1 #!/bin/sh 2 # 3 # CDDL HEADER START 4 # 5 # The contents of this file are subject to the terms of the 6 # Common Development and Distribution License (the "License"). 7 # You may not use this file except in compliance with the License. 8 # 9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 # or http://www.opensolaris.org/os/licensing. 11 # See the License for the specific language governing permissions 12 # and limitations under the License. 13 # 14 # When distributing Covered Code, include this CDDL HEADER in each 15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 # If applicable, add the following below this CDDL HEADER, with the 17 # fields enclosed by brackets "[]" replaced with your own identifying 18 # information: Portions Copyright [yyyy] [name of copyright owner] 19 # 20 # CDDL HEADER END 21 # 22 # 23 # idsconfig -- script to setup iDS 5.x/6.x/7.x for Native LDAP II. 24 # 25 # Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. 26 # 27 28 # 29 # display_msg(): Displays message corresponding to the tag passed in. 30 # 31 display_msg() 32 { 33 case "$1" in 34 usage) cat <<EOF 35 $PROG: [ -v ] [ -i input file ] [ -o output file ] 36 i <input file> Get setup info from input file. 37 o <output file> Generate a server configuration output file. 38 v Verbose mode 39 EOF 40 ;; 41 backup_server) cat <<EOF 42 It is strongly recommended that you BACKUP the directory server 43 before running $PROG. 44 45 Hit Ctrl-C at any time before the final confirmation to exit. 46 47 EOF 48 ;; 49 setup_complete) cat <<EOF 50 51 $PROG: Setup of iDS server ${IDS_SERVER} is complete. 52 53 EOF 54 ;; 55 display_vlv_list) cat <<EOF 56 57 Note: idsconfig has created entries for VLV indexes. 58 59 For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER} 60 to stop the server. Then, using directoryserver, follow the 61 directoryserver examples below to create the actual VLV indexes. 62 63 For DS6.x or later, use dsadm command delivered with DS on ${IDS_SERVER} 64 to stop the server. Then, using dsadm, follow the 65 dsadm examples below to create the actual VLV indexes. 66 67 EOF 68 ;; 69 cred_level_menu) cat <<EOF 70 The following are the supported credential levels: 71 1 anonymous 72 2 proxy 73 3 proxy anonymous 74 4 self 75 EOF 76 ;; 77 auth_method_menu) cat <<EOF 78 The following are the supported Authentication Methods: 79 1 none 80 2 simple 81 3 sasl/DIGEST-MD5 82 4 tls:simple 83 5 tls:sasl/DIGEST-MD5 84 6 sasl/GSSAPI 85 EOF 86 ;; 87 srvauth_method_menu) cat <<EOF 88 The following are the supported Authentication Methods: 89 1 simple 90 2 sasl/DIGEST-MD5 91 3 tls:simple 92 4 tls:sasl/DIGEST-MD5 93 5 sasl/GSSAPI 94 EOF 95 ;; 96 prompt_ssd_menu) cat <<EOF 97 A Add a Service Search Descriptor 98 D Delete a SSD 99 M Modify a SSD 100 P Display all SSD's 101 H Help 102 X Clear all SSD's 103 104 Q Exit menu 105 EOF 106 ;; 107 summary_menu) 108 109 SUFFIX_INFO= 110 DB_INFO= 111 112 [ -n "${NEED_CREATE_SUFFIX}" ] && 113 { 114 SUFFIX_INFO=`cat <<EOF 115 116 Suffix to create : $LDAP_SUFFIX 117 EOF 118 ` 119 [ -n "${NEED_CREATE_BACKEND}" ] && 120 DB_INFO=`cat <<EOF 121 122 Database to create : $IDS_DATABASE 123 EOF 124 ` 125 } 126 127 cat <<EOF 128 Summary of Configuration 129 130 1 Domain to serve : $LDAP_DOMAIN 131 2 Base DN to setup : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO 132 3 Profile name to create : $LDAP_PROFILE_NAME 133 4 Default Server List : $LDAP_SERVER_LIST 134 5 Preferred Server List : $LDAP_PREF_SRVLIST 135 6 Default Search Scope : $LDAP_SEARCH_SCOPE 136 7 Credential Level : $LDAP_CRED_LEVEL 137 8 Authentication Method : $LDAP_AUTHMETHOD 138 9 Enable Follow Referrals : $LDAP_FOLLOWREF 139 10 iDS Time Limit : $IDS_TIMELIMIT 140 11 iDS Size Limit : $IDS_SIZELIMIT 141 12 Enable crypt password storage : $NEED_CRYPT 142 13 Service Auth Method pam_ldap : $LDAP_SRV_AUTHMETHOD_PAM 143 14 Service Auth Method keyserv : $LDAP_SRV_AUTHMETHOD_KEY 144 15 Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD 145 16 Search Time Limit : $LDAP_SEARCH_TIME_LIMIT 146 17 Profile Time to Live : $LDAP_PROFILE_TTL 147 18 Bind Limit : $LDAP_BIND_LIMIT 148 19 Enable shadow update : $LDAP_ENABLE_SHADOW_UPDATE 149 20 Service Search Descriptors Menu 150 151 EOF 152 ;; 153 sfx_not_suitable) cat <<EOF 154 155 Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN} 156 157 EOF 158 ;; 159 obj_not_found) cat <<EOF 160 161 Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute 162 163 EOF 164 ;; 165 sfx_config_incons) cat <<EOF 166 167 Sorry, there is no suffix mapping for ${LDAP_SUFFIX}, 168 while ldbm database exists, server configuration needs to be fixed manually, 169 look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config 170 171 EOF 172 ;; 173 ldbm_db_exist) cat <<EOF 174 175 Database "${IDS_DATABASE}" already exists, 176 however "${IDS_DATABASE_AVAIL}" name is available 177 178 EOF 179 ;; 180 unable_find_db_name) cat <<EOF 181 182 Unable to find any available database name close to "${IDS_DATABASE}" 183 184 EOF 185 ;; 186 create_ldbm_db_error) cat <<EOF 187 188 ERROR: unable to create suffix ${LDAP_SUFFIX} 189 due to server error that occurred during creation of ldbm database 190 191 EOF 192 ;; 193 create_suffix_entry_error) cat <<EOF 194 195 ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class 196 197 EOF 198 ;; 199 ldap_suffix_list) cat <<EOF 200 201 No valid suffixes (naming contexts) were found for LDAP base DN: 202 ${LDAP_BASEDN} 203 204 Available suffixes are: 205 ${LDAP_SUFFIX_LIST} 206 207 EOF 208 ;; 209 sorry) cat <<EOF 210 211 HELP - No help is available for this topic. 212 213 EOF 214 ;; 215 create_suffix_help) cat <<EOF 216 217 HELP - Our Base DN is ${LDAP_BASEDN} 218 and we need to create a Directory Suffix, 219 which can be equal to Base DN itself or be any of Base DN parents. 220 All intermediate entries up to suffix will be created on demand. 221 222 EOF 223 ;; 224 enter_ldbm_db_help) cat <<EOF 225 226 HELP - ldbm database is an internal database for storage of our suffix data. 227 Database name must be alphanumeric due to Directory Server restriction. 228 229 EOF 230 ;; 231 backup_help) cat <<EOF 232 233 HELP - Since idsconfig modifies the directory server configuration, 234 it is strongly recommended that you backup the server prior 235 to running this utility. This is especially true if the server 236 being configured is a production server. 237 238 EOF 239 ;; 240 port_help) cat <<EOF 241 242 HELP - Enter the port number the directory server is configured to 243 use for LDAP. 244 245 EOF 246 ;; 247 domain_help) cat <<EOF 248 249 HELP - This is the DNS domain name this server will be serving. You 250 must provide this name even if the server is not going to be populated 251 with hostnames. Any unqualified hostname stored in the directory 252 will be fully qualified using this DNS domain name. 253 254 EOF 255 ;; 256 basedn_help) cat <<EOF 257 258 HELP - This parameter defines the default location in the directory tree for 259 the naming services entries. You can override this default by using 260 serviceSearchDescriptors (SSD). You will be given the option to set up 261 an SSD later on in the setup. 262 263 EOF 264 ;; 265 profile_help) cat <<EOF 266 267 HELP - Name of the configuration profile with which the clients will be 268 configured. A directory server can store various profiles for multiple 269 groups of clients. The initialization tool, (ldapclient(1M)), assumes 270 "default" unless another is specified. 271 272 EOF 273 ;; 274 def_srvlist_help) cat <<EOF 275 276 HELP - Provide a list of directory servers to serve clients using this profile. 277 All these servers should contain consistent data and provide similar 278 functionality. This list is not ordered, and clients might change the 279 order given in this list. Note that this is a space separated list of 280 *IP addresses* (not host names). Providing port numbers is optional. 281 282 EOF 283 ;; 284 pref_srvlist_help) cat <<EOF 285 286 HELP - Provide a list of directory servers to serve this client profile. 287 Unlike the default server list, which is not ordered, the preferred 288 servers must be entered IN THE ORDER you wish to have them contacted. 289 If you do specify a preferred server list, clients will always contact 290 them before attempting to contact any of the servers on the default 291 server list. Note that you must enter the preferred server list as a 292 space-separated list of *IP addresses* (not host names). Providing port 293 numbers is optional. 294 295 EOF 296 ;; 297 srch_scope_help) cat <<EOF 298 299 HELP - Default search scope to be used for all searches unless they are 300 overwritten using serviceSearchDescriptors. The valid options 301 are "one", which would specify the search will only be performed 302 at the base DN for the given service, or "sub", which would specify 303 the search will be performed through *all* levels below the base DN 304 for the given service. 305 306 EOF 307 ;; 308 cred_lvl_help) cat <<EOF 309 310 HELP - This parameter defines what credentials the clients use to 311 authenticate to the directory server. This list might contain 312 multiple credential levels and is ordered. If a proxy level 313 is configured, you will also be prompted to enter a bind DN 314 for the proxy agent along with a password. This proxy agent 315 will be created if it does not exist. 316 317 EOF 318 ;; 319 auth_help) cat <<EOF 320 321 HELP - The default authentication method(s) to be used by all services 322 in the client using this profile. This is a ordered list of 323 authentication methods separated by a ';'. The supported methods 324 are provided in a menu. Note that sasl/DIGEST-MD5 binds require 325 passwords to be stored un-encrypted on the server. 326 327 EOF 328 ;; 329 srvauth_help) cat <<EOF 330 331 HELP - The authentication methods to be used by a given service. Currently 332 3 services support this feature: pam_ldap, keyserv, and passwd-cmd. 333 The authentication method specified in this attribute overrides 334 the default authentication method defined in the profile. This 335 feature can be used to select stronger authentication methods for 336 services which require increased security. 337 338 EOF 339 ;; 340 pam_ldap_help) cat <<EOF 341 342 HELP - The authentication method(s) to be used by pam_ldap when contacting 343 the directory server. This is a ordered list, and, if provided, will 344 override the default authentication method parameter. 345 346 EOF 347 ;; 348 keyserv_help) cat <<EOF 349 350 HELP - The authentication method(s) to be used by newkey(1M) and chkey(1) 351 when contacting the directory server. This is a ordered list and 352 if provided will override the default authentication method 353 parameter. 354 355 EOF 356 ;; 357 passwd-cmd_help) cat <<EOF 358 359 HELP - The authentication method(s) to be used by passwd(1) command when 360 contacting the directory server. This is a ordered list and if 361 provided will override the default authentication method parameter. 362 363 EOF 364 ;; 365 referrals_help) cat <<EOF 366 367 HELP - This parameter indicates whether the client should follow 368 ldap referrals if it encounters one during naming lookups. 369 370 EOF 371 ;; 372 tlim_help) cat <<EOF 373 374 HELP - The server time limit value indicates the maximum amount of time the 375 server would spend on a query from the client before abandoning it. 376 A value of '-1' indicates no limit. 377 378 EOF 379 ;; 380 slim_help) cat <<EOF 381 382 HELP - The server sizelimit value indicates the maximum number of entries 383 the server would return in respond to a query from the client. A 384 value of '-1' indicates no limit. 385 386 EOF 387 ;; 388 crypt_help) cat <<EOF 389 390 HELP - By default iDS does not store userPassword attribute values using 391 unix "crypt" format. If you need to keep your passwords in the crypt 392 format for NIS/NIS+ and pam_unix compatibility, choose 'yes'. If 393 passwords are stored using any other format than crypt, pam_ldap 394 MUST be used by clients to authenticate users to the system. Note 395 that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap, 396 user passwords must be stored in the clear format. 397 398 EOF 399 ;; 400 srchtime_help) cat <<EOF 401 402 HELP - The search time limit the client will enforce for directory 403 lookups. 404 405 EOF 406 ;; 407 profttl_help) cat <<EOF 408 409 HELP - The time to live value for profile. The client will refresh its 410 cached version of the configuration profile at this TTL interval. 411 412 EOF 413 ;; 414 bindlim_help) cat <<EOF 415 416 HELP - The time limit for the bind operation to the directory. This 417 value controls the responsiveness of the client in case a server 418 becomes unavailable. The smallest timeout value for a given 419 network architecture/conditions would work best. This is very 420 similar to setting TCP timeout, but only for LDAP bind operation. 421 422 EOF 423 ;; 424 ssd_help) cat <<EOF 425 426 HELP - Using Service Search Descriptors (SSD), you can override the 427 default configuration for a given service. The SSD can be 428 used to override the default search base DN, the default search 429 scope, and the default search filter to be used for directory 430 lookups. SSD are supported for all services (databases) 431 defined in nsswitch.conf(4). The default base DN is defined 432 in ldap(1). 433 434 Note: SSD are powerful tools in defining configuration profiles 435 and provide a great deal of flexibility. However, care 436 must be taken in creating them. If you decide to make use 437 of SSDs, consult the documentation first. 438 439 EOF 440 ;; 441 ssd_menu_help) cat <<EOF 442 443 HELP - Using this menu SSD can be added, updated, or deleted from 444 the profile. 445 446 A - This option creates a new SSD by prompting for the 447 service name, base DN, and scope. Service name is 448 any valid service as defined in ldap(1). base is 449 either the distinguished name to the container where 450 this service will use, or a relative DN followed 451 by a ','. 452 D - Delete a previously created SSD. 453 M - Modify a previously created SSD. 454 P - Display a list of all the previously created SSD. 455 X - Delete all of the previously created SSD. 456 457 Q - Exit the menu and continue with the server configuration. 458 459 EOF 460 ;; 461 ldap_suffix_list_help) cat <<EOF 462 463 HELP - No valid suffixes (naming contexts) are available on server 464 ${IDS_SERVER}:${IDS_PORT}. 465 You must set an LDAP Base DN that can be contained in 466 an existing suffix. 467 468 EOF 469 ;; 470 enable_shadow_update_help) cat <<EOF 471 472 HELP - Enter 'y' to set up the LDAP server for shadow update. 473 The setup will add an administrator identity/credential 474 and modify the necessary access controls for the client 475 to update shadow(4) data on the LDAP server. If sasl/GSSAPI 476 is in use, the Kerberos host principal will be used as the 477 administrator identity. 478 479 Shadow data is used for password aging and account locking. 480 Please refer to the shadow(4) manual page for details. 481 482 EOF 483 ;; 484 add_admin_cred_help) cat <<EOF 485 486 HELP - Start the setup to add an administrator identity/credential 487 and to modify access controls for the client to update 488 shadow(4) data on the LDAP server. 489 490 Shadow data is used for password aging and account locking. 491 Please refer to the shadow(4) manual page for details. 492 493 EOF 494 ;; 495 use_host_principal_help) cat <<EOF 496 497 HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self' 498 credential level is detected, enter 'y' to modify the necessary 499 access controls for allowing the client to update shadow(4) data 500 on the LDAP server. 501 502 Shadow data is used for password aging and account locking. 503 Please refer to the shadow(4) manual page for details. 504 505 EOF 506 ;; 507 esac 508 } 509 510 511 # 512 # get_ans(): gets an answer from the user. 513 # $1 instruction/comment/description/question 514 # $2 default value 515 # 516 get_ans() 517 { 518 if [ -z "$2" ] 519 then 520 ${ECHO} "$1 \c" 521 else 522 ${ECHO} "$1 [$2] \c" 523 fi 524 525 read ANS 526 if [ -z "$ANS" ] 527 then 528 ANS=$2 529 fi 530 } 531 532 533 # 534 # get_ans_req(): gets an answer (required) from the user, NULL value not allowed. 535 # $@ instruction/comment/description/question 536 # 537 get_ans_req() 538 { 539 ANS="" # Set ANS to NULL. 540 while [ "$ANS" = "" ] 541 do 542 get_ans "$@" 543 [ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!" 544 done 545 } 546 547 548 # 549 # get_number(): Querys and verifies that number entered is numeric. 550 # Function will repeat prompt user for number value. 551 # $1 Message text. 552 # $2 default value. 553 # $3 Help argument. 554 # 555 get_number() 556 { 557 ANS="" # Set ANS to NULL. 558 NUM="" 559 560 get_ans "$1" "$2" 561 562 # Verify that value is numeric. 563 while not_numeric $ANS 564 do 565 case "$ANS" in 566 [Hh] | help | Help | \?) display_msg ${3:-sorry} ;; 567 * ) ${ECHO} "Invalid value: \"${ANS}\". \c" 568 ;; 569 esac 570 # Get a new value. 571 get_ans "Enter a numeric value:" "$2" 572 done 573 NUM=$ANS 574 } 575 576 577 # 578 # get_negone_num(): Only allows a -1 or positive integer. 579 # Used for values where -1 has special meaning. 580 # 581 # $1 - Prompt message. 582 # $2 - Default value (require). 583 # $3 - Optional help argument. 584 get_negone_num() 585 { 586 while : 587 do 588 get_number "$1" "$2" "$3" 589 if is_negative $ANS 590 then 591 if [ "$ANS" = "-1" ]; then 592 break # -1 is OK, so break. 593 else # Need to re-enter number. 594 ${ECHO} "Invalid number: please enter -1 or positive number." 595 fi 596 else 597 break # Positive number 598 fi 599 done 600 } 601 602 603 # 604 # get_passwd(): Reads a password from the user and verify with second. 605 # $@ instruction/comment/description/question 606 # 607 get_passwd() 608 { 609 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()" 610 611 # Temporary PASSWD variables 612 _PASS1="" 613 _PASS2="" 614 615 /usr/bin/stty -echo # Turn echo OFF 616 617 # Endless loop that continues until passwd and re-entered passwd 618 # match. 619 while : 620 do 621 ANS="" # Set ANS to NULL. 622 623 # Don't allow NULL for first try. 624 while [ "$ANS" = "" ] 625 do 626 get_ans "$@" 627 [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!" 628 done 629 _PASS1=$ANS # Store first try. 630 631 # Get second try. 632 ${ECHO} "" 633 get_ans "Re-enter passwd:" 634 _PASS2=$ANS 635 636 # Test if passwords are identical. 637 if [ "$_PASS1" = "$_PASS2" ]; then 638 break 639 fi 640 641 # Move cursor down to next line and print ERROR message. 642 ${ECHO} "" 643 ${ECHO} "ERROR: passwords don't match; try again." 644 done 645 646 /usr/bin/stty echo # Turn echo ON 647 648 ${ECHO} "" 649 } 650 651 652 # 653 # get_passwd_nochk(): Reads a password from the user w/o check. 654 # $@ instruction/comment/description/question 655 # 656 get_passwd_nochk() 657 { 658 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()" 659 660 /usr/bin/stty -echo # Turn echo OFF 661 662 get_ans "$@" 663 664 /usr/bin/stty echo # Turn echo ON 665 666 ${ECHO} "" 667 } 668 669 670 # 671 # get_menu_choice(): Get a menu choice from user. Continue prompting 672 # till the choice is in required range. 673 # $1 .. Message text. 674 # $2 .. min value 675 # $3 .. max value 676 # $4 .. OPTIONAL: default value 677 # 678 # Return value: 679 # MN_CH will contain the value selected. 680 # 681 get_menu_choice() 682 { 683 # Check for req parameter. 684 if [ $# -lt 3 ]; then 685 ${ECHO} "get_menu_choice(): Did not get required parameters." 686 return 1 687 fi 688 689 while : 690 do 691 get_ans "$1" "$4" 692 MN_CH=$ANS 693 is_negative $MN_CH 694 if [ $? -eq 1 ]; then 695 if [ $MN_CH -ge $2 ]; then 696 if [ $MN_CH -le $3 ]; then 697 return 698 fi 699 fi 700 fi 701 ${ECHO} "Invalid choice: $MN_CH" 702 done 703 } 704 705 706 # 707 # get_confirm(): Get confirmation from the user. (Y/Yes or N/No) 708 # $1 - Message 709 # $2 - default value. 710 # 711 get_confirm() 712 { 713 _ANSWER= 714 715 while : 716 do 717 # Display Internal ERROR if $2 not set. 718 if [ -z "$2" ] 719 then 720 ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional." 721 exit 2 722 fi 723 724 # Display prompt. 725 ${ECHO} "$1 [$2] \c" 726 727 # Get the ANSWER. 728 read _ANSWER 729 if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then 730 _ANSWER=$2 731 fi 732 case "$_ANSWER" in 733 [Yy] | yes | Yes | YES) return 1 ;; 734 [Nn] | no | No | NO) return 0 ;; 735 [Hh] | help | Help | \?) display_msg ${3:-sorry};; 736 * ) ${ECHO} "Please enter y or n." ;; 737 esac 738 done 739 } 740 741 742 # 743 # get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No) 744 # No default value supported. 745 # 746 get_confirm_nodef() 747 { 748 _ANSWER= 749 750 while : 751 do 752 ${ECHO} "$@ \c" 753 read _ANSWER 754 case "$_ANSWER" in 755 [Yy] | yes | Yes | YES) return 1 ;; 756 [Nn] | no | No | NO) return 0 ;; 757 * ) ${ECHO} "Please enter y or n." ;; 758 esac 759 done 760 } 761 762 763 # 764 # is_numeric(): Tells is a string is numeric. 765 # 0 = Numeric 766 # 1 = NOT Numeric 767 # 768 is_numeric() 769 { 770 # Check for parameter. 771 if [ $# -ne 1 ]; then 772 return 1 773 fi 774 775 # Determine if numeric. 776 expr "$1" + 1 > /dev/null 2>&1 777 if [ $? -ge 2 ]; then 778 return 1 779 fi 780 781 # Made it here, it's Numeric. 782 return 0 783 } 784 785 786 # 787 # not_numeric(): Reverses the return values of is_numeric. Useful 788 # for if and while statements that want to test for 789 # non-numeric data. 790 # 0 = NOT Numeric 791 # 1 = Numeric 792 # 793 not_numeric() 794 { 795 is_numeric $1 796 if [ $? -eq 0 ]; then 797 return 1 798 else 799 return 0 800 fi 801 } 802 803 804 # 805 # is_negative(): Tells is a Numeric value is less than zero. 806 # 0 = Negative Numeric 807 # 1 = Positive Numeric 808 # 2 = NOT Numeric 809 # 810 is_negative() 811 { 812 # Check for parameter. 813 if [ $# -ne 1 ]; then 814 return 1 815 fi 816 817 # Determine if numeric. Can't use expr because -0 is 818 # considered positive?? 819 if is_numeric $1; then 820 case "$1" in 821 -*) return 0 ;; # Negative Numeric 822 *) return 1 ;; # Positive Numeric 823 esac 824 else 825 return 2 826 fi 827 } 828 829 830 # 831 # check_domainname(): check validity of a domain name. Currently we check 832 # that it has at least two components. 833 # $1 the domain name to be checked 834 # 835 check_domainname() 836 { 837 if [ ! -z "$1" ] 838 then 839 t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'` 840 if [ "$t" = 0 ] 841 then 842 return 1 843 fi 844 fi 845 return 0 846 } 847 848 849 # 850 # check_baseDN(): check validity of the baseDN name. 851 # $1 the baseDN name to be checked 852 # 853 # NOTE: The check_baseDN function does not catch all invalid DN's. 854 # Its purpose is to reduce the number of invalid DN's to 855 # get past the input routine. The invalid DN's will be 856 # caught by the LDAP server when they are attempted to be 857 # created. 858 # 859 check_baseDN() 860 { 861 ck_DN=$1 862 ${ECHO} " Checking LDAP Base DN ..." 863 if [ ! -z "$ck_DN" ]; then 864 [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN" 865 # Check for = (assignment operator) 866 ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1 867 if [ $? -ne 0 ]; then 868 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN." 869 return 1 870 fi 871 872 # Check all keys. 873 while : 874 do 875 # Get first key. 876 dkey=`${ECHO} $ck_DN | cut -d'=' -f1` 877 878 # Check that the key string is valid 879 check_attrName $dkey 880 if [ $? -ne 0 ]; then 881 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}" 882 return 1 883 fi 884 885 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}" 886 887 # Remove first key from DN 888 ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-` 889 890 # Break loop if nothing left. 891 if [ "$ck_DN" = "" ]; then 892 break 893 fi 894 done 895 fi 896 return 0 897 } 898 899 900 # 901 # domain_2_dc(): Convert a domain name into dc string. 902 # $1 .. Domain name. 903 # 904 domain_2_dc() 905 { 906 _DOM=$1 # Domain parameter. 907 _DOM_2_DC="" # Return value from function. 908 _FIRST=1 # Flag for first time. 909 910 export _DOM_2_DC # Make visible for others. 911 912 # Convert "."'s to spaces for "for" loop. 913 domtmp="`${ECHO} ${_DOM} | tr '.' ' '`" 914 for i in $domtmp; do 915 if [ $_FIRST -eq 1 ]; then 916 _DOM_2_DC="dc=${i}" 917 _FIRST=0 918 else 919 _DOM_2_DC="${_DOM_2_DC},dc=${i}" 920 fi 921 done 922 } 923 924 925 # 926 # is_root_user(): Check to see if logged in as root user. 927 # 928 is_root_user() 929 { 930 case `id` in 931 uid=0\(root\)*) return 0 ;; 932 * ) return 1 ;; 933 esac 934 } 935 936 937 # 938 # parse_arg(): Parses the command line arguments and sets the 939 # appropriate variables. 940 # 941 parse_arg() 942 { 943 while getopts "dvhi:o:" ARG 944 do 945 case $ARG in 946 d) DEBUG=1;; 947 v) VERB="";; 948 i) INPUT_FILE=$OPTARG;; 949 o) OUTPUT_FILE=$OPTARG;; 950 \?) display_msg usage 951 exit 1;; 952 *) ${ECHO} "**ERROR: Supported option missing handler!" 953 display_msg usage 954 exit 1;; 955 esac 956 done 957 return `expr $OPTIND - 1` 958 } 959 960 961 # 962 # init(): initializes variables and options 963 # 964 init() 965 { 966 # General variables. 967 PROG=`basename $0` # Program name 968 PID=$$ # Program ID 969 VERB='> /dev/null 2>&1' # NULL or "> /dev/null" 970 ECHO="/bin/echo" # print message on screen 971 EVAL="eval" # eval or echo 972 EGREP="/usr/bin/egrep" 973 GREP="/usr/bin/grep" 974 DEBUG=0 # Set Debug OFF 975 BACKUP=no_ldap # backup suffix 976 HOST="" # NULL or <hostname> 977 AWK="/usr/xpg4/bin/awk" 978 RM="/usr/bin/rm" 979 WC="/usr/bin/wc" 980 CAT="/usr/bin/cat" 981 SED="/usr/bin/sed" 982 MV="/usr/bin/mv" 983 984 DOM="" # Set to NULL 985 # If DNS domain (resolv.conf) exists use that, otherwise use domainname. 986 if [ -f /etc/resolv.conf ]; then 987 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \ 988 | awk '{ print $2 }' | tail -1` 989 fi 990 991 # If for any reason the DOM did not get set (error'd resolv.conf) set 992 # DOM to the domainname command's output. 993 if [ "$DOM" = "" ]; then 994 DOM=`domainname` # domain from domainname command. 995 fi 996 997 STEP=1 998 INTERACTIVE=1 # 0 = on, 1 = off (For input file mode) 999 DEL_OLD_PROFILE=0 # 0 (default), 1 = delete old profile. 1000 1001 # idsconfig specific variables. 1002 INPUT_FILE="" 1003 OUTPUT_FILE="" 1004 LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1005 NEED_PROXY=0 # 0 = No Proxy, 1 = Create Proxy. 1006 NEED_ADMIN=0 # 0 = No Admin, 1 = Create Admin. 1007 NEED_HOSTACL=0 # 0 = No Host ACL, 1 = Create Host ACL. 1008 EXISTING_PROFILE=0 1009 LDAP_PROXYAGENT="" 1010 LDAP_ADMINDN="" 1011 LDAP_SUFFIX="" 1012 LDAP_DOMAIN=$DOM # domainname on Server (default value) 1013 GEN_CMD="" 1014 PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read" 1015 1016 # LDAP COMMANDS 1017 LDAPSEARCH="/bin/ldapsearch -r" 1018 LDAPMODIFY=/bin/ldapmodify 1019 LDAPADD=/bin/ldapadd 1020 LDAPDELETE=/bin/ldapdelete 1021 LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile 1022 1023 # iDS specific information 1024 IDS_SERVER="" 1025 IDS_PORT=389 1026 NEED_TIME=0 1027 NEED_SIZE=0 1028 NEED_SRVAUTH_PAM=0 1029 NEED_SRVAUTH_KEY=0 1030 NEED_SRVAUTH_CMD=0 1031 IDS_TIMELIMIT="" 1032 IDS_SIZELIMIT="" 1033 1034 # LDAP PROFILE related defaults 1035 LDAP_ROOTDN="cn=Directory Manager" # Provide common default. 1036 LDAP_ROOTPWD="" # NULL passwd as default (i.e. invalid) 1037 LDAP_PROFILE_NAME="default" 1038 LDAP_BASEDN="" 1039 LDAP_SERVER_LIST="" 1040 LDAP_AUTHMETHOD="" 1041 LDAP_FOLLOWREF="FALSE" 1042 NEED_CRYPT="" 1043 LDAP_SEARCH_SCOPE="one" 1044 LDAP_SRV_AUTHMETHOD_PAM="" 1045 LDAP_SRV_AUTHMETHOD_KEY="" 1046 LDAP_SRV_AUTHMETHOD_CMD="" 1047 LDAP_SEARCH_TIME_LIMIT=30 1048 LDAP_PREF_SRVLIST="" 1049 LDAP_PROFILE_TTL=43200 1050 LDAP_CRED_LEVEL="proxy" 1051 LDAP_BIND_LIMIT=10 1052 1053 # Prevent new files from being read by group or others. 1054 umask 077 1055 1056 # Service Search Descriptors 1057 LDAP_SERV_SRCH_DES="" 1058 1059 # Set and create TMPDIR. 1060 TMPDIR="/tmp/idsconfig.${PID}" 1061 if mkdir -m 700 ${TMPDIR} 1062 then 1063 # Cleanup on exit. 1064 trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15 1065 else 1066 echo "ERROR: unable to create a safe temporary directory." 1067 exit 1 1068 fi 1069 LDAP_ROOTPWF=${TMPDIR}/rootPWD 1070 1071 # Set the SSD file name after setting TMPDIR. 1072 SSD_FILE=${TMPDIR}/ssd_list 1073 1074 # GSSAPI setup 1075 GSSAPI_ENABLE=0 1076 LDAP_KRB_REALM="" 1077 SCHEMA_UPDATED=0 1078 1079 export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR 1080 export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST 1081 export LDAP_BASEDN LDAP_ROOTPWF 1082 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 1083 export NEED_PROXY 1084 export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED 1085 export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE 1086 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 1087 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 1088 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 1089 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 1090 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 1091 export LDAP_SERV_SRCH_DES SSD_FILE 1092 export GEN_CMD GSSAPI_ENABLE LDAP_KRB_REALM SCHEMA_UPDATED 1093 } 1094 1095 1096 # 1097 # disp_full_debug(): List of all debug variables usually interested in. 1098 # Grouped to avoid MASSIVE code duplication. 1099 # 1100 disp_full_debug() 1101 { 1102 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SERVER = $IDS_SERVER" 1103 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_PORT = $IDS_PORT" 1104 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN" 1105 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD" 1106 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN" 1107 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX" 1108 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN" 1109 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME" 1110 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST" 1111 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST" 1112 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE" 1113 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL" 1114 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD" 1115 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF" 1116 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT" 1117 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT" 1118 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_CRYPT = $NEED_CRYPT" 1119 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM" 1120 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY" 1121 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD" 1122 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM" 1123 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY" 1124 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD" 1125 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT" 1126 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL" 1127 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT" 1128 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE" 1129 1130 # Only display proxy stuff if needed. 1131 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_PROXY = $NEED_PROXY" 1132 if [ $NEED_PROXY -eq 1 ]; then 1133 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT" 1134 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED" 1135 fi 1136 1137 # Only display admin credential if needed. 1138 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_ADMIN = $NEED_ADMIN" 1139 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_HOSTACL = $NEED_HOSTACL" 1140 if [ $NEED_ADMIN -eq 1 ]; then 1141 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMINDN = $LDAP_ADMINDN" 1142 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" 1143 fi 1144 1145 # Service Search Descriptors are a special case. 1146 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES" 1147 } 1148 1149 1150 # 1151 # load_config_file(): Loads the config file. 1152 # 1153 load_config_file() 1154 { 1155 [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()" 1156 1157 # Remove SSD lines from input file before sourcing. 1158 # The SSD lines must be removed because some forms of the 1159 # data could cause SHELL errors. 1160 ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD 1161 1162 # Source the input file. 1163 . ${TMPDIR}/inputfile.noSSD 1164 1165 # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older 1166 # config files use LDAP_TREETOP 1167 LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}" 1168 1169 # Save password to temporary file. 1170 save_password 1171 1172 # Create the SSD file. 1173 create_ssd_file 1174 1175 # Display FULL debugging info. 1176 disp_full_debug 1177 } 1178 1179 # 1180 # save_password(): Save password to temporary file. 1181 # 1182 save_password() 1183 { 1184 cat > ${LDAP_ROOTPWF} <<EOF 1185 ${LDAP_ROOTPWD} 1186 EOF 1187 } 1188 1189 ###################################################################### 1190 # FUNCTIONS FOR prompt_config_info() START HERE. 1191 ###################################################################### 1192 1193 # 1194 # get_ids_server(): Prompt for iDS server name. 1195 # 1196 get_ids_server() 1197 { 1198 while : 1199 do 1200 # Prompt for server name. 1201 get_ans "Enter the JES Directory Server's hostname to setup:" "$IDS_SERVER" 1202 IDS_SERVER="$ANS" 1203 1204 # Ping server to see if live. If valid break out of loop. 1205 ping $IDS_SERVER > /dev/null 2>&1 1206 if [ $? -eq 0 ]; then 1207 break 1208 fi 1209 1210 # Invalid server, enter a new name. 1211 ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable." 1212 IDS_SERVER="" 1213 done 1214 1215 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1216 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1217 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1218 export SERVER_ARGS 1219 1220 } 1221 1222 # 1223 # get_ids_port(): Prompt for iDS port number. 1224 # 1225 get_ids_port() 1226 { 1227 # Get a valid iDS port number. 1228 while : 1229 do 1230 # Enter port number. 1231 get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help" 1232 IDS_PORT=$ANS 1233 # Do a simple search to check hostname and port number. 1234 # If search returns SUCCESS, break out, host and port must 1235 # be valid. 1236 ${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1 1237 if [ $? -eq 0 ]; then 1238 break 1239 fi 1240 1241 # Invalid host/port pair, Re-enter. 1242 ${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!" 1243 get_ids_server 1244 done 1245 1246 # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 1247 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 1248 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1249 export SERVER_ARGS 1250 } 1251 1252 1253 # 1254 # chk_ids_version(): Read the slapd config file and set variables 1255 # 1256 chk_ids_version() 1257 { 1258 [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()" 1259 1260 # check iDS version number. 1261 eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1" 1262 if [ $? -ne 0 ]; then 1263 ${ECHO} "ERROR: Can not determine the version number of iDS!" 1264 exit 1 1265 fi 1266 IDS_VER=`cat ${TMPDIR}/checkDSver` 1267 IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.` 1268 IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.` 1269 case "${IDS_MAJVER}" in 1270 5|6|7) : ;; 1271 *) ${ECHO} "ERROR: $PROG only works with JES DS version 5.x, 6.x or 7.x, not ${IDS_VER}."; exit 1;; 1272 esac 1273 1274 if [ $DEBUG -eq 1 ]; then 1275 ${ECHO} " IDS_MAJVER = $IDS_MAJVER" 1276 ${ECHO} " IDS_MINVER = $IDS_MINVER" 1277 fi 1278 } 1279 1280 1281 # 1282 # get_dirmgr_dn(): Get the directory manger DN. 1283 # 1284 get_dirmgr_dn() 1285 { 1286 get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN" 1287 LDAP_ROOTDN=$ANS 1288 1289 # Update ENV variables using DN. 1290 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1291 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1292 export AUTH_ARGS LDAP_ARGS 1293 } 1294 1295 1296 # 1297 # get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf) 1298 # 1299 get_dirmgr_pw() 1300 { 1301 while : 1302 do 1303 # Get passwd. 1304 get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :" 1305 LDAP_ROOTPWD=$ANS 1306 1307 # Store password in file. 1308 save_password 1309 1310 # Update ENV variables using DN's PW. 1311 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 1312 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 1313 export AUTH_ARGS LDAP_ARGS 1314 1315 # Verify that ROOTDN and ROOTPWD are valid. 1316 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 1317 if [ $? -ne 0 ]; then 1318 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 1319 if [ $? -eq 0 ]; then 1320 ${ECHO} "ERROR: Root DN passwd is invalid." 1321 else 1322 ${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>." 1323 get_dirmgr_dn 1324 fi 1325 else 1326 break # Both are valid. 1327 fi 1328 done 1329 1330 1331 } 1332 1333 1334 # 1335 # get_domain(): Get the Domain that will be served by the LDAP server. 1336 # $1 - Help argument. 1337 # 1338 get_domain() 1339 { 1340 # Use LDAP_DOMAIN as default. 1341 get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN 1342 1343 # Check domainname, and have user re-enter if not valid. 1344 check_domainname $ANS 1345 while [ $? -ne 0 ] 1346 do 1347 case "$ANS" in 1348 [Hh] | help | Help | \?) display_msg ${1:-sorry} ;; 1349 * ) ${ECHO} "Invalid domainname: \"${ANS}\"." 1350 ;; 1351 esac 1352 get_ans "Enter domainname to be served (h=help):" $DOM 1353 1354 check_domainname $ANS 1355 done 1356 1357 # Set the domainname to valid name. 1358 LDAP_DOMAIN=$ANS 1359 } 1360 1361 1362 # 1363 # get_basedn(): Query for the Base DN. 1364 # 1365 get_basedn() 1366 { 1367 # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default. 1368 # Then call get_basedn(). This method remakes the default 1369 # each time just in case the domain changed. 1370 domain_2_dc $LDAP_DOMAIN 1371 LDAP_BASEDN=$_DOM_2_DC 1372 1373 # Get Base DN. 1374 while : 1375 do 1376 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1377 check_baseDN "$ANS" 1378 while [ $? -ne 0 ] 1379 do 1380 case "$ANS" in 1381 [Hh] | help | Help | \?) display_msg basedn_help ;; 1382 * ) ${ECHO} "Invalid base DN: \"${ANS}\"." 1383 ;; 1384 esac 1385 1386 # Re-Enter the BaseDN 1387 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 1388 check_baseDN "$ANS" 1389 done 1390 1391 # Set base DN and check its suffix 1392 LDAP_BASEDN=${ANS} 1393 check_basedn_suffix || 1394 { 1395 cleanup 1396 exit 1 1397 } 1398 1399 # suffix may need to be created, in that case get suffix from user 1400 [ -n "${NEED_CREATE_SUFFIX}" ] && 1401 { 1402 get_suffix || continue 1403 } 1404 1405 # suffix is ok, break out of the base dn inquire loop 1406 break 1407 done 1408 } 1409 1410 # 1411 # get_want_shadow_update(): Ask user if want to enable shadow update? 1412 # 1413 get_want_shadow_update() 1414 { 1415 MSG="Do you want to enable shadow update (y/n/h)?" 1416 get_confirm "$MSG" "n" "enable_shadow_update_help" 1417 if [ $? -eq 1 ]; then 1418 LDAP_ENABLE_SHADOW_UPDATE="TRUE" 1419 else 1420 LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1421 fi 1422 } 1423 1424 get_krb_realm() { 1425 1426 # To upper cases 1427 LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${AWK} '{ print toupper($0) }'` 1428 get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM" 1429 # To upper cases 1430 LDAP_KRB_REALM=`${ECHO} ${ANS} | ${AWK} '{ print toupper($0) }'` 1431 } 1432 1433 # $1: DN 1434 # $2: ldif file 1435 add_entry_by_DN() { 1436 1437 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}" 1438 if [ $? -eq 0 ]; then 1439 ${ECHO} " ${1} already exists" 1440 return 0 1441 else 1442 ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}" 1443 if [ $? -eq 0 ]; then 1444 ${ECHO} " ${1} is added" 1445 return 0 1446 else 1447 ${ECHO} " ERROR: failed to add ${1}" 1448 return 1 1449 fi 1450 fi 1451 1452 } 1453 # 1454 # Kerberos princiapl to DN mapping rules 1455 # 1456 # Add rules for host credentails and user credentials 1457 # 1458 add_id_mapping_rules() { 1459 1460 ${ECHO} " Adding Kerberos principal to DN mapping rules..." 1461 1462 _C_DN="cn=GSSAPI,cn=identity mapping,cn=config" 1463 ( cat << EOF 1464 dn: cn=GSSAPI,cn=identity mapping,cn=config 1465 objectClass: top 1466 objectClass: nsContainer 1467 cn: GSSAPI 1468 EOF 1469 ) > ${TMPDIR}/GSSAPI_container.ldif 1470 1471 add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif" 1472 if [ $? -ne 0 ]; 1473 then 1474 ${RM} ${TMPDIR}/GSSAPI_container.ldif 1475 return 1476 fi 1477 1478 _H_CN="host_auth_${LDAP_KRB_REALM}" 1479 _H_DN="cn=${_H_CN}, ${_C_DN}" 1480 ( cat << EOF 1481 dn: ${_H_DN} 1482 objectClass: top 1483 objectClass: nsContainer 1484 objectClass: dsIdentityMapping 1485 objectClass: dsPatternMatching 1486 cn: ${_H_CN} 1487 dsMatching-pattern: \${Principal} 1488 dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM} 1489 dsSearchBaseDN: ou=hosts,${LDAP_BASEDN} 1490 dsSearchFilter: (&(objectClass=ipHost)(cn=\$1)) 1491 dsSearchScope: one 1492 1493 EOF 1494 ) > ${TMPDIR}/${_H_CN}.ldif 1495 1496 add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif" 1497 1498 _U_CN="user_auth_${LDAP_KRB_REALM}" 1499 _U_DN="cn=${_U_CN}, ${_C_DN}" 1500 ( cat << EOF 1501 dn: ${_U_DN} 1502 objectClass: top 1503 objectClass: nsContainer 1504 objectClass: dsIdentityMapping 1505 objectClass: dsPatternMatching 1506 cn: ${_U_CN} 1507 dsMatching-pattern: \${Principal} 1508 dsMatching-regexp: (.*)@${LDAP_KRB_REALM} 1509 dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN} 1510 1511 EOF 1512 ) > ${TMPDIR}/${_U_CN}.ldif 1513 1514 add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif" 1515 1516 } 1517 1518 1519 # 1520 # Modify ACL to allow root to read all the password and only self can read 1521 # its own password when sasl/GSSAPI bind is used 1522 # 1523 modify_userpassword_acl_for_gssapi() { 1524 1525 _P_DN="ou=People,${LDAP_BASEDN}" 1526 _H_DN="ou=Hosts,${LDAP_BASEDN}" 1527 _P_ACI="self-read-pwd" 1528 1529 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1" 1530 if [ $? -ne 0 ]; then 1531 ${ECHO} " ${_P_DN} does not exist" 1532 # Not Found. Create a new entry 1533 ( cat << EOF 1534 dn: ${_P_DN} 1535 ou: People 1536 objectClass: top 1537 objectClass: organizationalUnit 1538 EOF 1539 ) > ${TMPDIR}/gssapi_people.ldif 1540 1541 add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif" 1542 else 1543 ${ECHO} " ${_P_DN} already exists" 1544 fi 1545 1546 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1" 1547 1548 if [ $? -eq 0 ]; then 1549 ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1" 1550 if [ $? -eq 0 ]; then 1551 ${ECHO} " userpassword ACL ${_P_ACI} already exists." 1552 return 1553 else 1554 ${ECHO} " userpassword ACL ${_P_ACI} not found. Create a new one." 1555 fi 1556 else 1557 ${ECHO} " Error searching aci for ${_P_DN}" 1558 cat ${TMPDIR}/chk_gssapi_aci 1559 cleanup 1560 exit 1 1561 fi 1562 ( cat << EOF 1563 dn: ${_P_DN} 1564 changetype: modify 1565 add: aci 1566 aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";) 1567 - 1568 add: aci 1569 aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";) 1570 EOF 1571 ) > ${TMPDIR}/user_gssapi.ldif 1572 LDAP_TYPE_OR_VALUE_EXISTS=20 1573 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}" 1574 1575 case $? in 1576 0) 1577 ${ECHO} " ${_P_DN} uaserpassword ACL is updated." 1578 ;; 1579 20) 1580 ${ECHO} " ${_P_DN} uaserpassword ACL already exists." 1581 ;; 1582 *) 1583 ${ECHO} " ERROR: update of userpassword ACL for ${_P_DN} failed!" 1584 cleanup 1585 exit 1 1586 ;; 1587 esac 1588 } 1589 # 1590 # $1: objectclass or attributetyp 1591 # $2: name 1592 search_update_schema() { 1593 1594 ATTR="${1}es" 1595 1596 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}" 1597 if [ $? -ne 0 ]; then 1598 ${ECHO} "${1} ${2} does not exist." 1599 update_schema_attr 1600 update_schema_obj 1601 SCHEMA_UPDATED=1 1602 else 1603 ${ECHO} "${1} ${2} already exists. Schema has been updated" 1604 fi 1605 } 1606 1607 # 1608 # Set up GSSAPI if necessary 1609 # 1610 gssapi_setup() { 1611 1612 GSSAPI_ENABLE=0 1613 1614 # assume sasl/GSSAPI is supported by the ldap server and may be used 1615 GSSAPI_AUTH_MAY_BE_USED=1 1616 1617 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" 1618 if [ $? -ne 0 ]; then 1619 GSSAPI_AUTH_MAY_BE_USED=0 1620 ${ECHO} " sasl/GSSAPI is not supported by this LDAP server" 1621 return 1622 fi 1623 1624 get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n" 1625 if [ $? -eq 0 ]; then 1626 GSSAPI_ENABLE=0 1627 ${ECHO} 1628 ${ECHO} "GSSAPI is not set up." 1629 ${ECHO} "sasl/GSSAPI bind may not work if it's not set up first." 1630 else 1631 GSSAPI_ENABLE=1 1632 get_krb_realm 1633 fi 1634 1635 } 1636 # 1637 # get_profile_name(): Enter the profile name. 1638 # 1639 get_profile_name() 1640 { 1641 # Reset Delete Old Profile since getting new profile name. 1642 DEL_OLD_PROFILE=0 1643 1644 # Loop until valid profile name, or replace. 1645 while : 1646 do 1647 # Prompt for profile name. 1648 get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME" 1649 1650 # Check for Help. 1651 case "$ANS" in 1652 [Hh] | help | Help | \?) display_msg profile_help 1653 continue ;; 1654 * ) ;; 1655 esac 1656 1657 # Search to see if profile name already exists. 1658 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 1659 if [ $? -eq 0 ]; then 1660 1661 cat << EOF 1662 1663 Profile '${ANS}' already exists, it is possible to enable 1664 shadow update now. idsconfig will exit after shadow update 1665 is enabled. You can also continue to overwrite the profile 1666 or create a new one and be given the chance to enable 1667 shadow update later. 1668 1669 EOF 1670 1671 MSG="Just enable shadow update (y/n/h)?" 1672 get_confirm "$MSG" "n" "enable_shadow_update_help" 1673 if [ $? -eq 1 ]; then 1674 [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update" 1675 LDAP_ENABLE_SHADOW_UPDATE=TRUE 1676 # display alternate messages 1677 EXISTING_PROFILE=1 1678 # Set Profile Name. 1679 LDAP_PROFILE_NAME=$ANS 1680 return 0 # set up credentials for shadow update. 1681 fi 1682 1683 get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?" 1684 if [ $? -eq 1 ]; then 1685 DEL_OLD_PROFILE=1 1686 return 0 # Replace old profile name. 1687 else 1688 ${ECHO} "Please re-enter a new profile name." 1689 fi 1690 else 1691 break # Unique profile name. 1692 fi 1693 done 1694 1695 # Set Profile Name. 1696 LDAP_PROFILE_NAME=$ANS 1697 } 1698 1699 1700 # 1701 # get_srv_list(): Get the default server list. 1702 # 1703 get_srv_list() 1704 { 1705 # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone. 1706 if [ -z "${LDAP_SERVER_LIST}" ]; then 1707 LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'` 1708 if [ ${IDS_PORT} -ne 389 ]; then 1709 LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}" 1710 fi 1711 fi 1712 1713 # Prompt for new LDAP_SERVER_LIST. 1714 while : 1715 do 1716 get_ans "Default server list (h=help):" $LDAP_SERVER_LIST 1717 1718 # If help continue, otherwise break. 1719 case "$ANS" in 1720 [Hh] | help | Help | \?) display_msg def_srvlist_help ;; 1721 * ) break ;; 1722 esac 1723 done 1724 LDAP_SERVER_LIST=$ANS 1725 } 1726 1727 1728 # 1729 # get_pref_srv(): The preferred server list (Overrides the server list) 1730 # 1731 get_pref_srv() 1732 { 1733 while : 1734 do 1735 get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST 1736 1737 # If help continue, otherwise break. 1738 case "$ANS" in 1739 [Hh] | help | Help | \?) display_msg pref_srvlist_help ;; 1740 * ) break ;; 1741 esac 1742 done 1743 LDAP_PREF_SRVLIST=$ANS 1744 } 1745 1746 1747 # 1748 # get_search_scope(): Get the search scope from the user. 1749 # 1750 get_search_scope() 1751 { 1752 [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()" 1753 1754 _MENU_CHOICE=0 1755 while : 1756 do 1757 get_ans "Choose desired search scope (one, sub, h=help): " "one" 1758 _MENU_CHOICE=$ANS 1759 case "$_MENU_CHOICE" in 1760 one) LDAP_SEARCH_SCOPE="one" 1761 return 1 ;; 1762 sub) LDAP_SEARCH_SCOPE="sub" 1763 return 2 ;; 1764 h) display_msg srch_scope_help ;; 1765 *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;; 1766 esac 1767 done 1768 1769 } 1770 1771 1772 # 1773 # get_cred_level(): Function to display menu to user and get the 1774 # credential level. 1775 # 1776 get_cred_level() 1777 { 1778 [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()" 1779 1780 _MENU_CHOICE=0 1781 display_msg cred_level_menu 1782 while : 1783 do 1784 if [ $GSSAPI_ENABLE -eq 1 ]; then 1785 ${ECHO} '"self" is needed for GSSAPI profile' 1786 fi 1787 get_ans "Choose Credential level [h=help]:" "1" 1788 _MENU_CHOICE=$ANS 1789 case "$_MENU_CHOICE" in 1790 1) LDAP_CRED_LEVEL="anonymous" 1791 return 1 ;; 1792 2) LDAP_CRED_LEVEL="proxy" 1793 return 2 ;; 1794 3) LDAP_CRED_LEVEL="proxy anonymous" 1795 return 3 ;; 1796 4) LDAP_CRED_LEVEL="self" 1797 return 4 ;; 1798 h) display_msg cred_lvl_help ;; 1799 *) ${ECHO} "Please enter 1, 2, 3 or 4." ;; 1800 esac 1801 done 1802 } 1803 1804 1805 # 1806 # srvauth_menu_handler(): Enter the Service Authentication method. 1807 # 1808 srvauth_menu_handler() 1809 { 1810 # Display Auth menu 1811 display_msg srvauth_method_menu 1812 1813 # Get a Valid choice. 1814 while : 1815 do 1816 # Display appropriate prompt and get answer. 1817 if [ $_FIRST -eq 1 ]; then 1818 get_ans "Choose Service Authentication Method:" "1" 1819 else 1820 get_ans "Choose Service Authentication Method (0=reset):" 1821 fi 1822 1823 # Determine choice. 1824 _MENU_CHOICE=$ANS 1825 case "$_MENU_CHOICE" in 1826 1) _AUTHMETHOD="simple" 1827 break ;; 1828 2) _AUTHMETHOD="sasl/DIGEST-MD5" 1829 break ;; 1830 3) _AUTHMETHOD="tls:simple" 1831 break ;; 1832 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1833 break ;; 1834 5) _AUTHMETHOD="sasl/GSSAPI" 1835 break ;; 1836 0) _AUTHMETHOD="" 1837 _FIRST=1 1838 break ;; 1839 *) ${ECHO} "Please enter 1-5 or 0 to reset." ;; 1840 esac 1841 done 1842 } 1843 1844 1845 # 1846 # auth_menu_handler(): Enter the Authentication method. 1847 # 1848 auth_menu_handler() 1849 { 1850 # Display Auth menu 1851 display_msg auth_method_menu 1852 1853 # Get a Valid choice. 1854 while : 1855 do 1856 if [ $GSSAPI_ENABLE -eq 1 ]; then 1857 ${ECHO} '"sasl/GSSAPI" is needed for GSSAPI profile' 1858 fi 1859 # Display appropriate prompt and get answer. 1860 if [ $_FIRST -eq 1 ]; then 1861 get_ans "Choose Authentication Method (h=help):" "1" 1862 else 1863 get_ans "Choose Authentication Method (0=reset, h=help):" 1864 fi 1865 1866 # Determine choice. 1867 _MENU_CHOICE=$ANS 1868 case "$_MENU_CHOICE" in 1869 1) _AUTHMETHOD="none" 1870 break ;; 1871 2) _AUTHMETHOD="simple" 1872 break ;; 1873 3) _AUTHMETHOD="sasl/DIGEST-MD5" 1874 break ;; 1875 4) _AUTHMETHOD="tls:simple" 1876 break ;; 1877 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 1878 break ;; 1879 6) _AUTHMETHOD="sasl/GSSAPI" 1880 break ;; 1881 0) _AUTHMETHOD="" 1882 _FIRST=1 1883 break ;; 1884 h) display_msg auth_help ;; 1885 *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;; 1886 esac 1887 done 1888 } 1889 1890 1891 # 1892 # get_auth(): Enter the Authentication method. 1893 # 1894 get_auth() 1895 { 1896 [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()" 1897 1898 _FIRST=1 # Flag for first time. 1899 _MENU_CHOICE=0 1900 _AUTHMETHOD="" # Tmp method. 1901 1902 while : 1903 do 1904 # Call Menu handler 1905 auth_menu_handler 1906 1907 # Add Auth Method to list. 1908 if [ $_FIRST -eq 1 ]; then 1909 LDAP_AUTHMETHOD="${_AUTHMETHOD}" 1910 _FIRST=0 1911 else 1912 LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" 1913 fi 1914 1915 # Display current Authentication Method. 1916 ${ECHO} "" 1917 ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}" 1918 ${ECHO} "" 1919 1920 # Prompt for another Auth Method, or break out. 1921 get_confirm_nodef "Do you want to add another Authentication Method?" 1922 if [ $? -eq 0 ]; then 1923 break; 1924 fi 1925 done 1926 } 1927 1928 1929 # 1930 # get_followref(): Whether or not to follow referrals. 1931 # 1932 get_followref() 1933 { 1934 get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help" 1935 if [ $? -eq 1 ]; then 1936 LDAP_FOLLOWREF="TRUE" 1937 else 1938 LDAP_FOLLOWREF="FALSE" 1939 fi 1940 } 1941 1942 1943 # 1944 # get_timelimit(): Set the time limit. -1 is max time. 1945 # 1946 get_timelimit() 1947 { 1948 # Get current timeout value from cn=config. 1949 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1" 1950 if [ $? -ne 0 ]; then 1951 ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!" 1952 cleanup 1953 exit 1 1954 fi 1955 CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=` 1956 1957 get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1" 1958 IDS_TIMELIMIT=$NUM 1959 } 1960 1961 1962 # 1963 # get_sizelimit(): Set the size limit. -1 is max size. 1964 # 1965 get_sizelimit() 1966 { 1967 # Get current sizelimit value from cn=config. 1968 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1" 1969 if [ $? -ne 0 ]; then 1970 ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!" 1971 cleanup 1972 exit 1 1973 fi 1974 CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=` 1975 1976 get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1" 1977 IDS_SIZELIMIT=$NUM 1978 } 1979 1980 1981 # 1982 # get_want_crypt(): Ask user if want to store passwords in crypt? 1983 # 1984 get_want_crypt() 1985 { 1986 get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help" 1987 if [ $? -eq 1 ]; then 1988 NEED_CRYPT="TRUE" 1989 else 1990 NEED_CRYPT="FALSE" 1991 fi 1992 } 1993 1994 1995 # 1996 # get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user. 1997 # 1998 # NOTE: This function is base on get_auth(). 1999 # 2000 get_srv_authMethod_pam() 2001 { 2002 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()" 2003 2004 _FIRST=1 # Flag for first time. 2005 _MENU_CHOICE=0 2006 _AUTHMETHOD="" # Tmp method. 2007 2008 while : 2009 do 2010 # Call Menu handler 2011 srvauth_menu_handler 2012 2013 # Add Auth Method to list. 2014 if [ $_FIRST -eq 1 ]; then 2015 if [ "$_AUTHMETHOD" = "" ]; then 2016 LDAP_SRV_AUTHMETHOD_PAM="" 2017 else 2018 LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}" 2019 fi 2020 _FIRST=0 2021 else 2022 LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}" 2023 fi 2024 2025 # Display current Authentication Method. 2026 ${ECHO} "" 2027 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}" 2028 ${ECHO} "" 2029 2030 # Prompt for another Auth Method, or break out. 2031 get_confirm_nodef "Do you want to add another Authentication Method?" 2032 if [ $? -eq 0 ]; then 2033 break; 2034 fi 2035 done 2036 2037 # Check in case user reset string and exited loop. 2038 if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then 2039 NEED_SRVAUTH_PAM=0 2040 fi 2041 } 2042 2043 2044 # 2045 # get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user. 2046 # 2047 # NOTE: This function is base on get_auth(). 2048 # 2049 get_srv_authMethod_key() 2050 { 2051 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()" 2052 2053 _FIRST=1 # Flag for first time. 2054 _MENU_CHOICE=0 2055 _AUTHMETHOD="" # Tmp method. 2056 2057 while : 2058 do 2059 # Call Menu handler 2060 srvauth_menu_handler 2061 2062 # Add Auth Method to list. 2063 if [ $_FIRST -eq 1 ]; then 2064 if [ "$_AUTHMETHOD" = "" ]; then 2065 LDAP_SRV_AUTHMETHOD_KEY="" 2066 else 2067 LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}" 2068 fi 2069 _FIRST=0 2070 else 2071 LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}" 2072 fi 2073 2074 # Display current Authentication Method. 2075 ${ECHO} "" 2076 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}" 2077 ${ECHO} "" 2078 2079 # Prompt for another Auth Method, or break out. 2080 get_confirm_nodef "Do you want to add another Authentication Method?" 2081 if [ $? -eq 0 ]; then 2082 break; 2083 fi 2084 done 2085 2086 # Check in case user reset string and exited loop. 2087 if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then 2088 NEED_SRVAUTH_KEY=0 2089 fi 2090 } 2091 2092 2093 # 2094 # get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user. 2095 # 2096 # NOTE: This function is base on get_auth(). 2097 # 2098 get_srv_authMethod_cmd() 2099 { 2100 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()" 2101 2102 _FIRST=1 # Flag for first time. 2103 _MENU_CHOICE=0 2104 _AUTHMETHOD="" # Tmp method. 2105 2106 while : 2107 do 2108 # Call Menu handler 2109 srvauth_menu_handler 2110 2111 # Add Auth Method to list. 2112 if [ $_FIRST -eq 1 ]; then 2113 if [ "$_AUTHMETHOD" = "" ]; then 2114 LDAP_SRV_AUTHMETHOD_CMD="" 2115 else 2116 LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}" 2117 fi 2118 _FIRST=0 2119 else 2120 LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}" 2121 fi 2122 2123 # Display current Authentication Method. 2124 ${ECHO} "" 2125 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}" 2126 ${ECHO} "" 2127 2128 # Prompt for another Auth Method, or break out. 2129 get_confirm_nodef "Do you want to add another Authentication Method?" 2130 if [ $? -eq 0 ]; then 2131 break; 2132 fi 2133 done 2134 2135 # Check in case user reset string and exited loop. 2136 if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then 2137 NEED_SRVAUTH_CMD=0 2138 fi 2139 } 2140 2141 2142 # 2143 # get_srch_time(): Amount of time to search. 2144 # 2145 get_srch_time() 2146 { 2147 get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help" 2148 LDAP_SEARCH_TIME_LIMIT=$NUM 2149 } 2150 2151 2152 # 2153 # get_prof_ttl(): The profile time to live (TTL) 2154 # 2155 get_prof_ttl() 2156 { 2157 get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help" 2158 LDAP_PROFILE_TTL=$NUM 2159 } 2160 2161 2162 # 2163 # get_bind_limit(): Bind time limit 2164 # 2165 get_bind_limit() 2166 { 2167 get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help" 2168 LDAP_BIND_LIMIT=$NUM 2169 } 2170 2171 2172 ###################################################################### 2173 # FUNCTIONS FOR Service Search Descriptor's START HERE. 2174 ###################################################################### 2175 2176 2177 # 2178 # add_ssd(): Get SSD's from user and add to file. 2179 # 2180 add_ssd() 2181 { 2182 [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()" 2183 2184 # Enter the service id. Loop til unique. 2185 while : 2186 do 2187 get_ans "Enter the service id:" 2188 _SERV_ID=$ANS 2189 2190 # Grep for name existing. 2191 ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1 2192 if [ $? -eq 1 ]; then 2193 break 2194 fi 2195 2196 # Name exists, print message, let user decide. 2197 ${ECHO} "ERROR: Service id ${ANS} already exists." 2198 done 2199 2200 get_ans "Enter the base:" 2201 _BASE=$ANS 2202 2203 # Get the scope and verify that its one or sub. 2204 while : 2205 do 2206 get_ans "Enter the scope:" 2207 _SCOPE=$ANS 2208 case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in 2209 one) break ;; 2210 sub) break ;; 2211 *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;; 2212 esac 2213 done 2214 2215 # Build SSD to add to file. 2216 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 2217 2218 # Add the SSD to the file. 2219 ${ECHO} "${_SSD}" >> ${SSD_FILE} 2220 } 2221 2222 2223 # 2224 # delete_ssd(): Delete a SSD from the list. 2225 # 2226 delete_ssd() 2227 { 2228 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()" 2229 2230 # Get service id name from user for SSD to delete. 2231 get_ans_req "Enter service id to delete:" 2232 2233 # Make sure service id exists. 2234 ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1 2235 if [ $? -eq 1 ]; then 2236 ${ECHO} "Invalid service id: $ANS not present in list." 2237 return 2238 fi 2239 2240 # Create temporary back SSD file. 2241 cp ${SSD_FILE} ${SSD_FILE}.bak 2242 if [ $? -eq 1 ]; then 2243 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 2244 exit 1 2245 fi 2246 2247 # Use ${GREP} to remove the SSD. Read from temp file 2248 # and write to the orig file. 2249 ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE} 2250 } 2251 2252 2253 # 2254 # modify_ssd(): Allow user to modify a SSD. 2255 # 2256 modify_ssd() 2257 { 2258 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()" 2259 2260 # Prompt user for service id. 2261 get_ans_req "Enter service id to modify:" 2262 2263 # Put into temp _LINE. 2264 _LINE=`${GREP} "^$ANS:" ${SSD_FILE}` 2265 if [ "$_LINE" = "" ]; then 2266 ${ECHO} "Invalid service id: $ANS" 2267 return 2268 fi 2269 2270 # Display current filter for user to see. 2271 ${ECHO} "" 2272 ${ECHO} "Current SSD: $_LINE" 2273 ${ECHO} "" 2274 2275 # Get the defaults. 2276 _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1` 2277 _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2` 2278 2279 # Create temporary back SSD file. 2280 cp ${SSD_FILE} ${SSD_FILE}.bak 2281 if [ $? -eq 1 ]; then 2282 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak" 2283 cleanup 2284 exit 1 2285 fi 2286 2287 # Removed the old line. 2288 ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1 2289 2290 # New Entry 2291 _SERV_ID=$ANS 2292 get_ans_req "Enter the base:" "$_CURR_BASE" 2293 _BASE=$ANS 2294 get_ans_req "Enter the scope:" "$_CURR_SCOPE" 2295 _SCOPE=$ANS 2296 2297 # Build the new SSD. 2298 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}" 2299 2300 # Add the SSD to the file. 2301 ${ECHO} "${_SSD}" >> ${SSD_FILE} 2302 } 2303 2304 2305 # 2306 # display_ssd(): Display the current SSD list. 2307 # 2308 display_ssd() 2309 { 2310 [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()" 2311 2312 ${ECHO} "" 2313 ${ECHO} "Current Service Search Descriptors:" 2314 ${ECHO} "==================================" 2315 cat ${SSD_FILE} 2316 ${ECHO} "" 2317 ${ECHO} "Hit return to continue." 2318 read __A 2319 } 2320 2321 2322 # 2323 # prompt_ssd(): Get SSD's from user. 2324 # 2325 prompt_ssd() 2326 { 2327 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()" 2328 # See if user wants SSD's? 2329 get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help" 2330 [ "$?" -eq 0 ] && return 2331 2332 # Display menu for SSD choices. 2333 while : 2334 do 2335 display_msg prompt_ssd_menu 2336 get_ans "Enter menu choice:" "Quit" 2337 case "$ANS" in 2338 [Aa] | add) add_ssd ;; 2339 [Dd] | delete) delete_ssd ;; 2340 [Mm] | modify) modify_ssd ;; 2341 [Pp] | print | display) display_ssd ;; 2342 [Xx] | reset | clear) reset_ssd_file ;; 2343 [Hh] | Help | help) display_msg ssd_menu_help 2344 ${ECHO} " Press return to continue." 2345 read __A ;; 2346 [Qq] | Quit | quit) return ;; 2347 *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;; 2348 esac 2349 done 2350 } 2351 2352 2353 # 2354 # reset_ssd_file(): Blank out current SSD file. 2355 # 2356 reset_ssd_file() 2357 { 2358 [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()" 2359 2360 rm -f ${SSD_FILE} 2361 touch ${SSD_FILE} 2362 } 2363 2364 2365 # 2366 # create_ssd_file(): Create a temporary file for SSD's. 2367 # 2368 create_ssd_file() 2369 { 2370 [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()" 2371 2372 # Build a list of SSD's and store in temp file. 2373 ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \ 2374 sed 's/LDAP_SERV_SRCH_DES=//' \ 2375 > ${SSD_FILE} 2376 } 2377 2378 2379 # 2380 # ssd_2_config(): Append the SSD file to the output file. 2381 # 2382 ssd_2_config() 2383 { 2384 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()" 2385 2386 # Convert to config file format using sed. 2387 sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE} 2388 } 2389 2390 2391 # 2392 # ssd_2_profile(): Add SSD's to the GEN_CMD string. 2393 # 2394 ssd_2_profile() 2395 { 2396 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()" 2397 2398 GEN_TMPFILE=${TMPDIR}/ssd_tmpfile 2399 touch ${GEN_TMPFILE} 2400 2401 # Add and convert each SSD to string. 2402 while read SSD_LINE 2403 do 2404 ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE} 2405 done <${SSD_FILE} 2406 2407 # Add SSD's to GEN_CMD. 2408 GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`" 2409 } 2410 2411 # 2412 # get_adminDN(): Get the admin DN. 2413 # 2414 get_adminDN() 2415 { 2416 LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}" # default 2417 get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN" 2418 LDAP_ADMINDN=$ANS 2419 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN" 2420 } 2421 2422 # 2423 # get_admin_pw(): Get the admin passwd. 2424 # 2425 get_admin_pw() 2426 { 2427 get_passwd "Enter passwd for the administrator:" 2428 LDAP_ADMIN_CRED=$ANS 2429 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED" 2430 } 2431 2432 # 2433 # add_admin(): Add an admin entry for nameservice for updating shadow data. 2434 # 2435 add_admin() 2436 { 2437 [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()" 2438 2439 # Check if the admin user already exists. 2440 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}" 2441 if [ $? -eq 0 ]; then 2442 MSG="Administrator ${LDAP_ADMINDN} already exists." 2443 if [ $EXISTING_PROFILE -eq 1 ]; then 2444 ${ECHO} " NOT ADDED: $MSG" 2445 else 2446 ${ECHO} " ${STEP}. $MSG" 2447 STEP=`expr $STEP + 1` 2448 fi 2449 return 0 2450 fi 2451 2452 # Get cn and sn names from LDAP_ADMINDN. 2453 cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=` 2454 2455 # Create the tmp file to add. 2456 ( cat <<EOF 2457 dn: ${LDAP_ADMINDN} 2458 cn: ${cn_tmp} 2459 sn: ${cn_tmp} 2460 objectclass: top 2461 objectclass: person 2462 userpassword: ${LDAP_ADMIN_CRED} 2463 EOF 2464 ) > ${TMPDIR}/admin 2465 2466 # Add the entry. 2467 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}" 2468 if [ $? -ne 0 ]; then 2469 ${ECHO} " ERROR: Adding administrator identity failed!" 2470 cleanup 2471 exit 1 2472 fi 2473 2474 ${RM} -f ${TMPDIR}/admin 2475 2476 # Display message that the administrator identity is added. 2477 MSG="Administrator identity ${LDAP_ADMINDN}" 2478 if [ $EXISTING_PROFILE -eq 1 ]; then 2479 ${ECHO} " ADDED: $MSG." 2480 else 2481 ${ECHO} " ${STEP}. $MSG added." 2482 STEP=`expr $STEP + 1` 2483 fi 2484 } 2485 2486 # 2487 # allow_admin_read_write_shadow(): Give Admin read/write permission 2488 # to shadow data. 2489 # 2490 allow_admin_read_write_shadow() 2491 { 2492 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()" 2493 2494 # Set ACI Name 2495 ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write" 2496 2497 # Search for ACI_NAME 2498 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \ 2499 -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1" 2500 2501 # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search" 2502 # and ${LDAP_ADMINDN} already exists, we are done 2503 ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \ 2504 ${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null 2505 if [ $? -eq 0 ]; then 2506 MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}." 2507 if [ $EXISTING_PROFILE -eq 1 ]; then 2508 ${ECHO} " NOT SET: $MSG" 2509 else 2510 ${ECHO} " ${STEP}. $MSG" 2511 STEP=`expr $STEP + 1` 2512 fi 2513 return 0 2514 fi 2515 2516 # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN} 2517 # already exists, delete it first. 2518 find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \ 2519 ${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME} 2520 2521 # Create the tmp file to add. 2522 ( cat <<EOF 2523 dn: ${LDAP_BASEDN} 2524 changetype: modify 2525 add: aci 2526 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange 2527 ||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire 2528 ||shadowFlag||userPassword||loginShell||homeDirectory||gecos") 2529 (version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search) 2530 userdn = "ldap:///${LDAP_ADMINDN}";) 2531 EOF 2532 ) > ${TMPDIR}/admin_write 2533 2534 # Add the entry. 2535 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}" 2536 if [ $? -ne 0 ]; then 2537 ${ECHO} " ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!" 2538 cleanup 2539 exit 1 2540 fi 2541 2542 ${RM} -f ${TMPDIR}/admin_write 2543 # Display message that the administrator ACL is set. 2544 MSG="Give ${LDAP_ADMINDN} read/write access to shadow data." 2545 if [ $EXISTING_PROFILE -eq 1 ]; then 2546 ${ECHO} " ACI SET: $MSG" 2547 else 2548 ${ECHO} " ${STEP}. $MSG" 2549 STEP=`expr $STEP + 1` 2550 fi 2551 } 2552 2553 # 2554 # allow_host_read_write_shadow(): Give host principal read/write permission 2555 # for shadow data. 2556 # 2557 allow_host_read_write_shadow() 2558 { 2559 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()" 2560 2561 # Set ACI Name 2562 HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write" 2563 2564 # Search for ACI_NAME 2565 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1" 2566 ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1 2567 if [ $? -eq 0 ]; then 2568 MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}." 2569 if [ $EXISTING_PROFILE -eq 1 ]; then 2570 ${ECHO} " NOT ADDED: $MSG" 2571 else 2572 ${ECHO} " ${STEP}. $MSG" 2573 STEP=`expr $STEP + 1` 2574 fi 2575 return 0 2576 fi 2577 2578 # Create the tmp file to add. 2579 ( cat <<EOF 2580 dn: ${LDAP_BASEDN} 2581 changetype: modify 2582 add: aci 2583 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";) 2584 EOF 2585 ) > ${TMPDIR}/host_read_write 2586 2587 # Add the entry. 2588 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}" 2589 if [ $? -ne 0 ]; then 2590 ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!" 2591 cleanup 2592 exit 1 2593 fi 2594 2595 ${RM} -f ${TMPDIR}/host_read_write 2596 MSG="Give host principal read/write permission for shadow." 2597 if [ $EXISTING_PROFILE -eq 1 ]; then 2598 ${ECHO} " ACI SET: $MSG" 2599 else 2600 ${ECHO} " ${STEP}. $MSG" 2601 STEP=`expr $STEP + 1` 2602 fi 2603 } 2604 2605 # 2606 # Set up shadow update 2607 # 2608 setup_shadow_update() { 2609 [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()" 2610 2611 # get content of the profile 2612 PROFILE_OUT=${TMPDIR}/prof_tmpfile 2613 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1" 2614 ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1 2615 if [ $? -ne 0 ]; then 2616 [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist" 2617 ${RM} ${PROFILE_OUT} 2618 return 2619 fi 2620 2621 # Search to see if authenticationMethod has 'GSSAPI' and 2622 # credentialLevel has 'self'. If so, ask to use the 2623 # host principal for shadow update 2624 if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then 2625 if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1 2626 then 2627 if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1 2628 then 2629 NEED_HOSTACL=1 2630 fi 2631 fi 2632 ${RM} ${PROFILE_OUT} 2633 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" 2634 2635 if [ $NEED_HOSTACL -eq 1 ]; then 2636 MSG="Use host principal for shadow data update (y/n/h)?" 2637 get_confirm "$MSG" "y" "use_host_principal_help" 2638 if [ $? -eq 1 ]; then 2639 delete_proxy_read_pw 2640 allow_host_read_write_shadow 2641 deny_non_host_shadow_access 2642 ${ECHO} "" 2643 ${ECHO} " Shadow update has been enabled." 2644 else 2645 ${ECHO} "" 2646 ${ECHO} " Shadow update may not work." 2647 fi 2648 return 2649 fi 2650 fi 2651 2652 MSG="Add the administrator identity (y/n/h)?" 2653 get_confirm "$MSG" "y" "add_admin_cred_help" 2654 if [ $? -eq 1 ]; then 2655 get_adminDN 2656 get_admin_pw 2657 add_admin 2658 delete_proxy_read_pw 2659 allow_admin_read_write_shadow 2660 deny_non_admin_shadow_access 2661 ${ECHO} "" 2662 ${ECHO} " Shadow update has been enabled." 2663 return 2664 fi 2665 2666 ${ECHO} " No administrator identity specified, shadow update may not work." 2667 } 2668 2669 2670 # 2671 # prompt_config_info(): This function prompts the user for the config 2672 # info that is not specified in the input file. 2673 # 2674 prompt_config_info() 2675 { 2676 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()" 2677 2678 # Prompt for iDS server name. 2679 get_ids_server 2680 2681 # Prompt for iDS port number. 2682 get_ids_port 2683 2684 # Check iDS version for compatibility. 2685 chk_ids_version 2686 2687 # Check if the server supports the VLV. 2688 chk_vlv_indexes 2689 2690 # Get the Directory manager DN and passwd. 2691 get_dirmgr_dn 2692 get_dirmgr_pw 2693 2694 # 2695 # LDAP CLIENT PROFILE SPECIFIC INFORMATION. 2696 # (i.e. The fields that show up in the profile.) 2697 # 2698 get_domain "domain_help" 2699 2700 get_basedn 2701 2702 gssapi_setup 2703 2704 get_profile_name 2705 2706 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then 2707 setup_shadow_update 2708 cleanup 2709 exit 0 2710 fi 2711 2712 get_srv_list 2713 get_pref_srv 2714 get_search_scope 2715 2716 # If cred is "anonymous", make auth == "none" 2717 get_cred_level 2718 if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then 2719 get_auth 2720 fi 2721 2722 get_followref 2723 2724 # Query user about timelimt. 2725 get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help" 2726 NEED_TIME=$? 2727 [ $NEED_TIME -eq 1 ] && get_timelimit 2728 2729 # Query user about sizelimit. 2730 get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help" 2731 NEED_SIZE=$? 2732 [ $NEED_SIZE -eq 1 ] && get_sizelimit 2733 2734 # Does the user want to store passwords in crypt format? 2735 get_want_crypt 2736 2737 # Prompt for any Service Authentication Methods? 2738 get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help" 2739 if [ $? -eq 1 ]; then 2740 # Does the user want to set Service Authentication Method for pam_ldap? 2741 get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help" 2742 NEED_SRVAUTH_PAM=$? 2743 [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam 2744 2745 # Does the user want to set Service Authentication Method for keyserv? 2746 get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help" 2747 NEED_SRVAUTH_KEY=$? 2748 [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key 2749 2750 # Does the user want to set Service Authentication Method for passwd-cmd? 2751 get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help" 2752 NEED_SRVAUTH_CMD=$? 2753 [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd 2754 fi 2755 2756 2757 # Get Timeouts 2758 get_srch_time 2759 get_prof_ttl 2760 get_bind_limit 2761 2762 # Ask whether to enable shadow update 2763 get_want_shadow_update 2764 2765 # Reset the sdd_file and prompt user for SSD. Will use menus 2766 # to build an SSD File. 2767 reset_ssd_file 2768 prompt_ssd 2769 2770 # Display FULL debugging info. 2771 disp_full_debug 2772 2773 # Extra blank line to separate prompt lines from steps. 2774 ${ECHO} " " 2775 } 2776 2777 2778 ###################################################################### 2779 # FUNCTIONS FOR display_summary() START HERE. 2780 ###################################################################### 2781 2782 2783 # 2784 # get_proxyagent(): Get the proxyagent DN. 2785 # 2786 get_proxyagent() 2787 { 2788 LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default 2789 get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT" 2790 LDAP_PROXYAGENT=$ANS 2791 } 2792 2793 2794 # 2795 # get_proxy_pw(): Get the proxyagent passwd. 2796 # 2797 get_proxy_pw() 2798 { 2799 get_passwd "Enter passwd for proxyagent:" 2800 LDAP_PROXYAGENT_CRED=$ANS 2801 } 2802 2803 # 2804 # display_summary(): Display a summary of values entered and let the 2805 # user modify values at will. 2806 # 2807 display_summary() 2808 { 2809 [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()" 2810 2811 # Create lookup table for function names. First entry is dummy for 2812 # shift. 2813 TBL1="dummy" 2814 TBL2="get_domain get_basedn get_profile_name" 2815 TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level" 2816 TBL4="get_auth get_followref" 2817 TBL5="get_timelimit get_sizelimit get_want_crypt" 2818 TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd" 2819 TBL7="get_srch_time get_prof_ttl get_bind_limit" 2820 TBL8="get_want_shadow_update" 2821 TBL9="prompt_ssd" 2822 FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9" 2823 2824 # Since menu prompt string is long, set here. 2825 _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)" 2826 2827 # Infinite loop. Test for 0, and break in loop. 2828 while : 2829 do 2830 # Display menu and get value in range. 2831 display_msg summary_menu 2832 get_menu_choice "${_MENU_PROMPT}" "0" "20" "0" 2833 _CH=$MN_CH 2834 2835 # Make sure where not exiting. 2836 if [ $_CH -eq 0 ]; then 2837 break # Break out of loop if 0 selected. 2838 fi 2839 2840 # Call appropriate function from function table. 2841 set $FUNC_TBL 2842 shift $_CH 2843 $1 # Call the appropriate function. 2844 done 2845 2846 # If cred level is still see if user wants a change? 2847 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1 2848 then 2849 if [ "$LDAP_AUTHMETHOD" != "none" ]; then 2850 NEED_PROXY=1 # I assume integer test is faster? 2851 get_proxyagent 2852 get_proxy_pw 2853 else 2854 ${ECHO} "WARNING: Since Authentication method is 'none'." 2855 ${ECHO} " Credential level will be set to 'anonymous'." 2856 LDAP_CRED_LEVEL="anonymous" 2857 fi 2858 fi 2859 2860 # If shadow update is enabled, set up administrator credential 2861 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then 2862 NEED_ADMIN=1 2863 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then 2864 if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then 2865 NEED_HOSTACL=1 2866 NEED_ADMIN=0 2867 fi 2868 fi 2869 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL" 2870 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN" 2871 if [ $NEED_ADMIN -eq 1 ]; then 2872 get_adminDN 2873 get_admin_pw 2874 fi 2875 fi 2876 2877 # Display FULL debugging info. 2878 disp_full_debug 2879 2880 # Final confirmation message. (ARE YOU SURE!) 2881 ${ECHO} " " 2882 get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)" 2883 if [ $? -eq 0 ]; then 2884 ${ECHO} "Terminating setup without making changes at users request." 2885 cleanup 2886 exit 1 2887 fi 2888 2889 # Print newline 2890 ${ECHO} " " 2891 } 2892 2893 2894 # 2895 # create_config_file(): Write config data to config file specified. 2896 # 2897 create_config_file() 2898 { 2899 [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()" 2900 2901 # If output file exists, delete it. 2902 [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE 2903 2904 # Create output file. 2905 cat > $OUTPUT_FILE <<EOF 2906 #!/bin/sh 2907 # $OUTPUT_FILE - This file contains configuration information for 2908 # Native LDAP. Use the idsconfig tool to load it. 2909 # 2910 # WARNING: This file was generated by idsconfig, and is intended to 2911 # be loaded by idsconfig as is. DO NOT EDIT THIS FILE! 2912 # 2913 IDS_SERVER="$IDS_SERVER" 2914 IDS_PORT=$IDS_PORT 2915 IDS_TIMELIMIT=$IDS_TIMELIMIT 2916 IDS_SIZELIMIT=$IDS_SIZELIMIT 2917 LDAP_ROOTDN="$LDAP_ROOTDN" 2918 LDAP_ROOTPWD=$LDAP_ROOTPWD 2919 LDAP_DOMAIN="$LDAP_DOMAIN" 2920 LDAP_SUFFIX="$LDAP_SUFFIX" 2921 GSSAPI_ENABLE=$GSSAPI_ENABLE 2922 LDAP_KRB_REALM="$LDAP_KRB_REALM" 2923 2924 # Internal program variables that need to be set. 2925 NEED_PROXY=$NEED_PROXY 2926 NEED_TIME=$NEED_TIME 2927 NEED_SIZE=$NEED_SIZE 2928 NEED_CRYPT=$NEED_CRYPT 2929 NEED_ADMIN=$NEED_ADMIN 2930 NEED_HOSTACL=$NEED_HOSTACL 2931 EXISTING_PROFILE=$EXISTING_PROFILE 2932 2933 # LDAP PROFILE related defaults 2934 LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME" 2935 DEL_OLD_PROFILE=1 2936 LDAP_BASEDN="$LDAP_BASEDN" 2937 LDAP_SERVER_LIST="$LDAP_SERVER_LIST" 2938 LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD" 2939 LDAP_FOLLOWREF=$LDAP_FOLLOWREF 2940 LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE" 2941 NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM 2942 NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY 2943 NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD 2944 LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM" 2945 LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY" 2946 LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD" 2947 LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT 2948 LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST" 2949 LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL 2950 LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL" 2951 LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT 2952 2953 # Proxy Agent 2954 LDAP_PROXYAGENT="$LDAP_PROXYAGENT" 2955 LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED 2956 2957 # enableShadowUpdate flag and Administrator credential 2958 LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE 2959 LDAP_ADMINDN="$LDAP_ADMINDN" 2960 LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED 2961 2962 # Export all the variables (just in case) 2963 export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN 2964 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED 2965 export NEED_PROXY 2966 export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED 2967 export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE 2968 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST 2969 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT 2970 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT 2971 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD 2972 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD 2973 export LDAP_SERV_SRCH_DES SSD_FILE GSSAPI_ENABLE LDAP_KRB_REALM 2974 2975 # Service Search Descriptors start here if present: 2976 EOF 2977 # Add service search descriptors. 2978 ssd_2_config "${OUTPUT_FILE}" 2979 2980 # Add LDAP suffix preferences 2981 print_suffix_config >> "${OUTPUT_FILE}" 2982 2983 # Add the end of FILE tag. 2984 ${ECHO} "" >> ${OUTPUT_FILE} 2985 ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE} 2986 } 2987 2988 2989 # 2990 # chk_vlv_indexes(): Do ldapsearch to see if server supports VLV. 2991 # 2992 chk_vlv_indexes() 2993 { 2994 # Do ldapsearch to see if server supports VLV. 2995 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1 2996 eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}" 2997 if [ $? -ne 0 ]; then 2998 ${ECHO} "ERROR: VLV is not supported on LDAP server!" 2999 cleanup 3000 exit 1 3001 fi 3002 [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server." 3003 } 3004 3005 # 3006 # get_backend(): this function gets the relevant backend 3007 # (database) for LDAP_BASED. 3008 # Description: set IDS_DATABASE; exit on failure. 3009 # Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are 3010 # valid. 3011 # 3012 # backend is retrieved from suffixes and subsuffixes 3013 # defined under "cn=mapping tree,cn=config". The 3014 # nsslapd-state attribute of these suffixes entries 3015 # is filled with either Backend, Disabled or referrals 3016 # related values. We only want those that have a true 3017 # backend database to select the relevant backend. 3018 # 3019 get_backend() 3020 { 3021 [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()" 3022 3023 cur_suffix=${LDAP_BASEDN} 3024 prev_suffix= 3025 IDS_DATABASE= 3026 while [ "${cur_suffix}" != "${prev_suffix}" ] 3027 do 3028 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}" 3029 eval "${LDAPSEARCH} ${LDAP_ARGS} " \ 3030 "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \ 3031 "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \ 3032 "| ${GREP} 'nsslapd-backend=' " \ 3033 "> ${TMPDIR}/ids_database_name 2>&1" 3034 NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'` 3035 case ${NUM_DBS} in 3036 0) # not a suffix, or suffix not activated; try next 3037 prev_suffix=${cur_suffix} 3038 cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','` 3039 ;; 3040 1) # suffix found; get database name 3041 IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2` 3042 ;; 3043 *) # can not handle more than one database per suffix 3044 ${ECHO} "ERROR: More than one database is configured " 3045 ${ECHO} " for $LDAP_SUFFIX!" 3046 ${ECHO} " $PROG can not configure suffixes where " 3047 ${ECHO} " more than one database is used for one suffix." 3048 cleanup 3049 exit 1 3050 ;; 3051 esac 3052 if [ -n "${IDS_DATABASE}" ]; then 3053 break 3054 fi 3055 done 3056 3057 if [ -z "${IDS_DATABASE}" ]; then 3058 # should not happen, since LDAP_BASEDN is supposed to be valid 3059 ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}." 3060 ${ECHO} "Exiting." 3061 cleanup 3062 exit 1 3063 fi 3064 3065 [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}" 3066 } 3067 3068 # 3069 # validate_suffix(): This function validates ${LDAP_SUFFIX} 3070 # THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 3071 # 3072 validate_suffix() 3073 { 3074 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()" 3075 3076 # Check LDAP_SUFFIX is not null 3077 if [ -z "${LDAP_SUFFIX}" ]; then 3078 ${ECHO} "Invalid suffix (null suffix)" 3079 cleanup 3080 exit 1 3081 fi 3082 3083 # Check LDAP_SUFFIX and LDAP_BASEDN are consistent 3084 # Convert to lower case for basename. 3085 format_string "${LDAP_BASEDN}" 3086 LOWER_BASEDN="${FMT_STR}" 3087 format_string "${LDAP_SUFFIX}" 3088 LOWER_SUFFIX="${FMT_STR}" 3089 3090 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 3091 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 3092 3093 if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then 3094 sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 3095 if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then 3096 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 3097 ${ECHO} "for Base DN ${LOWER_BASEDN}" 3098 cleanup 3099 exit 1 3100 fi 3101 fi 3102 3103 # Check LDAP_SUFFIX does exist 3104 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0 3105 3106 # Well, suffix does not exist, try to prepare create it ... 3107 NEED_CREATE_SUFFIX=1 3108 prep_create_sfx_entry || 3109 { 3110 cleanup 3111 exit 1 3112 } 3113 [ -n "${NEED_CREATE_BACKEND}" ] && 3114 { 3115 # try to use id attr value of the suffix as a database name 3116 IDS_DATABASE=${_VAL} 3117 prep_create_sfx_backend 3118 case $? in 3119 1) # cann't use the name we want, so we can either exit or use 3120 # some another available name - doing the last ... 3121 IDS_DATABASE=${IDS_DATABASE_AVAIL} 3122 ;; 3123 2) # unable to determine database name 3124 cleanup 3125 exit 1 3126 ;; 3127 esac 3128 } 3129 3130 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE" 3131 } 3132 3133 # 3134 # validate_info(): This function validates the basic info collected 3135 # So that some problems are caught right away. 3136 # THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION. 3137 # 3138 validate_info() 3139 { 3140 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()" 3141 3142 # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file. 3143 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}" 3144 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}" 3145 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}" 3146 export SERVER_ARGS 3147 3148 # Check the Root DN and Root DN passwd. 3149 # Use eval instead of $EVAL because not part of setup. (validate) 3150 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 3151 if [ $? -ne 0 ]; then 3152 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 3153 if [ $? -eq 0 ]; then 3154 ${ECHO} "ERROR: Root DN passwd is invalid." 3155 else 3156 ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>." 3157 fi 3158 cleanup 3159 exit 1 3160 fi 3161 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK" 3162 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK" 3163 3164 # Check if the server supports the VLV. 3165 chk_vlv_indexes 3166 [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK" 3167 3168 # Check LDAP suffix 3169 validate_suffix 3170 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK" 3171 } 3172 3173 # 3174 # format_string(): take a string as argument and set FMT_STR 3175 # to be the same string formatted as follow: 3176 # - only lower case characters 3177 # - no unnecessary spaces around , and = 3178 # 3179 format_string() 3180 { 3181 FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' | 3182 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'` 3183 } 3184 3185 # 3186 # prepare for the suffix entry creation 3187 # 3188 # input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix; 3189 # in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config. 3190 # output : NEED_CREATE_BACKEND - backend for this suffix needs to be created; 3191 # _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value. 3192 # return : 0 - success, otherwise error. 3193 # 3194 prep_create_sfx_entry() 3195 { 3196 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()" 3197 3198 # check whether suffix corresponds to base dn 3199 format_string "${LDAP_BASEDN}" 3200 ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 || 3201 { 3202 display_msg sfx_not_suitable 3203 return 1 3204 } 3205 3206 # parse LDAP_SUFFIX 3207 _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1` 3208 _ATT=`${ECHO} "${_RDN}" | cut -d= -f1` 3209 _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-` 3210 3211 # find out an objectclass for suffix entry if it is not defined yet 3212 [ -z "${LDAP_SUFFIX_OBJ}" ] && 3213 { 3214 get_objectclass ${_ATT} 3215 [ -z "${_ATTR_NAME}" ] && 3216 { 3217 display_msg obj_not_found 3218 return 1 3219 } 3220 LDAP_SUFFIX_OBJ=${_ATTR_NAME} 3221 } 3222 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}" 3223 3224 # find out an aci for suffix entry if it is not defined yet 3225 [ -z "${LDAP_SUFFIX_ACI}" ] && 3226 { 3227 # set Directory Server default aci 3228 LDAP_SUFFIX_ACI=`cat <<EOF 3229 aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime 3230 || passwordExpWarned || passwordRetryCount || retryCountResetTime || 3231 accountUnlockTime || passwordAllowChangeTime") 3232 ( 3233 version 3.0; 3234 acl "Anonymous access"; 3235 allow (read, search, compare) userdn = "ldap:///anyone"; 3236 ) 3237 aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || 3238 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || 3239 passwordExpirationTime || passwordExpWarned || passwordRetryCount || 3240 retryCountResetTime || accountUnlockTime || passwordHistory || 3241 passwordAllowChangeTime") 3242 ( 3243 version 3.0; 3244 acl "Allow self entry modification except for some attributes"; 3245 allow (write) userdn = "ldap:///self"; 3246 ) 3247 aci: (targetattr = "*") 3248 ( 3249 version 3.0; 3250 acl "Configuration Administrator"; 3251 allow (all) userdn = "ldap:///uid=admin,ou=Administrators, 3252 ou=TopologyManagement,o=NetscapeRoot"; 3253 ) 3254 aci: (targetattr ="*") 3255 ( 3256 version 3.0; 3257 acl "Configuration Administrators Group"; 3258 allow (all) groupdn = "ldap:///cn=Configuration Administrators, 3259 ou=Groups,ou=TopologyManagement,o=NetscapeRoot"; 3260 ) 3261 EOF 3262 ` 3263 } 3264 [ $DEBUG -eq 1 ] && cat <<EOF 3265 DEBUG: ACI for ${LDAP_SUFFIX} is 3266 ${LDAP_SUFFIX_ACI} 3267 EOF 3268 3269 NEED_CREATE_BACKEND= 3270 3271 # check the suffix mapping tree ... 3272 # if mapping exists, suffix should work, otherwise DS inconsistent 3273 # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work 3274 # in case of 'cn' value in LDAP is not quoted by '"', 3275 # -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases 3276 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3277 -b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \ 3278 -s base 'objectclass=*' dn ${VERB}" && 3279 { 3280 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists" 3281 # get_backend() either gets IDS_DATABASE or exits 3282 get_backend 3283 return 0 3284 } 3285 3286 # no suffix mapping, just in case check ldbm backends consistency - 3287 # there are must be NO any databases pointing to LDAP_SUFFIX 3288 [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \ 3289 -b 'cn=ldbm database,cn=plugins,cn=config' \ 3290 -s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] && 3291 { 3292 display_msg sfx_config_incons 3293 return 1 3294 } 3295 3296 # ok, no suffix mapping, no ldbm database 3297 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..." 3298 NEED_CREATE_BACKEND=1 3299 return 0 3300 } 3301 3302 # 3303 # prepare for the suffix backend creation 3304 # 3305 # input : IDS_DATABASE - requested ldbm db name (must be not null) 3306 # in/out : IDS_DATABASE_AVAIL - available ldbm db name 3307 # return : 0 - ldbm db name ok 3308 # 1 - IDS_DATABASE exists, 3309 # so IDS_DATABASE_AVAIL contains available name 3310 # 2 - unable to find any available name 3311 # 3312 prep_create_sfx_backend() 3313 { 3314 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()" 3315 3316 # check if requested name available 3317 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 3318 3319 # get the list of database names start with a requested name 3320 _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3321 -b 'cn=ldbm database,cn=plugins,cn=config' \ 3322 -s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null 3323 3324 # find available db name based on a requested name 3325 _i=""; _i_MAX=10 3326 while [ ${_i:-0} -lt ${_i_MAX} ] 3327 do 3328 _name="${IDS_DATABASE}${_i}" 3329 ${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 || 3330 { 3331 IDS_DATABASE_AVAIL="${_name}" 3332 break 3333 } 3334 _i=`expr ${_i:-0} + 1` 3335 done 3336 3337 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0 3338 3339 [ -n "${IDS_DATABASE_AVAIL}" ] && 3340 { 3341 display_msg ldbm_db_exist 3342 return 1 3343 } 3344 3345 display_msg unable_find_db_name 3346 return 2 3347 } 3348 3349 # 3350 # add suffix if needed, 3351 # suffix entry and backend MUST be prepared by 3352 # prep_create_sfx_entry and prep_create_sfx_backend correspondingly 3353 # 3354 # input : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL 3355 # LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE 3356 # return : 0 - suffix successfully created, otherwise error occured 3357 # 3358 add_suffix() 3359 { 3360 [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()" 3361 3362 [ -n "${NEED_CREATE_SUFFIX}" ] || return 0 3363 3364 [ -n "${NEED_CREATE_BACKEND}" ] && 3365 { 3366 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 3367 dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config 3368 objectclass: top 3369 objectclass: extensibleObject 3370 objectclass: nsMappingTree 3371 cn: ${LDAP_SUFFIX} 3372 nsslapd-state: backend 3373 nsslapd-backend: ${IDS_DATABASE} 3374 3375 dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config 3376 objectclass: top 3377 objectclass: extensibleObject 3378 objectclass: nsBackendInstance 3379 cn: ${IDS_DATABASE} 3380 nsslapd-suffix: ${LDAP_SUFFIX} 3381 EOF 3382 [ $? -ne 0 ] && 3383 { 3384 display_msg create_ldbm_db_error 3385 return 1 3386 } 3387 3388 ${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created" 3389 STEP=`expr $STEP + 1` 3390 } 3391 3392 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF 3393 dn: ${LDAP_SUFFIX} 3394 objectclass: ${LDAP_SUFFIX_OBJ} 3395 ${_ATT}: ${_VAL} 3396 ${LDAP_SUFFIX_ACI} 3397 EOF 3398 [ $? -ne 0 ] && 3399 { 3400 display_msg create_suffix_entry_error 3401 return 1 3402 } 3403 3404 ${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created" 3405 STEP=`expr $STEP + 1` 3406 return 0 3407 } 3408 3409 # 3410 # interactively get suffix and related info from a user 3411 # 3412 # input : LDAP_BASEDN - Base DN 3413 # output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value; 3414 # LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci; 3415 # NEED_CREATE_BACKEND - tells whether backend needs to be created; 3416 # IDS_DATABASE - prepared ldbm db name 3417 # return : 0 - user gave a correct suffix 3418 # 1 - suffix given by user cann't be created 3419 # 3420 get_suffix() 3421 { 3422 [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()" 3423 3424 while : 3425 do 3426 get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN} 3427 case "${ANS}" in 3428 [Hh] | Help | help | \? ) display_msg create_suffix_help ;; 3429 [Bb] | Back | back | \< ) return 1 ;; 3430 * ) 3431 format_string "${ANS}" 3432 LDAP_SUFFIX=${FMT_STR} 3433 prep_create_sfx_entry || continue 3434 3435 [ -n "${NEED_CREATE_BACKEND}" ] && 3436 { 3437 IDS_DATABASE_AVAIL= # reset the available db name 3438 3439 reenter_suffix= 3440 while : 3441 do 3442 get_ans "Enter ldbm database name (b=back/h=help):" \ 3443 ${IDS_DATABASE_AVAIL:-${_VAL}} 3444 case "${ANS}" in 3445 [Hh] | \? ) display_msg enter_ldbm_db_help ;; 3446 [Bb] | \< ) reenter_suffix=1; break ;; 3447 * ) 3448 IDS_DATABASE="${ANS}" 3449 prep_create_sfx_backend && break 3450 esac 3451 done 3452 [ -n "${reenter_suffix}" ] && continue 3453 3454 [ $DEBUG -eq 1 ] && cat <<EOF 3455 DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE} 3456 EOF 3457 } 3458 3459 # eventually everything is prepared 3460 return 0 3461 ;; 3462 esac 3463 done 3464 } 3465 3466 # 3467 # print out a script which sets LDAP suffix related preferences 3468 # 3469 print_suffix_config() 3470 { 3471 cat <<EOF2 3472 # LDAP suffix related preferences used only if needed 3473 IDS_DATABASE="${IDS_DATABASE}" 3474 LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ" 3475 LDAP_SUFFIX_ACI=\`cat <<EOF 3476 ${LDAP_SUFFIX_ACI} 3477 EOF 3478 \` 3479 export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI 3480 EOF2 3481 } 3482 3483 # 3484 # check_basedn_suffix(): check that there is an existing 3485 # valid suffix to hold current base DN 3486 # return: 3487 # 0: valid suffix found or new one should be created, 3488 # NEED_CREATE_SUFFIX flag actually indicates that 3489 # 1: some error occures 3490 # 3491 check_basedn_suffix() 3492 { 3493 [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()" 3494 3495 NEED_CREATE_SUFFIX= 3496 3497 # find out existing suffixes 3498 discover_serv_suffix 3499 3500 ${ECHO} " Validating LDAP Base DN and Suffix ..." 3501 3502 # check that LDAP Base DN might be added 3503 cur_ldap_entry=${LDAP_BASEDN} 3504 prev_ldap_entry= 3505 while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ] 3506 do 3507 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}" 3508 ${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \ 3509 -s one "objectclass=*" > /dev/null 2>&1 3510 if [ $? -eq 0 ]; then 3511 break 3512 else 3513 prev_ldap_entry=${cur_ldap_entry} 3514 cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','` 3515 fi 3516 done 3517 3518 if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then 3519 ${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}" 3520 3521 NEED_CREATE_SUFFIX=1 3522 return 0 3523 3524 else 3525 [ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}" 3526 3527 # Now looking for relevant suffix for this entry. 3528 # LDAP_SUFFIX will then be used to add necessary 3529 # base objects. See add_base_objects(). 3530 format_string "${cur_ldap_entry}" 3531 lower_entry="${FMT_STR}" 3532 [ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}" 3533 oIFS=$IFS 3534 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line" 3535 IFS=' 3536 ' 3537 for suff in ${LDAP_SUFFIX_LIST} 3538 do 3539 [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}" 3540 format_string "${suff}" 3541 lower_suff="${FMT_STR}" 3542 if [ "${lower_entry}" = "${lower_suff}" ]; then 3543 LDAP_SUFFIX="${suff}" 3544 break 3545 else 3546 dcstmp=`basename "${lower_entry}" "${lower_suff}"` 3547 if [ "${dcstmp}" = "${lower_entry}" ]; then 3548 # invalid suffix, try next one 3549 continue 3550 else 3551 # valid suffix found 3552 LDAP_SUFFIX="${suff}" 3553 break 3554 fi 3555 fi 3556 done 3557 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value" 3558 IFS=$oIFS 3559 3560 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}" 3561 3562 if [ -z "${LDAP_SUFFIX}" ]; then 3563 # should not happen, since we found the entry 3564 ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}." 3565 ${ECHO} "Exiting." 3566 return 1 3567 fi 3568 3569 # Getting relevant database (backend) 3570 # IDS_DATABASE will then be used to create indexes. 3571 get_backend 3572 3573 return 0 3574 fi 3575 } 3576 3577 # 3578 # discover_serv_suffix(): This function queries the server to find 3579 # suffixes available 3580 # return: 0: OK, suffix found 3581 # 1: suffix not determined 3582 discover_serv_suffix() 3583 { 3584 [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()" 3585 3586 # Search the server for the TOP of the TREE. 3587 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1 3588 ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \ 3589 ${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP 3590 NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'` 3591 case $NUM_TOP in 3592 0) 3593 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree" 3594 return 1 3595 ;; 3596 *) # build the list of suffixes; take out 'namingContexts=' in 3597 # each line of ${TMPDIR}/treeTOP 3598 LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP | 3599 awk '{ printf("%s\n",substr($0,16,length-15)) }'` 3600 ;; 3601 esac 3602 3603 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST" 3604 return 0 3605 } 3606 3607 3608 # 3609 # modify_cn(): Change the cn from MUST to MAY in ipNetwork. 3610 # 3611 modify_cn() 3612 { 3613 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()" 3614 3615 ( cat <<EOF 3616 dn: cn=schema 3617 changetype: modify 3618 add: objectclasses 3619 objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' ) 3620 EOF 3621 ) > ${TMPDIR}/ipNetwork_cn 3622 3623 # Modify the cn for ipNetwork. 3624 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}" 3625 if [ $? -ne 0 ]; then 3626 ${ECHO} " ERROR: update of cn for ipNetwork failed!" 3627 cleanup 3628 exit 1 3629 fi 3630 } 3631 3632 3633 # modify_timelimit(): Modify timelimit to user value. 3634 modify_timelimit() 3635 { 3636 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()" 3637 3638 # Here doc to modify timelimit. 3639 ( cat <<EOF 3640 dn: cn=config 3641 changetype: modify 3642 replace: nsslapd-timelimit 3643 nsslapd-timelimit: ${IDS_TIMELIMIT} 3644 EOF 3645 ) > ${TMPDIR}/ids_timelimit 3646 3647 # Add the entry. 3648 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}" 3649 if [ $? -ne 0 ]; then 3650 ${ECHO} " ERROR: update of nsslapd-timelimit failed!" 3651 cleanup 3652 exit 1 3653 fi 3654 3655 # Display messages for modifications made in patch. 3656 ${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config." 3657 STEP=`expr $STEP + 1` 3658 } 3659 3660 3661 # modify_sizelimit(): Modify sizelimit to user value. 3662 modify_sizelimit() 3663 { 3664 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()" 3665 3666 # Here doc to modify sizelimit. 3667 ( cat <<EOF 3668 dn: cn=config 3669 changetype: modify 3670 replace: nsslapd-sizelimit 3671 nsslapd-sizelimit: ${IDS_SIZELIMIT} 3672 EOF 3673 ) > ${TMPDIR}/ids_sizelimit 3674 3675 # Add the entry. 3676 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}" 3677 if [ $? -ne 0 ]; then 3678 ${ECHO} " ERROR: update of nsslapd-sizelimit failed!" 3679 cleanup 3680 exit 1 3681 fi 3682 3683 # Display messages for modifications made in patch. 3684 ${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config." 3685 STEP=`expr $STEP + 1` 3686 } 3687 3688 3689 # modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT. 3690 modify_pwd_crypt() 3691 { 3692 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()" 3693 3694 # Here doc to modify passwordstoragescheme. 3695 # IDS 5.2 moved passwordchangesceme off to a new data structure. 3696 if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then 3697 ( cat <<EOF 3698 dn: cn=config 3699 changetype: modify 3700 replace: passwordstoragescheme 3701 passwordstoragescheme: crypt 3702 EOF 3703 ) > ${TMPDIR}/ids_crypt 3704 else 3705 ( cat <<EOF 3706 dn: cn=Password Policy,cn=config 3707 changetype: modify 3708 replace: passwordstoragescheme 3709 passwordstoragescheme: crypt 3710 EOF 3711 ) > ${TMPDIR}/ids_crypt 3712 fi 3713 3714 # Add the entry. 3715 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}" 3716 if [ $? -ne 0 ]; then 3717 ${ECHO} " ERROR: update of passwordstoragescheme failed!" 3718 cleanup 3719 exit 1 3720 fi 3721 3722 # Display messages for modifications made in patch. 3723 ${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config." 3724 STEP=`expr $STEP + 1` 3725 } 3726 3727 3728 # 3729 # add_eq_indexes(): Add indexes to improve search performance. 3730 # 3731 add_eq_indexes() 3732 { 3733 [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()" 3734 3735 # Set eq indexes to add. 3736 _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey" 3737 3738 if [ -z "${IDS_DATABASE}" ]; then 3739 get_backend 3740 fi 3741 3742 # Set _EXT to use as shortcut. 3743 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3744 3745 # Display message to id current step. 3746 ${ECHO} " ${STEP}. Processing eq,pres indexes:" 3747 STEP=`expr $STEP + 1` 3748 3749 # For loop to create indexes. 3750 for i in ${_INDEXES}; do 3751 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3752 3753 # Check if entry exists first, if so, skip to next. 3754 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \ 3755 \"objectclass=*\" > /dev/null 2>&1" 3756 if [ $? -eq 0 ]; then 3757 # Display index skipped. 3758 ${ECHO} " ${i} (eq,pres) skipped already exists" 3759 continue 3760 fi 3761 3762 # Here doc to create LDIF. 3763 ( cat <<EOF 3764 dn: cn=${i},${_EXT} 3765 objectClass: top 3766 objectClass: nsIndex 3767 cn: ${i} 3768 nsSystemIndex: false 3769 nsIndexType: pres 3770 nsIndexType: eq 3771 EOF 3772 ) > ${TMPDIR}/index_${i} 3773 3774 # Add the index. 3775 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3776 if [ $? -ne 0 ]; then 3777 ${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!" 3778 cleanup 3779 exit 1 3780 fi 3781 3782 # Build date for task name. 3783 _YR=`date '+%y'` 3784 _MN=`date '+%m'` 3785 _DY=`date '+%d'` 3786 _H=`date '+%H'` 3787 _M=`date '+%M'` 3788 _S=`date '+%S'` 3789 3790 # Build task name 3791 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3792 3793 # Build the task entry to add. 3794 ( cat <<EOF 3795 dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3796 changetype: add 3797 objectclass: top 3798 objectclass: extensibleObject 3799 cn: ${TASKNAME} 3800 nsInstance: ${IDS_DATABASE} 3801 nsIndexAttribute: ${i} 3802 EOF 3803 ) > ${TMPDIR}/task_${i} 3804 3805 # Add the task. 3806 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3807 if [ $? -ne 0 ]; then 3808 ${ECHO} " ERROR: Adding task for ${i} failed!" 3809 cleanup 3810 exit 1 3811 fi 3812 3813 # Wait for task to finish, display current status. 3814 while : 3815 do 3816 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3817 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 3818 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 3819 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 3820 if [ $? -ne 0 ]; then 3821 break 3822 fi 3823 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 3824 head -1 | cut -d: -f2` 3825 ${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c" 3826 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3827 if [ $? -eq 0 ]; then 3828 break 3829 fi 3830 sleep 2 3831 done 3832 3833 # Print newline because of \c. 3834 ${ECHO} " " 3835 done 3836 } 3837 3838 3839 # 3840 # add_sub_indexes(): Add indexes to improve search performance. 3841 # 3842 add_sub_indexes() 3843 { 3844 [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()" 3845 3846 # Set eq indexes to add. 3847 _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple" 3848 3849 # Set _EXT to use as shortcut. 3850 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3851 3852 3853 # Display message to id current step. 3854 ${ECHO} " ${STEP}. Processing eq,pres,sub indexes:" 3855 STEP=`expr $STEP + 1` 3856 3857 # For loop to create indexes. 3858 for i in ${_INDEXES}; do 3859 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 3860 3861 # Check if entry exists first, if so, skip to next. 3862 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \ 3863 -s base \"objectclass=*\" > /dev/null 2>&1" 3864 if [ $? -eq 0 ]; then 3865 # Display index skipped. 3866 ${ECHO} " ${i} (eq,pres,sub) skipped already exists" 3867 continue 3868 fi 3869 3870 # Here doc to create LDIF. 3871 ( cat <<EOF 3872 dn: cn=${i},${_EXT} 3873 objectClass: top 3874 objectClass: nsIndex 3875 cn: ${i} 3876 nsSystemIndex: false 3877 nsIndexType: pres 3878 nsIndexType: eq 3879 nsIndexType: sub 3880 EOF 3881 ) > ${TMPDIR}/index_${i} 3882 3883 # Add the index. 3884 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 3885 if [ $? -ne 0 ]; then 3886 ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!" 3887 cleanup 3888 exit 1 3889 fi 3890 3891 # Build date for task name. 3892 _YR=`date '+%y'` 3893 _MN=`date '+%m'` 3894 _DY=`date '+%d'` 3895 _H=`date '+%H'` 3896 _M=`date '+%M'` 3897 _S=`date '+%S'` 3898 3899 # Build task name 3900 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 3901 3902 # Build the task entry to add. 3903 ( cat <<EOF 3904 dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 3905 changetype: add 3906 objectclass: top 3907 objectclass: extensibleObject 3908 cn: ${TASKNAME} 3909 nsInstance: ${IDS_DATABASE} 3910 nsIndexAttribute: ${i} 3911 EOF 3912 ) > ${TMPDIR}/task_${i} 3913 3914 # Add the task. 3915 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 3916 if [ $? -ne 0 ]; then 3917 ${ECHO} " ERROR: Adding task for ${i} failed!" 3918 cleanup 3919 exit 1 3920 fi 3921 3922 # Wait for task to finish, display current status. 3923 while : 3924 do 3925 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 3926 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 3927 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 3928 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 3929 if [ $? -ne 0 ]; then 3930 break 3931 fi 3932 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 3933 head -1 | cut -d: -f2` 3934 ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c" 3935 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 3936 if [ $? -eq 0 ]; then 3937 break 3938 fi 3939 sleep 2 3940 done 3941 3942 # Print newline because of \c. 3943 ${ECHO} " " 3944 done 3945 } 3946 3947 3948 # 3949 # add_vlv_indexes(): Add VLV indexes to improve search performance. 3950 # 3951 add_vlv_indexes() 3952 { 3953 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()" 3954 3955 # Set eq indexes to add. 3956 # Note semi colon separators because some filters contain colons 3957 _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup" 3958 _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost" 3959 _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork" 3960 _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount" 3961 _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc" 3962 _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount" 3963 3964 # Indexes added during NIS to LDAP transition 3965 _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount" 3966 _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr" 3967 _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr" 3968 _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)" 3969 _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)" 3970 _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup" 3971 _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)" 3972 _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)" 3973 _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup" 3974 _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)" 3975 _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)" 3976 _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService" 3977 _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)" 3978 _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)" 3979 3980 _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 " 3981 3982 3983 # Set _EXT to use as shortcut. 3984 _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 3985 3986 3987 # Display message to id current step. 3988 ${ECHO} " ${STEP}. Processing VLV indexes:" 3989 STEP=`expr $STEP + 1` 3990 3991 # Reset temp file for vlvindex commands. 3992 [ -f ${TMPDIR}/ds5_vlvindex_list ] && rm ${TMPDIR}/ds5_vlvindex_list 3993 touch ${TMPDIR}/ds5_vlvindex_list 3994 [ -f ${TMPDIR}/ds6_vlvindex_list ] && rm ${TMPDIR}/ds6_vlvindex_list 3995 touch ${TMPDIR}/ds6_vlvindex_list 3996 3997 # Get the instance name from iDS server. 3998 _INSTANCE="<server-instance>" # Default to old output. 3999 4000 eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1" 4001 4002 ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right? 4003 if [ $? -eq 0 ]; then # If success, grab name after "slapd-". 4004 _INST_DIR=`cat ${TMPDIR}/instance_name` 4005 _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-` 4006 fi 4007 4008 # For loop to create indexes. 4009 for p in ${_INDEXES}; do 4010 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 4011 4012 # Break p (pair) into i and j parts. 4013 i=`${ECHO} $p | cut -d';' -f1` 4014 j=`${ECHO} $p | cut -d';' -f2` 4015 k=`${ECHO} $p | cut -d';' -f3` 4016 m=`${ECHO} $p | cut -d';' -f4` 4017 4018 # Set _jEXT to use as shortcut. 4019 _jEXT="cn=${j},${_EXT}" 4020 4021 # Check if entry exists first, if so, skip to next. 4022 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1 4023 if [ $? -eq 0 ]; then 4024 # Display index skipped. 4025 ${ECHO} " ${i} vlv_index skipped already exists" 4026 continue 4027 fi 4028 4029 # Compute the VLV Scope from the LDAP_SEARCH_SCOPE. 4030 # NOTE: A value of "base (0)" does not make sense. 4031 case "$LDAP_SEARCH_SCOPE" in 4032 sub) VLV_SCOPE="2" ;; 4033 *) VLV_SCOPE="1" ;; 4034 esac 4035 4036 # Here doc to create LDIF. 4037 ( cat <<EOF 4038 dn: ${_jEXT} 4039 objectClass: top 4040 objectClass: vlvSearch 4041 cn: ${j} 4042 vlvbase: ${k},${LDAP_BASEDN} 4043 vlvscope: ${VLV_SCOPE} 4044 vlvfilter: (${m}) 4045 aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";) 4046 4047 dn: cn=${i},${_jEXT} 4048 cn: ${i} 4049 vlvSort: cn uid 4050 objectclass: top 4051 objectclass: vlvIndex 4052 EOF 4053 ) > ${TMPDIR}/vlv_index_${i} 4054 4055 # Add the index. 4056 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}" 4057 if [ $? -ne 0 ]; then 4058 ${ECHO} " ERROR: Adding VLV index for ${i} failed!" 4059 cleanup 4060 exit 1 4061 fi 4062 4063 # Print message that index was created. 4064 ${ECHO} " ${i} vlv_index Entry created" 4065 4066 # Add command to list of vlvindex commands to run. 4067 ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list 4068 ${ECHO} " <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list 4069 done 4070 } 4071 4072 4073 # 4074 # display_vlv_cmds(): Display VLV index commands to run on server. 4075 # 4076 display_vlv_cmds() 4077 { 4078 if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \ 4079 -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4080 display_msg display_vlv_list 4081 fi 4082 4083 if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then 4084 cat ${TMPDIR}/ds5_vlvindex_list 4085 fi 4086 4087 cat << EOF 4088 4089 4090 EOF 4091 4092 if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4093 cat ${TMPDIR}/ds6_vlvindex_list 4094 fi 4095 } 4096 4097 # 4098 # keep_backward_compatibility(): Modify schema for the backward compatibility if 4099 # there are the incompatible attributes already 4100 # 4101 keep_backward_compatibility() 4102 { 4103 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \ 4104 \"objectclass=*\" attributeTypes | ${GREP} -i memberGid-oid ${VERB}" 4105 if [ $? -eq 0 ]; then 4106 ${SED} -e 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.5\.1\.30\ /memberGid-oid\ /' \ 4107 ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new 4108 ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr 4109 fi 4110 4111 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \ 4112 \"objectclass=*\" attributeTypes | ${GREP} -i rfc822mailMember-oid \ 4113 ${VERB}" 4114 if [ $? -eq 0 ]; then 4115 ${SED} -e \ 4116 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.2\.1\.15\ /rfc822mailMember-oid\ /' \ 4117 ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new 4118 ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr 4119 fi 4120 } 4121 4122 # 4123 # update_schema_attr(): Update Schema to support Naming. 4124 # 4125 update_schema_attr() 4126 { 4127 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" 4128 4129 ( cat <<EOF 4130 dn: cn=schema 4131 changetype: modify 4132 add: attributetypes 4133 attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4134 attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4135 attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4136 attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4137 attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4138 attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4139 attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4140 attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4141 attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4142 attributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4143 attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4144 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4145 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4146 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4147 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4148 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4149 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4150 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4151 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4152 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4153 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4154 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4155 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4156 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4157 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4158 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4159 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4160 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4161 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4162 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4163 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4164 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4165 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4166 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4167 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4168 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4169 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4170 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4171 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4172 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4173 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4174 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4175 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 4176 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4177 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4178 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4179 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4180 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4181 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4182 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4183 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4184 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4185 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4186 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4187 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 4188 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4189 attributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4190 attributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4191 attributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4192 attributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4193 attributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4194 attributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4195 attributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4196 attributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4197 attributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4198 attributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 4199 attributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE ) 4200 attributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 4201 attributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 4202 attributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4203 attributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 4204 attributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4205 attributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4206 attributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4207 attributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4208 attributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 4209 attributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4210 attributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4211 attributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4212 attributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 4213 attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4214 attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4215 attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4216 attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 4217 attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4218 attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 4219 attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4220 attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4221 attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4222 attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 4223 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 4224 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 4225 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4226 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4227 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 4228 EOF 4229 ) > ${TMPDIR}/schema_attr 4230 4231 keep_backward_compatibility 4232 4233 # Add the entry. 4234 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}" 4235 if [ $? -ne 0 ]; then 4236 ${ECHO} " ERROR: update of schema attributes failed!" 4237 cleanup 4238 exit 1 4239 fi 4240 4241 # Display message that schema is updated. 4242 ${ECHO} " ${STEP}. Schema attributes have been updated." 4243 STEP=`expr $STEP + 1` 4244 } 4245 4246 4247 # 4248 # update_schema_obj(): Update the schema objectclass definitions. 4249 # 4250 update_schema_obj() 4251 { 4252 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()" 4253 4254 # Add the objectclass definitions. 4255 ( cat <<EOF 4256 dn: cn=schema 4257 changetype: modify 4258 add: objectclasses 4259 objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) ) 4260 4261 dn: cn=schema 4262 changetype: modify 4263 add: objectclasses 4264 objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain ) 4265 4266 dn: cn=schema 4267 changetype: modify 4268 add: objectclasses 4269 objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description ) 4270 4271 dn: cn=schema 4272 changetype: modify 4273 add: objectclasses 4274 objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description ) 4275 4276 dn: cn=schema 4277 changetype: modify 4278 add: objectclasses 4279 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) ) 4280 4281 dn: cn=schema 4282 changetype: modify 4283 add: objectclasses 4284 objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) ) 4285 4286 dn: cn=schema 4287 changetype: modify 4288 add: objectclasses 4289 objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember ) 4290 4291 dn: cn=schema 4292 changetype: modify 4293 add: objectclasses 4294 objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) ) 4295 4296 dn: cn=schema 4297 changetype: modify 4298 add: objectclasses 4299 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) ) 4300 4301 dn: cn=schema 4302 changetype: modify 4303 add: objectclasses 4304 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) ) 4305 4306 dn: cn=schema 4307 changetype: modify 4308 add: objectclasses 4309 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) 4310 4311 dn: cn=schema 4312 changetype: modify 4313 add: objectclasses 4314 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) 4315 4316 dn: cn=schema 4317 changetype: modify 4318 add: objectclasses 4319 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) ) 4320 4321 dn: cn=schema 4322 changetype: modify 4323 add: objectclasses 4324 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) ) 4325 4326 dn: cn=schema 4327 changetype: modify 4328 add: objectclasses 4329 objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) ) 4330 4331 dn: cn=schema 4332 changetype: modify 4333 add: objectclasses 4334 objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass ) 4335 4336 dn: cn=schema 4337 changetype: modify 4338 add: objectclasses 4339 objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY ) 4340 4341 dn: cn=schema 4342 changetype: modify 4343 add: objectclasses 4344 objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) ) 4345 4346 dn: cn=schema 4347 changetype: modify 4348 add: objectclasses 4349 objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) ) 4350 4351 dn: cn=schema 4352 changetype: modify 4353 add: objectclasses 4354 objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) ) 4355 4356 dn: cn=schema 4357 changetype: modify 4358 add: objectclasses 4359 objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) ) 4360 4361 dn: cn=schema 4362 changetype: modify 4363 add: objectclasses 4364 objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases ) 4365 4366 dn: cn=schema 4367 changetype: modify 4368 add: objectclasses 4369 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) ) 4370 4371 dn: cn=schema 4372 changetype: modify 4373 add: objectclasses 4374 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) ) 4375 4376 dn: cn=schema 4377 changetype: modify 4378 add: objectclasses 4379 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue ) 4380 4381 dn: cn=schema 4382 changetype: modify 4383 add: objectclasses 4384 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber ) 4385 EOF 4386 ) > ${TMPDIR}/schema_obj 4387 4388 # Add the entry. 4389 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}" 4390 if [ $? -ne 0 ]; then 4391 ${ECHO} " ERROR: update of schema objectclass definitions failed!" 4392 cleanup 4393 exit 1 4394 fi 4395 4396 # Display message that schema is updated. 4397 ${ECHO} " ${STEP}. Schema objectclass definitions have been added." 4398 STEP=`expr $STEP + 1` 4399 } 4400 4401 # 4402 # modify_top_aci(): Modify the ACI for the top entry to disable self modify 4403 # of user attributes. 4404 # 4405 modify_top_aci() 4406 { 4407 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()" 4408 4409 # Set ACI Name 4410 ACI_NAME="LDAP_Naming_Services_deny_write_access" 4411 4412 # Search for ACI_NAME 4413 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1" 4414 if [ $? -ne 0 ]; then 4415 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4416 cat ${TMPDIR}/chk_top_aci 4417 cleanup 4418 exit 1 4419 fi 4420 ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1 4421 if [ $? -eq 0 ]; then 4422 ${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}." 4423 STEP=`expr $STEP + 1` 4424 return 0 4425 fi 4426 4427 # Crate LDIF for top level ACI. 4428 ( cat <<EOF 4429 dn: ${LDAP_BASEDN} 4430 changetype: modify 4431 add: aci 4432 aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";) 4433 - 4434 EOF 4435 ) > ${TMPDIR}/top_aci 4436 4437 # Add the entry. 4438 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}" 4439 if [ $? -ne 0 ]; then 4440 ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)" 4441 cleanup 4442 exit 1 4443 fi 4444 4445 # Display message that ACI is updated. 4446 MSG="ACI for ${LDAP_BASEDN} modified to disable self modify." 4447 if [ $EXISTING_PROFILE -eq 1 ];then 4448 ${ECHO} " ACI SET: $MSG" 4449 else 4450 ${ECHO} " ${STEP}. $MSG" 4451 STEP=`expr $STEP + 1` 4452 fi 4453 } 4454 4455 # 4456 # find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1. 4457 # Delete the ACI and print a message using $3 as the ACI name. $3 is needed 4458 # because it could have a different value than that of $1. 4459 find_and_delete_ACI() 4460 { 4461 [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI" 4462 4463 # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN} 4464 ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1 4465 if [ -s ${TMPDIR}/grep_find_delete_aci ]; then 4466 aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci` 4467 4468 # Create the tmp file to delete the ACI. 4469 ( cat <<EOF 4470 dn: ${LDAP_BASEDN} 4471 changetype: modify 4472 delete: aci 4473 aci: ${aci_to_delete} 4474 EOF 4475 ) > ${TMPDIR}/find_delete_aci 4476 4477 # Delete the ACI 4478 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}" 4479 if [ $? -ne 0 ]; then 4480 ${ECHO} " ERROR: Remove of $3 ACI failed!" 4481 cleanup 4482 exit 1 4483 fi 4484 4485 ${RM} -f ${TMPDIR}/find_delete_aci 4486 # Display message that an ACL is deleted. 4487 MSG="ACI $3 deleted." 4488 if [ $EXISTING_PROFILE -eq 1 ]; then 4489 ${ECHO} " ACI DELETED: $MSG" 4490 else 4491 ${ECHO} " ${STEP}. $MSG" 4492 STEP=`expr $STEP + 1` 4493 fi 4494 fi 4495 } 4496 4497 # 4498 # Add an ACI to deny non-admin access to shadow data when 4499 # shadow update is enabled. 4500 # 4501 deny_non_admin_shadow_access() 4502 { 4503 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()" 4504 4505 # Set ACI Names 4506 ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access" 4507 ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access" 4508 4509 # Search for ACI_TO_ADD 4510 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1" 4511 if [ $? -ne 0 ]; then 4512 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4513 cleanup 4514 exit 1 4515 fi 4516 4517 # If an ACI with ${ACI_TO_ADD} already exists, we are done. 4518 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null 4519 if [ $? -eq 0 ]; then 4520 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." 4521 if [ $EXISTING_PROFILE -eq 1 ]; then 4522 ${ECHO} " NOT SET: $MSG" 4523 else 4524 ${ECHO} " ${STEP}. $MSG" 4525 STEP=`expr $STEP + 1` 4526 fi 4527 return 0 4528 fi 4529 4530 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs 4531 # should be mutually exclusive, so if the latter exists, delete it. 4532 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL} 4533 4534 # Create the tmp file to add. 4535 ( cat <<EOF 4536 dn: ${LDAP_BASEDN} 4537 changetype: modify 4538 add: aci 4539 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange|| 4540 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire|| 4541 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD}; 4542 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";) 4543 EOF 4544 ) > ${TMPDIR}/non_admin_aci_write 4545 4546 # Add the entry. 4547 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}" 4548 if [ $? -ne 0 ]; then 4549 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" 4550 ${CAT} ${TMPDIR}/non_admin_aci_write 4551 cleanup 4552 exit 1 4553 fi 4554 4555 ${RM} -f ${TMPDIR}/non_admin_aci_write 4556 # Display message that the non-admin access to shadow data is denied. 4557 MSG="Non-Admin access to shadow data denied." 4558 if [ $EXISTING_PROFILE -eq 1 ]; then 4559 ${ECHO} " ACI SET: $MSG" 4560 else 4561 ${ECHO} " ${STEP}. $MSG" 4562 STEP=`expr $STEP + 1` 4563 fi 4564 } 4565 4566 # 4567 # Add an ACI to deny non-host access to shadow data when 4568 # shadow update is enabled and auth Method if gssapi. 4569 # 4570 deny_non_host_shadow_access() 4571 { 4572 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()" 4573 4574 # Set ACI Names 4575 ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access" 4576 ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access" 4577 4578 # Search for ACI_TO_ADD 4579 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1" 4580 if [ $? -ne 0 ]; then 4581 ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 4582 cleanup 4583 exit 1 4584 fi 4585 4586 # If an ACI with ${ACI_TO_ADD} already exists, we are done. 4587 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null 4588 if [ $? -eq 0 ]; then 4589 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}." 4590 if [ $EXISTING_PROFILE -eq 1 ]; then 4591 ${ECHO} " NOT SET: $MSG" 4592 else 4593 ${ECHO} " ${STEP}. $MSG" 4594 STEP=`expr $STEP + 1` 4595 fi 4596 return 0 4597 fi 4598 4599 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs 4600 # should be mutually exclusive, so if the former exists, delete it. 4601 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL} 4602 4603 # Create the tmp file to add. 4604 ( cat <<EOF 4605 dn: ${LDAP_BASEDN} 4606 changetype: modify 4607 add: aci 4608 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange|| 4609 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire|| 4610 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD}; 4611 deny (write,read,search,compare) 4612 userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";) 4613 EOF 4614 ) > ${TMPDIR}/non_host_aci_write 4615 4616 # Add the entry. 4617 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}" 4618 if [ $? -ne 0 ]; then 4619 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!" 4620 ${CAT} ${TMPDIR}/non_host_aci_write 4621 cleanup 4622 exit 1 4623 fi 4624 4625 ${RM} -f ${TMPDIR}/non_host_aci_write 4626 # Display message that the non-host access to shadow data is denied. 4627 MSG="Non-host access to shadow data is denied." 4628 if [ $EXISTING_PROFILE -eq 1 ]; then 4629 ${ECHO} " ACI SET: $MSG" 4630 else 4631 ${ECHO} " ${STEP}. $MSG" 4632 STEP=`expr $STEP + 1` 4633 fi 4634 } 4635 4636 # 4637 # add_vlv_aci(): Add access control information (aci) for VLV. 4638 # 4639 add_vlv_aci() 4640 { 4641 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()" 4642 4643 # Add the VLV ACI. 4644 ( cat <<EOF 4645 dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 4646 changetype: modify 4647 replace: aci 4648 aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";) 4649 EOF 4650 ) > ${TMPDIR}/vlv_aci 4651 4652 # Add the entry. 4653 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}" 4654 if [ $? -ne 0 ]; then 4655 ${ECHO} " ERROR: Add of VLV ACI failed!" 4656 cleanup 4657 exit 1 4658 fi 4659 4660 # Display message that schema is updated. 4661 ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)." 4662 STEP=`expr $STEP + 1` 4663 } 4664 4665 4666 # 4667 # set_nisdomain(): Add the NisDomainObject to the Base DN. 4668 # 4669 set_nisdomain() 4670 { 4671 [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()" 4672 4673 # Check if nisDomain is already set. 4674 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \ 4675 \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1 4676 ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}" 4677 if [ $? -eq 0 ]; then 4678 ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set." 4679 STEP=`expr $STEP + 1` 4680 return 0 4681 fi 4682 4683 # Add the new top level containers. 4684 ( cat <<EOF 4685 dn: ${LDAP_BASEDN} 4686 changetype: modify 4687 objectclass: nisDomainObject 4688 nisdomain: ${LDAP_DOMAIN} 4689 EOF 4690 ) > ${TMPDIR}/nis_domain 4691 4692 # Add the entry. 4693 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}" 4694 if [ $? -ne 0 ]; then 4695 ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed." 4696 cleanup 4697 exit 1 4698 fi 4699 4700 # Display message that schema is updated. 4701 ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}." 4702 STEP=`expr $STEP + 1` 4703 } 4704 4705 4706 # 4707 # check_attrName(): Check that the attribute name is valid. 4708 # $1 Key to check. 4709 # Returns 0 : valid name 1 : invalid name 4710 # 4711 check_attrName() 4712 { 4713 [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()" 4714 [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1" 4715 4716 ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1 4717 if [ $? -eq 0 ]; then 4718 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 4719 attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}" 4720 else 4721 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 4722 attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}" 4723 fi 4724 4725 if [ $? -ne 0 ]; then 4726 return 1 4727 else 4728 return 0 4729 fi 4730 } 4731 4732 4733 # 4734 # get_objectclass(): Determine the objectclass for the given attribute name 4735 # $1 Attribute name to check. 4736 # _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig. 4737 # 4738 # NOTE: An attribute name can be valid but still we might not be able 4739 # to determine the objectclass from the table. 4740 # In such cases, the user needs to create the necessary object(s). 4741 # 4742 get_objectclass() 4743 { 4744 [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()" 4745 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1" 4746 4747 # Set return value to NULL string. 4748 _ATTR_NAME="" 4749 4750 # Test key for type: 4751 case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in 4752 ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;; 4753 dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;; 4754 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;; 4755 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;; 4756 *) _ATTR_NAME="" ;; 4757 esac 4758 4759 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME" 4760 } 4761 4762 4763 # 4764 # add_base_objects(): Add any necessary base objects. 4765 # 4766 add_base_objects() 4767 { 4768 [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()" 4769 4770 # Convert to lower case for basename. 4771 format_string "${LDAP_BASEDN}" 4772 LOWER_BASEDN="${FMT_STR}" 4773 format_string "${LDAP_SUFFIX}" 4774 LOWER_SUFFIX="${FMT_STR}" 4775 4776 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 4777 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 4778 4779 # Create additional components. 4780 if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then 4781 [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent" 4782 else 4783 # first, test that the suffix is valid 4784 dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 4785 if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then 4786 # should not happen since check_basedn_suffix() succeeded 4787 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 4788 ${ECHO} "for Base DN ${LOWER_BASEDN}" 4789 cleanup 4790 exit 1 4791 fi 4792 # OK, suffix is valid, start working with LDAP_BASEDN 4793 # field separator is ',' (i.e., space is a valid character) 4794 dcstmp2="`${ECHO} ${LDAP_BASEDN} | 4795 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`" 4796 dcs="" 4797 # use dcstmp to count the loop, and dcstmp2 to get the correct 4798 # string case 4799 # dcs should be in reverse order, only for these components 4800 # that need to be added 4801 while [ -n "${dcstmp}" ] 4802 do 4803 i2=`${ECHO} "$dcstmp2" | cut -f1 -d','` 4804 dk=`${ECHO} $i2 | awk -F= '{print $1}'` 4805 dc=`${ECHO} $i2 | awk -F= '{print $2}'` 4806 dcs="$dk=$dc,$dcs"; 4807 dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','` 4808 dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','` 4809 [ $DEBUG -eq 1 ] && \ 4810 ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n" 4811 done 4812 4813 4814 4815 lastdc=${LDAP_SUFFIX} 4816 dc=`${ECHO} "${dcs}" | cut -f1 -d','` 4817 dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','` 4818 while [ -n "${dc}" ]; do 4819 # Get Key and component from $dc. 4820 dk2=`${ECHO} $dc | awk -F= '{print $1}'` 4821 dc2=`${ECHO} $dc | awk -F= '{print $2}'` 4822 4823 # At this point, ${dk2} is a valid attribute name 4824 4825 # Check if entry exists first, if so, skip to next. 4826 ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1 4827 if [ $? -eq 0 ]; then 4828 # Set the $lastdc to new dc. 4829 lastdc="${dk2}=${dc2},$lastdc" 4830 4831 # Process next component. 4832 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4833 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4834 continue 4835 4836 fi 4837 4838 # Determine the objectclass for the entry. 4839 get_objectclass $dk2 4840 OBJ_Name=${_ATTR_NAME} 4841 if [ "${OBJ_Name}" = "" ]; then 4842 ${ECHO} "Cannot determine objectclass for $dk2" 4843 ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig" 4844 exit 1 4845 fi 4846 4847 # Add the new container. 4848 ( cat <<EOF 4849 dn: ${dk2}=${dc2},$lastdc 4850 ${dk2}: $dc2 4851 objectClass: top 4852 objectClass: ${OBJ_Name} 4853 EOF 4854 ) > ${TMPDIR}/base_objects 4855 4856 4857 # Set the $lastdc to new dc. 4858 lastdc="${dk2}=${dc2},$lastdc" 4859 4860 # Add the entry. 4861 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}" 4862 if [ $? -ne 0 ]; then 4863 ${ECHO} " ERROR: update of base objects ${dc} failed." 4864 cleanup 4865 exit 1 4866 fi 4867 4868 # Display message that schema is updated. 4869 ${ECHO} " ${STEP}. Created DN component ${dc}." 4870 STEP=`expr $STEP + 1` 4871 4872 # Process next component. 4873 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 4874 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 4875 done 4876 fi 4877 } 4878 4879 4880 # 4881 # add_new_containers(): Add the top level classes. 4882 # 4883 # $1 = Base DN 4884 # 4885 add_new_containers() 4886 { 4887 [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()" 4888 4889 for ou in people group rpc protocols networks netgroup \ 4890 aliases hosts services ethers profile printers projects \ 4891 SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do 4892 4893 # Check if nismaps already exist. 4894 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4895 if [ $? -eq 0 ]; then 4896 continue 4897 fi 4898 4899 # Create TMP file to add. 4900 ( cat <<EOF 4901 dn: ou=${ou},${LDAP_BASEDN} 4902 ou: ${ou} 4903 objectClass: top 4904 objectClass: organizationalUnit 4905 EOF 4906 ) > ${TMPDIR}/toplevel.${ou} 4907 4908 # Add the entry. 4909 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}" 4910 if [ $? -ne 0 ]; then 4911 ${ECHO} " ERROR: Add of ou=${ou} container failed!" 4912 cleanup 4913 exit 1 4914 fi 4915 done 4916 4917 # Display message that top level OU containers complete. 4918 ${ECHO} " ${STEP}. Top level \"ou\" containers complete." 4919 STEP=`expr $STEP + 1` 4920 } 4921 4922 4923 # 4924 # add_auto_maps(): Add the automount map entries. 4925 # 4926 # auto_home, auto_direct, auto_master, auto_shared 4927 # 4928 add_auto_maps() 4929 { 4930 [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()" 4931 4932 # Set AUTO_MAPS for maps to create. 4933 AUTO_MAPS="auto_home auto_direct auto_master auto_shared" 4934 4935 for automap in $AUTO_MAPS; do 4936 # Check if automaps already exist. 4937 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 4938 if [ $? -eq 0 ]; then 4939 continue 4940 fi 4941 4942 # Create the tmp file to add. 4943 ( cat <<EOF 4944 dn: automountMapName=${automap},${LDAP_BASEDN} 4945 automountMapName: ${automap} 4946 objectClass: top 4947 objectClass: automountMap 4948 EOF 4949 ) > ${TMPDIR}/automap.${automap} 4950 4951 # Add the entry. 4952 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}" 4953 if [ $? -ne 0 ]; then 4954 ${ECHO} " ERROR: Add of automap ${automap} failed!" 4955 cleanup 4956 exit 1 4957 fi 4958 done 4959 4960 # Display message that automount entries are updated. 4961 ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed." 4962 STEP=`expr $STEP + 1` 4963 } 4964 4965 4966 # 4967 # add_proxyagent(): Add entry for nameservice to use to access server. 4968 # 4969 add_proxyagent() 4970 { 4971 [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()" 4972 4973 # Check if proxy agent already exists. 4974 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}" 4975 if [ $? -eq 0 ]; then 4976 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists." 4977 STEP=`expr $STEP + 1` 4978 return 0 4979 fi 4980 4981 # Get cn and sn names from LDAP_PROXYAGENT. 4982 cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=` 4983 4984 # Create the tmp file to add. 4985 ( cat <<EOF 4986 dn: ${LDAP_PROXYAGENT} 4987 cn: ${cn_tmp} 4988 sn: ${cn_tmp} 4989 objectclass: top 4990 objectclass: person 4991 userpassword: ${LDAP_PROXYAGENT_CRED} 4992 EOF 4993 ) > ${TMPDIR}/proxyagent 4994 4995 # Add the entry. 4996 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}" 4997 if [ $? -ne 0 ]; then 4998 ${ECHO} " ERROR: Adding proxyagent failed!" 4999 cleanup 5000 exit 1 5001 fi 5002 5003 # Display message that schema is updated. 5004 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added." 5005 STEP=`expr $STEP + 1` 5006 } 5007 5008 # 5009 # allow_proxy_read_pw(): Give Proxy Agent read permission for password. 5010 # 5011 allow_proxy_read_pw() 5012 { 5013 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()" 5014 5015 # Search for ACI_NAME 5016 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5017 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1 5018 if [ $? -eq 0 ]; then 5019 ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}." 5020 STEP=`expr $STEP + 1` 5021 return 0 5022 fi 5023 5024 # Create the tmp file to add. 5025 ( cat <<EOF 5026 dn: ${LDAP_BASEDN} 5027 changetype: modify 5028 add: aci 5029 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword") 5030 (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) 5031 userdn = "ldap:///${LDAP_PROXYAGENT}";) 5032 EOF 5033 ) > ${TMPDIR}/proxy_read 5034 5035 # Add the entry. 5036 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}" 5037 if [ $? -ne 0 ]; then 5038 ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!" 5039 cleanup 5040 exit 1 5041 fi 5042 5043 # Display message that schema is updated. 5044 ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password." 5045 STEP=`expr $STEP + 1` 5046 } 5047 5048 # Delete Proxy Agent read permission for password. 5049 delete_proxy_read_pw() 5050 { 5051 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()" 5052 5053 # Search for ACI_NAME 5054 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5055 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \ 5056 ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1 5057 if [ $? -ne 0 ]; then 5058 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5059 return 0 5060 fi 5061 5062 # We need to remove proxy agent's read access to user passwords, 5063 # but We do not know the value of the ${LDAP_PROXYAGENT} here, so 5064 # 1. if only one match found, delete it 5065 # 2. if more than one matches found, ask the user which one to delete 5066 HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${AWK} '{print $1}'` 5067 if [ $HOWMANY -eq 0 ]; then 5068 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5069 return 0 5070 fi 5071 if [ $HOWMANY -eq 1 ];then 5072 proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci` 5073 else 5074 ${CAT} << EOF 5075 5076 Proxy agent is not allowed to read user passwords when shadow 5077 update is enabled. There are more than one proxy agents found. 5078 Please select the currently proxy agent being used, so that 5079 idsconfig can remove its read access to user passwords. 5080 5081 The proxy agents are: 5082 5083 EOF 5084 # generate the proxy agent list 5085 ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \ 5086 ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \ 5087 ${TMPDIR}/proxy_agent_list 5088 5089 # print the proxy agent list 5090 ${AWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list 5091 5092 # ask the user to pick one 5093 _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): " 5094 get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY" 5095 _CH=$MN_CH 5096 proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci` 5097 fi 5098 5099 # Create the tmp file to delete the ACI. 5100 ( cat <<EOF 5101 dn: ${LDAP_BASEDN} 5102 changetype: modify 5103 delete: aci 5104 aci: ${proxy_aci} 5105 EOF 5106 ) > ${TMPDIR}/proxy_delete 5107 5108 # Delete the ACI 5109 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}" 5110 if [ $? -ne 0 ]; then 5111 ${ECHO} " ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!" 5112 cat ${TMPDIR}/proxy_delete 5113 cleanup 5114 exit 1 5115 fi 5116 5117 # Display message that ACI is updated. 5118 MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password." 5119 ${ECHO} " " 5120 ${ECHO} " ACI REMOVED: $MSG" 5121 ${ECHO} " The ACI removed is $proxy_aci" 5122 ${ECHO} " " 5123 } 5124 5125 # 5126 # add_profile(): Add client profile to server. 5127 # 5128 add_profile() 5129 { 5130 [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()" 5131 5132 # If profile name already exists, DELETE it, and add new one. 5133 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 5134 if [ $? -eq 0 ]; then 5135 # Create Delete file. 5136 ( cat <<EOF 5137 cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN} 5138 EOF 5139 ) > ${TMPDIR}/del_profile 5140 5141 # Check if DEL_OLD_PROFILE is set. (If not ERROR) 5142 if [ $DEL_OLD_PROFILE -eq 0 ]; then 5143 ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!" 5144 exit 1 5145 fi 5146 5147 # Delete the OLD profile. 5148 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}" 5149 if [ $? -ne 0 ]; then 5150 ${ECHO} " ERROR: Attempt to DELETE profile failed!" 5151 cleanup 5152 exit 1 5153 fi 5154 fi 5155 5156 # Build the "ldapclient genprofile" command string to execute. 5157 GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\"" 5158 5159 # Add required argument defaultSearchBase. 5160 GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\"" 5161 5162 # Add optional parameters. 5163 [ -n "$LDAP_SERVER_LIST" ] && \ 5164 GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\"" 5165 [ -n "$LDAP_SEARCH_SCOPE" ] && \ 5166 GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\"" 5167 [ -n "$LDAP_CRED_LEVEL" ] && \ 5168 GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\"" 5169 [ -n "$LDAP_AUTHMETHOD" ] && \ 5170 GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\"" 5171 [ -n "$LDAP_FOLLOWREF" ] && \ 5172 GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\"" 5173 [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \ 5174 GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\"" 5175 [ -n "$LDAP_PROFILE_TTL" ] && \ 5176 GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\"" 5177 [ -n "$LDAP_BIND_LIMIT" ] && \ 5178 GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\"" 5179 [ -n "$LDAP_PREF_SRVLIST" ] && \ 5180 GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\"" 5181 [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \ 5182 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\"" 5183 [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \ 5184 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\"" 5185 [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \ 5186 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\"" 5187 5188 # Check if there are any service search descriptors to ad. 5189 if [ -s "${SSD_FILE}" ]; then 5190 ssd_2_profile 5191 fi 5192 5193 # Execute "ldapclient genprofile" to create profile. 5194 eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR 5195 if [ $? -ne 0 ]; then 5196 ${ECHO} " ERROR: ldapclient genprofile failed!" 5197 cleanup 5198 exit 1 5199 fi 5200 5201 # Add the generated profile.. 5202 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}" 5203 if [ $? -ne 0 ]; then 5204 ${ECHO} " ERROR: Attempt to add profile failed!" 5205 cleanup 5206 exit 1 5207 fi 5208 5209 # Display message that schema is updated. 5210 ${ECHO} " ${STEP}. Generated client profile and loaded on server." 5211 STEP=`expr $STEP + 1` 5212 } 5213 5214 5215 # 5216 # cleanup(): Remove the TMPDIR and all files in it. 5217 # 5218 cleanup() 5219 { 5220 [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()" 5221 5222 rm -fr ${TMPDIR} 5223 } 5224 5225 5226 # 5227 # * * * MAIN * * * 5228 # 5229 # Description: 5230 # This script assumes that the iPlanet Directory Server (iDS) is 5231 # installed and that setup has been run. This script takes the 5232 # iDS server from that point and sets up the infrastructure for 5233 # LDAP Naming Services. After running this script, ldapaddent(1M) 5234 # or some other tools can be used to populate data. 5235 5236 # Initialize the variables that need to be set to NULL, or some 5237 # other initial value before the rest of the functions can be called. 5238 init 5239 5240 # Parse command line arguments. 5241 parse_arg $* 5242 shift $? 5243 5244 # Print extra line to separate from prompt. 5245 ${ECHO} " " 5246 5247 # Either Load the user specified config file 5248 # or prompt user for config info. 5249 if [ -n "$INPUT_FILE" ] 5250 then 5251 load_config_file 5252 INTERACTIVE=0 # Turns off prompts that occur later. 5253 validate_info # Validate basic info in file. 5254 chk_ids_version # Check iDS version for compatibility. 5255 else 5256 # Display BACKUP warning to user. 5257 display_msg backup_server 5258 get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help" 5259 if [ $? -eq 0 ]; then # if No, cleanup and exit. 5260 cleanup ; exit 1 5261 fi 5262 5263 # Prompt for values. 5264 prompt_config_info 5265 display_summary # Allow user to modify results. 5266 INTERACTIVE=1 # Insures future prompting. 5267 fi 5268 5269 # Modify slapd.oc.conf to ALLOW cn instead of REQUIRE. 5270 modify_cn 5271 5272 # Modify timelimit to user value. 5273 [ $NEED_TIME -eq 1 ] && modify_timelimit 5274 5275 # Modify sizelimit to user value. 5276 [ $NEED_SIZE -eq 1 ] && modify_sizelimit 5277 5278 # Modify the password storage scheme to support CRYPT. 5279 if [ "$NEED_CRYPT" = "TRUE" ]; then 5280 modify_pwd_crypt 5281 fi 5282 5283 # Update the schema (Attributes, Objectclass Definitions) 5284 if [ ${SCHEMA_UPDATED} -eq 0 ]; then 5285 update_schema_attr 5286 update_schema_obj 5287 fi 5288 5289 # Add suffix together with its root entry (if needed) 5290 add_suffix || 5291 { 5292 cleanup 5293 exit 1 5294 } 5295 5296 # Add base objects (if needed) 5297 add_base_objects 5298 5299 # Update the NisDomainObject. 5300 # The Base DN might of just been created, so this MUST happen after 5301 # the base objects have been added! 5302 set_nisdomain 5303 5304 # Add top level classes (new containers) 5305 add_new_containers 5306 5307 # Add common nismaps. 5308 add_auto_maps 5309 5310 # Modify top ACI. 5311 modify_top_aci 5312 5313 # Add Access Control Information for VLV. 5314 add_vlv_aci 5315 5316 # if Proxy needed, Add Proxy Agent and give read permission for password. 5317 if [ $NEED_PROXY -eq 1 ]; then 5318 add_proxyagent 5319 if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then 5320 allow_proxy_read_pw 5321 fi 5322 fi 5323 5324 # If admin needed for shadow update, Add the administrator identity and 5325 # give read/write permission for shadow, and deny all others read/write 5326 # access to it. 5327 if [ $NEED_ADMIN -eq 1 ]; then 5328 add_admin 5329 allow_admin_read_write_shadow 5330 # deny non-admin access to shadow data 5331 deny_non_admin_shadow_access 5332 fi 5333 5334 if [ $GSSAPI_ENABLE -eq 1 ]; then 5335 add_id_mapping_rules 5336 # do not modify ACI if "sasl/GSSAPI" and "self" are not selected 5337 if [ "$LDAP_CRED_LEVEL" = "self" -a "$LDAP_AUTHMETHOD" = "sasl/GSSAPI" ]; then 5338 modify_userpassword_acl_for_gssapi 5339 else 5340 ${ECHO} " ACL for GSSAPI was not set because of incompatibility in profile." 5341 fi 5342 fi 5343 5344 # If use host principal for shadow update, give read/write permission for 5345 # shadow, and deny all others' read/write access to it. 5346 if [ $NEED_HOSTACL -eq 1 ]; then 5347 allow_host_read_write_shadow 5348 # deny non-host access to shadow data 5349 deny_non_host_shadow_access 5350 fi 5351 5352 5353 # Generate client profile and add it to the server. 5354 add_profile 5355 5356 # Add Indexes to improve Search Performance. 5357 add_eq_indexes 5358 add_sub_indexes 5359 add_vlv_indexes 5360 5361 # Display setup complete message 5362 display_msg setup_complete 5363 5364 # Display VLV index commands to be executed on server. 5365 display_vlv_cmds 5366 5367 # Create config file if requested. 5368 [ -n "$OUTPUT_FILE" ] && create_config_file 5369 5370 # Removed the TMPDIR and all files in it. 5371 cleanup 5372 5373 exit 0 5374 # end of MAIN.