957 return `expr $OPTIND - 1`
958 }
959
960
961 #
962 # init(): initializes variables and options
963 #
964 init()
965 {
966 # General variables.
967 PROG=`basename $0` # Program name
968 PID=$$ # Program ID
969 VERB='> /dev/null 2>&1' # NULL or "> /dev/null"
970 ECHO="/bin/echo" # print message on screen
971 EVAL="eval" # eval or echo
972 EGREP="/usr/bin/egrep"
973 GREP="/usr/bin/grep"
974 DEBUG=0 # Set Debug OFF
975 BACKUP=no_ldap # backup suffix
976 HOST="" # NULL or <hostname>
977 NAWK="/usr/bin/nawk"
978 RM="/usr/bin/rm"
979 WC="/usr/bin/wc"
980 CAT="/usr/bin/cat"
981 SED="/usr/bin/sed"
982 MV="/usr/bin/mv"
983
984 DOM="" # Set to NULL
985 # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
986 if [ -f /etc/resolv.conf ]; then
987 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
988 | awk '{ print $2 }' | tail -1`
989 fi
990
991 # If for any reason the DOM did not get set (error'd resolv.conf) set
992 # DOM to the domainname command's output.
993 if [ "$DOM" = "" ]; then
994 DOM=`domainname` # domain from domainname command.
995 fi
996
997 STEP=1
1407 done
1408 }
1409
1410 #
1411 # get_want_shadow_update(): Ask user if want to enable shadow update?
1412 #
1413 get_want_shadow_update()
1414 {
1415 MSG="Do you want to enable shadow update (y/n/h)?"
1416 get_confirm "$MSG" "n" "enable_shadow_update_help"
1417 if [ $? -eq 1 ]; then
1418 LDAP_ENABLE_SHADOW_UPDATE="TRUE"
1419 else
1420 LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1421 fi
1422 }
1423
1424 get_krb_realm() {
1425
1426 # To upper cases
1427 LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'`
1428 get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM"
1429 # To upper cases
1430 LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'`
1431 }
1432
1433 # $1: DN
1434 # $2: ldif file
1435 add_entry_by_DN() {
1436
1437 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}"
1438 if [ $? -eq 0 ]; then
1439 ${ECHO} " ${1} already exists"
1440 return 0
1441 else
1442 ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}"
1443 if [ $? -eq 0 ]; then
1444 ${ECHO} " ${1} is added"
1445 return 0
1446 else
1447 ${ECHO} " ERROR: failed to add ${1}"
1448 return 1
1449 fi
1450 fi
5046 }
5047
5048 # Delete Proxy Agent read permission for password.
5049 delete_proxy_read_pw()
5050 {
5051 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()"
5052
5053 # Search for ACI_NAME
5054 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5055 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \
5056 ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1
5057 if [ $? -ne 0 ]; then
5058 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5059 return 0
5060 fi
5061
5062 # We need to remove proxy agent's read access to user passwords,
5063 # but We do not know the value of the ${LDAP_PROXYAGENT} here, so
5064 # 1. if only one match found, delete it
5065 # 2. if more than one matches found, ask the user which one to delete
5066 HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'`
5067 if [ $HOWMANY -eq 0 ]; then
5068 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5069 return 0
5070 fi
5071 if [ $HOWMANY -eq 1 ];then
5072 proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci`
5073 else
5074 ${CAT} << EOF
5075
5076 Proxy agent is not allowed to read user passwords when shadow
5077 update is enabled. There are more than one proxy agents found.
5078 Please select the currently proxy agent being used, so that
5079 idsconfig can remove its read access to user passwords.
5080
5081 The proxy agents are:
5082
5083 EOF
5084 # generate the proxy agent list
5085 ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \
5086 ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \
5087 ${TMPDIR}/proxy_agent_list
5088
5089 # print the proxy agent list
5090 ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list
5091
5092 # ask the user to pick one
5093 _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): "
5094 get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY"
5095 _CH=$MN_CH
5096 proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci`
5097 fi
5098
5099 # Create the tmp file to delete the ACI.
5100 ( cat <<EOF
5101 dn: ${LDAP_BASEDN}
5102 changetype: modify
5103 delete: aci
5104 aci: ${proxy_aci}
5105 EOF
5106 ) > ${TMPDIR}/proxy_delete
5107
5108 # Delete the ACI
5109 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}"
5110 if [ $? -ne 0 ]; then
957 return `expr $OPTIND - 1`
958 }
959
960
961 #
962 # init(): initializes variables and options
963 #
964 init()
965 {
966 # General variables.
967 PROG=`basename $0` # Program name
968 PID=$$ # Program ID
969 VERB='> /dev/null 2>&1' # NULL or "> /dev/null"
970 ECHO="/bin/echo" # print message on screen
971 EVAL="eval" # eval or echo
972 EGREP="/usr/bin/egrep"
973 GREP="/usr/bin/grep"
974 DEBUG=0 # Set Debug OFF
975 BACKUP=no_ldap # backup suffix
976 HOST="" # NULL or <hostname>
977 AWK="/usr/xpg4/bin/awk"
978 RM="/usr/bin/rm"
979 WC="/usr/bin/wc"
980 CAT="/usr/bin/cat"
981 SED="/usr/bin/sed"
982 MV="/usr/bin/mv"
983
984 DOM="" # Set to NULL
985 # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
986 if [ -f /etc/resolv.conf ]; then
987 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
988 | awk '{ print $2 }' | tail -1`
989 fi
990
991 # If for any reason the DOM did not get set (error'd resolv.conf) set
992 # DOM to the domainname command's output.
993 if [ "$DOM" = "" ]; then
994 DOM=`domainname` # domain from domainname command.
995 fi
996
997 STEP=1
1407 done
1408 }
1409
1410 #
1411 # get_want_shadow_update(): Ask user if want to enable shadow update?
1412 #
1413 get_want_shadow_update()
1414 {
1415 MSG="Do you want to enable shadow update (y/n/h)?"
1416 get_confirm "$MSG" "n" "enable_shadow_update_help"
1417 if [ $? -eq 1 ]; then
1418 LDAP_ENABLE_SHADOW_UPDATE="TRUE"
1419 else
1420 LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1421 fi
1422 }
1423
1424 get_krb_realm() {
1425
1426 # To upper cases
1427 LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${AWK} '{ print toupper($0) }'`
1428 get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM"
1429 # To upper cases
1430 LDAP_KRB_REALM=`${ECHO} ${ANS} | ${AWK} '{ print toupper($0) }'`
1431 }
1432
1433 # $1: DN
1434 # $2: ldif file
1435 add_entry_by_DN() {
1436
1437 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}"
1438 if [ $? -eq 0 ]; then
1439 ${ECHO} " ${1} already exists"
1440 return 0
1441 else
1442 ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}"
1443 if [ $? -eq 0 ]; then
1444 ${ECHO} " ${1} is added"
1445 return 0
1446 else
1447 ${ECHO} " ERROR: failed to add ${1}"
1448 return 1
1449 fi
1450 fi
5046 }
5047
5048 # Delete Proxy Agent read permission for password.
5049 delete_proxy_read_pw()
5050 {
5051 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()"
5052
5053 # Search for ACI_NAME
5054 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5055 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \
5056 ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1
5057 if [ $? -ne 0 ]; then
5058 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5059 return 0
5060 fi
5061
5062 # We need to remove proxy agent's read access to user passwords,
5063 # but We do not know the value of the ${LDAP_PROXYAGENT} here, so
5064 # 1. if only one match found, delete it
5065 # 2. if more than one matches found, ask the user which one to delete
5066 HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${AWK} '{print $1}'`
5067 if [ $HOWMANY -eq 0 ]; then
5068 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5069 return 0
5070 fi
5071 if [ $HOWMANY -eq 1 ];then
5072 proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci`
5073 else
5074 ${CAT} << EOF
5075
5076 Proxy agent is not allowed to read user passwords when shadow
5077 update is enabled. There are more than one proxy agents found.
5078 Please select the currently proxy agent being used, so that
5079 idsconfig can remove its read access to user passwords.
5080
5081 The proxy agents are:
5082
5083 EOF
5084 # generate the proxy agent list
5085 ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \
5086 ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \
5087 ${TMPDIR}/proxy_agent_list
5088
5089 # print the proxy agent list
5090 ${AWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list
5091
5092 # ask the user to pick one
5093 _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): "
5094 get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY"
5095 _CH=$MN_CH
5096 proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci`
5097 fi
5098
5099 # Create the tmp file to delete the ACI.
5100 ( cat <<EOF
5101 dn: ${LDAP_BASEDN}
5102 changetype: modify
5103 delete: aci
5104 aci: ${proxy_aci}
5105 EOF
5106 ) > ${TMPDIR}/proxy_delete
5107
5108 # Delete the ACI
5109 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}"
5110 if [ $? -ne 0 ]; then