xref: /titanic_52/usr/src/cmd/ldap/ns_ldap/idsconfig.sh (revision f275d02f08c70e13825071e2577d1481e8bba78e)
1#!/bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II.
24#
25# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
26# Use is subject to license terms.
27#
28
29#
30# display_msg(): Displays message corresponding to the tag passed in.
31#
32display_msg()
33{
34    case "$1" in
35    usage) cat <<EOF
36 $PROG: [ -v ] [ -i input file ] [ -o output file ]
37   i <input file>     Get setup info from input file.
38   o <output file>    Generate a server configuration output file.
39   v                  Verbose mode
40EOF
41    ;;
42    backup_server) cat <<EOF
43It is strongly recommended that you BACKUP the directory server
44before running $PROG.
45
46Hit Ctrl-C at any time before the final confirmation to exit.
47
48EOF
49    ;;
50    setup_complete) cat <<EOF
51
52$PROG: Setup of iDS server ${IDS_SERVER} is complete.
53
54EOF
55    ;;
56    display_vlv_list) cat <<EOF
57
58Note: idsconfig has created entries for VLV indexes. 
59
60      For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER}
61      to stop the server.  Then, using directoryserver, follow the
62      directoryserver examples below to create the actual VLV indexes.
63
64      For DS6.x, use dsadm command delivered with DS6.x on ${IDS_SERVER}
65      to stop the server.  Then, using dsadm, follow the
66      dsadm examples below to create the actual VLV indexes.
67
68EOF
69    ;;
70    cred_level_menu) cat <<EOF
71The following are the supported credential levels:
72  1  anonymous
73  2  proxy
74  3  proxy anonymous
75  4  self
76  5  self proxy
77  6  self proxy anonymous
78EOF
79    ;;
80    auth_method_menu) cat <<EOF
81The following are the supported Authentication Methods:
82  1  none
83  2  simple
84  3  sasl/DIGEST-MD5
85  4  tls:simple
86  5  tls:sasl/DIGEST-MD5
87  6  sasl/GSSAPI
88EOF
89    ;;
90    srvauth_method_menu) cat <<EOF
91The following are the supported Authentication Methods:
92  1  simple
93  2  sasl/DIGEST-MD5
94  3  tls:simple
95  4  tls:sasl/DIGEST-MD5
96  5  sasl/GSSAPI
97EOF
98    ;;
99    prompt_ssd_menu) cat <<EOF
100  A  Add a Service Search Descriptor
101  D  Delete a SSD
102  M  Modify a SSD
103  P  Display all SSD's
104  H  Help
105  X  Clear all SSD's
106
107  Q  Exit menu
108EOF
109    ;;
110    summary_menu)
111
112	SUFFIX_INFO=
113	DB_INFO=
114
115	[ -n "${NEED_CREATE_SUFFIX}" ] &&
116	{
117		SUFFIX_INFO=`cat <<EOF
118
119         Suffix to create          : $LDAP_SUFFIX
120EOF
121`
122		[ -n "${NEED_CREATE_BACKEND}" ] &&
123			DB_INFO=`cat <<EOF
124
125         Database to create        : $IDS_DATABASE
126EOF
127`
128	}
129
130	cat <<EOF
131              Summary of Configuration
132
133  1  Domain to serve               : $LDAP_DOMAIN
134  2  Base DN to setup              : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO
135  3  Profile name to create        : $LDAP_PROFILE_NAME
136  4  Default Server List           : $LDAP_SERVER_LIST
137  5  Preferred Server List         : $LDAP_PREF_SRVLIST
138  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
139  7  Credential Level              : $LDAP_CRED_LEVEL
140  8  Authentication Method         : $LDAP_AUTHMETHOD
141  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
142 10  iDS Time Limit                : $IDS_TIMELIMIT
143 11  iDS Size Limit                : $IDS_SIZELIMIT
144 12  Enable crypt password storage : $NEED_CRYPT
145 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
146 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
147 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
148 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
149 17  Profile Time to Live          : $LDAP_PROFILE_TTL
150 18  Bind Limit                    : $LDAP_BIND_LIMIT
151 19  Enable shadow update          : $LDAP_ENABLE_SHADOW_UPDATE
152 20  Service Search Descriptors Menu
153
154EOF
155    ;;
156    sfx_not_suitable) cat <<EOF
157
158Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN}
159
160EOF
161    ;;
162    obj_not_found) cat <<EOF
163
164Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute
165
166EOF
167    ;;
168    sfx_config_incons) cat <<EOF
169
170Sorry, there is no suffix mapping for ${LDAP_SUFFIX},
171while ldbm database exists, server configuration needs to be fixed manually,
172look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config
173
174EOF
175    ;;
176    ldbm_db_exist) cat <<EOF
177
178Database "${IDS_DATABASE}" already exists,
179however "${IDS_DATABASE_AVAIL}" name is available
180
181EOF
182    ;;
183    unable_find_db_name) cat <<EOF
184    
185Unable to find any available database name close to "${IDS_DATABASE}"
186
187EOF
188    ;;
189    create_ldbm_db_error) cat <<EOF
190
191ERROR: unable to create suffix ${LDAP_SUFFIX}
192       due to server error that occurred during creation of ldbm database
193
194EOF
195    ;;
196    create_suffix_entry_error) cat <<EOF
197
198ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class
199
200EOF
201    ;;
202    ldap_suffix_list) cat <<EOF
203
204No valid suffixes (naming contexts) were found for LDAP base DN:
205${LDAP_BASEDN}
206
207Available suffixes are:
208${LDAP_SUFFIX_LIST}
209
210EOF
211    ;;
212    sorry) cat <<EOF
213
214HELP - No help is available for this topic.
215
216EOF
217    ;;
218    create_suffix_help) cat <<EOF
219
220HELP - Our Base DN is ${LDAP_BASEDN}
221       and we need to create a Directory Suffix,
222       which can be equal to Base DN itself or be any of Base DN parents.
223       All intermediate entries up to suffix will be created on demand.
224
225EOF
226    ;;
227    enter_ldbm_db_help) cat <<EOF
228
229HELP - ldbm database is an internal database for storage of our suffix data.
230       Database name must be alphanumeric due to Directory Server restriction.
231
232EOF
233    ;;
234    backup_help) cat <<EOF
235
236HELP - Since idsconfig modifies the directory server configuration,
237       it is strongly recommended that you backup the server prior
238       to running this utility.  This is especially true if the server
239       being configured is a production server.
240
241EOF
242    ;;
243    port_help) cat <<EOF
244
245HELP - Enter the port number the directory server is configured to
246       use for LDAP.
247
248EOF
249    ;;
250    domain_help) cat <<EOF
251
252HELP - This is the DNS domain name this server will be serving.  You
253       must provide this name even if the server is not going to be populated
254       with hostnames.  Any unqualified hostname stored in the directory
255       will be fully qualified using this DNS domain name.
256
257EOF
258    ;;
259    basedn_help) cat <<EOF
260
261HELP - This parameter defines the default location in the directory tree for
262       the naming services entries.  You can override this default by using 
263       serviceSearchDescriptors (SSD). You will be given the option to set up 
264       an SSD later on in the setup.
265
266EOF
267    ;;
268    profile_help) cat <<EOF
269
270HELP - Name of the configuration profile with which the clients will be
271       configured. A directory server can store various profiles for multiple 
272       groups of clients.  The initialization tool, (ldapclient(1M)), assumes 
273       "default" unless another is specified.
274
275EOF
276    ;;
277    def_srvlist_help) cat <<EOF
278
279HELP - Provide a list of directory servers to serve clients using this profile.
280       All these servers should contain consistent data and provide similar 
281       functionality.  This list is not ordered, and clients might change the 
282       order given in this list. Note that this is a space separated list of 
283       *IP addresses* (not host names).  Providing port numbers is optional.
284
285EOF
286    ;;
287    pref_srvlist_help) cat <<EOF
288
289HELP - Provide a list of directory servers to serve this client profile. 
290       Unlike the default server list, which is not ordered, the preferred 
291       servers must be entered IN THE ORDER you wish to have them contacted. 
292       If you do specify a preferred server list, clients will always contact 
293       them before attempting to contact any of the servers on the default 
294       server list. Note that you must enter the preferred server list as a 
295       space-separated list of *IP addresses* (not host names).  Providing port 
296       numbers is optional.
297
298EOF
299    ;;
300    srch_scope_help) cat <<EOF
301
302HELP - Default search scope to be used for all searches unless they are
303       overwritten using serviceSearchDescriptors.  The valid options
304       are "one", which would specify the search will only be performed 
305       at the base DN for the given service, or "sub", which would specify 
306       the search will be performed through *all* levels below the base DN 
307       for the given service.
308
309EOF
310    ;;
311    cred_lvl_help) cat <<EOF
312
313HELP - This parameter defines what credentials the clients use to
314       authenticate to the directory server.  This list might contain
315       multiple credential levels and is ordered.  If a proxy level
316       is configured, you will also be prompted to enter a bind DN
317       for the proxy agent along with a password.  This proxy agent
318       will be created if it does not exist.
319
320EOF
321    ;;
322    auth_help) cat <<EOF
323
324HELP - The default authentication method(s) to be used by all services
325       in the client using this profile.  This is a ordered list of
326       authentication methods separated by a ';'.  The supported methods
327       are provided in a menu.  Note that sasl/DIGEST-MD5 binds require
328       passwords to be stored un-encrypted on the server.
329
330EOF
331    ;;
332    srvauth_help) cat <<EOF
333
334HELP - The authentication methods to be used by a given service.  Currently
335       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
336       The authentication method specified in this attribute overrides
337       the default authentication method defined in the profile.  This
338       feature can be used to select stronger authentication methods for
339       services which require increased security.
340
341EOF
342    ;;
343    pam_ldap_help) cat <<EOF
344
345HELP - The authentication method(s) to be used by pam_ldap when contacting
346       the directory server.  This is a ordered list, and, if provided, will
347       override the default authentication method parameter.
348
349EOF
350    ;;
351    keyserv_help) cat <<EOF
352
353HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
354       when contacting the directory server.  This is a ordered list and
355       if provided will override the default authentication method
356       parameter.
357
358EOF
359    ;;
360    passwd-cmd_help) cat <<EOF
361
362HELP - The authentication method(s) to be used by passwd(1) command when
363       contacting the directory server.  This is a ordered list and if
364       provided will override the default authentication method parameter.
365
366EOF
367    ;;
368    referrals_help) cat <<EOF
369
370HELP - This parameter indicates whether the client should follow
371       ldap referrals if it encounters one during naming lookups.
372
373EOF
374    ;;
375    tlim_help) cat <<EOF
376
377HELP - The server time limit value indicates the maximum amount of time the
378       server would spend on a query from the client before abandoning it.
379       A value of '-1' indicates no limit.
380
381EOF
382    ;;
383    slim_help) cat <<EOF
384
385HELP - The server sizelimit value indicates the maximum number of entries
386       the server would return in respond to a query from the client.  A
387       value of '-1' indicates no limit.
388
389EOF
390    ;;
391    crypt_help) cat <<EOF
392
393HELP - By default iDS does not store userPassword attribute values using
394       unix "crypt" format.  If you need to keep your passwords in the crypt
395       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'.  If
396       passwords are stored using any other format than crypt, pam_ldap
397       MUST be used by clients to authenticate users to the system. Note 
398       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
399       user passwords must be stored in the clear format.
400
401EOF
402    ;;
403    srchtime_help) cat <<EOF
404
405HELP - The search time limit the client will enforce for directory
406       lookups.
407
408EOF
409    ;;
410    profttl_help) cat <<EOF
411
412HELP - The time to live value for profile.  The client will refresh its
413       cached version of the configuration profile at this TTL interval.
414
415EOF
416    ;;
417    bindlim_help) cat <<EOF
418
419HELP - The time limit for the bind operation to the directory.  This
420       value controls the responsiveness of the client in case a server
421       becomes unavailable.  The smallest timeout value for a given
422       network architecture/conditions would work best.  This is very
423       similar to setting TCP timeout, but only for LDAP bind operation.
424
425EOF
426    ;;
427    ssd_help) cat <<EOF
428
429HELP - Using Service Search Descriptors (SSD), you can override the
430       default configuration for a given service.  The SSD can be
431       used to override the default search base DN, the default search
432       scope, and the default search filter to be used for directory
433       lookups.  SSD are supported for all services (databases)
434       defined in nsswitch.conf(4).  The default base DN is defined
435       in ldap(1).
436
437       Note: SSD are powerful tools in defining configuration profiles
438             and provide a great deal of flexibility.  However, care
439             must be taken in creating them.  If you decide to make use
440             of SSDs, consult the documentation first.
441
442EOF
443    ;;
444    ssd_menu_help) cat <<EOF
445
446HELP - Using this menu SSD can be added, updated, or deleted from
447       the profile.
448
449       A - This option creates a new SSD by prompting for the
450           service name, base DN, and scope.  Service name is
451           any valid service as defined in ldap(1).  base is
452           either the distinguished name to the container where
453           this service will use, or a relative DN followed
454           by a ','.
455       D - Delete a previously created SSD.
456       M - Modify a previously created SSD.
457       P - Display a list of all the previously created SSD.
458       X - Delete all of the previously created SSD.
459
460       Q - Exit the menu and continue with the server configuration.
461
462EOF
463    ;;
464    ldap_suffix_list_help) cat <<EOF
465
466HELP - No valid suffixes (naming contexts) are available on server 
467       ${IDS_SERVER}:${IDS_PORT}.
468       You must set an LDAP Base DN that can be contained in 
469       an existing suffix.
470
471EOF
472    ;;
473    enable_shadow_update_help) cat <<EOF
474
475HELP - Enter 'y' to set up the LDAP server for shadow update.
476       The setup will add an administrator identity/credential
477       and modify the necessary access controls for the client
478       to update shadow(4) data on the LDAP server. If sasl/GSSAPI
479       is in use, the Kerberos host principal will be used as the
480       administrator identity.
481
482       Shadow data is used for password aging and account locking.
483       Please refer to the shadow(4) manual page for details.
484
485EOF
486    ;;
487    add_admin_cred_help) cat <<EOF
488
489HELP - Start the setup to add an administrator identity/credential
490       and to modify access controls for the client to update
491       shadow(4) data on the LDAP server.
492
493       Shadow data is used for password aging and account locking.
494       Please refer to the shadow(4) manual page for details.
495
496EOF
497    ;;
498    use_host_principal_help) cat <<EOF
499
500HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self'
501       credential level is detected, enter 'y' to modify the necessary
502       access controls for allowing the client to update shadow(4) data
503       on the LDAP server.
504
505       Shadow data is used for password aging and account locking.
506       Please refer to the shadow(4) manual page for details.
507
508EOF
509    ;;
510    esac
511}
512
513
514#
515# get_ans(): gets an answer from the user.
516#		$1  instruction/comment/description/question
517#		$2  default value
518#
519get_ans()
520{
521    if [ -z "$2" ]
522    then
523	${ECHO} "$1 \c"
524    else
525	${ECHO} "$1 [$2] \c"
526    fi
527
528    read ANS
529    if [ -z "$ANS" ]
530    then
531	ANS=$2
532    fi
533}
534
535
536#
537# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
538#		$@  instruction/comment/description/question
539#
540get_ans_req()
541{
542    ANS=""                  # Set ANS to NULL.
543    while [ "$ANS" = "" ]
544    do
545	get_ans "$@"
546	[ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!"
547    done
548}
549
550
551#
552# get_number(): Querys and verifies that number entered is numeric.
553#               Function will repeat prompt user for number value.
554#               $1  Message text.
555#		$2  default value.
556#               $3  Help argument.
557#
558get_number()
559{
560    ANS=""                  # Set ANS to NULL.
561    NUM=""
562
563    get_ans "$1" "$2"
564
565    # Verify that value is numeric.
566    while not_numeric $ANS
567    do
568	case "$ANS" in
569	    [Hh] | help | Help | \?) display_msg ${3:-sorry} ;;
570	    * ) ${ECHO} "Invalid value: \"${ANS}\". \c"
571	     ;;
572	esac
573	# Get a new value.
574	get_ans "Enter a numeric value:" "$2"
575    done
576    NUM=$ANS
577}
578
579
580#
581# get_negone_num(): Only allows a -1 or positive integer.
582#                   Used for values where -1 has special meaning.
583#
584#                   $1 - Prompt message.
585#                   $2 - Default value (require).
586#                   $3 - Optional help argument.
587get_negone_num()
588{
589    while :
590    do
591	get_number "$1" "$2" "$3"
592	if is_negative $ANS
593	then
594	    if [ "$ANS" = "-1" ]; then
595		break  # -1 is OK, so break.
596	    else       # Need to re-enter number.
597		${ECHO} "Invalid number: please enter -1 or positive number."
598	    fi
599	else
600	    break      # Positive number
601	fi
602    done
603}
604
605
606#
607# get_passwd(): Reads a password from the user and verify with second.
608#		$@  instruction/comment/description/question
609#
610get_passwd()
611{
612    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"
613
614    # Temporary PASSWD variables
615    _PASS1=""
616    _PASS2=""
617
618    /usr/bin/stty -echo     # Turn echo OFF
619
620    # Endless loop that continues until passwd and re-entered passwd
621    # match.
622    while :
623    do
624	ANS=""                  # Set ANS to NULL.
625
626	# Don't allow NULL for first try.
627	while [ "$ANS" = "" ]
628	do
629	    get_ans "$@"
630	    [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
631	done
632	_PASS1=$ANS         # Store first try.
633
634	# Get second try.
635	${ECHO} ""
636	get_ans "Re-enter passwd:"
637	_PASS2=$ANS
638
639	# Test if passwords are identical.
640	if [ "$_PASS1" = "$_PASS2" ]; then
641	    break
642	fi
643
644	# Move cursor down to next line and print ERROR message.
645	${ECHO} ""
646	${ECHO} "ERROR: passwords don't match; try again."
647    done
648
649    /usr/bin/stty echo      # Turn echo ON
650
651    ${ECHO} ""
652}
653
654
655#
656# get_passwd_nochk(): Reads a password from the user w/o check.
657#		$@  instruction/comment/description/question
658#
659get_passwd_nochk()
660{
661    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"
662
663    /usr/bin/stty -echo     # Turn echo OFF
664
665    get_ans "$@"
666
667    /usr/bin/stty echo      # Turn echo ON
668
669    ${ECHO} ""
670}
671
672
673#
674# get_menu_choice(): Get a menu choice from user.  Continue prompting
675#                    till the choice is in required range.
676#   $1 .. Message text.
677#   $2 .. min value
678#   $3 .. max value
679#   $4 .. OPTIONAL: default value
680#
681#   Return value:
682#     MN_CH will contain the value selected.
683#
684get_menu_choice()
685{
686    # Check for req parameter.
687    if [ $# -lt 3 ]; then
688	${ECHO} "get_menu_choice(): Did not get required parameters."
689	return 1
690    fi
691
692    while :
693    do
694	get_ans "$1" "$4"
695	MN_CH=$ANS
696	is_negative $MN_CH
697	if [ $? -eq 1 ]; then
698	    if [ $MN_CH -ge $2 ]; then
699		if [ $MN_CH -le $3 ]; then
700		    return
701		fi
702	    fi
703	fi
704	${ECHO} "Invalid choice: $MN_CH"
705    done
706}
707
708
709#
710# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
711#                $1 - Message
712#                $2 - default value.
713#
714get_confirm()
715{
716    _ANSWER=
717
718    while :
719    do
720	# Display Internal ERROR if $2 not set.
721	if [ -z "$2" ]
722	then
723	    ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
724	    exit 2
725	fi
726
727	# Display prompt.
728	${ECHO} "$1 [$2] \c"
729
730	# Get the ANSWER.
731	read _ANSWER
732	if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then
733	    _ANSWER=$2
734	fi
735	case "$_ANSWER" in
736	    [Yy] | yes | Yes | YES) return 1 ;;
737	    [Nn] | no  | No  | NO)  return 0 ;;
738	    [Hh] | help | Help | \?) display_msg ${3:-sorry};;
739	    * ) ${ECHO} "Please enter y or n."  ;;
740	esac
741    done
742}
743
744
745#
746# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
747#                      No default value supported.
748#
749get_confirm_nodef()
750{
751    _ANSWER=
752
753    while :
754    do
755	${ECHO} "$@ \c"
756	read _ANSWER
757	case "$_ANSWER" in
758	    [Yy] | yes | Yes | YES) return 1 ;;
759	    [Nn] | no  | No  | NO)  return 0 ;;
760	    * ) ${ECHO} "Please enter y or n."  ;;
761	esac
762    done
763}
764
765
766#
767# is_numeric(): Tells is a string is numeric.
768#    0 = Numeric
769#    1 = NOT Numeric
770#
771is_numeric()
772{
773    # Check for parameter.
774    if [ $# -ne 1 ]; then
775	return 1
776    fi
777
778    # Determine if numeric.
779    expr "$1" + 1 > /dev/null 2>&1
780    if [ $? -ge 2 ]; then
781	return 1
782    fi
783
784    # Made it here, it's Numeric.
785    return 0
786}
787
788
789#
790# not_numeric(): Reverses the return values of is_numeric.  Useful
791#                 for if and while statements that want to test for
792#                 non-numeric data.
793#    0 = NOT Numeric
794#    1 = Numeric
795#
796not_numeric()
797{
798    is_numeric $1
799    if [ $? -eq 0 ]; then
800       return 1
801    else
802       return 0
803    fi
804}
805
806
807#
808# is_negative(): Tells is a Numeric value is less than zero.
809#    0 = Negative Numeric
810#    1 = Positive Numeric
811#    2 = NOT Numeric
812#
813is_negative()
814{
815    # Check for parameter.
816    if [ $# -ne 1 ]; then
817	return 1
818    fi
819
820    # Determine if numeric.  Can't use expr because -0 is
821    # considered positive??
822    if is_numeric $1; then
823	case "$1" in
824	    -*)  return 0 ;;   # Negative Numeric
825	    *)   return 1 ;;   # Positive Numeric
826	esac
827    else
828	return 2
829    fi
830}
831
832
833#
834# check_domainname(): check validity of a domain name.  Currently we check
835#                     that it has at least two components.
836#		$1  the domain name to be checked
837#
838check_domainname()
839{
840    if [ ! -z "$1" ]
841    then
842	t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
843	if [ "$t" = 0 ]
844	then
845	    return 1
846	fi
847    fi
848    return 0
849}
850
851
852#
853# check_baseDN(): check validity of the baseDN name.
854#		$1  the baseDN name to be checked
855#
856#     NOTE: The check_baseDN function does not catch all invalid DN's.
857#           Its purpose is to reduce the number of invalid DN's to
858#           get past the input routine.  The invalid DN's will be
859#           caught by the LDAP server when they are attempted to be
860#           created.
861#
862check_baseDN()
863{
864    ck_DN=$1
865    ${ECHO} "  Checking LDAP Base DN ..."
866    if [ ! -z "$ck_DN" ]; then
867        [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
868        # Check for = (assignment operator)
869        ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
870        if [ $? -ne 0 ]; then
871            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
872            return 1
873        fi
874
875        # Check all keys.
876        while :
877        do
878            # Get first key.
879            dkey=`${ECHO} $ck_DN | cut -d'=' -f1`
880
881            # Check that the key string is valid
882	    check_attrName $dkey
883	    if [ $? -ne 0 ]; then
884                [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
885                return 1
886            fi
887
888            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"
889
890            # Remove first key from DN
891            ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`
892
893            # Break loop if nothing left.
894            if [ "$ck_DN" = "" ]; then
895                break
896            fi
897        done
898    fi
899    return 0
900}
901
902
903#
904# domain_2_dc(): Convert a domain name into dc string.
905#    $1  .. Domain name.
906#
907domain_2_dc()
908{
909    _DOM=$1           # Domain parameter.
910    _DOM_2_DC=""      # Return value from function.
911    _FIRST=1          # Flag for first time.
912
913    export _DOM_2_DC  # Make visible for others.
914
915    # Convert "."'s to spaces for "for" loop.
916    domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
917    for i in $domtmp; do
918	if [ $_FIRST -eq 1 ]; then
919	    _DOM_2_DC="dc=${i}"
920	    _FIRST=0
921	else
922	    _DOM_2_DC="${_DOM_2_DC},dc=${i}"
923	fi
924    done
925}
926
927
928#
929# is_root_user(): Check to see if logged in as root user.
930#
931is_root_user()
932{
933    case `id` in
934	uid=0\(root\)*) return 0 ;;
935	* )             return 1 ;;
936    esac
937}
938
939
940#
941# parse_arg(): Parses the command line arguments and sets the
942#              appropriate variables.
943#
944parse_arg()
945{
946    while getopts "dvhi:o:" ARG
947    do
948	case $ARG in
949	    d)      DEBUG=1;;
950	    v)      VERB="";;
951	    i)      INPUT_FILE=$OPTARG;;
952	    o)      OUTPUT_FILE=$OPTARG;;
953	    \?)	display_msg usage
954		    exit 1;;
955	    *)	${ECHO} "**ERROR: Supported option missing handler!"
956		    display_msg usage
957		    exit 1;;
958	esac
959    done
960    return `expr $OPTIND - 1`
961}
962
963
964#
965# init(): initializes variables and options
966#
967init()
968{
969    # General variables.
970    PROG=`basename $0`	# Program name
971    PID=$$              # Program ID
972    VERB='> /dev/null 2>&1'	# NULL or "> /dev/null"
973    ECHO="/bin/echo"	# print message on screen
974    EVAL="eval"		# eval or echo
975    EGREP="/usr/bin/egrep"
976    GREP="/usr/bin/grep"
977    DEBUG=0             # Set Debug OFF
978    BACKUP=no_ldap	# backup suffix
979    HOST=""		# NULL or <hostname>
980    NAWK="/usr/bin/nawk"
981    RM="/usr/bin/rm"
982    WC="/usr/bin/wc"
983    CAT="/usr/bin/cat"
984    SED="/usr/bin/sed"
985
986    DOM=""              # Set to NULL
987    # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
988    if [ -f /etc/resolv.conf ]; then
989        DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
990	    | awk '{ print $2 }' | tail -1`
991    fi
992
993    # If for any reason the DOM did not get set (error'd resolv.conf) set
994    # DOM to the domainname command's output.
995    if [ "$DOM" = "" ]; then
996        DOM=`domainname`	# domain from domainname command.
997    fi
998
999    STEP=1
1000    INTERACTIVE=1       # 0 = on, 1 = off (For input file mode)
1001    DEL_OLD_PROFILE=0   # 0 (default), 1 = delete old profile.
1002
1003    # idsconfig specific variables.
1004    INPUT_FILE=""
1005    OUTPUT_FILE=""
1006    LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1007    NEED_PROXY=0        # 0 = No Proxy,    1 = Create Proxy.
1008    NEED_ADMIN=0        # 0 = No Admin,    1 = Create Admin.
1009    NEED_HOSTACL=0      # 0 = No Host ACL, 1 = Create Host ACL.
1010    EXISTING_PROFILE=0
1011    LDAP_PROXYAGENT=""
1012    LDAP_ADMINDN=""
1013    LDAP_SUFFIX=""
1014    LDAP_DOMAIN=$DOM	# domainname on Server (default value)
1015    GEN_CMD=""
1016    PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"
1017
1018    # LDAP COMMANDS
1019    LDAPSEARCH="/bin/ldapsearch -r"
1020    LDAPMODIFY=/bin/ldapmodify
1021    LDAPADD=/bin/ldapadd
1022    LDAPDELETE=/bin/ldapdelete
1023    LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile
1024
1025    # iDS specific information
1026    IDS_SERVER=""
1027    IDS_PORT=389
1028    NEED_TIME=0
1029    NEED_SIZE=0
1030    NEED_SRVAUTH_PAM=0
1031    NEED_SRVAUTH_KEY=0
1032    NEED_SRVAUTH_CMD=0
1033    IDS_TIMELIMIT=""
1034    IDS_SIZELIMIT=""
1035
1036    # LDAP PROFILE related defaults
1037    LDAP_ROOTDN="cn=Directory Manager"   # Provide common default.
1038    LDAP_ROOTPWD=""                      # NULL passwd as default (i.e. invalid)
1039    LDAP_PROFILE_NAME="default"
1040    LDAP_BASEDN=""
1041    LDAP_SERVER_LIST=""
1042    LDAP_AUTHMETHOD=""
1043    LDAP_FOLLOWREF="FALSE"
1044    NEED_CRYPT=""
1045    LDAP_SEARCH_SCOPE="one"
1046    LDAP_SRV_AUTHMETHOD_PAM=""
1047    LDAP_SRV_AUTHMETHOD_KEY=""
1048    LDAP_SRV_AUTHMETHOD_CMD=""
1049    LDAP_SEARCH_TIME_LIMIT=30
1050    LDAP_PREF_SRVLIST=""
1051    LDAP_PROFILE_TTL=43200
1052    LDAP_CRED_LEVEL="proxy"
1053    LDAP_BIND_LIMIT=10
1054
1055    # Prevent new files from being read by group or others.
1056    umask 077
1057
1058    # Service Search Descriptors
1059    LDAP_SERV_SRCH_DES=""
1060
1061    # Set and create TMPDIR.
1062    TMPDIR="/tmp/idsconfig.${PID}"
1063    if mkdir -m 700 ${TMPDIR}
1064    then
1065	# Cleanup on exit.
1066	trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
1067    else
1068	echo "ERROR: unable to create a safe temporary directory."
1069	exit 1
1070    fi
1071    LDAP_ROOTPWF=${TMPDIR}/rootPWD
1072
1073    # Set the SSD file name after setting TMPDIR.
1074    SSD_FILE=${TMPDIR}/ssd_list
1075
1076    # GSSAPI setup
1077    LDAP_KRB_REALM=""
1078    LDAP_GSSAPI_PROFILE=""
1079    SCHEMA_UPDATED=0
1080
1081    export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
1082    export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
1083    export LDAP_BASEDN LDAP_ROOTPWF
1084    export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
1085    export NEED_PROXY
1086    export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
1087    export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
1088    export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
1089    export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
1090    export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
1091    export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
1092    export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
1093    export LDAP_SERV_SRCH_DES SSD_FILE
1094    export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED
1095}
1096
1097
1098#
1099# disp_full_debug(): List of all debug variables usually interested in.
1100#                    Grouped to avoid MASSIVE code duplication.
1101#
1102disp_full_debug()
1103{
1104    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SERVER = $IDS_SERVER"
1105    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_PORT = $IDS_PORT"
1106    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTDN = $LDAP_ROOTDN"
1107    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ROOTPWD = $LDAP_ROOTPWD"
1108    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_DOMAIN = $LDAP_DOMAIN"
1109    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX = $LDAP_SUFFIX"
1110    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BASEDN = $LDAP_BASEDN"
1111    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
1112    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
1113    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
1114    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
1115    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
1116    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
1117    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
1118    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_TIMELIMIT = $IDS_TIMELIMIT"
1119    [ $DEBUG -eq 1 ] && ${ECHO} "  IDS_SIZELIMIT = $IDS_SIZELIMIT"
1120    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_CRYPT = $NEED_CRYPT"
1121    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
1122    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
1123    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
1124    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
1125    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
1126    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
1127    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
1128    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
1129    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
1130    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE"
1131
1132    # Only display proxy stuff if needed.
1133    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_PROXY = $NEED_PROXY"
1134    if [ $NEED_PROXY -eq  1 ]; then
1135	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
1136	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
1137    fi
1138
1139    # Only display admin credential if needed.
1140    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_ADMIN = $NEED_ADMIN"
1141    [ $DEBUG -eq 1 ] && ${ECHO} "  NEED_HOSTACL = $NEED_HOSTACL"
1142    if [ $NEED_ADMIN -eq  1 ]; then
1143	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ADMINDN = $LDAP_ADMINDN"
1144	[ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
1145    fi
1146
1147    # Service Search Descriptors are a special case.
1148    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
1149}
1150
1151
1152#
1153# load_config_file(): Loads the config file.
1154#
1155load_config_file()
1156{
1157    [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"
1158
1159    # Remove SSD lines from input file before sourcing.
1160    # The SSD lines must be removed because some forms of the
1161    # data could cause SHELL errors.
1162    ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD
1163
1164    # Source the input file.
1165    . ${TMPDIR}/inputfile.noSSD
1166
1167    # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older
1168    # config files use LDAP_TREETOP
1169    LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"
1170
1171    # Save password to temporary file.
1172    save_password
1173
1174    # Create the SSD file.
1175    create_ssd_file
1176
1177    # Display FULL debugging info.
1178    disp_full_debug
1179}
1180
1181#
1182# save_password(): Save password to temporary file.
1183#
1184save_password()
1185{
1186    cat > ${LDAP_ROOTPWF} <<EOF
1187${LDAP_ROOTPWD}
1188EOF
1189}
1190
1191######################################################################
1192# FUNCTIONS  FOR prompt_config_info() START HERE.
1193######################################################################
1194
1195#
1196# get_ids_server(): Prompt for iDS server name.
1197#
1198get_ids_server()
1199{
1200    while :
1201    do
1202	# Prompt for server name.
1203	get_ans "Enter the JES Directory Server's  hostname to setup:" "$IDS_SERVER"
1204	IDS_SERVER="$ANS"
1205
1206	# Ping server to see if live.  If valid break out of loop.
1207	ping $IDS_SERVER > /dev/null 2>&1
1208	if [ $? -eq 0 ]; then
1209	    break
1210	fi
1211
1212	# Invalid server, enter a new name.
1213	${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
1214	IDS_SERVER=""
1215    done
1216
1217    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1218    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1219    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1220    export SERVER_ARGS
1221
1222}
1223
1224#
1225# get_ids_port(): Prompt for iDS port number.
1226#
1227get_ids_port()
1228{
1229    # Get a valid iDS port number.
1230    while :
1231    do
1232	# Enter port number.
1233	get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
1234	IDS_PORT=$ANS
1235	# Do a simple search to check hostname and port number.
1236	# If search returns SUCCESS, break out, host and port must
1237	# be valid.
1238	${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1
1239	if [ $? -eq 0 ]; then
1240	    break
1241	fi
1242
1243	# Invalid host/port pair, Re-enter.
1244	${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
1245	get_ids_server
1246    done
1247
1248    # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1249    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1250    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1251    export SERVER_ARGS
1252}
1253
1254
1255#
1256# chk_ids_version(): Read the slapd config file and set variables
1257#
1258chk_ids_version()
1259{
1260    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
1261
1262    # check iDS version number.
1263    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
1264    if [ $? -ne 0 ]; then
1265	${ECHO} "ERROR: Can not determine the version number of iDS!"
1266	exit 1
1267    fi
1268    IDS_VER=`cat ${TMPDIR}/checkDSver`
1269    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
1270    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
1271    if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then
1272	${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."
1273    	exit 1
1274    fi
1275    if [ $DEBUG -eq 1 ]; then
1276	${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
1277	${ECHO} "  IDS_MINVER = $IDS_MINVER"
1278    fi
1279}
1280
1281
1282#
1283# get_dirmgr_dn(): Get the directory manger DN.
1284#
1285get_dirmgr_dn()
1286{
1287    get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
1288    LDAP_ROOTDN=$ANS
1289
1290    # Update ENV variables using DN.
1291    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1292    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1293    export AUTH_ARGS LDAP_ARGS
1294}
1295
1296
1297#
1298# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf)
1299#
1300get_dirmgr_pw()
1301{
1302    while :
1303    do
1304	# Get passwd.
1305	get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
1306	LDAP_ROOTPWD=$ANS
1307
1308	# Store password in file.
1309	save_password
1310
1311	# Update ENV variables using DN's PW.
1312	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1313	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1314	export AUTH_ARGS LDAP_ARGS
1315
1316	# Verify that ROOTDN and ROOTPWD are valid.
1317	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
1318	if [ $? -ne 0 ]; then
1319	    eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
1320	    if [ $? -eq 0 ]; then
1321		${ECHO} "ERROR: Root DN passwd is invalid."
1322	    else
1323		${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
1324		get_dirmgr_dn
1325	    fi
1326	else
1327	    break         # Both are valid.
1328	fi
1329    done
1330
1331
1332}
1333
1334
1335#
1336# get_domain(): Get the Domain that will be served by the LDAP server.
1337#               $1 - Help argument.
1338#
1339get_domain()
1340{
1341    # Use LDAP_DOMAIN as default.
1342    get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN
1343
1344    # Check domainname, and have user re-enter if not valid.
1345    check_domainname $ANS
1346    while [ $? -ne 0 ]
1347    do
1348	case "$ANS" in
1349	    [Hh] | help | Help | \?) display_msg ${1:-sorry} ;;
1350	    * ) ${ECHO} "Invalid domainname: \"${ANS}\"."
1351	     ;;
1352	esac
1353	get_ans "Enter domainname to be served (h=help):" $DOM
1354
1355	check_domainname $ANS
1356    done
1357
1358    # Set the domainname to valid name.
1359    LDAP_DOMAIN=$ANS
1360}
1361
1362
1363#
1364# get_basedn(): Query for the Base DN.
1365#
1366get_basedn()
1367{
1368    # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default.
1369    # Then call get_basedn().  This method remakes the default
1370    # each time just in case the domain changed.
1371    domain_2_dc $LDAP_DOMAIN
1372    LDAP_BASEDN=$_DOM_2_DC
1373
1374    # Get Base DN.
1375    while :
1376    do
1377	get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
1378	check_baseDN "$ANS"
1379	while [ $? -ne 0 ]
1380	do
1381	    case "$ANS" in
1382		[Hh] | help | Help | \?) display_msg basedn_help ;;
1383		* ) ${ECHO} "Invalid base DN: \"${ANS}\"."
1384		;;
1385	    esac
1386
1387	    # Re-Enter the BaseDN
1388	    get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
1389	    check_baseDN "$ANS"
1390	done
1391
1392	# Set base DN and check its suffix
1393	LDAP_BASEDN=${ANS}
1394	check_basedn_suffix ||
1395	{
1396		cleanup
1397		exit 1
1398	}
1399
1400	# suffix may need to be created, in that case get suffix from user
1401	[ -n "${NEED_CREATE_SUFFIX}" ] &&
1402	{
1403		get_suffix || continue
1404	}
1405
1406	# suffix is ok, break out of the base dn inquire loop
1407	break
1408    done
1409}
1410
1411#
1412# get_want_shadow_update(): Ask user if want to enable shadow update?
1413#
1414get_want_shadow_update()
1415{
1416    MSG="Do you want to enable shadow update (y/n/h)?"
1417    get_confirm "$MSG" "n" "enable_shadow_update_help"
1418    if [ $? -eq 1 ]; then
1419	LDAP_ENABLE_SHADOW_UPDATE="TRUE"
1420    else
1421	LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1422    fi
1423}
1424
1425get_krb_realm() {
1426
1427    # To upper cases
1428    LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'`
1429    get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM"
1430    # To upper cases
1431    LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'`
1432}
1433
1434# $1: DN
1435# $2: ldif file
1436add_entry_by_DN() {
1437
1438    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}"
1439    if [ $? -eq 0 ]; then
1440	    ${ECHO} "  ${1} already exists"
1441	    return 0
1442    else
1443	${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}"
1444	if [ $? -eq 0 ]; then
1445		${ECHO} "  ${1} is added"
1446	    	return 0
1447	else
1448		${ECHO} "  ERROR: failed to add ${1}"
1449		return 1
1450	fi
1451    fi
1452
1453}
1454#
1455# Kerberos princiapl to DN mapping rules
1456#
1457# Add rules for host credentails and user credentials
1458#
1459add_id_mapping_rules() {
1460
1461    ${ECHO} "  Adding Kerberos principal to DN mapping rules..."
1462
1463    _C_DN="cn=GSSAPI,cn=identity mapping,cn=config"
1464    ( cat << EOF
1465dn: cn=GSSAPI,cn=identity mapping,cn=config
1466objectClass: top
1467objectClass: nsContainer
1468cn: GSSAPI
1469EOF
1470) > ${TMPDIR}/GSSAPI_container.ldif
1471
1472    add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif"
1473    if [ $? -ne 0 ];
1474    then
1475    	${RM} ${TMPDIR}/GSSAPI_container.ldif
1476	return
1477    fi
1478
1479    _H_CN="host_auth_${LDAP_KRB_REALM}"
1480    _H_DN="cn=${_H_CN}, ${_C_DN}"
1481    ( cat << EOF
1482dn: ${_H_DN}
1483objectClass: top
1484objectClass: nsContainer
1485objectClass: dsIdentityMapping
1486objectClass: dsPatternMatching
1487cn: ${_H_CN}
1488dsMatching-pattern: \${Principal}
1489dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM}
1490dsSearchBaseDN: ou=hosts,${LDAP_BASEDN}
1491dsSearchFilter: (&(objectClass=ipHost)(cn=\$1))
1492dsSearchScope: one
1493
1494EOF
1495) > ${TMPDIR}/${_H_CN}.ldif
1496
1497    add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif"
1498
1499    _U_CN="user_auth_${LDAP_KRB_REALM}"
1500    _U_DN="cn=${_U_CN}, ${_C_DN}"
1501    ( cat << EOF
1502dn: ${_U_DN}
1503objectClass: top
1504objectClass: nsContainer
1505objectClass: dsIdentityMapping
1506objectClass: dsPatternMatching
1507cn: ${_U_CN}
1508dsMatching-pattern: \${Principal}
1509dsMatching-regexp: (.*)@${LDAP_KRB_REALM}
1510dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN}
1511
1512EOF
1513) > ${TMPDIR}/${_U_CN}.ldif
1514
1515    add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif"
1516
1517}
1518
1519
1520#
1521# Modify ACL to allow root to read all the password and only self can read
1522# its own password when sasl/GSSAPI bind is used
1523#
1524modify_userpassword_acl_for_gssapi() {
1525
1526    _P_DN="ou=People,${LDAP_BASEDN}"
1527    _H_DN="ou=Hosts,${LDAP_BASEDN}"
1528    _P_ACI="self-read-pwd"
1529
1530    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
1531    if [ $? -ne 0 ]; then
1532	    ${ECHO} "  ${_P_DN} does not exist"
1533	# Not Found. Create a new entry
1534	( cat << EOF
1535dn: ${_P_DN}
1536ou: People
1537objectClass: top
1538objectClass: organizationalUnit
1539EOF
1540) > ${TMPDIR}/gssapi_people.ldif
1541
1542	add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif"
1543    else
1544	${ECHO} "  ${_P_DN} already exists"
1545    fi
1546
1547    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1"
1548
1549    if [ $? -eq 0 ]; then
1550	    ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1"
1551	    if [ $? -eq 0 ]; then
1552		${ECHO} "  userpassword ACL ${_P_ACI} already exists."
1553		return
1554	    else
1555		${ECHO} "  userpassword ACL ${_P_ACI} not found. Create a new one."
1556	    fi
1557    else
1558	${ECHO} "  Error searching aci for ${_P_DN}"
1559	cat ${TMPDIR}/chk_gssapi_aci
1560	cleanup
1561	exit 1
1562    fi
1563    ( cat << EOF
1564dn: ${_P_DN}
1565changetype: modify
1566add: aci
1567aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";)
1568-
1569add: aci
1570aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";)
1571EOF
1572) > ${TMPDIR}/user_gssapi.ldif
1573    LDAP_TYPE_OR_VALUE_EXISTS=20
1574    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}"
1575
1576    case $? in
1577    0)
1578	${ECHO} "  ${_P_DN} uaserpassword ACL is updated."
1579	;;
1580    20)
1581	${ECHO} "  ${_P_DN} uaserpassword ACL already exists."
1582	;;
1583    *)
1584	${ECHO} "  ERROR: update of userpassword ACL for ${_P_DN} failed!"
1585	cleanup
1586	exit 1
1587	;;
1588    esac
1589}
1590#
1591# $1: objectclass or attributetyp
1592# $2: name
1593search_update_schema() {
1594
1595    ATTR="${1}es"
1596
1597    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}"
1598    if [ $? -ne 0 ]; then
1599	${ECHO} "${1} ${2} does not exist."
1600        update_schema_attr
1601        update_schema_obj
1602	SCHEMA_UPDATED=1
1603    else
1604	${ECHO} "${1} ${2} already exists. Schema has been updated"
1605    fi
1606}
1607
1608#
1609# $1: 1 - interactive, 0 - no
1610#
1611create_gssapi_profile() {
1612
1613
1614    if [ ${1} -eq 1 ]; then
1615        echo
1616        echo "You can create a sasl/GSSAPI enabled profile with default values now."
1617        get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n"
1618
1619        if [ $? -eq 0 ]; then
1620	    return
1621        fi
1622    fi
1623
1624    # Add profile container if it does not exist
1625    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
1626    if [ $? -ne 0 ]; then
1627	( cat << EOF
1628dn: ou=profile,${LDAP_BASEDN}
1629ou: profile
1630objectClass: top
1631objectClass: organizationalUnit
1632EOF
1633) > ${TMPDIR}/profile_people.ldif
1634
1635        add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif"
1636
1637    fi
1638
1639    search_update_schema "objectclass" "DUAConfigProfile"
1640
1641    _P_NAME="gssapi_${LDAP_KRB_REALM}"
1642    if [ ${1} -eq 1 ]; then
1643    	_P_TMP=${LDAP_PROFILE_NAME}
1644    	LDAP_PROFILE_NAME=${_P_NAME}
1645   	get_profile_name
1646        LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME}
1647    	LDAP_PROFILE_NAME=${_P_TMP}
1648    fi
1649
1650    _P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}"
1651    if [ ${DEL_OLD_PROFILE} -eq 1 ]; then
1652	    DEL_OLD_PROFILE=0
1653	    ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}"
1654    fi
1655
1656    _SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'`
1657    if [ ${IDS_PORT} -ne 389 ]; then
1658	    _SVR="${_SVR}:${IDS_PORT}"
1659    fi
1660
1661    (cat << EOF
1662dn: ${_P_DN}
1663objectClass: top
1664objectClass: DUAConfigProfile
1665defaultServerList: ${_SVR}
1666defaultSearchBase: ${LDAP_BASEDN}
1667authenticationMethod: sasl/GSSAPI
1668followReferrals: ${LDAP_FOLLOWREF}
1669defaultSearchScope: ${LDAP_SEARCH_SCOPE}
1670searchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT}
1671profileTTL: ${LDAP_PROFILE_TTL}
1672cn: ${LDAP_GSSAPI_PROFILE}
1673credentialLevel: self
1674bindTimeLimit: ${LDAP_BIND_LIMIT}
1675EOF
1676) > ${TMPDIR}/gssapi_profile.ldif
1677
1678    add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif"
1679
1680}
1681#
1682# Set up GSSAPI if necessary
1683#
1684gssapi_setup() {
1685
1686	# assume sasl/GSSAPI is supported by the ldap server and may be used
1687	GSSAPI_AUTH_MAY_BE_USED=1
1688	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
1689	if [ $? -ne 0 ]; then
1690		GSSAPI_AUTH_MAY_BE_USED=0
1691		${ECHO} "  sasl/GSSAPI is not supported by this LDAP server"
1692		return
1693	fi
1694
1695	get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n"
1696	if [ $? -eq 0 ]; then
1697		${ECHO}
1698		${ECHO} "GSSAPI is not set up."
1699		${ECHO} "sasl/GSSAPI bind may not work if it's not set up first."
1700	else
1701		get_krb_realm
1702		add_id_mapping_rules
1703		modify_userpassword_acl_for_gssapi
1704		create_gssapi_profile 1
1705		${ECHO}
1706		${ECHO} "GSSAPI setup is done."
1707	fi
1708
1709	cat << EOF
1710
1711You can continue to create a profile and
1712configure the LDAP server.
1713Or you can stop now.
1714
1715EOF
1716	get_confirm "Do you want to stop:(y/n)" "n"
1717	if [ $? -eq 1 ]; then
1718		cleanup
1719		exit
1720	fi
1721
1722}
1723gssapi_setup_auto() {
1724	GSSAPI_AUTH_MAY_BE_USED=0
1725	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
1726	if [ $? -ne 0 ]; then
1727		${ECHO}
1728		${ECHO} "sasl/GSSAPI is not supported by this LDAP server"
1729		${ECHO}
1730		return
1731	fi
1732	if [ -z "${LDAP_KRB_REALM}" ]; then
1733		${ECHO}
1734		${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup."
1735		${ECHO} "sasl/GSSAPI bind won't work properly."
1736		${ECHO}
1737		return
1738	fi
1739	GSSAPI_AUTH_MAY_BE_USED=1
1740	if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then
1741		${ECHO}
1742		${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}"
1743		${ECHO}
1744		LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}"
1745	fi
1746	add_id_mapping_rules
1747	modify_userpassword_acl_for_gssapi
1748	create_gssapi_profile 0
1749}
1750# get_profile_name(): Enter the profile name.
1751#
1752get_profile_name()
1753{
1754    # Reset Delete Old Profile since getting new profile name.
1755    DEL_OLD_PROFILE=0
1756
1757    # Loop until valid profile name, or replace.
1758    while :
1759    do
1760	# Prompt for profile name.
1761	get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME"
1762
1763	# Check for Help.
1764	case "$ANS" in
1765	    [Hh] | help | Help | \?) display_msg profile_help
1766				     continue ;;
1767	    * )  ;;
1768	esac
1769
1770	# Search to see if profile name already exists.
1771	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
1772	if [ $? -eq 0 ]; then
1773
1774	    cat << EOF
1775
1776Profile '${ANS}' already exists, it is possible to enable
1777shadow update now. idsconfig will exit after shadow update
1778is enabled. You can also continue to overwrite the profile 
1779or create a new one and be given the chance to enable
1780shadow update later.
1781
1782EOF
1783
1784	    MSG="Just enable shadow update (y/n/h)?"
1785	    get_confirm "$MSG" "n" "enable_shadow_update_help"
1786	    if [ $? -eq 1 ]; then
1787	        [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update"
1788	        LDAP_ENABLE_SHADOW_UPDATE=TRUE
1789		# display alternate messages
1790		EXISTING_PROFILE=1
1791	        # Set Profile Name.
1792	        LDAP_PROFILE_NAME=$ANS
1793	        return 0  # set up credentials for shadow update.
1794	    fi
1795
1796	    get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?"
1797	    if [ $? -eq 1 ]; then
1798		DEL_OLD_PROFILE=1
1799		return 0  # Replace old profile name.
1800	    else
1801		${ECHO} "Please re-enter a new profile name."
1802	    fi
1803	else
1804	    break  # Unique profile name.
1805	fi
1806    done
1807
1808    # Set Profile Name.
1809    LDAP_PROFILE_NAME=$ANS
1810}
1811
1812
1813#
1814# get_srv_list(): Get the default server list.
1815#
1816get_srv_list()
1817{
1818    # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone.
1819    if [ -z "${LDAP_SERVER_LIST}" ]; then
1820	LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'`
1821        if [ ${IDS_PORT} -ne 389 ]; then
1822	    LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}"
1823	fi
1824    fi
1825
1826    # Prompt for new LDAP_SERVER_LIST.
1827    while :
1828    do
1829	get_ans "Default server list (h=help):" $LDAP_SERVER_LIST
1830
1831	# If help continue, otherwise break.
1832	case "$ANS" in
1833	    [Hh] | help | Help | \?) display_msg def_srvlist_help ;;
1834	    * ) break ;;
1835	esac
1836    done
1837    LDAP_SERVER_LIST=$ANS
1838}
1839
1840
1841#
1842# get_pref_srv(): The preferred server list (Overrides the server list)
1843#
1844get_pref_srv()
1845{
1846    while :
1847    do
1848	get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST
1849
1850	# If help continue, otherwise break.
1851	case "$ANS" in
1852	    [Hh] | help | Help | \?) display_msg pref_srvlist_help ;;
1853	    * ) break ;;
1854	esac
1855    done
1856    LDAP_PREF_SRVLIST=$ANS
1857}
1858
1859
1860#
1861# get_search_scope(): Get the search scope from the user.
1862#
1863get_search_scope()
1864{
1865    [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()"
1866
1867    _MENU_CHOICE=0
1868    while :
1869    do
1870	get_ans "Choose desired search scope (one, sub, h=help): " "one"
1871	_MENU_CHOICE=$ANS
1872	case "$_MENU_CHOICE" in
1873	    one) LDAP_SEARCH_SCOPE="one"
1874	       return 1 ;;
1875	    sub) LDAP_SEARCH_SCOPE="sub"
1876	       return 2 ;;
1877	    h) display_msg srch_scope_help ;;
1878	    *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;;
1879	esac
1880    done
1881
1882}
1883
1884
1885#
1886# get_cred_level(): Function to display menu to user and get the
1887#                  credential level.
1888#
1889get_cred_level()
1890{
1891    [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()"
1892
1893    _MENU_CHOICE=0
1894    display_msg cred_level_menu
1895    while :
1896    do
1897	get_ans "Choose Credential level [h=help]:" "1"
1898	_MENU_CHOICE=$ANS
1899	case "$_MENU_CHOICE" in
1900	    1) LDAP_CRED_LEVEL="anonymous"
1901	       return 1 ;;
1902	    2) LDAP_CRED_LEVEL="proxy"
1903	       return 2 ;;
1904	    3) LDAP_CRED_LEVEL="proxy anonymous"
1905	       return 3 ;;
1906	    4) LDAP_CRED_LEVEL="self"
1907	       SELF_GSSAPI=1
1908	       return 4 ;;
1909	    5) LDAP_CRED_LEVEL="self proxy"
1910	       SELF_GSSAPI=1
1911	       return 5 ;;
1912	    6) LDAP_CRED_LEVEL="self proxy anonymous"
1913	       SELF_GSSAPI=1
1914	       return 6 ;;
1915	    h) display_msg cred_lvl_help ;;
1916	    *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;;
1917	esac
1918    done
1919}
1920
1921
1922#
1923# srvauth_menu_handler(): Enter the Service Authentication method.
1924#
1925srvauth_menu_handler()
1926{
1927    # Display Auth menu
1928    display_msg srvauth_method_menu
1929
1930    # Get a Valid choice.
1931    while :
1932    do
1933	# Display appropriate prompt and get answer.
1934	if [ $_FIRST -eq 1 ]; then
1935	    get_ans "Choose Service Authentication Method:" "1"
1936	else
1937	    get_ans "Choose Service Authentication Method (0=reset):"
1938	fi
1939
1940	# Determine choice.
1941	_MENU_CHOICE=$ANS
1942	case "$_MENU_CHOICE" in
1943	    1) _AUTHMETHOD="simple"
1944		break ;;
1945	    2) _AUTHMETHOD="sasl/DIGEST-MD5"
1946		break ;;
1947	    3) _AUTHMETHOD="tls:simple"
1948		break ;;
1949	    4) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1950		break ;;
1951	    5) _AUTHMETHOD="sasl/GSSAPI"
1952		break ;;
1953	    0) _AUTHMETHOD=""
1954		_FIRST=1
1955		break ;;
1956	    *) ${ECHO} "Please enter 1-5 or 0 to reset." ;;
1957	esac
1958    done
1959}
1960
1961
1962#
1963# auth_menu_handler(): Enter the Authentication method.
1964#
1965auth_menu_handler()
1966{
1967    # Display Auth menu
1968    display_msg auth_method_menu
1969
1970    # Get a Valid choice.
1971    while :
1972    do
1973	# Display appropriate prompt and get answer.
1974	if [ $_FIRST -eq 1 ]; then
1975	    get_ans "Choose Authentication Method (h=help):" "1"
1976	else
1977	    get_ans "Choose Authentication Method (0=reset, h=help):"
1978	fi
1979
1980	# Determine choice.
1981	_MENU_CHOICE=$ANS
1982	case "$_MENU_CHOICE" in
1983	    1) _AUTHMETHOD="none"
1984		break ;;
1985	    2) _AUTHMETHOD="simple"
1986		break ;;
1987	    3) _AUTHMETHOD="sasl/DIGEST-MD5"
1988		break ;;
1989	    4) _AUTHMETHOD="tls:simple"
1990		break ;;
1991	    5) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1992		break ;;
1993	    6) _AUTHMETHOD="sasl/GSSAPI"
1994		break ;;
1995	    0) _AUTHMETHOD=""
1996		_FIRST=1
1997		break ;;
1998	    h) display_msg auth_help ;;
1999	    *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;;
2000	esac
2001    done
2002}
2003
2004
2005#
2006# get_auth(): Enter the Authentication method.
2007#
2008get_auth()
2009{
2010    [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()"
2011
2012    _FIRST=1          # Flag for first time.
2013    _MENU_CHOICE=0
2014    _AUTHMETHOD=""    # Tmp method.
2015
2016    while :
2017    do
2018	# Call Menu handler
2019	auth_menu_handler
2020
2021	# Add Auth Method to list.
2022        if [ $_FIRST -eq 1 ]; then
2023	    LDAP_AUTHMETHOD="${_AUTHMETHOD}"
2024	    _FIRST=0
2025	else
2026	    LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}"
2027	fi
2028
2029	# Display current Authentication Method.
2030	${ECHO} ""
2031	${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}"
2032	${ECHO} ""
2033
2034	# Prompt for another Auth Method, or break out.
2035	get_confirm_nodef "Do you want to add another Authentication Method?"
2036	if [ $? -eq 0 ]; then
2037	    break;
2038	fi
2039    done
2040}
2041
2042
2043#
2044# get_followref(): Whether or not to follow referrals.
2045#
2046get_followref()
2047{
2048    get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
2049    if [ $? -eq 1 ]; then
2050	LDAP_FOLLOWREF="TRUE"
2051    else
2052	LDAP_FOLLOWREF="FALSE"
2053    fi
2054}
2055
2056
2057#
2058# get_timelimit(): Set the time limit. -1 is max time.
2059#
2060get_timelimit()
2061{
2062    # Get current timeout value from cn=config.
2063    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1"
2064    if [ $? -ne 0 ]; then
2065	${ECHO} "  ERROR: Could not reach LDAP server to check current timeout!"
2066	cleanup
2067	exit 1
2068    fi
2069    CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=`
2070
2071    get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
2072    IDS_TIMELIMIT=$NUM
2073}
2074
2075
2076#
2077# get_sizelimit(): Set the size limit. -1 is max size.
2078#
2079get_sizelimit()
2080{
2081    # Get current sizelimit value from cn=config.
2082    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1"
2083    if [ $? -ne 0 ]; then
2084	${ECHO} "  ERROR: Could not reach LDAP server to check current sizelimit!"
2085	cleanup
2086	exit 1
2087    fi
2088    CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=`
2089
2090    get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
2091    IDS_SIZELIMIT=$NUM
2092}
2093
2094
2095#
2096# get_want_crypt(): Ask user if want to store passwords in crypt?
2097#
2098get_want_crypt()
2099{
2100    get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
2101    if [ $? -eq 1 ]; then
2102	NEED_CRYPT="TRUE"
2103    else
2104	NEED_CRYPT="FALSE"
2105    fi
2106}
2107
2108
2109#
2110# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
2111#
2112#  NOTE: This function is base on get_auth().
2113#
2114get_srv_authMethod_pam()
2115{
2116    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"
2117
2118    _FIRST=1          # Flag for first time.
2119    _MENU_CHOICE=0
2120    _AUTHMETHOD=""    # Tmp method.
2121
2122    while :
2123    do
2124	# Call Menu handler
2125	srvauth_menu_handler
2126
2127	# Add Auth Method to list.
2128        if [ $_FIRST -eq 1 ]; then
2129	    if [ "$_AUTHMETHOD" = "" ]; then
2130		LDAP_SRV_AUTHMETHOD_PAM=""
2131	    else
2132		LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
2133	    fi
2134	    _FIRST=0
2135	else
2136	    LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}"
2137	fi
2138
2139	# Display current Authentication Method.
2140	${ECHO} ""
2141	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
2142	${ECHO} ""
2143
2144	# Prompt for another Auth Method, or break out.
2145	get_confirm_nodef "Do you want to add another Authentication Method?"
2146	if [ $? -eq 0 ]; then
2147	    break;
2148	fi
2149    done
2150
2151    # Check in case user reset string and exited loop.
2152    if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
2153	NEED_SRVAUTH_PAM=0
2154    fi
2155}
2156
2157
2158#
2159# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
2160#
2161#  NOTE: This function is base on get_auth().
2162#
2163get_srv_authMethod_key()
2164{
2165    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"
2166
2167    _FIRST=1          # Flag for first time.
2168    _MENU_CHOICE=0
2169    _AUTHMETHOD=""    # Tmp method.
2170
2171    while :
2172    do
2173	# Call Menu handler
2174	srvauth_menu_handler
2175
2176	# Add Auth Method to list.
2177        if [ $_FIRST -eq 1 ]; then
2178	    if [ "$_AUTHMETHOD" = "" ]; then
2179		LDAP_SRV_AUTHMETHOD_KEY=""
2180	    else
2181		LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
2182	    fi
2183	    _FIRST=0
2184	else
2185	    LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}"
2186	fi
2187
2188	# Display current Authentication Method.
2189	${ECHO} ""
2190	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
2191	${ECHO} ""
2192
2193	# Prompt for another Auth Method, or break out.
2194	get_confirm_nodef "Do you want to add another Authentication Method?"
2195	if [ $? -eq 0 ]; then
2196	    break;
2197	fi
2198    done
2199
2200    # Check in case user reset string and exited loop.
2201    if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
2202	NEED_SRVAUTH_KEY=0
2203    fi
2204}
2205
2206
2207#
2208# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
2209#
2210#  NOTE: This function is base on get_auth().
2211#
2212get_srv_authMethod_cmd()
2213{
2214    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"
2215
2216    _FIRST=1          # Flag for first time.
2217    _MENU_CHOICE=0
2218    _AUTHMETHOD=""    # Tmp method.
2219
2220    while :
2221    do
2222	# Call Menu handler
2223	srvauth_menu_handler
2224
2225	# Add Auth Method to list.
2226        if [ $_FIRST -eq 1 ]; then
2227	    if [ "$_AUTHMETHOD" = "" ]; then
2228		LDAP_SRV_AUTHMETHOD_CMD=""
2229	    else
2230		LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
2231	    fi
2232	    _FIRST=0
2233	else
2234	    LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}"
2235	fi
2236
2237	# Display current Authentication Method.
2238	${ECHO} ""
2239	${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
2240	${ECHO} ""
2241
2242	# Prompt for another Auth Method, or break out.
2243	get_confirm_nodef "Do you want to add another Authentication Method?"
2244	if [ $? -eq 0 ]; then
2245	    break;
2246	fi
2247    done
2248
2249    # Check in case user reset string and exited loop.
2250    if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
2251	NEED_SRVAUTH_CMD=0
2252    fi
2253}
2254
2255
2256#
2257# get_srch_time(): Amount of time to search.
2258#
2259get_srch_time()
2260{
2261    get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
2262    LDAP_SEARCH_TIME_LIMIT=$NUM
2263}
2264
2265
2266#
2267# get_prof_ttl(): The profile time to live (TTL)
2268#
2269get_prof_ttl()
2270{
2271    get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help"
2272    LDAP_PROFILE_TTL=$NUM
2273}
2274
2275
2276#
2277# get_bind_limit(): Bind time limit
2278#
2279get_bind_limit()
2280{
2281    get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help"
2282    LDAP_BIND_LIMIT=$NUM
2283}
2284
2285
2286######################################################################
2287# FUNCTIONS  FOR Service Search Descriptor's START HERE.
2288######################################################################
2289
2290
2291#
2292# add_ssd(): Get SSD's from user and add to file.
2293#
2294add_ssd()
2295{
2296    [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"
2297
2298    # Enter the service id.  Loop til unique.
2299    while :
2300    do
2301	get_ans "Enter the service id:"
2302	_SERV_ID=$ANS
2303
2304	# Grep for name existing.
2305	${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
2306	if [ $? -eq 1 ]; then
2307	    break
2308	fi
2309
2310	# Name exists, print message, let user decide.
2311	${ECHO} "ERROR: Service id ${ANS} already exists."
2312    done
2313
2314    get_ans "Enter the base:"
2315    _BASE=$ANS
2316
2317    # Get the scope and verify that its one or sub.
2318    while :
2319    do
2320	get_ans "Enter the scope:"
2321	_SCOPE=$ANS
2322	case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
2323	    one) break ;;
2324	    sub) break ;;
2325	    *)   ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
2326	esac
2327    done
2328
2329    # Build SSD to add to file.
2330    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
2331
2332    # Add the SSD to the file.
2333    ${ECHO} "${_SSD}" >> ${SSD_FILE}
2334}
2335
2336
2337#
2338# delete_ssd(): Delete a SSD from the list.
2339#
2340delete_ssd()
2341{
2342    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"
2343
2344    # Get service id name from user for SSD to delete.
2345    get_ans_req "Enter service id to delete:"
2346
2347    # Make sure service id exists.
2348    ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1
2349    if [ $? -eq 1 ]; then
2350	${ECHO} "Invalid service id: $ANS not present in list."
2351	return
2352    fi
2353
2354    # Create temporary back SSD file.
2355    cp ${SSD_FILE} ${SSD_FILE}.bak
2356    if [ $? -eq 1 ]; then
2357	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
2358	exit 1
2359    fi
2360
2361    # Use ${GREP} to remove the SSD.  Read from temp file
2362    # and write to the orig file.
2363    ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE}
2364}
2365
2366
2367#
2368# modify_ssd(): Allow user to modify a SSD.
2369#
2370modify_ssd()
2371{
2372    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"
2373
2374    # Prompt user for service id.
2375    get_ans_req "Enter service id to modify:"
2376
2377    # Put into temp _LINE.
2378    _LINE=`${GREP} "^$ANS:" ${SSD_FILE}`
2379    if [ "$_LINE" = "" ]; then
2380	${ECHO} "Invalid service id: $ANS"
2381	return
2382    fi
2383
2384    # Display current filter for user to see.
2385    ${ECHO} ""
2386    ${ECHO} "Current SSD: $_LINE"
2387    ${ECHO} ""
2388
2389    # Get the defaults.
2390    _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
2391    _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`
2392
2393    # Create temporary back SSD file.
2394    cp ${SSD_FILE} ${SSD_FILE}.bak
2395    if [ $? -eq 1 ]; then
2396	${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
2397	cleanup
2398	exit 1
2399    fi
2400
2401    # Removed the old line.
2402    ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
2403
2404    # New Entry
2405    _SERV_ID=$ANS
2406    get_ans_req "Enter the base:" "$_CURR_BASE"
2407    _BASE=$ANS
2408    get_ans_req "Enter the scope:" "$_CURR_SCOPE"
2409    _SCOPE=$ANS
2410
2411    # Build the new SSD.
2412    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
2413
2414    # Add the SSD to the file.
2415    ${ECHO} "${_SSD}" >> ${SSD_FILE}
2416}
2417
2418
2419#
2420# display_ssd(): Display the current SSD list.
2421#
2422display_ssd()
2423{
2424    [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"
2425
2426    ${ECHO} ""
2427    ${ECHO} "Current Service Search Descriptors:"
2428    ${ECHO} "=================================="
2429    cat ${SSD_FILE}
2430    ${ECHO} ""
2431    ${ECHO} "Hit return to continue."
2432    read __A
2433}
2434
2435
2436#
2437# prompt_ssd(): Get SSD's from user.
2438#
2439prompt_ssd()
2440{
2441    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"
2442    # See if user wants SSD's?
2443    get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
2444    [ "$?" -eq 0 ] && return
2445
2446    # Display menu for SSD choices.
2447    while :
2448    do
2449	display_msg prompt_ssd_menu
2450	get_ans "Enter menu choice:" "Quit"
2451	case "$ANS" in
2452	    [Aa] | add) add_ssd ;;
2453	    [Dd] | delete) delete_ssd ;;
2454	    [Mm] | modify) modify_ssd ;;
2455	    [Pp] | print | display) display_ssd ;;
2456	    [Xx] | reset | clear) reset_ssd_file ;;
2457	    [Hh] | Help | help)	display_msg ssd_menu_help
2458				${ECHO} " Press return to continue."
2459				read __A ;;
2460	    [Qq] | Quit | quit)	return ;;
2461	    *)    ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
2462	esac
2463    done
2464}
2465
2466
2467#
2468# reset_ssd_file(): Blank out current SSD file.
2469#
2470reset_ssd_file()
2471{
2472    [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()"
2473
2474    rm -f ${SSD_FILE}
2475    touch ${SSD_FILE}
2476}
2477
2478
2479#
2480# create_ssd_file(): Create a temporary file for SSD's.
2481#
2482create_ssd_file()
2483{
2484    [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()"
2485
2486    # Build a list of SSD's and store in temp file.
2487    ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \
2488	sed 's/LDAP_SERV_SRCH_DES=//' \
2489	> ${SSD_FILE}
2490}
2491
2492
2493#
2494# ssd_2_config(): Append the SSD file to the output file.
2495#
2496ssd_2_config()
2497{
2498    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()"
2499
2500    # Convert to config file format using sed.
2501    sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE}
2502}
2503
2504
2505#
2506# ssd_2_profile(): Add SSD's to the GEN_CMD string.
2507#
2508ssd_2_profile()
2509{
2510    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()"
2511
2512    GEN_TMPFILE=${TMPDIR}/ssd_tmpfile
2513    touch ${GEN_TMPFILE}
2514
2515    # Add and convert each SSD to string.
2516    while read SSD_LINE
2517    do
2518	${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE}
2519    done <${SSD_FILE}
2520
2521    # Add SSD's to GEN_CMD.
2522    GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`"
2523}
2524
2525#
2526# get_adminDN(): Get the admin DN.
2527#
2528get_adminDN()
2529{
2530    LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}"  # default
2531    get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN"
2532    LDAP_ADMINDN=$ANS
2533    [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN"
2534}
2535
2536#
2537# get_admin_pw(): Get the admin passwd.
2538#
2539get_admin_pw()
2540{
2541    get_passwd "Enter passwd for the administrator:"
2542    LDAP_ADMIN_CRED=$ANS
2543    [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
2544}
2545
2546#
2547# add_admin(): Add an admin entry for nameservice for updating shadow data.
2548#
2549add_admin()
2550{
2551    [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()"
2552
2553    # Check if the admin user already exists.
2554    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}"
2555    if [ $? -eq 0 ]; then
2556	MSG="Administrator ${LDAP_ADMINDN} already exists."
2557	if [ $EXISTING_PROFILE -eq 1 ]; then
2558	    ${ECHO} "  NOT ADDED: $MSG"
2559	else
2560	    ${ECHO} "  ${STEP}. $MSG"
2561	    STEP=`expr $STEP + 1`
2562	fi
2563	return 0
2564    fi
2565
2566    # Get cn and sn names from LDAP_ADMINDN.
2567    cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=`
2568
2569    # Create the tmp file to add.
2570    ( cat <<EOF
2571dn: ${LDAP_ADMINDN}
2572cn: ${cn_tmp}
2573sn: ${cn_tmp}
2574objectclass: top
2575objectclass: person
2576userpassword: ${LDAP_ADMIN_CRED}
2577EOF
2578) > ${TMPDIR}/admin
2579
2580    # Add the entry.
2581    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}"
2582    if [ $? -ne 0 ]; then
2583	${ECHO} "  ERROR: Adding administrator identity failed!"
2584	cleanup
2585	exit 1
2586    fi
2587
2588    ${RM} -f ${TMPDIR}/admin
2589
2590    # Display message that the administrator identity is added.
2591    MSG="Administrator identity ${LDAP_ADMINDN}"
2592    if [ $EXISTING_PROFILE -eq 1 ]; then
2593	${ECHO} "  ADDED: $MSG."
2594    else
2595	${ECHO} "  ${STEP}. $MSG added."
2596	STEP=`expr $STEP + 1`
2597    fi
2598}
2599
2600#
2601# allow_admin_read_write_shadow(): Give Admin read/write permission
2602# to shadow data.
2603#
2604allow_admin_read_write_shadow()
2605{
2606    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()"
2607
2608    # Set ACI Name
2609    ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write"
2610
2611    # Search for ACI_NAME
2612    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \
2613    -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1"
2614
2615    # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search"
2616    # and ${LDAP_ADMINDN} already exists, we are done
2617    ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \
2618    	${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null
2619    if [ $? -eq 0 ]; then
2620	MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}."
2621	if [ $EXISTING_PROFILE -eq 1 ]; then
2622	    ${ECHO} "  NOT SET: $MSG"
2623	else
2624	    ${ECHO} "  ${STEP}. $MSG"
2625	    STEP=`expr $STEP + 1`
2626	fi
2627	return 0
2628    fi
2629
2630    # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN}
2631    # already exists, delete it first.
2632    find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \
2633	${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME}
2634
2635    # Create the tmp file to add.
2636    ( cat <<EOF
2637dn: ${LDAP_BASEDN}
2638changetype: modify
2639add: aci
2640aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange
2641 ||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire
2642 ||shadowFlag||userPassword||loginShell||homeDirectory||gecos")
2643  (version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search)
2644  userdn = "ldap:///${LDAP_ADMINDN}";)
2645EOF
2646) > ${TMPDIR}/admin_write
2647
2648    # Add the entry.
2649    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}"
2650    if [ $? -ne 0 ]; then
2651	${ECHO} "  ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!"
2652	cleanup
2653	exit 1
2654    fi
2655
2656    ${RM} -f ${TMPDIR}/admin_write
2657    # Display message that the administrator ACL is set.
2658    MSG="Give ${LDAP_ADMINDN} read/write access to shadow data."
2659    if [ $EXISTING_PROFILE -eq 1 ]; then
2660	${ECHO} "  ACI SET: $MSG"
2661    else
2662	${ECHO} "  ${STEP}. $MSG"
2663	STEP=`expr $STEP + 1`
2664    fi
2665}
2666
2667#
2668# allow_host_read_write_shadow(): Give host principal read/write permission
2669# for shadow data.
2670#
2671allow_host_read_write_shadow()
2672{
2673    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()"
2674
2675    # Set ACI Name
2676    HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write"
2677
2678    # Search for ACI_NAME
2679    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1"
2680    ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1
2681    if [ $? -eq 0 ]; then
2682	MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}."
2683	if [ $EXISTING_PROFILE -eq 1 ]; then
2684	    ${ECHO} "  NOT ADDED: $MSG"
2685	else
2686	    ${ECHO} "  ${STEP}. $MSG"
2687	    STEP=`expr $STEP + 1`
2688	fi
2689	return 0
2690    fi
2691
2692    # Create the tmp file to add.
2693    ( cat <<EOF
2694dn: ${LDAP_BASEDN}
2695changetype: modify
2696add: aci
2697aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
2698EOF
2699) > ${TMPDIR}/host_read_write
2700
2701    # Add the entry.
2702    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}"
2703    if [ $? -ne 0 ]; then
2704	${ECHO} "  ERROR: Allow Host Principal to write shadow data failed!"
2705	cleanup
2706	exit 1
2707    fi
2708
2709    ${RM} -f ${TMPDIR}/host_read_write
2710    MSG="Give host principal read/write permission for shadow."
2711    if [ $EXISTING_PROFILE -eq 1 ]; then
2712	${ECHO} "  ACI SET: $MSG"
2713    else
2714	${ECHO} "  ${STEP}. $MSG"
2715	STEP=`expr $STEP + 1`
2716    fi
2717}
2718
2719#
2720# Set up shadow update
2721#
2722setup_shadow_update() {
2723    [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()"
2724
2725    # get content of the profile
2726    PROFILE_OUT=${TMPDIR}/prof_tmpfile
2727    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1"
2728    ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1
2729    if [ $? -ne 0 ]; then
2730	[ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist"
2731	${RM} ${PROFILE_OUT}
2732	return
2733    fi
2734
2735    # Search to see if authenticationMethod has 'GSSAPI' and
2736    # credentialLevel has 'self'. If so, ask to use the
2737    # host principal for shadow update
2738    if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
2739	if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1
2740	then
2741	    if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1
2742	    then
2743		NEED_HOSTACL=1
2744	    fi
2745	fi
2746	${RM} ${PROFILE_OUT}
2747	[ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
2748
2749	if [ $NEED_HOSTACL -eq 1 ]; then
2750	    MSG="Use host principal for shadow data update (y/n/h)?"
2751	    get_confirm "$MSG" "y" "use_host_principal_help"
2752	    if [ $? -eq 1 ]; then
2753		delete_proxy_read_pw
2754		allow_host_read_write_shadow
2755		deny_non_host_shadow_access
2756	        ${ECHO} ""
2757		${ECHO} "  Shadow update has been enabled."
2758	    else
2759	        ${ECHO} ""
2760    		${ECHO} "  Shadow update may not work."
2761	    fi
2762	    return
2763	fi
2764    fi
2765
2766    MSG="Add the administrator identity (y/n/h)?"
2767    get_confirm "$MSG" "y" "add_admin_cred_help"
2768    if [ $? -eq 1 ]; then
2769	get_adminDN
2770	get_admin_pw
2771	add_admin
2772	delete_proxy_read_pw
2773	allow_admin_read_write_shadow
2774	deny_non_admin_shadow_access
2775        ${ECHO} ""
2776	${ECHO} "  Shadow update has been enabled."
2777	return
2778    fi
2779
2780    ${ECHO} "  No administrator identity specified, shadow update may not work."
2781}
2782
2783
2784#
2785# prompt_config_info(): This function prompts the user for the config
2786# info that is not specified in the input file.
2787#
2788prompt_config_info()
2789{
2790    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"
2791
2792    # Prompt for iDS server name.
2793    get_ids_server
2794
2795    # Prompt for iDS port number.
2796    get_ids_port
2797
2798    # Check iDS version for compatibility.
2799    chk_ids_version
2800
2801    # Check if the server supports the VLV.
2802    chk_vlv_indexes
2803
2804    # Get the Directory manager DN and passwd.
2805    get_dirmgr_dn
2806    get_dirmgr_pw
2807
2808    #
2809    # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
2810    #   (i.e. The fields that show up in the profile.)
2811    #
2812    get_domain "domain_help"
2813
2814    get_basedn
2815
2816    gssapi_setup
2817
2818    get_profile_name
2819
2820    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then
2821	setup_shadow_update
2822	cleanup
2823	exit 0
2824    fi
2825
2826    get_srv_list
2827    get_pref_srv
2828    get_search_scope
2829
2830    # If cred is "anonymous", make auth == "none"
2831    get_cred_level
2832    if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
2833	get_auth
2834    fi
2835
2836    get_followref
2837
2838    # Query user about timelimt.
2839    get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
2840    NEED_TIME=$?
2841    [ $NEED_TIME -eq 1 ] && get_timelimit
2842
2843    # Query user about sizelimit.
2844    get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
2845    NEED_SIZE=$?
2846    [ $NEED_SIZE -eq 1 ] && get_sizelimit
2847
2848    # Does the user want to store passwords in crypt format?
2849    get_want_crypt
2850
2851    # Prompt for any Service Authentication Methods?
2852    get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
2853    if [ $? -eq 1 ]; then
2854	# Does the user want to set Service Authentication Method for pam_ldap?
2855	get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
2856	NEED_SRVAUTH_PAM=$?
2857	[ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam
2858
2859	# Does the user want to set Service Authentication Method for keyserv?
2860	get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
2861	NEED_SRVAUTH_KEY=$?
2862	[ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key
2863
2864	# Does the user want to set Service Authentication Method for passwd-cmd?
2865	get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
2866	NEED_SRVAUTH_CMD=$?
2867	[ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
2868    fi
2869
2870
2871    # Get Timeouts
2872    get_srch_time
2873    get_prof_ttl
2874    get_bind_limit
2875
2876    # Ask whether to enable shadow update
2877    get_want_shadow_update
2878
2879    # Reset the sdd_file and prompt user for SSD.  Will use menus
2880    # to build an SSD File.
2881    reset_ssd_file
2882    prompt_ssd
2883
2884    # Display FULL debugging info.
2885    disp_full_debug
2886
2887    # Extra blank line to separate prompt lines from steps.
2888    ${ECHO} " "
2889}
2890
2891
2892######################################################################
2893# FUNCTIONS  FOR display_summary() START HERE.
2894######################################################################
2895
2896
2897#
2898# get_proxyagent(): Get the proxyagent DN.
2899#
2900get_proxyagent()
2901{
2902    LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}"  # default
2903    get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
2904    LDAP_PROXYAGENT=$ANS
2905}
2906
2907
2908#
2909# get_proxy_pw(): Get the proxyagent passwd.
2910#
2911get_proxy_pw()
2912{
2913    get_passwd "Enter passwd for proxyagent:"
2914    LDAP_PROXYAGENT_CRED=$ANS
2915}
2916
2917#
2918# display_summary(): Display a summary of values entered and let the
2919#                    user modify values at will.
2920#
2921display_summary()
2922{
2923    [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"
2924
2925    # Create lookup table for function names.  First entry is dummy for
2926    # shift.
2927    TBL1="dummy"
2928    TBL2="get_domain get_basedn get_profile_name"
2929    TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
2930    TBL4="get_auth get_followref"
2931    TBL5="get_timelimit get_sizelimit get_want_crypt"
2932    TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
2933    TBL7="get_srch_time get_prof_ttl get_bind_limit"
2934    TBL8="get_want_shadow_update"
2935    TBL9="prompt_ssd"
2936    FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9"
2937
2938    # Since menu prompt string is long, set here.
2939    _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)"
2940
2941    # Infinite loop.  Test for 0, and break in loop.
2942    while :
2943    do
2944	# Display menu and get value in range.
2945	display_msg summary_menu
2946	get_menu_choice "${_MENU_PROMPT}" "0" "20" "0"
2947	_CH=$MN_CH
2948
2949	# Make sure where not exiting.
2950	if [ $_CH -eq 0 ]; then
2951	    break       # Break out of loop if 0 selected.
2952	fi
2953
2954	# Call appropriate function from function table.
2955	set $FUNC_TBL
2956	shift $_CH
2957	$1          # Call the appropriate function.
2958    done
2959
2960    # If cred level is still see if user wants a change?
2961    if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
2962    then
2963	if [ "$LDAP_AUTHMETHOD" != "none" ]; then
2964	    NEED_PROXY=1    # I assume integer test is faster?
2965	    get_proxyagent
2966	    get_proxy_pw
2967	else
2968	    ${ECHO} "WARNING: Since Authentication method is 'none'."
2969	    ${ECHO} "         Credential level will be set to 'anonymous'."
2970	    LDAP_CRED_LEVEL="anonymous"
2971	fi
2972    fi
2973
2974    # If shadow update is enabled, set up administrator credential
2975    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then
2976	NEED_ADMIN=1
2977	if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then
2978	    if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then
2979		NEED_HOSTACL=1
2980		NEED_ADMIN=0
2981	    fi
2982	fi
2983        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
2984        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN   = $NEED_ADMIN"
2985	if [ $NEED_ADMIN -eq 1 ]; then
2986	    get_adminDN
2987	    get_admin_pw
2988	fi
2989    fi
2990
2991    # Display FULL debugging info.
2992    disp_full_debug
2993
2994    # Final confirmation message. (ARE YOU SURE!)
2995    ${ECHO} " "
2996    get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
2997    if [ $? -eq 0 ]; then
2998	${ECHO} "Terminating setup without making changes at users request."
2999	cleanup
3000	exit 1
3001    fi
3002
3003    # Print newline
3004    ${ECHO} " "
3005}
3006
3007
3008#
3009# create_config_file(): Write config data to config file specified.
3010#
3011create_config_file()
3012{
3013    [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"
3014
3015    # If output file exists, delete it.
3016    [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE
3017
3018    # Create output file.
3019    cat > $OUTPUT_FILE <<EOF
3020#!/bin/sh
3021# $OUTPUT_FILE - This file contains configuration information for
3022#                Native LDAP.  Use the idsconfig tool to load it.
3023#
3024# WARNING: This file was generated by idsconfig, and is intended to
3025#          be loaded by idsconfig as is.  DO NOT EDIT THIS FILE!
3026#
3027IDS_SERVER="$IDS_SERVER"
3028IDS_PORT=$IDS_PORT
3029IDS_TIMELIMIT=$IDS_TIMELIMIT
3030IDS_SIZELIMIT=$IDS_SIZELIMIT
3031LDAP_ROOTDN="$LDAP_ROOTDN"
3032LDAP_ROOTPWD=$LDAP_ROOTPWD
3033LDAP_DOMAIN="$LDAP_DOMAIN"
3034LDAP_SUFFIX="$LDAP_SUFFIX"
3035LDAP_KRB_REALM="$LDAP_KRB_REALM"
3036LDAP_GSSAPI_PROFILE="$LDAP_GSSAPI_PROFILE"
3037
3038# Internal program variables that need to be set.
3039NEED_PROXY=$NEED_PROXY
3040NEED_TIME=$NEED_TIME
3041NEED_SIZE=$NEED_SIZE
3042NEED_CRYPT=$NEED_CRYPT
3043NEED_ADMIN=$NEED_ADMIN
3044NEED_HOSTACL=$NEED_HOSTACL
3045EXISTING_PROFILE=$EXISTING_PROFILE
3046
3047# LDAP PROFILE related defaults
3048LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
3049DEL_OLD_PROFILE=1
3050LDAP_BASEDN="$LDAP_BASEDN"
3051LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
3052LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
3053LDAP_FOLLOWREF=$LDAP_FOLLOWREF
3054LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
3055NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
3056NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
3057NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
3058LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
3059LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
3060LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
3061LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
3062LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
3063LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
3064LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
3065LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT
3066
3067# Proxy Agent
3068LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
3069LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED
3070
3071# enableShadowUpdate flag and Administrator credential
3072LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE
3073LDAP_ADMINDN="$LDAP_ADMINDN"
3074LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED
3075
3076# Export all the variables (just in case)
3077export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
3078export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
3079export NEED_PROXY
3080export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
3081export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
3082export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 
3083export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
3084export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
3085export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
3086export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
3087export LDAP_SERV_SRCH_DES SSD_FILE LDAP_KRB_REALM LDAP_GSSAPI_PROFILE
3088
3089# Service Search Descriptors start here if present:
3090EOF
3091    # Add service search descriptors.
3092    ssd_2_config "${OUTPUT_FILE}"
3093
3094    # Add LDAP suffix preferences
3095    print_suffix_config >> "${OUTPUT_FILE}"
3096
3097    # Add the end of FILE tag.
3098    ${ECHO} "" >> ${OUTPUT_FILE}
3099    ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE}
3100}
3101
3102
3103#
3104# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
3105#
3106chk_vlv_indexes()
3107{
3108    # Do ldapsearch to see if server supports VLV.
3109    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
3110    eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"
3111    if [ $? -ne 0 ]; then
3112	${ECHO} "ERROR: VLV is not supported on LDAP server!"
3113	cleanup
3114	exit 1
3115    fi
3116    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV controls found on LDAP server."
3117}
3118
3119#
3120# get_backend(): this function gets the relevant backend
3121#                (database) for LDAP_BASED.
3122#                Description: set IDS_DATABASE; exit on failure.
3123#                Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are
3124#                valid.
3125#
3126#                backend is retrieved from suffixes and subsuffixes
3127#                defined under "cn=mapping tree,cn=config". The
3128#                nsslapd-state attribute of these suffixes entries
3129#                is filled with either Backend, Disabled or referrals
3130#                related values. We only want those that have a true
3131#                backend database to select the relevant backend.
3132#
3133get_backend()
3134{
3135    [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"
3136
3137    cur_suffix=${LDAP_BASEDN}
3138    prev_suffix=
3139    IDS_DATABASE=
3140    while [ "${cur_suffix}" != "${prev_suffix}" ]
3141    do
3142	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
3143	eval "${LDAPSEARCH} ${LDAP_ARGS} " \
3144		"-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
3145		"-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
3146		"| ${GREP} 'nsslapd-backend=' " \
3147		"> ${TMPDIR}/ids_database_name 2>&1"
3148	NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
3149	case ${NUM_DBS} in
3150	0) # not a suffix, or suffix not activated; try next
3151	    prev_suffix=${cur_suffix}
3152	    cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','`
3153	    ;;
3154	1) # suffix found; get database name
3155	    IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2`
3156	    ;;
3157	*) # can not handle more than one database per suffix
3158	    ${ECHO} "ERROR: More than one database is configured "
3159	    ${ECHO} "       for $LDAP_SUFFIX!"
3160	    ${ECHO} "       $PROG can not configure suffixes where "
3161	    ${ECHO} "       more than one database is used for one suffix."
3162	    cleanup
3163	    exit 1
3164	    ;;
3165	esac
3166	if [ -n "${IDS_DATABASE}" ]; then
3167	    break
3168	fi
3169    done
3170
3171    if [ -z "${IDS_DATABASE}" ]; then
3172	# should not happen, since LDAP_BASEDN is supposed to be valid
3173	${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
3174	${ECHO} "Exiting."
3175	cleanup
3176	exit 1
3177    fi
3178
3179    [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
3180}
3181
3182#
3183# validate_suffix(): This function validates ${LDAP_SUFFIX}
3184#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
3185#
3186validate_suffix()
3187{
3188    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"
3189
3190    # Check LDAP_SUFFIX is not null
3191    if [ -z "${LDAP_SUFFIX}" ]; then
3192	${ECHO} "Invalid suffix (null suffix)"
3193	cleanup
3194	exit 1
3195    fi
3196
3197    # Check LDAP_SUFFIX and LDAP_BASEDN are consistent
3198    # Convert to lower case for basename.
3199    format_string "${LDAP_BASEDN}"
3200    LOWER_BASEDN="${FMT_STR}"
3201    format_string "${LDAP_SUFFIX}"
3202    LOWER_SUFFIX="${FMT_STR}"
3203
3204    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
3205    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
3206
3207    if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
3208    	sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
3209    	if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
3210	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
3211	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
3212	    cleanup
3213	    exit 1
3214	fi
3215    fi
3216
3217    # Check LDAP_SUFFIX does exist
3218    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0
3219
3220    # Well, suffix does not exist, try to prepare create it ...
3221    NEED_CREATE_SUFFIX=1
3222    prep_create_sfx_entry ||
3223    {
3224	cleanup
3225	exit 1
3226    }
3227    [ -n "${NEED_CREATE_BACKEND}" ] &&
3228    {
3229	# try to use id attr value of the suffix as a database name
3230	IDS_DATABASE=${_VAL}
3231	prep_create_sfx_backend
3232	case $? in
3233	1)	# cann't use the name we want, so we can either exit or use
3234		# some another available name - doing the last ...
3235		IDS_DATABASE=${IDS_DATABASE_AVAIL}
3236		;;
3237	2)	# unable to determine database name
3238		cleanup
3239		exit 1
3240		;;
3241	esac
3242    }
3243
3244    [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE"
3245}
3246
3247#
3248# validate_info(): This function validates the basic info collected
3249#                  So that some problems are caught right away.
3250#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
3251#
3252validate_info()
3253{
3254    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"
3255
3256    # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
3257    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
3258    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
3259    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
3260    export SERVER_ARGS
3261
3262    # Check the Root DN and Root DN passwd.
3263    # Use eval instead of $EVAL because not part of setup. (validate)
3264    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
3265    if [ $? -ne 0 ]; then
3266	eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
3267	if [ $? -eq 0 ]; then
3268	    ${ECHO} "ERROR: Root DN passwd is invalid."
3269	else
3270	    ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>."
3271	fi
3272	cleanup
3273	exit 1
3274    fi
3275    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN ... OK"
3276    [ $DEBUG -eq 1 ] && ${ECHO} "  RootDN passwd ... OK"
3277
3278    # Check if the server supports the VLV.
3279    chk_vlv_indexes
3280    [ $DEBUG -eq 1 ] && ${ECHO} "  VLV indexes ... OK"
3281
3282    # Check LDAP suffix
3283    validate_suffix
3284    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP suffix ... OK"
3285}
3286
3287#
3288# format_string(): take a string as argument and set FMT_STR
3289# to be the same string formatted as follow:
3290# - only lower case characters
3291# - no unnecessary spaces around , and =
3292#
3293format_string()
3294{
3295    FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' |
3296	sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`
3297}
3298
3299#
3300# prepare for the suffix entry creation
3301#
3302# input  : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix;
3303# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config.
3304# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created;
3305#          _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value.
3306# return : 0 - success, otherwise error.
3307#
3308prep_create_sfx_entry()
3309{
3310    [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()"
3311
3312    # check whether suffix corresponds to base dn
3313    format_string "${LDAP_BASEDN}"
3314    ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 ||
3315    {
3316	display_msg sfx_not_suitable
3317	return 1
3318    }
3319
3320    # parse LDAP_SUFFIX
3321    _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1`
3322    _ATT=`${ECHO} "${_RDN}" | cut -d= -f1`
3323    _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-`
3324
3325    # find out an objectclass for suffix entry if it is not defined yet
3326    [ -z "${LDAP_SUFFIX_OBJ}" ] &&
3327    {
3328	get_objectclass ${_ATT}
3329	[ -z "${_ATTR_NAME}" ] &&
3330	{
3331		display_msg obj_not_found
3332		return 1
3333	}
3334	LDAP_SUFFIX_OBJ=${_ATTR_NAME}
3335    }
3336    [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}"
3337
3338    # find out an aci for suffix entry if it is not defined yet
3339    [ -z "${LDAP_SUFFIX_ACI}" ] &&
3340    {
3341	# set Directory Server default aci
3342	LDAP_SUFFIX_ACI=`cat <<EOF
3343aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime
3344 || passwordExpWarned || passwordRetryCount || retryCountResetTime ||
3345 accountUnlockTime || passwordAllowChangeTime")
3346 (
3347   version 3.0;
3348   acl "Anonymous access";
3349   allow (read, search, compare) userdn = "ldap:///anyone";
3350 )
3351aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
3352 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
3353 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
3354 retryCountResetTime || accountUnlockTime || passwordHistory ||
3355 passwordAllowChangeTime")
3356 (
3357   version 3.0;
3358   acl "Allow self entry modification except for some attributes";
3359   allow (write) userdn = "ldap:///self";
3360 )
3361aci: (targetattr = "*")
3362 (
3363   version 3.0;
3364   acl "Configuration Administrator";
3365   allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
3366                         ou=TopologyManagement,o=NetscapeRoot";
3367 )
3368aci: (targetattr ="*")
3369 (
3370   version 3.0;
3371   acl "Configuration Administrators Group";
3372   allow (all) groupdn = "ldap:///cn=Configuration Administrators,
3373                          ou=Groups,ou=TopologyManagement,o=NetscapeRoot";
3374 )
3375EOF
3376`
3377    }
3378    [ $DEBUG -eq 1 ] && cat <<EOF
3379DEBUG: ACI for ${LDAP_SUFFIX} is
3380${LDAP_SUFFIX_ACI}
3381EOF
3382
3383    NEED_CREATE_BACKEND=
3384
3385    # check the suffix mapping tree ...
3386    # if mapping exists, suffix should work, otherwise DS inconsistent
3387    # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work
3388    #       in case of 'cn' value in LDAP is not quoted by '"',
3389    #       -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases
3390    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3391	-b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \
3392	-s base 'objectclass=*' dn ${VERB}" &&
3393    {
3394	[ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists"
3395	# get_backend() either gets IDS_DATABASE or exits
3396	get_backend
3397	return 0
3398    }
3399
3400    # no suffix mapping, just in case check ldbm backends consistency -
3401    # there are must be NO any databases pointing to LDAP_SUFFIX
3402    [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \
3403	-b 'cn=ldbm database,cn=plugins,cn=config' \
3404	-s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] &&
3405    {
3406	display_msg sfx_config_incons
3407	return 1
3408    }
3409
3410    # ok, no suffix mapping, no ldbm database
3411    [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..."
3412    NEED_CREATE_BACKEND=1
3413    return 0
3414}
3415
3416#
3417# prepare for the suffix backend creation
3418#
3419# input  : IDS_DATABASE - requested ldbm db name (must be not null)
3420# in/out : IDS_DATABASE_AVAIL - available ldbm db name
3421# return : 0 - ldbm db name ok
3422#          1 - IDS_DATABASE exists,
3423#              so IDS_DATABASE_AVAIL contains available name
3424#          2 - unable to find any available name
3425#
3426prep_create_sfx_backend()
3427{
3428    [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()"
3429
3430    # check if requested name available
3431    [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0
3432
3433    # get the list of database names start with a requested name
3434    _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3435	-b 'cn=ldbm database,cn=plugins,cn=config' \
3436	-s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null
3437
3438    # find available db name based on a requested name
3439    _i=""; _i_MAX=10
3440    while [ ${_i:-0} -lt ${_i_MAX} ]
3441    do
3442	_name="${IDS_DATABASE}${_i}"
3443	${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 ||
3444	{
3445		IDS_DATABASE_AVAIL="${_name}"
3446		break
3447	}
3448	_i=`expr ${_i:-0} + 1`
3449    done
3450
3451    [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0
3452
3453    [ -n "${IDS_DATABASE_AVAIL}" ] &&
3454    {
3455	display_msg ldbm_db_exist
3456	return 1
3457    }
3458
3459    display_msg unable_find_db_name
3460    return 2
3461}
3462
3463#
3464# add suffix if needed,
3465#     suffix entry and backend MUST be prepared by
3466#     prep_create_sfx_entry and prep_create_sfx_backend correspondingly
3467#
3468# input  : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL
3469#          LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE
3470# return : 0 - suffix successfully created, otherwise error occured
3471#
3472add_suffix()
3473{
3474    [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()"
3475
3476    [ -n "${NEED_CREATE_SUFFIX}" ] || return 0
3477
3478    [ -n "${NEED_CREATE_BACKEND}" ] &&
3479    {
3480	${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
3481dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config
3482objectclass: top
3483objectclass: extensibleObject
3484objectclass: nsMappingTree
3485cn: ${LDAP_SUFFIX}
3486nsslapd-state: backend
3487nsslapd-backend: ${IDS_DATABASE}
3488
3489dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config
3490objectclass: top
3491objectclass: extensibleObject
3492objectclass: nsBackendInstance
3493cn: ${IDS_DATABASE}
3494nsslapd-suffix: ${LDAP_SUFFIX}
3495EOF
3496	[ $? -ne 0 ] &&
3497	{
3498		display_msg create_ldbm_db_error
3499		return 1
3500	}
3501
3502	${ECHO} "  ${STEP}. Database ${IDS_DATABASE} successfully created"
3503	STEP=`expr $STEP + 1`
3504    }
3505
3506    ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
3507dn: ${LDAP_SUFFIX}
3508objectclass: ${LDAP_SUFFIX_OBJ}
3509${_ATT}: ${_VAL}
3510${LDAP_SUFFIX_ACI}
3511EOF
3512    [ $? -ne 0 ] &&
3513    {
3514	display_msg create_suffix_entry_error
3515	return 1
3516    }
3517
3518    ${ECHO} "  ${STEP}. Suffix ${LDAP_SUFFIX} successfully created"
3519    STEP=`expr $STEP + 1`
3520    return 0
3521}
3522
3523#
3524# interactively get suffix and related info from a user
3525#
3526# input  : LDAP_BASEDN - Base DN
3527# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value;
3528#          LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci;
3529#          NEED_CREATE_BACKEND - tells whether backend needs to be created;
3530#          IDS_DATABASE - prepared ldbm db name
3531# return : 0 - user gave a correct suffix
3532#          1 - suffix given by user cann't be created
3533#
3534get_suffix()
3535{
3536    [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()"
3537
3538    while :
3539    do
3540	get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN}
3541	case "${ANS}" in
3542	[Hh] | Help | help | \? ) display_msg create_suffix_help ;;
3543	[Bb] | Back | back | \< ) return 1 ;;
3544	* )
3545		format_string "${ANS}"
3546		LDAP_SUFFIX=${FMT_STR}
3547		prep_create_sfx_entry || continue
3548
3549		[ -n "${NEED_CREATE_BACKEND}" ] &&
3550		{
3551		    IDS_DATABASE_AVAIL= # reset the available db name
3552
3553		    reenter_suffix=
3554		    while :
3555		    do
3556			get_ans "Enter ldbm database name (b=back/h=help):" \
3557				${IDS_DATABASE_AVAIL:-${_VAL}}
3558			case "${ANS}" in
3559			[Hh] | \? ) display_msg enter_ldbm_db_help ;;
3560			[Bb] | \< ) reenter_suffix=1; break ;;
3561			* )
3562				IDS_DATABASE="${ANS}"
3563				prep_create_sfx_backend && break
3564			esac
3565		    done
3566		    [ -n "${reenter_suffix}" ] && continue
3567
3568		    [ $DEBUG -eq 1 ] && cat <<EOF
3569DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE}
3570EOF
3571		}
3572
3573		# eventually everything is prepared
3574		return 0
3575		;;
3576	esac
3577    done
3578}
3579
3580#
3581# print out a script which sets LDAP suffix related preferences
3582#
3583print_suffix_config()
3584{
3585    cat <<EOF2
3586# LDAP suffix related preferences used only if needed
3587IDS_DATABASE="${IDS_DATABASE}"
3588LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ"
3589LDAP_SUFFIX_ACI=\`cat <<EOF
3590${LDAP_SUFFIX_ACI}
3591EOF
3592\`
3593export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI
3594EOF2
3595}
3596
3597#
3598# check_basedn_suffix(): check that there is an existing
3599# valid suffix to hold current base DN
3600# return:
3601#   0: valid suffix found or new one should be created,
3602#      NEED_CREATE_SUFFIX flag actually indicates that
3603#   1: some error occures
3604#
3605check_basedn_suffix()
3606{
3607    [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"
3608
3609    NEED_CREATE_SUFFIX=
3610
3611    # find out existing suffixes
3612    discover_serv_suffix
3613
3614    ${ECHO} "  Validating LDAP Base DN and Suffix ..."
3615
3616    # check that LDAP Base DN might be added
3617    cur_ldap_entry=${LDAP_BASEDN}
3618    prev_ldap_entry=
3619    while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
3620    do
3621	[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
3622	${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
3623		-s one "objectclass=*" > /dev/null 2>&1
3624	if [ $? -eq 0 ]; then
3625	    break
3626	else
3627	    prev_ldap_entry=${cur_ldap_entry}
3628	    cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
3629	fi
3630    done
3631
3632    if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
3633	${ECHO} "  No valid suffixes were found for Base DN ${LDAP_BASEDN}"
3634
3635	NEED_CREATE_SUFFIX=1
3636	return 0
3637
3638    else
3639	[ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"
3640
3641	# Now looking for relevant suffix for this entry.
3642	# LDAP_SUFFIX will then be used to add necessary
3643	# base objects. See add_base_objects().
3644	format_string "${cur_ldap_entry}"
3645	lower_entry="${FMT_STR}"
3646	[ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
3647	oIFS=$IFS
3648	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
3649	IFS='
3650'
3651	for suff in ${LDAP_SUFFIX_LIST}
3652	do
3653	    [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
3654	    format_string "${suff}"
3655	    lower_suff="${FMT_STR}"
3656	    if [ "${lower_entry}" = "${lower_suff}" ]; then
3657		LDAP_SUFFIX="${suff}"
3658		break
3659	    else
3660		dcstmp=`basename "${lower_entry}" "${lower_suff}"`
3661		if [ "${dcstmp}" = "${lower_entry}" ]; then
3662		    # invalid suffix, try next one
3663		    continue
3664		else
3665		    # valid suffix found
3666		    LDAP_SUFFIX="${suff}"
3667		    break
3668		fi
3669	    fi
3670	done
3671	[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
3672	IFS=$oIFS
3673
3674	[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"
3675
3676	if [ -z "${LDAP_SUFFIX}" ]; then
3677	    # should not happen, since we found the entry
3678	    ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
3679	    ${ECHO} "Exiting."
3680	    return 1
3681	fi
3682
3683	# Getting relevant database (backend)
3684	# IDS_DATABASE will then be used to create indexes.
3685	get_backend
3686
3687	return 0
3688    fi
3689}
3690
3691#
3692# discover_serv_suffix(): This function queries the server to find
3693#    suffixes available
3694#  return: 0: OK, suffix found
3695#          1: suffix not determined
3696discover_serv_suffix()
3697{
3698    [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"
3699
3700    # Search the server for the TOP of the TREE.
3701    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
3702    ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
3703	${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
3704    NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
3705    case $NUM_TOP in
3706	0)
3707	    [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree"
3708	    return 1
3709	    ;;
3710	*)  # build the list of suffixes; take out 'namingContexts=' in
3711	    # each line of ${TMPDIR}/treeTOP
3712	    LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
3713		awk '{ printf("%s\n",substr($0,16,length-15)) }'`
3714	    ;;
3715    esac
3716
3717    [ $DEBUG -eq 1 ] && ${ECHO} "  LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
3718    return 0
3719}
3720
3721
3722#
3723# modify_cn(): Change the cn from MUST to MAY in ipNetwork.
3724#
3725modify_cn()
3726{
3727    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"
3728
3729    ( cat <<EOF
3730dn: cn=schema
3731changetype: modify
3732add: objectclasses
3733objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' )
3734EOF
3735) > ${TMPDIR}/ipNetwork_cn
3736
3737    # Modify the cn for ipNetwork.
3738    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
3739    if [ $? -ne 0 ]; then
3740	${ECHO} "  ERROR: update of cn for ipNetwork failed!"
3741	cleanup
3742	exit 1
3743    fi
3744}
3745
3746
3747# modify_timelimit(): Modify timelimit to user value.
3748modify_timelimit()
3749{
3750    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"
3751
3752    # Here doc to modify timelimit.
3753    ( cat <<EOF
3754dn: cn=config
3755changetype: modify
3756replace: nsslapd-timelimit
3757nsslapd-timelimit: ${IDS_TIMELIMIT}
3758EOF
3759) > ${TMPDIR}/ids_timelimit
3760
3761    # Add the entry.
3762    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
3763    if [ $? -ne 0 ]; then
3764	${ECHO} "  ERROR: update of nsslapd-timelimit failed!"
3765	cleanup
3766	exit 1
3767    fi
3768
3769    # Display messages for modifications made in patch.
3770    ${ECHO} "  ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
3771    STEP=`expr $STEP + 1`
3772}
3773
3774
3775# modify_sizelimit(): Modify sizelimit to user value.
3776modify_sizelimit()
3777{
3778    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"
3779
3780    # Here doc to modify sizelimit.
3781    ( cat <<EOF
3782dn: cn=config
3783changetype: modify
3784replace: nsslapd-sizelimit
3785nsslapd-sizelimit: ${IDS_SIZELIMIT}
3786EOF
3787) > ${TMPDIR}/ids_sizelimit
3788
3789    # Add the entry.
3790    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
3791    if [ $? -ne 0 ]; then
3792	${ECHO} "  ERROR: update of nsslapd-sizelimit failed!"
3793	cleanup
3794	exit 1
3795    fi
3796
3797    # Display messages for modifications made in patch.
3798    ${ECHO} "  ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
3799    STEP=`expr $STEP + 1`
3800}
3801
3802
3803# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
3804modify_pwd_crypt()
3805{
3806    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"
3807
3808    # Here doc to modify passwordstoragescheme.
3809    # IDS 5.2 moved passwordchangesceme off to a new data structure.
3810    if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
3811	( cat <<EOF
3812dn: cn=config
3813changetype: modify
3814replace: passwordstoragescheme
3815passwordstoragescheme: crypt
3816EOF
3817	) > ${TMPDIR}/ids_crypt
3818    else
3819	( cat <<EOF
3820dn: cn=Password Policy,cn=config
3821changetype: modify
3822replace: passwordstoragescheme
3823passwordstoragescheme: crypt
3824EOF
3825	) > ${TMPDIR}/ids_crypt
3826    fi
3827
3828    # Add the entry.
3829    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
3830    if [ $? -ne 0 ]; then
3831	${ECHO} "  ERROR: update of passwordstoragescheme failed!"
3832	cleanup
3833	exit 1
3834    fi
3835
3836    # Display messages for modifications made in patch.
3837    ${ECHO} "  ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
3838    STEP=`expr $STEP + 1`
3839}
3840
3841
3842#
3843# add_eq_indexes(): Add indexes to improve search performance.
3844#
3845add_eq_indexes()
3846{
3847    [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"
3848
3849    # Set eq indexes to add.
3850    _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"
3851
3852    if [ -z "${IDS_DATABASE}" ]; then
3853	get_backend
3854    fi
3855
3856    # Set _EXT to use as shortcut.
3857    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3858
3859    # Display message to id current step.
3860    ${ECHO} "  ${STEP}. Processing eq,pres indexes:"
3861    STEP=`expr $STEP + 1`
3862
3863    # For loop to create indexes.
3864    for i in ${_INDEXES}; do
3865	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
3866
3867	# Check if entry exists first, if so, skip to next.
3868	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \
3869	    \"objectclass=*\" > /dev/null 2>&1"
3870	if [ $? -eq 0 ]; then
3871	    # Display index skipped.
3872	    ${ECHO} "      ${i} (eq,pres) skipped already exists"
3873	    continue
3874	fi
3875
3876	# Here doc to create LDIF.
3877	( cat <<EOF
3878dn: cn=${i},${_EXT}
3879objectClass: top
3880objectClass: nsIndex
3881cn: ${i}
3882nsSystemIndex: false
3883nsIndexType: pres
3884nsIndexType: eq
3885EOF
3886) > ${TMPDIR}/index_${i}
3887
3888	# Add the index.
3889	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
3890	if [ $? -ne 0 ]; then
3891	    ${ECHO} "  ERROR: Adding EQ,PRES index for ${i} failed!"
3892	    cleanup
3893	    exit 1
3894	fi
3895
3896	# Build date for task name.
3897	_YR=`date '+%y'`
3898	_MN=`date '+%m'`
3899	_DY=`date '+%d'`
3900	_H=`date '+%H'`
3901	_M=`date '+%M'`
3902	_S=`date '+%S'`
3903
3904	# Build task name
3905	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
3906
3907	# Build the task entry to add.
3908	( cat <<EOF
3909dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
3910changetype: add
3911objectclass: top
3912objectclass: extensibleObject
3913cn: ${TASKNAME}
3914nsInstance: ${IDS_DATABASE}
3915nsIndexAttribute: ${i}
3916EOF
3917) > ${TMPDIR}/task_${i}
3918
3919	# Add the task.
3920	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
3921	if [ $? -ne 0 ]; then
3922	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
3923	    cleanup
3924	    exit 1
3925	fi
3926
3927	# Wait for task to finish, display current status.
3928	while :
3929	do
3930	    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3931	        -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
3932	        \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
3933	    ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
3934	    if [ $? -ne 0 ]; then
3935		break
3936	    fi
3937	    TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
3938	        head -1 | cut -d: -f2`
3939	    ${ECHO} "      ${i} (eq,pres)  $TASK_STATUS                  \r\c"
3940	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
3941	    if [ $? -eq 0 ]; then
3942		break
3943	    fi
3944	    sleep 2
3945	done
3946
3947	# Print newline because of \c.
3948	${ECHO} " "
3949    done
3950}
3951
3952
3953#
3954# add_sub_indexes(): Add indexes to improve search performance.
3955#
3956add_sub_indexes()
3957{
3958    [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"
3959
3960    # Set eq indexes to add.
3961    _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"
3962
3963    # Set _EXT to use as shortcut.
3964    _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3965
3966
3967    # Display message to id current step.
3968    ${ECHO} "  ${STEP}. Processing eq,pres,sub indexes:"
3969    STEP=`expr $STEP + 1`
3970
3971    # For loop to create indexes.
3972    for i in ${_INDEXES}; do
3973	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
3974
3975	# Check if entry exists first, if so, skip to next.
3976	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \
3977	    -s base \"objectclass=*\" > /dev/null 2>&1"
3978	if [ $? -eq 0 ]; then
3979	    # Display index skipped.
3980	    ${ECHO} "      ${i} (eq,pres,sub) skipped already exists"
3981	    continue
3982	fi
3983
3984	# Here doc to create LDIF.
3985	( cat <<EOF
3986dn: cn=${i},${_EXT}
3987objectClass: top
3988objectClass: nsIndex
3989cn: ${i}
3990nsSystemIndex: false
3991nsIndexType: pres
3992nsIndexType: eq
3993nsIndexType: sub
3994EOF
3995) > ${TMPDIR}/index_${i}
3996
3997	# Add the index.
3998	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
3999	if [ $? -ne 0 ]; then
4000	    ${ECHO} "  ERROR: Adding EQ,PRES,SUB index for ${i} failed!"
4001	    cleanup
4002	    exit 1
4003	fi
4004
4005	# Build date for task name.
4006	_YR=`date '+%y'`
4007	_MN=`date '+%m'`
4008	_DY=`date '+%d'`
4009	_H=`date '+%H'`
4010	_M=`date '+%M'`
4011	_S=`date '+%S'`
4012
4013	# Build task name
4014	TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
4015
4016	# Build the task entry to add.
4017	( cat <<EOF
4018dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
4019changetype: add
4020objectclass: top
4021objectclass: extensibleObject
4022cn: ${TASKNAME}
4023nsInstance: ${IDS_DATABASE}
4024nsIndexAttribute: ${i}
4025EOF
4026) > ${TMPDIR}/task_${i}
4027
4028	# Add the task.
4029	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
4030	if [ $? -ne 0 ]; then
4031	    ${ECHO} "  ERROR: Adding task for ${i} failed!"
4032	    cleanup
4033	    exit 1
4034	fi
4035
4036	# Wait for task to finish, display current status.
4037	while :
4038	do
4039	    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
4040	        -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
4041	        \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
4042	    ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
4043	    if [ $? -ne 0 ]; then
4044		break
4045	    fi
4046	    TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
4047	        head -1 | cut -d: -f2`
4048	    ${ECHO} "      ${i} (eq,pres,sub)  $TASK_STATUS                  \r\c"
4049	    ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
4050	    if [ $? -eq 0 ]; then
4051		break
4052	    fi
4053	    sleep 2
4054	done
4055
4056	# Print newline because of \c.
4057	${ECHO} " "
4058    done
4059}
4060
4061
4062#
4063# add_vlv_indexes(): Add VLV indexes to improve search performance.
4064#
4065add_vlv_indexes()
4066{
4067    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()"
4068
4069    # Set eq indexes to add.
4070    # Note semi colon separators because some filters contain colons
4071    _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup"
4072    _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost"
4073    _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork"
4074    _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount"
4075    _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc"
4076    _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount"
4077
4078    # Indexes added during NIS to LDAP transition
4079    _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount"
4080    _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr"
4081    _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser"
4082    _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr"
4083    _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)"
4084    _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)"
4085    _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup"
4086    _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)"
4087    _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)"
4088    _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup"
4089    _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)"
4090    _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)"
4091    _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService"
4092    _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)"
4093    _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)"
4094
4095    _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 "
4096
4097
4098    # Set _EXT to use as shortcut.
4099    _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
4100
4101
4102    # Display message to id current step.
4103    ${ECHO} "  ${STEP}. Processing VLV indexes:"
4104    STEP=`expr $STEP + 1`
4105
4106    # Reset temp file for vlvindex commands.
4107    [ -f ${TMPDIR}/ds5_vlvindex_list ] &&  rm ${TMPDIR}/ds5_vlvindex_list
4108    touch ${TMPDIR}/ds5_vlvindex_list
4109    [ -f ${TMPDIR}/ds6_vlvindex_list ] &&  rm ${TMPDIR}/ds6_vlvindex_list
4110    touch ${TMPDIR}/ds6_vlvindex_list
4111
4112    # Get the instance name from iDS server.
4113    _INSTANCE="<server-instance>"    # Default to old output.
4114
4115    eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1"
4116
4117    ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right?
4118    if [ $? -eq 0 ]; then # If success, grab name after "slapd-".
4119	_INST_DIR=`cat ${TMPDIR}/instance_name`
4120	_INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-`
4121    fi
4122
4123    # For loop to create indexes.
4124    for p in ${_INDEXES}; do
4125	[ $DEBUG -eq 1 ] && ${ECHO} "  Adding index for ${i}"
4126
4127	# Break p (pair) into i and j parts.
4128        i=`${ECHO} $p | cut -d';' -f1`
4129        j=`${ECHO} $p | cut -d';' -f2`
4130        k=`${ECHO} $p | cut -d';' -f3`
4131        m=`${ECHO} $p | cut -d';' -f4`
4132
4133	# Set _jEXT to use as shortcut.
4134	_jEXT="cn=${j},${_EXT}"
4135
4136	# Check if entry exists first, if so, skip to next.
4137	${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1
4138	if [ $? -eq 0 ]; then
4139	    # Display index skipped.
4140	    ${ECHO} "      ${i} vlv_index skipped already exists"
4141	    continue
4142	fi
4143
4144	# Compute the VLV Scope from the LDAP_SEARCH_SCOPE.
4145	# NOTE: A value of "base (0)" does not make sense.
4146        case "$LDAP_SEARCH_SCOPE" in
4147            sub) VLV_SCOPE="2" ;;
4148            *)   VLV_SCOPE="1" ;;
4149        esac
4150
4151	# Here doc to create LDIF.
4152	( cat <<EOF
4153dn: ${_jEXT}
4154objectClass: top
4155objectClass: vlvSearch
4156cn: ${j}
4157vlvbase: ${k},${LDAP_BASEDN}
4158vlvscope: ${VLV_SCOPE}
4159vlvfilter: (${m})
4160aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
4161
4162dn: cn=${i},${_jEXT}
4163cn: ${i}
4164vlvSort: cn uid
4165objectclass: top
4166objectclass: vlvIndex
4167EOF
4168) > ${TMPDIR}/vlv_index_${i}
4169
4170	# Add the index.
4171	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
4172	if [ $? -ne 0 ]; then
4173	    ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
4174	    cleanup
4175	    exit 1
4176	fi
4177
4178	# Print message that index was created.
4179	${ECHO} "      ${i} vlv_index   Entry created"
4180
4181	# Add command to list of vlvindex commands to run.
4182	${ECHO} "  directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list
4183	${ECHO} "  <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list
4184    done
4185}
4186
4187
4188#
4189# display_vlv_cmds(): Display VLV index commands to run on server.
4190#
4191display_vlv_cmds()
4192{
4193    if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \
4194	 -s "${TMPDIR}/ds6_vlvindex_list" ]; then
4195	display_msg display_vlv_list
4196    fi
4197
4198    if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then
4199	cat ${TMPDIR}/ds5_vlvindex_list
4200    fi
4201
4202    cat << EOF
4203
4204
4205EOF
4206
4207    if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then
4208	cat ${TMPDIR}/ds6_vlvindex_list
4209    fi
4210}
4211
4212
4213#
4214# update_schema_attr(): Update Schema to support Naming.
4215#
4216update_schema_attr()
4217{
4218    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()"
4219
4220    ( cat <<EOF
4221dn: cn=schema
4222changetype: modify
4223add: attributetypes
4224attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4225attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4226attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4227attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4228attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4229attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4230attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4231attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4232attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4233attributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4234attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4235attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4236attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4237attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4238attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4239attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4240attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4241attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4242attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4243attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4244attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4245attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4246attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4247attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4248attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4249attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4250attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4251attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4252attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4253attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4254attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4255attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4256attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4257attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4258attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4259attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4260attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4261attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4262attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4263attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4264attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4265attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4266attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4267attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4268attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4269attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4270attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4271attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4272attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4273attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4274attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4275attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4276attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4277attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4278attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4279attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4280attributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer.  This URI SHOULD be used as a relative distinguished name (RDN).  If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4281attributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer.  Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4282attributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4283attributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer.  Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer.  Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4284attributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4285attributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer.  This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4286attributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer.  For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser.  The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4287attributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device.  The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4288attributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4289attributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4290attributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer.  Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag.  For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized.  This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE )
4291attributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry.  For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).  Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
4292attributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry.  For example: "en-us" (US English) or "fr-fr" (French in France).  Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{63} )
4293attributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer.  Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4294attributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4295attributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer.  For example: "deflate, gzip".  Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4296attributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4297attributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer).  This attribute is informative, NOT a service guarantee.  Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4298attributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4299attributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4.  Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
4300attributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer.  Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4301attributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer.  For example: "iso-a4",  "envelope", or "na-letter-white".  Legal values  conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4302attributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured".  For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4303attributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer.  Each resolution value is a string with 3 fields:  1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit.  Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter).  Each resolution field is delimited by ">".  For example:  "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{255} )
4304attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer.  For example: "draft, normal".  Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4305attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported.  An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity".  Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4306attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4307attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept.  A value of "0" indicates no maximum limit.  A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4308attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer.  It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4309attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer.  It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127}  SINGLE-VALUE )
4310attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer.  Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4311attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4312attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4313attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX  1.3.6.1.4.1.1466.115.121.1.15{127} )
4314attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4315attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4316attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4317attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4318attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4319EOF
4320) > ${TMPDIR}/schema_attr
4321
4322    # Add the entry.
4323    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}"
4324    if [ $? -ne 0 ]; then
4325	${ECHO} "  ERROR: update of schema attributes failed!"
4326	cleanup
4327	exit 1
4328    fi
4329
4330    # Display message that schema is updated.
4331    ${ECHO} "  ${STEP}. Schema attributes have been updated."
4332    STEP=`expr $STEP + 1`
4333}
4334
4335
4336#
4337# update_schema_obj(): Update the schema objectclass definitions.
4338#
4339update_schema_obj()
4340{
4341    [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()"
4342
4343    # Add the objectclass definitions.
4344    ( cat <<EOF
4345dn: cn=schema
4346changetype: modify
4347add: objectclasses
4348objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
4349
4350dn: cn=schema
4351changetype: modify
4352add: objectclasses
4353objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain )
4354
4355dn: cn=schema
4356changetype: modify
4357add: objectclasses
4358objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description )
4359
4360dn: cn=schema
4361changetype: modify
4362add: objectclasses
4363objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description )
4364
4365dn: cn=schema
4366changetype: modify
4367add: objectclasses
4368objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) )
4369
4370dn: cn=schema
4371changetype: modify
4372add: objectclasses
4373objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) )
4374
4375dn: cn=schema
4376changetype: modify
4377add: objectclasses
4378objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember )
4379
4380dn: cn=schema
4381changetype: modify
4382add: objectclasses
4383objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
4384
4385dn: cn=schema
4386changetype: modify
4387add: objectclasses
4388objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) )
4389
4390dn: cn=schema
4391changetype: modify
4392add: objectclasses
4393objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) )
4394
4395dn: cn=schema
4396changetype: modify
4397add: objectclasses
4398objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
4399
4400dn: cn=schema
4401changetype: modify
4402add: objectclasses
4403objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
4404
4405dn: cn=schema
4406changetype: modify
4407add: objectclasses
4408objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) )
4409
4410dn: cn=schema
4411changetype: modify
4412add: objectclasses
4413objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) )
4414
4415dn: cn=schema
4416changetype: modify
4417add: objectclasses
4418objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
4419
4420dn: cn=schema
4421changetype: modify
4422add: objectclasses
4423objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass )
4424
4425dn: cn=schema
4426changetype: modify
4427add: objectclasses
4428objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY )
4429
4430dn: cn=schema
4431changetype: modify
4432add: objectclasses
4433objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) )
4434
4435dn: cn=schema
4436changetype: modify
4437add: objectclasses
4438objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) )
4439
4440dn: cn=schema
4441changetype: modify
4442add: objectclasses
4443objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) )
4444
4445dn: cn=schema
4446changetype: modify
4447add: objectclasses
4448objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) )
4449
4450dn: cn=schema
4451changetype: modify
4452add: objectclasses
4453objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases )
4454
4455dn: cn=schema
4456changetype: modify
4457add: objectclasses
4458objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) )
4459
4460dn: cn=schema
4461changetype: modify
4462add: objectclasses
4463objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) )
4464
4465dn: cn=schema
4466changetype: modify
4467add: objectclasses
4468objectclasses:  ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue )
4469
4470dn: cn=schema
4471changetype: modify
4472add: objectclasses
4473objectclasses:	( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber )
4474EOF
4475) > ${TMPDIR}/schema_obj
4476
4477    # Add the entry.
4478    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}"
4479    if [ $? -ne 0 ]; then
4480	${ECHO} "  ERROR: update of schema objectclass definitions failed!"
4481	cleanup
4482	exit 1
4483    fi
4484
4485    # Display message that schema is updated.
4486    ${ECHO} "  ${STEP}. Schema objectclass definitions have been added."
4487    STEP=`expr $STEP + 1`
4488}
4489
4490#
4491# modify_top_aci(): Modify the ACI for the top entry to disable self modify
4492#                   of user attributes.
4493#
4494modify_top_aci()
4495{
4496    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()"
4497
4498    # Set ACI Name
4499    ACI_NAME="LDAP_Naming_Services_deny_write_access"
4500
4501    # Search for ACI_NAME
4502    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1"
4503    if [ $? -ne 0 ]; then
4504	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4505	cat ${TMPDIR}/chk_top_aci
4506	cleanup
4507	exit 1
4508    fi
4509    ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1
4510    if [ $? -eq 0 ]; then
4511	${ECHO} "  ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}."
4512	STEP=`expr $STEP + 1`
4513	return 0
4514    fi
4515
4516    # Crate LDIF for top level ACI.
4517    ( cat <<EOF
4518dn: ${LDAP_BASEDN}
4519changetype: modify
4520add: aci
4521aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAuditAlways||SolarisAuditNever||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";)
4522-
4523EOF
4524) > ${TMPDIR}/top_aci
4525
4526    # Add the entry.
4527    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}"
4528    if [ $? -ne 0 ]; then
4529	${ECHO} "  ERROR: Modify of top level ACI failed! (restricts self modify)"
4530	cleanup
4531	exit 1
4532    fi
4533
4534    # Display message that ACI is updated.
4535    MSG="ACI for ${LDAP_BASEDN} modified to disable self modify."
4536    if [ $EXISTING_PROFILE -eq 1 ];then
4537	${ECHO} "  ACI SET: $MSG"
4538    else
4539	${ECHO} "  ${STEP}. $MSG"
4540	STEP=`expr $STEP + 1`
4541    fi
4542}
4543
4544#
4545# find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1.
4546# Delete the ACI and print a message using $3 as the ACI name. $3 is needed
4547# because it could have a different value than that of $1.
4548find_and_delete_ACI()
4549{
4550    [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI"
4551
4552    # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN}
4553    ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1
4554    if [ -s ${TMPDIR}/grep_find_delete_aci ]; then
4555	aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci`
4556
4557	# Create the tmp file to delete the ACI.
4558	( cat <<EOF
4559dn: ${LDAP_BASEDN}
4560changetype: modify
4561delete: aci
4562aci: ${aci_to_delete}
4563EOF
4564	) > ${TMPDIR}/find_delete_aci
4565
4566	# Delete the ACI
4567	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}"
4568	if [ $? -ne 0 ]; then
4569	    ${ECHO} "  ERROR: Remove of $3 ACI failed!"
4570	    cleanup
4571	    exit 1
4572	fi
4573
4574	${RM} -f ${TMPDIR}/find_delete_aci
4575	# Display message that an ACL is deleted.
4576	MSG="ACI $3 deleted."
4577	if [ $EXISTING_PROFILE -eq 1 ]; then
4578	    ${ECHO} "  ACI DELETED: $MSG"
4579	else
4580	    ${ECHO} "  ${STEP}. $MSG"
4581	    STEP=`expr $STEP + 1`
4582	fi
4583    fi
4584}
4585
4586#
4587# Add an ACI to deny non-admin access to shadow data when
4588# shadow update is enabled.
4589#
4590deny_non_admin_shadow_access()
4591{
4592    [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()"
4593
4594    # Set ACI Names
4595    ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access"
4596    ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access"
4597
4598    # Search for ACI_TO_ADD
4599    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1"
4600    if [ $? -ne 0 ]; then
4601	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4602	cleanup
4603	exit 1
4604    fi
4605
4606    # If an ACI with ${ACI_TO_ADD} already exists, we are done.
4607    ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null
4608    if [ $? -eq 0 ]; then
4609	MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
4610	if [ $EXISTING_PROFILE -eq 1 ]; then
4611	    ${ECHO} "  NOT SET: $MSG"
4612	else
4613	    ${ECHO} "  ${STEP}. $MSG"
4614	    STEP=`expr $STEP + 1`
4615	fi
4616	return 0
4617    fi
4618
4619    # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
4620    # should be mutually exclusive, so if the latter exists, delete it.
4621    find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL}
4622
4623    # Create the tmp file to add.
4624    ( cat <<EOF
4625dn: ${LDAP_BASEDN}
4626changetype: modify
4627add: aci
4628aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
4629 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
4630 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
4631 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";)
4632EOF
4633) > ${TMPDIR}/non_admin_aci_write
4634
4635    # Add the entry.
4636    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}"
4637    if [ $? -ne 0 ]; then
4638	${ECHO} "  ERROR: Adding ACI ${ACI_TO_ADD} failed!"
4639	${CAT} ${TMPDIR}/non_admin_aci_write
4640	cleanup
4641	exit 1
4642    fi
4643
4644    ${RM} -f ${TMPDIR}/non_admin_aci_write
4645    # Display message that the non-admin access to shadow data is denied.
4646    MSG="Non-Admin access to shadow data denied."
4647    if [ $EXISTING_PROFILE -eq 1 ]; then
4648	${ECHO} "  ACI SET: $MSG"
4649    else
4650	${ECHO} "  ${STEP}. $MSG"
4651	STEP=`expr $STEP + 1`
4652    fi
4653}
4654
4655#
4656# Add an ACI to deny non-host access to shadow data when
4657# shadow update is enabled and auth Method if gssapi.
4658#
4659deny_non_host_shadow_access()
4660{
4661    [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()"
4662
4663    # Set ACI Names
4664    ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access"
4665    ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access"
4666
4667    # Search for ACI_TO_ADD
4668    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1"
4669    if [ $? -ne 0 ]; then
4670	${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4671	cleanup
4672	exit 1
4673    fi
4674
4675    # If an ACI with ${ACI_TO_ADD} already exists, we are done.
4676    ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null
4677    if [ $? -eq 0 ]; then
4678	MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
4679	if [ $EXISTING_PROFILE -eq 1 ]; then
4680	    ${ECHO} "  NOT SET: $MSG"
4681	else
4682	    ${ECHO} "  ${STEP}. $MSG"
4683	    STEP=`expr $STEP + 1`
4684	fi
4685	return 0
4686    fi
4687
4688    # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
4689    # should be mutually exclusive, so if the former exists, delete it.
4690    find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL}
4691
4692    # Create the tmp file to add.
4693    ( cat <<EOF
4694dn: ${LDAP_BASEDN}
4695changetype: modify
4696add: aci
4697aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
4698 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
4699 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
4700  deny (write,read,search,compare)
4701  userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
4702EOF
4703) > ${TMPDIR}/non_host_aci_write
4704
4705    # Add the entry.
4706    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}"
4707    if [ $? -ne 0 ]; then
4708	${ECHO} "  ERROR: Adding ACI ${ACI_TO_ADD} failed!"
4709	${CAT} ${TMPDIR}/non_host_aci_write
4710	cleanup
4711	exit 1
4712    fi
4713
4714    ${RM} -f ${TMPDIR}/non_host_aci_write
4715    # Display message that the non-host access to shadow data is denied.
4716    MSG="Non-host access to shadow data is denied."
4717    if [ $EXISTING_PROFILE -eq 1 ]; then
4718	${ECHO} "  ACI SET: $MSG"
4719    else
4720	${ECHO} "  ${STEP}. $MSG"
4721	STEP=`expr $STEP + 1`
4722    fi
4723}
4724
4725#
4726# add_vlv_aci(): Add access control information (aci) for VLV.
4727#
4728add_vlv_aci()
4729{
4730    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"
4731
4732    # Add the VLV ACI.
4733    ( cat <<EOF
4734dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
4735changetype: modify
4736replace: aci
4737aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
4738EOF
4739) > ${TMPDIR}/vlv_aci
4740
4741    # Add the entry.
4742    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
4743    if [ $? -ne 0 ]; then
4744	${ECHO} "  ERROR: Add of VLV ACI failed!"
4745	cleanup
4746	exit 1
4747    fi
4748
4749    # Display message that schema is updated.
4750    ${ECHO} "  ${STEP}. Add of VLV Access Control Information (ACI)."
4751    STEP=`expr $STEP + 1`
4752}
4753
4754
4755#
4756# set_nisdomain(): Add the NisDomainObject to the Base DN.
4757#
4758set_nisdomain()
4759{
4760    [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()"
4761
4762    # Check if nisDomain is already set.
4763    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \
4764	\"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1
4765    ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}"
4766    if [ $? -eq 0 ]; then
4767	${ECHO} "  ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set."
4768	STEP=`expr $STEP + 1`
4769	return 0
4770    fi
4771
4772    # Add the new top level containers.
4773    ( cat <<EOF
4774dn: ${LDAP_BASEDN}
4775changetype: modify
4776objectclass: nisDomainObject
4777nisdomain: ${LDAP_DOMAIN}
4778EOF
4779) > ${TMPDIR}/nis_domain
4780
4781    # Add the entry.
4782    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}"
4783    if [ $? -ne 0 ]; then
4784	${ECHO} "  ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed."
4785	cleanup
4786	exit 1
4787    fi
4788
4789    # Display message that schema is updated.
4790    ${ECHO} "  ${STEP}. NisDomainObject added to ${LDAP_BASEDN}."
4791    STEP=`expr $STEP + 1`
4792}
4793
4794
4795#
4796# check_attrName(): Check that the attribute name is valid.
4797#              $1   Key to check.
4798#         Returns   0 : valid name	1 : invalid name
4799#
4800check_attrName()
4801{
4802    [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()"
4803    [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1"
4804
4805    ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1
4806    if [ $? -eq 0 ]; then
4807	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
4808			attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}"
4809    else
4810	${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
4811			attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}"
4812    fi
4813
4814    if [ $? -ne 0 ]; then
4815	return 1
4816    else
4817	return 0
4818    fi
4819}
4820
4821
4822#
4823# get_objectclass():   Determine the objectclass for the given attribute name
4824#              $1   Attribute name to check.
4825#      _ATTR_NAME   Return value, Object Name or NULL if unknown to idsconfig.
4826#
4827#      NOTE: An attribute name can be valid but still we might not be able
4828#            to determine the objectclass from the table.
4829#            In such cases, the user needs to create the necessary object(s).
4830#
4831get_objectclass()
4832{
4833    [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()"
4834    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1"
4835
4836    # Set return value to NULL string.
4837    _ATTR_NAME=""
4838
4839    # Test key for type:
4840    case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in
4841	ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;;
4842	dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;;
4843	 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;;
4844	 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;;
4845	 *)  _ATTR_NAME="" ;;
4846    esac
4847
4848    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME"
4849}
4850
4851
4852#
4853# add_base_objects(): Add any necessary base objects.
4854#
4855add_base_objects()
4856{
4857    [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()"
4858
4859    # Convert to lower case for basename.
4860    format_string "${LDAP_BASEDN}"
4861    LOWER_BASEDN="${FMT_STR}"
4862    format_string "${LDAP_SUFFIX}"
4863    LOWER_SUFFIX="${FMT_STR}"
4864
4865    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
4866    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
4867
4868    # Create additional components.
4869    if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then
4870	[ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent"
4871    else
4872	# first, test that the suffix is valid
4873	dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
4874	if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then
4875	    # should not happen since check_basedn_suffix() succeeded
4876	    ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
4877	    ${ECHO} "for Base DN ${LOWER_BASEDN}"
4878	    cleanup
4879	    exit 1
4880	fi
4881	# OK, suffix is valid, start working with LDAP_BASEDN
4882	# field separator is ',' (i.e., space is a valid character)
4883	dcstmp2="`${ECHO} ${LDAP_BASEDN} |
4884		sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`"
4885	dcs=""
4886	# use dcstmp to count the loop, and dcstmp2 to get the correct
4887	# string case
4888	# dcs should be in reverse order, only for these components
4889	# that need to be added
4890	while [ -n "${dcstmp}" ]
4891	do
4892	    i2=`${ECHO} "$dcstmp2" | cut -f1 -d','`
4893	    dk=`${ECHO} $i2 | awk -F= '{print $1}'`
4894	    dc=`${ECHO} $i2 | awk -F= '{print $2}'`
4895	    dcs="$dk=$dc,$dcs";
4896	    dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','`
4897	    dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','`
4898	    [ $DEBUG -eq 1 ] && \
4899		${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n"
4900	done
4901
4902
4903
4904	lastdc=${LDAP_SUFFIX}
4905	dc=`${ECHO} "${dcs}" | cut -f1 -d','`
4906	dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','`
4907	while [ -n "${dc}" ]; do
4908	    # Get Key and component from $dc.
4909	    dk2=`${ECHO} $dc | awk -F= '{print $1}'`
4910	    dc2=`${ECHO} $dc | awk -F= '{print $2}'`
4911
4912	    # At this point, ${dk2} is a valid attribute name
4913
4914	    # Check if entry exists first, if so, skip to next.
4915	    ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1
4916	    if [ $? -eq 0 ]; then
4917	        # Set the $lastdc to new dc.
4918	        lastdc="${dk2}=${dc2},$lastdc"
4919
4920		# Process next component.
4921		dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
4922		dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
4923		continue
4924
4925	    fi
4926
4927	    # Determine the objectclass for the entry.
4928            get_objectclass $dk2
4929	    OBJ_Name=${_ATTR_NAME}
4930	    if [ "${OBJ_Name}" = "" ]; then
4931	        ${ECHO} "Cannot determine objectclass for $dk2"
4932	        ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig"
4933	        exit 1
4934	    fi
4935
4936	    # Add the new container.
4937	    ( cat <<EOF
4938dn: ${dk2}=${dc2},$lastdc
4939${dk2}: $dc2
4940objectClass: top
4941objectClass: ${OBJ_Name}
4942EOF
4943) > ${TMPDIR}/base_objects
4944
4945
4946	    # Set the $lastdc to new dc.
4947	    lastdc="${dk2}=${dc2},$lastdc"
4948
4949	    # Add the entry.
4950	    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}"
4951	    if [ $? -ne 0 ]; then
4952		${ECHO} "  ERROR: update of base objects ${dc} failed."
4953		cleanup
4954		exit 1
4955	    fi
4956
4957	    # Display message that schema is updated.
4958	    ${ECHO} "  ${STEP}. Created DN component ${dc}."
4959	    STEP=`expr $STEP + 1`
4960
4961	    # Process next component.
4962	    dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
4963	    dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
4964	done
4965    fi
4966}
4967
4968
4969#
4970# add_new_containers(): Add the top level classes.
4971#
4972#    $1 = Base DN
4973#
4974add_new_containers()
4975{
4976    [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()"
4977
4978    for ou in people group rpc protocols networks netgroup \
4979	aliases hosts services ethers profile printers projects \
4980	SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do
4981
4982	# Check if nismaps already exist.
4983	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
4984	if [ $? -eq 0 ]; then
4985	    continue
4986	fi
4987
4988	# Create TMP file to add.
4989	( cat <<EOF
4990dn: ou=${ou},${LDAP_BASEDN}
4991ou: ${ou}
4992objectClass: top
4993objectClass: organizationalUnit
4994EOF
4995) > ${TMPDIR}/toplevel.${ou}
4996
4997	# Add the entry.
4998	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}"
4999	if [ $? -ne 0 ]; then
5000	    ${ECHO} "  ERROR: Add of ou=${ou} container failed!"
5001	    cleanup
5002	    exit 1
5003	fi
5004    done
5005
5006    # Display message that top level OU containers complete.
5007    ${ECHO} "  ${STEP}. Top level \"ou\" containers complete."
5008    STEP=`expr $STEP + 1`
5009}
5010
5011
5012#
5013# add_auto_maps(): Add the automount map entries.
5014#
5015# auto_home, auto_direct, auto_master, auto_shared
5016#
5017add_auto_maps()
5018{
5019    [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()"
5020
5021    # Set AUTO_MAPS for maps to create.
5022    AUTO_MAPS="auto_home auto_direct auto_master auto_shared"
5023
5024    for automap in $AUTO_MAPS; do
5025	# Check if automaps already exist.
5026	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
5027	if [ $? -eq 0 ]; then
5028	    continue
5029	fi
5030
5031	# Create the tmp file to add.
5032	( cat <<EOF
5033dn: automountMapName=${automap},${LDAP_BASEDN}
5034automountMapName: ${automap}
5035objectClass: top
5036objectClass: automountMap
5037EOF
5038) > ${TMPDIR}/automap.${automap}
5039
5040	# Add the entry.
5041	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}"
5042	if [ $? -ne 0 ]; then
5043	    ${ECHO} "  ERROR: Add of automap ${automap} failed!"
5044	    cleanup
5045	    exit 1
5046	fi
5047    done
5048
5049    # Display message that automount entries are updated.
5050    ${ECHO} "  ${STEP}. automount maps: $AUTO_MAPS processed."
5051    STEP=`expr $STEP + 1`
5052}
5053
5054
5055#
5056# add_proxyagent(): Add entry for nameservice to use to access server.
5057#
5058add_proxyagent()
5059{
5060    [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()"
5061
5062    # Check if proxy agent already exists.
5063    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}"
5064    if [ $? -eq 0 ]; then
5065	${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists."
5066	STEP=`expr $STEP + 1`
5067	return 0
5068    fi
5069
5070    # Get cn and sn names from LDAP_PROXYAGENT.
5071    cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=`
5072
5073    # Create the tmp file to add.
5074    ( cat <<EOF
5075dn: ${LDAP_PROXYAGENT}
5076cn: ${cn_tmp}
5077sn: ${cn_tmp}
5078objectclass: top
5079objectclass: person
5080userpassword: ${LDAP_PROXYAGENT_CRED}
5081EOF
5082) > ${TMPDIR}/proxyagent
5083
5084    # Add the entry.
5085    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}"
5086    if [ $? -ne 0 ]; then
5087	${ECHO} "  ERROR: Adding proxyagent failed!"
5088	cleanup
5089	exit 1
5090    fi
5091
5092    # Display message that schema is updated.
5093    ${ECHO} "  ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added."
5094    STEP=`expr $STEP + 1`
5095}
5096
5097#
5098# allow_proxy_read_pw(): Give Proxy Agent read permission for password.
5099#
5100allow_proxy_read_pw()
5101{
5102    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()"
5103
5104    # Search for ACI_NAME
5105    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5106    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1
5107    if [ $? -eq 0 ]; then
5108	${ECHO} "  ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}."
5109	STEP=`expr $STEP + 1`
5110	return 0
5111    fi
5112
5113    # Create the tmp file to add.
5114    ( cat <<EOF
5115dn: ${LDAP_BASEDN}
5116changetype: modify
5117add: aci
5118aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")
5119  (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search)
5120  userdn = "ldap:///${LDAP_PROXYAGENT}";)
5121EOF
5122) > ${TMPDIR}/proxy_read
5123
5124    # Add the entry.
5125    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}"
5126    if [ $? -ne 0 ]; then
5127	${ECHO} "  ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!"
5128	cleanup
5129	exit 1
5130    fi
5131
5132    # Display message that schema is updated.
5133    ${ECHO} "  ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password."
5134    STEP=`expr $STEP + 1`
5135}
5136
5137#  Delete Proxy Agent read permission for password.
5138delete_proxy_read_pw()
5139{
5140    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()"
5141
5142    # Search for ACI_NAME
5143    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5144    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \
5145	${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1
5146    if [ $? -ne 0 ]; then
5147	${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5148	return 0
5149    fi
5150
5151    # We need to remove proxy agent's read access to user passwords,
5152    # but We do not know the value of the ${LDAP_PROXYAGENT} here, so
5153    # 1. if only one match found, delete it
5154    # 2. if more than one matches found, ask the user which one to delete
5155    HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'`
5156    if [ $HOWMANY -eq 0 ]; then
5157	${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5158	return 0
5159    fi
5160    if [ $HOWMANY -eq 1 ];then
5161	proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci`
5162    else
5163	    ${CAT} << EOF
5164
5165Proxy agent is not allowed to read user passwords when shadow
5166update is enabled. There are more than one proxy agents found.
5167Please select the currently proxy agent being used, so that
5168idsconfig can remove its read access to user passwords.
5169
5170The proxy agents are:
5171
5172EOF
5173	    # generate the proxy agent list
5174    	    ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \
5175	    ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \
5176	    	${TMPDIR}/proxy_agent_list
5177
5178	    # print the proxy agent list
5179	    ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list
5180
5181	    # ask the user to pick one
5182	    _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): "
5183	    get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY"
5184	    _CH=$MN_CH
5185	    proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci`
5186    fi
5187
5188    # Create the tmp file to delete the ACI.
5189    ( cat <<EOF
5190dn: ${LDAP_BASEDN}
5191changetype: modify
5192delete: aci
5193aci: ${proxy_aci}
5194EOF
5195    ) > ${TMPDIR}/proxy_delete
5196
5197    # Delete the ACI
5198    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}"
5199    if [ $? -ne 0 ]; then
5200	${ECHO} "  ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!"
5201	cat ${TMPDIR}/proxy_delete
5202	cleanup
5203	exit 1
5204    fi
5205
5206    # Display message that ACI is updated.
5207    MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password."
5208    ${ECHO} " "
5209    ${ECHO} "  ACI REMOVED: $MSG"
5210    ${ECHO} "  The ACI removed is $proxy_aci"
5211    ${ECHO} " "
5212}
5213
5214#
5215# add_profile(): Add client profile to server.
5216#
5217add_profile()
5218{
5219    [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"
5220
5221    # If profile name already exists, DELETE it, and add new one.
5222    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
5223    if [ $? -eq 0 ]; then
5224	# Create Delete file.
5225	( cat <<EOF
5226cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
5227EOF
5228) > ${TMPDIR}/del_profile
5229
5230	# Check if DEL_OLD_PROFILE is set.  (If not ERROR)
5231	if [ $DEL_OLD_PROFILE -eq 0 ]; then
5232	    ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
5233	    exit 1
5234	fi
5235
5236	# Delete the OLD profile.
5237	${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
5238	if [ $? -ne 0 ]; then
5239	    ${ECHO} "  ERROR: Attempt to DELETE profile failed!"
5240	    cleanup
5241	    exit 1
5242	fi
5243    fi
5244
5245    # Build the "ldapclient genprofile" command string to execute.
5246    GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""
5247
5248    # Add required argument defaultSearchBase.
5249    GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""
5250
5251    # Add optional parameters.
5252    [ -n "$LDAP_SERVER_LIST" ] && \
5253	GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
5254    [ -n "$LDAP_SEARCH_SCOPE" ] && \
5255	GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
5256    [ -n "$LDAP_CRED_LEVEL" ] && \
5257	GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
5258    [ -n "$LDAP_AUTHMETHOD" ] && \
5259	GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
5260    [ -n "$LDAP_FOLLOWREF" ] && \
5261	GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
5262    [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
5263	GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
5264    [ -n "$LDAP_PROFILE_TTL" ] && \
5265	GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
5266    [ -n "$LDAP_BIND_LIMIT" ] && \
5267	GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
5268    [ -n "$LDAP_PREF_SRVLIST" ] && \
5269	GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
5270    [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
5271	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
5272    [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
5273	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
5274    [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
5275	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""
5276
5277    # Check if there are any service search descriptors to ad.
5278    if [ -s "${SSD_FILE}" ]; then
5279	ssd_2_profile
5280    fi
5281
5282    # Execute "ldapclient genprofile" to create profile.
5283    eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
5284    if [ $? -ne 0 ]; then
5285	${ECHO} "  ERROR: ldapclient genprofile failed!"
5286	cleanup
5287	exit 1
5288    fi
5289
5290    # Add the generated profile..
5291    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
5292    if [ $? -ne 0 ]; then
5293	${ECHO} "  ERROR: Attempt to add profile failed!"
5294	cleanup
5295	exit 1
5296    fi
5297
5298    # Display message that schema is updated.
5299    ${ECHO} "  ${STEP}. Generated client profile and loaded on server."
5300    STEP=`expr $STEP + 1`
5301}
5302
5303
5304#
5305# cleanup(): Remove the TMPDIR and all files in it.
5306#
5307cleanup()
5308{
5309    [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"
5310
5311    rm -fr ${TMPDIR}
5312}
5313
5314
5315#
5316# 			* * * MAIN * * *
5317#
5318# Description:
5319# This script assumes that the iPlanet Directory Server (iDS) is
5320# installed and that setup has been run.  This script takes the
5321# iDS server from that point and sets up the infrastructure for
5322# LDAP Naming Services.  After running this script, ldapaddent(1M)
5323# or some other tools can be used to populate data.
5324
5325# Initialize the variables that need to be set to NULL, or some
5326# other initial value before the rest of the functions can be called.
5327init
5328
5329# Parse command line arguments.
5330parse_arg $*
5331shift $?
5332
5333# Print extra line to separate from prompt.
5334${ECHO} " "
5335
5336# Either Load the user specified config file
5337# or prompt user for config info.
5338if [ -n "$INPUT_FILE" ]
5339then
5340    load_config_file
5341    INTERACTIVE=0      # Turns off prompts that occur later.
5342    validate_info      # Validate basic info in file.
5343    chk_ids_version    # Check iDS version for compatibility.
5344    gssapi_setup_auto
5345else
5346    # Display BACKUP warning to user.
5347    display_msg backup_server
5348    get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
5349    if [ $? -eq 0 ]; then    # if No, cleanup and exit.
5350	cleanup ; exit 1
5351    fi
5352
5353    # Prompt for values.
5354    prompt_config_info
5355    display_summary    # Allow user to modify results.
5356    INTERACTIVE=1      # Insures future prompting.
5357fi
5358
5359# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
5360modify_cn
5361
5362# Modify timelimit to user value.
5363[ $NEED_TIME -eq 1 ] && modify_timelimit
5364
5365# Modify sizelimit to user value.
5366[ $NEED_SIZE -eq 1 ] && modify_sizelimit
5367
5368# Modify the password storage scheme to support CRYPT.
5369if [ "$NEED_CRYPT" = "TRUE" ]; then
5370    modify_pwd_crypt
5371fi
5372
5373# Update the schema (Attributes, Objectclass Definitions)
5374if [ ${SCHEMA_UPDATED} -eq 0 ]; then
5375        update_schema_attr
5376        update_schema_obj
5377fi
5378
5379# Add suffix together with its root entry (if needed)
5380add_suffix ||
5381{
5382	cleanup
5383	exit 1
5384}
5385
5386# Add base objects (if needed)
5387add_base_objects
5388
5389# Update the NisDomainObject.
5390#   The Base DN might of just been created, so this MUST happen after
5391#   the base objects have been added!
5392set_nisdomain
5393
5394# Add top level classes (new containers)
5395add_new_containers
5396
5397# Add common nismaps.
5398add_auto_maps
5399
5400# Modify top ACI.
5401modify_top_aci
5402
5403# Add Access Control Information for VLV.
5404add_vlv_aci
5405
5406# if Proxy needed, Add Proxy Agent and give read permission for password.
5407if [ $NEED_PROXY -eq 1 ]; then
5408    add_proxyagent
5409    if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then
5410	allow_proxy_read_pw
5411    fi
5412fi
5413
5414# If admin needed for shadow update, Add the administrator identity and
5415# give read/write permission for shadow, and deny all others read/write
5416# access to it.
5417if [ $NEED_ADMIN -eq 1 ]; then
5418    add_admin
5419    allow_admin_read_write_shadow
5420    # deny non-admin access to shadow data
5421    deny_non_admin_shadow_access
5422fi
5423
5424# If use host principal for shadow update, give read/write permission for
5425# shadow, and deny all others' read/write access to it.
5426if [ $NEED_HOSTACL -eq 1 ]; then
5427    allow_host_read_write_shadow
5428    # deny non-host access to shadow data
5429    deny_non_host_shadow_access
5430fi
5431
5432
5433# Generate client profile and add it to the server.
5434add_profile
5435
5436# Add Indexes to improve Search Performance.
5437add_eq_indexes
5438add_sub_indexes
5439add_vlv_indexes
5440
5441# Display setup complete message
5442display_msg setup_complete
5443
5444# Display VLV index commands to be executed on server.
5445display_vlv_cmds
5446
5447# Create config file if requested.
5448[ -n "$OUTPUT_FILE" ] && create_config_file
5449
5450# Removed the TMPDIR and all files in it.
5451cleanup
5452
5453exit 0
5454# end of MAIN.
5455