xref: /titanic_52/usr/src/cmd/ldap/ns_ldap/idsconfig.sh (revision 0a0e9771ca0211c15f3ac4466b661c145feeb9e4)
1#!/bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II.
24#
25# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
26# Use is subject to license terms.
27#
28
29#
30# display_msg(): Displays message corresponding to the tag passed in.
31#
32display_msg()
33{
34    case "$1" in
35    usage) cat <<EOF
36 $PROG: [ -v ] [ -i input file ] [ -o output file ]
37   i <input file>     Get setup info from input file.
38   o <output file>    Generate a server configuration output file.
39   v                  Verbose mode
40EOF
41    ;;
42    backup_server) cat <<EOF
43It is strongly recommended that you BACKUP the directory server
44before running $PROG.
45
46Hit Ctrl-C at any time before the final confirmation to exit.
47
48EOF
49    ;;
50    setup_complete) cat <<EOF
51
52$PROG: Setup of iDS server ${IDS_SERVER} is complete.
53
54EOF
55    ;;
56    display_vlv_list) cat <<EOF
57
58Note: idsconfig has created entries for VLV indexes. 
59
60      For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER}
61      to stop the server.  Then, using directoryserver, follow the
62      directoryserver examples below to create the actual VLV indexes.
63
64      For DS6.x, use dsadm command delivered with DS6.x on ${IDS_SERVER}
65      to stop the server.  Then, using dsadm, follow the
66      dsadm examples below to create the actual VLV indexes.
67
68EOF
69    ;;
70    cred_level_menu) cat <<EOF
71The following are the supported credential levels:
72  1  anonymous
73  2  proxy
74  3  proxy anonymous
75  4  self
76  5  self proxy
77  6  self proxy anonymous
78EOF
79    ;;
80    auth_method_menu) cat <<EOF
81The following are the supported Authentication Methods:
82  1  none
83  2  simple
84  3  sasl/DIGEST-MD5
85  4  tls:simple
86  5  tls:sasl/DIGEST-MD5
87  6  sasl/GSSAPI
88EOF
89    ;;
90    srvauth_method_menu) cat <<EOF
91The following are the supported Authentication Methods:
92  1  simple
93  2  sasl/DIGEST-MD5
94  3  tls:simple
95  4  tls:sasl/DIGEST-MD5
96  5  sasl/GSSAPI
97EOF
98    ;;
99    prompt_ssd_menu) cat <<EOF
100  A  Add a Service Search Descriptor
101  D  Delete a SSD
102  M  Modify a SSD
103  P  Display all SSD's
104  H  Help
105  X  Clear all SSD's
106
107  Q  Exit menu
108EOF
109    ;;
110    summary_menu)
111
112	SUFFIX_INFO=
113	DB_INFO=
114
115	[ -n "${NEED_CREATE_SUFFIX}" ] &&
116	{
117		SUFFIX_INFO=`cat <<EOF
118
119         Suffix to create          : $LDAP_SUFFIX
120EOF
121`
122		[ -n "${NEED_CREATE_BACKEND}" ] &&
123			DB_INFO=`cat <<EOF
124
125         Database to create        : $IDS_DATABASE
126EOF
127`
128	}
129
130	cat <<EOF
131              Summary of Configuration
132
133  1  Domain to serve               : $LDAP_DOMAIN
134  2  Base DN to setup              : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO
135  3  Profile name to create        : $LDAP_PROFILE_NAME
136  4  Default Server List           : $LDAP_SERVER_LIST
137  5  Preferred Server List         : $LDAP_PREF_SRVLIST
138  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
139  7  Credential Level              : $LDAP_CRED_LEVEL
140  8  Authentication Method         : $LDAP_AUTHMETHOD
141  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
142 10  iDS Time Limit                : $IDS_TIMELIMIT
143 11  iDS Size Limit                : $IDS_SIZELIMIT
144 12  Enable crypt password storage : $NEED_CRYPT
145 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
146 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
147 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
148 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
149 17  Profile Time to Live          : $LDAP_PROFILE_TTL
150 18  Bind Limit                    : $LDAP_BIND_LIMIT
151 19  Enable shadow update          : $LDAP_ENABLE_SHADOW_UPDATE
152 20  Service Search Descriptors Menu
153
154EOF
155    ;;
156    sfx_not_suitable) cat <<EOF
157
158Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN}
159
160EOF
161    ;;
162    obj_not_found) cat <<EOF
163
164Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute
165
166EOF
167    ;;
168    sfx_config_incons) cat <<EOF
169
170Sorry, there is no suffix mapping for ${LDAP_SUFFIX},
171while ldbm database exists, server configuration needs to be fixed manually,
172look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config
173
174EOF
175    ;;
176    ldbm_db_exist) cat <<EOF
177
178Database "${IDS_DATABASE}" already exists,
179however "${IDS_DATABASE_AVAIL}" name is available
180
181EOF
182    ;;
183    unable_find_db_name) cat <<EOF
184    
185Unable to find any available database name close to "${IDS_DATABASE}"
186
187EOF
188    ;;
189    create_ldbm_db_error) cat <<EOF
190
191ERROR: unable to create suffix ${LDAP_SUFFIX}
192       due to server error that occurred during creation of ldbm database
193
194EOF
195    ;;
196    create_suffix_entry_error) cat <<EOF
197
198ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class
199
200EOF
201    ;;
202    ldap_suffix_list) cat <<EOF
203
204No valid suffixes (naming contexts) were found for LDAP base DN:
205${LDAP_BASEDN}
206
207Available suffixes are:
208${LDAP_SUFFIX_LIST}
209
210EOF
211    ;;
212    sorry) cat <<EOF
213
214HELP - No help is available for this topic.
215
216EOF
217    ;;
218    create_suffix_help) cat <<EOF
219
220HELP - Our Base DN is ${LDAP_BASEDN}
221       and we need to create a Directory Suffix,
222       which can be equal to Base DN itself or be any of Base DN parents.
223       All intermediate entries up to suffix will be created on demand.
224
225EOF
226    ;;
227    enter_ldbm_db_help) cat <<EOF
228
229HELP - ldbm database is an internal database for storage of our suffix data.
230       Database name must be alphanumeric due to Directory Server restriction.
231
232EOF
233    ;;
234    backup_help) cat <<EOF
235
236HELP - Since idsconfig modifies the directory server configuration,
237       it is strongly recommended that you backup the server prior
238       to running this utility.  This is especially true if the server
239       being configured is a production server.
240
241EOF
242    ;;
243    port_help) cat <<EOF
244
245HELP - Enter the port number the directory server is configured to
246       use for LDAP.
247
248EOF
249    ;;
250    domain_help) cat <<EOF
251
252HELP - This is the DNS domain name this server will be serving.  You
253       must provide this name even if the server is not going to be populated
254       with hostnames.  Any unqualified hostname stored in the directory
255       will be fully qualified using this DNS domain name.
256
257EOF
258    ;;
259    basedn_help) cat <<EOF
260
261HELP - This parameter defines the default location in the directory tree for
262       the naming services entries.  You can override this default by using 
263       serviceSearchDescriptors (SSD). You will be given the option to set up 
264       an SSD later on in the setup.
265
266EOF
267    ;;
268    profile_help) cat <<EOF
269
270HELP - Name of the configuration profile with which the clients will be
271       configured. A directory server can store various profiles for multiple 
272       groups of clients.  The initialization tool, (ldapclient(1M)), assumes 
273       "default" unless another is specified.
274
275EOF
276    ;;
277    def_srvlist_help) cat <<EOF
278
279HELP - Provide a list of directory servers to serve clients using this profile.
280       All these servers should contain consistent data and provide similar 
281       functionality.  This list is not ordered, and clients might change the 
282       order given in this list. Note that this is a space separated list of 
283       *IP addresses* (not host names).  Providing port numbers is optional.
284
285EOF
286    ;;
287    pref_srvlist_help) cat <<EOF
288
289HELP - Provide a list of directory servers to serve this client profile. 
290       Unlike the default server list, which is not ordered, the preferred 
291       servers must be entered IN THE ORDER you wish to have them contacted. 
292       If you do specify a preferred server list, clients will always contact 
293       them before attempting to contact any of the servers on the default 
294       server list. Note that you must enter the preferred server list as a 
295       space-separated list of *IP addresses* (not host names).  Providing port 
296       numbers is optional.
297
298EOF
299    ;;
300    srch_scope_help) cat <<EOF
301
302HELP - Default search scope to be used for all searches unless they are
303       overwritten using serviceSearchDescriptors.  The valid options
304       are "one", which would specify the search will only be performed 
305       at the base DN for the given service, or "sub", which would specify 
306       the search will be performed through *all* levels below the base DN 
307       for the given service.
308
309EOF
310    ;;
311    cred_lvl_help) cat <<EOF
312
313HELP - This parameter defines what credentials the clients use to
314       authenticate to the directory server.  This list might contain
315       multiple credential levels and is ordered.  If a proxy level
316       is configured, you will also be prompted to enter a bind DN
317       for the proxy agent along with a password.  This proxy agent
318       will be created if it does not exist.
319
320EOF
321    ;;
322    auth_help) cat <<EOF
323
324HELP - The default authentication method(s) to be used by all services
325       in the client using this profile.  This is a ordered list of
326       authentication methods separated by a ';'.  The supported methods
327       are provided in a menu.  Note that sasl/DIGEST-MD5 binds require
328       passwords to be stored un-encrypted on the server.
329
330EOF
331    ;;
332    srvauth_help) cat <<EOF
333
334HELP - The authentication methods to be used by a given service.  Currently
335       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
336       The authentication method specified in this attribute overrides
337       the default authentication method defined in the profile.  This
338       feature can be used to select stronger authentication methods for
339       services which require increased security.
340
341EOF
342    ;;
343    pam_ldap_help) cat <<EOF
344
345HELP - The authentication method(s) to be used by pam_ldap when contacting
346       the directory server.  This is a ordered list, and, if provided, will
347       override the default authentication method parameter.
348
349EOF
350    ;;
351    keyserv_help) cat <<EOF
352
353HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
354       when contacting the directory server.  This is a ordered list and
355       if provided will override the default authentication method
356       parameter.
357
358EOF
359    ;;
360    passwd-cmd_help) cat <<EOF
361
362HELP - The authentication method(s) to be used by passwd(1) command when
363       contacting the directory server.  This is a ordered list and if
364       provided will override the default authentication method parameter.
365
366EOF
367    ;;
368    referrals_help) cat <<EOF
369
370HELP - This parameter indicates whether the client should follow
371       ldap referrals if it encounters one during naming lookups.
372
373EOF
374    ;;
375    tlim_help) cat <<EOF
376
377HELP - The server time limit value indicates the maximum amount of time the
378       server would spend on a query from the client before abandoning it.
379       A value of '-1' indicates no limit.
380
381EOF
382    ;;
383    slim_help) cat <<EOF
384
385HELP - The server sizelimit value indicates the maximum number of entries
386       the server would return in respond to a query from the client.  A
387       value of '-1' indicates no limit.
388
389EOF
390    ;;
391    crypt_help) cat <<EOF
392
393HELP - By default iDS does not store userPassword attribute values using
394       unix "crypt" format.  If you need to keep your passwords in the crypt
395       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'.  If
396       passwords are stored using any other format than crypt, pam_ldap
397       MUST be used by clients to authenticate users to the system. Note 
398       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
399       user passwords must be stored in the clear format.
400
401EOF
402    ;;
403    srchtime_help) cat <<EOF
404
405HELP - The search time limit the client will enforce for directory
406       lookups.
407
408EOF
409    ;;
410    profttl_help) cat <<EOF
411
412HELP - The time to live value for profile.  The client will refresh its
413       cached version of the configuration profile at this TTL interval.
414
415EOF
416    ;;
417    bindlim_help) cat <<EOF
418
419HELP - The time limit for the bind operation to the directory.  This
420       value controls the responsiveness of the client in case a server
421       becomes unavailable.  The smallest timeout value for a given
422       network architecture/conditions would work best.  This is very
423       similar to setting TCP timeout, but only for LDAP bind operation.
424
425EOF
426    ;;
427    ssd_help) cat <<EOF
428
429HELP - Using Service Search Descriptors (SSD), you can override the
430       default configuration for a given service.  The SSD can be
431       used to override the default search base DN, the default search
432       scope, and the default search filter to be used for directory
433       lookups.  SSD are supported for all services (databases)
434       defined in nsswitch.conf(4).  The default base DN is defined
435       in ldap(1).
436
437       Note: SSD are powerful tools in defining configuration profiles
438             and provide a great deal of flexibility.  However, care
439             must be taken in creating them.  If you decide to make use
440             of SSDs, consult the documentation first.
441
442EOF
443    ;;
444    ssd_menu_help) cat <<EOF
445
446HELP - Using this menu SSD can be added, updated, or deleted from
447       the profile.
448
449       A - This option creates a new SSD by prompting for the
450           service name, base DN, and scope.  Service name is
451           any valid service as defined in ldap(1).  base is
452           either the distinguished name to the container where
453           this service will use, or a relative DN followed
454           by a ','.
455       D - Delete a previously created SSD.
456       M - Modify a previously created SSD.
457       P - Display a list of all the previously created SSD.
458       X - Delete all of the previously created SSD.
459
460       Q - Exit the menu and continue with the server configuration.
461
462EOF
463    ;;
464    ldap_suffix_list_help) cat <<EOF
465
466HELP - No valid suffixes (naming contexts) are available on server 
467       ${IDS_SERVER}:${IDS_PORT}.
468       You must set an LDAP Base DN that can be contained in 
469       an existing suffix.
470
471EOF
472    ;;
473    enable_shadow_update_help) cat <<EOF
474
475HELP - Enter 'y' to set up the LDAP server for shadow update.
476       The setup will add an administrator identity/credential
477       and modify the necessary access controls for the client
478       to update shadow(4) data on the LDAP server. If sasl/GSSAPI
479       is in use, the Kerberos host principal will be used as the
480       administrator identity.
481
482       Shadow data is used for password aging and account locking.
483       Please refer to the shadow(4) manual page for details.
484
485EOF
486    ;;
487    add_admin_cred_help) cat <<EOF
488
489HELP - Start the setup to add an administrator identity/credential
490       and to modify access controls for the client to update
491       shadow(4) data on the LDAP server.
492
493       Shadow data is used for password aging and account locking.
494       Please refer to the shadow(4) manual page for details.
495
496EOF
497    ;;
498    use_host_principal_help) cat <<EOF
499
500HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self'
501       credential level is detected, enter 'y' to modify the necessary
502       access controls for allowing the client to update shadow(4) data
503       on the LDAP server.
504
505       Shadow data is used for password aging and account locking.
506       Please refer to the shadow(4) manual page for details.
507
508EOF
509    ;;
510    esac
511}
512
513
514#
515# get_ans(): gets an answer from the user.
516#		$1  instruction/comment/description/question
517#		$2  default value
518#
519get_ans()
520{
521    if [ -z "$2" ]
522    then
523	${ECHO} "$1 \c"
524    else
525	${ECHO} "$1 [$2] \c"
526    fi
527
528    read ANS
529    if [ -z "$ANS" ]
530    then
531	ANS=$2
532    fi
533}
534
535
536#
537# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
538#		$@  instruction/comment/description/question
539#
540get_ans_req()
541{
542    ANS=""                  # Set ANS to NULL.
543    while [ "$ANS" = "" ]
544    do
545	get_ans "$@"
546	[ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!"
547    done
548}
549
550
551#
552# get_number(): Querys and verifies that number entered is numeric.
553#               Function will repeat prompt user for number value.
554#               $1  Message text.
555#		$2  default value.
556#               $3  Help argument.
557#
558get_number()
559{
560    ANS=""                  # Set ANS to NULL.
561    NUM=""
562
563    get_ans "$1" "$2"
564
565    # Verify that value is numeric.
566    while not_numeric $ANS
567    do
568	case "$ANS" in
569	    [Hh] | help | Help | \?) display_msg ${3:-sorry} ;;
570	    * ) ${ECHO} "Invalid value: \"${ANS}\". \c"
571	     ;;
572	esac
573	# Get a new value.
574	get_ans "Enter a numeric value:" "$2"
575    done
576    NUM=$ANS
577}
578
579
580#
581# get_negone_num(): Only allows a -1 or positive integer.
582#                   Used for values where -1 has special meaning.
583#
584#                   $1 - Prompt message.
585#                   $2 - Default value (require).
586#                   $3 - Optional help argument.
587get_negone_num()
588{
589    while :
590    do
591	get_number "$1" "$2" "$3"
592	if is_negative $ANS
593	then
594	    if [ "$ANS" = "-1" ]; then
595		break  # -1 is OK, so break.
596	    else       # Need to re-enter number.
597		${ECHO} "Invalid number: please enter -1 or positive number."
598	    fi
599	else
600	    break      # Positive number
601	fi
602    done
603}
604
605
606#
607# get_passwd(): Reads a password from the user and verify with second.
608#		$@  instruction/comment/description/question
609#
610get_passwd()
611{
612    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"
613
614    # Temporary PASSWD variables
615    _PASS1=""
616    _PASS2=""
617
618    /usr/bin/stty -echo     # Turn echo OFF
619
620    # Endless loop that continues until passwd and re-entered passwd
621    # match.
622    while :
623    do
624	ANS=""                  # Set ANS to NULL.
625
626	# Don't allow NULL for first try.
627	while [ "$ANS" = "" ]
628	do
629	    get_ans "$@"
630	    [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
631	done
632	_PASS1=$ANS         # Store first try.
633
634	# Get second try.
635	${ECHO} ""
636	get_ans "Re-enter passwd:"
637	_PASS2=$ANS
638
639	# Test if passwords are identical.
640	if [ "$_PASS1" = "$_PASS2" ]; then
641	    break
642	fi
643
644	# Move cursor down to next line and print ERROR message.
645	${ECHO} ""
646	${ECHO} "ERROR: passwords don't match; try again."
647    done
648
649    /usr/bin/stty echo      # Turn echo ON
650
651    ${ECHO} ""
652}
653
654
655#
656# get_passwd_nochk(): Reads a password from the user w/o check.
657#		$@  instruction/comment/description/question
658#
659get_passwd_nochk()
660{
661    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"
662
663    /usr/bin/stty -echo     # Turn echo OFF
664
665    get_ans "$@"
666
667    /usr/bin/stty echo      # Turn echo ON
668
669    ${ECHO} ""
670}
671
672
673#
674# get_menu_choice(): Get a menu choice from user.  Continue prompting
675#                    till the choice is in required range.
676#   $1 .. Message text.
677#   $2 .. min value
678#   $3 .. max value
679#   $4 .. OPTIONAL: default value
680#
681#   Return value:
682#     MN_CH will contain the value selected.
683#
684get_menu_choice()
685{
686    # Check for req parameter.
687    if [ $# -lt 3 ]; then
688	${ECHO} "get_menu_choice(): Did not get required parameters."
689	return 1
690    fi
691
692    while :
693    do
694	get_ans "$1" "$4"
695	MN_CH=$ANS
696	is_negative $MN_CH
697	if [ $? -eq 1 ]; then
698	    if [ $MN_CH -ge $2 ]; then
699		if [ $MN_CH -le $3 ]; then
700		    return
701		fi
702	    fi
703	fi
704	${ECHO} "Invalid choice: $MN_CH"
705    done
706}
707
708
709#
710# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
711#                $1 - Message
712#                $2 - default value.
713#
714get_confirm()
715{
716    _ANSWER=
717
718    while :
719    do
720	# Display Internal ERROR if $2 not set.
721	if [ -z "$2" ]
722	then
723	    ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
724	    exit 2
725	fi
726
727	# Display prompt.
728	${ECHO} "$1 [$2] \c"
729
730	# Get the ANSWER.
731	read _ANSWER
732	if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then
733	    _ANSWER=$2
734	fi
735	case "$_ANSWER" in
736	    [Yy] | yes | Yes | YES) return 1 ;;
737	    [Nn] | no  | No  | NO)  return 0 ;;
738	    [Hh] | help | Help | \?) display_msg ${3:-sorry};;
739	    * ) ${ECHO} "Please enter y or n."  ;;
740	esac
741    done
742}
743
744
745#
746# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
747#                      No default value supported.
748#
749get_confirm_nodef()
750{
751    _ANSWER=
752
753    while :
754    do
755	${ECHO} "$@ \c"
756	read _ANSWER
757	case "$_ANSWER" in
758	    [Yy] | yes | Yes | YES) return 1 ;;
759	    [Nn] | no  | No  | NO)  return 0 ;;
760	    * ) ${ECHO} "Please enter y or n."  ;;
761	esac
762    done
763}
764
765
766#
767# is_numeric(): Tells is a string is numeric.
768#    0 = Numeric
769#    1 = NOT Numeric
770#
771is_numeric()
772{
773    # Check for parameter.
774    if [ $# -ne 1 ]; then
775	return 1
776    fi
777
778    # Determine if numeric.
779    expr "$1" + 1 > /dev/null 2>&1
780    if [ $? -ge 2 ]; then
781	return 1
782    fi
783
784    # Made it here, it's Numeric.
785    return 0
786}
787
788
789#
790# not_numeric(): Reverses the return values of is_numeric.  Useful
791#                 for if and while statements that want to test for
792#                 non-numeric data.
793#    0 = NOT Numeric
794#    1 = Numeric
795#
796not_numeric()
797{
798    is_numeric $1
799    if [ $? -eq 0 ]; then
800       return 1
801    else
802       return 0
803    fi
804}
805
806
807#
808# is_negative(): Tells is a Numeric value is less than zero.
809#    0 = Negative Numeric
810#    1 = Positive Numeric
811#    2 = NOT Numeric
812#
813is_negative()
814{
815    # Check for parameter.
816    if [ $# -ne 1 ]; then
817	return 1
818    fi
819
820    # Determine if numeric.  Can't use expr because -0 is
821    # considered positive??
822    if is_numeric $1; then
823	case "$1" in
824	    -*)  return 0 ;;   # Negative Numeric
825	    *)   return 1 ;;   # Positive Numeric
826	esac
827    else
828	return 2
829    fi
830}
831
832
833#
834# check_domainname(): check validity of a domain name.  Currently we check
835#                     that it has at least two components.
836#		$1  the domain name to be checked
837#
838check_domainname()
839{
840    if [ ! -z "$1" ]
841    then
842	t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
843	if [ "$t" = 0 ]
844	then
845	    return 1
846	fi
847    fi
848    return 0
849}
850
851
852#
853# check_baseDN(): check validity of the baseDN name.
854#		$1  the baseDN name to be checked
855#
856#     NOTE: The check_baseDN function does not catch all invalid DN's.
857#           Its purpose is to reduce the number of invalid DN's to
858#           get past the input routine.  The invalid DN's will be
859#           caught by the LDAP server when they are attempted to be
860#           created.
861#
862check_baseDN()
863{
864    ck_DN=$1
865    ${ECHO} "  Checking LDAP Base DN ..."
866    if [ ! -z "$ck_DN" ]; then
867        [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
868        # Check for = (assignment operator)
869        ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
870        if [ $? -ne 0 ]; then
871            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
872            return 1
873        fi
874
875        # Check all keys.
876        while :
877        do
878            # Get first key.
879            dkey=`${ECHO} $ck_DN | cut -d'=' -f1`
880
881            # Check that the key string is valid
882	    check_attrName $dkey
883	    if [ $? -ne 0 ]; then
884                [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
885                return 1
886            fi
887
888            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"
889
890            # Remove first key from DN
891            ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`
892
893            # Break loop if nothing left.
894            if [ "$ck_DN" = "" ]; then
895                break
896            fi
897        done
898    fi
899    return 0
900}
901
902
903#
904# domain_2_dc(): Convert a domain name into dc string.
905#    $1  .. Domain name.
906#
907domain_2_dc()
908{
909    _DOM=$1           # Domain parameter.
910    _DOM_2_DC=""      # Return value from function.
911    _FIRST=1          # Flag for first time.
912
913    export _DOM_2_DC  # Make visible for others.
914
915    # Convert "."'s to spaces for "for" loop.
916    domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
917    for i in $domtmp; do
918	if [ $_FIRST -eq 1 ]; then
919	    _DOM_2_DC="dc=${i}"
920	    _FIRST=0
921	else
922	    _DOM_2_DC="${_DOM_2_DC},dc=${i}"
923	fi
924    done
925}
926
927
928#
929# is_root_user(): Check to see if logged in as root user.
930#
931is_root_user()
932{
933    case `id` in
934	uid=0\(root\)*) return 0 ;;
935	* )             return 1 ;;
936    esac
937}
938
939
940#
941# parse_arg(): Parses the command line arguments and sets the
942#              appropriate variables.
943#
944parse_arg()
945{
946    while getopts "dvhi:o:" ARG
947    do
948	case $ARG in
949	    d)      DEBUG=1;;
950	    v)      VERB="";;
951	    i)      INPUT_FILE=$OPTARG;;
952	    o)      OUTPUT_FILE=$OPTARG;;
953	    \?)	display_msg usage
954		    exit 1;;
955	    *)	${ECHO} "**ERROR: Supported option missing handler!"
956		    display_msg usage
957		    exit 1;;
958	esac
959    done
960    return `expr $OPTIND - 1`
961}
962
963
964#
965# init(): initializes variables and options
966#
967init()
968{
969    # General variables.
970    PROG=`basename $0`	# Program name
971    PID=$$              # Program ID
972    VERB='> /dev/null 2>&1'	# NULL or "> /dev/null"
973    ECHO="/bin/echo"	# print message on screen
974    EVAL="eval"		# eval or echo
975    EGREP="/usr/bin/egrep"
976    GREP="/usr/bin/grep"
977    DEBUG=0             # Set Debug OFF
978    BACKUP=no_ldap	# backup suffix
979    HOST=""		# NULL or <hostname>
980    NAWK="/usr/bin/nawk"
981    RM="/usr/bin/rm"
982    WC="/usr/bin/wc"
983    CAT="/usr/bin/cat"
984    SED="/usr/bin/sed"
985    MV="/usr/bin/mv"
986
987    DOM=""              # Set to NULL
988    # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
989    if [ -f /etc/resolv.conf ]; then
990        DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
991	    | awk '{ print $2 }' | tail -1`
992    fi
993
994    # If for any reason the DOM did not get set (error'd resolv.conf) set
995    # DOM to the domainname command's output.
996    if [ "$DOM" = "" ]; then
997        DOM=`domainname`	# domain from domainname command.
998    fi
999
1000    STEP=1
1001    INTERACTIVE=1       # 0 = on, 1 = off (For input file mode)
1002    DEL_OLD_PROFILE=0   # 0 (default), 1 = delete old profile.
1003
1004    # idsconfig specific variables.
1005    INPUT_FILE=""
1006    OUTPUT_FILE=""
1007    LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1008    NEED_PROXY=0        # 0 = No Proxy,    1 = Create Proxy.
1009    NEED_ADMIN=0        # 0 = No Admin,    1 = Create Admin.
1010    NEED_HOSTACL=0      # 0 = No Host ACL, 1 = Create Host ACL.
1011    EXISTING_PROFILE=0
1012    LDAP_PROXYAGENT=""
1013    LDAP_ADMINDN=""
1014    LDAP_SUFFIX=""
1015    LDAP_DOMAIN=$DOM	# domainname on Server (default value)
1016    GEN_CMD=""
1017    PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"
1018
1019    # LDAP COMMANDS
1020    LDAPSEARCH="/bin/ldapsearch -r"
1021    LDAPMODIFY=/bin/ldapmodify
1022    LDAPADD=/bin/ldapadd
1023    LDAPDELETE=/bin/ldapdelete
1024    LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile
1025
1026    # iDS specific information
1027    IDS_SERVER=""
1028    IDS_PORT=389
1029    NEED_TIME=0
1030    NEED_SIZE=0
1031    NEED_SRVAUTH_PAM=0
1032    NEED_SRVAUTH_KEY=0
1033    NEED_SRVAUTH_CMD=0
1034    IDS_TIMELIMIT=""
1035    IDS_SIZELIMIT=""
1036
1037    # LDAP PROFILE related defaults
1038    LDAP_ROOTDN="cn=Directory Manager"   # Provide common default.
1039    LDAP_ROOTPWD=""                      # NULL passwd as default (i.e. invalid)
1040    LDAP_PROFILE_NAME="default"
1041    LDAP_BASEDN=""
1042    LDAP_SERVER_LIST=""
1043    LDAP_AUTHMETHOD=""
1044    LDAP_FOLLOWREF="FALSE"
1045    NEED_CRYPT=""
1046    LDAP_SEARCH_SCOPE="one"
1047    LDAP_SRV_AUTHMETHOD_PAM=""
1048    LDAP_SRV_AUTHMETHOD_KEY=""
1049    LDAP_SRV_AUTHMETHOD_CMD=""
1050    LDAP_SEARCH_TIME_LIMIT=30
1051    LDAP_PREF_SRVLIST=""
1052    LDAP_PROFILE_TTL=43200
1053    LDAP_CRED_LEVEL="proxy"
1054    LDAP_BIND_LIMIT=10
1055
1056    # Prevent new files from being read by group or others.
1057    umask 077
1058
1059    # Service Search Descriptors
1060    LDAP_SERV_SRCH_DES=""
1061
1062    # Set and create TMPDIR.
1063    TMPDIR="/tmp/idsconfig.${PID}"
1064    if mkdir -m 700 ${TMPDIR}
1065    then
1066	# Cleanup on exit.
1067	trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
1068    else
1069	echo "ERROR: unable to create a safe temporary directory."
1070	exit 1
1071    fi
1072    LDAP_ROOTPWF=${TMPDIR}/rootPWD
1073
1074    # Set the SSD file name after setting TMPDIR.
1075    SSD_FILE=${TMPDIR}/ssd_list
1076
1077    # GSSAPI setup
1078    LDAP_KRB_REALM=""
1079    LDAP_GSSAPI_PROFILE=""
1080    SCHEMA_UPDATED=0
1081
1082    export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
1083    export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
1084    export LDAP_BASEDN LDAP_ROOTPWF
1085    export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
1086    export NEED_PROXY
1087    export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
1088    export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
1089    export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
1090    export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
1091    export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
1092    export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
1093    export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
1094    export LDAP_SERV_SRCH_DES SSD_FILE
1095    export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED
1096}
1097
1098
1099#
1100# disp_full_debug(): List of all debug variables usually interested in.
1101#                    Grouped to avoid MASSIVE code duplication.
1102#
1103disp_full_debug()
1104{
1105    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SERVER = $IDS_SERVER"
1106    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_PORT = $IDS_PORT"
1107    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTDN = $LDAP_ROOTDN"
1108    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTPWD = $LDAP_ROOTPWD"
1109    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_DOMAIN = $LDAP_DOMAIN"
1110    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX = $LDAP_SUFFIX"
1111    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BASEDN = $LDAP_BASEDN"
1112    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
1113    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
1114    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
1115    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
1116    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
1117    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
1118    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
1119    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_TIMELIMIT = $IDS_TIMELIMIT"
1120    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SIZELIMIT = $IDS_SIZELIMIT"
1121    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_CRYPT = $NEED_CRYPT"
1122    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
1123    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
1124    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
1125    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
1126    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
1127    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
1128    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
1129    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
1130    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
1131    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE"
1132
1133    # Only display proxy stuff if needed.
1134    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_PROXY = $NEED_PROXY"
1135    if [ $NEED_PROXY -eq  1 ]; then
1136	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
1137	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
1138    fi
1139
1140    # Only display admin credential if needed.
1141    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_ADMIN = $NEED_ADMIN"
1142    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_HOSTACL = $NEED_HOSTACL"
1143    if [ $NEED_ADMIN -eq  1 ]; then
1144	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ADMINDN = $LDAP_ADMINDN"
1145	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
1146    fi
1147
1148    # Service Search Descriptors are a special case.
1149    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
1150}
1151
1152
1153#
1154# load_config_file(): Loads the config file.
1155#
1156load_config_file()
1157{
1158    [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"
1159
1160    # Remove SSD lines from input file before sourcing.
1161    # The SSD lines must be removed because some forms of the
1162    # data could cause SHELL errors.
1163    ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD
1164
1165    # Source the input file.
1166    . ${TMPDIR}/inputfile.noSSD
1167
1168    # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older
1169    # config files use LDAP_TREETOP
1170    LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"
1171
1172    # Save password to temporary file.
1173    save_password
1174
1175    # Create the SSD file.
1176    create_ssd_file
1177
1178    # Display FULL debugging info.
1179    disp_full_debug
1180}
1181
1182#
1183# save_password(): Save password to temporary file.
1184#
1185save_password()
1186{
1187    cat > ${LDAP_ROOTPWF} <<EOF
1188${LDAP_ROOTPWD}
1189EOF
1190}
1191
1192######################################################################
1193# FUNCTIONS  FOR prompt_config_info() START HERE.
1194######################################################################
1195
1196#
1197# get_ids_server(): Prompt for iDS server name.
1198#
1199get_ids_server()
1200{
1201    while :
1202    do
1203	# Prompt for server name.
1204	get_ans "Enter the JES Directory Server's  hostname to setup:" "$IDS_SERVER"
1205	IDS_SERVER="$ANS"
1206
1207	# Ping server to see if live.  If valid break out of loop.
1208	ping $IDS_SERVER > /dev/null 2>&1
1209	if [ $? -eq 0 ]; then
1210	    break
1211	fi
1212
1213	# Invalid server, enter a new name.
1214	${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
1215	IDS_SERVER=""
1216    done
1217
1218    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1219    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1220    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1221    export SERVER_ARGS
1222
1223}
1224
1225#
1226# get_ids_port(): Prompt for iDS port number.
1227#
1228get_ids_port()
1229{
1230    # Get a valid iDS port number.
1231    while :
1232    do
1233	# Enter port number.
1234	get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
1235	IDS_PORT=$ANS
1236	# Do a simple search to check hostname and port number.
1237	# If search returns SUCCESS, break out, host and port must
1238	# be valid.
1239	${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1
1240	if [ $? -eq 0 ]; then
1241	    break
1242	fi
1243
1244	# Invalid host/port pair, Re-enter.
1245	${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
1246	get_ids_server
1247    done
1248
1249    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1250    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1251    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1252    export SERVER_ARGS
1253}
1254
1255
1256#
1257# chk_ids_version(): Read the slapd config file and set variables
1258#
1259chk_ids_version()
1260{
1261    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
1262
1263    # check iDS version number.
1264    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
1265    if [ $? -ne 0 ]; then
1266	${ECHO} "ERROR: Can not determine the version number of iDS!"
1267	exit 1
1268    fi
1269    IDS_VER=`cat ${TMPDIR}/checkDSver`
1270    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
1271    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
1272    if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then
1273	${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."
1274    	exit 1
1275    fi
1276    if [ $DEBUG -eq 1 ]; then
1277	${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
1278	${ECHO} "  IDS_MINVER = $IDS_MINVER"
1279    fi
1280}
1281
1282
1283#
1284# get_dirmgr_dn(): Get the directory manger DN.
1285#
1286get_dirmgr_dn()
1287{
1288    get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
1289    LDAP_ROOTDN=$ANS
1290
1291    # Update ENV variables using DN.
1292    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1293    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1294    export AUTH_ARGS LDAP_ARGS
1295}
1296
1297
1298#
1299# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf)
1300#
1301get_dirmgr_pw()
1302{
1303    while :
1304    do
1305	# Get passwd.
1306	get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
1307	LDAP_ROOTPWD=$ANS
1308
1309	# Store password in file.
1310	save_password
1311
1312	# Update ENV variables using DN's PW.
1313	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1314	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1315	export AUTH_ARGS LDAP_ARGS
1316
1317	# Verify that ROOTDN and ROOTPWD are valid.
1318	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
1319	if [ $? -ne 0 ]; then
1320	    eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
1321	    if [ $? -eq 0 ]; then
1322		${ECHO} "ERROR: Root DN passwd is invalid."
1323	    else
1324		${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
1325		get_dirmgr_dn
1326	    fi
1327	else
1328	    break         # Both are valid.
1329	fi
1330    done
1331
1332
1333}
1334
1335
1336#
1337# get_domain(): Get the Domain that will be served by the LDAP server.
1338#               $1 - Help argument.
1339#
1340get_domain()
1341{
1342    # Use LDAP_DOMAIN as default.
1343    get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN
1344
1345    # Check domainname, and have user re-enter if not valid.
1346    check_domainname $ANS
1347    while [ $? -ne 0 ]
1348    do
1349	case "$ANS" in
1350	    [Hh] | help | Help | \?) display_msg ${1:-sorry} ;;
1351	    * ) ${ECHO} "Invalid domainname: \"${ANS}\"."
1352	     ;;
1353	esac
1354	get_ans "Enter domainname to be served (h=help):" $DOM
1355
1356	check_domainname $ANS
1357    done
1358
1359    # Set the domainname to valid name.
1360    LDAP_DOMAIN=$ANS
1361}
1362
1363
1364#
1365# get_basedn(): Query for the Base DN.
1366#
1367get_basedn()
1368{
1369    # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default.
1370    # Then call get_basedn().  This method remakes the default
1371    # each time just in case the domain changed.
1372    domain_2_dc $LDAP_DOMAIN
1373    LDAP_BASEDN=$_DOM_2_DC
1374
1375    # Get Base DN.
1376    while :
1377    do
1378	get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
1379	check_baseDN "$ANS"
1380	while [ $? -ne 0 ]
1381	do
1382	    case "$ANS" in
1383		[Hh] | help | Help | \?) display_msg basedn_help ;;
1384		* ) ${ECHO} "Invalid base DN: \"${ANS}\"."
1385		;;
1386	    esac
1387
1388	    # Re-Enter the BaseDN
1389	    get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
1390	    check_baseDN "$ANS"
1391	done
1392
1393	# Set base DN and check its suffix
1394	LDAP_BASEDN=${ANS}
1395	check_basedn_suffix ||
1396	{
1397		cleanup
1398		exit 1
1399	}
1400
1401	# suffix may need to be created, in that case get suffix from user
1402	[ -n "${NEED_CREATE_SUFFIX}" ] &&
1403	{
1404		get_suffix || continue
1405	}
1406
1407	# suffix is ok, break out of the base dn inquire loop
1408	break
1409    done
1410}
1411
1412#
1413# get_want_shadow_update(): Ask user if want to enable shadow update?
1414#
1415get_want_shadow_update()
1416{
1417    MSG="Do you want to enable shadow update (y/n/h)?"
1418    get_confirm "$MSG" "n" "enable_shadow_update_help"
1419    if [ $? -eq 1 ]; then
1420	LDAP_ENABLE_SHADOW_UPDATE="TRUE"
1421    else
1422	LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1423    fi
1424}
1425
1426get_krb_realm() {
1427
1428    # To upper cases
1429    LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'`
1430    get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM"
1431    # To upper cases
1432    LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'`
1433}
1434
1435# $1: DN
1436# $2: ldif file
1437add_entry_by_DN() {
1438
1439    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}"
1440    if [ $? -eq 0 ]; then
1441	    ${ECHO} "  ${1} already exists"
1442	    return 0
1443    else
1444	${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}"
1445	if [ $? -eq 0 ]; then
1446		${ECHO} "  ${1} is added"
1447	    	return 0
1448	else
1449		${ECHO} "  ERROR: failed to add ${1}"
1450		return 1
1451	fi
1452    fi
1453
1454}
1455#
1456# Kerberos princiapl to DN mapping rules
1457#
1458# Add rules for host credentails and user credentials
1459#
1460add_id_mapping_rules() {
1461
1462    ${ECHO} "  Adding Kerberos principal to DN mapping rules..."
1463
1464    _C_DN="cn=GSSAPI,cn=identity mapping,cn=config"
1465    ( cat << EOF
1466dn: cn=GSSAPI,cn=identity mapping,cn=config
1467objectClass: top
1468objectClass: nsContainer
1469cn: GSSAPI
1470EOF
1471) > ${TMPDIR}/GSSAPI_container.ldif
1472
1473    add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif"
1474    if [ $? -ne 0 ];
1475    then
1476    	${RM} ${TMPDIR}/GSSAPI_container.ldif
1477	return
1478    fi
1479
1480    _H_CN="host_auth_${LDAP_KRB_REALM}"
1481    _H_DN="cn=${_H_CN}, ${_C_DN}"
1482    ( cat << EOF
1483dn: ${_H_DN}
1484objectClass: top
1485objectClass: nsContainer
1486objectClass: dsIdentityMapping
1487objectClass: dsPatternMatching
1488cn: ${_H_CN}
1489dsMatching-pattern: \${Principal}
1490dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM}
1491dsSearchBaseDN: ou=hosts,${LDAP_BASEDN}
1492dsSearchFilter: (&(objectClass=ipHost)(cn=\$1))
1493dsSearchScope: one
1494
1495EOF
1496) > ${TMPDIR}/${_H_CN}.ldif
1497
1498    add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif"
1499
1500    _U_CN="user_auth_${LDAP_KRB_REALM}"
1501    _U_DN="cn=${_U_CN}, ${_C_DN}"
1502    ( cat << EOF
1503dn: ${_U_DN}
1504objectClass: top
1505objectClass: nsContainer
1506objectClass: dsIdentityMapping
1507objectClass: dsPatternMatching
1508cn: ${_U_CN}
1509dsMatching-pattern: \${Principal}
1510dsMatching-regexp: (.*)@${LDAP_KRB_REALM}
1511dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN}
1512
1513EOF
1514) > ${TMPDIR}/${_U_CN}.ldif
1515
1516    add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif"
1517
1518}
1519
1520
1521#
1522# Modify ACL to allow root to read all the password and only self can read
1523# its own password when sasl/GSSAPI bind is used
1524#
1525modify_userpassword_acl_for_gssapi() {
1526
1527    _P_DN="ou=People,${LDAP_BASEDN}"
1528    _H_DN="ou=Hosts,${LDAP_BASEDN}"
1529    _P_ACI="self-read-pwd"
1530
1531    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
1532    if [ $? -ne 0 ]; then
1533	    ${ECHO} "  ${_P_DN} does not exist"
1534	# Not Found. Create a new entry
1535	( cat << EOF
1536dn: ${_P_DN}
1537ou: People
1538objectClass: top
1539objectClass: organizationalUnit
1540EOF
1541) > ${TMPDIR}/gssapi_people.ldif
1542
1543	add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif"
1544    else
1545	${ECHO} "  ${_P_DN} already exists"
1546    fi
1547
1548    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1"
1549
1550    if [ $? -eq 0 ]; then
1551	    ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1"
1552	    if [ $? -eq 0 ]; then
1553		${ECHO} "  userpassword ACL ${_P_ACI} already exists."
1554		return
1555	    else
1556		${ECHO} "  userpassword ACL ${_P_ACI} not found. Create a new one."
1557	    fi
1558    else
1559	${ECHO} "  Error searching aci for ${_P_DN}"
1560	cat ${TMPDIR}/chk_gssapi_aci
1561	cleanup
1562	exit 1
1563    fi
1564    ( cat << EOF
1565dn: ${_P_DN}
1566changetype: modify
1567add: aci
1568aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";)
1569-
1570add: aci
1571aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";)
1572EOF
1573) > ${TMPDIR}/user_gssapi.ldif
1574    LDAP_TYPE_OR_VALUE_EXISTS=20
1575    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}"
1576
1577    case $? in
1578    0)
1579	${ECHO} "  ${_P_DN} uaserpassword ACL is updated."
1580	;;
1581    20)
1582	${ECHO} "  ${_P_DN} uaserpassword ACL already exists."
1583	;;
1584    *)
1585	${ECHO} "  ERROR: update of userpassword ACL for ${_P_DN} failed!"
1586	cleanup
1587	exit 1
1588	;;
1589    esac
1590}
1591#
1592# $1: objectclass or attributetyp
1593# $2: name
1594search_update_schema() {
1595
1596    ATTR="${1}es"
1597
1598    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}"
1599    if [ $? -ne 0 ]; then
1600	${ECHO} "${1} ${2} does not exist."
1601        update_schema_attr
1602        update_schema_obj
1603	SCHEMA_UPDATED=1
1604    else
1605	${ECHO} "${1} ${2} already exists. Schema has been updated"
1606    fi
1607}
1608
1609#
1610# $1: 1 - interactive, 0 - no
1611#
1612create_gssapi_profile() {
1613
1614
1615    if [ ${1} -eq 1 ]; then
1616        echo
1617        echo "You can create a sasl/GSSAPI enabled profile with default values now."
1618        get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n"
1619
1620        if [ $? -eq 0 ]; then
1621	    return
1622        fi
1623    fi
1624
1625    # Add profile container if it does not exist
1626    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
1627    if [ $? -ne 0 ]; then
1628	( cat << EOF
1629dn: ou=profile,${LDAP_BASEDN}
1630ou: profile
1631objectClass: top
1632objectClass: organizationalUnit
1633EOF
1634) > ${TMPDIR}/profile_people.ldif
1635
1636        add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif"
1637
1638    fi
1639
1640    search_update_schema "objectclass" "DUAConfigProfile"
1641
1642    _P_NAME="gssapi_${LDAP_KRB_REALM}"
1643    if [ ${1} -eq 1 ]; then
1644    	_P_TMP=${LDAP_PROFILE_NAME}
1645    	LDAP_PROFILE_NAME=${_P_NAME}
1646   	get_profile_name
1647        LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME}
1648    	LDAP_PROFILE_NAME=${_P_TMP}
1649    fi
1650
1651    _P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}"
1652    if [ ${DEL_OLD_PROFILE} -eq 1 ]; then
1653	    DEL_OLD_PROFILE=0
1654	    ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}"
1655    fi
1656
1657    _SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'`
1658    if [ ${IDS_PORT} -ne 389 ]; then
1659	    _SVR="${_SVR}:${IDS_PORT}"
1660    fi
1661
1662    (cat << EOF
1663dn: ${_P_DN}
1664objectClass: top
1665objectClass: DUAConfigProfile
1666defaultServerList: ${_SVR}
1667defaultSearchBase: ${LDAP_BASEDN}
1668authenticationMethod: sasl/GSSAPI
1669followReferrals: ${LDAP_FOLLOWREF}
1670defaultSearchScope: ${LDAP_SEARCH_SCOPE}
1671searchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT}
1672profileTTL: ${LDAP_PROFILE_TTL}
1673cn: ${LDAP_GSSAPI_PROFILE}
1674credentialLevel: self
1675bindTimeLimit: ${LDAP_BIND_LIMIT}
1676EOF
1677) > ${TMPDIR}/gssapi_profile.ldif
1678
1679    add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif"
1680
1681}
1682#
1683# Set up GSSAPI if necessary
1684#
1685gssapi_setup() {
1686
1687	# assume sasl/GSSAPI is supported by the ldap server and may be used
1688	GSSAPI_AUTH_MAY_BE_USED=1
1689	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
1690	if [ $? -ne 0 ]; then
1691		GSSAPI_AUTH_MAY_BE_USED=0
1692		${ECHO} "  sasl/GSSAPI is not supported by this LDAP server"
1693		return
1694	fi
1695
1696	get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n"
1697	if [ $? -eq 0 ]; then
1698		${ECHO}
1699		${ECHO} "GSSAPI is not set up."
1700		${ECHO} "sasl/GSSAPI bind may not work if it's not set up first."
1701	else
1702		get_krb_realm
1703		add_id_mapping_rules
1704		modify_userpassword_acl_for_gssapi
1705		create_gssapi_profile 1
1706		${ECHO}
1707		${ECHO} "GSSAPI setup is done."
1708	fi
1709
1710	cat << EOF
1711
1712You can continue to create a profile and
1713configure the LDAP server.
1714Or you can stop now.
1715
1716EOF
1717	get_confirm "Do you want to stop:(y/n)" "n"
1718	if [ $? -eq 1 ]; then
1719		cleanup
1720		exit
1721	fi
1722
1723}
1724gssapi_setup_auto() {
1725	GSSAPI_AUTH_MAY_BE_USED=0
1726	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
1727	if [ $? -ne 0 ]; then
1728		${ECHO}
1729		${ECHO} "sasl/GSSAPI is not supported by this LDAP server"
1730		${ECHO}
1731		return
1732	fi
1733	if [ -z "${LDAP_KRB_REALM}" ]; then
1734		${ECHO}
1735		${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup."
1736		${ECHO} "sasl/GSSAPI bind won't work properly."
1737		${ECHO}
1738		return
1739	fi
1740	GSSAPI_AUTH_MAY_BE_USED=1
1741	if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then
1742		${ECHO}
1743		${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}"
1744		${ECHO}
1745		LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}"
1746	fi
1747	add_id_mapping_rules
1748	modify_userpassword_acl_for_gssapi
1749	create_gssapi_profile 0
1750}
1751# get_profile_name(): Enter the profile name.
1752#
1753get_profile_name()
1754{
1755    # Reset Delete Old Profile since getting new profile name.
1756    DEL_OLD_PROFILE=0
1757
1758    # Loop until valid profile name, or replace.
1759    while :
1760    do
1761	# Prompt for profile name.
1762	get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME"
1763
1764	# Check for Help.
1765	case "$ANS" in
1766	    [Hh] | help | Help | \?) display_msg profile_help
1767				     continue ;;
1768	    * )  ;;
1769	esac
1770
1771	# Search to see if profile name already exists.
1772	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
1773	if [ $? -eq 0 ]; then
1774
1775	    cat << EOF
1776
1777Profile '${ANS}' already exists, it is possible to enable
1778shadow update now. idsconfig will exit after shadow update
1779is enabled. You can also continue to overwrite the profile 
1780or create a new one and be given the chance to enable
1781shadow update later.
1782
1783EOF
1784
1785	    MSG="Just enable shadow update (y/n/h)?"
1786	    get_confirm "$MSG" "n" "enable_shadow_update_help"
1787	    if [ $? -eq 1 ]; then
1788	        [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update"
1789	        LDAP_ENABLE_SHADOW_UPDATE=TRUE
1790		# display alternate messages
1791		EXISTING_PROFILE=1
1792	        # Set Profile Name.
1793	        LDAP_PROFILE_NAME=$ANS
1794	        return 0  # set up credentials for shadow update.
1795	    fi
1796
1797	    get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?"
1798	    if [ $? -eq 1 ]; then
1799		DEL_OLD_PROFILE=1
1800		return 0  # Replace old profile name.
1801	    else
1802		${ECHO} "Please re-enter a new profile name."
1803	    fi
1804	else
1805	    break  # Unique profile name.
1806	fi
1807    done
1808
1809    # Set Profile Name.
1810    LDAP_PROFILE_NAME=$ANS
1811}
1812
1813
1814#
1815# get_srv_list(): Get the default server list.
1816#
1817get_srv_list()
1818{
1819    # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone.
1820    if [ -z "${LDAP_SERVER_LIST}" ]; then
1821	LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'`
1822        if [ ${IDS_PORT} -ne 389 ]; then
1823	    LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}"
1824	fi
1825    fi
1826
1827    # Prompt for new LDAP_SERVER_LIST.
1828    while :
1829    do
1830	get_ans "Default server list (h=help):" $LDAP_SERVER_LIST
1831
1832	# If help continue, otherwise break.
1833	case "$ANS" in
1834	    [Hh] | help | Help | \?) display_msg def_srvlist_help ;;
1835	    * ) break ;;
1836	esac
1837    done
1838    LDAP_SERVER_LIST=$ANS
1839}
1840
1841
1842#
1843# get_pref_srv(): The preferred server list (Overrides the server list)
1844#
1845get_pref_srv()
1846{
1847    while :
1848    do
1849	get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST
1850
1851	# If help continue, otherwise break.
1852	case "$ANS" in
1853	    [Hh] | help | Help | \?) display_msg pref_srvlist_help ;;
1854	    * ) break ;;
1855	esac
1856    done
1857    LDAP_PREF_SRVLIST=$ANS
1858}
1859
1860
1861#
1862# get_search_scope(): Get the search scope from the user.
1863#
1864get_search_scope()
1865{
1866    [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()"
1867
1868    _MENU_CHOICE=0
1869    while :
1870    do
1871	get_ans "Choose desired search scope (one, sub, h=help): " "one"
1872	_MENU_CHOICE=$ANS
1873	case "$_MENU_CHOICE" in
1874	    one) LDAP_SEARCH_SCOPE="one"
1875	       return 1 ;;
1876	    sub) LDAP_SEARCH_SCOPE="sub"
1877	       return 2 ;;
1878	    h) display_msg srch_scope_help ;;
1879	    *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;;
1880	esac
1881    done
1882
1883}
1884
1885
1886#
1887# get_cred_level(): Function to display menu to user and get the
1888#                  credential level.
1889#
1890get_cred_level()
1891{
1892    [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()"
1893
1894    _MENU_CHOICE=0
1895    display_msg cred_level_menu
1896    while :
1897    do
1898	get_ans "Choose Credential level [h=help]:" "1"
1899	_MENU_CHOICE=$ANS
1900	case "$_MENU_CHOICE" in
1901	    1) LDAP_CRED_LEVEL="anonymous"
1902	       return 1 ;;
1903	    2) LDAP_CRED_LEVEL="proxy"
1904	       return 2 ;;
1905	    3) LDAP_CRED_LEVEL="proxy anonymous"
1906	       return 3 ;;
1907	    4) LDAP_CRED_LEVEL="self"
1908	       SELF_GSSAPI=1
1909	       return 4 ;;
1910	    5) LDAP_CRED_LEVEL="self proxy"
1911	       SELF_GSSAPI=1
1912	       return 5 ;;
1913	    6) LDAP_CRED_LEVEL="self proxy anonymous"
1914	       SELF_GSSAPI=1
1915	       return 6 ;;
1916	    h) display_msg cred_lvl_help ;;
1917	    *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;;
1918	esac
1919    done
1920}
1921
1922
1923#
1924# srvauth_menu_handler(): Enter the Service Authentication method.
1925#
1926srvauth_menu_handler()
1927{
1928    # Display Auth menu
1929    display_msg srvauth_method_menu
1930
1931    # Get a Valid choice.
1932    while :
1933    do
1934	# Display appropriate prompt and get answer.
1935	if [ $_FIRST -eq 1 ]; then
1936	    get_ans "Choose Service Authentication Method:" "1"
1937	else
1938	    get_ans "Choose Service Authentication Method (0=reset):"
1939	fi
1940
1941	# Determine choice.
1942	_MENU_CHOICE=$ANS
1943	case "$_MENU_CHOICE" in
1944	    1) _AUTHMETHOD="simple"
1945		break ;;
1946	    2) _AUTHMETHOD="sasl/DIGEST-MD5"
1947		break ;;
1948	    3) _AUTHMETHOD="tls:simple"
1949		break ;;
1950	    4) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1951		break ;;
1952	    5) _AUTHMETHOD="sasl/GSSAPI"
1953		break ;;
1954	    0) _AUTHMETHOD=""
1955		_FIRST=1
1956		break ;;
1957	    *) ${ECHO} "Please enter 1-5 or 0 to reset." ;;
1958	esac
1959    done
1960}
1961
1962
1963#
1964# auth_menu_handler(): Enter the Authentication method.
1965#
1966auth_menu_handler()
1967{
1968    # Display Auth menu
1969    display_msg auth_method_menu
1970
1971    # Get a Valid choice.
1972    while :
1973    do
1974	# Display appropriate prompt and get answer.
1975	if [ $_FIRST -eq 1 ]; then
1976	    get_ans "Choose Authentication Method (h=help):" "1"
1977	else
1978	    get_ans "Choose Authentication Method (0=reset, h=help):"
1979	fi
1980
1981	# Determine choice.
1982	_MENU_CHOICE=$ANS
1983	case "$_MENU_CHOICE" in
1984	    1) _AUTHMETHOD="none"
1985		break ;;
1986	    2) _AUTHMETHOD="simple"
1987		break ;;
1988	    3) _AUTHMETHOD="sasl/DIGEST-MD5"
1989		break ;;
1990	    4) _AUTHMETHOD="tls:simple"
1991		break ;;
1992	    5) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1993		break ;;
1994	    6) _AUTHMETHOD="sasl/GSSAPI"
1995		break ;;
1996	    0) _AUTHMETHOD=""
1997		_FIRST=1
1998		break ;;
1999	    h) display_msg auth_help ;;
2000	    *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;;
2001	esac
2002    done
2003}
2004
2005
2006#
2007# get_auth(): Enter the Authentication method.
2008#
2009get_auth()
2010{
2011    [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()"
2012
2013    _FIRST=1          # Flag for first time.
2014    _MENU_CHOICE=0
2015    _AUTHMETHOD=""    # Tmp method.
2016
2017    while :
2018    do
2019	# Call Menu handler
2020	auth_menu_handler
2021
2022	# Add Auth Method to list.
2023        if [ $_FIRST -eq 1 ]; then
2024	    LDAP_AUTHMETHOD="${_AUTHMETHOD}"
2025	    _FIRST=0
2026	else
2027	    LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}"
2028	fi
2029
2030	# Display current Authentication Method.
2031	${ECHO} ""
2032	${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}"
2033	${ECHO} ""
2034
2035	# Prompt for another Auth Method, or break out.
2036	get_confirm_nodef "Do you want to add another Authentication Method?"
2037	if [ $? -eq 0 ]; then
2038	    break;
2039	fi
2040    done
2041}
2042
2043
2044#
2045# get_followref(): Whether or not to follow referrals.
2046#
2047get_followref()
2048{
2049    get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
2050    if [ $? -eq 1 ]; then
2051	LDAP_FOLLOWREF="TRUE"
2052    else
2053	LDAP_FOLLOWREF="FALSE"
2054    fi
2055}
2056
2057
2058#
2059# get_timelimit(): Set the time limit. -1 is max time.
2060#
2061get_timelimit()
2062{
2063    # Get current timeout value from cn=config.
2064    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1"
2065    if [ $? -ne 0 ]; then
2066	${ECHO} "  ERROR: Could not reach LDAP server to check current timeout!"
2067	cleanup
2068	exit 1
2069    fi
2070    CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=`
2071
2072    get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
2073    IDS_TIMELIMIT=$NUM
2074}
2075
2076
2077#
2078# get_sizelimit(): Set the size limit. -1 is max size.
2079#
2080get_sizelimit()
2081{
2082    # Get current sizelimit value from cn=config.
2083    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1"
2084    if [ $? -ne 0 ]; then
2085	${ECHO} "  ERROR: Could not reach LDAP server to check current sizelimit!"
2086	cleanup
2087	exit 1
2088    fi
2089    CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=`
2090
2091    get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
2092    IDS_SIZELIMIT=$NUM
2093}
2094
2095
2096#
2097# get_want_crypt(): Ask user if want to store passwords in crypt?
2098#
2099get_want_crypt()
2100{
2101    get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
2102    if [ $? -eq 1 ]; then
2103	NEED_CRYPT="TRUE"
2104    else
2105	NEED_CRYPT="FALSE"
2106    fi
2107}
2108
2109
2110#
2111# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
2112#
2113#  NOTE: This function is base on get_auth().
2114#
2115get_srv_authMethod_pam()
2116{
2117    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"
2118
2119    _FIRST=1          # Flag for first time.
2120    _MENU_CHOICE=0
2121    _AUTHMETHOD=""    # Tmp method.
2122
2123    while :
2124    do
2125	# Call Menu handler
2126	srvauth_menu_handler
2127
2128	# Add Auth Method to list.
2129        if [ $_FIRST -eq 1 ]; then
2130	    if [ "$_AUTHMETHOD" = "" ]; then
2131		LDAP_SRV_AUTHMETHOD_PAM=""
2132	    else
2133		LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
2134	    fi
2135	    _FIRST=0
2136	else
2137	    LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}"
2138	fi
2139
2140	# Display current Authentication Method.
2141	${ECHO} ""
2142	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
2143	${ECHO} ""
2144
2145	# Prompt for another Auth Method, or break out.
2146	get_confirm_nodef "Do you want to add another Authentication Method?"
2147	if [ $? -eq 0 ]; then
2148	    break;
2149	fi
2150    done
2151
2152    # Check in case user reset string and exited loop.
2153    if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
2154	NEED_SRVAUTH_PAM=0
2155    fi
2156}
2157
2158
2159#
2160# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
2161#
2162#  NOTE: This function is base on get_auth().
2163#
2164get_srv_authMethod_key()
2165{
2166    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"
2167
2168    _FIRST=1          # Flag for first time.
2169    _MENU_CHOICE=0
2170    _AUTHMETHOD=""    # Tmp method.
2171
2172    while :
2173    do
2174	# Call Menu handler
2175	srvauth_menu_handler
2176
2177	# Add Auth Method to list.
2178        if [ $_FIRST -eq 1 ]; then
2179	    if [ "$_AUTHMETHOD" = "" ]; then
2180		LDAP_SRV_AUTHMETHOD_KEY=""
2181	    else
2182		LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
2183	    fi
2184	    _FIRST=0
2185	else
2186	    LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}"
2187	fi
2188
2189	# Display current Authentication Method.
2190	${ECHO} ""
2191	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
2192	${ECHO} ""
2193
2194	# Prompt for another Auth Method, or break out.
2195	get_confirm_nodef "Do you want to add another Authentication Method?"
2196	if [ $? -eq 0 ]; then
2197	    break;
2198	fi
2199    done
2200
2201    # Check in case user reset string and exited loop.
2202    if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
2203	NEED_SRVAUTH_KEY=0
2204    fi
2205}
2206
2207
2208#
2209# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
2210#
2211#  NOTE: This function is base on get_auth().
2212#
2213get_srv_authMethod_cmd()
2214{
2215    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"
2216
2217    _FIRST=1          # Flag for first time.
2218    _MENU_CHOICE=0
2219    _AUTHMETHOD=""    # Tmp method.
2220
2221    while :
2222    do
2223	# Call Menu handler
2224	srvauth_menu_handler
2225
2226	# Add Auth Method to list.
2227        if [ $_FIRST -eq 1 ]; then
2228	    if [ "$_AUTHMETHOD" = "" ]; then
2229		LDAP_SRV_AUTHMETHOD_CMD=""
2230	    else
2231		LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
2232	    fi
2233	    _FIRST=0
2234	else
2235	    LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}"
2236	fi
2237
2238	# Display current Authentication Method.
2239	${ECHO} ""
2240	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
2241	${ECHO} ""
2242
2243	# Prompt for another Auth Method, or break out.
2244	get_confirm_nodef "Do you want to add another Authentication Method?"
2245	if [ $? -eq 0 ]; then
2246	    break;
2247	fi
2248    done
2249
2250    # Check in case user reset string and exited loop.
2251    if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
2252	NEED_SRVAUTH_CMD=0
2253    fi
2254}
2255
2256
2257#
2258# get_srch_time(): Amount of time to search.
2259#
2260get_srch_time()
2261{
2262    get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
2263    LDAP_SEARCH_TIME_LIMIT=$NUM
2264}
2265
2266
2267#
2268# get_prof_ttl(): The profile time to live (TTL)
2269#
2270get_prof_ttl()
2271{
2272    get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help"
2273    LDAP_PROFILE_TTL=$NUM
2274}
2275
2276
2277#
2278# get_bind_limit(): Bind time limit
2279#
2280get_bind_limit()
2281{
2282    get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help"
2283    LDAP_BIND_LIMIT=$NUM
2284}
2285
2286
2287######################################################################
2288# FUNCTIONS  FOR Service Search Descriptor's START HERE.
2289######################################################################
2290
2291
2292#
2293# add_ssd(): Get SSD's from user and add to file.
2294#
2295add_ssd()
2296{
2297    [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"
2298
2299    # Enter the service id.  Loop til unique.
2300    while :
2301    do
2302	get_ans "Enter the service id:"
2303	_SERV_ID=$ANS
2304
2305	# Grep for name existing.
2306	${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
2307	if [ $? -eq 1 ]; then
2308	    break
2309	fi
2310
2311	# Name exists, print message, let user decide.
2312	${ECHO} "ERROR: Service id ${ANS} already exists."
2313    done
2314
2315    get_ans "Enter the base:"
2316    _BASE=$ANS
2317
2318    # Get the scope and verify that its one or sub.
2319    while :
2320    do
2321	get_ans "Enter the scope:"
2322	_SCOPE=$ANS
2323	case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
2324	    one) break ;;
2325	    sub) break ;;
2326	    *)   ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
2327	esac
2328    done
2329
2330    # Build SSD to add to file.
2331    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
2332
2333    # Add the SSD to the file.
2334    ${ECHO} "${_SSD}" >> ${SSD_FILE}
2335}
2336
2337
2338#
2339# delete_ssd(): Delete a SSD from the list.
2340#
2341delete_ssd()
2342{
2343    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"
2344
2345    # Get service id name from user for SSD to delete.
2346    get_ans_req "Enter service id to delete:"
2347
2348    # Make sure service id exists.
2349    ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1
2350    if [ $? -eq 1 ]; then
2351	${ECHO} "Invalid service id: $ANS not present in list."
2352	return
2353    fi
2354
2355    # Create temporary back SSD file.
2356    cp ${SSD_FILE} ${SSD_FILE}.bak
2357    if [ $? -eq 1 ]; then
2358	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
2359	exit 1
2360    fi
2361
2362    # Use ${GREP} to remove the SSD.  Read from temp file
2363    # and write to the orig file.
2364    ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE}
2365}
2366
2367
2368#
2369# modify_ssd(): Allow user to modify a SSD.
2370#
2371modify_ssd()
2372{
2373    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"
2374
2375    # Prompt user for service id.
2376    get_ans_req "Enter service id to modify:"
2377
2378    # Put into temp _LINE.
2379    _LINE=`${GREP} "^$ANS:" ${SSD_FILE}`
2380    if [ "$_LINE" = "" ]; then
2381	${ECHO} "Invalid service id: $ANS"
2382	return
2383    fi
2384
2385    # Display current filter for user to see.
2386    ${ECHO} ""
2387    ${ECHO} "Current SSD: $_LINE"
2388    ${ECHO} ""
2389
2390    # Get the defaults.
2391    _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
2392    _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`
2393
2394    # Create temporary back SSD file.
2395    cp ${SSD_FILE} ${SSD_FILE}.bak
2396    if [ $? -eq 1 ]; then
2397	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
2398	cleanup
2399	exit 1
2400    fi
2401
2402    # Removed the old line.
2403    ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
2404
2405    # New Entry
2406    _SERV_ID=$ANS
2407    get_ans_req "Enter the base:" "$_CURR_BASE"
2408    _BASE=$ANS
2409    get_ans_req "Enter the scope:" "$_CURR_SCOPE"
2410    _SCOPE=$ANS
2411
2412    # Build the new SSD.
2413    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
2414
2415    # Add the SSD to the file.
2416    ${ECHO} "${_SSD}" >> ${SSD_FILE}
2417}
2418
2419
2420#
2421# display_ssd(): Display the current SSD list.
2422#
2423display_ssd()
2424{
2425    [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"
2426
2427    ${ECHO} ""
2428    ${ECHO} "Current Service Search Descriptors:"
2429    ${ECHO} "=================================="
2430    cat ${SSD_FILE}
2431    ${ECHO} ""
2432    ${ECHO} "Hit return to continue."
2433    read __A
2434}
2435
2436
2437#
2438# prompt_ssd(): Get SSD's from user.
2439#
2440prompt_ssd()
2441{
2442    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"
2443    # See if user wants SSD's?
2444    get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
2445    [ "$?" -eq 0 ] && return
2446
2447    # Display menu for SSD choices.
2448    while :
2449    do
2450	display_msg prompt_ssd_menu
2451	get_ans "Enter menu choice:" "Quit"
2452	case "$ANS" in
2453	    [Aa] | add) add_ssd ;;
2454	    [Dd] | delete) delete_ssd ;;
2455	    [Mm] | modify) modify_ssd ;;
2456	    [Pp] | print | display) display_ssd ;;
2457	    [Xx] | reset | clear) reset_ssd_file ;;
2458	    [Hh] | Help | help)	display_msg ssd_menu_help
2459				${ECHO} " Press return to continue."
2460				read __A ;;
2461	    [Qq] | Quit | quit)	return ;;
2462	    *)    ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
2463	esac
2464    done
2465}
2466
2467
2468#
2469# reset_ssd_file(): Blank out current SSD file.
2470#
2471reset_ssd_file()
2472{
2473    [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()"
2474
2475    rm -f ${SSD_FILE}
2476    touch ${SSD_FILE}
2477}
2478
2479
2480#
2481# create_ssd_file(): Create a temporary file for SSD's.
2482#
2483create_ssd_file()
2484{
2485    [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()"
2486
2487    # Build a list of SSD's and store in temp file.
2488    ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \
2489	sed 's/LDAP_SERV_SRCH_DES=//' \
2490	> ${SSD_FILE}
2491}
2492
2493
2494#
2495# ssd_2_config(): Append the SSD file to the output file.
2496#
2497ssd_2_config()
2498{
2499    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()"
2500
2501    # Convert to config file format using sed.
2502    sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE}
2503}
2504
2505
2506#
2507# ssd_2_profile(): Add SSD's to the GEN_CMD string.
2508#
2509ssd_2_profile()
2510{
2511    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()"
2512
2513    GEN_TMPFILE=${TMPDIR}/ssd_tmpfile
2514    touch ${GEN_TMPFILE}
2515
2516    # Add and convert each SSD to string.
2517    while read SSD_LINE
2518    do
2519	${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE}
2520    done <${SSD_FILE}
2521
2522    # Add SSD's to GEN_CMD.
2523    GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`"
2524}
2525
2526#
2527# get_adminDN(): Get the admin DN.
2528#
2529get_adminDN()
2530{
2531    LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}"  # default
2532    get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN"
2533    LDAP_ADMINDN=$ANS
2534    [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN"
2535}
2536
2537#
2538# get_admin_pw(): Get the admin passwd.
2539#
2540get_admin_pw()
2541{
2542    get_passwd "Enter passwd for the administrator:"
2543    LDAP_ADMIN_CRED=$ANS
2544    [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
2545}
2546
2547#
2548# add_admin(): Add an admin entry for nameservice for updating shadow data.
2549#
2550add_admin()
2551{
2552    [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()"
2553
2554    # Check if the admin user already exists.
2555    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}"
2556    if [ $? -eq 0 ]; then
2557	MSG="Administrator ${LDAP_ADMINDN} already exists."
2558	if [ $EXISTING_PROFILE -eq 1 ]; then
2559	    ${ECHO} "  NOT ADDED: $MSG"
2560	else
2561	    ${ECHO} "  ${STEP}. $MSG"
2562	    STEP=`expr $STEP + 1`
2563	fi
2564	return 0
2565    fi
2566
2567    # Get cn and sn names from LDAP_ADMINDN.
2568    cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=`
2569
2570    # Create the tmp file to add.
2571    ( cat <<EOF
2572dn: ${LDAP_ADMINDN}
2573cn: ${cn_tmp}
2574sn: ${cn_tmp}
2575objectclass: top
2576objectclass: person
2577userpassword: ${LDAP_ADMIN_CRED}
2578EOF
2579) > ${TMPDIR}/admin
2580
2581    # Add the entry.
2582    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}"
2583    if [ $? -ne 0 ]; then
2584	${ECHO} "  ERROR: Adding administrator identity failed!"
2585	cleanup
2586	exit 1
2587    fi
2588
2589    ${RM} -f ${TMPDIR}/admin
2590
2591    # Display message that the administrator identity is added.
2592    MSG="Administrator identity ${LDAP_ADMINDN}"
2593    if [ $EXISTING_PROFILE -eq 1 ]; then
2594	${ECHO} "  ADDED: $MSG."
2595    else
2596	${ECHO} "  ${STEP}. $MSG added."
2597	STEP=`expr $STEP + 1`
2598    fi
2599}
2600
2601#
2602# allow_admin_read_write_shadow(): Give Admin read/write permission
2603# to shadow data.
2604#
2605allow_admin_read_write_shadow()
2606{
2607    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()"
2608
2609    # Set ACI Name
2610    ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write"
2611
2612    # Search for ACI_NAME
2613    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \
2614    -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1"
2615
2616    # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search"
2617    # and ${LDAP_ADMINDN} already exists, we are done
2618    ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \
2619    	${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null
2620    if [ $? -eq 0 ]; then
2621	MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}."
2622	if [ $EXISTING_PROFILE -eq 1 ]; then
2623	    ${ECHO} "  NOT SET: $MSG"
2624	else
2625	    ${ECHO} "  ${STEP}. $MSG"
2626	    STEP=`expr $STEP + 1`
2627	fi
2628	return 0
2629    fi
2630
2631    # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN}
2632    # already exists, delete it first.
2633    find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \
2634	${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME}
2635
2636    # Create the tmp file to add.
2637    ( cat <<EOF
2638dn: ${LDAP_BASEDN}
2639changetype: modify
2640add: aci
2641aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange
2642 ||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire
2643 ||shadowFlag||userPassword||loginShell||homeDirectory||gecos")
2644  (version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search)
2645  userdn = "ldap:///${LDAP_ADMINDN}";)
2646EOF
2647) > ${TMPDIR}/admin_write
2648
2649    # Add the entry.
2650    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}"
2651    if [ $? -ne 0 ]; then
2652	${ECHO} "  ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!"
2653	cleanup
2654	exit 1
2655    fi
2656
2657    ${RM} -f ${TMPDIR}/admin_write
2658    # Display message that the administrator ACL is set.
2659    MSG="Give ${LDAP_ADMINDN} read/write access to shadow data."
2660    if [ $EXISTING_PROFILE -eq 1 ]; then
2661	${ECHO} "  ACI SET: $MSG"
2662    else
2663	${ECHO} "  ${STEP}. $MSG"
2664	STEP=`expr $STEP + 1`
2665    fi
2666}
2667
2668#
2669# allow_host_read_write_shadow(): Give host principal read/write permission
2670# for shadow data.
2671#
2672allow_host_read_write_shadow()
2673{
2674    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()"
2675
2676    # Set ACI Name
2677    HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write"
2678
2679    # Search for ACI_NAME
2680    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1"
2681    ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1
2682    if [ $? -eq 0 ]; then
2683	MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}."
2684	if [ $EXISTING_PROFILE -eq 1 ]; then
2685	    ${ECHO} "  NOT ADDED: $MSG"
2686	else
2687	    ${ECHO} "  ${STEP}. $MSG"
2688	    STEP=`expr $STEP + 1`
2689	fi
2690	return 0
2691    fi
2692
2693    # Create the tmp file to add.
2694    ( cat <<EOF
2695dn: ${LDAP_BASEDN}
2696changetype: modify
2697add: aci
2698aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
2699EOF
2700) > ${TMPDIR}/host_read_write
2701
2702    # Add the entry.
2703    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}"
2704    if [ $? -ne 0 ]; then
2705	${ECHO} "  ERROR: Allow Host Principal to write shadow data failed!"
2706	cleanup
2707	exit 1
2708    fi
2709
2710    ${RM} -f ${TMPDIR}/host_read_write
2711    MSG="Give host principal read/write permission for shadow."
2712    if [ $EXISTING_PROFILE -eq 1 ]; then
2713	${ECHO} "  ACI SET: $MSG"
2714    else
2715	${ECHO} "  ${STEP}. $MSG"
2716	STEP=`expr $STEP + 1`
2717    fi
2718}
2719
2720#
2721# Set up shadow update
2722#
2723setup_shadow_update() {
2724    [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()"
2725
2726    # get content of the profile
2727    PROFILE_OUT=${TMPDIR}/prof_tmpfile
2728    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1"
2729    ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1
2730    if [ $? -ne 0 ]; then
2731	[ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist"
2732	${RM} ${PROFILE_OUT}
2733	return
2734    fi
2735
2736    # Search to see if authenticationMethod has 'GSSAPI' and
2737    # credentialLevel has 'self'. If so, ask to use the
2738    # host principal for shadow update
2739    if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
2740	if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1
2741	then
2742	    if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1
2743	    then
2744		NEED_HOSTACL=1
2745	    fi
2746	fi
2747	${RM} ${PROFILE_OUT}
2748	[ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
2749
2750	if [ $NEED_HOSTACL -eq 1 ]; then
2751	    MSG="Use host principal for shadow data update (y/n/h)?"
2752	    get_confirm "$MSG" "y" "use_host_principal_help"
2753	    if [ $? -eq 1 ]; then
2754		delete_proxy_read_pw
2755		allow_host_read_write_shadow
2756		deny_non_host_shadow_access
2757	        ${ECHO} ""
2758		${ECHO} "  Shadow update has been enabled."
2759	    else
2760	        ${ECHO} ""
2761    		${ECHO} "  Shadow update may not work."
2762	    fi
2763	    return
2764	fi
2765    fi
2766
2767    MSG="Add the administrator identity (y/n/h)?"
2768    get_confirm "$MSG" "y" "add_admin_cred_help"
2769    if [ $? -eq 1 ]; then
2770	get_adminDN
2771	get_admin_pw
2772	add_admin
2773	delete_proxy_read_pw
2774	allow_admin_read_write_shadow
2775	deny_non_admin_shadow_access
2776        ${ECHO} ""
2777	${ECHO} "  Shadow update has been enabled."
2778	return
2779    fi
2780
2781    ${ECHO} "  No administrator identity specified, shadow update may not work."
2782}
2783
2784
2785#
2786# prompt_config_info(): This function prompts the user for the config
2787# info that is not specified in the input file.
2788#
2789prompt_config_info()
2790{
2791    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"
2792
2793    # Prompt for iDS server name.
2794    get_ids_server
2795
2796    # Prompt for iDS port number.
2797    get_ids_port
2798
2799    # Check iDS version for compatibility.
2800    chk_ids_version
2801
2802    # Check if the server supports the VLV.
2803    chk_vlv_indexes
2804
2805    # Get the Directory manager DN and passwd.
2806    get_dirmgr_dn
2807    get_dirmgr_pw
2808
2809    #
2810    # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
2811    #   (i.e. The fields that show up in the profile.)
2812    #
2813    get_domain "domain_help"
2814
2815    get_basedn
2816
2817    gssapi_setup
2818
2819    get_profile_name
2820
2821    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then
2822	setup_shadow_update
2823	cleanup
2824	exit 0
2825    fi
2826
2827    get_srv_list
2828    get_pref_srv
2829    get_search_scope
2830
2831    # If cred is "anonymous", make auth == "none"
2832    get_cred_level
2833    if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
2834	get_auth
2835    fi
2836
2837    get_followref
2838
2839    # Query user about timelimt.
2840    get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
2841    NEED_TIME=$?
2842    [ $NEED_TIME -eq 1 ] && get_timelimit
2843
2844    # Query user about sizelimit.
2845    get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
2846    NEED_SIZE=$?
2847    [ $NEED_SIZE -eq 1 ] && get_sizelimit
2848
2849    # Does the user want to store passwords in crypt format?
2850    get_want_crypt
2851
2852    # Prompt for any Service Authentication Methods?
2853    get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
2854    if [ $? -eq 1 ]; then
2855	# Does the user want to set Service Authentication Method for pam_ldap?
2856	get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
2857	NEED_SRVAUTH_PAM=$?
2858	[ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam
2859
2860	# Does the user want to set Service Authentication Method for keyserv?
2861	get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
2862	NEED_SRVAUTH_KEY=$?
2863	[ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key
2864
2865	# Does the user want to set Service Authentication Method for passwd-cmd?
2866	get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
2867	NEED_SRVAUTH_CMD=$?
2868	[ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
2869    fi
2870
2871
2872    # Get Timeouts
2873    get_srch_time
2874    get_prof_ttl
2875    get_bind_limit
2876
2877    # Ask whether to enable shadow update
2878    get_want_shadow_update
2879
2880    # Reset the sdd_file and prompt user for SSD.  Will use menus
2881    # to build an SSD File.
2882    reset_ssd_file
2883    prompt_ssd
2884
2885    # Display FULL debugging info.
2886    disp_full_debug
2887
2888    # Extra blank line to separate prompt lines from steps.
2889    ${ECHO} " "
2890}
2891
2892
2893######################################################################
2894# FUNCTIONS  FOR display_summary() START HERE.
2895######################################################################
2896
2897
2898#
2899# get_proxyagent(): Get the proxyagent DN.
2900#
2901get_proxyagent()
2902{
2903    LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}"  # default
2904    get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
2905    LDAP_PROXYAGENT=$ANS
2906}
2907
2908
2909#
2910# get_proxy_pw(): Get the proxyagent passwd.
2911#
2912get_proxy_pw()
2913{
2914    get_passwd "Enter passwd for proxyagent:"
2915    LDAP_PROXYAGENT_CRED=$ANS
2916}
2917
2918#
2919# display_summary(): Display a summary of values entered and let the
2920#                    user modify values at will.
2921#
2922display_summary()
2923{
2924    [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"
2925
2926    # Create lookup table for function names.  First entry is dummy for
2927    # shift.
2928    TBL1="dummy"
2929    TBL2="get_domain get_basedn get_profile_name"
2930    TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
2931    TBL4="get_auth get_followref"
2932    TBL5="get_timelimit get_sizelimit get_want_crypt"
2933    TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
2934    TBL7="get_srch_time get_prof_ttl get_bind_limit"
2935    TBL8="get_want_shadow_update"
2936    TBL9="prompt_ssd"
2937    FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9"
2938
2939    # Since menu prompt string is long, set here.
2940    _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)"
2941
2942    # Infinite loop.  Test for 0, and break in loop.
2943    while :
2944    do
2945	# Display menu and get value in range.
2946	display_msg summary_menu
2947	get_menu_choice "${_MENU_PROMPT}" "0" "20" "0"
2948	_CH=$MN_CH
2949
2950	# Make sure where not exiting.
2951	if [ $_CH -eq 0 ]; then
2952	    break       # Break out of loop if 0 selected.
2953	fi
2954
2955	# Call appropriate function from function table.
2956	set $FUNC_TBL
2957	shift $_CH
2958	$1          # Call the appropriate function.
2959    done
2960
2961    # If cred level is still see if user wants a change?
2962    if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
2963    then
2964	if [ "$LDAP_AUTHMETHOD" != "none" ]; then
2965	    NEED_PROXY=1    # I assume integer test is faster?
2966	    get_proxyagent
2967	    get_proxy_pw
2968	else
2969	    ${ECHO} "WARNING: Since Authentication method is 'none'."
2970	    ${ECHO} "         Credential level will be set to 'anonymous'."
2971	    LDAP_CRED_LEVEL="anonymous"
2972	fi
2973    fi
2974
2975    # If shadow update is enabled, set up administrator credential
2976    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then
2977	NEED_ADMIN=1
2978	if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then
2979	    if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then
2980		NEED_HOSTACL=1
2981		NEED_ADMIN=0
2982	    fi
2983	fi
2984        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
2985        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN   = $NEED_ADMIN"
2986	if [ $NEED_ADMIN -eq 1 ]; then
2987	    get_adminDN
2988	    get_admin_pw
2989	fi
2990    fi
2991
2992    # Display FULL debugging info.
2993    disp_full_debug
2994
2995    # Final confirmation message. (ARE YOU SURE!)
2996    ${ECHO} " "
2997    get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
2998    if [ $? -eq 0 ]; then
2999	${ECHO} "Terminating setup without making changes at users request."
3000	cleanup
3001	exit 1
3002    fi
3003
3004    # Print newline
3005    ${ECHO} " "
3006}
3007
3008
3009#
3010# create_config_file(): Write config data to config file specified.
3011#
3012create_config_file()
3013{
3014    [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"
3015
3016    # If output file exists, delete it.
3017    [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE
3018
3019    # Create output file.
3020    cat > $OUTPUT_FILE <<EOF
3021#!/bin/sh
3022# $OUTPUT_FILE - This file contains configuration information for
3023#                Native LDAP.  Use the idsconfig tool to load it.
3024#
3025# WARNING: This file was generated by idsconfig, and is intended to
3026#          be loaded by idsconfig as is.  DO NOT EDIT THIS FILE!
3027#
3028IDS_SERVER="$IDS_SERVER"
3029IDS_PORT=$IDS_PORT
3030IDS_TIMELIMIT=$IDS_TIMELIMIT
3031IDS_SIZELIMIT=$IDS_SIZELIMIT
3032LDAP_ROOTDN="$LDAP_ROOTDN"
3033LDAP_ROOTPWD=$LDAP_ROOTPWD
3034LDAP_DOMAIN="$LDAP_DOMAIN"
3035LDAP_SUFFIX="$LDAP_SUFFIX"
3036LDAP_KRB_REALM="$LDAP_KRB_REALM"
3037LDAP_GSSAPI_PROFILE="$LDAP_GSSAPI_PROFILE"
3038
3039# Internal program variables that need to be set.
3040NEED_PROXY=$NEED_PROXY
3041NEED_TIME=$NEED_TIME
3042NEED_SIZE=$NEED_SIZE
3043NEED_CRYPT=$NEED_CRYPT
3044NEED_ADMIN=$NEED_ADMIN
3045NEED_HOSTACL=$NEED_HOSTACL
3046EXISTING_PROFILE=$EXISTING_PROFILE
3047
3048# LDAP PROFILE related defaults
3049LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
3050DEL_OLD_PROFILE=1
3051LDAP_BASEDN="$LDAP_BASEDN"
3052LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
3053LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
3054LDAP_FOLLOWREF=$LDAP_FOLLOWREF
3055LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
3056NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
3057NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
3058NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
3059LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
3060LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
3061LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
3062LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
3063LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
3064LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
3065LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
3066LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT
3067
3068# Proxy Agent
3069LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
3070LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED
3071
3072# enableShadowUpdate flag and Administrator credential
3073LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE
3074LDAP_ADMINDN="$LDAP_ADMINDN"
3075LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED
3076
3077# Export all the variables (just in case)
3078export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
3079export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
3080export NEED_PROXY
3081export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
3082export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
3083export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 
3084export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
3085export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
3086export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
3087export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
3088export LDAP_SERV_SRCH_DES SSD_FILE LDAP_KRB_REALM LDAP_GSSAPI_PROFILE
3089
3090# Service Search Descriptors start here if present:
3091EOF
3092    # Add service search descriptors.
3093    ssd_2_config "${OUTPUT_FILE}"
3094
3095    # Add LDAP suffix preferences
3096    print_suffix_config >> "${OUTPUT_FILE}"
3097
3098    # Add the end of FILE tag.
3099    ${ECHO} "" >> ${OUTPUT_FILE}
3100    ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE}
3101}
3102
3103
3104#
3105# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
3106#
3107chk_vlv_indexes()
3108{
3109    # Do ldapsearch to see if server supports VLV.
3110    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
3111    eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"
3112    if [ $? -ne 0 ]; then
3113	${ECHO} "ERROR: VLV is not supported on LDAP server!"
3114	cleanup
3115	exit 1
3116    fi
3117    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV controls found on LDAP server."
3118}
3119
3120#
3121# get_backend(): this function gets the relevant backend
3122#                (database) for LDAP_BASED.
3123#                Description: set IDS_DATABASE; exit on failure.
3124#                Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are
3125#                valid.
3126#
3127#                backend is retrieved from suffixes and subsuffixes
3128#                defined under "cn=mapping tree,cn=config". The
3129#                nsslapd-state attribute of these suffixes entries
3130#                is filled with either Backend, Disabled or referrals
3131#                related values. We only want those that have a true
3132#                backend database to select the relevant backend.
3133#
3134get_backend()
3135{
3136    [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"
3137
3138    cur_suffix=${LDAP_BASEDN}
3139    prev_suffix=
3140    IDS_DATABASE=
3141    while [ "${cur_suffix}" != "${prev_suffix}" ]
3142    do
3143	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
3144	eval "${LDAPSEARCH} ${LDAP_ARGS} " \
3145		"-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
3146		"-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
3147		"| ${GREP} 'nsslapd-backend=' " \
3148		"> ${TMPDIR}/ids_database_name 2>&1"
3149	NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
3150	case ${NUM_DBS} in
3151	0) # not a suffix, or suffix not activated; try next
3152	    prev_suffix=${cur_suffix}
3153	    cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','`
3154	    ;;
3155	1) # suffix found; get database name
3156	    IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2`
3157	    ;;
3158	*) # can not handle more than one database per suffix
3159	    ${ECHO} "ERROR: More than one database is configured "
3160	    ${ECHO} "       for $LDAP_SUFFIX!"
3161	    ${ECHO} "       $PROG can not configure suffixes where "
3162	    ${ECHO} "       more than one database is used for one suffix."
3163	    cleanup
3164	    exit 1
3165	    ;;
3166	esac
3167	if [ -n "${IDS_DATABASE}" ]; then
3168	    break
3169	fi
3170    done
3171
3172    if [ -z "${IDS_DATABASE}" ]; then
3173	# should not happen, since LDAP_BASEDN is supposed to be valid
3174	${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
3175	${ECHO} "Exiting."
3176	cleanup
3177	exit 1
3178    fi
3179
3180    [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
3181}
3182
3183#
3184# validate_suffix(): This function validates ${LDAP_SUFFIX}
3185#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
3186#
3187validate_suffix()
3188{
3189    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"
3190
3191    # Check LDAP_SUFFIX is not null
3192    if [ -z "${LDAP_SUFFIX}" ]; then
3193	${ECHO} "Invalid suffix (null suffix)"
3194	cleanup
3195	exit 1
3196    fi
3197
3198    # Check LDAP_SUFFIX and LDAP_BASEDN are consistent
3199    # Convert to lower case for basename.
3200    format_string "${LDAP_BASEDN}"
3201    LOWER_BASEDN="${FMT_STR}"
3202    format_string "${LDAP_SUFFIX}"
3203    LOWER_SUFFIX="${FMT_STR}"
3204
3205    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
3206    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
3207
3208    if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
3209    	sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
3210    	if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
3211	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
3212	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
3213	    cleanup
3214	    exit 1
3215	fi
3216    fi
3217
3218    # Check LDAP_SUFFIX does exist
3219    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0
3220
3221    # Well, suffix does not exist, try to prepare create it ...
3222    NEED_CREATE_SUFFIX=1
3223    prep_create_sfx_entry ||
3224    {
3225	cleanup
3226	exit 1
3227    }
3228    [ -n "${NEED_CREATE_BACKEND}" ] &&
3229    {
3230	# try to use id attr value of the suffix as a database name
3231	IDS_DATABASE=${_VAL}
3232	prep_create_sfx_backend
3233	case $? in
3234	1)	# cann't use the name we want, so we can either exit or use
3235		# some another available name - doing the last ...
3236		IDS_DATABASE=${IDS_DATABASE_AVAIL}
3237		;;
3238	2)	# unable to determine database name
3239		cleanup
3240		exit 1
3241		;;
3242	esac
3243    }
3244
3245    [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE"
3246}
3247
3248#
3249# validate_info(): This function validates the basic info collected
3250#                  So that some problems are caught right away.
3251#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
3252#
3253validate_info()
3254{
3255    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"
3256
3257    # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
3258    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
3259    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
3260    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
3261    export SERVER_ARGS
3262
3263    # Check the Root DN and Root DN passwd.
3264    # Use eval instead of $EVAL because not part of setup. (validate)
3265    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
3266    if [ $? -ne 0 ]; then
3267	eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
3268	if [ $? -eq 0 ]; then
3269	    ${ECHO} "ERROR: Root DN passwd is invalid."
3270	else
3271	    ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>."
3272	fi
3273	cleanup
3274	exit 1
3275    fi
3276    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN ... OK"
3277    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN passwd ... OK"
3278
3279    # Check if the server supports the VLV.
3280    chk_vlv_indexes
3281    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV indexes ... OK"
3282
3283    # Check LDAP suffix
3284    validate_suffix
3285    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP suffix ... OK"
3286}
3287
3288#
3289# format_string(): take a string as argument and set FMT_STR
3290# to be the same string formatted as follow:
3291# - only lower case characters
3292# - no unnecessary spaces around , and =
3293#
3294format_string()
3295{
3296    FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' |
3297	sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`
3298}
3299
3300#
3301# prepare for the suffix entry creation
3302#
3303# input  : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix;
3304# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config.
3305# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created;
3306#          _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value.
3307# return : 0 - success, otherwise error.
3308#
3309prep_create_sfx_entry()
3310{
3311    [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()"
3312
3313    # check whether suffix corresponds to base dn
3314    format_string "${LDAP_BASEDN}"
3315    ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 ||
3316    {
3317	display_msg sfx_not_suitable
3318	return 1
3319    }
3320
3321    # parse LDAP_SUFFIX
3322    _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1`
3323    _ATT=`${ECHO} "${_RDN}" | cut -d= -f1`
3324    _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-`
3325
3326    # find out an objectclass for suffix entry if it is not defined yet
3327    [ -z "${LDAP_SUFFIX_OBJ}" ] &&
3328    {
3329	get_objectclass ${_ATT}
3330	[ -z "${_ATTR_NAME}" ] &&
3331	{
3332		display_msg obj_not_found
3333		return 1
3334	}
3335	LDAP_SUFFIX_OBJ=${_ATTR_NAME}
3336    }
3337    [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}"
3338
3339    # find out an aci for suffix entry if it is not defined yet
3340    [ -z "${LDAP_SUFFIX_ACI}" ] &&
3341    {
3342	# set Directory Server default aci
3343	LDAP_SUFFIX_ACI=`cat <<EOF
3344aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime
3345 || passwordExpWarned || passwordRetryCount || retryCountResetTime ||
3346 accountUnlockTime || passwordAllowChangeTime")
3347 (
3348   version 3.0;
3349   acl "Anonymous access";
3350   allow (read, search, compare) userdn = "ldap:///anyone";
3351 )
3352aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
3353 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
3354 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
3355 retryCountResetTime || accountUnlockTime || passwordHistory ||
3356 passwordAllowChangeTime")
3357 (
3358   version 3.0;
3359   acl "Allow self entry modification except for some attributes";
3360   allow (write) userdn = "ldap:///self";
3361 )
3362aci: (targetattr = "*")
3363 (
3364   version 3.0;
3365   acl "Configuration Administrator";
3366   allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
3367                         ou=TopologyManagement,o=NetscapeRoot";
3368 )
3369aci: (targetattr ="*")
3370 (
3371   version 3.0;
3372   acl "Configuration Administrators Group";
3373   allow (all) groupdn = "ldap:///cn=Configuration Administrators,
3374                          ou=Groups,ou=TopologyManagement,o=NetscapeRoot";
3375 )
3376EOF
3377`
3378    }
3379    [ $DEBUG -eq 1 ] && cat <<EOF
3380DEBUG: ACI for ${LDAP_SUFFIX} is
3381${LDAP_SUFFIX_ACI}
3382EOF
3383
3384    NEED_CREATE_BACKEND=
3385
3386    # check the suffix mapping tree ...
3387    # if mapping exists, suffix should work, otherwise DS inconsistent
3388    # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work
3389    #       in case of 'cn' value in LDAP is not quoted by '"',
3390    #       -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases
3391    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3392	-b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \
3393	-s base 'objectclass=*' dn ${VERB}" &&
3394    {
3395	[ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists"
3396	# get_backend() either gets IDS_DATABASE or exits
3397	get_backend
3398	return 0
3399    }
3400
3401    # no suffix mapping, just in case check ldbm backends consistency -
3402    # there are must be NO any databases pointing to LDAP_SUFFIX
3403    [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \
3404	-b 'cn=ldbm database,cn=plugins,cn=config' \
3405	-s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] &&
3406    {
3407	display_msg sfx_config_incons
3408	return 1
3409    }
3410
3411    # ok, no suffix mapping, no ldbm database
3412    [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..."
3413    NEED_CREATE_BACKEND=1
3414    return 0
3415}
3416
3417#
3418# prepare for the suffix backend creation
3419#
3420# input  : IDS_DATABASE - requested ldbm db name (must be not null)
3421# in/out : IDS_DATABASE_AVAIL - available ldbm db name
3422# return : 0 - ldbm db name ok
3423#          1 - IDS_DATABASE exists,
3424#              so IDS_DATABASE_AVAIL contains available name
3425#          2 - unable to find any available name
3426#
3427prep_create_sfx_backend()
3428{
3429    [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()"
3430
3431    # check if requested name available
3432    [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0
3433
3434    # get the list of database names start with a requested name
3435    _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3436	-b 'cn=ldbm database,cn=plugins,cn=config' \
3437	-s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null
3438
3439    # find available db name based on a requested name
3440    _i=""; _i_MAX=10
3441    while [ ${_i:-0} -lt ${_i_MAX} ]
3442    do
3443	_name="${IDS_DATABASE}${_i}"
3444	${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 ||
3445	{
3446		IDS_DATABASE_AVAIL="${_name}"
3447		break
3448	}
3449	_i=`expr ${_i:-0} + 1`
3450    done
3451
3452    [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0
3453
3454    [ -n "${IDS_DATABASE_AVAIL}" ] &&
3455    {
3456	display_msg ldbm_db_exist
3457	return 1
3458    }
3459
3460    display_msg unable_find_db_name
3461    return 2
3462}
3463
3464#
3465# add suffix if needed,
3466#     suffix entry and backend MUST be prepared by
3467#     prep_create_sfx_entry and prep_create_sfx_backend correspondingly
3468#
3469# input  : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL
3470#          LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE
3471# return : 0 - suffix successfully created, otherwise error occured
3472#
3473add_suffix()
3474{
3475    [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()"
3476
3477    [ -n "${NEED_CREATE_SUFFIX}" ] || return 0
3478
3479    [ -n "${NEED_CREATE_BACKEND}" ] &&
3480    {
3481	${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
3482dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config
3483objectclass: top
3484objectclass: extensibleObject
3485objectclass: nsMappingTree
3486cn: ${LDAP_SUFFIX}
3487nsslapd-state: backend
3488nsslapd-backend: ${IDS_DATABASE}
3489
3490dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config
3491objectclass: top
3492objectclass: extensibleObject
3493objectclass: nsBackendInstance
3494cn: ${IDS_DATABASE}
3495nsslapd-suffix: ${LDAP_SUFFIX}
3496EOF
3497	[ $? -ne 0 ] &&
3498	{
3499		display_msg create_ldbm_db_error
3500		return 1
3501	}
3502
3503	${ECHO} "  ${STEP}. Database ${IDS_DATABASE} successfully created"
3504	STEP=`expr $STEP + 1`
3505    }
3506
3507    ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
3508dn: ${LDAP_SUFFIX}
3509objectclass: ${LDAP_SUFFIX_OBJ}
3510${_ATT}: ${_VAL}
3511${LDAP_SUFFIX_ACI}
3512EOF
3513    [ $? -ne 0 ] &&
3514    {
3515	display_msg create_suffix_entry_error
3516	return 1
3517    }
3518
3519    ${ECHO} "  ${STEP}. Suffix ${LDAP_SUFFIX} successfully created"
3520    STEP=`expr $STEP + 1`
3521    return 0
3522}
3523
3524#
3525# interactively get suffix and related info from a user
3526#
3527# input  : LDAP_BASEDN - Base DN
3528# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value;
3529#          LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci;
3530#          NEED_CREATE_BACKEND - tells whether backend needs to be created;
3531#          IDS_DATABASE - prepared ldbm db name
3532# return : 0 - user gave a correct suffix
3533#          1 - suffix given by user cann't be created
3534#
3535get_suffix()
3536{
3537    [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()"
3538
3539    while :
3540    do
3541	get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN}
3542	case "${ANS}" in
3543	[Hh] | Help | help | \? ) display_msg create_suffix_help ;;
3544	[Bb] | Back | back | \< ) return 1 ;;
3545	* )
3546		format_string "${ANS}"
3547		LDAP_SUFFIX=${FMT_STR}
3548		prep_create_sfx_entry || continue
3549
3550		[ -n "${NEED_CREATE_BACKEND}" ] &&
3551		{
3552		    IDS_DATABASE_AVAIL= # reset the available db name
3553
3554		    reenter_suffix=
3555		    while :
3556		    do
3557			get_ans "Enter ldbm database name (b=back/h=help):" \
3558				${IDS_DATABASE_AVAIL:-${_VAL}}
3559			case "${ANS}" in
3560			[Hh] | \? ) display_msg enter_ldbm_db_help ;;
3561			[Bb] | \< ) reenter_suffix=1; break ;;
3562			* )
3563				IDS_DATABASE="${ANS}"
3564				prep_create_sfx_backend && break
3565			esac
3566		    done
3567		    [ -n "${reenter_suffix}" ] && continue
3568
3569		    [ $DEBUG -eq 1 ] && cat <<EOF
3570DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE}
3571EOF
3572		}
3573
3574		# eventually everything is prepared
3575		return 0
3576		;;
3577	esac
3578    done
3579}
3580
3581#
3582# print out a script which sets LDAP suffix related preferences
3583#
3584print_suffix_config()
3585{
3586    cat <<EOF2
3587# LDAP suffix related preferences used only if needed
3588IDS_DATABASE="${IDS_DATABASE}"
3589LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ"
3590LDAP_SUFFIX_ACI=\`cat <<EOF
3591${LDAP_SUFFIX_ACI}
3592EOF
3593\`
3594export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI
3595EOF2
3596}
3597
3598#
3599# check_basedn_suffix(): check that there is an existing
3600# valid suffix to hold current base DN
3601# return:
3602#   0: valid suffix found or new one should be created,
3603#      NEED_CREATE_SUFFIX flag actually indicates that
3604#   1: some error occures
3605#
3606check_basedn_suffix()
3607{
3608    [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"
3609
3610    NEED_CREATE_SUFFIX=
3611
3612    # find out existing suffixes
3613    discover_serv_suffix
3614
3615    ${ECHO} "  Validating LDAP Base DN and Suffix ..."
3616
3617    # check that LDAP Base DN might be added
3618    cur_ldap_entry=${LDAP_BASEDN}
3619    prev_ldap_entry=
3620    while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
3621    do
3622	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
3623	${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
3624		-s one "objectclass=*" > /dev/null 2>&1
3625	if [ $? -eq 0 ]; then
3626	    break
3627	else
3628	    prev_ldap_entry=${cur_ldap_entry}
3629	    cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
3630	fi
3631    done
3632
3633    if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
3634	${ECHO} "  No valid suffixes were found for Base DN ${LDAP_BASEDN}"
3635
3636	NEED_CREATE_SUFFIX=1
3637	return 0
3638
3639    else
3640	[ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"
3641
3642	# Now looking for relevant suffix for this entry.
3643	# LDAP_SUFFIX will then be used to add necessary
3644	# base objects. See add_base_objects().
3645	format_string "${cur_ldap_entry}"
3646	lower_entry="${FMT_STR}"
3647	[ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
3648	oIFS=$IFS
3649	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
3650	IFS='
3651'
3652	for suff in ${LDAP_SUFFIX_LIST}
3653	do
3654	    [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
3655	    format_string "${suff}"
3656	    lower_suff="${FMT_STR}"
3657	    if [ "${lower_entry}" = "${lower_suff}" ]; then
3658		LDAP_SUFFIX="${suff}"
3659		break
3660	    else
3661		dcstmp=`basename "${lower_entry}" "${lower_suff}"`
3662		if [ "${dcstmp}" = "${lower_entry}" ]; then
3663		    # invalid suffix, try next one
3664		    continue
3665		else
3666		    # valid suffix found
3667		    LDAP_SUFFIX="${suff}"
3668		    break
3669		fi
3670	    fi
3671	done
3672	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
3673	IFS=$oIFS
3674
3675	[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"
3676
3677	if [ -z "${LDAP_SUFFIX}" ]; then
3678	    # should not happen, since we found the entry
3679	    ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
3680	    ${ECHO} "Exiting."
3681	    return 1
3682	fi
3683
3684	# Getting relevant database (backend)
3685	# IDS_DATABASE will then be used to create indexes.
3686	get_backend
3687
3688	return 0
3689    fi
3690}
3691
3692#
3693# discover_serv_suffix(): This function queries the server to find
3694#    suffixes available
3695#  return: 0: OK, suffix found
3696#          1: suffix not determined
3697discover_serv_suffix()
3698{
3699    [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"
3700
3701    # Search the server for the TOP of the TREE.
3702    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
3703    ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
3704	${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
3705    NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
3706    case $NUM_TOP in
3707	0)
3708	    [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree"
3709	    return 1
3710	    ;;
3711	*)  # build the list of suffixes; take out 'namingContexts=' in
3712	    # each line of ${TMPDIR}/treeTOP
3713	    LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
3714		awk '{ printf("%s\n",substr($0,16,length-15)) }'`
3715	    ;;
3716    esac
3717
3718    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
3719    return 0
3720}
3721
3722
3723#
3724# modify_cn(): Change the cn from MUST to MAY in ipNetwork.
3725#
3726modify_cn()
3727{
3728    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"
3729
3730    ( cat <<EOF
3731dn: cn=schema
3732changetype: modify
3733add: objectclasses
3734objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' )
3735EOF
3736) > ${TMPDIR}/ipNetwork_cn
3737
3738    # Modify the cn for ipNetwork.
3739    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
3740    if [ $? -ne 0 ]; then
3741	${ECHO} "  ERROR: update of cn for ipNetwork failed!"
3742	cleanup
3743	exit 1
3744    fi
3745}
3746
3747
3748# modify_timelimit(): Modify timelimit to user value.
3749modify_timelimit()
3750{
3751    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"
3752
3753    # Here doc to modify timelimit.
3754    ( cat <<EOF
3755dn: cn=config
3756changetype: modify
3757replace: nsslapd-timelimit
3758nsslapd-timelimit: ${IDS_TIMELIMIT}
3759EOF
3760) > ${TMPDIR}/ids_timelimit
3761
3762    # Add the entry.
3763    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
3764    if [ $? -ne 0 ]; then
3765	${ECHO} "  ERROR: update of nsslapd-timelimit failed!"
3766	cleanup
3767	exit 1
3768    fi
3769
3770    # Display messages for modifications made in patch.
3771    ${ECHO} "  ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
3772    STEP=`expr $STEP + 1`
3773}
3774
3775
3776# modify_sizelimit(): Modify sizelimit to user value.
3777modify_sizelimit()
3778{
3779    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"
3780
3781    # Here doc to modify sizelimit.
3782    ( cat <<EOF
3783dn: cn=config
3784changetype: modify
3785replace: nsslapd-sizelimit
3786nsslapd-sizelimit: ${IDS_SIZELIMIT}
3787EOF
3788) > ${TMPDIR}/ids_sizelimit
3789
3790    # Add the entry.
3791    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
3792    if [ $? -ne 0 ]; then
3793	${ECHO} "  ERROR: update of nsslapd-sizelimit failed!"
3794	cleanup
3795	exit 1
3796    fi
3797
3798    # Display messages for modifications made in patch.
3799    ${ECHO} "  ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
3800    STEP=`expr $STEP + 1`
3801}
3802
3803
3804# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
3805modify_pwd_crypt()
3806{
3807    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"
3808
3809    # Here doc to modify passwordstoragescheme.
3810    # IDS 5.2 moved passwordchangesceme off to a new data structure.
3811    if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
3812	( cat <<EOF
3813dn: cn=config
3814changetype: modify
3815replace: passwordstoragescheme
3816passwordstoragescheme: crypt
3817EOF
3818	) > ${TMPDIR}/ids_crypt
3819    else
3820	( cat <<EOF
3821dn: cn=Password Policy,cn=config
3822changetype: modify
3823replace: passwordstoragescheme
3824passwordstoragescheme: crypt
3825EOF
3826	) > ${TMPDIR}/ids_crypt
3827    fi
3828
3829    # Add the entry.
3830    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
3831    if [ $? -ne 0 ]; then
3832	${ECHO} "  ERROR: update of passwordstoragescheme failed!"
3833	cleanup
3834	exit 1
3835    fi
3836
3837    # Display messages for modifications made in patch.
3838    ${ECHO} "  ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
3839    STEP=`expr $STEP + 1`
3840}
3841
3842
3843#
3844# add_eq_indexes(): Add indexes to improve search performance.
3845#
3846add_eq_indexes()
3847{
3848    [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"
3849
3850    # Set eq indexes to add.
3851    _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"
3852
3853    if [ -z "${IDS_DATABASE}" ]; then
3854	get_backend
3855    fi
3856
3857    # Set _EXT to use as shortcut.
3858    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3859
3860    # Display message to id current step.
3861    ${ECHO} "  ${STEP}. Processing eq,pres indexes:"
3862    STEP=`expr $STEP + 1`
3863
3864    # For loop to create indexes.
3865    for i in ${_INDEXES}; do
3866	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
3867
3868	# Check if entry exists first, if so, skip to next.
3869	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \
3870	    \"objectclass=*\" > /dev/null 2>&1"
3871	if [ $? -eq 0 ]; then
3872	    # Display index skipped.
3873	    ${ECHO} "      ${i} (eq,pres) skipped already exists"
3874	    continue
3875	fi
3876
3877	# Here doc to create LDIF.
3878	( cat <<EOF
3879dn: cn=${i},${_EXT}
3880objectClass: top
3881objectClass: nsIndex
3882cn: ${i}
3883nsSystemIndex: false
3884nsIndexType: pres
3885nsIndexType: eq
3886EOF
3887) > ${TMPDIR}/index_${i}
3888
3889	# Add the index.
3890	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
3891	if [ $? -ne 0 ]; then
3892	    ${ECHO} "  ERROR: Adding EQ,PRES index for ${i} failed!"
3893	    cleanup
3894	    exit 1
3895	fi
3896
3897	# Build date for task name.
3898	_YR=`date '+%y'`
3899	_MN=`date '+%m'`
3900	_DY=`date '+%d'`
3901	_H=`date '+%H'`
3902	_M=`date '+%M'`
3903	_S=`date '+%S'`
3904
3905	# Build task name
3906	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
3907
3908	# Build the task entry to add.
3909	( cat <<EOF
3910dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
3911changetype: add
3912objectclass: top
3913objectclass: extensibleObject
3914cn: ${TASKNAME}
3915nsInstance: ${IDS_DATABASE}
3916nsIndexAttribute: ${i}
3917EOF
3918) > ${TMPDIR}/task_${i}
3919
3920	# Add the task.
3921	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
3922	if [ $? -ne 0 ]; then
3923	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
3924	    cleanup
3925	    exit 1
3926	fi
3927
3928	# Wait for task to finish, display current status.
3929	while :
3930	do
3931	    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3932	        -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
3933	        \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
3934	    ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
3935	    if [ $? -ne 0 ]; then
3936		break
3937	    fi
3938	    TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
3939	        head -1 | cut -d: -f2`
3940	    ${ECHO} "      ${i} (eq,pres)  $TASK_STATUS                  \r\c"
3941	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
3942	    if [ $? -eq 0 ]; then
3943		break
3944	    fi
3945	    sleep 2
3946	done
3947
3948	# Print newline because of \c.
3949	${ECHO} " "
3950    done
3951}
3952
3953
3954#
3955# add_sub_indexes(): Add indexes to improve search performance.
3956#
3957add_sub_indexes()
3958{
3959    [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"
3960
3961    # Set eq indexes to add.
3962    _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"
3963
3964    # Set _EXT to use as shortcut.
3965    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3966
3967
3968    # Display message to id current step.
3969    ${ECHO} "  ${STEP}. Processing eq,pres,sub indexes:"
3970    STEP=`expr $STEP + 1`
3971
3972    # For loop to create indexes.
3973    for i in ${_INDEXES}; do
3974	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
3975
3976	# Check if entry exists first, if so, skip to next.
3977	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \
3978	    -s base \"objectclass=*\" > /dev/null 2>&1"
3979	if [ $? -eq 0 ]; then
3980	    # Display index skipped.
3981	    ${ECHO} "      ${i} (eq,pres,sub) skipped already exists"
3982	    continue
3983	fi
3984
3985	# Here doc to create LDIF.
3986	( cat <<EOF
3987dn: cn=${i},${_EXT}
3988objectClass: top
3989objectClass: nsIndex
3990cn: ${i}
3991nsSystemIndex: false
3992nsIndexType: pres
3993nsIndexType: eq
3994nsIndexType: sub
3995EOF
3996) > ${TMPDIR}/index_${i}
3997
3998	# Add the index.
3999	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
4000	if [ $? -ne 0 ]; then
4001	    ${ECHO} "  ERROR: Adding EQ,PRES,SUB index for ${i} failed!"
4002	    cleanup
4003	    exit 1
4004	fi
4005
4006	# Build date for task name.
4007	_YR=`date '+%y'`
4008	_MN=`date '+%m'`
4009	_DY=`date '+%d'`
4010	_H=`date '+%H'`
4011	_M=`date '+%M'`
4012	_S=`date '+%S'`
4013
4014	# Build task name
4015	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
4016
4017	# Build the task entry to add.
4018	( cat <<EOF
4019dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
4020changetype: add
4021objectclass: top
4022objectclass: extensibleObject
4023cn: ${TASKNAME}
4024nsInstance: ${IDS_DATABASE}
4025nsIndexAttribute: ${i}
4026EOF
4027) > ${TMPDIR}/task_${i}
4028
4029	# Add the task.
4030	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
4031	if [ $? -ne 0 ]; then
4032	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
4033	    cleanup
4034	    exit 1
4035	fi
4036
4037	# Wait for task to finish, display current status.
4038	while :
4039	do
4040	    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
4041	        -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
4042	        \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
4043	    ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
4044	    if [ $? -ne 0 ]; then
4045		break
4046	    fi
4047	    TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
4048	        head -1 | cut -d: -f2`
4049	    ${ECHO} "      ${i} (eq,pres,sub)  $TASK_STATUS                  \r\c"
4050	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
4051	    if [ $? -eq 0 ]; then
4052		break
4053	    fi
4054	    sleep 2
4055	done
4056
4057	# Print newline because of \c.
4058	${ECHO} " "
4059    done
4060}
4061
4062
4063#
4064# add_vlv_indexes(): Add VLV indexes to improve search performance.
4065#
4066add_vlv_indexes()
4067{
4068    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()"
4069
4070    # Set eq indexes to add.
4071    # Note semi colon separators because some filters contain colons
4072    _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup"
4073    _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost"
4074    _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork"
4075    _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount"
4076    _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc"
4077    _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount"
4078
4079    # Indexes added during NIS to LDAP transition
4080    _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount"
4081    _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr"
4082    _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser"
4083    _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr"
4084    _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)"
4085    _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)"
4086    _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup"
4087    _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)"
4088    _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)"
4089    _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup"
4090    _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)"
4091    _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)"
4092    _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService"
4093    _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)"
4094    _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)"
4095
4096    _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 "
4097
4098
4099    # Set _EXT to use as shortcut.
4100    _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
4101
4102
4103    # Display message to id current step.
4104    ${ECHO} "  ${STEP}. Processing VLV indexes:"
4105    STEP=`expr $STEP + 1`
4106
4107    # Reset temp file for vlvindex commands.
4108    [ -f ${TMPDIR}/ds5_vlvindex_list ] &&  rm ${TMPDIR}/ds5_vlvindex_list
4109    touch ${TMPDIR}/ds5_vlvindex_list
4110    [ -f ${TMPDIR}/ds6_vlvindex_list ] &&  rm ${TMPDIR}/ds6_vlvindex_list
4111    touch ${TMPDIR}/ds6_vlvindex_list
4112
4113    # Get the instance name from iDS server.
4114    _INSTANCE="<server-instance>"    # Default to old output.
4115
4116    eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1"
4117
4118    ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right?
4119    if [ $? -eq 0 ]; then # If success, grab name after "slapd-".
4120	_INST_DIR=`cat ${TMPDIR}/instance_name`
4121	_INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-`
4122    fi
4123
4124    # For loop to create indexes.
4125    for p in ${_INDEXES}; do
4126	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
4127
4128	# Break p (pair) into i and j parts.
4129        i=`${ECHO} $p | cut -d';' -f1`
4130        j=`${ECHO} $p | cut -d';' -f2`
4131        k=`${ECHO} $p | cut -d';' -f3`
4132        m=`${ECHO} $p | cut -d';' -f4`
4133
4134	# Set _jEXT to use as shortcut.
4135	_jEXT="cn=${j},${_EXT}"
4136
4137	# Check if entry exists first, if so, skip to next.
4138	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1
4139	if [ $? -eq 0 ]; then
4140	    # Display index skipped.
4141	    ${ECHO} "      ${i} vlv_index skipped already exists"
4142	    continue
4143	fi
4144
4145	# Compute the VLV Scope from the LDAP_SEARCH_SCOPE.
4146	# NOTE: A value of "base (0)" does not make sense.
4147        case "$LDAP_SEARCH_SCOPE" in
4148            sub) VLV_SCOPE="2" ;;
4149            *)   VLV_SCOPE="1" ;;
4150        esac
4151
4152	# Here doc to create LDIF.
4153	( cat <<EOF
4154dn: ${_jEXT}
4155objectClass: top
4156objectClass: vlvSearch
4157cn: ${j}
4158vlvbase: ${k},${LDAP_BASEDN}
4159vlvscope: ${VLV_SCOPE}
4160vlvfilter: (${m})
4161aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
4162
4163dn: cn=${i},${_jEXT}
4164cn: ${i}
4165vlvSort: cn uid
4166objectclass: top
4167objectclass: vlvIndex
4168EOF
4169) > ${TMPDIR}/vlv_index_${i}
4170
4171	# Add the index.
4172	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
4173	if [ $? -ne 0 ]; then
4174	    ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
4175	    cleanup
4176	    exit 1
4177	fi
4178
4179	# Print message that index was created.
4180	${ECHO} "      ${i} vlv_index   Entry created"
4181
4182	# Add command to list of vlvindex commands to run.
4183	${ECHO} "  directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list
4184	${ECHO} "  <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list
4185    done
4186}
4187
4188
4189#
4190# display_vlv_cmds(): Display VLV index commands to run on server.
4191#
4192display_vlv_cmds()
4193{
4194    if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \
4195	 -s "${TMPDIR}/ds6_vlvindex_list" ]; then
4196	display_msg display_vlv_list
4197    fi
4198
4199    if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then
4200	cat ${TMPDIR}/ds5_vlvindex_list
4201    fi
4202
4203    cat << EOF
4204
4205
4206EOF
4207
4208    if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then
4209	cat ${TMPDIR}/ds6_vlvindex_list
4210    fi
4211}
4212
4213#
4214# keep_backward_compatibility(): Modify schema for the backward compatibility if
4215# there are the incompatible attributes already
4216#
4217keep_backward_compatibility()
4218{
4219    ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \
4220        \"objectclass=*\" attributeTypes | ${GREP} -i memberGid-oid ${VERB}"
4221    if [ $? -eq 0 ]; then
4222        ${SED} -e 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.5\.1\.30\ /memberGid-oid\ /' \
4223            ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new
4224        ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr
4225    fi
4226
4227    ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \
4228        \"objectclass=*\" attributeTypes | ${GREP} -i rfc822mailMember-oid \
4229        ${VERB}"
4230    if [ $? -eq 0 ]; then
4231        ${SED} -e \
4232            's/1\.3\.6\.1\.4\.1\.42\.2\.27\.2\.1\.15\ /rfc822mailMember-oid\ /' \
4233            ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new
4234        ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr
4235    fi
4236}
4237
4238#
4239# update_schema_attr(): Update Schema to support Naming.
4240#
4241update_schema_attr()
4242{
4243    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()"
4244
4245    ( cat <<EOF
4246dn: cn=schema
4247changetype: modify
4248add: attributetypes
4249attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4250attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4251attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4252attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4253attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4254attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4255attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4256attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4257attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4258attributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4259attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4260attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4261attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4262attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4263attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4264attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4265attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4266attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4267attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4268attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4269attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4270attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4271attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4272attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4273attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4274attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4275attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4276attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4277attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4278attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4279attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4280attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4281attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4282attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4283attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4284attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4285attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4286attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4287attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4288attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4289attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4290attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4291attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4292attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4293attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4294attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4295attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4296attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4297attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4298attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4299attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4300attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4301attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4302attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4303attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4304attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4305attributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer.  This URI SHOULD be used as a relative distinguished name (RDN).  If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4306attributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer.  Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4307attributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4308attributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer.  Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer.  Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4309attributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4310attributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer.  This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4311attributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer.  For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser.  The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4312attributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device.  The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4313attributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4314attributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4315attributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer.  Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag.  For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized.  This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE )
4316attributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
4317attributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry.  For example: "en-us" (US English) or "fr-fr" (French in France).  Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
4318attributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer.  Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4319attributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4320attributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer.  For example: "deflate, gzip".  Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4321attributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4322attributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4323attributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4324attributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4.  Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
4325attributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer.  Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4326attributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer.  For example: "iso-a4",  "envelope", or "na-letter-white".  Legal values  conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4327attributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured".  For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4328attributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer.  Each resolution value is a string with 3 fields:  1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit.  Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter).  Each resolution field is delimited by ">".  For example:  "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4329attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer.  For example: "draft, normal".  Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4330attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported.  An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity".  Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4331attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4332attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4333attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer.  It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4334attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer.  It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4335attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer.  Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4336attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4337attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4338attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4339attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4340attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4341attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4342attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4343attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4344EOF
4345) > ${TMPDIR}/schema_attr
4346
4347    keep_backward_compatibility
4348
4349    # Add the entry.
4350    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}"
4351    if [ $? -ne 0 ]; then
4352	${ECHO} "  ERROR: update of schema attributes failed!"
4353	cleanup
4354	exit 1
4355    fi
4356
4357    # Display message that schema is updated.
4358    ${ECHO} "  ${STEP}. Schema attributes have been updated."
4359    STEP=`expr $STEP + 1`
4360}
4361
4362
4363#
4364# update_schema_obj(): Update the schema objectclass definitions.
4365#
4366update_schema_obj()
4367{
4368    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()"
4369
4370    # Add the objectclass definitions.
4371    ( cat <<EOF
4372dn: cn=schema
4373changetype: modify
4374add: objectclasses
4375objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
4376
4377dn: cn=schema
4378changetype: modify
4379add: objectclasses
4380objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain )
4381
4382dn: cn=schema
4383changetype: modify
4384add: objectclasses
4385objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description )
4386
4387dn: cn=schema
4388changetype: modify
4389add: objectclasses
4390objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description )
4391
4392dn: cn=schema
4393changetype: modify
4394add: objectclasses
4395objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) )
4396
4397dn: cn=schema
4398changetype: modify
4399add: objectclasses
4400objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) )
4401
4402dn: cn=schema
4403changetype: modify
4404add: objectclasses
4405objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember )
4406
4407dn: cn=schema
4408changetype: modify
4409add: objectclasses
4410objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
4411
4412dn: cn=schema
4413changetype: modify
4414add: objectclasses
4415objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) )
4416
4417dn: cn=schema
4418changetype: modify
4419add: objectclasses
4420objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) )
4421
4422dn: cn=schema
4423changetype: modify
4424add: objectclasses
4425objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
4426
4427dn: cn=schema
4428changetype: modify
4429add: objectclasses
4430objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
4431
4432dn: cn=schema
4433changetype: modify
4434add: objectclasses
4435objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) )
4436
4437dn: cn=schema
4438changetype: modify
4439add: objectclasses
4440objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) )
4441
4442dn: cn=schema
4443changetype: modify
4444add: objectclasses
4445objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
4446
4447dn: cn=schema
4448changetype: modify
4449add: objectclasses
4450objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass )
4451
4452dn: cn=schema
4453changetype: modify
4454add: objectclasses
4455objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY )
4456
4457dn: cn=schema
4458changetype: modify
4459add: objectclasses
4460objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) )
4461
4462dn: cn=schema
4463changetype: modify
4464add: objectclasses
4465objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) )
4466
4467dn: cn=schema
4468changetype: modify
4469add: objectclasses
4470objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) )
4471
4472dn: cn=schema
4473changetype: modify
4474add: objectclasses
4475objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) )
4476
4477dn: cn=schema
4478changetype: modify
4479add: objectclasses
4480objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases )
4481
4482dn: cn=schema
4483changetype: modify
4484add: objectclasses
4485objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) )
4486
4487dn: cn=schema
4488changetype: modify
4489add: objectclasses
4490objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) )
4491
4492dn: cn=schema
4493changetype: modify
4494add: objectclasses
4495objectclasses:  ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue )
4496
4497dn: cn=schema
4498changetype: modify
4499add: objectclasses
4500objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber )
4501EOF
4502) > ${TMPDIR}/schema_obj
4503
4504    # Add the entry.
4505    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}"
4506    if [ $? -ne 0 ]; then
4507	${ECHO} "  ERROR: update of schema objectclass definitions failed!"
4508	cleanup
4509	exit 1
4510    fi
4511
4512    # Display message that schema is updated.
4513    ${ECHO} "  ${STEP}. Schema objectclass definitions have been added."
4514    STEP=`expr $STEP + 1`
4515}
4516
4517#
4518# modify_top_aci(): Modify the ACI for the top entry to disable self modify
4519#                   of user attributes.
4520#
4521modify_top_aci()
4522{
4523    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()"
4524
4525    # Set ACI Name
4526    ACI_NAME="LDAP_Naming_Services_deny_write_access"
4527
4528    # Search for ACI_NAME
4529    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1"
4530    if [ $? -ne 0 ]; then
4531	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4532	cat ${TMPDIR}/chk_top_aci
4533	cleanup
4534	exit 1
4535    fi
4536    ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1
4537    if [ $? -eq 0 ]; then
4538	${ECHO} "  ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}."
4539	STEP=`expr $STEP + 1`
4540	return 0
4541    fi
4542
4543    # Crate LDIF for top level ACI.
4544    ( cat <<EOF
4545dn: ${LDAP_BASEDN}
4546changetype: modify
4547add: aci
4548aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAuditAlways||SolarisAuditNever||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";)
4549-
4550EOF
4551) > ${TMPDIR}/top_aci
4552
4553    # Add the entry.
4554    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}"
4555    if [ $? -ne 0 ]; then
4556	${ECHO} "  ERROR: Modify of top level ACI failed! (restricts self modify)"
4557	cleanup
4558	exit 1
4559    fi
4560
4561    # Display message that ACI is updated.
4562    MSG="ACI for ${LDAP_BASEDN} modified to disable self modify."
4563    if [ $EXISTING_PROFILE -eq 1 ];then
4564	${ECHO} "  ACI SET: $MSG"
4565    else
4566	${ECHO} "  ${STEP}. $MSG"
4567	STEP=`expr $STEP + 1`
4568    fi
4569}
4570
4571#
4572# find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1.
4573# Delete the ACI and print a message using $3 as the ACI name. $3 is needed
4574# because it could have a different value than that of $1.
4575find_and_delete_ACI()
4576{
4577    [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI"
4578
4579    # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN}
4580    ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1
4581    if [ -s ${TMPDIR}/grep_find_delete_aci ]; then
4582	aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci`
4583
4584	# Create the tmp file to delete the ACI.
4585	( cat <<EOF
4586dn: ${LDAP_BASEDN}
4587changetype: modify
4588delete: aci
4589aci: ${aci_to_delete}
4590EOF
4591	) > ${TMPDIR}/find_delete_aci
4592
4593	# Delete the ACI
4594	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}"
4595	if [ $? -ne 0 ]; then
4596	    ${ECHO} "  ERROR: Remove of $3 ACI failed!"
4597	    cleanup
4598	    exit 1
4599	fi
4600
4601	${RM} -f ${TMPDIR}/find_delete_aci
4602	# Display message that an ACL is deleted.
4603	MSG="ACI $3 deleted."
4604	if [ $EXISTING_PROFILE -eq 1 ]; then
4605	    ${ECHO} "  ACI DELETED: $MSG"
4606	else
4607	    ${ECHO} "  ${STEP}. $MSG"
4608	    STEP=`expr $STEP + 1`
4609	fi
4610    fi
4611}
4612
4613#
4614# Add an ACI to deny non-admin access to shadow data when
4615# shadow update is enabled.
4616#
4617deny_non_admin_shadow_access()
4618{
4619    [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()"
4620
4621    # Set ACI Names
4622    ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access"
4623    ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access"
4624
4625    # Search for ACI_TO_ADD
4626    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1"
4627    if [ $? -ne 0 ]; then
4628	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4629	cleanup
4630	exit 1
4631    fi
4632
4633    # If an ACI with ${ACI_TO_ADD} already exists, we are done.
4634    ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null
4635    if [ $? -eq 0 ]; then
4636	MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
4637	if [ $EXISTING_PROFILE -eq 1 ]; then
4638	    ${ECHO} "  NOT SET: $MSG"
4639	else
4640	    ${ECHO} "  ${STEP}. $MSG"
4641	    STEP=`expr $STEP + 1`
4642	fi
4643	return 0
4644    fi
4645
4646    # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
4647    # should be mutually exclusive, so if the latter exists, delete it.
4648    find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL}
4649
4650    # Create the tmp file to add.
4651    ( cat <<EOF
4652dn: ${LDAP_BASEDN}
4653changetype: modify
4654add: aci
4655aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
4656 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
4657 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
4658 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";)
4659EOF
4660) > ${TMPDIR}/non_admin_aci_write
4661
4662    # Add the entry.
4663    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}"
4664    if [ $? -ne 0 ]; then
4665	${ECHO} "  ERROR: Adding ACI ${ACI_TO_ADD} failed!"
4666	${CAT} ${TMPDIR}/non_admin_aci_write
4667	cleanup
4668	exit 1
4669    fi
4670
4671    ${RM} -f ${TMPDIR}/non_admin_aci_write
4672    # Display message that the non-admin access to shadow data is denied.
4673    MSG="Non-Admin access to shadow data denied."
4674    if [ $EXISTING_PROFILE -eq 1 ]; then
4675	${ECHO} "  ACI SET: $MSG"
4676    else
4677	${ECHO} "  ${STEP}. $MSG"
4678	STEP=`expr $STEP + 1`
4679    fi
4680}
4681
4682#
4683# Add an ACI to deny non-host access to shadow data when
4684# shadow update is enabled and auth Method if gssapi.
4685#
4686deny_non_host_shadow_access()
4687{
4688    [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()"
4689
4690    # Set ACI Names
4691    ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access"
4692    ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access"
4693
4694    # Search for ACI_TO_ADD
4695    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1"
4696    if [ $? -ne 0 ]; then
4697	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4698	cleanup
4699	exit 1
4700    fi
4701
4702    # If an ACI with ${ACI_TO_ADD} already exists, we are done.
4703    ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null
4704    if [ $? -eq 0 ]; then
4705	MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
4706	if [ $EXISTING_PROFILE -eq 1 ]; then
4707	    ${ECHO} "  NOT SET: $MSG"
4708	else
4709	    ${ECHO} "  ${STEP}. $MSG"
4710	    STEP=`expr $STEP + 1`
4711	fi
4712	return 0
4713    fi
4714
4715    # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
4716    # should be mutually exclusive, so if the former exists, delete it.
4717    find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL}
4718
4719    # Create the tmp file to add.
4720    ( cat <<EOF
4721dn: ${LDAP_BASEDN}
4722changetype: modify
4723add: aci
4724aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
4725 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
4726 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
4727  deny (write,read,search,compare)
4728  userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
4729EOF
4730) > ${TMPDIR}/non_host_aci_write
4731
4732    # Add the entry.
4733    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}"
4734    if [ $? -ne 0 ]; then
4735	${ECHO} "  ERROR: Adding ACI ${ACI_TO_ADD} failed!"
4736	${CAT} ${TMPDIR}/non_host_aci_write
4737	cleanup
4738	exit 1
4739    fi
4740
4741    ${RM} -f ${TMPDIR}/non_host_aci_write
4742    # Display message that the non-host access to shadow data is denied.
4743    MSG="Non-host access to shadow data is denied."
4744    if [ $EXISTING_PROFILE -eq 1 ]; then
4745	${ECHO} "  ACI SET: $MSG"
4746    else
4747	${ECHO} "  ${STEP}. $MSG"
4748	STEP=`expr $STEP + 1`
4749    fi
4750}
4751
4752#
4753# add_vlv_aci(): Add access control information (aci) for VLV.
4754#
4755add_vlv_aci()
4756{
4757    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"
4758
4759    # Add the VLV ACI.
4760    ( cat <<EOF
4761dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
4762changetype: modify
4763replace: aci
4764aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
4765EOF
4766) > ${TMPDIR}/vlv_aci
4767
4768    # Add the entry.
4769    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
4770    if [ $? -ne 0 ]; then
4771	${ECHO} "  ERROR: Add of VLV ACI failed!"
4772	cleanup
4773	exit 1
4774    fi
4775
4776    # Display message that schema is updated.
4777    ${ECHO} "  ${STEP}. Add of VLV Access Control Information (ACI)."
4778    STEP=`expr $STEP + 1`
4779}
4780
4781
4782#
4783# set_nisdomain(): Add the NisDomainObject to the Base DN.
4784#
4785set_nisdomain()
4786{
4787    [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()"
4788
4789    # Check if nisDomain is already set.
4790    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \
4791	\"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1
4792    ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}"
4793    if [ $? -eq 0 ]; then
4794	${ECHO} "  ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set."
4795	STEP=`expr $STEP + 1`
4796	return 0
4797    fi
4798
4799    # Add the new top level containers.
4800    ( cat <<EOF
4801dn: ${LDAP_BASEDN}
4802changetype: modify
4803objectclass: nisDomainObject
4804nisdomain: ${LDAP_DOMAIN}
4805EOF
4806) > ${TMPDIR}/nis_domain
4807
4808    # Add the entry.
4809    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}"
4810    if [ $? -ne 0 ]; then
4811	${ECHO} "  ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed."
4812	cleanup
4813	exit 1
4814    fi
4815
4816    # Display message that schema is updated.
4817    ${ECHO} "  ${STEP}. NisDomainObject added to ${LDAP_BASEDN}."
4818    STEP=`expr $STEP + 1`
4819}
4820
4821
4822#
4823# check_attrName(): Check that the attribute name is valid.
4824#              $1   Key to check.
4825#         Returns   0 : valid name	1 : invalid name
4826#
4827check_attrName()
4828{
4829    [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()"
4830    [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1"
4831
4832    ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1
4833    if [ $? -eq 0 ]; then
4834	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
4835			attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}"
4836    else
4837	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
4838			attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}"
4839    fi
4840
4841    if [ $? -ne 0 ]; then
4842	return 1
4843    else
4844	return 0
4845    fi
4846}
4847
4848
4849#
4850# get_objectclass():   Determine the objectclass for the given attribute name
4851#              $1   Attribute name to check.
4852#      _ATTR_NAME   Return value, Object Name or NULL if unknown to idsconfig.
4853#
4854#      NOTE: An attribute name can be valid but still we might not be able
4855#            to determine the objectclass from the table.
4856#            In such cases, the user needs to create the necessary object(s).
4857#
4858get_objectclass()
4859{
4860    [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()"
4861    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1"
4862
4863    # Set return value to NULL string.
4864    _ATTR_NAME=""
4865
4866    # Test key for type:
4867    case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in
4868	ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;;
4869	dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;;
4870	 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;;
4871	 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;;
4872	 *)  _ATTR_NAME="" ;;
4873    esac
4874
4875    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME"
4876}
4877
4878
4879#
4880# add_base_objects(): Add any necessary base objects.
4881#
4882add_base_objects()
4883{
4884    [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()"
4885
4886    # Convert to lower case for basename.
4887    format_string "${LDAP_BASEDN}"
4888    LOWER_BASEDN="${FMT_STR}"
4889    format_string "${LDAP_SUFFIX}"
4890    LOWER_SUFFIX="${FMT_STR}"
4891
4892    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
4893    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
4894
4895    # Create additional components.
4896    if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then
4897	[ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent"
4898    else
4899	# first, test that the suffix is valid
4900	dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
4901	if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then
4902	    # should not happen since check_basedn_suffix() succeeded
4903	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
4904	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
4905	    cleanup
4906	    exit 1
4907	fi
4908	# OK, suffix is valid, start working with LDAP_BASEDN
4909	# field separator is ',' (i.e., space is a valid character)
4910	dcstmp2="`${ECHO} ${LDAP_BASEDN} |
4911		sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`"
4912	dcs=""
4913	# use dcstmp to count the loop, and dcstmp2 to get the correct
4914	# string case
4915	# dcs should be in reverse order, only for these components
4916	# that need to be added
4917	while [ -n "${dcstmp}" ]
4918	do
4919	    i2=`${ECHO} "$dcstmp2" | cut -f1 -d','`
4920	    dk=`${ECHO} $i2 | awk -F= '{print $1}'`
4921	    dc=`${ECHO} $i2 | awk -F= '{print $2}'`
4922	    dcs="$dk=$dc,$dcs";
4923	    dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','`
4924	    dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','`
4925	    [ $DEBUG -eq 1 ] && \
4926		${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n"
4927	done
4928
4929
4930
4931	lastdc=${LDAP_SUFFIX}
4932	dc=`${ECHO} "${dcs}" | cut -f1 -d','`
4933	dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','`
4934	while [ -n "${dc}" ]; do
4935	    # Get Key and component from $dc.
4936	    dk2=`${ECHO} $dc | awk -F= '{print $1}'`
4937	    dc2=`${ECHO} $dc | awk -F= '{print $2}'`
4938
4939	    # At this point, ${dk2} is a valid attribute name
4940
4941	    # Check if entry exists first, if so, skip to next.
4942	    ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1
4943	    if [ $? -eq 0 ]; then
4944	        # Set the $lastdc to new dc.
4945	        lastdc="${dk2}=${dc2},$lastdc"
4946
4947		# Process next component.
4948		dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
4949		dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
4950		continue
4951
4952	    fi
4953
4954	    # Determine the objectclass for the entry.
4955            get_objectclass $dk2
4956	    OBJ_Name=${_ATTR_NAME}
4957	    if [ "${OBJ_Name}" = "" ]; then
4958	        ${ECHO} "Cannot determine objectclass for $dk2"
4959	        ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig"
4960	        exit 1
4961	    fi
4962
4963	    # Add the new container.
4964	    ( cat <<EOF
4965dn: ${dk2}=${dc2},$lastdc
4966${dk2}: $dc2
4967objectClass: top
4968objectClass: ${OBJ_Name}
4969EOF
4970) > ${TMPDIR}/base_objects
4971
4972
4973	    # Set the $lastdc to new dc.
4974	    lastdc="${dk2}=${dc2},$lastdc"
4975
4976	    # Add the entry.
4977	    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}"
4978	    if [ $? -ne 0 ]; then
4979		${ECHO} "  ERROR: update of base objects ${dc} failed."
4980		cleanup
4981		exit 1
4982	    fi
4983
4984	    # Display message that schema is updated.
4985	    ${ECHO} "  ${STEP}. Created DN component ${dc}."
4986	    STEP=`expr $STEP + 1`
4987
4988	    # Process next component.
4989	    dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
4990	    dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
4991	done
4992    fi
4993}
4994
4995
4996#
4997# add_new_containers(): Add the top level classes.
4998#
4999#    $1 = Base DN
5000#
5001add_new_containers()
5002{
5003    [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()"
5004
5005    for ou in people group rpc protocols networks netgroup \
5006	aliases hosts services ethers profile printers projects \
5007	SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do
5008
5009	# Check if nismaps already exist.
5010	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
5011	if [ $? -eq 0 ]; then
5012	    continue
5013	fi
5014
5015	# Create TMP file to add.
5016	( cat <<EOF
5017dn: ou=${ou},${LDAP_BASEDN}
5018ou: ${ou}
5019objectClass: top
5020objectClass: organizationalUnit
5021EOF
5022) > ${TMPDIR}/toplevel.${ou}
5023
5024	# Add the entry.
5025	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}"
5026	if [ $? -ne 0 ]; then
5027	    ${ECHO} "  ERROR: Add of ou=${ou} container failed!"
5028	    cleanup
5029	    exit 1
5030	fi
5031    done
5032
5033    # Display message that top level OU containers complete.
5034    ${ECHO} "  ${STEP}. Top level \"ou\" containers complete."
5035    STEP=`expr $STEP + 1`
5036}
5037
5038
5039#
5040# add_auto_maps(): Add the automount map entries.
5041#
5042# auto_home, auto_direct, auto_master, auto_shared
5043#
5044add_auto_maps()
5045{
5046    [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()"
5047
5048    # Set AUTO_MAPS for maps to create.
5049    AUTO_MAPS="auto_home auto_direct auto_master auto_shared"
5050
5051    for automap in $AUTO_MAPS; do
5052	# Check if automaps already exist.
5053	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
5054	if [ $? -eq 0 ]; then
5055	    continue
5056	fi
5057
5058	# Create the tmp file to add.
5059	( cat <<EOF
5060dn: automountMapName=${automap},${LDAP_BASEDN}
5061automountMapName: ${automap}
5062objectClass: top
5063objectClass: automountMap
5064EOF
5065) > ${TMPDIR}/automap.${automap}
5066
5067	# Add the entry.
5068	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}"
5069	if [ $? -ne 0 ]; then
5070	    ${ECHO} "  ERROR: Add of automap ${automap} failed!"
5071	    cleanup
5072	    exit 1
5073	fi
5074    done
5075
5076    # Display message that automount entries are updated.
5077    ${ECHO} "  ${STEP}. automount maps: $AUTO_MAPS processed."
5078    STEP=`expr $STEP + 1`
5079}
5080
5081
5082#
5083# add_proxyagent(): Add entry for nameservice to use to access server.
5084#
5085add_proxyagent()
5086{
5087    [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()"
5088
5089    # Check if proxy agent already exists.
5090    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}"
5091    if [ $? -eq 0 ]; then
5092	${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists."
5093	STEP=`expr $STEP + 1`
5094	return 0
5095    fi
5096
5097    # Get cn and sn names from LDAP_PROXYAGENT.
5098    cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=`
5099
5100    # Create the tmp file to add.
5101    ( cat <<EOF
5102dn: ${LDAP_PROXYAGENT}
5103cn: ${cn_tmp}
5104sn: ${cn_tmp}
5105objectclass: top
5106objectclass: person
5107userpassword: ${LDAP_PROXYAGENT_CRED}
5108EOF
5109) > ${TMPDIR}/proxyagent
5110
5111    # Add the entry.
5112    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}"
5113    if [ $? -ne 0 ]; then
5114	${ECHO} "  ERROR: Adding proxyagent failed!"
5115	cleanup
5116	exit 1
5117    fi
5118
5119    # Display message that schema is updated.
5120    ${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added."
5121    STEP=`expr $STEP + 1`
5122}
5123
5124#
5125# allow_proxy_read_pw(): Give Proxy Agent read permission for password.
5126#
5127allow_proxy_read_pw()
5128{
5129    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()"
5130
5131    # Search for ACI_NAME
5132    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5133    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1
5134    if [ $? -eq 0 ]; then
5135	${ECHO} "  ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}."
5136	STEP=`expr $STEP + 1`
5137	return 0
5138    fi
5139
5140    # Create the tmp file to add.
5141    ( cat <<EOF
5142dn: ${LDAP_BASEDN}
5143changetype: modify
5144add: aci
5145aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")
5146  (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search)
5147  userdn = "ldap:///${LDAP_PROXYAGENT}";)
5148EOF
5149) > ${TMPDIR}/proxy_read
5150
5151    # Add the entry.
5152    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}"
5153    if [ $? -ne 0 ]; then
5154	${ECHO} "  ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!"
5155	cleanup
5156	exit 1
5157    fi
5158
5159    # Display message that schema is updated.
5160    ${ECHO} "  ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password."
5161    STEP=`expr $STEP + 1`
5162}
5163
5164#  Delete Proxy Agent read permission for password.
5165delete_proxy_read_pw()
5166{
5167    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()"
5168
5169    # Search for ACI_NAME
5170    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5171    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \
5172	${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1
5173    if [ $? -ne 0 ]; then
5174	${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5175	return 0
5176    fi
5177
5178    # We need to remove proxy agent's read access to user passwords,
5179    # but We do not know the value of the ${LDAP_PROXYAGENT} here, so
5180    # 1. if only one match found, delete it
5181    # 2. if more than one matches found, ask the user which one to delete
5182    HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'`
5183    if [ $HOWMANY -eq 0 ]; then
5184	${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5185	return 0
5186    fi
5187    if [ $HOWMANY -eq 1 ];then
5188	proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci`
5189    else
5190	    ${CAT} << EOF
5191
5192Proxy agent is not allowed to read user passwords when shadow
5193update is enabled. There are more than one proxy agents found.
5194Please select the currently proxy agent being used, so that
5195idsconfig can remove its read access to user passwords.
5196
5197The proxy agents are:
5198
5199EOF
5200	    # generate the proxy agent list
5201    	    ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \
5202	    ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \
5203	    	${TMPDIR}/proxy_agent_list
5204
5205	    # print the proxy agent list
5206	    ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list
5207
5208	    # ask the user to pick one
5209	    _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): "
5210	    get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY"
5211	    _CH=$MN_CH
5212	    proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci`
5213    fi
5214
5215    # Create the tmp file to delete the ACI.
5216    ( cat <<EOF
5217dn: ${LDAP_BASEDN}
5218changetype: modify
5219delete: aci
5220aci: ${proxy_aci}
5221EOF
5222    ) > ${TMPDIR}/proxy_delete
5223
5224    # Delete the ACI
5225    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}"
5226    if [ $? -ne 0 ]; then
5227	${ECHO} "  ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!"
5228	cat ${TMPDIR}/proxy_delete
5229	cleanup
5230	exit 1
5231    fi
5232
5233    # Display message that ACI is updated.
5234    MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password."
5235    ${ECHO} " "
5236    ${ECHO} "  ACI REMOVED: $MSG"
5237    ${ECHO} "  The ACI removed is $proxy_aci"
5238    ${ECHO} " "
5239}
5240
5241#
5242# add_profile(): Add client profile to server.
5243#
5244add_profile()
5245{
5246    [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"
5247
5248    # If profile name already exists, DELETE it, and add new one.
5249    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
5250    if [ $? -eq 0 ]; then
5251	# Create Delete file.
5252	( cat <<EOF
5253cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
5254EOF
5255) > ${TMPDIR}/del_profile
5256
5257	# Check if DEL_OLD_PROFILE is set.  (If not ERROR)
5258	if [ $DEL_OLD_PROFILE -eq 0 ]; then
5259	    ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
5260	    exit 1
5261	fi
5262
5263	# Delete the OLD profile.
5264	${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
5265	if [ $? -ne 0 ]; then
5266	    ${ECHO} "  ERROR: Attempt to DELETE profile failed!"
5267	    cleanup
5268	    exit 1
5269	fi
5270    fi
5271
5272    # Build the "ldapclient genprofile" command string to execute.
5273    GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""
5274
5275    # Add required argument defaultSearchBase.
5276    GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""
5277
5278    # Add optional parameters.
5279    [ -n "$LDAP_SERVER_LIST" ] && \
5280	GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
5281    [ -n "$LDAP_SEARCH_SCOPE" ] && \
5282	GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
5283    [ -n "$LDAP_CRED_LEVEL" ] && \
5284	GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
5285    [ -n "$LDAP_AUTHMETHOD" ] && \
5286	GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
5287    [ -n "$LDAP_FOLLOWREF" ] && \
5288	GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
5289    [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
5290	GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
5291    [ -n "$LDAP_PROFILE_TTL" ] && \
5292	GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
5293    [ -n "$LDAP_BIND_LIMIT" ] && \
5294	GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
5295    [ -n "$LDAP_PREF_SRVLIST" ] && \
5296	GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
5297    [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
5298	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
5299    [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
5300	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
5301    [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
5302	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""
5303
5304    # Check if there are any service search descriptors to ad.
5305    if [ -s "${SSD_FILE}" ]; then
5306	ssd_2_profile
5307    fi
5308
5309    # Execute "ldapclient genprofile" to create profile.
5310    eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
5311    if [ $? -ne 0 ]; then
5312	${ECHO} "  ERROR: ldapclient genprofile failed!"
5313	cleanup
5314	exit 1
5315    fi
5316
5317    # Add the generated profile..
5318    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
5319    if [ $? -ne 0 ]; then
5320	${ECHO} "  ERROR: Attempt to add profile failed!"
5321	cleanup
5322	exit 1
5323    fi
5324
5325    # Display message that schema is updated.
5326    ${ECHO} "  ${STEP}. Generated client profile and loaded on server."
5327    STEP=`expr $STEP + 1`
5328}
5329
5330
5331#
5332# cleanup(): Remove the TMPDIR and all files in it.
5333#
5334cleanup()
5335{
5336    [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"
5337
5338    rm -fr ${TMPDIR}
5339}
5340
5341
5342#
5343# 			* * * MAIN * * *
5344#
5345# Description:
5346# This script assumes that the iPlanet Directory Server (iDS) is
5347# installed and that setup has been run.  This script takes the
5348# iDS server from that point and sets up the infrastructure for
5349# LDAP Naming Services.  After running this script, ldapaddent(1M)
5350# or some other tools can be used to populate data.
5351
5352# Initialize the variables that need to be set to NULL, or some
5353# other initial value before the rest of the functions can be called.
5354init
5355
5356# Parse command line arguments.
5357parse_arg $*
5358shift $?
5359
5360# Print extra line to separate from prompt.
5361${ECHO} " "
5362
5363# Either Load the user specified config file
5364# or prompt user for config info.
5365if [ -n "$INPUT_FILE" ]
5366then
5367    load_config_file
5368    INTERACTIVE=0      # Turns off prompts that occur later.
5369    validate_info      # Validate basic info in file.
5370    chk_ids_version    # Check iDS version for compatibility.
5371    gssapi_setup_auto
5372else
5373    # Display BACKUP warning to user.
5374    display_msg backup_server
5375    get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
5376    if [ $? -eq 0 ]; then    # if No, cleanup and exit.
5377	cleanup ; exit 1
5378    fi
5379
5380    # Prompt for values.
5381    prompt_config_info
5382    display_summary    # Allow user to modify results.
5383    INTERACTIVE=1      # Insures future prompting.
5384fi
5385
5386# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
5387modify_cn
5388
5389# Modify timelimit to user value.
5390[ $NEED_TIME -eq 1 ] && modify_timelimit
5391
5392# Modify sizelimit to user value.
5393[ $NEED_SIZE -eq 1 ] && modify_sizelimit
5394
5395# Modify the password storage scheme to support CRYPT.
5396if [ "$NEED_CRYPT" = "TRUE" ]; then
5397    modify_pwd_crypt
5398fi
5399
5400# Update the schema (Attributes, Objectclass Definitions)
5401if [ ${SCHEMA_UPDATED} -eq 0 ]; then
5402        update_schema_attr
5403        update_schema_obj
5404fi
5405
5406# Add suffix together with its root entry (if needed)
5407add_suffix ||
5408{
5409	cleanup
5410	exit 1
5411}
5412
5413# Add base objects (if needed)
5414add_base_objects
5415
5416# Update the NisDomainObject.
5417#   The Base DN might of just been created, so this MUST happen after
5418#   the base objects have been added!
5419set_nisdomain
5420
5421# Add top level classes (new containers)
5422add_new_containers
5423
5424# Add common nismaps.
5425add_auto_maps
5426
5427# Modify top ACI.
5428modify_top_aci
5429
5430# Add Access Control Information for VLV.
5431add_vlv_aci
5432
5433# if Proxy needed, Add Proxy Agent and give read permission for password.
5434if [ $NEED_PROXY -eq 1 ]; then
5435    add_proxyagent
5436    if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then
5437	allow_proxy_read_pw
5438    fi
5439fi
5440
5441# If admin needed for shadow update, Add the administrator identity and
5442# give read/write permission for shadow, and deny all others read/write
5443# access to it.
5444if [ $NEED_ADMIN -eq 1 ]; then
5445    add_admin
5446    allow_admin_read_write_shadow
5447    # deny non-admin access to shadow data
5448    deny_non_admin_shadow_access
5449fi
5450
5451# If use host principal for shadow update, give read/write permission for
5452# shadow, and deny all others' read/write access to it.
5453if [ $NEED_HOSTACL -eq 1 ]; then
5454    allow_host_read_write_shadow
5455    # deny non-host access to shadow data
5456    deny_non_host_shadow_access
5457fi
5458
5459
5460# Generate client profile and add it to the server.
5461add_profile
5462
5463# Add Indexes to improve Search Performance.
5464add_eq_indexes
5465add_sub_indexes
5466add_vlv_indexes
5467
5468# Display setup complete message
5469display_msg setup_complete
5470
5471# Display VLV index commands to be executed on server.
5472display_vlv_cmds
5473
5474# Create config file if requested.
5475[ -n "$OUTPUT_FILE" ] && create_config_file
5476
5477# Removed the TMPDIR and all files in it.
5478cleanup
5479
5480exit 0
5481# end of MAIN.
5482