search Descriptors Menu
125
126EOF
127    ;;
128    ldap_suffix_list) cat <<EOF
129
130No valid suffixes (naming contexts) were found for LDAP base DN:
131${LDAP_BASEDN}
132
133Available suffixes are:
134${LDAP_SUFFIX_LIST}
135
136EOF
137    ;;
138    sorry) cat <<EOF
139
140HELP - No help is available for this topic.
141
142EOF
143    ;;
144    backup_help) cat <<EOF
145
146HELP - Since idsconfig modifies the directory server configuration,
147       it is strongly recommended that you backup the server prior
148       to running this utility.  This is especially true if the server
149       being configured is a production server.
150
151EOF
152    ;;
153    port_help) cat <<EOF
154
155HELP - Enter the port number the directory server is configured to
156       use for LDAP.
157
158EOF
159    ;;
160    domain_help) cat <<EOF
161
162HELP - This is the DNS domain name this server will be serving.  You
163       must provide this name even if the server is not going to be populated
164       with hostnames.  Any unqualified hostname stored in the directory
165       will be fully qualified using this DNS domain name.
166
167EOF
168    ;;
169    basedn_help) cat <<EOF
170
171HELP - This parameter defines the default location in the directory tree for
172       the naming services entries.  You can override this default by using 
173       serviceSearchDescriptors (SSD). You will be given the option to set up 
174       an SSD later on in the setup.
175
176EOF
177    ;;
178    profile_help) cat <<EOF
179
180HELP - Name of the configuration profile with which the clients will be
181       configured. A directory server can store various profiles for multiple 
182       groups of clients.  The initialization tool, (ldapclient(1M)), assumes 
183       "default" unless another is specified.
184
185EOF
186    ;;
187    def_srvlist_help) cat <<EOF
188
189HELP - Provide a list of directory servers to serve clients using this profile.
190       All these servers should contain consistent data and provide similar 
191       functionality.  This list is not ordered, and clients might change the 
192       order given in this list. Note that this is a space separated list of 
193       *IP addresses* (not host names).  Providing port numbers is optional.
194
195EOF
196    ;;
197    pref_srvlist_help) cat <<EOF
198
199HELP - Provide a list of directory servers to serve this client profile. 
200       Unlike the default server list, which is not ordered, the preferred 
201       servers must be entered IN THE ORDER you wish to have them contacted. 
202       If you do specify a preferred server list, clients will always contact 
203       them before attempting to contact any of the servers on the default 
204       server list. Note that you must enter the preferred server list as a 
205       space-separated list of *IP addresses* (not host names).  Providing port 
206       numbers is optional.
207
208EOF
209    ;;
210    srch_scope_help) cat <<EOF
211
212HELP - Default search scope to be used for all searches unless they are
213       overwritten using serviceSearchDescriptors.  The valid options
214       are "one", which would specify the search will only be performed 
215       at the base DN for the given service, or "sub", which would specify 
216       the search will be performed through *all* levels below the base DN 
217       for the given service.
218
219EOF
220    ;;
221    cred_lvl_help) cat <<EOF
222
223HELP - This parameter defines what credentials the clients use to
224       authenticate to the directory server.  This list might contain
225       multiple credential levels and is ordered.  If a proxy level
226       is configured, you will also be prompted to enter a bind DN
227       for the proxy agent along with a password.  This proxy agent
228       will be created if it does not exist.
229
230EOF
231    ;;
232    auth_help) cat <<EOF
233
234HELP - The default authentication method(s) to be used by all services
235       in the client using this profile.  This is a ordered list of
236       authentication methods separated by a ';'.  The supported methods
237       are provided in a menu.  Note that sasl/DIGEST-MD5 binds require
238       passwords to be stored un-encrypted on the server.
239
240EOF
241    ;;
242    srvauth_help) cat <<EOF
243
244HELP - The authentication methods to be used by a given service.  Currently
245       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
246       The authentication method specified in this attribute overrides
247       the default authentication method defined in the profile.  This
248       feature can be used to select stronger authentication methods for
249       services which require increased security.
250
251EOF
252    ;;
253    pam_ldap_help) cat <<EOF
254
255HELP - The authentication method(s) to be used by pam_ldap when contacting
256       the directory server.  This is a ordered list, and, if provided, will
257       override the default authentication method parameter.
258
259EOF
260    ;;
261    keyserv_help) cat <<EOF
262
263HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
264       when contacting the directory server.  This is a ordered list and
265       if provided will override the default authentication method
266       parameter.
267
268EOF
269    ;;
270    passwd-cmd_help) cat <<EOF
271
272HELP - The authentication method(s) to be used by passwd(1) command when
273       contacting the directory server.  This is a ordered list and if
274       provided will override the default authentication method parameter.
275
276EOF
277    ;;
278    referrals_help) cat <<EOF
279
280HELP - This parameter indicates whether the client should follow
281       ldap referrals if it encounters one during naming lookups.
282
283EOF
284    ;;
285    tlim_help) cat <<EOF
286
287HELP - The server time limit value indicates the maximum amount of time the
288       server would spend on a query from the client before abandoning it.
289       A value of '-1' indicates no limit.
290
291EOF
292    ;;
293    slim_help) cat <<EOF
294
295HELP - The server sizelimit value indicates the maximum number of entries
296       the server would return in respond to a query from the client.  A
297       value of '-1' indicates no limit.
298
299EOF
300    ;;
301    crypt_help) cat <<EOF
302
303HELP - By default iDS does not store userPassword attribute values using
304       unix "crypt" format.  If you need to keep your passwords in the crypt
305       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'.  If
306       passwords are stored using any other format than crypt, pam_ldap
307       MUST be used by clients to authenticate users to the system. Note 
308       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
309       user passwords must be stored in the clear format.
310
311EOF
312    ;;
313    srchtime_help) cat <<EOF
314
315HELP - The search time limit the client will enforce for directory
316       lookups.
317
318EOF
319    ;;
320    profttl_help) cat <<EOF
321
322HELP - The time to live value for profile.  The client will refresh its
323       cached version of the configuration profile at this TTL interval.
324
325EOF
326    ;;
327    bindlim_help) cat <<EOF
328
329HELP - The time limit for the bind operation to the directory.  This
330       value controls the responsiveness of the client in case a server
331       becomes unavailable.  The smallest timeout value for a given
332       network architecture/conditions would work best.  This is very
333       similar to setting TCP timeout, but only for LDAP bind operation.
334
335EOF
336    ;;
337    ssd_help) cat <<EOF
338
339HELP - Using Service Search Descriptors (SSD), you can override the
340       default configuration for a given service.  The SSD can be
341       used to override the default search base DN, the default search
342       scope, and the default search filter to be used for directory
343       lookups.  SSD are supported for all services (databases)
344       defined in nsswitch.conf(4).  The default base DN is defined
345       in ldap(1).
346
347       Note: SSD are powerful tools in defining configuration profiles
348             and provide a great deal of flexibility.  However, care
349             must be taken in creating them.  If you decide to make use
350             of SSDs, consult the documentation first.
351
352EOF
353    ;;
354    ssd_menu_help) cat <<EOF
355
356HELP - Using this menu SSD can be added, updated, or deleted from
357       the profile.
358
359       A - This option creates a new SSD by prompting for the
360           service name, base DN, and scope.  Service name is
361           any valid service as defined in ldap(1).  base is
362           either the distinguished name to the container where
363           this service will use, or a relative DN followed
364           by a ','.
365       D - Delete a previously created SSD.
366       M - Modify a previously created SSD.
367       P - Display a list of all the previously created SSD.
368       X - Delete all of the previously created SSD.
369
370       Q - Exit the menu and continue with the server configuration.
371
372EOF
373    ;;
374    ldap_suffix_list_help) cat <<EOF
375
376HELP - No valid suffixes (naming contexts) are available on server 
377       ${IDS_SERVER}:${IDS_PORT}.
378       You must set an LDAP Base DN that can be contained in 
379       an existing suffix.
380
381EOF
382    ;;
383    esac
384}
385
386
387#
388# get_ans(): gets an answer from the user.
389#		$1  instruction/comment/description/question
390#		$2  default value
391#
392get_ans()
393{
394    if [ -z "$2" ]
395    then
396	${ECHO} "$1 \c"
397    else
398	${ECHO} "$1 [$2] \c"
399    fi
400
401    read ANS
402    if [ -z "$ANS" ]
403    then
404	ANS=$2
405    fi
406}
407
408
409#
410# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
411#		$@  instruction/comment/description/question
412#
413get_ans_req()
414{
415    ANS=""                  # Set ANS to NULL.
416    while [ "$ANS" = "" ]
417    do
418	get_ans "$@"
419	[ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!"
420    done
421}
422
423
424#
425# get_number(): Querys and verifies that number entered is numeric.
426#               Function will repeat prompt user for number value.
427#               $1  Message text.
428#		$2  default value.
429#               $3  Help argument.
430#
431get_number()
432{
433    ANS=""                  # Set ANS to NULL.
434    NUM=""
435
436    get_ans "$1" "$2"
437
438    # Verify that value is numeric.
439    while not_numeric $ANS
440    do
441	case "$ANS" in
442	    [Hh] | help | Help | \?) display_msg ${3:-sorry} ;;
443	    * ) ${ECHO} "Invalid value: \"${ANS}\". \c"
444	     ;;
445	esac
446	# Get a new value.
447	get_ans "Enter a numeric value:" "$2"
448    done
449    NUM=$ANS
450}
451
452
453#
454# get_negone_num(): Only allows a -1 or positive integer.
455#                   Used for values where -1 has special meaning.
456#
457#                   $1 - Prompt message.
458#                   $2 - Default value (require).
459#                   $3 - Optional help argument.
460get_negone_num()
461{
462    while :
463    do
464	get_number "$1" "$2" "$3"
465	if is_negative $ANS
466	then
467	    if [ "$ANS" = "-1" ]; then
468		break  # -1 is OK, so break.
469	    else       # Need to re-enter number.
470		${ECHO} "Invalid number: please enter -1 or positive number."
471	    fi
472	else
473	    break      # Positive number
474	fi
475    done
476}
477
478
479#
480# get_passwd(): Reads a password from the user and verify with second.
481#		$@  instruction/comment/description/question
482#
483get_passwd()
484{
485    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"
486
487    # Temporary PASSWD variables
488    _PASS1=""
489    _PASS2=""
490
491    /usr/bin/stty -echo     # Turn echo OFF
492
493    # Endless loop that continues until passwd and re-entered passwd
494    # match.
495    while :
496    do
497	ANS=""                  # Set ANS to NULL.
498
499	# Don't allow NULL for first try.
500	while [ "$ANS" = "" ]
501	do
502	    get_ans "$@"
503	    [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
504	done
505	_PASS1=$ANS         # Store first try.
506
507	# Get second try.
508	${ECHO} ""
509	get_ans "Re-enter passwd:"
510	_PASS2=$ANS
511
512	# Test if passwords are identical.
513	if [ "$_PASS1" = "$_PASS2" ]; then
514	    break
515	fi
516
517	# Move cursor down to next line and print ERROR message.
518	${ECHO} ""
519	${ECHO} "ERROR: passwords don't match; try again."
520    done
521
522    /usr/bin/stty echo      # Turn echo ON
523
524    ${ECHO} ""
525}
526
527
528#
529# get_passwd_nochk(): Reads a password from the user w/o check.
530#		$@  instruction/comment/description/question
531#
532get_passwd_nochk()
533{
534    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"
535
536    /usr/bin/stty -echo     # Turn echo OFF
537
538    get_ans "$@"
539
540    /usr/bin/stty echo      # Turn echo ON
541
542    ${ECHO} ""
543}
544
545
546#
547# get_menu_choice(): Get a menu choice from user.  Continue prompting
548#                    till the choice is in required range.
549#   $1 .. Message text.
550#   $2 .. min value
551#   $3 .. max value
552#   $4 .. OPTIONAL: default value
553#
554#   Return value:
555#     MN_CH will contain the value selected.
556#
557get_menu_choice()
558{
559    # Check for req parameter.
560    if [ $# -lt 3 ]; then
561	${ECHO} "get_menu_choice(): Did not get required parameters."
562	return 1
563    fi
564
565    while :
566    do
567	get_ans "$1" "$4"
568	MN_CH=$ANS
569	is_negative $MN_CH
570	if [ $? -eq 1 ]; then
571	    if [ $MN_CH -ge $2 ]; then
572		if [ $MN_CH -le $3 ]; then
573		    return
574		fi
575	    fi
576	fi
577	${ECHO} "Invalid choice: $MN_CH"
578    done
579}
580
581
582#
583# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
584#                $1 - Message
585#                $2 - default value.
586#
587get_confirm()
588{
589    _ANSWER=
590
591    while :
592    do
593	# Display Internal ERROR if $2 not set.
594	if [ -z "$2" ]
595	then
596	    ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
597	    exit 2
598	fi
599
600	# Display prompt.
601	${ECHO} "$1 [$2] \c"
602
603	# Get the ANSWER.
604	read _ANSWER
605	if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then
606	    _ANSWER=$2
607	fi
608	case "$_ANSWER" in
609	    [Yy] | yes | Yes | YES) return 1 ;;
610	    [Nn] | no  | No  | NO)  return 0 ;;
611	    [Hh] | help | Help | \?) display_msg ${3:-sorry};;
612	    * ) ${ECHO} "Please enter y or n."  ;;
613	esac
614    done
615}
616
617
618#
619# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
620#                      No default value supported.
621#
622get_confirm_nodef()
623{
624    _ANSWER=
625
626    while :
627    do
628	${ECHO} "$@ \c"
629	read _ANSWER
630	case "$_ANSWER" in
631	    [Yy] | yes | Yes | YES) return 1 ;;
632	    [Nn] | no  | No  | NO)  return 0 ;;
633	    * ) ${ECHO} "Please enter y or n."  ;;
634	esac
635    done
636}
637
638
639#
640# is_numeric(): Tells is a string is numeric.
641#    0 = Numeric
642#    1 = NOT Numeric
643#
644is_numeric()
645{
646    # Check for parameter.
647    if [ $# -ne 1 ]; then
648	return 1
649    fi
650
651    # Determine if numeric.
652    expr "$1" + 1 > /dev/null 2>&1
653    if [ $? -ge 2 ]; then
654	return 1
655    fi
656
657    # Made it here, it's Numeric.
658    return 0
659}
660
661
662#
663# not_numeric(): Reverses the return values of is_numeric.  Useful
664#                 for if and while statements that want to test for
665#                 non-numeric data.
666#    0 = NOT Numeric
667#    1 = Numeric
668#
669not_numeric()
670{
671    is_numeric $1
672    if [ $? -eq 0 ]; then
673       return 1
674    else
675       return 0
676    fi
677}
678
679
680#
681# is_negative(): Tells is a Numeric value is less than zero.
682#    0 = Negative Numeric
683#    1 = Positive Numeric
684#    2 = NOT Numeric
685#
686is_negative()
687{
688    # Check for parameter.
689    if [ $# -ne 1 ]; then
690	return 1
691    fi
692
693    # Determine if numeric.  Can't use expr because -0 is
694    # considered positive??
695    if is_numeric $1; then
696	case "$1" in
697	    -*)  return 0 ;;   # Negative Numeric
698	    *)   return 1 ;;   # Positive Numeric
699	esac
700    else
701	return 2
702    fi
703}
704
705
706#
707# check_domainname(): check validity of a domain name.  Currently we check
708#                     that it has at least two components.
709#		$1  the domain name to be checked
710#
711check_domainname()
712{
713    if [ ! -z "$1" ]
714    then
715	t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
716	if [ "$t" = 0 ]
717	then
718	    return 1
719	fi
720    fi
721    return 0
722}
723
724
725#
726# check_baseDN(): check validity of the baseDN name.
727#		$1  the baseDN name to be checked
728#
729#     NOTE: The check_baseDN function does not catch all invalid DN's.
730#           Its purpose is to reduce the number of invalid DN's to
731#           get past the input routine.  The invalid DN's will be
732#           caught by the LDAP server when they are attempted to be
733#           created.
734#
735check_baseDN()
736{
737    ck_DN=$1
738    ${ECHO} "  Checking LDAP Base DN ..."
739    if [ ! -z "$ck_DN" ]; then
740        [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
741        # Check for = (assignment operator)
742        ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
743        if [ $? -ne 0 ]; then
744            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
745            return 1
746        fi
747
748        # Check all keys.
749        while :
750        do
751            # Get first key.
752            dkey=`${ECHO} $ck_DN | cut -d'=' -f1`
753
754            # Check that the key string is valid
755	    check_attrName $dkey
756	    if [ $? -ne 0 ]; then
757                [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
758                return 1
759            fi
760
761            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"
762
763            # Remove first key from DN
764            ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`
765
766            # Break loop if nothing left.
767            if [ "$ck_DN" = "" ]; then
768                break
769            fi
770        done
771    fi
772    return 0
773}
774
775
776#
777# domain_2_dc(): Convert a domain name into dc string.
778#    $1  .. Domain name.
779#
780domain_2_dc()
781{
782    _DOM=$1           # Domain parameter.
783    _DOM_2_DC=""      # Return value from function.
784    _FIRST=1          # Flag for first time.
785
786    export _DOM_2_DC  # Make visible for others.
787
788    # Convert "."'s to spaces for "for" loop.
789    domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
790    for i in $domtmp; do
791	if [ $_FIRST -eq 1 ]; then
792	    _DOM_2_DC="dc=${i}"
793	    _FIRST=0
794	else
795	    _DOM_2_DC="${_DOM_2_DC},dc=${i}"
796	fi
797    done
798}
799
800
801#
802# is_root_user(): Check to see if logged in as root user.
803#
804is_root_user()
805{
806    case `id` in
807	uid=0\(root\)*) return 0 ;;
808	* )             return 1 ;;
809    esac
810}
811
812
813#
814# parse_arg(): Parses the command line arguments and sets the
815#              appropriate variables.
816#
817parse_arg()
818{
819    while getopts "dvhi:o:" ARG
820    do
821	case $ARG in
822	    d)      DEBUG=1;;
823	    v)      VERB="";;
824	    i)      INPUT_FILE=$OPTARG;;
825	    o)      OUTPUT_FILE=$OPTARG;;
826	    \?)	display_msg usage
827		    exit 1;;
828	    *)	${ECHO} "**ERROR: Supported option missing handler!"
829		    display_msg usage
830		    exit 1;;
831	esac
832    done
833    return `expr $OPTIND - 1`
834}
835
836
837#
838# init(): initializes variables and options
839#
840init()
841{
842    # General variables.
843    PROG=`basename $0`	# Program name
844    PID=$$              # Program ID
845    VERB='> /dev/null 2>&1'	# NULL or "> /dev/null"
846    ECHO="/bin/echo"	# print message on screen
847    EVAL="eval"		# eval or echo
848    EGREP="/usr/bin/egrep"
849    GREP="/usr/bin/grep"
850    DEBUG=0             # Set Debug OFF
851    BACKUP=no_ldap	# backup suffix
852    HOST=""		# NULL or <hostname>
853
854    DOM=""              # Set to NULL
855    # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
856    if [ -f /etc/resolv.conf ]; then
857        DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
858	    | awk '{ print $2 }' | tail -1`
859    fi
860
861    # If for any reason the DOM did not get set (error'd resolv.conf) set
862    # DOM to the domainname command's output.
863    if [ "$DOM" = "" ]; then
864        DOM=`domainname`	# domain from domainname command.
865    fi
866
867    STEP=1
868    INTERACTIVE=1       # 0 = on, 1 = off (For input file mode)
869    DEL_OLD_PROFILE=0   # 0 (default), 1 = delete old profile.
870
871    # idsconfig specific variables.
872    INPUT_FILE=""
873    OUTPUT_FILE=""
874    NEED_PROXY=0        # 0 = No Proxy, 1 = Create Proxy.
875    LDAP_PROXYAGENT=""
876    LDAP_SUFFIX=""
877    LDAP_DOMAIN=$DOM	# domainname on Server (default value)
878    GEN_CMD=""
879
880    # LDAP COMMANDS
881    LDAPSEARCH="/bin/ldapsearch -r"
882    LDAPMODIFY=/bin/ldapmodify
883    LDAPADD=/bin/ldapadd
884    LDAPDELETE=/bin/ldapdelete
885    LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile
886
887    # iDS specific information
888    IDS_SERVER=""
889    IDS_PORT=389
890    NEED_TIME=0
891    NEED_SIZE=0
892    NEED_SRVAUTH_PAM=0
893    NEED_SRVAUTH_KEY=0
894    NEED_SRVAUTH_CMD=0
895    IDS_TIMELIMIT=""
896    IDS_SIZELIMIT=""
897
898    # LDAP PROFILE related defaults
899    LDAP_ROOTDN="cn=Directory Manager"   # Provide common default.
900    LDAP_ROOTPWD=""                      # NULL passwd as default (i.e. invalid)
901    LDAP_PROFILE_NAME="default"
902    LDAP_BASEDN=""
903    LDAP_SERVER_LIST=""
904    LDAP_AUTHMETHOD=""
905    LDAP_FOLLOWREF="FALSE"
906    NEED_CRYPT=""
907    LDAP_SEARCH_SCOPE="one"
908    LDAP_SRV_AUTHMETHOD_PAM=""
909    LDAP_SRV_AUTHMETHOD_KEY=""
910    LDAP_SRV_AUTHMETHOD_CMD=""
911    LDAP_SEARCH_TIME_LIMIT=30
912    LDAP_PREF_SRVLIST=""
913    LDAP_PROFILE_TTL=43200
914    LDAP_CRED_LEVEL="proxy"
915    LDAP_BIND_LIMIT=10
916
917    # Prevent new files from being read by group or others.
918    umask 077
919
920    # Service Search Descriptors
921    LDAP_SERV_SRCH_DES=""
922
923    # Set and create TMPDIR.
924    TMPDIR="/tmp/idsconfig.${PID}"
925    if mkdir -m 700 ${TMPDIR}
926    then
927	# Cleanup on exit.
928	trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
929    else
930	echo "ERROR: unable to create a safe temporary directory."
931	exit 1
932    fi
933    LDAP_ROOTPWF=${TMPDIR}/rootPWD
934
935    # Set the SSD file name after setting TMPDIR.
936    SSD_FILE=${TMPDIR}/ssd_list
937
938    export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
939    export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
940    export LDAP_BASEDN LDAP_ROOTPWF
941    export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
942    export NEED_PROXY
943    export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
944    export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
945    export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
946    export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
947    export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
948    export LDAP_SERV_SRCH_DES SSD_FILE
949    export GEN_CMD
950}
951
952
953#
954# disp_full_debug(): List of all debug variables usually interested in.
955#                    Grouped to avoid MASSIVE code duplication.
956#
957disp_full_debug()
958{
959    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SERVER = $IDS_SERVER"
960    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_PORT = $IDS_PORT"
961    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTDN = $LDAP_ROOTDN"
962    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTPWD = $LDAP_ROOTPWD"
963    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_DOMAIN = $LDAP_DOMAIN"
964    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX = $LDAP_SUFFIX"
965    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BASEDN = $LDAP_BASEDN"
966    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
967    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
968    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
969    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
970    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
971    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
972    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
973    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_TIMELIMIT = $IDS_TIMELIMIT"
974    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SIZELIMIT = $IDS_SIZELIMIT"
975    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_CRYPT = $NEED_CRYPT"
976    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
977    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
978    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
979    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
980    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
981    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
982    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
983    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
984    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
985
986    # Only display proxy stuff if needed.
987    if [ $NEED_PROXY -eq  1 ]; then
988	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
989	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
990	[ $DEBUG -eq 1 ] && ${ECHO} "  NEED_PROXY = $NEED_PROXY"
991    fi
992
993    # Service Search Descriptors are a special case.
994    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
995}
996
997
998#
999# load_config_file(): Loads the config file.
1000#
1001load_config_file()
1002{
1003    [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"
1004
1005    # Remove SSD lines from input file before sourcing.
1006    # The SSD lines must be removed because some forms of the
1007    # data could cause SHELL errors.
1008    ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD
1009
1010    # Source the input file.
1011    . ${TMPDIR}/inputfile.noSSD
1012
1013    # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older
1014    # config files use LDAP_TREETOP
1015    LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"
1016
1017    # Save password to temporary file.
1018    save_password
1019
1020    # Create the SSD file.
1021    create_ssd_file
1022
1023    # Display FULL debugging info.
1024    disp_full_debug
1025}
1026
1027#
1028# save_password(): Save password to temporary file.
1029#
1030save_password()
1031{
1032    cat > ${LDAP_ROOTPWF} <<EOF
1033${LDAP_ROOTPWD}
1034EOF
1035}
1036
1037######################################################################
1038# FUNCTIONS  FOR prompt_config_info() START HERE.
1039######################################################################
1040
1041#
1042# get_ids_server(): Prompt for iDS server name.
1043#
1044get_ids_server()
1045{
1046    while :
1047    do
1048	# Prompt for server name.
1049	get_ans "Enter the iPlanet Directory Server's (iDS) hostname to setup:" "$IDS_SERVER"
1050	IDS_SERVER=$ANS
1051
1052	# Ping server to see if live.  If valid break out of loop.
1053	ping $IDS_SERVER > /dev/null 2>&1
1054	if [ $? -eq 0 ]; then
1055	    break
1056	fi
1057
1058	# Invalid server, enter a new name.
1059	${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
1060	IDS_SERVER=""
1061    done
1062
1063    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1064    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1065    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1066    export SERVER_ARGS
1067
1068}
1069
1070#
1071# get_ids_port(): Prompt for iDS port number.
1072#
1073get_ids_port()
1074{
1075    # Get a valid iDS port number.
1076    while :
1077    do
1078	# Enter port number.
1079	get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
1080	IDS_PORT=$ANS
1081
1082	# Do a simple search to check hostname and port number.
1083	# If search returns SUCCESS, break out, host and port must
1084	# be valid.
1085	${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1
1086	if [ $? -eq 0 ]; then
1087	    break
1088	fi
1089
1090	# Invalid host/port pair, Re-enter.
1091	${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
1092	get_ids_server
1093    done
1094
1095    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1096    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1097    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1098    export SERVER_ARGS
1099}
1100
1101
1102#
1103# chk_ids_version(): Read the slapd config file and set variables
1104#
1105chk_ids_version()
1106{
1107    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
1108
1109    # check iDS version number.
1110    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
1111    if [ $? -ne 0 ]; then
1112	${ECHO} "ERROR: Can not determine the version number of iDS!"
1113	exit 1
1114    fi
1115    IDS_VER=`cat ${TMPDIR}/checkDSver`
1116    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
1117    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
1118    if [ "${IDS_MAJVER}" != "5" ]; then
1119	${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}."
1120    	exit 1
1121    fi
1122    if [ $DEBUG -eq 1 ]; then
1123	${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
1124	${ECHO} "  IDS_MINVER = $IDS_MINVER"
1125    fi
1126}
1127
1128
1129#
1130# get_dirmgr_dn(): Get the directory manger DN.
1131#
1132get_dirmgr_dn()
1133{
1134    get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
1135    LDAP_ROOTDN=$ANS
1136
1137    # Update ENV variables using DN.
1138    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1139    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1140    export AUTH_ARGS LDAP_ARGS
1141}
1142
1143
1144#
1145# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf)
1146#
1147get_dirmgr_pw()
1148{
1149    while :
1150    do
1151	# Get passwd.
1152	get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
1153	LDAP_ROOTPWD=$ANS
1154
1155	# Store password in file.
1156	save_password
1157
1158	# Update ENV variables using DN's PW.
1159	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1160	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1161	export AUTH_ARGS LDAP_ARGS
1162
1163	# Verify that ROOTDN and ROOTPWD are valid.
1164	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
1165	if [ $? -ne 0 ]; then
1166	    eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
1167	    if [ $? -eq 0 ]; then
1168		${ECHO} "ERROR: Root DN passwd is invalid."
1169	    else
1170		${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
1171		get_dirmgr_dn
1172	    fi
1173	else
1174	    break         # Both are valid.
1175	fi
1176    done
1177
1178
1179}
1180
1181
1182#
1183# get_domain(): Get the Domain that will be served by the LDAP server.
1184#               $1 - Help argument.
1185#
1186get_domain()
1187{
1188    # Use LDAP_DOMAIN as default.
1189    get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN
1190
1191    # Check domainname, and have user re-enter if not valid.
1192    check_domainname $ANS
1193    while [ $? -ne 0 ]
1194    do
1195	case "$ANS" in
1196	    [Hh] | help | Help | \?) display_msg ${1:-sorry} ;;
1197	    * ) ${ECHO} "Invalid domainname: \"${ANS}\"."
1198	     ;;
1199	esac
1200	get_ans "Enter domainname to be served (h=help):" $DOM
1201
1202	check_domainname $ANS
1203    done
1204
1205    # Set the domainname to valid name.
1206    LDAP_DOMAIN=$ANS
1207}
1208
1209
1210#
1211# get_basedn(): Query for the Base DN.
1212#
1213get_basedn()
1214{
1215    # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default.
1216    # Then call get_basedn().  This method remakes the default
1217    # each time just in case the domain changed.
1218    domain_2_dc $LDAP_DOMAIN
1219    LDAP_BASEDN=$_DOM_2_DC
1220
1221    # Get Base DN.
1222    while :
1223    do
1224	get_ans_req "Enter LDAP Base DN (h=help):" "$LDAP_BASEDN"
1225	check_baseDN "$ANS"
1226	while [ $? -ne 0 ]
1227	do
1228	    case "$ANS" in
1229		[Hh] | help | Help | \?) display_msg basedn_help ;;
1230		* ) ${ECHO} "Invalid base DN: \"${ANS}\"."
1231		;;
1232	    esac
1233
1234	    # Re-Enter the BaseDN
1235	    get_ans_req "Enter LDAP Base DN (h=help):" "$LDAP_BASEDN"
1236	    check_baseDN "$ANS"
1237	done
1238
1239	# Set base DN.
1240	LDAP_BASEDN=${ANS}
1241
1242	check_basedn_suffix
1243	case $? in
1244	    0) break ;;
1245	    1) cleanup; exit 1 ;;
1246	    2) continue ;;
1247	esac
1248    done
1249}
1250
1251
1252#
1253# get_profile_name(): Enter the profile name.
1254#
1255get_profile_name()
1256{
1257    # Reset Delete Old Profile since getting new profile name.
1258    DEL_OLD_PROFILE=0
1259
1260    # Loop until valid profile name, or replace.
1261    while :
1262    do
1263	# Prompt for profile name.
1264	get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME"
1265
1266	# Check for Help.
1267	case "$ANS" in
1268	    [Hh] | help | Help | \?) display_msg profile_help
1269				     continue ;;
1270	    * )  ;;
1271	esac
1272
1273	# Search to see if profile name already exists.
1274	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
1275	if [ $? -eq 0 ]; then
1276	    get_confirm_nodef "Are you sure you want to overwire profile cn=${ANS}?"
1277	    if [ $? -eq 1 ]; then
1278		DEL_OLD_PROFILE=1
1279		return 0  # Replace old profile name.
1280	    else
1281		${ECHO} "Please re-enter a new profile name."
1282	    fi
1283	else
1284	    break  # Unique profile name.
1285	fi
1286    done
1287
1288    # Set Profile Name.
1289    LDAP_PROFILE_NAME=$ANS
1290}
1291
1292
1293#
1294# get_srv_list(): Get the default server list.
1295#
1296get_srv_list()
1297{
1298    # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone.
1299    if [ -z "${LDAP_SERVER_LIST}" ]; then
1300	LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'`
1301        if [ ${IDS_PORT} -ne 389 ]; then
1302	    LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}"
1303	fi
1304    fi
1305
1306    # Prompt for new LDAP_SERVER_LIST.
1307    while :
1308    do
1309	get_ans "Default server list (h=help):" $LDAP_SERVER_LIST
1310
1311	# If help continue, otherwise break.
1312	case "$ANS" in
1313	    [Hh] | help | Help | \?) display_msg def_srvlist_help ;;
1314	    * ) break ;;
1315	esac
1316    done
1317    LDAP_SERVER_LIST=$ANS
1318}
1319
1320
1321#
1322# get_pref_srv(): The preferred server list (Overrides the server list)
1323#
1324get_pref_srv()
1325{
1326    while :
1327    do
1328	get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST
1329
1330	# If help continue, otherwise break.
1331	case "$ANS" in
1332	    [Hh] | help | Help | \?) display_msg pref_srvlist_help ;;
1333	    * ) break ;;
1334	esac
1335    done
1336    LDAP_PREF_SRVLIST=$ANS
1337}
1338
1339
1340#
1341# get_search_scope(): Get the search scope from the user.
1342#
1343get_search_scope()
1344{
1345    [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()"
1346
1347    _MENU_CHOICE=0
1348    while :
1349    do
1350	get_ans "Choose desired search scope (one, sub, h=help): " "one"
1351	_MENU_CHOICE=$ANS
1352	case "$_MENU_CHOICE" in
1353	    one) LDAP_SEARCH_SCOPE="one"
1354	       return 1 ;;
1355	    sub) LDAP_SEARCH_SCOPE="sub"
1356	       return 2 ;;
1357	    h) display_msg srch_scope_help ;;
1358	    *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;;
1359	esac
1360    done
1361
1362}
1363
1364
1365#
1366# get_cred_level(): Function to display menu to user and get the
1367#                  credential level.
1368#
1369get_cred_level()
1370{
1371    [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()"
1372
1373    _MENU_CHOICE=0
1374    display_msg cred_level_menu
1375    while :
1376    do
1377	get_ans "Choose Credential level [h=help]:" "1"
1378	_MENU_CHOICE=$ANS
1379	case "$_MENU_CHOICE" in
1380	    1) LDAP_CRED_LEVEL="anonymous"
1381	       return 1 ;;
1382	    2) LDAP_CRED_LEVEL="proxy"
1383	       return 2 ;;
1384	    3) LDAP_CRED_LEVEL="proxy anonymous"
1385	       return 3 ;;
1386	    h) display_msg cred_lvl_help ;;
1387	    *) ${ECHO} "Please enter 1, 2 or 3." ;;
1388	esac
1389    done
1390}
1391
1392
1393#
1394# srvauth_menu_handler(): Enter the Service Authentication method.
1395#
1396srvauth_menu_handler()
1397{
1398    # Display Auth menu
1399    display_msg srvauth_method_menu
1400
1401    # Get a Valid choice.
1402    while :
1403    do
1404	# Display appropriate prompt and get answer.
1405	if [ $_FIRST -eq 1 ]; then
1406	    get_ans "Choose Service Authentication Method:" "1"
1407	else
1408	    get_ans "Choose Service Authentication Method (0=reset):"
1409	fi
1410
1411	# Determine choice.
1412	_MENU_CHOICE=$ANS
1413	case "$_MENU_CHOICE" in
1414	    1) _AUTHMETHOD="simple"
1415		break ;;
1416	    2) _AUTHMETHOD="sasl/DIGEST-MD5"
1417		break ;;
1418	    3) _AUTHMETHOD="tls:simple"
1419		break ;;
1420	    4) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1421		break ;;
1422	    0) _AUTHMETHOD=""
1423		_FIRST=1
1424		break ;;
1425	    *) ${ECHO} "Please enter 1-4 or 0 to reset." ;;
1426	esac
1427    done
1428}
1429
1430
1431#
1432# auth_menu_handler(): Enter the Authentication method.
1433#
1434auth_menu_handler()
1435{
1436    # Display Auth menu
1437    display_msg auth_method_menu
1438
1439    # Get a Valid choice.
1440    while :
1441    do
1442	# Display appropriate prompt and get answer.
1443	if [ $_FIRST -eq 1 ]; then
1444	    get_ans "Choose Authentication Method (h=help):" "1"
1445	else
1446	    get_ans "Choose Authentication Method (0=reset, h=help):"
1447	fi
1448
1449	# Determine choice.
1450	_MENU_CHOICE=$ANS
1451	case "$_MENU_CHOICE" in
1452	    1) _AUTHMETHOD="none"
1453		break ;;
1454	    2) _AUTHMETHOD="simple"
1455		break ;;
1456	    3) _AUTHMETHOD="sasl/DIGEST-MD5"
1457		break ;;
1458	    4) _AUTHMETHOD="tls:simple"
1459		break ;;
1460	    5) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1461		break ;;
1462	    0) _AUTHMETHOD=""
1463		_FIRST=1
1464		break ;;
1465	    h) display_msg auth_help ;;
1466	    *) ${ECHO} "Please enter 1-5, 0=reset, or h=help." ;;
1467	esac
1468    done
1469}
1470
1471
1472#
1473# get_auth(): Enter the Authentication method.
1474#
1475get_auth()
1476{
1477    [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()"
1478
1479    _FIRST=1          # Flag for first time.
1480    _MENU_CHOICE=0
1481    _AUTHMETHOD=""    # Tmp method.
1482
1483    while :
1484    do
1485	# Call Menu handler
1486	auth_menu_handler
1487
1488	# Add Auth Method to list.
1489        if [ $_FIRST -eq 1 ]; then
1490	    LDAP_AUTHMETHOD="${_AUTHMETHOD}"
1491	    _FIRST=0
1492	else
1493	    LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}"
1494	fi
1495
1496	# Display current Authentication Method.
1497	${ECHO} ""
1498	${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}"
1499	${ECHO} ""
1500
1501	# Prompt for another Auth Method, or break out.
1502	get_confirm_nodef "Do you want to add another Authentication Method?"
1503	if [ $? -eq 0 ]; then
1504	    break;
1505	fi
1506    done
1507}
1508
1509
1510#
1511# get_followref(): Whether or not to follow referrals.
1512#
1513get_followref()
1514{
1515    get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
1516    if [ $? -eq 1 ]; then
1517	LDAP_FOLLOWREF="TRUE"
1518    else
1519	LDAP_FOLLOWREF="FALSE"
1520    fi
1521}
1522
1523
1524#
1525# get_timelimit(): Set the time limit. -1 is max time.
1526#
1527get_timelimit()
1528{
1529    # Get current timeout value from cn=config.
1530    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1"
1531    if [ $? -ne 0 ]; then
1532	${ECHO} "  ERROR: Could not reach LDAP server to check current timeout!"
1533	cleanup
1534	exit 1
1535    fi
1536    CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=`
1537
1538    get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
1539    IDS_TIMELIMIT=$NUM
1540}
1541
1542
1543#
1544# get_sizelimit(): Set the size limit. -1 is max size.
1545#
1546get_sizelimit()
1547{
1548    # Get current sizelimit value from cn=config.
1549    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1"
1550    if [ $? -ne 0 ]; then
1551	${ECHO} "  ERROR: Could not reach LDAP server to check current sizelimit!"
1552	cleanup
1553	exit 1
1554    fi
1555    CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=`
1556
1557    get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
1558    IDS_SIZELIMIT=$NUM
1559}
1560
1561
1562#
1563# get_want_crypt(): Ask user if want to store passwords in crypt?
1564#
1565get_want_crypt()
1566{
1567    get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
1568    if [ $? -eq 1 ]; then
1569	NEED_CRYPT="TRUE"
1570    else
1571	NEED_CRYPT="FALSE"
1572    fi
1573}
1574
1575
1576#
1577# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
1578#
1579#  NOTE: This function is base on get_auth().
1580#
1581get_srv_authMethod_pam()
1582{
1583    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"
1584
1585    _FIRST=1          # Flag for first time.
1586    _MENU_CHOICE=0
1587    _AUTHMETHOD=""    # Tmp method.
1588
1589    while :
1590    do
1591	# Call Menu handler
1592	srvauth_menu_handler
1593
1594	# Add Auth Method to list.
1595        if [ $_FIRST -eq 1 ]; then
1596	    if [ "$_AUTHMETHOD" = "" ]; then
1597		LDAP_SRV_AUTHMETHOD_PAM=""
1598	    else
1599		LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
1600	    fi
1601	    _FIRST=0
1602	else
1603	    LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}"
1604	fi
1605
1606	# Display current Authentication Method.
1607	${ECHO} ""
1608	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
1609	${ECHO} ""
1610
1611	# Prompt for another Auth Method, or break out.
1612	get_confirm_nodef "Do you want to add another Authentication Method?"
1613	if [ $? -eq 0 ]; then
1614	    break;
1615	fi
1616    done
1617
1618    # Check in case user reset string and exited loop.
1619    if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
1620	NEED_SRVAUTH_PAM=0
1621    fi
1622}
1623
1624
1625#
1626# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
1627#
1628#  NOTE: This function is base on get_auth().
1629#
1630get_srv_authMethod_key()
1631{
1632    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"
1633
1634    _FIRST=1          # Flag for first time.
1635    _MENU_CHOICE=0
1636    _AUTHMETHOD=""    # Tmp method.
1637
1638    while :
1639    do
1640	# Call Menu handler
1641	srvauth_menu_handler
1642
1643	# Add Auth Method to list.
1644        if [ $_FIRST -eq 1 ]; then
1645	    if [ "$_AUTHMETHOD" = "" ]; then
1646		LDAP_SRV_AUTHMETHOD_KEY=""
1647	    else
1648		LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
1649	    fi
1650	    _FIRST=0
1651	else
1652	    LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}"
1653	fi
1654
1655	# Display current Authentication Method.
1656	${ECHO} ""
1657	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
1658	${ECHO} ""
1659
1660	# Prompt for another Auth Method, or break out.
1661	get_confirm_nodef "Do you want to add another Authentication Method?"
1662	if [ $? -eq 0 ]; then
1663	    break;
1664	fi
1665    done
1666
1667    # Check in case user reset string and exited loop.
1668    if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
1669	NEED_SRVAUTH_KEY=0
1670    fi
1671}
1672
1673
1674#
1675# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
1676#
1677#  NOTE: This function is base on get_auth().
1678#
1679get_srv_authMethod_cmd()
1680{
1681    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"
1682
1683    _FIRST=1          # Flag for first time.
1684    _MENU_CHOICE=0
1685    _AUTHMETHOD=""    # Tmp method.
1686
1687    while :
1688    do
1689	# Call Menu handler
1690	srvauth_menu_handler
1691
1692	# Add Auth Method to list.
1693        if [ $_FIRST -eq 1 ]; then
1694	    if [ "$_AUTHMETHOD" = "" ]; then
1695		LDAP_SRV_AUTHMETHOD_CMD=""
1696	    else
1697		LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
1698	    fi
1699	    _FIRST=0
1700	else
1701	    LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}"
1702	fi
1703
1704	# Display current Authentication Method.
1705	${ECHO} ""
1706	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
1707	${ECHO} ""
1708
1709	# Prompt for another Auth Method, or break out.
1710	get_confirm_nodef "Do you want to add another Authentication Method?"
1711	if [ $? -eq 0 ]; then
1712	    break;
1713	fi
1714    done
1715
1716    # Check in case user reset string and exited loop.
1717    if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
1718	NEED_SRVAUTH_CMD=0
1719    fi
1720}
1721
1722
1723#
1724# get_srch_time(): Amount of time to search.
1725#
1726get_srch_time()
1727{
1728    get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
1729    LDAP_SEARCH_TIME_LIMIT=$NUM
1730}
1731
1732
1733#
1734# get_prof_ttl(): The profile time to live (TTL)
1735#
1736get_prof_ttl()
1737{
1738    get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help"
1739    LDAP_PROFILE_TTL=$NUM
1740}
1741
1742
1743#
1744# get_bind_limit(): Bind time limit
1745#
1746get_bind_limit()
1747{
1748    get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help"
1749    LDAP_BIND_LIMIT=$NUM
1750}
1751
1752
1753######################################################################
1754# FUNCTIONS  FOR Service Search Descriptor's START HERE.
1755######################################################################
1756
1757
1758#
1759# add_ssd(): Get SSD's from user and add to file.
1760#
1761add_ssd()
1762{
1763    [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"
1764
1765    # Enter the service id.  Loop til unique.
1766    while :
1767    do
1768	get_ans "Enter the service id:"
1769	_SERV_ID=$ANS
1770
1771	# Grep for name existing.
1772	${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
1773	if [ $? -eq 1 ]; then
1774	    break
1775	fi
1776
1777	# Name exists, print message, let user decide.
1778	${ECHO} "ERROR: Service id ${ANS} already exists."
1779    done
1780
1781    get_ans "Enter the base:"
1782    _BASE=$ANS
1783
1784    # Get the scope and verify that its one or sub.
1785    while :
1786    do
1787	get_ans "Enter the scope:"
1788	_SCOPE=$ANS
1789	case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
1790	    one) break ;;
1791	    sub) break ;;
1792	    *)   ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
1793	esac
1794    done
1795
1796    # Build SSD to add to file.
1797    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
1798
1799    # Add the SSD to the file.
1800    ${ECHO} "${_SSD}" >> ${SSD_FILE}
1801}
1802
1803
1804#
1805# delete_ssd(): Delete a SSD from the list.
1806#
1807delete_ssd()
1808{
1809    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"
1810
1811    # Get service id name from user for SSD to delete.
1812    get_ans_req "Enter service id to delete:"
1813
1814    # Make sure service id exists.
1815    ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1
1816    if [ $? -eq 1 ]; then
1817	${ECHO} "Invalid service id: $ANS not present in list."
1818	return
1819    fi
1820
1821    # Create temporary back SSD file.
1822    cp ${SSD_FILE} ${SSD_FILE}.bak
1823    if [ $? -eq 1 ]; then
1824	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
1825	exit 1
1826    fi
1827
1828    # Use ${GREP} to remove the SSD.  Read from temp file
1829    # and write to the orig file.
1830    ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE}
1831}
1832
1833
1834#
1835# modify_ssd(): Allow user to modify a SSD.
1836#
1837modify_ssd()
1838{
1839    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"
1840
1841    # Prompt user for service id.
1842    get_ans_req "Enter service id to modify:"
1843
1844    # Put into temp _LINE.
1845    _LINE=`${GREP} "^$ANS:" ${SSD_FILE}`
1846    if [ "$_LINE" = "" ]; then
1847	${ECHO} "Invalid service id: $ANS"
1848	return
1849    fi
1850
1851    # Display current filter for user to see.
1852    ${ECHO} ""
1853    ${ECHO} "Current SSD: $_LINE"
1854    ${ECHO} ""
1855
1856    # Get the defaults.
1857    _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
1858    _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`
1859
1860    # Create temporary back SSD file.
1861    cp ${SSD_FILE} ${SSD_FILE}.bak
1862    if [ $? -eq 1 ]; then
1863	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
1864	cleanup
1865	exit 1
1866    fi
1867
1868    # Removed the old line.
1869    ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
1870
1871    # New Entry
1872    _SERV_ID=$ANS
1873    get_ans_req "Enter the base:" "$_CURR_BASE"
1874    _BASE=$ANS
1875    get_ans_req "Enter the scope:" "$_CURR_SCOPE"
1876    _SCOPE=$ANS
1877
1878    # Build the new SSD.
1879    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
1880
1881    # Add the SSD to the file.
1882    ${ECHO} "${_SSD}" >> ${SSD_FILE}
1883}
1884
1885
1886#
1887# display_ssd(): Display the current SSD list.
1888#
1889display_ssd()
1890{
1891    [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"
1892
1893    ${ECHO} ""
1894    ${ECHO} "Current Service Search Descriptors:"
1895    ${ECHO} "=================================="
1896    cat ${SSD_FILE}
1897    ${ECHO} ""
1898    ${ECHO} "Hit return to continue."
1899    read __A
1900}
1901
1902
1903#
1904# prompt_ssd(): Get SSD's from user.
1905#
1906prompt_ssd()
1907{
1908    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"
1909    # See if user wants SSD's?
1910    get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
1911    [ "$?" -eq 0 ] && return
1912
1913    # Display menu for SSD choices.
1914    while :
1915    do
1916	display_msg prompt_ssd_menu
1917	get_ans "Enter menu choice:" "Quit"
1918	case "$ANS" in
1919	    [Aa] | add) add_ssd ;;
1920	    [Dd] | delete) delete_ssd ;;
1921	    [Mm] | modify) modify_ssd ;;
1922	    [Pp] | print | display) display_ssd ;;
1923	    [Xx] | reset | clear) reset_ssd_file ;;
1924	    [Hh] | Help | help)	display_msg ssd_menu_help
1925				${ECHO} " Press return to continue."
1926				read __A ;;
1927	    [Qq] | Quit | quit)	return ;;
1928	    *)    ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
1929	esac
1930    done
1931}
1932
1933
1934#
1935# reset_ssd_file(): Blank out current SSD file.
1936#
1937reset_ssd_file()
1938{
1939    [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()"
1940
1941    rm -f ${SSD_FILE}
1942    touch ${SSD_FILE}
1943}
1944
1945
1946#
1947# create_ssd_file(): Create a temporary file for SSD's.
1948#
1949create_ssd_file()
1950{
1951    [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()"
1952
1953    # Build a list of SSD's and store in temp file.
1954    ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \
1955	sed 's/LDAP_SERV_SRCH_DES=//' \
1956	> ${SSD_FILE}
1957}
1958
1959
1960#
1961# ssd_2_config(): Append the SSD file to the output file.
1962#
1963ssd_2_config()
1964{
1965    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()"
1966
1967    # Convert to config file format using sed.
1968    sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE}
1969}
1970
1971
1972#
1973# ssd_2_profile(): Add SSD's to the GEN_CMD string.
1974#
1975ssd_2_profile()
1976{
1977    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()"
1978
1979    GEN_TMPFILE=${TMPDIR}/ssd_tmpfile
1980    touch ${GEN_TMPFILE}
1981
1982    # Add and convert each SSD to string.
1983    while read SSD_LINE
1984    do
1985	${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE}
1986    done <${SSD_FILE}
1987
1988    # Add SSD's to GEN_CMD.
1989    GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`"
1990}
1991
1992
1993#
1994# prompt_config_info(): This function prompts the user for the config
1995# info that is not specified in the input file.
1996#
1997prompt_config_info()
1998{
1999    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"
2000
2001    # Prompt for iDS server name.
2002    get_ids_server
2003
2004    # Prompt for iDS port number.
2005    get_ids_port
2006
2007    # Check iDS version for compatibility.
2008    chk_ids_version
2009
2010    # Check if the server supports the VLV.
2011    chk_vlv_indexes
2012
2013    # Get the Directory manager DN and passwd.
2014    get_dirmgr_dn
2015    get_dirmgr_pw
2016
2017    #
2018    # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
2019    #   (i.e. The fields that show up in the profile.)
2020    #
2021    get_domain "domain_help"
2022
2023    get_basedn
2024
2025    get_profile_name
2026    get_srv_list
2027    get_pref_srv
2028    get_search_scope
2029
2030    # If cred is "anonymous", make auth == "none"
2031    get_cred_level
2032    if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
2033	get_auth
2034    fi
2035
2036    get_followref
2037
2038    # Query user about timelimt.
2039    get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
2040    NEED_TIME=$?
2041    [ $NEED_TIME -eq 1 ] && get_timelimit
2042
2043    # Query user about sizelimit.
2044    get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
2045    NEED_SIZE=$?
2046    [ $NEED_SIZE -eq 1 ] && get_sizelimit
2047
2048    # Does the user want to store passwords in crypt format?
2049    get_want_crypt
2050
2051    # Prompt for any Service Authentication Methods?
2052    get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
2053    if [ $? -eq 1 ]; then
2054	# Does the user want to set Service Authentication Method for pam_ldap?
2055	get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
2056	NEED_SRVAUTH_PAM=$?
2057	[ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam
2058
2059	# Does the user want to set Service Authentication Method for keyserv?
2060	get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
2061	NEED_SRVAUTH_KEY=$?
2062	[ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key
2063
2064	# Does the user want to set Service Authentication Method for passwd-cmd?
2065	get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
2066	NEED_SRVAUTH_CMD=$?
2067	[ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
2068    fi
2069
2070    # Get Timeouts
2071    get_srch_time
2072    get_prof_ttl
2073    get_bind_limit
2074
2075    # Reset the sdd_file and prompt user for SSD.  Will use menus
2076    # to build an SSD File.
2077    reset_ssd_file
2078    prompt_ssd
2079
2080    # Display FULL debugging info.
2081    disp_full_debug
2082
2083    # Extra blank line to separate prompt lines from steps.
2084    ${ECHO} " "
2085}
2086
2087
2088######################################################################
2089# FUNCTIONS  FOR display_summary() START HERE.
2090######################################################################
2091
2092
2093#
2094# get_proxyagent(): Get the proxyagent DN.
2095#
2096get_proxyagent()
2097{
2098    LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}"  # default
2099    get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
2100    LDAP_PROXYAGENT=$ANS
2101}
2102
2103
2104#
2105# get_proxy_pw(): Get the proxyagent passwd.
2106#
2107get_proxy_pw()
2108{
2109    get_passwd "Enter passwd for proxyagent:"
2110    LDAP_PROXYAGENT_CRED=$ANS
2111}
2112
2113
2114#
2115# display_summary(): Display a summary of values entered and let the
2116#                    user modify values at will.
2117#
2118display_summary()
2119{
2120    [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"
2121
2122    # Create lookup table for function names.  First entry is dummy for
2123    # shift.
2124    TBL1="dummy"
2125    TBL2="get_domain get_basedn get_profile_name"
2126    TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
2127    TBL4="get_auth get_followref"
2128    TBL5="get_timelimit get_sizelimit get_want_crypt"
2129    TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
2130    TBL7="get_srch_time get_prof_ttl get_bind_limit"
2131    TBL8="prompt_ssd"
2132    FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8"
2133
2134    # Since menu prompt string is long, set here.
2135    _MENU_PROMPT="Enter config value to change: (1-19 0=commit changes)"
2136
2137    # Infinite loop.  Test for 0, and break in loop.
2138    while :
2139    do
2140	# Display menu and get value in range.
2141	display_msg summary_menu
2142	get_menu_choice "${_MENU_PROMPT}" "0" "19" "0"
2143	_CH=$MN_CH
2144
2145	# Make sure where not exiting.
2146	if [ $_CH -eq 0 ]; then
2147	    break       # Break out of loop if 0 selected.
2148	fi
2149
2150	# Call appropriate function from function table.
2151	set $FUNC_TBL
2152	shift $_CH
2153	$1          # Call the appropriate function.
2154    done
2155
2156    # If cred level is still see if user wants a change?
2157    if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
2158    then
2159	if [ "$LDAP_AUTHMETHOD" != "none" ]; then
2160	    NEED_PROXY=1    # I assume integer test is faster?
2161	    get_proxyagent
2162	    get_proxy_pw
2163	else
2164	    ${ECHO} "WARNING: Since Authentication method is 'none'."
2165	    ${ECHO} "         Credential level will be set to 'anonymous'."
2166	    LDAP_CRED_LEVEL="anonymous"
2167	fi
2168    fi
2169
2170    # Display FULL debugging info.
2171    disp_full_debug
2172
2173    # Final confirmation message. (ARE YOU SURE!)
2174    ${ECHO} " "
2175    get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
2176    if [ $? -eq 0 ]; then
2177	${ECHO} "Terminating setup without making changes at users request."
2178	exit 1
2179    fi
2180
2181    # Print newline
2182    ${ECHO} " "
2183}
2184
2185
2186#
2187# create_config_file(): Write config data to config file specified.
2188#
2189create_config_file()
2190{
2191    [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"
2192
2193    # If output file exists, delete it.
2194    [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE
2195
2196    # Create output file.
2197    cat > $OUTPUT_FILE <<EOF
2198#!/bin/sh
2199# $OUTPUT_FILE - This file contains configuration information for
2200#                Native LDAP.  Use the idsconfig tool to load it.
2201#
2202# WARNING: This file was generated by idsconfig, and is intended to
2203#          be loaded by idsconfig as is.  DO NOT EDIT THIS FILE!
2204#
2205IDS_SERVER="$IDS_SERVER"
2206IDS_PORT=$IDS_PORT
2207IDS_TIMELIMIT=$IDS_TIMELIMIT
2208IDS_SIZELIMIT=$IDS_SIZELIMIT
2209LDAP_ROOTDN="$LDAP_ROOTDN"
2210LDAP_ROOTPWD=$LDAP_ROOTPWD
2211LDAP_DOMAIN="$LDAP_DOMAIN"
2212LDAP_SUFFIX="$LDAP_SUFFIX"
2213
2214# Internal program variables that need to be set.
2215NEED_PROXY=$NEED_PROXY
2216NEED_TIME=$NEED_TIME
2217NEED_SIZE=$NEED_SIZE
2218NEED_CRYPT=$NEED_CRYPT
2219
2220# LDAP PROFILE related defaults
2221LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
2222DEL_OLD_PROFILE=1
2223LDAP_BASEDN="$LDAP_BASEDN"
2224LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
2225LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
2226LDAP_FOLLOWREF=$LDAP_FOLLOWREF
2227LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
2228NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
2229NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
2230NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
2231LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
2232LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
2233LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
2234LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
2235LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
2236LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
2237LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
2238LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT
2239
2240# Proxy Agent
2241LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
2242LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED
2243
2244# Export all the variables (just in case)
2245export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
2246export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
2247export NEED_PROXY
2248export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 
2249export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
2250export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
2251export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
2252export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
2253export LDAP_SERV_SRCH_DES SSD_FILE
2254
2255# Service Search Descriptors start here if present:
2256EOF
2257    # Add service search descriptors.
2258    ssd_2_config "${OUTPUT_FILE}"
2259
2260    # Add the end of FILE tag.
2261    ${ECHO} "" >> ${OUTPUT_FILE}
2262    ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE}
2263}
2264
2265
2266#
2267# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
2268#
2269chk_vlv_indexes()
2270{
2271    # Do ldapsearch to see if server supports VLV.
2272    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
2273    eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"
2274    if [ $? -ne 0 ]; then
2275	${ECHO} "ERROR: VLV is not supported on LDAP server!"
2276	cleanup
2277	exit 1
2278    fi
2279    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV controls found on LDAP server."
2280}
2281
2282#
2283# get_backend(): this function gets the relevant backend
2284#                (database) for LDAP_BASED.
2285#                Description: set IDS_DATABASE; exit on failure.
2286#                Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are
2287#                valid.
2288#
2289#                backend is retrieved from suffixes and subsuffixes
2290#                defined under "cn=mapping tree,cn=config". The
2291#                nsslapd-state attribute of these suffixes entries
2292#                is filled with either Backend, Disabled or referrals
2293#                related values. We only want those that have a true
2294#                backend database to select the relevant backend.
2295#
2296get_backend()
2297{
2298    [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"
2299
2300    cur_suffix=${LDAP_BASEDN}
2301    prev_suffix=
2302    IDS_DATABASE=
2303    while [ "${cur_suffix}" != "${prev_suffix}" ]
2304    do
2305	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
2306	eval "${LDAPSEARCH} ${LDAP_ARGS} " \
2307		"-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
2308		"-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
2309		"| ${GREP} 'nsslapd-backend=' " \
2310		"> ${TMPDIR}/ids_database_name 2>&1"
2311	NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
2312	case ${NUM_DBS} in
2313	0) # not a suffix, or suffix not activated; try next
2314	    prev_suffix=${cur_suffix}
2315	    cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','`
2316	    ;;
2317	1) # suffix found; get database name
2318	    IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2`
2319	    ;;
2320	*) # can not handle more than one database per suffix
2321	    ${ECHO} "ERROR: More than one database is configured "
2322	    ${ECHO} "       for $LDAP_SUFFIX!"
2323	    ${ECHO} "       $PROG can not configure suffixes where "
2324	    ${ECHO} "       more than one database is used for one suffix."
2325	    cleanup
2326	    exit 1
2327	    ;;
2328	esac
2329	if [ -n "${IDS_DATABASE}" ]; then
2330	    break
2331	fi
2332    done
2333
2334    if [ -z "${IDS_DATABASE}" ]; then
2335	# should not happen, since LDAP_BASEDN is supposed to be valid
2336	${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
2337	${ECHO} "Exiting."
2338	cleanup
2339	exit 1
2340    fi
2341
2342    [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
2343}
2344
2345#
2346# validate_suffix(): This function validates ${LDAP_SUFFIX}
2347#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
2348#
2349validate_suffix()
2350{
2351    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"
2352
2353    # Check LDAP_SUFFIX is not null
2354    if [ -z "${LDAP_SUFFIX}" ]; then
2355	${ECHO} "Invalid suffix (null suffix)"
2356	cleanup
2357	exit 1
2358    fi
2359
2360    # Check LDAP_SUFFIX does exist
2361    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1"
2362    if [ $? -ne 0 ]; then
2363	${ECHO} "Invalid suffix ${LDAP_SUFFIX}"
2364	cleanup
2365	exit 1
2366    fi
2367
2368    # Check LDAP_SUFFIX and LDAP_BASEDN are consistent
2369    # Convert to lower case for basename.
2370    format_string "${LDAP_BASEDN}"
2371    LOWER_BASEDN="${FMT_STR}"
2372    format_string "${LDAP_SUFFIX}"
2373    LOWER_SUFFIX="${FMT_STR}"
2374
2375    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
2376    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
2377
2378    if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
2379    	sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
2380    	if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
2381	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
2382	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
2383	    cleanup
2384	    exit 1
2385	fi
2386    fi
2387}
2388
2389#
2390# validate_info(): This function validates the basic info collected
2391#                  So that some problems are caught right away.
2392#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
2393#
2394validate_info()
2395{
2396    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"
2397
2398    # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
2399    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
2400    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
2401    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
2402    export SERVER_ARGS
2403
2404    # Check the Root DN and Root DN passwd.
2405    # Use eval instead of $EVAL because not part of setup. (validate)
2406    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
2407    if [ $? -ne 0 ]; then
2408	eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
2409	if [ $? -eq 0 ]; then
2410	    ${ECHO} "ERROR: Root DN passwd is invalid."
2411	else
2412	    ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>."
2413	fi
2414	cleanup
2415	exit 1
2416    fi
2417    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN ... OK"
2418    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN passwd ... OK"
2419
2420    # Check if the server supports the VLV.
2421    chk_vlv_indexes
2422    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV indexes ... OK"
2423
2424    # Check LDAP suffix
2425    validate_suffix
2426    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP suffix ... OK"
2427
2428    # Get backend
2429    get_backend
2430    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP backend ... OK"
2431
2432}
2433
2434#
2435# format_string(): take a string as argument and set FMT_STR
2436# to be the same string formatted as follow:
2437# - only lower case characters
2438# - no unnecessary spaces around , and =
2439#
2440format_string()
2441{
2442    FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' |
2443	sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`
2444}
2445
2446#
2447# check_basedn_suffix(): check that there is an existing
2448# valid suffix to hold current base DN
2449# return:
2450#   0: valid suffix found
2451#   1: no valid suffix found, or user gives up
2452#   2: give it another try
2453#
2454check_basedn_suffix()
2455{
2456    [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"
2457
2458    # find out existing suffixes
2459    discover_serv_suffix
2460    if [ $? -ne 0 ]; then
2461	${ECHO} "No suffixes found. Exiting."
2462	return 1
2463    fi
2464
2465    ${ECHO} "  Validating LDAP Base DN and Suffix ..."
2466
2467    # check that LDAP Base DN might be added
2468    cur_ldap_entry=${LDAP_BASEDN}
2469    prev_ldap_entry=
2470    while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
2471    do
2472	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
2473	${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
2474		-s one "objectclass=*" > /dev/null 2>&1
2475	if [ $? -eq 0 ]; then
2476	    break
2477	else
2478	    prev_ldap_entry=${cur_ldap_entry}
2479	    cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
2480	fi
2481    done
2482
2483    if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
2484	[ $DEBUG -eq 1 ] && ${ECHO} "No valid LDAP suffix found"
2485	display_msg ldap_suffix_list
2486	get_confirm "Do you want to continue (h=help):" \
2487	    "y" ldap_suffix_list_help
2488	if [ $? -eq 0 ]; then
2489	    return 1 # users gives up
2490	else
2491	    return 2 # continue
2492	fi
2493    else
2494	[ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"
2495
2496	# Now looking for relevant suffix for this entry.
2497	# LDAP_SUFFIX will then be used to add necessary
2498	# base objects. See add_base_objects().
2499	format_string "${cur_ldap_entry}"
2500	lower_entry="${FMT_STR}"
2501	[ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
2502	oIFS=$IFS
2503	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
2504	IFS='
2505'
2506	for suff in ${LDAP_SUFFIX_LIST}
2507	do
2508	    [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
2509	    format_string "${suff}"
2510	    lower_suff="${FMT_STR}"
2511	    if [ "${lower_entry}" = "${lower_suff}" ]; then
2512		LDAP_SUFFIX="${suff}"
2513		break
2514	    else
2515		dcstmp=`basename "${lower_entry}" "${lower_suff}"`
2516		if [ "${dcstmp}" = "${lower_entry}" ]; then
2517		    # invalid suffix, try next one
2518		    continue
2519		else
2520		    # valid suffix found
2521		    LDAP_SUFFIX="${suff}"
2522		    break
2523		fi
2524	    fi
2525	done
2526	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
2527	IFS=$oIFS
2528
2529	[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"
2530
2531	if [ -z "${LDAP_SUFFIX}" ]; then
2532	    # should not happen, since we found the entry
2533	    ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
2534	    ${ECHO} "Exiting."
2535	    return 1
2536	fi
2537
2538	# Getting relevant database (backend)
2539	# IDS_DATABASE will then be used to create indexes.
2540	get_backend
2541
2542	return 0
2543    fi
2544}
2545
2546#
2547# discover_serv_suffix(): This function queries the server to find
2548#    suffixes available
2549#  return: 0: OK, suffix found
2550#          1: suffix not determined
2551discover_serv_suffix()
2552{
2553    [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"
2554
2555    # Search the server for the TOP of the TREE.
2556    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
2557    ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
2558	${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
2559    NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
2560    case $NUM_TOP in
2561	0)
2562	    ${ECHO} "ERROR: No suffix found in LDAP tree"
2563	    return 1
2564	    ;;
2565	*)  # build the list of suffixes; take out 'namingContexts=' in
2566	    # each line of ${TMPDIR}/treeTOP
2567	    LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
2568		awk '{ printf("%s\n",substr($0,16,length-15)) }'`
2569	    [ $DEBUG -eq 1 ] && ${ECHO} "final list: ${LDAP_SUFFIX_LIST}"
2570
2571	    ;;
2572    esac
2573
2574    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
2575    return 0
2576}
2577
2578
2579#
2580# modify_cn(): Change the cn from MUST to MAY in ipNetwork.
2581#
2582modify_cn()
2583{
2584    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"
2585
2586    ( cat <<EOF
2587dn: cn=schema
2588changetype: modify
2589add: objectclasses
2590objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( ipNetworkNumber ) MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' ))
2591EOF
2592) > ${TMPDIR}/ipNetwork_cn
2593
2594    # Modify the cn for ipNetwork.
2595    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
2596    if [ $? -ne 0 ]; then
2597	${ECHO} "  ERROR: update of cn for ipNetwork failed!"
2598	cleanup
2599	exit 1
2600    fi
2601}
2602
2603
2604# modify_timelimit(): Modify timelimit to user value.
2605modify_timelimit()
2606{
2607    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"
2608
2609    # Here doc to modify timelimit.
2610    ( cat <<EOF
2611dn: cn=config
2612changetype: modify
2613replace: nsslapd-timelimit
2614nsslapd-timelimit: ${IDS_TIMELIMIT}
2615EOF
2616) > ${TMPDIR}/ids_timelimit
2617
2618    # Add the entry.
2619    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
2620    if [ $? -ne 0 ]; then
2621	${ECHO} "  ERROR: update of nsslapd-timelimit failed!"
2622	cleanup
2623	exit 1
2624    fi
2625
2626    # Display messages for modifications made in patch.
2627    ${ECHO} "  ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
2628    STEP=`expr $STEP + 1`
2629}
2630
2631
2632# modify_sizelimit(): Modify sizelimit to user value.
2633modify_sizelimit()
2634{
2635    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"
2636
2637    # Here doc to modify sizelimit.
2638    ( cat <<EOF
2639dn: cn=config
2640changetype: modify
2641replace: nsslapd-sizelimit
2642nsslapd-sizelimit: ${IDS_SIZELIMIT}
2643EOF
2644) > ${TMPDIR}/ids_sizelimit
2645
2646    # Add the entry.
2647    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
2648    if [ $? -ne 0 ]; then
2649	${ECHO} "  ERROR: update of nsslapd-sizelimit failed!"
2650	cleanup
2651	exit 1
2652    fi
2653
2654    # Display messages for modifications made in patch.
2655    ${ECHO} "  ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
2656    STEP=`expr $STEP + 1`
2657}
2658
2659
2660# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
2661modify_pwd_crypt()
2662{
2663    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"
2664
2665    # Here doc to modify passwordstoragescheme.
2666    # IDS 5.2 moved passwordchangesceme off to a new data structure.
2667    if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
2668	( cat <<EOF
2669dn: cn=config
2670changetype: modify
2671replace: passwordstoragescheme
2672passwordstoragescheme: crypt
2673EOF
2674	) > ${TMPDIR}/ids_crypt
2675    else
2676	( cat <<EOF
2677dn: cn=Password Policy,cn=config
2678changetype: modify
2679replace: passwordstoragescheme
2680passwordstoragescheme: crypt
2681EOF
2682	) > ${TMPDIR}/ids_crypt
2683    fi
2684
2685    # Add the entry.
2686    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
2687    if [ $? -ne 0 ]; then
2688	${ECHO} "  ERROR: update of passwordstoragescheme failed!"
2689	cleanup
2690	exit 1
2691    fi
2692
2693    # Display messages for modifications made in patch.
2694    ${ECHO} "  ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
2695    STEP=`expr $STEP + 1`
2696}
2697
2698
2699#
2700# add_eq_indexes(): Add indexes to improve search performance.
2701#
2702add_eq_indexes()
2703{
2704    [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"
2705
2706    # Set eq indexes to add.
2707    _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"
2708
2709    # Set _EXT to use as shortcut.
2710    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
2711
2712
2713    # Display message to id current step.
2714    ${ECHO} "  ${STEP}. Processing eq,pres indexes:"
2715    STEP=`expr $STEP + 1`
2716
2717    # For loop to create indexes.
2718    for i in ${_INDEXES}; do
2719	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
2720
2721	# Check if entry exists first, if so, skip to next.
2722	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_EXT}" -s base "objectclass=*" > /dev/null 2>&1
2723	if [ $? -eq 0 ]; then
2724	    # Display index skipped.
2725	    ${ECHO} "      ${i} (eq,pres) skipped already exists"
2726	    continue
2727	fi
2728
2729	# Here doc to create LDIF.
2730	( cat <<EOF
2731dn: cn=${i},${_EXT}
2732objectClass: top
2733objectClass: nsIndex
2734cn: ${i}
2735nsSystemIndex: false
2736nsIndexType: pres
2737nsIndexType: eq
2738EOF
2739) > ${TMPDIR}/index_${i}
2740
2741	# Add the index.
2742	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
2743	if [ $? -ne 0 ]; then
2744	    ${ECHO} "  ERROR: Adding EQ,PRES index for ${i} failed!"
2745	    cleanup
2746	    exit 1
2747	fi
2748
2749	# Build date for task name.
2750	_YR=`date '+%y'`
2751	_MN=`date '+%m'`
2752	_DY=`date '+%d'`
2753	_H=`date '+%H'`
2754	_M=`date '+%M'`
2755	_S=`date '+%S'`
2756
2757	# Build task name
2758	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
2759
2760	# Build the task entry to add.
2761	( cat <<EOF
2762dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
2763changetype: add
2764objectclass: top
2765objectclass: extensibleObject
2766cn: ${TASKNAME}
2767nsInstance: ${IDS_DATABASE}
2768nsIndexAttribute: ${i}
2769EOF
2770) > ${TMPDIR}/task_${i}
2771
2772	# Add the task.
2773	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
2774	if [ $? -ne 0 ]; then
2775	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
2776	    cleanup
2777	    exit 1
2778	fi
2779
2780	# Wait for task to finish, display current status.
2781	while :
2782	do
2783	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index, cn=tasks, cn=config\" -s sub \"objectclass=*\" > ${TMPDIR}/istask_${i} 2>&1"
2784	    ${GREP} ${TASKNAME} ${TMPDIR}/istask_${i} > /dev/null 2>&1
2785	    if [ $? -ne 0 ]; then
2786		break
2787	    fi
2788	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index,cn=tasks,cn=config\" -s one \"objectclass=*\" nstaskstatus | ${GREP} -i nstaskstatus | cut -d\":\" -f2 > ${TMPDIR}/wait_task_${i}"
2789	    TASK_STATUS=`head -1 ${TMPDIR}/wait_task_${i}`
2790	    ${ECHO} "      ${i} (eq,pres)  $TASK_STATUS                  \r\c"
2791	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
2792	    if [ $? -eq 0 ]; then
2793		break
2794	    fi
2795	    sleep 2
2796	done
2797
2798	# Print newline because of \c.
2799	${ECHO} " "
2800    done
2801}
2802
2803
2804#
2805# add_sub_indexes(): Add indexes to improve search performance.
2806#
2807add_sub_indexes()
2808{
2809    [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"
2810
2811    # Set eq indexes to add.
2812    _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"
2813
2814    # Set _EXT to use as shortcut.
2815    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
2816
2817
2818    # Display message to id current step.
2819    ${ECHO} "  ${STEP}. Processing eq,pres,sub indexes:"
2820    STEP=`expr $STEP + 1`
2821
2822    # For loop to create indexes.
2823    for i in ${_INDEXES}; do
2824	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
2825
2826	# Check if entry exists first, if so, skip to next.
2827	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_EXT}" -s base "objectclass=*" > /dev/null 2>&1
2828	if [ $? -eq 0 ]; then
2829	    # Display index skipped.
2830	    ${ECHO} "      ${i} (eq,pres,sub) skipped already exists"
2831	    continue
2832	fi
2833
2834	# Here doc to create LDIF.
2835	( cat <<EOF
2836dn: cn=${i},${_EXT}
2837objectClass: top
2838objectClass: nsIndex
2839cn: ${i}
2840nsSystemIndex: false
2841nsIndexType: pres
2842nsIndexType: eq
2843nsIndexType: sub
2844EOF
2845) > ${TMPDIR}/index_${i}
2846
2847	# Add the index.
2848	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
2849	if [ $? -ne 0 ]; then
2850	    ${ECHO} "  ERROR: Adding EQ,PRES,SUB index for ${i} failed!"
2851	    cleanup
2852	    exit 1
2853	fi
2854
2855	# Build date for task name.
2856	_YR=`date '+%y'`
2857	_MN=`date '+%m'`
2858	_DY=`date '+%d'`
2859	_H=`date '+%H'`
2860	_M=`date '+%M'`
2861	_S=`date '+%S'`
2862
2863	# Build task name
2864	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
2865
2866	# Build the task entry to add.
2867	( cat <<EOF
2868dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
2869changetype: add
2870objectclass: top
2871objectclass: extensibleObject
2872cn: ${TASKNAME}
2873nsInstance: ${IDS_DATABASE}
2874nsIndexAttribute: ${i}
2875EOF
2876) > ${TMPDIR}/task_${i}
2877
2878	# Add the task.
2879	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
2880	if [ $? -ne 0 ]; then
2881	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
2882	    cleanup
2883	    exit 1
2884	fi
2885
2886	# Wait for task to finish, display current status.
2887	while :
2888	do
2889	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index, cn=tasks, cn=config\" -s sub \"objectclass=*\" > ${TMPDIR}/istask_${i} 2>&1"
2890	    ${GREP} ${TASKNAME} ${TMPDIR}/istask_${i} > /dev/null 2>&1
2891	    if [ $? -ne 0 ]; then
2892		break
2893	    fi
2894	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index,cn=tasks,cn=config\" -s one \"objectclass=*\" nstaskstatus | ${GREP} -i nstaskstatus | cut -d\":\" -f2 > ${TMPDIR}/wait_task_${i}"
2895	    TASK_STATUS=`head -1 ${TMPDIR}/wait_task_${i}`
2896	    ${ECHO} "      ${i} (eq,pres,sub)  $TASK_STATUS                  \r\c"
2897	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
2898	    if [ $? -eq 0 ]; then
2899		break
2900	    fi
2901	    sleep 2
2902	done
2903
2904	# Print newline because of \c.
2905	${ECHO} " "
2906    done
2907}
2908
2909
2910#
2911# add_vlv_indexes(): Add VLV indexes to improve search performance.
2912#
2913add_vlv_indexes()
2914{
2915    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()"
2916
2917    # Set eq indexes to add.
2918    # Note semi colon separators because some filters contain colons
2919    _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup"
2920    _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost"
2921    _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork"
2922    _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount"
2923    _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc"
2924    _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount"
2925
2926    # Indexes added during NIS to LDAP transition
2927    _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount"
2928    _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr"
2929    _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser"
2930    _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr"
2931    _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)"
2932    _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)"
2933    _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup"
2934    _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)"
2935    _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)"
2936    _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup"
2937    _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)"
2938    _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)"
2939    _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService"
2940    _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)"
2941    _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)"
2942
2943    _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 "
2944
2945
2946    # Set _EXT to use as shortcut.
2947    _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
2948
2949
2950    # Display message to id current step.
2951    ${ECHO} "  ${STEP}. Processing VLV indexes:"
2952    STEP=`expr $STEP + 1`
2953
2954    # Reset temp file for vlvindex commands.
2955    [ -f ${TMPDIR}/vlvindex_list ] &&  rm ${TMPDIR}/vlvindex_list
2956    touch ${TMPDIR}/vlvindex_list
2957
2958    # Get the instance name from iDS server.
2959    _INSTANCE="<server-instance>"    # Default to old output.
2960
2961    eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1"
2962
2963    ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right?
2964    if [ $? -eq 0 ]; then # If success, grab name after "slapd-".
2965	_INST_DIR=`cat ${TMPDIR}/instance_name`
2966	_INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-`
2967    fi
2968
2969    # For loop to create indexes.
2970    for p in ${_INDEXES}; do
2971	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
2972
2973	# Break p (pair) into i and j parts.
2974        i=`${ECHO} $p | cut -d';' -f1`
2975        j=`${ECHO} $p | cut -d';' -f2`
2976        k=`${ECHO} $p | cut -d';' -f3`
2977        m=`${ECHO} $p | cut -d';' -f4`
2978
2979	# Set _jEXT to use as shortcut.
2980	_jEXT="cn=${j},${_EXT}"
2981
2982	# Check if entry exists first, if so, skip to next.
2983	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1
2984	if [ $? -eq 0 ]; then
2985	    # Display index skipped.
2986	    ${ECHO} "      ${i} vlv_index skipped already exists"
2987	    continue
2988	fi
2989
2990	# Compute the VLV Scope from the LDAP_SEARCH_SCOPE.
2991	# NOTE: A value of "base (0)" does not make sense.
2992        case "$LDAP_SEARCH_SCOPE" in
2993            sub) VLV_SCOPE="2" ;;
2994            *)   VLV_SCOPE="1" ;;
2995        esac
2996
2997	# Here doc to create LDIF.
2998	( cat <<EOF
2999dn: ${_jEXT}
3000objectClass: top
3001objectClass: vlvSearch
3002cn: ${j}
3003vlvbase: ${k},${LDAP_BASEDN}
3004vlvscope: ${VLV_SCOPE}
3005vlvfilter: (${m})
3006aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
3007
3008dn: cn=${i},${_jEXT}
3009cn: ${i}
3010vlvSort: cn uid
3011objectclass: top
3012objectclass: vlvIndex
3013EOF
3014) > ${TMPDIR}/vlv_index_${i}
3015
3016	# Add the index.
3017	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
3018	if [ $? -ne 0 ]; then
3019	    ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
3020	    cleanup
3021	    exit 1
3022	fi
3023
3024	# Print message that index was created.
3025	${ECHO} "      ${i} vlv_index   Entry created"
3026
3027	# Add command to list of vlvindex commands to run.
3028	${ECHO} "  directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/vlvindex_list
3029    done
3030}
3031
3032
3033#
3034# display_vlv_cmds(): Display VLV index commands to run on server.
3035#
3036display_vlv_cmds()
3037{
3038    if [ -s "${TMPDIR}/vlvindex_list" ]; then
3039	display_msg display_vlv_list
3040	cat ${TMPDIR}/vlvindex_list
3041    fi
3042}
3043
3044
3045#
3046# update_schema_attr(): Update Schema to support Naming.
3047#
3048update_schema_attr()
3049{
3050    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()"
3051
3052    ( cat <<EOF
3053dn: cn=schema
3054changetype: modify
3055add: attributetypes
3056attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3057attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3058attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3059attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3060attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3061attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3062attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3063attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3064attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3065attributetypes: ( rfc822mailMember-oid NAME 'rfc822mailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3066attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3067attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3068attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
3069attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3070attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
3071attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3072attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3073attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3074attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3075attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3076attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3077attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3078attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3079attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3080attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3081attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3082attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3083attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3084attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3085attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3086attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3087attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3088attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3089attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3090attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3091attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3092attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3093attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3094attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3095attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3096attributetypes: ( memberGid-oid NAME 'memberGid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3097attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3098attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
3099attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3100attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3101attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3102attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3103attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3104attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3105attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3106attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3107attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3108attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3109attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3110attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
3111attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
3112attributetypes:( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer.  This URI SHOULD be used as a relative distinguished name (RDN).  If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
3113attributetypes:( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer.  Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
3114attributetypes:( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3115attributetypes:( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer.  Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer.  Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3116attributetypes:( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
3117attributetypes:( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer.  This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
3118attributetypes:( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer.  For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser.  The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
3119attributetypes:( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device.  The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3120attributetypes:( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3121attributetypes:( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
3122attributetypes:( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer.  Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag.  For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized.  This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE )
3123attributetypes:( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
3124attributetypes:( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry.  For example: "en-us" (US English) or "fr-fr" (French in France).  Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
3125attributetypes:( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer.  Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3126attributetypes:( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  SINGLE-VALUE )
3127attributetypes:( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer.  For example: "deflate, gzip".  Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3128attributetypes:( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3129attributetypes:( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3130attributetypes:( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3131attributetypes:( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4.  Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
3132attributetypes:( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer.  Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3133attributetypes:( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer.  For example: "iso-a4",  "envelope", or "na-letter-white".  Legal values  conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3134attributetypes:( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured".  For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3135attributetypes:( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer.  Each resolution value is a string with 3 fields:  1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit.  Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter).  Each resolution field is delimited by ">".  For example:  "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3136attributetypes:( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer.  For example: "draft, normal".  Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3137attributetypes:( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported.  An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity".  Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3138attributetypes:( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3139attributetypes:( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3140attributetypes:( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer.  It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
3141attributetypes:( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer.  It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3142attributetypes:( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer.  Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3143attributetypes:( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3144attributetypes:( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3145attributetypes:( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3146attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3147attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3148attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
3149EOF
3150) > ${TMPDIR}/schema_attr
3151
3152    # Add the entry.
3153    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}"
3154    if [ $? -ne 0 ]; then
3155	${ECHO} "  ERROR: update of schema attributes failed!"
3156	cleanup
3157	exit 1
3158    fi
3159
3160    # Display message that schema is updated.
3161    ${ECHO} "  ${STEP}. Schema attributes have been updated."
3162    STEP=`expr $STEP + 1`
3163}
3164
3165
3166#
3167# update_schema_obj(): Update the schema objectclass definitions.
3168#
3169update_schema_obj()
3170{
3171    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()"
3172
3173    # Add the objectclass definitions.
3174    ( cat <<EOF
3175dn: cn=schema
3176changetype: modify
3177add: objectclasses
3178objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP 'top' MUST (objectclass $ cn $ nisPublickey $ nisSecretkey) MAY (uidNumber $ description))
3179
3180dn: cn=schema
3181changetype: modify
3182add: objectclasses
3183objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP 'top' MUST (objectclass $ nisDomain) MAY ())
3184
3185dn: cn=schema
3186changetype: modify
3187add: objectclasses
3188objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP 'top' MUST (objectclass $ automountMapName) MAY (description))
3189
3190dn: cn=schema
3191changetype: modify
3192add: objectclasses
3193objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP 'top' MUST (objectclass $ automountKey $ automountInformation ) MAY (description))
3194
3195dn: cn=schema
3196changetype: modify
3197add: objectclasses
3198objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP 'top' MUST (objectclass $ cn $ SolarisLDAPservers $ SolarisSearchBaseDN) MAY (SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral))
3199
3200dn: cn=schema
3201changetype: modify
3202add: objectclasses
3203objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP 'top' MUST (objectclass $ mail) MAY (cn $ mgrpRFC822MailMember))
3204
3205dn: cn=schema
3206changetype: modify
3207add: objectclasses
3208objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP 'top' MUST (objectclass $ cn) MAY (rfc822mailMember))
3209
3210dn: cn=schema
3211changetype: modify
3212add: objectclasses
3213objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP 'top' MUST (objectclass $ cn) MAY (nisNetIdUser $ nisNetIdGroup $ nisNetIdHost))
3214
3215dn: cn=schema
3216changetype: modify
3217add: objectclasses
3218objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisAuditAlways $ SolarisAuditNever))
3219
3220dn: cn=schema
3221changetype: modify
3222add: objectclasses
3223objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue))
3224
3225dn: cn=schema
3226changetype: modify
3227add: objectclasses
3228objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue))
3229
3230dn: cn=schema
3231changetype: modify
3232add: objectclasses
3233objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue))
3234
3235dn: cn=schema
3236changetype: modify
3237add: objectclasses
3238objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue))
3239
3240dn: cn=schema
3241changetype: modify
3242add: objectclasses
3243objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP 'top' MUST (objectclass $ SolarisProjectID $ SolarisProjectName) MAY (memberUid $ memberGid $ description $ SolarisProjectAttr))
3244
3245dn: cn=schema
3246changetype: modify
3247add: objectclasses
3248objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP 'top' DESC 'Abstraction of a base configuration for a DUA' MUST (cn) MAY (defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL))
3249
3250dn: cn=schema
3251changetype: modify
3252add: objectclasses
3253objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP 'top' MUST (objectclass) MAY ())
3254
3255dn: cn=schema
3256changetype: modify
3257add: objectclasses
3258objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' AUXILIARY SUP 'slpService')
3259
3260dn: cn=schema
3261changetype: modify
3262add: objectclasses
3263objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' ABSTRACT SUP 'top' MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ))
3264
3265dn: cn=schema
3266changetype: modify
3267add: objectclasses
3268objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' STRUCTURAL SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported ))
3269
3270dn: cn=schema
3271changetype: modify
3272add: objectclasses
3273objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' AUXILIARY SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported ))
3274
3275dn: cn=schema
3276changetype: modify
3277add: objectclasses
3278objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' AUXILIARY SUP 'top' MAY   ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ))
3279
3280dn: cn=schema
3281changetype: modify
3282add: objectclasses
3283objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' AUXILIARY SUP 'top' MUST ( printer-name ) MAY ( printer-aliases))
3284
3285dn: cn=schema
3286changetype: modify
3287add: objectclasses
3288objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP 'top' AUXILIARY MUST (objectclass $ printer-name)  MAY (sun-printer-bsdaddr $ sun-printer-kvp))
3289
3290dn: cn=schema
3291changetype: modify
3292add: objectclasses
3293objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST ( cn ) MAY ( nisplusTimeZone $ description ) )
3294EOF
3295) > ${TMPDIR}/schema_obj
3296
3297    # Add the entry.
3298    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}"
3299    if [ $? -ne 0 ]; then
3300	${ECHO} "  ERROR: update of schema objectclass definitions failed!"
3301	cleanup
3302	exit 1
3303    fi
3304
3305    # Display message that schema is updated.
3306    ${ECHO} "  ${STEP}. Schema objectclass definitions have been added."
3307    STEP=`expr $STEP + 1`
3308}
3309
3310
3311#
3312# modify_top_aci(): Modify the ACI for the top entry to disable self modify
3313#                   of user attributes.
3314#
3315modify_top_aci()
3316{
3317    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()"
3318
3319    # Set ACI Name
3320    ACI_NAME="LDAP_Naming_Services_deny_write_access"
3321
3322    # Search for ACI_NAME
3323    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1"
3324    if [ $? -ne 0 ]; then
3325	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
3326	cat ${TMPDIR}/chk_top_aci
3327	cleanup
3328	exit 1
3329    fi
3330    ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1
3331    if [ $? -eq 0 ]; then
3332	${ECHO} "  ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}."
3333	STEP=`expr $STEP + 1`
3334	return 0
3335    fi
3336
3337    # Crate LDIF for top level ACI.
3338    ( cat <<EOF
3339dn: ${LDAP_BASEDN}
3340changetype: modify
3341add: aci
3342aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";)
3343-
3344EOF
3345) > ${TMPDIR}/top_aci
3346
3347    # Add the entry.
3348    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}"
3349    if [ $? -ne 0 ]; then
3350	${ECHO} "  ERROR: Modify of top level ACI failed! (restricts self modify)"
3351	cleanup
3352	exit 1
3353    fi
3354
3355    # Display message that schema is updated.
3356    ${ECHO} "  ${STEP}. ACI for ${LDAP_BASEDN} modified to disable self modify."
3357    STEP=`expr $STEP + 1`
3358}
3359
3360
3361#
3362# add_vlv_aci(): Add access control information (aci) for VLV.
3363#
3364add_vlv_aci()
3365{
3366    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"
3367
3368    # Add the VLV ACI.
3369    ( cat <<EOF
3370dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
3371changetype: modify
3372replace: aci
3373aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
3374EOF
3375) > ${TMPDIR}/vlv_aci
3376
3377    # Add the entry.
3378    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
3379    if [ $? -ne 0 ]; then
3380	${ECHO} "  ERROR: Add of VLV ACI failed!"
3381	cleanup
3382	exit 1
3383    fi
3384
3385    # Display message that schema is updated.
3386    ${ECHO} "  ${STEP}. Add of VLV Access Control Information (ACI)."
3387    STEP=`expr $STEP + 1`
3388}
3389
3390
3391#
3392# set_nisdomain(): Add the NisDomainObject to the Base DN.
3393#
3394set_nisdomain()
3395{
3396    [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()"
3397
3398    # Check if nisDomain is already set.
3399    ${LDAPSEARCH} ${SERVER_ARGS} -b "${LDAP_BASEDN}" -s base "objectclass=*" > ${TMPDIR}/chk_nisdomain 2>&1
3400    eval "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}"
3401    if [ $? -eq 0 ]; then
3402	${ECHO} "  ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set."
3403	STEP=`expr $STEP + 1`
3404	return 0
3405    fi
3406
3407    # Add the new top level containers.
3408    ( cat <<EOF
3409dn: ${LDAP_BASEDN}
3410changetype: modify
3411objectclass: nisDomainObject
3412nisdomain: ${LDAP_DOMAIN}
3413EOF
3414) > ${TMPDIR}/nis_domain
3415
3416    # Add the entry.
3417    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}"
3418    if [ $? -ne 0 ]; then
3419	${ECHO} "  ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed."
3420	cleanup
3421	exit 1
3422    fi
3423
3424    # Display message that schema is updated.
3425    ${ECHO} "  ${STEP}. NisDomainObject added to ${LDAP_BASEDN}."
3426    STEP=`expr $STEP + 1`
3427}
3428
3429
3430#
3431# check_attrName(): Check that the attribute name is valid.
3432#              $1   Key to check.
3433#         Returns   0 : valid name	1 : invalid name
3434#
3435check_attrName()
3436{
3437    [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()"
3438    [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1"
3439
3440    ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1
3441    if [ $? -eq 0 ]; then
3442	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
3443			attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}"
3444    else
3445	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
3446			attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}"
3447    fi
3448
3449    if [ $? -ne 0 ]; then
3450	return 1
3451    else
3452	return 0
3453    fi
3454}
3455
3456
3457#
3458# get_objectclass():   Determine the objectclass for the given attribute name
3459#              $1   Attribute name to check.
3460#      _ATTR_NAME   Return value, Object Name or NULL if unknown to idsconfig.
3461#
3462#      NOTE: An attribute name can be valid but still we might not be able
3463#            to determine the objectclass from the table.
3464#            In such cases, the user needs to create the necessary object(s).
3465#
3466get_objectclass()
3467{
3468    [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()"
3469    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1"
3470
3471    # Set return value to NULL string.
3472    _ATTR_NAME=""
3473
3474    # Test key for type:
3475    case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in
3476	ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;;
3477	dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;;
3478	 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;;
3479	 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;;
3480	 *)  _ATTR_NAME="" ;;
3481    esac
3482
3483    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME"
3484}
3485
3486
3487#
3488# add_base_objects(): Add any necessary base objects.
3489#
3490add_base_objects()
3491{
3492    [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()"
3493
3494    # Convert to lower case for basename.
3495    format_string "${LDAP_BASEDN}"
3496    LOWER_BASEDN="${FMT_STR}"
3497    format_string "${LDAP_SUFFIX}"
3498    LOWER_SUFFIX="${FMT_STR}"
3499
3500    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
3501    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
3502
3503    # Create additional components.
3504    if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then
3505	[ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent"
3506    else
3507	# first, test that the suffix is valid
3508	dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
3509	if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then
3510	    # should not happen since check_basedn_suffix() succeeded
3511	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
3512	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
3513	    cleanup
3514	    exit 1
3515	fi
3516	# OK, suffix is valid, start working with LDAP_BASEDN
3517	# field separator is ',' (i.e., space is a valid character)
3518	dcstmp2="`${ECHO} ${LDAP_BASEDN} |
3519		sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`"
3520	dcs=""
3521	# use dcstmp to count the loop, and dcstmp2 to get the correct
3522	# string case
3523	# dcs should be in reverse order, only for these components
3524	# that need to be added
3525	while [ -n "${dcstmp}" ]
3526	do
3527	    i2=`${ECHO} "$dcstmp2" | cut -f1 -d','`
3528	    dk=`${ECHO} $i2 | awk -F= '{print $1}'`
3529	    dc=`${ECHO} $i2 | awk -F= '{print $2}'`
3530	    dcs="$dk=$dc,$dcs";
3531	    dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','`
3532	    dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','`
3533	    [ $DEBUG -eq 1 ] && \
3534		${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n"
3535	done
3536
3537
3538
3539	lastdc=${LDAP_SUFFIX}
3540	dc=`${ECHO} "${dcs}" | cut -f1 -d','`
3541	dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','`
3542	while [ -n "${dc}" ]; do
3543	    # Get Key and component from $dc.
3544	    dk2=`${ECHO} $dc | awk -F= '{print $1}'`
3545	    dc2=`${ECHO} $dc | awk -F= '{print $2}'`
3546
3547	    # At this point, ${dk2} is a valid attribute name
3548
3549	    # Check if entry exists first, if so, skip to next.
3550	    ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1
3551	    if [ $? -eq 0 ]; then
3552	        # Set the $lastdc to new dc.
3553	        lastdc="${dk2}=${dc2},$lastdc"
3554
3555		# Process next component.
3556		dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
3557		dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
3558		continue
3559
3560	    fi
3561
3562	    # Determine the objectclass for the entry.
3563            get_objectclass $dk2
3564	    OBJ_Name=${_ATTR_NAME}
3565	    if [ "${OBJ_Name}" = "" ]; then
3566	        ${ECHO} "Cannot determine objectclass for $dk2"
3567	        ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig"
3568	        exit 1
3569	    fi
3570
3571	    # Add the new container.
3572	    ( cat <<EOF
3573dn: ${dk2}=${dc2},$lastdc
3574${dk2}: $dc2
3575objectClass: top
3576objectClass: ${OBJ_Name}
3577EOF
3578) > ${TMPDIR}/base_objects
3579
3580
3581	    # Set the $lastdc to new dc.
3582	    lastdc="${dk2}=${dc2},$lastdc"
3583
3584	    # Add the entry.
3585	    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}"
3586	    if [ $? -ne 0 ]; then
3587		${ECHO} "  ERROR: update of base objects ${dc} failed."
3588		cleanup
3589		exit 1
3590	    fi
3591
3592	    # Display message that schema is updated.
3593	    ${ECHO} "  ${STEP}. Created DN component ${dc}."
3594	    STEP=`expr $STEP + 1`
3595
3596	    # Process next component.
3597	    dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
3598	    dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
3599	done
3600    fi
3601}
3602
3603
3604#
3605# add_new_containers(): Add the top level classes.
3606#
3607#    $1 = Base DN
3608#
3609add_new_containers()
3610{
3611    [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()"
3612
3613    for ou in people group rpc protocols networks netgroup \
3614	aliases hosts services ethers profile printers \
3615	SolarisAuthAttr SolarisProfAttr Timezone ; do
3616
3617	# Check if nismaps already exist.
3618	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
3619	if [ $? -eq 0 ]; then
3620	    continue
3621	fi
3622
3623	# Create TMP file to add.
3624	( cat <<EOF
3625dn: ou=${ou},${LDAP_BASEDN}
3626ou: ${ou}
3627objectClass: top
3628objectClass: organizationalUnit
3629EOF
3630) > ${TMPDIR}/toplevel.${ou}
3631
3632	# Add the entry.
3633	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}"
3634	if [ $? -ne 0 ]; then
3635	    ${ECHO} "  ERROR: Add of ou=${ou} container failed!"
3636	    cleanup
3637	    exit 1
3638	fi
3639    done
3640
3641    # Display message that top level OU containers complete.
3642    ${ECHO} "  ${STEP}. Top level \"ou\" containers complete."
3643    STEP=`expr $STEP + 1`
3644}
3645
3646
3647#
3648# add_auto_maps(): Add the automount map entries.
3649#
3650# auto_home, auto_direct, auto_master, auto_shared
3651#
3652add_auto_maps()
3653{
3654    [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()"
3655
3656    # Set AUTO_MAPS for maps to create.
3657    AUTO_MAPS="auto_home auto_direct auto_master auto_shared"
3658
3659    for automap in $AUTO_MAPS; do
3660	# Check if automaps already exist.
3661	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
3662	if [ $? -eq 0 ]; then
3663	    continue
3664	fi
3665
3666	# Create the tmp file to add.
3667	( cat <<EOF
3668dn: automountMapName=${automap},${LDAP_BASEDN}
3669automountMapName: ${automap}
3670objectClass: top
3671objectClass: automountMap
3672EOF
3673) > ${TMPDIR}/automap.${automap}
3674
3675	# Add the entry.
3676	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}"
3677	if [ $? -ne 0 ]; then
3678	    ${ECHO} "  ERROR: Add of automap ${automap} failed!"
3679	    cleanup
3680	    exit 1
3681	fi
3682    done
3683
3684    # Display message that automount entries are updated.
3685    ${ECHO} "  ${STEP}. automount maps: $AUTO_MAPS processed."
3686    STEP=`expr $STEP + 1`
3687}
3688
3689
3690#
3691# add_proxyagent(): Add entry for nameservice to use to access server.
3692#
3693add_proxyagent()
3694{
3695    [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()"
3696
3697    # Check if nismaps already exist.
3698    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}"
3699    if [ $? -eq 0 ]; then
3700	${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists."
3701	STEP=`expr $STEP + 1`
3702	return 0
3703    fi
3704
3705    # Get cn and sn names from LDAP_PROXYAGENT.
3706    cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=`
3707
3708    # Create the tmp file to add.
3709    ( cat <<EOF
3710dn: ${LDAP_PROXYAGENT}
3711cn: ${cn_tmp}
3712sn: ${cn_tmp}
3713objectclass: top
3714objectclass: person
3715userpassword: ${LDAP_PROXYAGENT_CRED}
3716EOF
3717) > ${TMPDIR}/proxyagent
3718
3719    # Add the entry.
3720    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}"
3721    if [ $? -ne 0 ]; then
3722	${ECHO} "  ERROR: Adding proxyagent failed!"
3723	cleanup
3724	exit 1
3725    fi
3726
3727    # Display message that schema is updated.
3728    ${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added."
3729    STEP=`expr $STEP + 1`
3730}
3731
3732
3733#
3734# allow_proxy_read_pw(): Give Proxy Agent read permission for password.
3735#
3736allow_proxy_read_pw()
3737{
3738    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()"
3739
3740    # Set ACI Name
3741    PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"
3742
3743    # Search for ACI_NAME
3744    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
3745    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1
3746    if [ $? -eq 0 ]; then
3747	${ECHO} "  ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}."
3748	STEP=`expr $STEP + 1`
3749	return 0
3750    fi
3751
3752    # Create the tmp file to add.
3753    ( cat <<EOF
3754dn: ${LDAP_BASEDN}
3755changetype: modify
3756add: aci
3757aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")(version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) userdn = "ldap:///${LDAP_PROXYAGENT}";)
3758EOF
3759) > ${TMPDIR}/proxy_read
3760
3761    # Add the entry.
3762    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}"
3763    if [ $? -ne 0 ]; then
3764	${ECHO} "  ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!"
3765	cleanup
3766	exit 1
3767    fi
3768
3769    # Display message that schema is updated.
3770    ${ECHO} "  ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password."
3771    STEP=`expr $STEP + 1`
3772}
3773
3774
3775#
3776# add_profile(): Add client profile to server.
3777#
3778add_profile()
3779{
3780    [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"
3781
3782    # If profile name already exists, DELETE it, and add new one.
3783    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
3784    if [ $? -eq 0 ]; then
3785	# Create Delete file.
3786	( cat <<EOF
3787cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
3788EOF
3789) > ${TMPDIR}/del_profile
3790
3791	# Check if DEL_OLD_PROFILE is set.  (If not ERROR)
3792	if [ $DEL_OLD_PROFILE -eq 0 ]; then
3793	    ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
3794	    exit 1
3795	fi
3796
3797	# Delete the OLD profile.
3798	${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
3799	if [ $? -ne 0 ]; then
3800	    ${ECHO} "  ERROR: Attempt to DELETE profile failed!"
3801	    cleanup
3802	    exit 1
3803	fi
3804    fi
3805
3806    # Build the "ldapclient genprofile" command string to execute.
3807    GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""
3808
3809    # Add required argument defaultSearchBase.
3810    GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""
3811
3812    # Add optional parameters.
3813    [ -n "$LDAP_SERVER_LIST" ] && \
3814	GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
3815    [ -n "$LDAP_SEARCH_SCOPE" ] && \
3816	GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
3817    [ -n "$LDAP_CRED_LEVEL" ] && \
3818	GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
3819    [ -n "$LDAP_AUTHMETHOD" ] && \
3820	GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
3821    [ -n "$LDAP_FOLLOWREF" ] && \
3822	GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
3823    [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
3824	GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
3825    [ -n "$LDAP_PROFILE_TTL" ] && \
3826	GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
3827    [ -n "$LDAP_BIND_LIMIT" ] && \
3828	GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
3829    [ -n "$LDAP_PREF_SRVLIST" ] && \
3830	GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
3831    [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
3832	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
3833    [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
3834	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
3835    [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
3836	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""
3837
3838    # Check if there are any service search descriptors to ad.
3839    if [ -s "${SSD_FILE}" ]; then
3840	ssd_2_profile
3841    fi
3842
3843    # Execute "ldapclient genprofile" to create profile.
3844    eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
3845    if [ $? -ne 0 ]; then
3846	${ECHO} "  ERROR: ldapclient genprofile failed!"
3847	cleanup
3848	exit 1
3849    fi
3850
3851    # Add the generated profile..
3852    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
3853    if [ $? -ne 0 ]; then
3854	${ECHO} "  ERROR: Attempt to add profile failed!"
3855	cleanup
3856	exit 1
3857    fi
3858
3859    # Display message that schema is updated.
3860    ${ECHO} "  ${STEP}. Generated client profile and loaded on server."
3861    STEP=`expr $STEP + 1`
3862}
3863
3864
3865#
3866# cleanup(): Remove the TMPDIR and all files in it.
3867#
3868cleanup()
3869{
3870    [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"
3871
3872    rm -fr ${TMPDIR}
3873}
3874
3875
3876#
3877# 			* * * MAIN * * *
3878#
3879# Description:
3880# This script assumes that the iPlanet Directory Server (iDS) is
3881# installed and that setup has been run.  This script takes the
3882# iDS server from that point and sets up the infrastructure for
3883# LDAP Naming Services.  After running this script, ldapaddent(1M)
3884# or some other tools can be used to populate data.
3885
3886# Initialize the variables that need to be set to NULL, or some
3887# other initial value before the rest of the functions can be called.
3888init
3889
3890# Parse command line arguments.
3891parse_arg $*
3892shift $?
3893
3894# Print extra line to separate from prompt.
3895${ECHO} " "
3896
3897# Either Load the user specified config file
3898# or prompt user for config info.
3899if [ -n "$INPUT_FILE" ]
3900then
3901    load_config_file
3902    INTERACTIVE=0      # Turns off prompts that occur later.
3903    validate_info      # Validate basic info in file.
3904    chk_ids_version    # Check iDS version for compatibility.
3905else
3906    # Display BACKUP warning to user.
3907    display_msg backup_server
3908    get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
3909    if [ $? -eq 0 ]; then    # if No, cleanup and exit.
3910	cleanup ; exit 1
3911    fi
3912
3913    # Prompt for values.
3914    prompt_config_info
3915    display_summary    # Allow user to modify results.
3916    INTERACTIVE=1      # Insures future prompting.
3917fi
3918
3919# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
3920modify_cn
3921
3922# Modify timelimit to user value.
3923[ $NEED_TIME -eq 1 ] && modify_timelimit
3924
3925# Modify sizelimit to user value.
3926[ $NEED_SIZE -eq 1 ] && modify_sizelimit
3927
3928# Modify the password storage scheme to support CRYPT.
3929if [ "$NEED_CRYPT" = "TRUE" ]; then
3930    modify_pwd_crypt
3931fi
3932
3933# Update the schema (Attributes, Objectclass Definitions)
3934update_schema_attr
3935update_schema_obj
3936
3937# Add base objects (if needed)
3938add_base_objects
3939
3940# Update the NisDomainObject.
3941#   The Base DN might of just been created, so this MUST happen after
3942#   the base objects have been added!
3943set_nisdomain
3944
3945# Add top level classes (new containers)
3946add_new_containers
3947
3948# Add common nismaps.
3949add_auto_maps
3950
3951# Modify top ACI.
3952modify_top_aci
3953
3954# Add Access Control Information for VLV.
3955add_vlv_aci
3956
3957# if Proxy needed, Add Proxy Agent and give read permission for password.
3958if [ $NEED_PROXY -eq 1 ]; then
3959    add_proxyagent
3960    allow_proxy_read_pw
3961fi
3962
3963# Generate client profile and add it to the server.
3964add_profile
3965
3966# Add Indexes to improve Search Performance.
3967add_eq_indexes
3968add_sub_indexes
3969add_vlv_indexes
3970
3971# Display setup complete message
3972display_msg setup_complete
3973
3974# Display VLV index commands to be executed on server.
3975display_vlv_cmds
3976
3977# Create config file if requested.
3978[ -n "$OUTPUT_FILE" ] && create_config_file
3979
3980# Removed the TMPDIR and all files in it.
3981cleanup
3982
3983exit 0
3984# end of MAIN.
3985