xref: /titanic_52/usr/src/cmd/ldap/ns_ldap/idsconfig.sh (revision 25cf1a301a396c38e8adf52c15f537b80d2483f7)
1#!/bin/sh
2#
3# ident	"%Z%%M%	%I%	%E% SMI"
4#
5# CDDL HEADER START
6#
7# The contents of this file are subject to the terms of the
8# Common Development and Distribution License (the "License").
9# You may not use this file except in compliance with the License.
10#
11# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
12# or http://www.opensolaris.org/os/licensing.
13# See the License for the specific language governing permissions
14# and limitations under the License.
15#
16# When distributing Covered Code, include this CDDL HEADER in each
17# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
18# If applicable, add the following below this CDDL HEADER, with the
19# fields enclosed by brackets "[]" replaced with your own identifying
20# information: Portions Copyright [yyyy] [name of copyright owner]
21#
22# CDDL HEADER END
23#
24#
25# idsconfig -- script to setup iDS 5.x for Native LDAP II.
26#
27# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
28# Use is subject to license terms.
29#
30
31#
32# display_msg(): Displays message corresponding to the tag passed in.
33#
34display_msg()
35{
36    case "$1" in
37    usage) cat <<EOF
38 $PROG: [ -v ] [ -i input file ] [ -o output file ]
39   i <input file>     Get setup info from input file.
40   o <output file>    Generate a server configuration output file.
41   v                  Verbose mode
42EOF
43    ;;
44    backup_server) cat <<EOF
45It is strongly recommended that you BACKUP the directory server
46before running $PROG.
47
48Hit Ctrl-C at any time before the final confirmation to exit.
49
50EOF
51    ;;
52    setup_complete) cat <<EOF
53
54$PROG: Setup of iDS server ${IDS_SERVER} is complete.
55
56EOF
57    ;;
58    display_vlv_list) cat <<EOF
59
60Note: idsconfig has created entries for VLV indexes.  Use the 
61      directoryserver(1m) script on ${IDS_SERVER} to stop
62      the server and then enter the following vlvindex
63      sub-commands to create the actual VLV indexes:
64
65EOF
66    ;;
67    cred_level_menu) cat <<EOF
68The following are the supported credential levels:
69  1  anonymous
70  2  proxy
71  3  proxy anonymous
72EOF
73    ;;
74    auth_method_menu) cat <<EOF
75The following are the supported Authentication Methods:
76  1  none
77  2  simple
78  3  sasl/DIGEST-MD5
79  4  tls:simple
80  5  tls:sasl/DIGEST-MD5
81EOF
82    ;;
83    srvauth_method_menu) cat <<EOF
84The following are the supported Authentication Methods:
85  1  simple
86  2  sasl/DIGEST-MD5
87  3  tls:simple
88  4  tls:sasl/DIGEST-MD5
89EOF
90    ;;
91    prompt_ssd_menu) cat <<EOF
92  A  Add a Service Search Descriptor
93  D  Delete a SSD
94  M  Modify a SSD
95  P  Display all SSD's
96  H  Help
97  X  Clear all SSD's
98
99  Q  Exit menu
100EOF
101    ;;
102    summary_menu) cat <<EOF
103              Summary of Configuration
104
105  1  Domain to serve               : $LDAP_DOMAIN
106  2  Base DN to setup              : $LDAP_BASEDN
107  3  Profile name to create        : $LDAP_PROFILE_NAME
108  4  Default Server List           : $LDAP_SERVER_LIST
109  5  Preferred Server List         : $LDAP_PREF_SRVLIST
110  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
111  7  Credential Level              : $LDAP_CRED_LEVEL
112  8  Authentication Method         : $LDAP_AUTHMETHOD
113  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
114 10  iDS Time Limit                : $IDS_TIMELIMIT
115 11  iDS Size Limit                : $IDS_SIZELIMIT
116 12  Enable crypt password storage : $NEED_CRYPT
117 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
118 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
119 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
120 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
121 17  Profile Time to Live          : $LDAP_PROFILE_TTL
122 18  Bind Limit                    : $LDAP_BIND_LIMIT
123 19  Service Search Descriptors Menu
124
125EOF
126    ;;
127    ldap_suffix_list) cat <<EOF
128
129No valid suffixes (naming contexts) were found for LDAP base DN:
130${LDAP_BASEDN}
131
132Available suffixes are:
133${LDAP_SUFFIX_LIST}
134
135EOF
136    ;;
137    sorry) cat <<EOF
138
139HELP - No help is available for this topic.
140
141EOF
142    ;;
143    backup_help) cat <<EOF
144
145HELP - Since idsconfig modifies the directory server configuration,
146       it is strongly recommended that you backup the server prior
147       to running this utility.  This is especially true if the server
148       being configured is a production server.
149
150EOF
151    ;;
152    port_help) cat <<EOF
153
154HELP - Enter the port number the directory server is configured to
155       use for LDAP.
156
157EOF
158    ;;
159    domain_help) cat <<EOF
160
161HELP - This is the DNS domain name this server will be serving.  You
162       must provide this name even if the server is not going to be populated
163       with hostnames.  Any unqualified hostname stored in the directory
164       will be fully qualified using this DNS domain name.
165
166EOF
167    ;;
168    basedn_help) cat <<EOF
169
170HELP - This parameter defines the default location in the directory tree for
171       the naming services entries.  You can override this default by using 
172       serviceSearchDescriptors (SSD). You will be given the option to set up 
173       an SSD later on in the setup.
174
175EOF
176    ;;
177    profile_help) cat <<EOF
178
179HELP - Name of the configuration profile with which the clients will be
180       configured. A directory server can store various profiles for multiple 
181       groups of clients.  The initialization tool, (ldapclient(1M)), assumes 
182       "default" unless another is specified.
183
184EOF
185    ;;
186    def_srvlist_help) cat <<EOF
187
188HELP - Provide a list of directory servers to serve clients using this profile.
189       All these servers should contain consistent data and provide similar 
190       functionality.  This list is not ordered, and clients might change the 
191       order given in this list. Note that this is a space separated list of 
192       *IP addresses* (not host names).  Providing port numbers is optional.
193
194EOF
195    ;;
196    pref_srvlist_help) cat <<EOF
197
198HELP - Provide a list of directory servers to serve this client profile. 
199       Unlike the default server list, which is not ordered, the preferred 
200       servers must be entered IN THE ORDER you wish to have them contacted. 
201       If you do specify a preferred server list, clients will always contact 
202       them before attempting to contact any of the servers on the default 
203       server list. Note that you must enter the preferred server list as a 
204       space-separated list of *IP addresses* (not host names).  Providing port 
205       numbers is optional.
206
207EOF
208    ;;
209    srch_scope_help) cat <<EOF
210
211HELP - Default search scope to be used for all searches unless they are
212       overwritten using serviceSearchDescriptors.  The valid options
213       are "one", which would specify the search will only be performed 
214       at the base DN for the given service, or "sub", which would specify 
215       the search will be performed through *all* levels below the base DN 
216       for the given service.
217
218EOF
219    ;;
220    cred_lvl_help) cat <<EOF
221
222HELP - This parameter defines what credentials the clients use to
223       authenticate to the directory server.  This list might contain
224       multiple credential levels and is ordered.  If a proxy level
225       is configured, you will also be prompted to enter a bind DN
226       for the proxy agent along with a password.  This proxy agent
227       will be created if it does not exist.
228
229EOF
230    ;;
231    auth_help) cat <<EOF
232
233HELP - The default authentication method(s) to be used by all services
234       in the client using this profile.  This is a ordered list of
235       authentication methods separated by a ';'.  The supported methods
236       are provided in a menu.  Note that sasl/DIGEST-MD5 binds require
237       passwords to be stored un-encrypted on the server.
238
239EOF
240    ;;
241    srvauth_help) cat <<EOF
242
243HELP - The authentication methods to be used by a given service.  Currently
244       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
245       The authentication method specified in this attribute overrides
246       the default authentication method defined in the profile.  This
247       feature can be used to select stronger authentication methods for
248       services which require increased security.
249
250EOF
251    ;;
252    pam_ldap_help) cat <<EOF
253
254HELP - The authentication method(s) to be used by pam_ldap when contacting
255       the directory server.  This is a ordered list, and, if provided, will
256       override the default authentication method parameter.
257
258EOF
259    ;;
260    keyserv_help) cat <<EOF
261
262HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
263       when contacting the directory server.  This is a ordered list and
264       if provided will override the default authentication method
265       parameter.
266
267EOF
268    ;;
269    passwd-cmd_help) cat <<EOF
270
271HELP - The authentication method(s) to be used by passwd(1) command when
272       contacting the directory server.  This is a ordered list and if
273       provided will override the default authentication method parameter.
274
275EOF
276    ;;
277    referrals_help) cat <<EOF
278
279HELP - This parameter indicates whether the client should follow
280       ldap referrals if it encounters one during naming lookups.
281
282EOF
283    ;;
284    tlim_help) cat <<EOF
285
286HELP - The server time limit value indicates the maximum amount of time the
287       server would spend on a query from the client before abandoning it.
288       A value of '-1' indicates no limit.
289
290EOF
291    ;;
292    slim_help) cat <<EOF
293
294HELP - The server sizelimit value indicates the maximum number of entries
295       the server would return in respond to a query from the client.  A
296       value of '-1' indicates no limit.
297
298EOF
299    ;;
300    crypt_help) cat <<EOF
301
302HELP - By default iDS does not store userPassword attribute values using
303       unix "crypt" format.  If you need to keep your passwords in the crypt
304       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'.  If
305       passwords are stored using any other format than crypt, pam_ldap
306       MUST be used by clients to authenticate users to the system. Note 
307       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
308       user passwords must be stored in the clear format.
309
310EOF
311    ;;
312    srchtime_help) cat <<EOF
313
314HELP - The search time limit the client will enforce for directory
315       lookups.
316
317EOF
318    ;;
319    profttl_help) cat <<EOF
320
321HELP - The time to live value for profile.  The client will refresh its
322       cached version of the configuration profile at this TTL interval.
323
324EOF
325    ;;
326    bindlim_help) cat <<EOF
327
328HELP - The time limit for the bind operation to the directory.  This
329       value controls the responsiveness of the client in case a server
330       becomes unavailable.  The smallest timeout value for a given
331       network architecture/conditions would work best.  This is very
332       similar to setting TCP timeout, but only for LDAP bind operation.
333
334EOF
335    ;;
336    ssd_help) cat <<EOF
337
338HELP - Using Service Search Descriptors (SSD), you can override the
339       default configuration for a given service.  The SSD can be
340       used to override the default search base DN, the default search
341       scope, and the default search filter to be used for directory
342       lookups.  SSD are supported for all services (databases)
343       defined in nsswitch.conf(4).  The default base DN is defined
344       in ldap(1).
345
346       Note: SSD are powerful tools in defining configuration profiles
347             and provide a great deal of flexibility.  However, care
348             must be taken in creating them.  If you decide to make use
349             of SSDs, consult the documentation first.
350
351EOF
352    ;;
353    ssd_menu_help) cat <<EOF
354
355HELP - Using this menu SSD can be added, updated, or deleted from
356       the profile.
357
358       A - This option creates a new SSD by prompting for the
359           service name, base DN, and scope.  Service name is
360           any valid service as defined in ldap(1).  base is
361           either the distinguished name to the container where
362           this service will use, or a relative DN followed
363           by a ','.
364       D - Delete a previously created SSD.
365       M - Modify a previously created SSD.
366       P - Display a list of all the previously created SSD.
367       X - Delete all of the previously created SSD.
368
369       Q - Exit the menu and continue with the server configuration.
370
371EOF
372    ;;
373    ldap_suffix_list_help) cat <<EOF
374
375HELP - No valid suffixes (naming contexts) are available on server 
376       ${IDS_SERVER}:${IDS_PORT}.
377       You must set an LDAP Base DN that can be contained in 
378       an existing suffix.
379
380EOF
381    ;;
382    esac
383}
384
385
386#
387# get_ans(): gets an answer from the user.
388#		$1  instruction/comment/description/question
389#		$2  default value
390#
391get_ans()
392{
393    if [ -z "$2" ]
394    then
395	${ECHO} "$1 \c"
396    else
397	${ECHO} "$1 [$2] \c"
398    fi
399
400    read ANS
401    if [ -z "$ANS" ]
402    then
403	ANS=$2
404    fi
405}
406
407
408#
409# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
410#		$@  instruction/comment/description/question
411#
412get_ans_req()
413{
414    ANS=""                  # Set ANS to NULL.
415    while [ "$ANS" = "" ]
416    do
417	get_ans "$@"
418	[ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!"
419    done
420}
421
422
423#
424# get_number(): Querys and verifies that number entered is numeric.
425#               Function will repeat prompt user for number value.
426#               $1  Message text.
427#		$2  default value.
428#               $3  Help argument.
429#
430get_number()
431{
432    ANS=""                  # Set ANS to NULL.
433    NUM=""
434
435    get_ans "$1" "$2"
436
437    # Verify that value is numeric.
438    while not_numeric $ANS
439    do
440	case "$ANS" in
441	    [Hh] | help | Help | \?) display_msg ${3:-sorry} ;;
442	    * ) ${ECHO} "Invalid value: \"${ANS}\". \c"
443	     ;;
444	esac
445	# Get a new value.
446	get_ans "Enter a numeric value:" "$2"
447    done
448    NUM=$ANS
449}
450
451
452#
453# get_negone_num(): Only allows a -1 or positive integer.
454#                   Used for values where -1 has special meaning.
455#
456#                   $1 - Prompt message.
457#                   $2 - Default value (require).
458#                   $3 - Optional help argument.
459get_negone_num()
460{
461    while :
462    do
463	get_number "$1" "$2" "$3"
464	if is_negative $ANS
465	then
466	    if [ "$ANS" = "-1" ]; then
467		break  # -1 is OK, so break.
468	    else       # Need to re-enter number.
469		${ECHO} "Invalid number: please enter -1 or positive number."
470	    fi
471	else
472	    break      # Positive number
473	fi
474    done
475}
476
477
478#
479# get_passwd(): Reads a password from the user and verify with second.
480#		$@  instruction/comment/description/question
481#
482get_passwd()
483{
484    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"
485
486    # Temporary PASSWD variables
487    _PASS1=""
488    _PASS2=""
489
490    /usr/bin/stty -echo     # Turn echo OFF
491
492    # Endless loop that continues until passwd and re-entered passwd
493    # match.
494    while :
495    do
496	ANS=""                  # Set ANS to NULL.
497
498	# Don't allow NULL for first try.
499	while [ "$ANS" = "" ]
500	do
501	    get_ans "$@"
502	    [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
503	done
504	_PASS1=$ANS         # Store first try.
505
506	# Get second try.
507	${ECHO} ""
508	get_ans "Re-enter passwd:"
509	_PASS2=$ANS
510
511	# Test if passwords are identical.
512	if [ "$_PASS1" = "$_PASS2" ]; then
513	    break
514	fi
515
516	# Move cursor down to next line and print ERROR message.
517	${ECHO} ""
518	${ECHO} "ERROR: passwords don't match; try again."
519    done
520
521    /usr/bin/stty echo      # Turn echo ON
522
523    ${ECHO} ""
524}
525
526
527#
528# get_passwd_nochk(): Reads a password from the user w/o check.
529#		$@  instruction/comment/description/question
530#
531get_passwd_nochk()
532{
533    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"
534
535    /usr/bin/stty -echo     # Turn echo OFF
536
537    get_ans "$@"
538
539    /usr/bin/stty echo      # Turn echo ON
540
541    ${ECHO} ""
542}
543
544
545#
546# get_menu_choice(): Get a menu choice from user.  Continue prompting
547#                    till the choice is in required range.
548#   $1 .. Message text.
549#   $2 .. min value
550#   $3 .. max value
551#   $4 .. OPTIONAL: default value
552#
553#   Return value:
554#     MN_CH will contain the value selected.
555#
556get_menu_choice()
557{
558    # Check for req parameter.
559    if [ $# -lt 3 ]; then
560	${ECHO} "get_menu_choice(): Did not get required parameters."
561	return 1
562    fi
563
564    while :
565    do
566	get_ans "$1" "$4"
567	MN_CH=$ANS
568	is_negative $MN_CH
569	if [ $? -eq 1 ]; then
570	    if [ $MN_CH -ge $2 ]; then
571		if [ $MN_CH -le $3 ]; then
572		    return
573		fi
574	    fi
575	fi
576	${ECHO} "Invalid choice: $MN_CH"
577    done
578}
579
580
581#
582# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
583#                $1 - Message
584#                $2 - default value.
585#
586get_confirm()
587{
588    _ANSWER=
589
590    while :
591    do
592	# Display Internal ERROR if $2 not set.
593	if [ -z "$2" ]
594	then
595	    ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
596	    exit 2
597	fi
598
599	# Display prompt.
600	${ECHO} "$1 [$2] \c"
601
602	# Get the ANSWER.
603	read _ANSWER
604	if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then
605	    _ANSWER=$2
606	fi
607	case "$_ANSWER" in
608	    [Yy] | yes | Yes | YES) return 1 ;;
609	    [Nn] | no  | No  | NO)  return 0 ;;
610	    [Hh] | help | Help | \?) display_msg ${3:-sorry};;
611	    * ) ${ECHO} "Please enter y or n."  ;;
612	esac
613    done
614}
615
616
617#
618# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
619#                      No default value supported.
620#
621get_confirm_nodef()
622{
623    _ANSWER=
624
625    while :
626    do
627	${ECHO} "$@ \c"
628	read _ANSWER
629	case "$_ANSWER" in
630	    [Yy] | yes | Yes | YES) return 1 ;;
631	    [Nn] | no  | No  | NO)  return 0 ;;
632	    * ) ${ECHO} "Please enter y or n."  ;;
633	esac
634    done
635}
636
637
638#
639# is_numeric(): Tells is a string is numeric.
640#    0 = Numeric
641#    1 = NOT Numeric
642#
643is_numeric()
644{
645    # Check for parameter.
646    if [ $# -ne 1 ]; then
647	return 1
648    fi
649
650    # Determine if numeric.
651    expr "$1" + 1 > /dev/null 2>&1
652    if [ $? -ge 2 ]; then
653	return 1
654    fi
655
656    # Made it here, it's Numeric.
657    return 0
658}
659
660
661#
662# not_numeric(): Reverses the return values of is_numeric.  Useful
663#                 for if and while statements that want to test for
664#                 non-numeric data.
665#    0 = NOT Numeric
666#    1 = Numeric
667#
668not_numeric()
669{
670    is_numeric $1
671    if [ $? -eq 0 ]; then
672       return 1
673    else
674       return 0
675    fi
676}
677
678
679#
680# is_negative(): Tells is a Numeric value is less than zero.
681#    0 = Negative Numeric
682#    1 = Positive Numeric
683#    2 = NOT Numeric
684#
685is_negative()
686{
687    # Check for parameter.
688    if [ $# -ne 1 ]; then
689	return 1
690    fi
691
692    # Determine if numeric.  Can't use expr because -0 is
693    # considered positive??
694    if is_numeric $1; then
695	case "$1" in
696	    -*)  return 0 ;;   # Negative Numeric
697	    *)   return 1 ;;   # Positive Numeric
698	esac
699    else
700	return 2
701    fi
702}
703
704
705#
706# check_domainname(): check validity of a domain name.  Currently we check
707#                     that it has at least two components.
708#		$1  the domain name to be checked
709#
710check_domainname()
711{
712    if [ ! -z "$1" ]
713    then
714	t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
715	if [ "$t" = 0 ]
716	then
717	    return 1
718	fi
719    fi
720    return 0
721}
722
723
724#
725# check_baseDN(): check validity of the baseDN name.
726#		$1  the baseDN name to be checked
727#
728#     NOTE: The check_baseDN function does not catch all invalid DN's.
729#           Its purpose is to reduce the number of invalid DN's to
730#           get past the input routine.  The invalid DN's will be
731#           caught by the LDAP server when they are attempted to be
732#           created.
733#
734check_baseDN()
735{
736    ck_DN=$1
737    ${ECHO} "  Checking LDAP Base DN ..."
738    if [ ! -z "$ck_DN" ]; then
739        [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
740        # Check for = (assignment operator)
741        ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
742        if [ $? -ne 0 ]; then
743            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
744            return 1
745        fi
746
747        # Check all keys.
748        while :
749        do
750            # Get first key.
751            dkey=`${ECHO} $ck_DN | cut -d'=' -f1`
752
753            # Check that the key string is valid
754	    check_attrName $dkey
755	    if [ $? -ne 0 ]; then
756                [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
757                return 1
758            fi
759
760            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"
761
762            # Remove first key from DN
763            ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`
764
765            # Break loop if nothing left.
766            if [ "$ck_DN" = "" ]; then
767                break
768            fi
769        done
770    fi
771    return 0
772}
773
774
775#
776# domain_2_dc(): Convert a domain name into dc string.
777#    $1  .. Domain name.
778#
779domain_2_dc()
780{
781    _DOM=$1           # Domain parameter.
782    _DOM_2_DC=""      # Return value from function.
783    _FIRST=1          # Flag for first time.
784
785    export _DOM_2_DC  # Make visible for others.
786
787    # Convert "."'s to spaces for "for" loop.
788    domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
789    for i in $domtmp; do
790	if [ $_FIRST -eq 1 ]; then
791	    _DOM_2_DC="dc=${i}"
792	    _FIRST=0
793	else
794	    _DOM_2_DC="${_DOM_2_DC},dc=${i}"
795	fi
796    done
797}
798
799
800#
801# is_root_user(): Check to see if logged in as root user.
802#
803is_root_user()
804{
805    case `id` in
806	uid=0\(root\)*) return 0 ;;
807	* )             return 1 ;;
808    esac
809}
810
811
812#
813# parse_arg(): Parses the command line arguments and sets the
814#              appropriate variables.
815#
816parse_arg()
817{
818    while getopts "dvhi:o:" ARG
819    do
820	case $ARG in
821	    d)      DEBUG=1;;
822	    v)      VERB="";;
823	    i)      INPUT_FILE=$OPTARG;;
824	    o)      OUTPUT_FILE=$OPTARG;;
825	    \?)	display_msg usage
826		    exit 1;;
827	    *)	${ECHO} "**ERROR: Supported option missing handler!"
828		    display_msg usage
829		    exit 1;;
830	esac
831    done
832    return `expr $OPTIND - 1`
833}
834
835
836#
837# init(): initializes variables and options
838#
839init()
840{
841    # General variables.
842    PROG=`basename $0`	# Program name
843    PID=$$              # Program ID
844    VERB='> /dev/null 2>&1'	# NULL or "> /dev/null"
845    ECHO="/bin/echo"	# print message on screen
846    EVAL="eval"		# eval or echo
847    EGREP="/usr/bin/egrep"
848    GREP="/usr/bin/grep"
849    DEBUG=0             # Set Debug OFF
850    BACKUP=no_ldap	# backup suffix
851    HOST=""		# NULL or <hostname>
852
853    DOM=""              # Set to NULL
854    # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
855    if [ -f /etc/resolv.conf ]; then
856        DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
857	    | awk '{ print $2 }' | tail -1`
858    fi
859
860    # If for any reason the DOM did not get set (error'd resolv.conf) set
861    # DOM to the domainname command's output.
862    if [ "$DOM" = "" ]; then
863        DOM=`domainname`	# domain from domainname command.
864    fi
865
866    STEP=1
867    INTERACTIVE=1       # 0 = on, 1 = off (For input file mode)
868    DEL_OLD_PROFILE=0   # 0 (default), 1 = delete old profile.
869
870    # idsconfig specific variables.
871    INPUT_FILE=""
872    OUTPUT_FILE=""
873    NEED_PROXY=0        # 0 = No Proxy, 1 = Create Proxy.
874    LDAP_PROXYAGENT=""
875    LDAP_SUFFIX=""
876    LDAP_DOMAIN=$DOM	# domainname on Server (default value)
877    GEN_CMD=""
878
879    # LDAP COMMANDS
880    LDAPSEARCH="/bin/ldapsearch -r"
881    LDAPMODIFY=/bin/ldapmodify
882    LDAPADD=/bin/ldapadd
883    LDAPDELETE=/bin/ldapdelete
884    LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile
885
886    # iDS specific information
887    IDS_SERVER=""
888    IDS_PORT=389
889    NEED_TIME=0
890    NEED_SIZE=0
891    NEED_SRVAUTH_PAM=0
892    NEED_SRVAUTH_KEY=0
893    NEED_SRVAUTH_CMD=0
894    IDS_TIMELIMIT=""
895    IDS_SIZELIMIT=""
896
897    # LDAP PROFILE related defaults
898    LDAP_ROOTDN="cn=Directory Manager"   # Provide common default.
899    LDAP_ROOTPWD=""                      # NULL passwd as default (i.e. invalid)
900    LDAP_PROFILE_NAME="default"
901    LDAP_BASEDN=""
902    LDAP_SERVER_LIST=""
903    LDAP_AUTHMETHOD=""
904    LDAP_FOLLOWREF="FALSE"
905    NEED_CRYPT=""
906    LDAP_SEARCH_SCOPE="one"
907    LDAP_SRV_AUTHMETHOD_PAM=""
908    LDAP_SRV_AUTHMETHOD_KEY=""
909    LDAP_SRV_AUTHMETHOD_CMD=""
910    LDAP_SEARCH_TIME_LIMIT=30
911    LDAP_PREF_SRVLIST=""
912    LDAP_PROFILE_TTL=43200
913    LDAP_CRED_LEVEL="proxy"
914    LDAP_BIND_LIMIT=10
915
916    # Prevent new files from being read by group or others.
917    umask 077
918
919    # Service Search Descriptors
920    LDAP_SERV_SRCH_DES=""
921
922    # Set and create TMPDIR.
923    TMPDIR="/tmp/idsconfig.${PID}"
924    if mkdir -m 700 ${TMPDIR}
925    then
926	# Cleanup on exit.
927	trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
928    else
929	echo "ERROR: unable to create a safe temporary directory."
930	exit 1
931    fi
932    LDAP_ROOTPWF=${TMPDIR}/rootPWD
933
934    # Set the SSD file name after setting TMPDIR.
935    SSD_FILE=${TMPDIR}/ssd_list
936
937    export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
938    export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
939    export LDAP_BASEDN LDAP_ROOTPWF
940    export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
941    export NEED_PROXY
942    export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
943    export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
944    export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
945    export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
946    export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
947    export LDAP_SERV_SRCH_DES SSD_FILE
948    export GEN_CMD
949}
950
951
952#
953# disp_full_debug(): List of all debug variables usually interested in.
954#                    Grouped to avoid MASSIVE code duplication.
955#
956disp_full_debug()
957{
958    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SERVER = $IDS_SERVER"
959    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_PORT = $IDS_PORT"
960    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTDN = $LDAP_ROOTDN"
961    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTPWD = $LDAP_ROOTPWD"
962    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_DOMAIN = $LDAP_DOMAIN"
963    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX = $LDAP_SUFFIX"
964    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BASEDN = $LDAP_BASEDN"
965    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
966    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
967    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
968    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
969    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
970    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
971    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
972    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_TIMELIMIT = $IDS_TIMELIMIT"
973    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SIZELIMIT = $IDS_SIZELIMIT"
974    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_CRYPT = $NEED_CRYPT"
975    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
976    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
977    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
978    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
979    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
980    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
981    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
982    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
983    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
984
985    # Only display proxy stuff if needed.
986    if [ $NEED_PROXY -eq  1 ]; then
987	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
988	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
989	[ $DEBUG -eq 1 ] && ${ECHO} "  NEED_PROXY = $NEED_PROXY"
990    fi
991
992    # Service Search Descriptors are a special case.
993    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
994}
995
996
997#
998# load_config_file(): Loads the config file.
999#
1000load_config_file()
1001{
1002    [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"
1003
1004    # Remove SSD lines from input file before sourcing.
1005    # The SSD lines must be removed because some forms of the
1006    # data could cause SHELL errors.
1007    ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD
1008
1009    # Source the input file.
1010    . ${TMPDIR}/inputfile.noSSD
1011
1012    # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older
1013    # config files use LDAP_TREETOP
1014    LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"
1015
1016    # Save password to temporary file.
1017    save_password
1018
1019    # Create the SSD file.
1020    create_ssd_file
1021
1022    # Display FULL debugging info.
1023    disp_full_debug
1024}
1025
1026#
1027# save_password(): Save password to temporary file.
1028#
1029save_password()
1030{
1031    cat > ${LDAP_ROOTPWF} <<EOF
1032${LDAP_ROOTPWD}
1033EOF
1034}
1035
1036######################################################################
1037# FUNCTIONS  FOR prompt_config_info() START HERE.
1038######################################################################
1039
1040#
1041# get_ids_server(): Prompt for iDS server name.
1042#
1043get_ids_server()
1044{
1045    while :
1046    do
1047	# Prompt for server name.
1048	get_ans "Enter the iPlanet Directory Server's (iDS) hostname to setup:" "$IDS_SERVER"
1049	IDS_SERVER=$ANS
1050
1051	# Ping server to see if live.  If valid break out of loop.
1052	ping $IDS_SERVER > /dev/null 2>&1
1053	if [ $? -eq 0 ]; then
1054	    break
1055	fi
1056
1057	# Invalid server, enter a new name.
1058	${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
1059	IDS_SERVER=""
1060    done
1061
1062    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1063    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1064    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1065    export SERVER_ARGS
1066
1067}
1068
1069#
1070# get_ids_port(): Prompt for iDS port number.
1071#
1072get_ids_port()
1073{
1074    # Get a valid iDS port number.
1075    while :
1076    do
1077	# Enter port number.
1078	get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
1079	IDS_PORT=$ANS
1080
1081	# Do a simple search to check hostname and port number.
1082	# If search returns SUCCESS, break out, host and port must
1083	# be valid.
1084	${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1
1085	if [ $? -eq 0 ]; then
1086	    break
1087	fi
1088
1089	# Invalid host/port pair, Re-enter.
1090	${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
1091	get_ids_server
1092    done
1093
1094    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1095    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1096    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1097    export SERVER_ARGS
1098}
1099
1100
1101#
1102# chk_ids_version(): Read the slapd config file and set variables
1103#
1104chk_ids_version()
1105{
1106    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
1107
1108    # check iDS version number.
1109    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
1110    if [ $? -ne 0 ]; then
1111	${ECHO} "ERROR: Can not determine the version number of iDS!"
1112	exit 1
1113    fi
1114    IDS_VER=`cat ${TMPDIR}/checkDSver`
1115    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
1116    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
1117    if [ "${IDS_MAJVER}" != "5" ]; then
1118	${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}."
1119    	exit 1
1120    fi
1121    if [ $DEBUG -eq 1 ]; then
1122	${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
1123	${ECHO} "  IDS_MINVER = $IDS_MINVER"
1124    fi
1125}
1126
1127
1128#
1129# get_dirmgr_dn(): Get the directory manger DN.
1130#
1131get_dirmgr_dn()
1132{
1133    get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
1134    LDAP_ROOTDN=$ANS
1135
1136    # Update ENV variables using DN.
1137    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1138    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1139    export AUTH_ARGS LDAP_ARGS
1140}
1141
1142
1143#
1144# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf)
1145#
1146get_dirmgr_pw()
1147{
1148    while :
1149    do
1150	# Get passwd.
1151	get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
1152	LDAP_ROOTPWD=$ANS
1153
1154	# Store password in file.
1155	save_password
1156
1157	# Update ENV variables using DN's PW.
1158	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1159	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1160	export AUTH_ARGS LDAP_ARGS
1161
1162	# Verify that ROOTDN and ROOTPWD are valid.
1163	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
1164	if [ $? -ne 0 ]; then
1165	    eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
1166	    if [ $? -eq 0 ]; then
1167		${ECHO} "ERROR: Root DN passwd is invalid."
1168	    else
1169		${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
1170		get_dirmgr_dn
1171	    fi
1172	else
1173	    break         # Both are valid.
1174	fi
1175    done
1176
1177
1178}
1179
1180
1181#
1182# get_domain(): Get the Domain that will be served by the LDAP server.
1183#               $1 - Help argument.
1184#
1185get_domain()
1186{
1187    # Use LDAP_DOMAIN as default.
1188    get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN
1189
1190    # Check domainname, and have user re-enter if not valid.
1191    check_domainname $ANS
1192    while [ $? -ne 0 ]
1193    do
1194	case "$ANS" in
1195	    [Hh] | help | Help | \?) display_msg ${1:-sorry} ;;
1196	    * ) ${ECHO} "Invalid domainname: \"${ANS}\"."
1197	     ;;
1198	esac
1199	get_ans "Enter domainname to be served (h=help):" $DOM
1200
1201	check_domainname $ANS
1202    done
1203
1204    # Set the domainname to valid name.
1205    LDAP_DOMAIN=$ANS
1206}
1207
1208
1209#
1210# get_basedn(): Query for the Base DN.
1211#
1212get_basedn()
1213{
1214    # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default.
1215    # Then call get_basedn().  This method remakes the default
1216    # each time just in case the domain changed.
1217    domain_2_dc $LDAP_DOMAIN
1218    LDAP_BASEDN=$_DOM_2_DC
1219
1220    # Get Base DN.
1221    while :
1222    do
1223	get_ans_req "Enter LDAP Base DN (h=help):" "$LDAP_BASEDN"
1224	check_baseDN "$ANS"
1225	while [ $? -ne 0 ]
1226	do
1227	    case "$ANS" in
1228		[Hh] | help | Help | \?) display_msg basedn_help ;;
1229		* ) ${ECHO} "Invalid base DN: \"${ANS}\"."
1230		;;
1231	    esac
1232
1233	    # Re-Enter the BaseDN
1234	    get_ans_req "Enter LDAP Base DN (h=help):" "$LDAP_BASEDN"
1235	    check_baseDN "$ANS"
1236	done
1237
1238	# Set base DN.
1239	LDAP_BASEDN=${ANS}
1240
1241	check_basedn_suffix
1242	case $? in
1243	    0) break ;;
1244	    1) cleanup; exit 1 ;;
1245	    2) continue ;;
1246	esac
1247    done
1248}
1249
1250
1251#
1252# get_profile_name(): Enter the profile name.
1253#
1254get_profile_name()
1255{
1256    # Reset Delete Old Profile since getting new profile name.
1257    DEL_OLD_PROFILE=0
1258
1259    # Loop until valid profile name, or replace.
1260    while :
1261    do
1262	# Prompt for profile name.
1263	get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME"
1264
1265	# Check for Help.
1266	case "$ANS" in
1267	    [Hh] | help | Help | \?) display_msg profile_help
1268				     continue ;;
1269	    * )  ;;
1270	esac
1271
1272	# Search to see if profile name already exists.
1273	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
1274	if [ $? -eq 0 ]; then
1275	    get_confirm_nodef "Are you sure you want to overwire profile cn=${ANS}?"
1276	    if [ $? -eq 1 ]; then
1277		DEL_OLD_PROFILE=1
1278		return 0  # Replace old profile name.
1279	    else
1280		${ECHO} "Please re-enter a new profile name."
1281	    fi
1282	else
1283	    break  # Unique profile name.
1284	fi
1285    done
1286
1287    # Set Profile Name.
1288    LDAP_PROFILE_NAME=$ANS
1289}
1290
1291
1292#
1293# get_srv_list(): Get the default server list.
1294#
1295get_srv_list()
1296{
1297    # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone.
1298    if [ -z "${LDAP_SERVER_LIST}" ]; then
1299	LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'`
1300        if [ ${IDS_PORT} -ne 389 ]; then
1301	    LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}"
1302	fi
1303    fi
1304
1305    # Prompt for new LDAP_SERVER_LIST.
1306    while :
1307    do
1308	get_ans "Default server list (h=help):" $LDAP_SERVER_LIST
1309
1310	# If help continue, otherwise break.
1311	case "$ANS" in
1312	    [Hh] | help | Help | \?) display_msg def_srvlist_help ;;
1313	    * ) break ;;
1314	esac
1315    done
1316    LDAP_SERVER_LIST=$ANS
1317}
1318
1319
1320#
1321# get_pref_srv(): The preferred server list (Overrides the server list)
1322#
1323get_pref_srv()
1324{
1325    while :
1326    do
1327	get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST
1328
1329	# If help continue, otherwise break.
1330	case "$ANS" in
1331	    [Hh] | help | Help | \?) display_msg pref_srvlist_help ;;
1332	    * ) break ;;
1333	esac
1334    done
1335    LDAP_PREF_SRVLIST=$ANS
1336}
1337
1338
1339#
1340# get_search_scope(): Get the search scope from the user.
1341#
1342get_search_scope()
1343{
1344    [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()"
1345
1346    _MENU_CHOICE=0
1347    while :
1348    do
1349	get_ans "Choose desired search scope (one, sub, h=help): " "one"
1350	_MENU_CHOICE=$ANS
1351	case "$_MENU_CHOICE" in
1352	    one) LDAP_SEARCH_SCOPE="one"
1353	       return 1 ;;
1354	    sub) LDAP_SEARCH_SCOPE="sub"
1355	       return 2 ;;
1356	    h) display_msg srch_scope_help ;;
1357	    *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;;
1358	esac
1359    done
1360
1361}
1362
1363
1364#
1365# get_cred_level(): Function to display menu to user and get the
1366#                  credential level.
1367#
1368get_cred_level()
1369{
1370    [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()"
1371
1372    _MENU_CHOICE=0
1373    display_msg cred_level_menu
1374    while :
1375    do
1376	get_ans "Choose Credential level [h=help]:" "1"
1377	_MENU_CHOICE=$ANS
1378	case "$_MENU_CHOICE" in
1379	    1) LDAP_CRED_LEVEL="anonymous"
1380	       return 1 ;;
1381	    2) LDAP_CRED_LEVEL="proxy"
1382	       return 2 ;;
1383	    3) LDAP_CRED_LEVEL="proxy anonymous"
1384	       return 3 ;;
1385	    h) display_msg cred_lvl_help ;;
1386	    *) ${ECHO} "Please enter 1, 2 or 3." ;;
1387	esac
1388    done
1389}
1390
1391
1392#
1393# srvauth_menu_handler(): Enter the Service Authentication method.
1394#
1395srvauth_menu_handler()
1396{
1397    # Display Auth menu
1398    display_msg srvauth_method_menu
1399
1400    # Get a Valid choice.
1401    while :
1402    do
1403	# Display appropriate prompt and get answer.
1404	if [ $_FIRST -eq 1 ]; then
1405	    get_ans "Choose Service Authentication Method:" "1"
1406	else
1407	    get_ans "Choose Service Authentication Method (0=reset):"
1408	fi
1409
1410	# Determine choice.
1411	_MENU_CHOICE=$ANS
1412	case "$_MENU_CHOICE" in
1413	    1) _AUTHMETHOD="simple"
1414		break ;;
1415	    2) _AUTHMETHOD="sasl/DIGEST-MD5"
1416		break ;;
1417	    3) _AUTHMETHOD="tls:simple"
1418		break ;;
1419	    4) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1420		break ;;
1421	    0) _AUTHMETHOD=""
1422		_FIRST=1
1423		break ;;
1424	    *) ${ECHO} "Please enter 1-4 or 0 to reset." ;;
1425	esac
1426    done
1427}
1428
1429
1430#
1431# auth_menu_handler(): Enter the Authentication method.
1432#
1433auth_menu_handler()
1434{
1435    # Display Auth menu
1436    display_msg auth_method_menu
1437
1438    # Get a Valid choice.
1439    while :
1440    do
1441	# Display appropriate prompt and get answer.
1442	if [ $_FIRST -eq 1 ]; then
1443	    get_ans "Choose Authentication Method (h=help):" "1"
1444	else
1445	    get_ans "Choose Authentication Method (0=reset, h=help):"
1446	fi
1447
1448	# Determine choice.
1449	_MENU_CHOICE=$ANS
1450	case "$_MENU_CHOICE" in
1451	    1) _AUTHMETHOD="none"
1452		break ;;
1453	    2) _AUTHMETHOD="simple"
1454		break ;;
1455	    3) _AUTHMETHOD="sasl/DIGEST-MD5"
1456		break ;;
1457	    4) _AUTHMETHOD="tls:simple"
1458		break ;;
1459	    5) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1460		break ;;
1461	    0) _AUTHMETHOD=""
1462		_FIRST=1
1463		break ;;
1464	    h) display_msg auth_help ;;
1465	    *) ${ECHO} "Please enter 1-5, 0=reset, or h=help." ;;
1466	esac
1467    done
1468}
1469
1470
1471#
1472# get_auth(): Enter the Authentication method.
1473#
1474get_auth()
1475{
1476    [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()"
1477
1478    _FIRST=1          # Flag for first time.
1479    _MENU_CHOICE=0
1480    _AUTHMETHOD=""    # Tmp method.
1481
1482    while :
1483    do
1484	# Call Menu handler
1485	auth_menu_handler
1486
1487	# Add Auth Method to list.
1488        if [ $_FIRST -eq 1 ]; then
1489	    LDAP_AUTHMETHOD="${_AUTHMETHOD}"
1490	    _FIRST=0
1491	else
1492	    LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}"
1493	fi
1494
1495	# Display current Authentication Method.
1496	${ECHO} ""
1497	${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}"
1498	${ECHO} ""
1499
1500	# Prompt for another Auth Method, or break out.
1501	get_confirm_nodef "Do you want to add another Authentication Method?"
1502	if [ $? -eq 0 ]; then
1503	    break;
1504	fi
1505    done
1506}
1507
1508
1509#
1510# get_followref(): Whether or not to follow referrals.
1511#
1512get_followref()
1513{
1514    get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
1515    if [ $? -eq 1 ]; then
1516	LDAP_FOLLOWREF="TRUE"
1517    else
1518	LDAP_FOLLOWREF="FALSE"
1519    fi
1520}
1521
1522
1523#
1524# get_timelimit(): Set the time limit. -1 is max time.
1525#
1526get_timelimit()
1527{
1528    # Get current timeout value from cn=config.
1529    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1"
1530    if [ $? -ne 0 ]; then
1531	${ECHO} "  ERROR: Could not reach LDAP server to check current timeout!"
1532	cleanup
1533	exit 1
1534    fi
1535    CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=`
1536
1537    get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
1538    IDS_TIMELIMIT=$NUM
1539}
1540
1541
1542#
1543# get_sizelimit(): Set the size limit. -1 is max size.
1544#
1545get_sizelimit()
1546{
1547    # Get current sizelimit value from cn=config.
1548    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1"
1549    if [ $? -ne 0 ]; then
1550	${ECHO} "  ERROR: Could not reach LDAP server to check current sizelimit!"
1551	cleanup
1552	exit 1
1553    fi
1554    CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=`
1555
1556    get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
1557    IDS_SIZELIMIT=$NUM
1558}
1559
1560
1561#
1562# get_want_crypt(): Ask user if want to store passwords in crypt?
1563#
1564get_want_crypt()
1565{
1566    get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
1567    if [ $? -eq 1 ]; then
1568	NEED_CRYPT="TRUE"
1569    else
1570	NEED_CRYPT="FALSE"
1571    fi
1572}
1573
1574
1575#
1576# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
1577#
1578#  NOTE: This function is base on get_auth().
1579#
1580get_srv_authMethod_pam()
1581{
1582    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"
1583
1584    _FIRST=1          # Flag for first time.
1585    _MENU_CHOICE=0
1586    _AUTHMETHOD=""    # Tmp method.
1587
1588    while :
1589    do
1590	# Call Menu handler
1591	srvauth_menu_handler
1592
1593	# Add Auth Method to list.
1594        if [ $_FIRST -eq 1 ]; then
1595	    if [ "$_AUTHMETHOD" = "" ]; then
1596		LDAP_SRV_AUTHMETHOD_PAM=""
1597	    else
1598		LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
1599	    fi
1600	    _FIRST=0
1601	else
1602	    LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}"
1603	fi
1604
1605	# Display current Authentication Method.
1606	${ECHO} ""
1607	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
1608	${ECHO} ""
1609
1610	# Prompt for another Auth Method, or break out.
1611	get_confirm_nodef "Do you want to add another Authentication Method?"
1612	if [ $? -eq 0 ]; then
1613	    break;
1614	fi
1615    done
1616
1617    # Check in case user reset string and exited loop.
1618    if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
1619	NEED_SRVAUTH_PAM=0
1620    fi
1621}
1622
1623
1624#
1625# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
1626#
1627#  NOTE: This function is base on get_auth().
1628#
1629get_srv_authMethod_key()
1630{
1631    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"
1632
1633    _FIRST=1          # Flag for first time.
1634    _MENU_CHOICE=0
1635    _AUTHMETHOD=""    # Tmp method.
1636
1637    while :
1638    do
1639	# Call Menu handler
1640	srvauth_menu_handler
1641
1642	# Add Auth Method to list.
1643        if [ $_FIRST -eq 1 ]; then
1644	    if [ "$_AUTHMETHOD" = "" ]; then
1645		LDAP_SRV_AUTHMETHOD_KEY=""
1646	    else
1647		LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
1648	    fi
1649	    _FIRST=0
1650	else
1651	    LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}"
1652	fi
1653
1654	# Display current Authentication Method.
1655	${ECHO} ""
1656	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
1657	${ECHO} ""
1658
1659	# Prompt for another Auth Method, or break out.
1660	get_confirm_nodef "Do you want to add another Authentication Method?"
1661	if [ $? -eq 0 ]; then
1662	    break;
1663	fi
1664    done
1665
1666    # Check in case user reset string and exited loop.
1667    if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
1668	NEED_SRVAUTH_KEY=0
1669    fi
1670}
1671
1672
1673#
1674# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
1675#
1676#  NOTE: This function is base on get_auth().
1677#
1678get_srv_authMethod_cmd()
1679{
1680    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"
1681
1682    _FIRST=1          # Flag for first time.
1683    _MENU_CHOICE=0
1684    _AUTHMETHOD=""    # Tmp method.
1685
1686    while :
1687    do
1688	# Call Menu handler
1689	srvauth_menu_handler
1690
1691	# Add Auth Method to list.
1692        if [ $_FIRST -eq 1 ]; then
1693	    if [ "$_AUTHMETHOD" = "" ]; then
1694		LDAP_SRV_AUTHMETHOD_CMD=""
1695	    else
1696		LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
1697	    fi
1698	    _FIRST=0
1699	else
1700	    LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}"
1701	fi
1702
1703	# Display current Authentication Method.
1704	${ECHO} ""
1705	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
1706	${ECHO} ""
1707
1708	# Prompt for another Auth Method, or break out.
1709	get_confirm_nodef "Do you want to add another Authentication Method?"
1710	if [ $? -eq 0 ]; then
1711	    break;
1712	fi
1713    done
1714
1715    # Check in case user reset string and exited loop.
1716    if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
1717	NEED_SRVAUTH_CMD=0
1718    fi
1719}
1720
1721
1722#
1723# get_srch_time(): Amount of time to search.
1724#
1725get_srch_time()
1726{
1727    get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
1728    LDAP_SEARCH_TIME_LIMIT=$NUM
1729}
1730
1731
1732#
1733# get_prof_ttl(): The profile time to live (TTL)
1734#
1735get_prof_ttl()
1736{
1737    get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help"
1738    LDAP_PROFILE_TTL=$NUM
1739}
1740
1741
1742#
1743# get_bind_limit(): Bind time limit
1744#
1745get_bind_limit()
1746{
1747    get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help"
1748    LDAP_BIND_LIMIT=$NUM
1749}
1750
1751
1752######################################################################
1753# FUNCTIONS  FOR Service Search Descriptor's START HERE.
1754######################################################################
1755
1756
1757#
1758# add_ssd(): Get SSD's from user and add to file.
1759#
1760add_ssd()
1761{
1762    [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"
1763
1764    # Enter the service id.  Loop til unique.
1765    while :
1766    do
1767	get_ans "Enter the service id:"
1768	_SERV_ID=$ANS
1769
1770	# Grep for name existing.
1771	${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
1772	if [ $? -eq 1 ]; then
1773	    break
1774	fi
1775
1776	# Name exists, print message, let user decide.
1777	${ECHO} "ERROR: Service id ${ANS} already exists."
1778    done
1779
1780    get_ans "Enter the base:"
1781    _BASE=$ANS
1782
1783    # Get the scope and verify that its one or sub.
1784    while :
1785    do
1786	get_ans "Enter the scope:"
1787	_SCOPE=$ANS
1788	case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
1789	    one) break ;;
1790	    sub) break ;;
1791	    *)   ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
1792	esac
1793    done
1794
1795    # Build SSD to add to file.
1796    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
1797
1798    # Add the SSD to the file.
1799    ${ECHO} "${_SSD}" >> ${SSD_FILE}
1800}
1801
1802
1803#
1804# delete_ssd(): Delete a SSD from the list.
1805#
1806delete_ssd()
1807{
1808    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"
1809
1810    # Get service id name from user for SSD to delete.
1811    get_ans_req "Enter service id to delete:"
1812
1813    # Make sure service id exists.
1814    ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1
1815    if [ $? -eq 1 ]; then
1816	${ECHO} "Invalid service id: $ANS not present in list."
1817	return
1818    fi
1819
1820    # Create temporary back SSD file.
1821    cp ${SSD_FILE} ${SSD_FILE}.bak
1822    if [ $? -eq 1 ]; then
1823	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
1824	exit 1
1825    fi
1826
1827    # Use ${GREP} to remove the SSD.  Read from temp file
1828    # and write to the orig file.
1829    ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE}
1830}
1831
1832
1833#
1834# modify_ssd(): Allow user to modify a SSD.
1835#
1836modify_ssd()
1837{
1838    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"
1839
1840    # Prompt user for service id.
1841    get_ans_req "Enter service id to modify:"
1842
1843    # Put into temp _LINE.
1844    _LINE=`${GREP} "^$ANS:" ${SSD_FILE}`
1845    if [ "$_LINE" = "" ]; then
1846	${ECHO} "Invalid service id: $ANS"
1847	return
1848    fi
1849
1850    # Display current filter for user to see.
1851    ${ECHO} ""
1852    ${ECHO} "Current SSD: $_LINE"
1853    ${ECHO} ""
1854
1855    # Get the defaults.
1856    _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
1857    _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`
1858
1859    # Create temporary back SSD file.
1860    cp ${SSD_FILE} ${SSD_FILE}.bak
1861    if [ $? -eq 1 ]; then
1862	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
1863	cleanup
1864	exit 1
1865    fi
1866
1867    # Removed the old line.
1868    ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
1869
1870    # New Entry
1871    _SERV_ID=$ANS
1872    get_ans_req "Enter the base:" "$_CURR_BASE"
1873    _BASE=$ANS
1874    get_ans_req "Enter the scope:" "$_CURR_SCOPE"
1875    _SCOPE=$ANS
1876
1877    # Build the new SSD.
1878    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
1879
1880    # Add the SSD to the file.
1881    ${ECHO} "${_SSD}" >> ${SSD_FILE}
1882}
1883
1884
1885#
1886# display_ssd(): Display the current SSD list.
1887#
1888display_ssd()
1889{
1890    [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"
1891
1892    ${ECHO} ""
1893    ${ECHO} "Current Service Search Descriptors:"
1894    ${ECHO} "=================================="
1895    cat ${SSD_FILE}
1896    ${ECHO} ""
1897    ${ECHO} "Hit return to continue."
1898    read __A
1899}
1900
1901
1902#
1903# prompt_ssd(): Get SSD's from user.
1904#
1905prompt_ssd()
1906{
1907    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"
1908    # See if user wants SSD's?
1909    get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
1910    [ "$?" -eq 0 ] && return
1911
1912    # Display menu for SSD choices.
1913    while :
1914    do
1915	display_msg prompt_ssd_menu
1916	get_ans "Enter menu choice:" "Quit"
1917	case "$ANS" in
1918	    [Aa] | add) add_ssd ;;
1919	    [Dd] | delete) delete_ssd ;;
1920	    [Mm] | modify) modify_ssd ;;
1921	    [Pp] | print | display) display_ssd ;;
1922	    [Xx] | reset | clear) reset_ssd_file ;;
1923	    [Hh] | Help | help)	display_msg ssd_menu_help
1924				${ECHO} " Press return to continue."
1925				read __A ;;
1926	    [Qq] | Quit | quit)	return ;;
1927	    *)    ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
1928	esac
1929    done
1930}
1931
1932
1933#
1934# reset_ssd_file(): Blank out current SSD file.
1935#
1936reset_ssd_file()
1937{
1938    [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()"
1939
1940    rm -f ${SSD_FILE}
1941    touch ${SSD_FILE}
1942}
1943
1944
1945#
1946# create_ssd_file(): Create a temporary file for SSD's.
1947#
1948create_ssd_file()
1949{
1950    [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()"
1951
1952    # Build a list of SSD's and store in temp file.
1953    ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \
1954	sed 's/LDAP_SERV_SRCH_DES=//' \
1955	> ${SSD_FILE}
1956}
1957
1958
1959#
1960# ssd_2_config(): Append the SSD file to the output file.
1961#
1962ssd_2_config()
1963{
1964    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()"
1965
1966    # Convert to config file format using sed.
1967    sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE}
1968}
1969
1970
1971#
1972# ssd_2_profile(): Add SSD's to the GEN_CMD string.
1973#
1974ssd_2_profile()
1975{
1976    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()"
1977
1978    GEN_TMPFILE=${TMPDIR}/ssd_tmpfile
1979    touch ${GEN_TMPFILE}
1980
1981    # Add and convert each SSD to string.
1982    while read SSD_LINE
1983    do
1984	${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE}
1985    done <${SSD_FILE}
1986
1987    # Add SSD's to GEN_CMD.
1988    GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`"
1989}
1990
1991
1992#
1993# prompt_config_info(): This function prompts the user for the config
1994# info that is not specified in the input file.
1995#
1996prompt_config_info()
1997{
1998    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"
1999
2000    # Prompt for iDS server name.
2001    get_ids_server
2002
2003    # Prompt for iDS port number.
2004    get_ids_port
2005
2006    # Check iDS version for compatibility.
2007    chk_ids_version
2008
2009    # Check if the server supports the VLV.
2010    chk_vlv_indexes
2011
2012    # Get the Directory manager DN and passwd.
2013    get_dirmgr_dn
2014    get_dirmgr_pw
2015
2016    #
2017    # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
2018    #   (i.e. The fields that show up in the profile.)
2019    #
2020    get_domain "domain_help"
2021
2022    get_basedn
2023
2024    get_profile_name
2025    get_srv_list
2026    get_pref_srv
2027    get_search_scope
2028
2029    # If cred is "anonymous", make auth == "none"
2030    get_cred_level
2031    if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
2032	get_auth
2033    fi
2034
2035    get_followref
2036
2037    # Query user about timelimt.
2038    get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
2039    NEED_TIME=$?
2040    [ $NEED_TIME -eq 1 ] && get_timelimit
2041
2042    # Query user about sizelimit.
2043    get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
2044    NEED_SIZE=$?
2045    [ $NEED_SIZE -eq 1 ] && get_sizelimit
2046
2047    # Does the user want to store passwords in crypt format?
2048    get_want_crypt
2049
2050    # Prompt for any Service Authentication Methods?
2051    get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
2052    if [ $? -eq 1 ]; then
2053	# Does the user want to set Service Authentication Method for pam_ldap?
2054	get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
2055	NEED_SRVAUTH_PAM=$?
2056	[ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam
2057
2058	# Does the user want to set Service Authentication Method for keyserv?
2059	get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
2060	NEED_SRVAUTH_KEY=$?
2061	[ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key
2062
2063	# Does the user want to set Service Authentication Method for passwd-cmd?
2064	get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
2065	NEED_SRVAUTH_CMD=$?
2066	[ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
2067    fi
2068
2069    # Get Timeouts
2070    get_srch_time
2071    get_prof_ttl
2072    get_bind_limit
2073
2074    # Reset the sdd_file and prompt user for SSD.  Will use menus
2075    # to build an SSD File.
2076    reset_ssd_file
2077    prompt_ssd
2078
2079    # Display FULL debugging info.
2080    disp_full_debug
2081
2082    # Extra blank line to separate prompt lines from steps.
2083    ${ECHO} " "
2084}
2085
2086
2087######################################################################
2088# FUNCTIONS  FOR display_summary() START HERE.
2089######################################################################
2090
2091
2092#
2093# get_proxyagent(): Get the proxyagent DN.
2094#
2095get_proxyagent()
2096{
2097    LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}"  # default
2098    get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
2099    LDAP_PROXYAGENT=$ANS
2100}
2101
2102
2103#
2104# get_proxy_pw(): Get the proxyagent passwd.
2105#
2106get_proxy_pw()
2107{
2108    get_passwd "Enter passwd for proxyagent:"
2109    LDAP_PROXYAGENT_CRED=$ANS
2110}
2111
2112
2113#
2114# display_summary(): Display a summary of values entered and let the
2115#                    user modify values at will.
2116#
2117display_summary()
2118{
2119    [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"
2120
2121    # Create lookup table for function names.  First entry is dummy for
2122    # shift.
2123    TBL1="dummy"
2124    TBL2="get_domain get_basedn get_profile_name"
2125    TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
2126    TBL4="get_auth get_followref"
2127    TBL5="get_timelimit get_sizelimit get_want_crypt"
2128    TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
2129    TBL7="get_srch_time get_prof_ttl get_bind_limit"
2130    TBL8="prompt_ssd"
2131    FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8"
2132
2133    # Since menu prompt string is long, set here.
2134    _MENU_PROMPT="Enter config value to change: (1-19 0=commit changes)"
2135
2136    # Infinite loop.  Test for 0, and break in loop.
2137    while :
2138    do
2139	# Display menu and get value in range.
2140	display_msg summary_menu
2141	get_menu_choice "${_MENU_PROMPT}" "0" "19" "0"
2142	_CH=$MN_CH
2143
2144	# Make sure where not exiting.
2145	if [ $_CH -eq 0 ]; then
2146	    break       # Break out of loop if 0 selected.
2147	fi
2148
2149	# Call appropriate function from function table.
2150	set $FUNC_TBL
2151	shift $_CH
2152	$1          # Call the appropriate function.
2153    done
2154
2155    # If cred level is still see if user wants a change?
2156    if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
2157    then
2158	if [ "$LDAP_AUTHMETHOD" != "none" ]; then
2159	    NEED_PROXY=1    # I assume integer test is faster?
2160	    get_proxyagent
2161	    get_proxy_pw
2162	else
2163	    ${ECHO} "WARNING: Since Authentication method is 'none'."
2164	    ${ECHO} "         Credential level will be set to 'anonymous'."
2165	    LDAP_CRED_LEVEL="anonymous"
2166	fi
2167    fi
2168
2169    # Display FULL debugging info.
2170    disp_full_debug
2171
2172    # Final confirmation message. (ARE YOU SURE!)
2173    ${ECHO} " "
2174    get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
2175    if [ $? -eq 0 ]; then
2176	${ECHO} "Terminating setup without making changes at users request."
2177	exit 1
2178    fi
2179
2180    # Print newline
2181    ${ECHO} " "
2182}
2183
2184
2185#
2186# create_config_file(): Write config data to config file specified.
2187#
2188create_config_file()
2189{
2190    [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"
2191
2192    # If output file exists, delete it.
2193    [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE
2194
2195    # Create output file.
2196    cat > $OUTPUT_FILE <<EOF
2197#!/bin/sh
2198# $OUTPUT_FILE - This file contains configuration information for
2199#                Native LDAP.  Use the idsconfig tool to load it.
2200#
2201# WARNING: This file was generated by idsconfig, and is intended to
2202#          be loaded by idsconfig as is.  DO NOT EDIT THIS FILE!
2203#
2204IDS_SERVER="$IDS_SERVER"
2205IDS_PORT=$IDS_PORT
2206IDS_TIMELIMIT=$IDS_TIMELIMIT
2207IDS_SIZELIMIT=$IDS_SIZELIMIT
2208LDAP_ROOTDN="$LDAP_ROOTDN"
2209LDAP_ROOTPWD=$LDAP_ROOTPWD
2210LDAP_DOMAIN="$LDAP_DOMAIN"
2211LDAP_SUFFIX="$LDAP_SUFFIX"
2212
2213# Internal program variables that need to be set.
2214NEED_PROXY=$NEED_PROXY
2215NEED_TIME=$NEED_TIME
2216NEED_SIZE=$NEED_SIZE
2217NEED_CRYPT=$NEED_CRYPT
2218
2219# LDAP PROFILE related defaults
2220LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
2221DEL_OLD_PROFILE=1
2222LDAP_BASEDN="$LDAP_BASEDN"
2223LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
2224LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
2225LDAP_FOLLOWREF=$LDAP_FOLLOWREF
2226LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
2227NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
2228NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
2229NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
2230LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
2231LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
2232LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
2233LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
2234LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
2235LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
2236LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
2237LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT
2238
2239# Proxy Agent
2240LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
2241LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED
2242
2243# Export all the variables (just in case)
2244export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
2245export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
2246export NEED_PROXY
2247export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 
2248export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
2249export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
2250export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
2251export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
2252export LDAP_SERV_SRCH_DES SSD_FILE
2253
2254# Service Search Descriptors start here if present:
2255EOF
2256    # Add service search descriptors.
2257    ssd_2_config "${OUTPUT_FILE}"
2258
2259    # Add the end of FILE tag.
2260    ${ECHO} "" >> ${OUTPUT_FILE}
2261    ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE}
2262}
2263
2264
2265#
2266# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
2267#
2268chk_vlv_indexes()
2269{
2270    # Do ldapsearch to see if server supports VLV.
2271    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
2272    eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"
2273    if [ $? -ne 0 ]; then
2274	${ECHO} "ERROR: VLV is not supported on LDAP server!"
2275	cleanup
2276	exit 1
2277    fi
2278    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV controls found on LDAP server."
2279}
2280
2281#
2282# get_backend(): this function gets the relevant backend
2283#                (database) for LDAP_BASED.
2284#                Description: set IDS_DATABASE; exit on failure.
2285#                Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are
2286#                valid.
2287#
2288#                backend is retrieved from suffixes and subsuffixes
2289#                defined under "cn=mapping tree,cn=config". The
2290#                nsslapd-state attribute of these suffixes entries
2291#                is filled with either Backend, Disabled or referrals
2292#                related values. We only want those that have a true
2293#                backend database to select the relevant backend.
2294#
2295get_backend()
2296{
2297    [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"
2298
2299    cur_suffix=${LDAP_BASEDN}
2300    prev_suffix=
2301    IDS_DATABASE=
2302    while [ "${cur_suffix}" != "${prev_suffix}" ]
2303    do
2304	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
2305	eval "${LDAPSEARCH} ${LDAP_ARGS} " \
2306		"-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
2307		"-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
2308		"| ${GREP} 'nsslapd-backend=' " \
2309		"> ${TMPDIR}/ids_database_name 2>&1"
2310	NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
2311	case ${NUM_DBS} in
2312	0) # not a suffix, or suffix not activated; try next
2313	    prev_suffix=${cur_suffix}
2314	    cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','`
2315	    ;;
2316	1) # suffix found; get database name
2317	    IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2`
2318	    ;;
2319	*) # can not handle more than one database per suffix
2320	    ${ECHO} "ERROR: More than one database is configured "
2321	    ${ECHO} "       for $LDAP_SUFFIX!"
2322	    ${ECHO} "       $PROG can not configure suffixes where "
2323	    ${ECHO} "       more than one database is used for one suffix."
2324	    cleanup
2325	    exit 1
2326	    ;;
2327	esac
2328	if [ -n "${IDS_DATABASE}" ]; then
2329	    break
2330	fi
2331    done
2332
2333    if [ -z "${IDS_DATABASE}" ]; then
2334	# should not happen, since LDAP_BASEDN is supposed to be valid
2335	${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
2336	${ECHO} "Exiting."
2337	cleanup
2338	exit 1
2339    fi
2340
2341    [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
2342}
2343
2344#
2345# validate_suffix(): This function validates ${LDAP_SUFFIX}
2346#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
2347#
2348validate_suffix()
2349{
2350    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"
2351
2352    # Check LDAP_SUFFIX is not null
2353    if [ -z "${LDAP_SUFFIX}" ]; then
2354	${ECHO} "Invalid suffix (null suffix)"
2355	cleanup
2356	exit 1
2357    fi
2358
2359    # Check LDAP_SUFFIX does exist
2360    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1"
2361    if [ $? -ne 0 ]; then
2362	${ECHO} "Invalid suffix ${LDAP_SUFFIX}"
2363	cleanup
2364	exit 1
2365    fi
2366
2367    # Check LDAP_SUFFIX and LDAP_BASEDN are consistent
2368    # Convert to lower case for basename.
2369    format_string "${LDAP_BASEDN}"
2370    LOWER_BASEDN="${FMT_STR}"
2371    format_string "${LDAP_SUFFIX}"
2372    LOWER_SUFFIX="${FMT_STR}"
2373
2374    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
2375    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
2376
2377    if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
2378    	sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
2379    	if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
2380	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
2381	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
2382	    cleanup
2383	    exit 1
2384	fi
2385    fi
2386}
2387
2388#
2389# validate_info(): This function validates the basic info collected
2390#                  So that some problems are caught right away.
2391#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
2392#
2393validate_info()
2394{
2395    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"
2396
2397    # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
2398    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
2399    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
2400    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
2401    export SERVER_ARGS
2402
2403    # Check the Root DN and Root DN passwd.
2404    # Use eval instead of $EVAL because not part of setup. (validate)
2405    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
2406    if [ $? -ne 0 ]; then
2407	eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
2408	if [ $? -eq 0 ]; then
2409	    ${ECHO} "ERROR: Root DN passwd is invalid."
2410	else
2411	    ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>."
2412	fi
2413	cleanup
2414	exit 1
2415    fi
2416    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN ... OK"
2417    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN passwd ... OK"
2418
2419    # Check if the server supports the VLV.
2420    chk_vlv_indexes
2421    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV indexes ... OK"
2422
2423    # Check LDAP suffix
2424    validate_suffix
2425    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP suffix ... OK"
2426
2427    # Get backend
2428    get_backend
2429    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP backend ... OK"
2430
2431}
2432
2433#
2434# format_string(): take a string as argument and set FMT_STR
2435# to be the same string formatted as follow:
2436# - only lower case characters
2437# - no unnecessary spaces around , and =
2438#
2439format_string()
2440{
2441    FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' |
2442	sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`
2443}
2444
2445#
2446# check_basedn_suffix(): check that there is an existing
2447# valid suffix to hold current base DN
2448# return:
2449#   0: valid suffix found
2450#   1: no valid suffix found, or user gives up
2451#   2: give it another try
2452#
2453check_basedn_suffix()
2454{
2455    [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"
2456
2457    # find out existing suffixes
2458    discover_serv_suffix
2459    if [ $? -ne 0 ]; then
2460	${ECHO} "No suffixes found. Exiting."
2461	return 1
2462    fi
2463
2464    ${ECHO} "  Validating LDAP Base DN and Suffix ..."
2465
2466    # check that LDAP Base DN might be added
2467    cur_ldap_entry=${LDAP_BASEDN}
2468    prev_ldap_entry=
2469    while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
2470    do
2471	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
2472	${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
2473		-s one "objectclass=*" > /dev/null 2>&1
2474	if [ $? -eq 0 ]; then
2475	    break
2476	else
2477	    prev_ldap_entry=${cur_ldap_entry}
2478	    cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
2479	fi
2480    done
2481
2482    if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
2483	[ $DEBUG -eq 1 ] && ${ECHO} "No valid LDAP suffix found"
2484	display_msg ldap_suffix_list
2485	get_confirm "Do you want to continue (h=help):" \
2486	    "y" ldap_suffix_list_help
2487	if [ $? -eq 0 ]; then
2488	    return 1 # users gives up
2489	else
2490	    return 2 # continue
2491	fi
2492    else
2493	[ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"
2494
2495	# Now looking for relevant suffix for this entry.
2496	# LDAP_SUFFIX will then be used to add necessary
2497	# base objects. See add_base_objects().
2498	format_string "${cur_ldap_entry}"
2499	lower_entry="${FMT_STR}"
2500	[ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
2501	oIFS=$IFS
2502	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
2503	IFS='
2504'
2505	for suff in ${LDAP_SUFFIX_LIST}
2506	do
2507	    [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
2508	    format_string "${suff}"
2509	    lower_suff="${FMT_STR}"
2510	    if [ "${lower_entry}" = "${lower_suff}" ]; then
2511		LDAP_SUFFIX="${suff}"
2512		break
2513	    else
2514		dcstmp=`basename "${lower_entry}" "${lower_suff}"`
2515		if [ "${dcstmp}" = "${lower_entry}" ]; then
2516		    # invalid suffix, try next one
2517		    continue
2518		else
2519		    # valid suffix found
2520		    LDAP_SUFFIX="${suff}"
2521		    break
2522		fi
2523	    fi
2524	done
2525	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
2526	IFS=$oIFS
2527
2528	[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"
2529
2530	if [ -z "${LDAP_SUFFIX}" ]; then
2531	    # should not happen, since we found the entry
2532	    ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
2533	    ${ECHO} "Exiting."
2534	    return 1
2535	fi
2536
2537	# Getting relevant database (backend)
2538	# IDS_DATABASE will then be used to create indexes.
2539	get_backend
2540
2541	return 0
2542    fi
2543}
2544
2545#
2546# discover_serv_suffix(): This function queries the server to find
2547#    suffixes available
2548#  return: 0: OK, suffix found
2549#          1: suffix not determined
2550discover_serv_suffix()
2551{
2552    [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"
2553
2554    # Search the server for the TOP of the TREE.
2555    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
2556    ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
2557	${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
2558    NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
2559    case $NUM_TOP in
2560	0)
2561	    ${ECHO} "ERROR: No suffix found in LDAP tree"
2562	    return 1
2563	    ;;
2564	*)  # build the list of suffixes; take out 'namingContexts=' in
2565	    # each line of ${TMPDIR}/treeTOP
2566	    LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
2567		awk '{ printf("%s\n",substr($0,16,length-15)) }'`
2568	    [ $DEBUG -eq 1 ] && ${ECHO} "final list: ${LDAP_SUFFIX_LIST}"
2569
2570	    ;;
2571    esac
2572
2573    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
2574    return 0
2575}
2576
2577
2578#
2579# modify_cn(): Change the cn from MUST to MAY in ipNetwork.
2580#
2581modify_cn()
2582{
2583    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"
2584
2585    ( cat <<EOF
2586dn: cn=schema
2587changetype: modify
2588add: objectclasses
2589objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( ipNetworkNumber ) MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' ))
2590EOF
2591) > ${TMPDIR}/ipNetwork_cn
2592
2593    # Modify the cn for ipNetwork.
2594    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
2595    if [ $? -ne 0 ]; then
2596	${ECHO} "  ERROR: update of cn for ipNetwork failed!"
2597	cleanup
2598	exit 1
2599    fi
2600}
2601
2602
2603# modify_timelimit(): Modify timelimit to user value.
2604modify_timelimit()
2605{
2606    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"
2607
2608    # Here doc to modify timelimit.
2609    ( cat <<EOF
2610dn: cn=config
2611changetype: modify
2612replace: nsslapd-timelimit
2613nsslapd-timelimit: ${IDS_TIMELIMIT}
2614EOF
2615) > ${TMPDIR}/ids_timelimit
2616
2617    # Add the entry.
2618    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
2619    if [ $? -ne 0 ]; then
2620	${ECHO} "  ERROR: update of nsslapd-timelimit failed!"
2621	cleanup
2622	exit 1
2623    fi
2624
2625    # Display messages for modifications made in patch.
2626    ${ECHO} "  ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
2627    STEP=`expr $STEP + 1`
2628}
2629
2630
2631# modify_sizelimit(): Modify sizelimit to user value.
2632modify_sizelimit()
2633{
2634    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"
2635
2636    # Here doc to modify sizelimit.
2637    ( cat <<EOF
2638dn: cn=config
2639changetype: modify
2640replace: nsslapd-sizelimit
2641nsslapd-sizelimit: ${IDS_SIZELIMIT}
2642EOF
2643) > ${TMPDIR}/ids_sizelimit
2644
2645    # Add the entry.
2646    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
2647    if [ $? -ne 0 ]; then
2648	${ECHO} "  ERROR: update of nsslapd-sizelimit failed!"
2649	cleanup
2650	exit 1
2651    fi
2652
2653    # Display messages for modifications made in patch.
2654    ${ECHO} "  ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
2655    STEP=`expr $STEP + 1`
2656}
2657
2658
2659# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
2660modify_pwd_crypt()
2661{
2662    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"
2663
2664    # Here doc to modify passwordstoragescheme.
2665    # IDS 5.2 moved passwordchangesceme off to a new data structure.
2666    if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
2667	( cat <<EOF
2668dn: cn=config
2669changetype: modify
2670replace: passwordstoragescheme
2671passwordstoragescheme: crypt
2672EOF
2673	) > ${TMPDIR}/ids_crypt
2674    else
2675	( cat <<EOF
2676dn: cn=Password Policy,cn=config
2677changetype: modify
2678replace: passwordstoragescheme
2679passwordstoragescheme: crypt
2680EOF
2681	) > ${TMPDIR}/ids_crypt
2682    fi
2683
2684    # Add the entry.
2685    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
2686    if [ $? -ne 0 ]; then
2687	${ECHO} "  ERROR: update of passwordstoragescheme failed!"
2688	cleanup
2689	exit 1
2690    fi
2691
2692    # Display messages for modifications made in patch.
2693    ${ECHO} "  ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
2694    STEP=`expr $STEP + 1`
2695}
2696
2697
2698#
2699# add_eq_indexes(): Add indexes to improve search performance.
2700#
2701add_eq_indexes()
2702{
2703    [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"
2704
2705    # Set eq indexes to add.
2706    _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"
2707
2708    # Set _EXT to use as shortcut.
2709    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
2710
2711
2712    # Display message to id current step.
2713    ${ECHO} "  ${STEP}. Processing eq,pres indexes:"
2714    STEP=`expr $STEP + 1`
2715
2716    # For loop to create indexes.
2717    for i in ${_INDEXES}; do
2718	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
2719
2720	# Check if entry exists first, if so, skip to next.
2721	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_EXT}" -s base "objectclass=*" > /dev/null 2>&1
2722	if [ $? -eq 0 ]; then
2723	    # Display index skipped.
2724	    ${ECHO} "      ${i} (eq,pres) skipped already exists"
2725	    continue
2726	fi
2727
2728	# Here doc to create LDIF.
2729	( cat <<EOF
2730dn: cn=${i},${_EXT}
2731objectClass: top
2732objectClass: nsIndex
2733cn: ${i}
2734nsSystemIndex: false
2735nsIndexType: pres
2736nsIndexType: eq
2737EOF
2738) > ${TMPDIR}/index_${i}
2739
2740	# Add the index.
2741	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
2742	if [ $? -ne 0 ]; then
2743	    ${ECHO} "  ERROR: Adding EQ,PRES index for ${i} failed!"
2744	    cleanup
2745	    exit 1
2746	fi
2747
2748	# Build date for task name.
2749	_YR=`date '+%y'`
2750	_MN=`date '+%m'`
2751	_DY=`date '+%d'`
2752	_H=`date '+%H'`
2753	_M=`date '+%M'`
2754	_S=`date '+%S'`
2755
2756	# Build task name
2757	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
2758
2759	# Build the task entry to add.
2760	( cat <<EOF
2761dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
2762changetype: add
2763objectclass: top
2764objectclass: extensibleObject
2765cn: ${TASKNAME}
2766nsInstance: ${IDS_DATABASE}
2767nsIndexAttribute: ${i}
2768EOF
2769) > ${TMPDIR}/task_${i}
2770
2771	# Add the task.
2772	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
2773	if [ $? -ne 0 ]; then
2774	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
2775	    cleanup
2776	    exit 1
2777	fi
2778
2779	# Wait for task to finish, display current status.
2780	while :
2781	do
2782	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index, cn=tasks, cn=config\" -s sub \"objectclass=*\" > ${TMPDIR}/istask_${i} 2>&1"
2783	    ${GREP} ${TASKNAME} ${TMPDIR}/istask_${i} > /dev/null 2>&1
2784	    if [ $? -ne 0 ]; then
2785		break
2786	    fi
2787	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index,cn=tasks,cn=config\" -s one \"objectclass=*\" nstaskstatus | ${GREP} -i nstaskstatus | cut -d\":\" -f2 > ${TMPDIR}/wait_task_${i}"
2788	    TASK_STATUS=`head -1 ${TMPDIR}/wait_task_${i}`
2789	    ${ECHO} "      ${i} (eq,pres)  $TASK_STATUS                  \r\c"
2790	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
2791	    if [ $? -eq 0 ]; then
2792		break
2793	    fi
2794	    sleep 2
2795	done
2796
2797	# Print newline because of \c.
2798	${ECHO} " "
2799    done
2800}
2801
2802
2803#
2804# add_sub_indexes(): Add indexes to improve search performance.
2805#
2806add_sub_indexes()
2807{
2808    [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"
2809
2810    # Set eq indexes to add.
2811    _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"
2812
2813    # Set _EXT to use as shortcut.
2814    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
2815
2816
2817    # Display message to id current step.
2818    ${ECHO} "  ${STEP}. Processing eq,pres,sub indexes:"
2819    STEP=`expr $STEP + 1`
2820
2821    # For loop to create indexes.
2822    for i in ${_INDEXES}; do
2823	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
2824
2825	# Check if entry exists first, if so, skip to next.
2826	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_EXT}" -s base "objectclass=*" > /dev/null 2>&1
2827	if [ $? -eq 0 ]; then
2828	    # Display index skipped.
2829	    ${ECHO} "      ${i} (eq,pres,sub) skipped already exists"
2830	    continue
2831	fi
2832
2833	# Here doc to create LDIF.
2834	( cat <<EOF
2835dn: cn=${i},${_EXT}
2836objectClass: top
2837objectClass: nsIndex
2838cn: ${i}
2839nsSystemIndex: false
2840nsIndexType: pres
2841nsIndexType: eq
2842nsIndexType: sub
2843EOF
2844) > ${TMPDIR}/index_${i}
2845
2846	# Add the index.
2847	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
2848	if [ $? -ne 0 ]; then
2849	    ${ECHO} "  ERROR: Adding EQ,PRES,SUB index for ${i} failed!"
2850	    cleanup
2851	    exit 1
2852	fi
2853
2854	# Build date for task name.
2855	_YR=`date '+%y'`
2856	_MN=`date '+%m'`
2857	_DY=`date '+%d'`
2858	_H=`date '+%H'`
2859	_M=`date '+%M'`
2860	_S=`date '+%S'`
2861
2862	# Build task name
2863	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
2864
2865	# Build the task entry to add.
2866	( cat <<EOF
2867dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
2868changetype: add
2869objectclass: top
2870objectclass: extensibleObject
2871cn: ${TASKNAME}
2872nsInstance: ${IDS_DATABASE}
2873nsIndexAttribute: ${i}
2874EOF
2875) > ${TMPDIR}/task_${i}
2876
2877	# Add the task.
2878	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
2879	if [ $? -ne 0 ]; then
2880	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
2881	    cleanup
2882	    exit 1
2883	fi
2884
2885	# Wait for task to finish, display current status.
2886	while :
2887	do
2888	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index, cn=tasks, cn=config\" -s sub \"objectclass=*\" > ${TMPDIR}/istask_${i} 2>&1"
2889	    ${GREP} ${TASKNAME} ${TMPDIR}/istask_${i} > /dev/null 2>&1
2890	    if [ $? -ne 0 ]; then
2891		break
2892	    fi
2893	    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=index,cn=tasks,cn=config\" -s one \"objectclass=*\" nstaskstatus | ${GREP} -i nstaskstatus | cut -d\":\" -f2 > ${TMPDIR}/wait_task_${i}"
2894	    TASK_STATUS=`head -1 ${TMPDIR}/wait_task_${i}`
2895	    ${ECHO} "      ${i} (eq,pres,sub)  $TASK_STATUS                  \r\c"
2896	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
2897	    if [ $? -eq 0 ]; then
2898		break
2899	    fi
2900	    sleep 2
2901	done
2902
2903	# Print newline because of \c.
2904	${ECHO} " "
2905    done
2906}
2907
2908
2909#
2910# add_vlv_indexes(): Add VLV indexes to improve search performance.
2911#
2912add_vlv_indexes()
2913{
2914    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()"
2915
2916    # Set eq indexes to add.
2917    # Note semi colon separators because some filters contain colons
2918    _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup"
2919    _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost"
2920    _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork"
2921    _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount"
2922    _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc"
2923    _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount"
2924
2925    # Indexes added during NIS to LDAP transition
2926    _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount"
2927    _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr"
2928    _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser"
2929    _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr"
2930    _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)"
2931    _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)"
2932    _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup"
2933    _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)"
2934    _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)"
2935    _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup"
2936    _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)"
2937    _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)"
2938    _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService"
2939    _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)"
2940    _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)"
2941
2942    _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 "
2943
2944
2945    # Set _EXT to use as shortcut.
2946    _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
2947
2948
2949    # Display message to id current step.
2950    ${ECHO} "  ${STEP}. Processing VLV indexes:"
2951    STEP=`expr $STEP + 1`
2952
2953    # Reset temp file for vlvindex commands.
2954    [ -f ${TMPDIR}/vlvindex_list ] &&  rm ${TMPDIR}/vlvindex_list
2955    touch ${TMPDIR}/vlvindex_list
2956
2957    # Get the instance name from iDS server.
2958    _INSTANCE="<server-instance>"    # Default to old output.
2959
2960    eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1"
2961
2962    ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right?
2963    if [ $? -eq 0 ]; then # If success, grab name after "slapd-".
2964	_INST_DIR=`cat ${TMPDIR}/instance_name`
2965	_INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-`
2966    fi
2967
2968    # For loop to create indexes.
2969    for p in ${_INDEXES}; do
2970	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
2971
2972	# Break p (pair) into i and j parts.
2973        i=`${ECHO} $p | cut -d';' -f1`
2974        j=`${ECHO} $p | cut -d';' -f2`
2975        k=`${ECHO} $p | cut -d';' -f3`
2976        m=`${ECHO} $p | cut -d';' -f4`
2977
2978	# Set _jEXT to use as shortcut.
2979	_jEXT="cn=${j},${_EXT}"
2980
2981	# Check if entry exists first, if so, skip to next.
2982	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1
2983	if [ $? -eq 0 ]; then
2984	    # Display index skipped.
2985	    ${ECHO} "      ${i} vlv_index skipped already exists"
2986	    continue
2987	fi
2988
2989	# Compute the VLV Scope from the LDAP_SEARCH_SCOPE.
2990	# NOTE: A value of "base (0)" does not make sense.
2991        case "$LDAP_SEARCH_SCOPE" in
2992            sub) VLV_SCOPE="2" ;;
2993            *)   VLV_SCOPE="1" ;;
2994        esac
2995
2996	# Here doc to create LDIF.
2997	( cat <<EOF
2998dn: ${_jEXT}
2999objectClass: top
3000objectClass: vlvSearch
3001cn: ${j}
3002vlvbase: ${k},${LDAP_BASEDN}
3003vlvscope: ${VLV_SCOPE}
3004vlvfilter: (${m})
3005aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
3006
3007dn: cn=${i},${_jEXT}
3008cn: ${i}
3009vlvSort: cn uid
3010objectclass: top
3011objectclass: vlvIndex
3012EOF
3013) > ${TMPDIR}/vlv_index_${i}
3014
3015	# Add the index.
3016	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
3017	if [ $? -ne 0 ]; then
3018	    ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
3019	    cleanup
3020	    exit 1
3021	fi
3022
3023	# Print message that index was created.
3024	${ECHO} "      ${i} vlv_index   Entry created"
3025
3026	# Add command to list of vlvindex commands to run.
3027	${ECHO} "  directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/vlvindex_list
3028    done
3029}
3030
3031
3032#
3033# display_vlv_cmds(): Display VLV index commands to run on server.
3034#
3035display_vlv_cmds()
3036{
3037    if [ -s "${TMPDIR}/vlvindex_list" ]; then
3038	display_msg display_vlv_list
3039	cat ${TMPDIR}/vlvindex_list
3040    fi
3041}
3042
3043
3044#
3045# update_schema_attr(): Update Schema to support Naming.
3046#
3047update_schema_attr()
3048{
3049    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()"
3050
3051    ( cat <<EOF
3052dn: cn=schema
3053changetype: modify
3054add: attributetypes
3055attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3056attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3057attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3058attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3059attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3060attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3061attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3062attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3063attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3064attributetypes: ( rfc822mailMember-oid NAME 'rfc822mailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3065attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3066attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3067attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
3068attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3069attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
3070attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3071attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3072attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3073attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3074attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3075attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3076attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3077attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3078attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
3079attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3080attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3081attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3082attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3083attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3084attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3085attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3086attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3087attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3088attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3089attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3090attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3091attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3092attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3093attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE )
3094attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3095attributetypes: ( memberGid-oid NAME 'memberGid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3096attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3097attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
3098attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3099attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3100attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3101attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3102attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3103attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
3104attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
3105attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3106attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3107attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3108attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3109attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
3110attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
3111attributetypes:( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer.  This URI SHOULD be used as a relative distinguished name (RDN).  If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
3112attributetypes:( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer.  Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
3113attributetypes:( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3114attributetypes:( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer.  Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer.  Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3115attributetypes:( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
3116attributetypes:( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer.  This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
3117attributetypes:( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer.  For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser.  The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
3118attributetypes:( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device.  The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3119attributetypes:( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3120attributetypes:( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
3121attributetypes:( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer.  Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag.  For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized.  This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE )
3122attributetypes:( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
3123attributetypes:( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry.  For example: "en-us" (US English) or "fr-fr" (French in France).  Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
3124attributetypes:( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer.  Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3125attributetypes:( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  SINGLE-VALUE )
3126attributetypes:( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer.  For example: "deflate, gzip".  Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3127attributetypes:( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3128attributetypes:( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3129attributetypes:( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3130attributetypes:( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4.  Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
3131attributetypes:( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer.  Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3132attributetypes:( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer.  For example: "iso-a4",  "envelope", or "na-letter-white".  Legal values  conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3133attributetypes:( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured".  For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3134attributetypes:( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer.  Each resolution value is a string with 3 fields:  1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit.  Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter).  Each resolution field is delimited by ">".  For example:  "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
3135attributetypes:( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer.  For example: "draft, normal".  Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3136attributetypes:( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported.  An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity".  Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3137attributetypes:( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3138attributetypes:( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27  SINGLE-VALUE )
3139attributetypes:( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer.  It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
3140attributetypes:( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer.  It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
3141attributetypes:( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer.  Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3142attributetypes:( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3143attributetypes:( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3144attributetypes:( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
3145attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
3146attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
3147attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
3148attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
3149attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
3150EOF
3151) > ${TMPDIR}/schema_attr
3152
3153    # Add the entry.
3154    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}"
3155    if [ $? -ne 0 ]; then
3156	${ECHO} "  ERROR: update of schema attributes failed!"
3157	cleanup
3158	exit 1
3159    fi
3160
3161    # Display message that schema is updated.
3162    ${ECHO} "  ${STEP}. Schema attributes have been updated."
3163    STEP=`expr $STEP + 1`
3164}
3165
3166
3167#
3168# update_schema_obj(): Update the schema objectclass definitions.
3169#
3170update_schema_obj()
3171{
3172    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()"
3173
3174    # Add the objectclass definitions.
3175    ( cat <<EOF
3176dn: cn=schema
3177changetype: modify
3178add: objectclasses
3179objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP 'top' MUST (objectclass $ cn $ nisPublickey $ nisSecretkey) MAY (uidNumber $ description))
3180
3181dn: cn=schema
3182changetype: modify
3183add: objectclasses
3184objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP 'top' MUST (objectclass $ nisDomain) MAY ())
3185
3186dn: cn=schema
3187changetype: modify
3188add: objectclasses
3189objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP 'top' MUST (objectclass $ automountMapName) MAY (description))
3190
3191dn: cn=schema
3192changetype: modify
3193add: objectclasses
3194objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP 'top' MUST (objectclass $ automountKey $ automountInformation ) MAY (description))
3195
3196dn: cn=schema
3197changetype: modify
3198add: objectclasses
3199objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP 'top' MUST (objectclass $ cn $ SolarisLDAPservers $ SolarisSearchBaseDN) MAY (SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral))
3200
3201dn: cn=schema
3202changetype: modify
3203add: objectclasses
3204objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP 'top' MUST (objectclass $ mail) MAY (cn $ mgrpRFC822MailMember))
3205
3206dn: cn=schema
3207changetype: modify
3208add: objectclasses
3209objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP 'top' MUST (objectclass $ cn) MAY (rfc822mailMember))
3210
3211dn: cn=schema
3212changetype: modify
3213add: objectclasses
3214objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP 'top' MUST (objectclass $ cn) MAY (nisNetIdUser $ nisNetIdGroup $ nisNetIdHost))
3215
3216dn: cn=schema
3217changetype: modify
3218add: objectclasses
3219objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisAuditAlways $ SolarisAuditNever))
3220
3221dn: cn=schema
3222changetype: modify
3223add: objectclasses
3224objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue))
3225
3226dn: cn=schema
3227changetype: modify
3228add: objectclasses
3229objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue))
3230
3231dn: cn=schema
3232changetype: modify
3233add: objectclasses
3234objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue))
3235
3236dn: cn=schema
3237changetype: modify
3238add: objectclasses
3239objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue))
3240
3241dn: cn=schema
3242changetype: modify
3243add: objectclasses
3244objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP 'top' MUST (objectclass $ SolarisProjectID $ SolarisProjectName) MAY (memberUid $ memberGid $ description $ SolarisProjectAttr))
3245
3246dn: cn=schema
3247changetype: modify
3248add: objectclasses
3249objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP 'top' DESC 'Abstraction of a base configuration for a DUA' MUST (cn) MAY (defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL))
3250
3251dn: cn=schema
3252changetype: modify
3253add: objectclasses
3254objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP 'top' MUST (objectclass) MAY ())
3255
3256dn: cn=schema
3257changetype: modify
3258add: objectclasses
3259objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' AUXILIARY SUP 'slpService')
3260
3261dn: cn=schema
3262changetype: modify
3263add: objectclasses
3264objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' ABSTRACT SUP 'top' MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ))
3265
3266dn: cn=schema
3267changetype: modify
3268add: objectclasses
3269objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' STRUCTURAL SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported ))
3270
3271dn: cn=schema
3272changetype: modify
3273add: objectclasses
3274objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' AUXILIARY SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported ))
3275
3276dn: cn=schema
3277changetype: modify
3278add: objectclasses
3279objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' AUXILIARY SUP 'top' MAY   ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ))
3280
3281dn: cn=schema
3282changetype: modify
3283add: objectclasses
3284objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' AUXILIARY SUP 'top' MUST ( printer-name ) MAY ( printer-aliases))
3285
3286dn: cn=schema
3287changetype: modify
3288add: objectclasses
3289objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP 'top' AUXILIARY MUST (objectclass $ printer-name)  MAY (sun-printer-bsdaddr $ sun-printer-kvp))
3290
3291dn: cn=schema
3292changetype: modify
3293add: objectclasses
3294objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST ( cn ) MAY ( nisplusTimeZone $ description ) )
3295
3296dn: cn=schema
3297changetype: modify
3298add: objectclasses
3299objectclasses:  ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP 'top' MUST ( objectclass $ ipTnetTemplateName ) MAY ( SolarisAttrKeyValue ) )
3300
3301dn: cn=schema
3302changetype: modify
3303add: objectclasses
3304objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP 'top' AUXILIARY MUST ( objectclass $ ipTnetNumber ) )
3305EOF
3306) > ${TMPDIR}/schema_obj
3307
3308    # Add the entry.
3309    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}"
3310    if [ $? -ne 0 ]; then
3311	${ECHO} "  ERROR: update of schema objectclass definitions failed!"
3312	cleanup
3313	exit 1
3314    fi
3315
3316    # Display message that schema is updated.
3317    ${ECHO} "  ${STEP}. Schema objectclass definitions have been added."
3318    STEP=`expr $STEP + 1`
3319}
3320
3321
3322#
3323# modify_top_aci(): Modify the ACI for the top entry to disable self modify
3324#                   of user attributes.
3325#
3326modify_top_aci()
3327{
3328    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()"
3329
3330    # Set ACI Name
3331    ACI_NAME="LDAP_Naming_Services_deny_write_access"
3332
3333    # Search for ACI_NAME
3334    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1"
3335    if [ $? -ne 0 ]; then
3336	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
3337	cat ${TMPDIR}/chk_top_aci
3338	cleanup
3339	exit 1
3340    fi
3341    ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1
3342    if [ $? -eq 0 ]; then
3343	${ECHO} "  ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}."
3344	STEP=`expr $STEP + 1`
3345	return 0
3346    fi
3347
3348    # Crate LDIF for top level ACI.
3349    ( cat <<EOF
3350dn: ${LDAP_BASEDN}
3351changetype: modify
3352add: aci
3353aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";)
3354-
3355EOF
3356) > ${TMPDIR}/top_aci
3357
3358    # Add the entry.
3359    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}"
3360    if [ $? -ne 0 ]; then
3361	${ECHO} "  ERROR: Modify of top level ACI failed! (restricts self modify)"
3362	cleanup
3363	exit 1
3364    fi
3365
3366    # Display message that schema is updated.
3367    ${ECHO} "  ${STEP}. ACI for ${LDAP_BASEDN} modified to disable self modify."
3368    STEP=`expr $STEP + 1`
3369}
3370
3371
3372#
3373# add_vlv_aci(): Add access control information (aci) for VLV.
3374#
3375add_vlv_aci()
3376{
3377    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"
3378
3379    # Add the VLV ACI.
3380    ( cat <<EOF
3381dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
3382changetype: modify
3383replace: aci
3384aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
3385EOF
3386) > ${TMPDIR}/vlv_aci
3387
3388    # Add the entry.
3389    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
3390    if [ $? -ne 0 ]; then
3391	${ECHO} "  ERROR: Add of VLV ACI failed!"
3392	cleanup
3393	exit 1
3394    fi
3395
3396    # Display message that schema is updated.
3397    ${ECHO} "  ${STEP}. Add of VLV Access Control Information (ACI)."
3398    STEP=`expr $STEP + 1`
3399}
3400
3401
3402#
3403# set_nisdomain(): Add the NisDomainObject to the Base DN.
3404#
3405set_nisdomain()
3406{
3407    [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()"
3408
3409    # Check if nisDomain is already set.
3410    ${LDAPSEARCH} ${SERVER_ARGS} -b "${LDAP_BASEDN}" -s base "objectclass=*" > ${TMPDIR}/chk_nisdomain 2>&1
3411    eval "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}"
3412    if [ $? -eq 0 ]; then
3413	${ECHO} "  ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set."
3414	STEP=`expr $STEP + 1`
3415	return 0
3416    fi
3417
3418    # Add the new top level containers.
3419    ( cat <<EOF
3420dn: ${LDAP_BASEDN}
3421changetype: modify
3422objectclass: nisDomainObject
3423nisdomain: ${LDAP_DOMAIN}
3424EOF
3425) > ${TMPDIR}/nis_domain
3426
3427    # Add the entry.
3428    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}"
3429    if [ $? -ne 0 ]; then
3430	${ECHO} "  ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed."
3431	cleanup
3432	exit 1
3433    fi
3434
3435    # Display message that schema is updated.
3436    ${ECHO} "  ${STEP}. NisDomainObject added to ${LDAP_BASEDN}."
3437    STEP=`expr $STEP + 1`
3438}
3439
3440
3441#
3442# check_attrName(): Check that the attribute name is valid.
3443#              $1   Key to check.
3444#         Returns   0 : valid name	1 : invalid name
3445#
3446check_attrName()
3447{
3448    [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()"
3449    [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1"
3450
3451    ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1
3452    if [ $? -eq 0 ]; then
3453	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
3454			attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}"
3455    else
3456	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
3457			attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}"
3458    fi
3459
3460    if [ $? -ne 0 ]; then
3461	return 1
3462    else
3463	return 0
3464    fi
3465}
3466
3467
3468#
3469# get_objectclass():   Determine the objectclass for the given attribute name
3470#              $1   Attribute name to check.
3471#      _ATTR_NAME   Return value, Object Name or NULL if unknown to idsconfig.
3472#
3473#      NOTE: An attribute name can be valid but still we might not be able
3474#            to determine the objectclass from the table.
3475#            In such cases, the user needs to create the necessary object(s).
3476#
3477get_objectclass()
3478{
3479    [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()"
3480    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1"
3481
3482    # Set return value to NULL string.
3483    _ATTR_NAME=""
3484
3485    # Test key for type:
3486    case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in
3487	ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;;
3488	dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;;
3489	 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;;
3490	 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;;
3491	 *)  _ATTR_NAME="" ;;
3492    esac
3493
3494    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME"
3495}
3496
3497
3498#
3499# add_base_objects(): Add any necessary base objects.
3500#
3501add_base_objects()
3502{
3503    [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()"
3504
3505    # Convert to lower case for basename.
3506    format_string "${LDAP_BASEDN}"
3507    LOWER_BASEDN="${FMT_STR}"
3508    format_string "${LDAP_SUFFIX}"
3509    LOWER_SUFFIX="${FMT_STR}"
3510
3511    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
3512    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
3513
3514    # Create additional components.
3515    if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then
3516	[ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent"
3517    else
3518	# first, test that the suffix is valid
3519	dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
3520	if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then
3521	    # should not happen since check_basedn_suffix() succeeded
3522	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
3523	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
3524	    cleanup
3525	    exit 1
3526	fi
3527	# OK, suffix is valid, start working with LDAP_BASEDN
3528	# field separator is ',' (i.e., space is a valid character)
3529	dcstmp2="`${ECHO} ${LDAP_BASEDN} |
3530		sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`"
3531	dcs=""
3532	# use dcstmp to count the loop, and dcstmp2 to get the correct
3533	# string case
3534	# dcs should be in reverse order, only for these components
3535	# that need to be added
3536	while [ -n "${dcstmp}" ]
3537	do
3538	    i2=`${ECHO} "$dcstmp2" | cut -f1 -d','`
3539	    dk=`${ECHO} $i2 | awk -F= '{print $1}'`
3540	    dc=`${ECHO} $i2 | awk -F= '{print $2}'`
3541	    dcs="$dk=$dc,$dcs";
3542	    dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','`
3543	    dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','`
3544	    [ $DEBUG -eq 1 ] && \
3545		${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n"
3546	done
3547
3548
3549
3550	lastdc=${LDAP_SUFFIX}
3551	dc=`${ECHO} "${dcs}" | cut -f1 -d','`
3552	dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','`
3553	while [ -n "${dc}" ]; do
3554	    # Get Key and component from $dc.
3555	    dk2=`${ECHO} $dc | awk -F= '{print $1}'`
3556	    dc2=`${ECHO} $dc | awk -F= '{print $2}'`
3557
3558	    # At this point, ${dk2} is a valid attribute name
3559
3560	    # Check if entry exists first, if so, skip to next.
3561	    ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1
3562	    if [ $? -eq 0 ]; then
3563	        # Set the $lastdc to new dc.
3564	        lastdc="${dk2}=${dc2},$lastdc"
3565
3566		# Process next component.
3567		dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
3568		dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
3569		continue
3570
3571	    fi
3572
3573	    # Determine the objectclass for the entry.
3574            get_objectclass $dk2
3575	    OBJ_Name=${_ATTR_NAME}
3576	    if [ "${OBJ_Name}" = "" ]; then
3577	        ${ECHO} "Cannot determine objectclass for $dk2"
3578	        ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig"
3579	        exit 1
3580	    fi
3581
3582	    # Add the new container.
3583	    ( cat <<EOF
3584dn: ${dk2}=${dc2},$lastdc
3585${dk2}: $dc2
3586objectClass: top
3587objectClass: ${OBJ_Name}
3588EOF
3589) > ${TMPDIR}/base_objects
3590
3591
3592	    # Set the $lastdc to new dc.
3593	    lastdc="${dk2}=${dc2},$lastdc"
3594
3595	    # Add the entry.
3596	    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}"
3597	    if [ $? -ne 0 ]; then
3598		${ECHO} "  ERROR: update of base objects ${dc} failed."
3599		cleanup
3600		exit 1
3601	    fi
3602
3603	    # Display message that schema is updated.
3604	    ${ECHO} "  ${STEP}. Created DN component ${dc}."
3605	    STEP=`expr $STEP + 1`
3606
3607	    # Process next component.
3608	    dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
3609	    dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
3610	done
3611    fi
3612}
3613
3614
3615#
3616# add_new_containers(): Add the top level classes.
3617#
3618#    $1 = Base DN
3619#
3620add_new_containers()
3621{
3622    [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()"
3623
3624    for ou in people group rpc protocols networks netgroup \
3625	aliases hosts services ethers profile printers \
3626	SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do
3627
3628	# Check if nismaps already exist.
3629	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
3630	if [ $? -eq 0 ]; then
3631	    continue
3632	fi
3633
3634	# Create TMP file to add.
3635	( cat <<EOF
3636dn: ou=${ou},${LDAP_BASEDN}
3637ou: ${ou}
3638objectClass: top
3639objectClass: organizationalUnit
3640EOF
3641) > ${TMPDIR}/toplevel.${ou}
3642
3643	# Add the entry.
3644	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}"
3645	if [ $? -ne 0 ]; then
3646	    ${ECHO} "  ERROR: Add of ou=${ou} container failed!"
3647	    cleanup
3648	    exit 1
3649	fi
3650    done
3651
3652    # Display message that top level OU containers complete.
3653    ${ECHO} "  ${STEP}. Top level \"ou\" containers complete."
3654    STEP=`expr $STEP + 1`
3655}
3656
3657
3658#
3659# add_auto_maps(): Add the automount map entries.
3660#
3661# auto_home, auto_direct, auto_master, auto_shared
3662#
3663add_auto_maps()
3664{
3665    [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()"
3666
3667    # Set AUTO_MAPS for maps to create.
3668    AUTO_MAPS="auto_home auto_direct auto_master auto_shared"
3669
3670    for automap in $AUTO_MAPS; do
3671	# Check if automaps already exist.
3672	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
3673	if [ $? -eq 0 ]; then
3674	    continue
3675	fi
3676
3677	# Create the tmp file to add.
3678	( cat <<EOF
3679dn: automountMapName=${automap},${LDAP_BASEDN}
3680automountMapName: ${automap}
3681objectClass: top
3682objectClass: automountMap
3683EOF
3684) > ${TMPDIR}/automap.${automap}
3685
3686	# Add the entry.
3687	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}"
3688	if [ $? -ne 0 ]; then
3689	    ${ECHO} "  ERROR: Add of automap ${automap} failed!"
3690	    cleanup
3691	    exit 1
3692	fi
3693    done
3694
3695    # Display message that automount entries are updated.
3696    ${ECHO} "  ${STEP}. automount maps: $AUTO_MAPS processed."
3697    STEP=`expr $STEP + 1`
3698}
3699
3700
3701#
3702# add_proxyagent(): Add entry for nameservice to use to access server.
3703#
3704add_proxyagent()
3705{
3706    [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()"
3707
3708    # Check if nismaps already exist.
3709    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}"
3710    if [ $? -eq 0 ]; then
3711	${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists."
3712	STEP=`expr $STEP + 1`
3713	return 0
3714    fi
3715
3716    # Get cn and sn names from LDAP_PROXYAGENT.
3717    cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=`
3718
3719    # Create the tmp file to add.
3720    ( cat <<EOF
3721dn: ${LDAP_PROXYAGENT}
3722cn: ${cn_tmp}
3723sn: ${cn_tmp}
3724objectclass: top
3725objectclass: person
3726userpassword: ${LDAP_PROXYAGENT_CRED}
3727EOF
3728) > ${TMPDIR}/proxyagent
3729
3730    # Add the entry.
3731    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}"
3732    if [ $? -ne 0 ]; then
3733	${ECHO} "  ERROR: Adding proxyagent failed!"
3734	cleanup
3735	exit 1
3736    fi
3737
3738    # Display message that schema is updated.
3739    ${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added."
3740    STEP=`expr $STEP + 1`
3741}
3742
3743
3744#
3745# allow_proxy_read_pw(): Give Proxy Agent read permission for password.
3746#
3747allow_proxy_read_pw()
3748{
3749    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()"
3750
3751    # Set ACI Name
3752    PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"
3753
3754    # Search for ACI_NAME
3755    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
3756    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1
3757    if [ $? -eq 0 ]; then
3758	${ECHO} "  ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}."
3759	STEP=`expr $STEP + 1`
3760	return 0
3761    fi
3762
3763    # Create the tmp file to add.
3764    ( cat <<EOF
3765dn: ${LDAP_BASEDN}
3766changetype: modify
3767add: aci
3768aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")(version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) userdn = "ldap:///${LDAP_PROXYAGENT}";)
3769EOF
3770) > ${TMPDIR}/proxy_read
3771
3772    # Add the entry.
3773    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}"
3774    if [ $? -ne 0 ]; then
3775	${ECHO} "  ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!"
3776	cleanup
3777	exit 1
3778    fi
3779
3780    # Display message that schema is updated.
3781    ${ECHO} "  ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password."
3782    STEP=`expr $STEP + 1`
3783}
3784
3785
3786#
3787# add_profile(): Add client profile to server.
3788#
3789add_profile()
3790{
3791    [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"
3792
3793    # If profile name already exists, DELETE it, and add new one.
3794    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
3795    if [ $? -eq 0 ]; then
3796	# Create Delete file.
3797	( cat <<EOF
3798cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
3799EOF
3800) > ${TMPDIR}/del_profile
3801
3802	# Check if DEL_OLD_PROFILE is set.  (If not ERROR)
3803	if [ $DEL_OLD_PROFILE -eq 0 ]; then
3804	    ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
3805	    exit 1
3806	fi
3807
3808	# Delete the OLD profile.
3809	${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
3810	if [ $? -ne 0 ]; then
3811	    ${ECHO} "  ERROR: Attempt to DELETE profile failed!"
3812	    cleanup
3813	    exit 1
3814	fi
3815    fi
3816
3817    # Build the "ldapclient genprofile" command string to execute.
3818    GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""
3819
3820    # Add required argument defaultSearchBase.
3821    GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""
3822
3823    # Add optional parameters.
3824    [ -n "$LDAP_SERVER_LIST" ] && \
3825	GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
3826    [ -n "$LDAP_SEARCH_SCOPE" ] && \
3827	GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
3828    [ -n "$LDAP_CRED_LEVEL" ] && \
3829	GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
3830    [ -n "$LDAP_AUTHMETHOD" ] && \
3831	GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
3832    [ -n "$LDAP_FOLLOWREF" ] && \
3833	GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
3834    [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
3835	GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
3836    [ -n "$LDAP_PROFILE_TTL" ] && \
3837	GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
3838    [ -n "$LDAP_BIND_LIMIT" ] && \
3839	GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
3840    [ -n "$LDAP_PREF_SRVLIST" ] && \
3841	GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
3842    [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
3843	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
3844    [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
3845	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
3846    [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
3847	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""
3848
3849    # Check if there are any service search descriptors to ad.
3850    if [ -s "${SSD_FILE}" ]; then
3851	ssd_2_profile
3852    fi
3853
3854    # Execute "ldapclient genprofile" to create profile.
3855    eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
3856    if [ $? -ne 0 ]; then
3857	${ECHO} "  ERROR: ldapclient genprofile failed!"
3858	cleanup
3859	exit 1
3860    fi
3861
3862    # Add the generated profile..
3863    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
3864    if [ $? -ne 0 ]; then
3865	${ECHO} "  ERROR: Attempt to add profile failed!"
3866	cleanup
3867	exit 1
3868    fi
3869
3870    # Display message that schema is updated.
3871    ${ECHO} "  ${STEP}. Generated client profile and loaded on server."
3872    STEP=`expr $STEP + 1`
3873}
3874
3875
3876#
3877# cleanup(): Remove the TMPDIR and all files in it.
3878#
3879cleanup()
3880{
3881    [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"
3882
3883    rm -fr ${TMPDIR}
3884}
3885
3886
3887#
3888# 			* * * MAIN * * *
3889#
3890# Description:
3891# This script assumes that the iPlanet Directory Server (iDS) is
3892# installed and that setup has been run.  This script takes the
3893# iDS server from that point and sets up the infrastructure for
3894# LDAP Naming Services.  After running this script, ldapaddent(1M)
3895# or some other tools can be used to populate data.
3896
3897# Initialize the variables that need to be set to NULL, or some
3898# other initial value before the rest of the functions can be called.
3899init
3900
3901# Parse command line arguments.
3902parse_arg $*
3903shift $?
3904
3905# Print extra line to separate from prompt.
3906${ECHO} " "
3907
3908# Either Load the user specified config file
3909# or prompt user for config info.
3910if [ -n "$INPUT_FILE" ]
3911then
3912    load_config_file
3913    INTERACTIVE=0      # Turns off prompts that occur later.
3914    validate_info      # Validate basic info in file.
3915    chk_ids_version    # Check iDS version for compatibility.
3916else
3917    # Display BACKUP warning to user.
3918    display_msg backup_server
3919    get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
3920    if [ $? -eq 0 ]; then    # if No, cleanup and exit.
3921	cleanup ; exit 1
3922    fi
3923
3924    # Prompt for values.
3925    prompt_config_info
3926    display_summary    # Allow user to modify results.
3927    INTERACTIVE=1      # Insures future prompting.
3928fi
3929
3930# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
3931modify_cn
3932
3933# Modify timelimit to user value.
3934[ $NEED_TIME -eq 1 ] && modify_timelimit
3935
3936# Modify sizelimit to user value.
3937[ $NEED_SIZE -eq 1 ] && modify_sizelimit
3938
3939# Modify the password storage scheme to support CRYPT.
3940if [ "$NEED_CRYPT" = "TRUE" ]; then
3941    modify_pwd_crypt
3942fi
3943
3944# Update the schema (Attributes, Objectclass Definitions)
3945update_schema_attr
3946update_schema_obj
3947
3948# Add base objects (if needed)
3949add_base_objects
3950
3951# Update the NisDomainObject.
3952#   The Base DN might of just been created, so this MUST happen after
3953#   the base objects have been added!
3954set_nisdomain
3955
3956# Add top level classes (new containers)
3957add_new_containers
3958
3959# Add common nismaps.
3960add_auto_maps
3961
3962# Modify top ACI.
3963modify_top_aci
3964
3965# Add Access Control Information for VLV.
3966add_vlv_aci
3967
3968# if Proxy needed, Add Proxy Agent and give read permission for password.
3969if [ $NEED_PROXY -eq 1 ]; then
3970    add_proxyagent
3971    allow_proxy_read_pw
3972fi
3973
3974# Generate client profile and add it to the server.
3975add_profile
3976
3977# Add Indexes to improve Search Performance.
3978add_eq_indexes
3979add_sub_indexes
3980add_vlv_indexes
3981
3982# Display setup complete message
3983display_msg setup_complete
3984
3985# Display VLV index commands to be executed on server.
3986display_vlv_cmds
3987
3988# Create config file if requested.
3989[ -n "$OUTPUT_FILE" ] && create_config_file
3990
3991# Removed the TMPDIR and all files in it.
3992cleanup
3993
3994exit 0
3995# end of MAIN.
3996