Print this page
XXX Remove nawk(1)
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/ldap/ns_ldap/idsconfig.sh
+++ new/usr/src/cmd/ldap/ns_ldap/idsconfig.sh
1 1 #!/bin/sh
2 2 #
3 3 # CDDL HEADER START
4 4 #
5 5 # The contents of this file are subject to the terms of the
6 6 # Common Development and Distribution License (the "License").
7 7 # You may not use this file except in compliance with the License.
8 8 #
9 9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 10 # or http://www.opensolaris.org/os/licensing.
11 11 # See the License for the specific language governing permissions
12 12 # and limitations under the License.
13 13 #
14 14 # When distributing Covered Code, include this CDDL HEADER in each
15 15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 16 # If applicable, add the following below this CDDL HEADER, with the
17 17 # fields enclosed by brackets "[]" replaced with your own identifying
18 18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 19 #
20 20 # CDDL HEADER END
21 21 #
22 22 #
23 23 # idsconfig -- script to setup iDS 5.x/6.x/7.x for Native LDAP II.
24 24 #
25 25 # Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
26 26 #
27 27
28 28 #
29 29 # display_msg(): Displays message corresponding to the tag passed in.
30 30 #
31 31 display_msg()
32 32 {
33 33 case "$1" in
34 34 usage) cat <<EOF
35 35 $PROG: [ -v ] [ -i input file ] [ -o output file ]
36 36 i <input file> Get setup info from input file.
37 37 o <output file> Generate a server configuration output file.
38 38 v Verbose mode
39 39 EOF
40 40 ;;
41 41 backup_server) cat <<EOF
42 42 It is strongly recommended that you BACKUP the directory server
43 43 before running $PROG.
44 44
45 45 Hit Ctrl-C at any time before the final confirmation to exit.
46 46
47 47 EOF
48 48 ;;
49 49 setup_complete) cat <<EOF
50 50
51 51 $PROG: Setup of iDS server ${IDS_SERVER} is complete.
52 52
53 53 EOF
54 54 ;;
55 55 display_vlv_list) cat <<EOF
56 56
57 57 Note: idsconfig has created entries for VLV indexes.
58 58
59 59 For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER}
60 60 to stop the server. Then, using directoryserver, follow the
61 61 directoryserver examples below to create the actual VLV indexes.
62 62
63 63 For DS6.x or later, use dsadm command delivered with DS on ${IDS_SERVER}
64 64 to stop the server. Then, using dsadm, follow the
65 65 dsadm examples below to create the actual VLV indexes.
66 66
67 67 EOF
68 68 ;;
69 69 cred_level_menu) cat <<EOF
70 70 The following are the supported credential levels:
71 71 1 anonymous
72 72 2 proxy
73 73 3 proxy anonymous
74 74 4 self
75 75 EOF
76 76 ;;
77 77 auth_method_menu) cat <<EOF
78 78 The following are the supported Authentication Methods:
79 79 1 none
80 80 2 simple
81 81 3 sasl/DIGEST-MD5
82 82 4 tls:simple
83 83 5 tls:sasl/DIGEST-MD5
84 84 6 sasl/GSSAPI
85 85 EOF
86 86 ;;
87 87 srvauth_method_menu) cat <<EOF
88 88 The following are the supported Authentication Methods:
89 89 1 simple
90 90 2 sasl/DIGEST-MD5
91 91 3 tls:simple
92 92 4 tls:sasl/DIGEST-MD5
93 93 5 sasl/GSSAPI
94 94 EOF
95 95 ;;
96 96 prompt_ssd_menu) cat <<EOF
97 97 A Add a Service Search Descriptor
98 98 D Delete a SSD
99 99 M Modify a SSD
100 100 P Display all SSD's
101 101 H Help
102 102 X Clear all SSD's
103 103
104 104 Q Exit menu
105 105 EOF
106 106 ;;
107 107 summary_menu)
108 108
109 109 SUFFIX_INFO=
110 110 DB_INFO=
111 111
112 112 [ -n "${NEED_CREATE_SUFFIX}" ] &&
113 113 {
114 114 SUFFIX_INFO=`cat <<EOF
115 115
116 116 Suffix to create : $LDAP_SUFFIX
117 117 EOF
118 118 `
119 119 [ -n "${NEED_CREATE_BACKEND}" ] &&
120 120 DB_INFO=`cat <<EOF
121 121
122 122 Database to create : $IDS_DATABASE
123 123 EOF
124 124 `
125 125 }
126 126
127 127 cat <<EOF
128 128 Summary of Configuration
129 129
130 130 1 Domain to serve : $LDAP_DOMAIN
131 131 2 Base DN to setup : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO
132 132 3 Profile name to create : $LDAP_PROFILE_NAME
133 133 4 Default Server List : $LDAP_SERVER_LIST
134 134 5 Preferred Server List : $LDAP_PREF_SRVLIST
135 135 6 Default Search Scope : $LDAP_SEARCH_SCOPE
136 136 7 Credential Level : $LDAP_CRED_LEVEL
137 137 8 Authentication Method : $LDAP_AUTHMETHOD
138 138 9 Enable Follow Referrals : $LDAP_FOLLOWREF
139 139 10 iDS Time Limit : $IDS_TIMELIMIT
140 140 11 iDS Size Limit : $IDS_SIZELIMIT
141 141 12 Enable crypt password storage : $NEED_CRYPT
142 142 13 Service Auth Method pam_ldap : $LDAP_SRV_AUTHMETHOD_PAM
143 143 14 Service Auth Method keyserv : $LDAP_SRV_AUTHMETHOD_KEY
144 144 15 Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
145 145 16 Search Time Limit : $LDAP_SEARCH_TIME_LIMIT
146 146 17 Profile Time to Live : $LDAP_PROFILE_TTL
147 147 18 Bind Limit : $LDAP_BIND_LIMIT
148 148 19 Enable shadow update : $LDAP_ENABLE_SHADOW_UPDATE
149 149 20 Service Search Descriptors Menu
150 150
151 151 EOF
152 152 ;;
153 153 sfx_not_suitable) cat <<EOF
154 154
155 155 Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN}
156 156
157 157 EOF
158 158 ;;
159 159 obj_not_found) cat <<EOF
160 160
161 161 Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute
162 162
163 163 EOF
164 164 ;;
165 165 sfx_config_incons) cat <<EOF
166 166
167 167 Sorry, there is no suffix mapping for ${LDAP_SUFFIX},
168 168 while ldbm database exists, server configuration needs to be fixed manually,
169 169 look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config
170 170
171 171 EOF
172 172 ;;
173 173 ldbm_db_exist) cat <<EOF
174 174
175 175 Database "${IDS_DATABASE}" already exists,
176 176 however "${IDS_DATABASE_AVAIL}" name is available
177 177
178 178 EOF
179 179 ;;
180 180 unable_find_db_name) cat <<EOF
181 181
182 182 Unable to find any available database name close to "${IDS_DATABASE}"
183 183
184 184 EOF
185 185 ;;
186 186 create_ldbm_db_error) cat <<EOF
187 187
188 188 ERROR: unable to create suffix ${LDAP_SUFFIX}
189 189 due to server error that occurred during creation of ldbm database
190 190
191 191 EOF
192 192 ;;
193 193 create_suffix_entry_error) cat <<EOF
194 194
195 195 ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class
196 196
197 197 EOF
198 198 ;;
199 199 ldap_suffix_list) cat <<EOF
200 200
201 201 No valid suffixes (naming contexts) were found for LDAP base DN:
202 202 ${LDAP_BASEDN}
203 203
204 204 Available suffixes are:
205 205 ${LDAP_SUFFIX_LIST}
206 206
207 207 EOF
208 208 ;;
209 209 sorry) cat <<EOF
210 210
211 211 HELP - No help is available for this topic.
212 212
213 213 EOF
214 214 ;;
215 215 create_suffix_help) cat <<EOF
216 216
217 217 HELP - Our Base DN is ${LDAP_BASEDN}
218 218 and we need to create a Directory Suffix,
219 219 which can be equal to Base DN itself or be any of Base DN parents.
220 220 All intermediate entries up to suffix will be created on demand.
221 221
222 222 EOF
223 223 ;;
224 224 enter_ldbm_db_help) cat <<EOF
225 225
226 226 HELP - ldbm database is an internal database for storage of our suffix data.
227 227 Database name must be alphanumeric due to Directory Server restriction.
228 228
229 229 EOF
230 230 ;;
231 231 backup_help) cat <<EOF
232 232
233 233 HELP - Since idsconfig modifies the directory server configuration,
234 234 it is strongly recommended that you backup the server prior
235 235 to running this utility. This is especially true if the server
236 236 being configured is a production server.
237 237
238 238 EOF
239 239 ;;
240 240 port_help) cat <<EOF
241 241
242 242 HELP - Enter the port number the directory server is configured to
243 243 use for LDAP.
244 244
245 245 EOF
246 246 ;;
247 247 domain_help) cat <<EOF
248 248
249 249 HELP - This is the DNS domain name this server will be serving. You
250 250 must provide this name even if the server is not going to be populated
251 251 with hostnames. Any unqualified hostname stored in the directory
252 252 will be fully qualified using this DNS domain name.
253 253
254 254 EOF
255 255 ;;
256 256 basedn_help) cat <<EOF
257 257
258 258 HELP - This parameter defines the default location in the directory tree for
259 259 the naming services entries. You can override this default by using
260 260 serviceSearchDescriptors (SSD). You will be given the option to set up
261 261 an SSD later on in the setup.
262 262
263 263 EOF
264 264 ;;
265 265 profile_help) cat <<EOF
266 266
267 267 HELP - Name of the configuration profile with which the clients will be
268 268 configured. A directory server can store various profiles for multiple
269 269 groups of clients. The initialization tool, (ldapclient(1M)), assumes
270 270 "default" unless another is specified.
271 271
272 272 EOF
273 273 ;;
274 274 def_srvlist_help) cat <<EOF
275 275
276 276 HELP - Provide a list of directory servers to serve clients using this profile.
277 277 All these servers should contain consistent data and provide similar
278 278 functionality. This list is not ordered, and clients might change the
279 279 order given in this list. Note that this is a space separated list of
280 280 *IP addresses* (not host names). Providing port numbers is optional.
281 281
282 282 EOF
283 283 ;;
284 284 pref_srvlist_help) cat <<EOF
285 285
286 286 HELP - Provide a list of directory servers to serve this client profile.
287 287 Unlike the default server list, which is not ordered, the preferred
288 288 servers must be entered IN THE ORDER you wish to have them contacted.
289 289 If you do specify a preferred server list, clients will always contact
290 290 them before attempting to contact any of the servers on the default
291 291 server list. Note that you must enter the preferred server list as a
292 292 space-separated list of *IP addresses* (not host names). Providing port
293 293 numbers is optional.
294 294
295 295 EOF
296 296 ;;
297 297 srch_scope_help) cat <<EOF
298 298
299 299 HELP - Default search scope to be used for all searches unless they are
300 300 overwritten using serviceSearchDescriptors. The valid options
301 301 are "one", which would specify the search will only be performed
302 302 at the base DN for the given service, or "sub", which would specify
303 303 the search will be performed through *all* levels below the base DN
304 304 for the given service.
305 305
306 306 EOF
307 307 ;;
308 308 cred_lvl_help) cat <<EOF
309 309
310 310 HELP - This parameter defines what credentials the clients use to
311 311 authenticate to the directory server. This list might contain
312 312 multiple credential levels and is ordered. If a proxy level
313 313 is configured, you will also be prompted to enter a bind DN
314 314 for the proxy agent along with a password. This proxy agent
315 315 will be created if it does not exist.
316 316
317 317 EOF
318 318 ;;
319 319 auth_help) cat <<EOF
320 320
321 321 HELP - The default authentication method(s) to be used by all services
322 322 in the client using this profile. This is a ordered list of
323 323 authentication methods separated by a ';'. The supported methods
324 324 are provided in a menu. Note that sasl/DIGEST-MD5 binds require
325 325 passwords to be stored un-encrypted on the server.
326 326
327 327 EOF
328 328 ;;
329 329 srvauth_help) cat <<EOF
330 330
331 331 HELP - The authentication methods to be used by a given service. Currently
332 332 3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
333 333 The authentication method specified in this attribute overrides
334 334 the default authentication method defined in the profile. This
335 335 feature can be used to select stronger authentication methods for
336 336 services which require increased security.
337 337
338 338 EOF
339 339 ;;
340 340 pam_ldap_help) cat <<EOF
341 341
342 342 HELP - The authentication method(s) to be used by pam_ldap when contacting
343 343 the directory server. This is a ordered list, and, if provided, will
344 344 override the default authentication method parameter.
345 345
346 346 EOF
347 347 ;;
348 348 keyserv_help) cat <<EOF
349 349
350 350 HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
351 351 when contacting the directory server. This is a ordered list and
352 352 if provided will override the default authentication method
353 353 parameter.
354 354
355 355 EOF
356 356 ;;
357 357 passwd-cmd_help) cat <<EOF
358 358
359 359 HELP - The authentication method(s) to be used by passwd(1) command when
360 360 contacting the directory server. This is a ordered list and if
361 361 provided will override the default authentication method parameter.
362 362
363 363 EOF
364 364 ;;
365 365 referrals_help) cat <<EOF
366 366
367 367 HELP - This parameter indicates whether the client should follow
368 368 ldap referrals if it encounters one during naming lookups.
369 369
370 370 EOF
371 371 ;;
372 372 tlim_help) cat <<EOF
373 373
374 374 HELP - The server time limit value indicates the maximum amount of time the
375 375 server would spend on a query from the client before abandoning it.
376 376 A value of '-1' indicates no limit.
377 377
378 378 EOF
379 379 ;;
380 380 slim_help) cat <<EOF
381 381
382 382 HELP - The server sizelimit value indicates the maximum number of entries
383 383 the server would return in respond to a query from the client. A
384 384 value of '-1' indicates no limit.
385 385
386 386 EOF
387 387 ;;
388 388 crypt_help) cat <<EOF
389 389
390 390 HELP - By default iDS does not store userPassword attribute values using
391 391 unix "crypt" format. If you need to keep your passwords in the crypt
392 392 format for NIS/NIS+ and pam_unix compatibility, choose 'yes'. If
393 393 passwords are stored using any other format than crypt, pam_ldap
394 394 MUST be used by clients to authenticate users to the system. Note
395 395 that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
396 396 user passwords must be stored in the clear format.
397 397
398 398 EOF
399 399 ;;
400 400 srchtime_help) cat <<EOF
401 401
402 402 HELP - The search time limit the client will enforce for directory
403 403 lookups.
404 404
405 405 EOF
406 406 ;;
407 407 profttl_help) cat <<EOF
408 408
409 409 HELP - The time to live value for profile. The client will refresh its
410 410 cached version of the configuration profile at this TTL interval.
411 411
412 412 EOF
413 413 ;;
414 414 bindlim_help) cat <<EOF
415 415
416 416 HELP - The time limit for the bind operation to the directory. This
417 417 value controls the responsiveness of the client in case a server
418 418 becomes unavailable. The smallest timeout value for a given
419 419 network architecture/conditions would work best. This is very
420 420 similar to setting TCP timeout, but only for LDAP bind operation.
421 421
422 422 EOF
423 423 ;;
424 424 ssd_help) cat <<EOF
425 425
426 426 HELP - Using Service Search Descriptors (SSD), you can override the
427 427 default configuration for a given service. The SSD can be
428 428 used to override the default search base DN, the default search
429 429 scope, and the default search filter to be used for directory
430 430 lookups. SSD are supported for all services (databases)
431 431 defined in nsswitch.conf(4). The default base DN is defined
432 432 in ldap(1).
433 433
434 434 Note: SSD are powerful tools in defining configuration profiles
435 435 and provide a great deal of flexibility. However, care
436 436 must be taken in creating them. If you decide to make use
437 437 of SSDs, consult the documentation first.
438 438
439 439 EOF
440 440 ;;
441 441 ssd_menu_help) cat <<EOF
442 442
443 443 HELP - Using this menu SSD can be added, updated, or deleted from
444 444 the profile.
445 445
446 446 A - This option creates a new SSD by prompting for the
447 447 service name, base DN, and scope. Service name is
448 448 any valid service as defined in ldap(1). base is
449 449 either the distinguished name to the container where
450 450 this service will use, or a relative DN followed
451 451 by a ','.
452 452 D - Delete a previously created SSD.
453 453 M - Modify a previously created SSD.
454 454 P - Display a list of all the previously created SSD.
455 455 X - Delete all of the previously created SSD.
456 456
457 457 Q - Exit the menu and continue with the server configuration.
458 458
459 459 EOF
460 460 ;;
461 461 ldap_suffix_list_help) cat <<EOF
462 462
463 463 HELP - No valid suffixes (naming contexts) are available on server
464 464 ${IDS_SERVER}:${IDS_PORT}.
465 465 You must set an LDAP Base DN that can be contained in
466 466 an existing suffix.
467 467
468 468 EOF
469 469 ;;
470 470 enable_shadow_update_help) cat <<EOF
471 471
472 472 HELP - Enter 'y' to set up the LDAP server for shadow update.
473 473 The setup will add an administrator identity/credential
474 474 and modify the necessary access controls for the client
475 475 to update shadow(4) data on the LDAP server. If sasl/GSSAPI
476 476 is in use, the Kerberos host principal will be used as the
477 477 administrator identity.
478 478
479 479 Shadow data is used for password aging and account locking.
480 480 Please refer to the shadow(4) manual page for details.
481 481
482 482 EOF
483 483 ;;
484 484 add_admin_cred_help) cat <<EOF
485 485
486 486 HELP - Start the setup to add an administrator identity/credential
487 487 and to modify access controls for the client to update
488 488 shadow(4) data on the LDAP server.
489 489
490 490 Shadow data is used for password aging and account locking.
491 491 Please refer to the shadow(4) manual page for details.
492 492
493 493 EOF
494 494 ;;
495 495 use_host_principal_help) cat <<EOF
496 496
497 497 HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self'
498 498 credential level is detected, enter 'y' to modify the necessary
499 499 access controls for allowing the client to update shadow(4) data
500 500 on the LDAP server.
501 501
502 502 Shadow data is used for password aging and account locking.
503 503 Please refer to the shadow(4) manual page for details.
504 504
505 505 EOF
506 506 ;;
507 507 esac
508 508 }
509 509
510 510
511 511 #
512 512 # get_ans(): gets an answer from the user.
513 513 # $1 instruction/comment/description/question
514 514 # $2 default value
515 515 #
516 516 get_ans()
517 517 {
518 518 if [ -z "$2" ]
519 519 then
520 520 ${ECHO} "$1 \c"
521 521 else
522 522 ${ECHO} "$1 [$2] \c"
523 523 fi
524 524
525 525 read ANS
526 526 if [ -z "$ANS" ]
527 527 then
528 528 ANS=$2
529 529 fi
530 530 }
531 531
532 532
533 533 #
534 534 # get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
535 535 # $@ instruction/comment/description/question
536 536 #
537 537 get_ans_req()
538 538 {
539 539 ANS="" # Set ANS to NULL.
540 540 while [ "$ANS" = "" ]
541 541 do
542 542 get_ans "$@"
543 543 [ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!"
544 544 done
545 545 }
546 546
547 547
548 548 #
549 549 # get_number(): Querys and verifies that number entered is numeric.
550 550 # Function will repeat prompt user for number value.
551 551 # $1 Message text.
552 552 # $2 default value.
553 553 # $3 Help argument.
554 554 #
555 555 get_number()
556 556 {
557 557 ANS="" # Set ANS to NULL.
558 558 NUM=""
559 559
560 560 get_ans "$1" "$2"
561 561
562 562 # Verify that value is numeric.
563 563 while not_numeric $ANS
564 564 do
565 565 case "$ANS" in
566 566 [Hh] | help | Help | \?) display_msg ${3:-sorry} ;;
567 567 * ) ${ECHO} "Invalid value: \"${ANS}\". \c"
568 568 ;;
569 569 esac
570 570 # Get a new value.
571 571 get_ans "Enter a numeric value:" "$2"
572 572 done
573 573 NUM=$ANS
574 574 }
575 575
576 576
577 577 #
578 578 # get_negone_num(): Only allows a -1 or positive integer.
579 579 # Used for values where -1 has special meaning.
580 580 #
581 581 # $1 - Prompt message.
582 582 # $2 - Default value (require).
583 583 # $3 - Optional help argument.
584 584 get_negone_num()
585 585 {
586 586 while :
587 587 do
588 588 get_number "$1" "$2" "$3"
589 589 if is_negative $ANS
590 590 then
591 591 if [ "$ANS" = "-1" ]; then
592 592 break # -1 is OK, so break.
593 593 else # Need to re-enter number.
594 594 ${ECHO} "Invalid number: please enter -1 or positive number."
595 595 fi
596 596 else
597 597 break # Positive number
598 598 fi
599 599 done
600 600 }
601 601
602 602
603 603 #
604 604 # get_passwd(): Reads a password from the user and verify with second.
605 605 # $@ instruction/comment/description/question
606 606 #
607 607 get_passwd()
608 608 {
609 609 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"
610 610
611 611 # Temporary PASSWD variables
612 612 _PASS1=""
613 613 _PASS2=""
614 614
615 615 /usr/bin/stty -echo # Turn echo OFF
616 616
617 617 # Endless loop that continues until passwd and re-entered passwd
618 618 # match.
619 619 while :
620 620 do
621 621 ANS="" # Set ANS to NULL.
622 622
623 623 # Don't allow NULL for first try.
624 624 while [ "$ANS" = "" ]
625 625 do
626 626 get_ans "$@"
627 627 [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
628 628 done
629 629 _PASS1=$ANS # Store first try.
630 630
631 631 # Get second try.
632 632 ${ECHO} ""
633 633 get_ans "Re-enter passwd:"
634 634 _PASS2=$ANS
635 635
636 636 # Test if passwords are identical.
637 637 if [ "$_PASS1" = "$_PASS2" ]; then
638 638 break
639 639 fi
640 640
641 641 # Move cursor down to next line and print ERROR message.
642 642 ${ECHO} ""
643 643 ${ECHO} "ERROR: passwords don't match; try again."
644 644 done
645 645
646 646 /usr/bin/stty echo # Turn echo ON
647 647
648 648 ${ECHO} ""
649 649 }
650 650
651 651
652 652 #
653 653 # get_passwd_nochk(): Reads a password from the user w/o check.
654 654 # $@ instruction/comment/description/question
655 655 #
656 656 get_passwd_nochk()
657 657 {
658 658 [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"
659 659
660 660 /usr/bin/stty -echo # Turn echo OFF
661 661
662 662 get_ans "$@"
663 663
664 664 /usr/bin/stty echo # Turn echo ON
665 665
666 666 ${ECHO} ""
667 667 }
668 668
669 669
670 670 #
671 671 # get_menu_choice(): Get a menu choice from user. Continue prompting
672 672 # till the choice is in required range.
673 673 # $1 .. Message text.
674 674 # $2 .. min value
675 675 # $3 .. max value
676 676 # $4 .. OPTIONAL: default value
677 677 #
678 678 # Return value:
679 679 # MN_CH will contain the value selected.
680 680 #
681 681 get_menu_choice()
682 682 {
683 683 # Check for req parameter.
684 684 if [ $# -lt 3 ]; then
685 685 ${ECHO} "get_menu_choice(): Did not get required parameters."
686 686 return 1
687 687 fi
688 688
689 689 while :
690 690 do
691 691 get_ans "$1" "$4"
692 692 MN_CH=$ANS
693 693 is_negative $MN_CH
694 694 if [ $? -eq 1 ]; then
695 695 if [ $MN_CH -ge $2 ]; then
696 696 if [ $MN_CH -le $3 ]; then
697 697 return
698 698 fi
699 699 fi
700 700 fi
701 701 ${ECHO} "Invalid choice: $MN_CH"
702 702 done
703 703 }
704 704
705 705
706 706 #
707 707 # get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
708 708 # $1 - Message
709 709 # $2 - default value.
710 710 #
711 711 get_confirm()
712 712 {
713 713 _ANSWER=
714 714
715 715 while :
716 716 do
717 717 # Display Internal ERROR if $2 not set.
718 718 if [ -z "$2" ]
719 719 then
720 720 ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
721 721 exit 2
722 722 fi
723 723
724 724 # Display prompt.
725 725 ${ECHO} "$1 [$2] \c"
726 726
727 727 # Get the ANSWER.
728 728 read _ANSWER
729 729 if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then
730 730 _ANSWER=$2
731 731 fi
732 732 case "$_ANSWER" in
733 733 [Yy] | yes | Yes | YES) return 1 ;;
734 734 [Nn] | no | No | NO) return 0 ;;
735 735 [Hh] | help | Help | \?) display_msg ${3:-sorry};;
736 736 * ) ${ECHO} "Please enter y or n." ;;
737 737 esac
738 738 done
739 739 }
740 740
741 741
742 742 #
743 743 # get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
744 744 # No default value supported.
745 745 #
746 746 get_confirm_nodef()
747 747 {
748 748 _ANSWER=
749 749
750 750 while :
751 751 do
752 752 ${ECHO} "$@ \c"
753 753 read _ANSWER
754 754 case "$_ANSWER" in
755 755 [Yy] | yes | Yes | YES) return 1 ;;
756 756 [Nn] | no | No | NO) return 0 ;;
757 757 * ) ${ECHO} "Please enter y or n." ;;
758 758 esac
759 759 done
760 760 }
761 761
762 762
763 763 #
764 764 # is_numeric(): Tells is a string is numeric.
765 765 # 0 = Numeric
766 766 # 1 = NOT Numeric
767 767 #
768 768 is_numeric()
769 769 {
770 770 # Check for parameter.
771 771 if [ $# -ne 1 ]; then
772 772 return 1
773 773 fi
774 774
775 775 # Determine if numeric.
776 776 expr "$1" + 1 > /dev/null 2>&1
777 777 if [ $? -ge 2 ]; then
778 778 return 1
779 779 fi
780 780
781 781 # Made it here, it's Numeric.
782 782 return 0
783 783 }
784 784
785 785
786 786 #
787 787 # not_numeric(): Reverses the return values of is_numeric. Useful
788 788 # for if and while statements that want to test for
789 789 # non-numeric data.
790 790 # 0 = NOT Numeric
791 791 # 1 = Numeric
792 792 #
793 793 not_numeric()
794 794 {
795 795 is_numeric $1
796 796 if [ $? -eq 0 ]; then
797 797 return 1
798 798 else
799 799 return 0
800 800 fi
801 801 }
802 802
803 803
804 804 #
805 805 # is_negative(): Tells is a Numeric value is less than zero.
806 806 # 0 = Negative Numeric
807 807 # 1 = Positive Numeric
808 808 # 2 = NOT Numeric
809 809 #
810 810 is_negative()
811 811 {
812 812 # Check for parameter.
813 813 if [ $# -ne 1 ]; then
814 814 return 1
815 815 fi
816 816
817 817 # Determine if numeric. Can't use expr because -0 is
818 818 # considered positive??
819 819 if is_numeric $1; then
820 820 case "$1" in
821 821 -*) return 0 ;; # Negative Numeric
822 822 *) return 1 ;; # Positive Numeric
823 823 esac
824 824 else
825 825 return 2
826 826 fi
827 827 }
828 828
829 829
830 830 #
831 831 # check_domainname(): check validity of a domain name. Currently we check
832 832 # that it has at least two components.
833 833 # $1 the domain name to be checked
834 834 #
835 835 check_domainname()
836 836 {
837 837 if [ ! -z "$1" ]
838 838 then
839 839 t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
840 840 if [ "$t" = 0 ]
841 841 then
842 842 return 1
843 843 fi
844 844 fi
845 845 return 0
846 846 }
847 847
848 848
849 849 #
850 850 # check_baseDN(): check validity of the baseDN name.
851 851 # $1 the baseDN name to be checked
852 852 #
853 853 # NOTE: The check_baseDN function does not catch all invalid DN's.
854 854 # Its purpose is to reduce the number of invalid DN's to
855 855 # get past the input routine. The invalid DN's will be
856 856 # caught by the LDAP server when they are attempted to be
857 857 # created.
858 858 #
859 859 check_baseDN()
860 860 {
861 861 ck_DN=$1
862 862 ${ECHO} " Checking LDAP Base DN ..."
863 863 if [ ! -z "$ck_DN" ]; then
864 864 [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
865 865 # Check for = (assignment operator)
866 866 ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
867 867 if [ $? -ne 0 ]; then
868 868 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
869 869 return 1
870 870 fi
871 871
872 872 # Check all keys.
873 873 while :
874 874 do
875 875 # Get first key.
876 876 dkey=`${ECHO} $ck_DN | cut -d'=' -f1`
877 877
878 878 # Check that the key string is valid
879 879 check_attrName $dkey
880 880 if [ $? -ne 0 ]; then
881 881 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
882 882 return 1
883 883 fi
884 884
885 885 [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"
886 886
887 887 # Remove first key from DN
888 888 ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`
889 889
890 890 # Break loop if nothing left.
891 891 if [ "$ck_DN" = "" ]; then
892 892 break
893 893 fi
894 894 done
895 895 fi
896 896 return 0
897 897 }
898 898
899 899
900 900 #
901 901 # domain_2_dc(): Convert a domain name into dc string.
902 902 # $1 .. Domain name.
903 903 #
904 904 domain_2_dc()
905 905 {
906 906 _DOM=$1 # Domain parameter.
907 907 _DOM_2_DC="" # Return value from function.
908 908 _FIRST=1 # Flag for first time.
909 909
910 910 export _DOM_2_DC # Make visible for others.
911 911
912 912 # Convert "."'s to spaces for "for" loop.
913 913 domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
914 914 for i in $domtmp; do
915 915 if [ $_FIRST -eq 1 ]; then
916 916 _DOM_2_DC="dc=${i}"
917 917 _FIRST=0
918 918 else
919 919 _DOM_2_DC="${_DOM_2_DC},dc=${i}"
920 920 fi
921 921 done
922 922 }
923 923
924 924
925 925 #
926 926 # is_root_user(): Check to see if logged in as root user.
927 927 #
928 928 is_root_user()
929 929 {
930 930 case `id` in
931 931 uid=0\(root\)*) return 0 ;;
932 932 * ) return 1 ;;
933 933 esac
934 934 }
935 935
936 936
937 937 #
938 938 # parse_arg(): Parses the command line arguments and sets the
939 939 # appropriate variables.
940 940 #
941 941 parse_arg()
942 942 {
943 943 while getopts "dvhi:o:" ARG
944 944 do
945 945 case $ARG in
946 946 d) DEBUG=1;;
947 947 v) VERB="";;
948 948 i) INPUT_FILE=$OPTARG;;
949 949 o) OUTPUT_FILE=$OPTARG;;
950 950 \?) display_msg usage
951 951 exit 1;;
952 952 *) ${ECHO} "**ERROR: Supported option missing handler!"
953 953 display_msg usage
954 954 exit 1;;
955 955 esac
956 956 done
957 957 return `expr $OPTIND - 1`
958 958 }
959 959
960 960
961 961 #
962 962 # init(): initializes variables and options
963 963 #
964 964 init()
965 965 {
966 966 # General variables.
|
↓ open down ↓ |
966 lines elided |
↑ open up ↑ |
967 967 PROG=`basename $0` # Program name
968 968 PID=$$ # Program ID
969 969 VERB='> /dev/null 2>&1' # NULL or "> /dev/null"
970 970 ECHO="/bin/echo" # print message on screen
971 971 EVAL="eval" # eval or echo
972 972 EGREP="/usr/bin/egrep"
973 973 GREP="/usr/bin/grep"
974 974 DEBUG=0 # Set Debug OFF
975 975 BACKUP=no_ldap # backup suffix
976 976 HOST="" # NULL or <hostname>
977 - NAWK="/usr/bin/nawk"
977 + AWK="/usr/xpg4/bin/awk"
978 978 RM="/usr/bin/rm"
979 979 WC="/usr/bin/wc"
980 980 CAT="/usr/bin/cat"
981 981 SED="/usr/bin/sed"
982 982 MV="/usr/bin/mv"
983 983
984 984 DOM="" # Set to NULL
985 985 # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
986 986 if [ -f /etc/resolv.conf ]; then
987 987 DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
988 988 | awk '{ print $2 }' | tail -1`
989 989 fi
990 990
991 991 # If for any reason the DOM did not get set (error'd resolv.conf) set
992 992 # DOM to the domainname command's output.
993 993 if [ "$DOM" = "" ]; then
994 994 DOM=`domainname` # domain from domainname command.
995 995 fi
996 996
997 997 STEP=1
998 998 INTERACTIVE=1 # 0 = on, 1 = off (For input file mode)
999 999 DEL_OLD_PROFILE=0 # 0 (default), 1 = delete old profile.
1000 1000
1001 1001 # idsconfig specific variables.
1002 1002 INPUT_FILE=""
1003 1003 OUTPUT_FILE=""
1004 1004 LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1005 1005 NEED_PROXY=0 # 0 = No Proxy, 1 = Create Proxy.
1006 1006 NEED_ADMIN=0 # 0 = No Admin, 1 = Create Admin.
1007 1007 NEED_HOSTACL=0 # 0 = No Host ACL, 1 = Create Host ACL.
1008 1008 EXISTING_PROFILE=0
1009 1009 LDAP_PROXYAGENT=""
1010 1010 LDAP_ADMINDN=""
1011 1011 LDAP_SUFFIX=""
1012 1012 LDAP_DOMAIN=$DOM # domainname on Server (default value)
1013 1013 GEN_CMD=""
1014 1014 PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"
1015 1015
1016 1016 # LDAP COMMANDS
1017 1017 LDAPSEARCH="/bin/ldapsearch -r"
1018 1018 LDAPMODIFY=/bin/ldapmodify
1019 1019 LDAPADD=/bin/ldapadd
1020 1020 LDAPDELETE=/bin/ldapdelete
1021 1021 LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile
1022 1022
1023 1023 # iDS specific information
1024 1024 IDS_SERVER=""
1025 1025 IDS_PORT=389
1026 1026 NEED_TIME=0
1027 1027 NEED_SIZE=0
1028 1028 NEED_SRVAUTH_PAM=0
1029 1029 NEED_SRVAUTH_KEY=0
1030 1030 NEED_SRVAUTH_CMD=0
1031 1031 IDS_TIMELIMIT=""
1032 1032 IDS_SIZELIMIT=""
1033 1033
1034 1034 # LDAP PROFILE related defaults
1035 1035 LDAP_ROOTDN="cn=Directory Manager" # Provide common default.
1036 1036 LDAP_ROOTPWD="" # NULL passwd as default (i.e. invalid)
1037 1037 LDAP_PROFILE_NAME="default"
1038 1038 LDAP_BASEDN=""
1039 1039 LDAP_SERVER_LIST=""
1040 1040 LDAP_AUTHMETHOD=""
1041 1041 LDAP_FOLLOWREF="FALSE"
1042 1042 NEED_CRYPT=""
1043 1043 LDAP_SEARCH_SCOPE="one"
1044 1044 LDAP_SRV_AUTHMETHOD_PAM=""
1045 1045 LDAP_SRV_AUTHMETHOD_KEY=""
1046 1046 LDAP_SRV_AUTHMETHOD_CMD=""
1047 1047 LDAP_SEARCH_TIME_LIMIT=30
1048 1048 LDAP_PREF_SRVLIST=""
1049 1049 LDAP_PROFILE_TTL=43200
1050 1050 LDAP_CRED_LEVEL="proxy"
1051 1051 LDAP_BIND_LIMIT=10
1052 1052
1053 1053 # Prevent new files from being read by group or others.
1054 1054 umask 077
1055 1055
1056 1056 # Service Search Descriptors
1057 1057 LDAP_SERV_SRCH_DES=""
1058 1058
1059 1059 # Set and create TMPDIR.
1060 1060 TMPDIR="/tmp/idsconfig.${PID}"
1061 1061 if mkdir -m 700 ${TMPDIR}
1062 1062 then
1063 1063 # Cleanup on exit.
1064 1064 trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
1065 1065 else
1066 1066 echo "ERROR: unable to create a safe temporary directory."
1067 1067 exit 1
1068 1068 fi
1069 1069 LDAP_ROOTPWF=${TMPDIR}/rootPWD
1070 1070
1071 1071 # Set the SSD file name after setting TMPDIR.
1072 1072 SSD_FILE=${TMPDIR}/ssd_list
1073 1073
1074 1074 # GSSAPI setup
1075 1075 GSSAPI_ENABLE=0
1076 1076 LDAP_KRB_REALM=""
1077 1077 SCHEMA_UPDATED=0
1078 1078
1079 1079 export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
1080 1080 export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
1081 1081 export LDAP_BASEDN LDAP_ROOTPWF
1082 1082 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
1083 1083 export NEED_PROXY
1084 1084 export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
1085 1085 export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
1086 1086 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
1087 1087 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
1088 1088 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
1089 1089 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
1090 1090 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
1091 1091 export LDAP_SERV_SRCH_DES SSD_FILE
1092 1092 export GEN_CMD GSSAPI_ENABLE LDAP_KRB_REALM SCHEMA_UPDATED
1093 1093 }
1094 1094
1095 1095
1096 1096 #
1097 1097 # disp_full_debug(): List of all debug variables usually interested in.
1098 1098 # Grouped to avoid MASSIVE code duplication.
1099 1099 #
1100 1100 disp_full_debug()
1101 1101 {
1102 1102 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SERVER = $IDS_SERVER"
1103 1103 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_PORT = $IDS_PORT"
1104 1104 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN"
1105 1105 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD"
1106 1106 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN"
1107 1107 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX"
1108 1108 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN"
1109 1109 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
1110 1110 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
1111 1111 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
1112 1112 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
1113 1113 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
1114 1114 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
1115 1115 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
1116 1116 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT"
1117 1117 [ $DEBUG -eq 1 ] && ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT"
1118 1118 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_CRYPT = $NEED_CRYPT"
1119 1119 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
1120 1120 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
1121 1121 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
1122 1122 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
1123 1123 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
1124 1124 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
1125 1125 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
1126 1126 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
1127 1127 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
1128 1128 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE"
1129 1129
1130 1130 # Only display proxy stuff if needed.
1131 1131 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_PROXY = $NEED_PROXY"
1132 1132 if [ $NEED_PROXY -eq 1 ]; then
1133 1133 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
1134 1134 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
1135 1135 fi
1136 1136
1137 1137 # Only display admin credential if needed.
1138 1138 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_ADMIN = $NEED_ADMIN"
1139 1139 [ $DEBUG -eq 1 ] && ${ECHO} " NEED_HOSTACL = $NEED_HOSTACL"
1140 1140 if [ $NEED_ADMIN -eq 1 ]; then
1141 1141 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMINDN = $LDAP_ADMINDN"
1142 1142 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
1143 1143 fi
1144 1144
1145 1145 # Service Search Descriptors are a special case.
1146 1146 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
1147 1147 }
1148 1148
1149 1149
1150 1150 #
1151 1151 # load_config_file(): Loads the config file.
1152 1152 #
1153 1153 load_config_file()
1154 1154 {
1155 1155 [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"
1156 1156
1157 1157 # Remove SSD lines from input file before sourcing.
1158 1158 # The SSD lines must be removed because some forms of the
1159 1159 # data could cause SHELL errors.
1160 1160 ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD
1161 1161
1162 1162 # Source the input file.
1163 1163 . ${TMPDIR}/inputfile.noSSD
1164 1164
1165 1165 # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older
1166 1166 # config files use LDAP_TREETOP
1167 1167 LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"
1168 1168
1169 1169 # Save password to temporary file.
1170 1170 save_password
1171 1171
1172 1172 # Create the SSD file.
1173 1173 create_ssd_file
1174 1174
1175 1175 # Display FULL debugging info.
1176 1176 disp_full_debug
1177 1177 }
1178 1178
1179 1179 #
1180 1180 # save_password(): Save password to temporary file.
1181 1181 #
1182 1182 save_password()
1183 1183 {
1184 1184 cat > ${LDAP_ROOTPWF} <<EOF
1185 1185 ${LDAP_ROOTPWD}
1186 1186 EOF
1187 1187 }
1188 1188
1189 1189 ######################################################################
1190 1190 # FUNCTIONS FOR prompt_config_info() START HERE.
1191 1191 ######################################################################
1192 1192
1193 1193 #
1194 1194 # get_ids_server(): Prompt for iDS server name.
1195 1195 #
1196 1196 get_ids_server()
1197 1197 {
1198 1198 while :
1199 1199 do
1200 1200 # Prompt for server name.
1201 1201 get_ans "Enter the JES Directory Server's hostname to setup:" "$IDS_SERVER"
1202 1202 IDS_SERVER="$ANS"
1203 1203
1204 1204 # Ping server to see if live. If valid break out of loop.
1205 1205 ping $IDS_SERVER > /dev/null 2>&1
1206 1206 if [ $? -eq 0 ]; then
1207 1207 break
1208 1208 fi
1209 1209
1210 1210 # Invalid server, enter a new name.
1211 1211 ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
1212 1212 IDS_SERVER=""
1213 1213 done
1214 1214
1215 1215 # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1216 1216 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1217 1217 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1218 1218 export SERVER_ARGS
1219 1219
1220 1220 }
1221 1221
1222 1222 #
1223 1223 # get_ids_port(): Prompt for iDS port number.
1224 1224 #
1225 1225 get_ids_port()
1226 1226 {
1227 1227 # Get a valid iDS port number.
1228 1228 while :
1229 1229 do
1230 1230 # Enter port number.
1231 1231 get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
1232 1232 IDS_PORT=$ANS
1233 1233 # Do a simple search to check hostname and port number.
1234 1234 # If search returns SUCCESS, break out, host and port must
1235 1235 # be valid.
1236 1236 ${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1
1237 1237 if [ $? -eq 0 ]; then
1238 1238 break
1239 1239 fi
1240 1240
1241 1241 # Invalid host/port pair, Re-enter.
1242 1242 ${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
1243 1243 get_ids_server
1244 1244 done
1245 1245
1246 1246 # Set SERVER_ARGS and LDAP_ARGS since values might of changed.
1247 1247 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
1248 1248 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1249 1249 export SERVER_ARGS
1250 1250 }
1251 1251
1252 1252
1253 1253 #
1254 1254 # chk_ids_version(): Read the slapd config file and set variables
1255 1255 #
1256 1256 chk_ids_version()
1257 1257 {
1258 1258 [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
1259 1259
1260 1260 # check iDS version number.
1261 1261 eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
1262 1262 if [ $? -ne 0 ]; then
1263 1263 ${ECHO} "ERROR: Can not determine the version number of iDS!"
1264 1264 exit 1
1265 1265 fi
1266 1266 IDS_VER=`cat ${TMPDIR}/checkDSver`
1267 1267 IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
1268 1268 IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
1269 1269 case "${IDS_MAJVER}" in
1270 1270 5|6|7) : ;;
1271 1271 *) ${ECHO} "ERROR: $PROG only works with JES DS version 5.x, 6.x or 7.x, not ${IDS_VER}."; exit 1;;
1272 1272 esac
1273 1273
1274 1274 if [ $DEBUG -eq 1 ]; then
1275 1275 ${ECHO} " IDS_MAJVER = $IDS_MAJVER"
1276 1276 ${ECHO} " IDS_MINVER = $IDS_MINVER"
1277 1277 fi
1278 1278 }
1279 1279
1280 1280
1281 1281 #
1282 1282 # get_dirmgr_dn(): Get the directory manger DN.
1283 1283 #
1284 1284 get_dirmgr_dn()
1285 1285 {
1286 1286 get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
1287 1287 LDAP_ROOTDN=$ANS
1288 1288
1289 1289 # Update ENV variables using DN.
1290 1290 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1291 1291 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1292 1292 export AUTH_ARGS LDAP_ARGS
1293 1293 }
1294 1294
1295 1295
1296 1296 #
1297 1297 # get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf)
1298 1298 #
1299 1299 get_dirmgr_pw()
1300 1300 {
1301 1301 while :
1302 1302 do
1303 1303 # Get passwd.
1304 1304 get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
1305 1305 LDAP_ROOTPWD=$ANS
1306 1306
1307 1307 # Store password in file.
1308 1308 save_password
1309 1309
1310 1310 # Update ENV variables using DN's PW.
1311 1311 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
1312 1312 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
1313 1313 export AUTH_ARGS LDAP_ARGS
1314 1314
1315 1315 # Verify that ROOTDN and ROOTPWD are valid.
1316 1316 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
1317 1317 if [ $? -ne 0 ]; then
1318 1318 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
1319 1319 if [ $? -eq 0 ]; then
1320 1320 ${ECHO} "ERROR: Root DN passwd is invalid."
1321 1321 else
1322 1322 ${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
1323 1323 get_dirmgr_dn
1324 1324 fi
1325 1325 else
1326 1326 break # Both are valid.
1327 1327 fi
1328 1328 done
1329 1329
1330 1330
1331 1331 }
1332 1332
1333 1333
1334 1334 #
1335 1335 # get_domain(): Get the Domain that will be served by the LDAP server.
1336 1336 # $1 - Help argument.
1337 1337 #
1338 1338 get_domain()
1339 1339 {
1340 1340 # Use LDAP_DOMAIN as default.
1341 1341 get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN
1342 1342
1343 1343 # Check domainname, and have user re-enter if not valid.
1344 1344 check_domainname $ANS
1345 1345 while [ $? -ne 0 ]
1346 1346 do
1347 1347 case "$ANS" in
1348 1348 [Hh] | help | Help | \?) display_msg ${1:-sorry} ;;
1349 1349 * ) ${ECHO} "Invalid domainname: \"${ANS}\"."
1350 1350 ;;
1351 1351 esac
1352 1352 get_ans "Enter domainname to be served (h=help):" $DOM
1353 1353
1354 1354 check_domainname $ANS
1355 1355 done
1356 1356
1357 1357 # Set the domainname to valid name.
1358 1358 LDAP_DOMAIN=$ANS
1359 1359 }
1360 1360
1361 1361
1362 1362 #
1363 1363 # get_basedn(): Query for the Base DN.
1364 1364 #
1365 1365 get_basedn()
1366 1366 {
1367 1367 # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default.
1368 1368 # Then call get_basedn(). This method remakes the default
1369 1369 # each time just in case the domain changed.
1370 1370 domain_2_dc $LDAP_DOMAIN
1371 1371 LDAP_BASEDN=$_DOM_2_DC
1372 1372
1373 1373 # Get Base DN.
1374 1374 while :
1375 1375 do
1376 1376 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
1377 1377 check_baseDN "$ANS"
1378 1378 while [ $? -ne 0 ]
1379 1379 do
1380 1380 case "$ANS" in
1381 1381 [Hh] | help | Help | \?) display_msg basedn_help ;;
1382 1382 * ) ${ECHO} "Invalid base DN: \"${ANS}\"."
1383 1383 ;;
1384 1384 esac
1385 1385
1386 1386 # Re-Enter the BaseDN
1387 1387 get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
1388 1388 check_baseDN "$ANS"
1389 1389 done
1390 1390
1391 1391 # Set base DN and check its suffix
1392 1392 LDAP_BASEDN=${ANS}
1393 1393 check_basedn_suffix ||
1394 1394 {
1395 1395 cleanup
1396 1396 exit 1
1397 1397 }
1398 1398
1399 1399 # suffix may need to be created, in that case get suffix from user
1400 1400 [ -n "${NEED_CREATE_SUFFIX}" ] &&
1401 1401 {
1402 1402 get_suffix || continue
1403 1403 }
1404 1404
1405 1405 # suffix is ok, break out of the base dn inquire loop
1406 1406 break
1407 1407 done
1408 1408 }
1409 1409
1410 1410 #
1411 1411 # get_want_shadow_update(): Ask user if want to enable shadow update?
1412 1412 #
1413 1413 get_want_shadow_update()
1414 1414 {
1415 1415 MSG="Do you want to enable shadow update (y/n/h)?"
1416 1416 get_confirm "$MSG" "n" "enable_shadow_update_help"
|
↓ open down ↓ |
429 lines elided |
↑ open up ↑ |
1417 1417 if [ $? -eq 1 ]; then
1418 1418 LDAP_ENABLE_SHADOW_UPDATE="TRUE"
1419 1419 else
1420 1420 LDAP_ENABLE_SHADOW_UPDATE="FALSE"
1421 1421 fi
1422 1422 }
1423 1423
1424 1424 get_krb_realm() {
1425 1425
1426 1426 # To upper cases
1427 - LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'`
1427 + LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${AWK} '{ print toupper($0) }'`
1428 1428 get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM"
1429 1429 # To upper cases
1430 - LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'`
1430 + LDAP_KRB_REALM=`${ECHO} ${ANS} | ${AWK} '{ print toupper($0) }'`
1431 1431 }
1432 1432
1433 1433 # $1: DN
1434 1434 # $2: ldif file
1435 1435 add_entry_by_DN() {
1436 1436
1437 1437 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}"
1438 1438 if [ $? -eq 0 ]; then
1439 1439 ${ECHO} " ${1} already exists"
1440 1440 return 0
1441 1441 else
1442 1442 ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}"
1443 1443 if [ $? -eq 0 ]; then
1444 1444 ${ECHO} " ${1} is added"
1445 1445 return 0
1446 1446 else
1447 1447 ${ECHO} " ERROR: failed to add ${1}"
1448 1448 return 1
1449 1449 fi
1450 1450 fi
1451 1451
1452 1452 }
1453 1453 #
1454 1454 # Kerberos princiapl to DN mapping rules
1455 1455 #
1456 1456 # Add rules for host credentails and user credentials
1457 1457 #
1458 1458 add_id_mapping_rules() {
1459 1459
1460 1460 ${ECHO} " Adding Kerberos principal to DN mapping rules..."
1461 1461
1462 1462 _C_DN="cn=GSSAPI,cn=identity mapping,cn=config"
1463 1463 ( cat << EOF
1464 1464 dn: cn=GSSAPI,cn=identity mapping,cn=config
1465 1465 objectClass: top
1466 1466 objectClass: nsContainer
1467 1467 cn: GSSAPI
1468 1468 EOF
1469 1469 ) > ${TMPDIR}/GSSAPI_container.ldif
1470 1470
1471 1471 add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif"
1472 1472 if [ $? -ne 0 ];
1473 1473 then
1474 1474 ${RM} ${TMPDIR}/GSSAPI_container.ldif
1475 1475 return
1476 1476 fi
1477 1477
1478 1478 _H_CN="host_auth_${LDAP_KRB_REALM}"
1479 1479 _H_DN="cn=${_H_CN}, ${_C_DN}"
1480 1480 ( cat << EOF
1481 1481 dn: ${_H_DN}
1482 1482 objectClass: top
1483 1483 objectClass: nsContainer
1484 1484 objectClass: dsIdentityMapping
1485 1485 objectClass: dsPatternMatching
1486 1486 cn: ${_H_CN}
1487 1487 dsMatching-pattern: \${Principal}
1488 1488 dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM}
1489 1489 dsSearchBaseDN: ou=hosts,${LDAP_BASEDN}
1490 1490 dsSearchFilter: (&(objectClass=ipHost)(cn=\$1))
1491 1491 dsSearchScope: one
1492 1492
1493 1493 EOF
1494 1494 ) > ${TMPDIR}/${_H_CN}.ldif
1495 1495
1496 1496 add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif"
1497 1497
1498 1498 _U_CN="user_auth_${LDAP_KRB_REALM}"
1499 1499 _U_DN="cn=${_U_CN}, ${_C_DN}"
1500 1500 ( cat << EOF
1501 1501 dn: ${_U_DN}
1502 1502 objectClass: top
1503 1503 objectClass: nsContainer
1504 1504 objectClass: dsIdentityMapping
1505 1505 objectClass: dsPatternMatching
1506 1506 cn: ${_U_CN}
1507 1507 dsMatching-pattern: \${Principal}
1508 1508 dsMatching-regexp: (.*)@${LDAP_KRB_REALM}
1509 1509 dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN}
1510 1510
1511 1511 EOF
1512 1512 ) > ${TMPDIR}/${_U_CN}.ldif
1513 1513
1514 1514 add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif"
1515 1515
1516 1516 }
1517 1517
1518 1518
1519 1519 #
1520 1520 # Modify ACL to allow root to read all the password and only self can read
1521 1521 # its own password when sasl/GSSAPI bind is used
1522 1522 #
1523 1523 modify_userpassword_acl_for_gssapi() {
1524 1524
1525 1525 _P_DN="ou=People,${LDAP_BASEDN}"
1526 1526 _H_DN="ou=Hosts,${LDAP_BASEDN}"
1527 1527 _P_ACI="self-read-pwd"
1528 1528
1529 1529 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
1530 1530 if [ $? -ne 0 ]; then
1531 1531 ${ECHO} " ${_P_DN} does not exist"
1532 1532 # Not Found. Create a new entry
1533 1533 ( cat << EOF
1534 1534 dn: ${_P_DN}
1535 1535 ou: People
1536 1536 objectClass: top
1537 1537 objectClass: organizationalUnit
1538 1538 EOF
1539 1539 ) > ${TMPDIR}/gssapi_people.ldif
1540 1540
1541 1541 add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif"
1542 1542 else
1543 1543 ${ECHO} " ${_P_DN} already exists"
1544 1544 fi
1545 1545
1546 1546 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1"
1547 1547
1548 1548 if [ $? -eq 0 ]; then
1549 1549 ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1"
1550 1550 if [ $? -eq 0 ]; then
1551 1551 ${ECHO} " userpassword ACL ${_P_ACI} already exists."
1552 1552 return
1553 1553 else
1554 1554 ${ECHO} " userpassword ACL ${_P_ACI} not found. Create a new one."
1555 1555 fi
1556 1556 else
1557 1557 ${ECHO} " Error searching aci for ${_P_DN}"
1558 1558 cat ${TMPDIR}/chk_gssapi_aci
1559 1559 cleanup
1560 1560 exit 1
1561 1561 fi
1562 1562 ( cat << EOF
1563 1563 dn: ${_P_DN}
1564 1564 changetype: modify
1565 1565 add: aci
1566 1566 aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";)
1567 1567 -
1568 1568 add: aci
1569 1569 aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";)
1570 1570 EOF
1571 1571 ) > ${TMPDIR}/user_gssapi.ldif
1572 1572 LDAP_TYPE_OR_VALUE_EXISTS=20
1573 1573 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}"
1574 1574
1575 1575 case $? in
1576 1576 0)
1577 1577 ${ECHO} " ${_P_DN} uaserpassword ACL is updated."
1578 1578 ;;
1579 1579 20)
1580 1580 ${ECHO} " ${_P_DN} uaserpassword ACL already exists."
1581 1581 ;;
1582 1582 *)
1583 1583 ${ECHO} " ERROR: update of userpassword ACL for ${_P_DN} failed!"
1584 1584 cleanup
1585 1585 exit 1
1586 1586 ;;
1587 1587 esac
1588 1588 }
1589 1589 #
1590 1590 # $1: objectclass or attributetyp
1591 1591 # $2: name
1592 1592 search_update_schema() {
1593 1593
1594 1594 ATTR="${1}es"
1595 1595
1596 1596 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}"
1597 1597 if [ $? -ne 0 ]; then
1598 1598 ${ECHO} "${1} ${2} does not exist."
1599 1599 update_schema_attr
1600 1600 update_schema_obj
1601 1601 SCHEMA_UPDATED=1
1602 1602 else
1603 1603 ${ECHO} "${1} ${2} already exists. Schema has been updated"
1604 1604 fi
1605 1605 }
1606 1606
1607 1607 #
1608 1608 # Set up GSSAPI if necessary
1609 1609 #
1610 1610 gssapi_setup() {
1611 1611
1612 1612 GSSAPI_ENABLE=0
1613 1613
1614 1614 # assume sasl/GSSAPI is supported by the ldap server and may be used
1615 1615 GSSAPI_AUTH_MAY_BE_USED=1
1616 1616
1617 1617 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
1618 1618 if [ $? -ne 0 ]; then
1619 1619 GSSAPI_AUTH_MAY_BE_USED=0
1620 1620 ${ECHO} " sasl/GSSAPI is not supported by this LDAP server"
1621 1621 return
1622 1622 fi
1623 1623
1624 1624 get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n"
1625 1625 if [ $? -eq 0 ]; then
1626 1626 GSSAPI_ENABLE=0
1627 1627 ${ECHO}
1628 1628 ${ECHO} "GSSAPI is not set up."
1629 1629 ${ECHO} "sasl/GSSAPI bind may not work if it's not set up first."
1630 1630 else
1631 1631 GSSAPI_ENABLE=1
1632 1632 get_krb_realm
1633 1633 fi
1634 1634
1635 1635 }
1636 1636 #
1637 1637 # get_profile_name(): Enter the profile name.
1638 1638 #
1639 1639 get_profile_name()
1640 1640 {
1641 1641 # Reset Delete Old Profile since getting new profile name.
1642 1642 DEL_OLD_PROFILE=0
1643 1643
1644 1644 # Loop until valid profile name, or replace.
1645 1645 while :
1646 1646 do
1647 1647 # Prompt for profile name.
1648 1648 get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME"
1649 1649
1650 1650 # Check for Help.
1651 1651 case "$ANS" in
1652 1652 [Hh] | help | Help | \?) display_msg profile_help
1653 1653 continue ;;
1654 1654 * ) ;;
1655 1655 esac
1656 1656
1657 1657 # Search to see if profile name already exists.
1658 1658 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
1659 1659 if [ $? -eq 0 ]; then
1660 1660
1661 1661 cat << EOF
1662 1662
1663 1663 Profile '${ANS}' already exists, it is possible to enable
1664 1664 shadow update now. idsconfig will exit after shadow update
1665 1665 is enabled. You can also continue to overwrite the profile
1666 1666 or create a new one and be given the chance to enable
1667 1667 shadow update later.
1668 1668
1669 1669 EOF
1670 1670
1671 1671 MSG="Just enable shadow update (y/n/h)?"
1672 1672 get_confirm "$MSG" "n" "enable_shadow_update_help"
1673 1673 if [ $? -eq 1 ]; then
1674 1674 [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update"
1675 1675 LDAP_ENABLE_SHADOW_UPDATE=TRUE
1676 1676 # display alternate messages
1677 1677 EXISTING_PROFILE=1
1678 1678 # Set Profile Name.
1679 1679 LDAP_PROFILE_NAME=$ANS
1680 1680 return 0 # set up credentials for shadow update.
1681 1681 fi
1682 1682
1683 1683 get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?"
1684 1684 if [ $? -eq 1 ]; then
1685 1685 DEL_OLD_PROFILE=1
1686 1686 return 0 # Replace old profile name.
1687 1687 else
1688 1688 ${ECHO} "Please re-enter a new profile name."
1689 1689 fi
1690 1690 else
1691 1691 break # Unique profile name.
1692 1692 fi
1693 1693 done
1694 1694
1695 1695 # Set Profile Name.
1696 1696 LDAP_PROFILE_NAME=$ANS
1697 1697 }
1698 1698
1699 1699
1700 1700 #
1701 1701 # get_srv_list(): Get the default server list.
1702 1702 #
1703 1703 get_srv_list()
1704 1704 {
1705 1705 # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone.
1706 1706 if [ -z "${LDAP_SERVER_LIST}" ]; then
1707 1707 LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'`
1708 1708 if [ ${IDS_PORT} -ne 389 ]; then
1709 1709 LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}"
1710 1710 fi
1711 1711 fi
1712 1712
1713 1713 # Prompt for new LDAP_SERVER_LIST.
1714 1714 while :
1715 1715 do
1716 1716 get_ans "Default server list (h=help):" $LDAP_SERVER_LIST
1717 1717
1718 1718 # If help continue, otherwise break.
1719 1719 case "$ANS" in
1720 1720 [Hh] | help | Help | \?) display_msg def_srvlist_help ;;
1721 1721 * ) break ;;
1722 1722 esac
1723 1723 done
1724 1724 LDAP_SERVER_LIST=$ANS
1725 1725 }
1726 1726
1727 1727
1728 1728 #
1729 1729 # get_pref_srv(): The preferred server list (Overrides the server list)
1730 1730 #
1731 1731 get_pref_srv()
1732 1732 {
1733 1733 while :
1734 1734 do
1735 1735 get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST
1736 1736
1737 1737 # If help continue, otherwise break.
1738 1738 case "$ANS" in
1739 1739 [Hh] | help | Help | \?) display_msg pref_srvlist_help ;;
1740 1740 * ) break ;;
1741 1741 esac
1742 1742 done
1743 1743 LDAP_PREF_SRVLIST=$ANS
1744 1744 }
1745 1745
1746 1746
1747 1747 #
1748 1748 # get_search_scope(): Get the search scope from the user.
1749 1749 #
1750 1750 get_search_scope()
1751 1751 {
1752 1752 [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()"
1753 1753
1754 1754 _MENU_CHOICE=0
1755 1755 while :
1756 1756 do
1757 1757 get_ans "Choose desired search scope (one, sub, h=help): " "one"
1758 1758 _MENU_CHOICE=$ANS
1759 1759 case "$_MENU_CHOICE" in
1760 1760 one) LDAP_SEARCH_SCOPE="one"
1761 1761 return 1 ;;
1762 1762 sub) LDAP_SEARCH_SCOPE="sub"
1763 1763 return 2 ;;
1764 1764 h) display_msg srch_scope_help ;;
1765 1765 *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;;
1766 1766 esac
1767 1767 done
1768 1768
1769 1769 }
1770 1770
1771 1771
1772 1772 #
1773 1773 # get_cred_level(): Function to display menu to user and get the
1774 1774 # credential level.
1775 1775 #
1776 1776 get_cred_level()
1777 1777 {
1778 1778 [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()"
1779 1779
1780 1780 _MENU_CHOICE=0
1781 1781 display_msg cred_level_menu
1782 1782 while :
1783 1783 do
1784 1784 if [ $GSSAPI_ENABLE -eq 1 ]; then
1785 1785 ${ECHO} '"self" is needed for GSSAPI profile'
1786 1786 fi
1787 1787 get_ans "Choose Credential level [h=help]:" "1"
1788 1788 _MENU_CHOICE=$ANS
1789 1789 case "$_MENU_CHOICE" in
1790 1790 1) LDAP_CRED_LEVEL="anonymous"
1791 1791 return 1 ;;
1792 1792 2) LDAP_CRED_LEVEL="proxy"
1793 1793 return 2 ;;
1794 1794 3) LDAP_CRED_LEVEL="proxy anonymous"
1795 1795 return 3 ;;
1796 1796 4) LDAP_CRED_LEVEL="self"
1797 1797 return 4 ;;
1798 1798 h) display_msg cred_lvl_help ;;
1799 1799 *) ${ECHO} "Please enter 1, 2, 3 or 4." ;;
1800 1800 esac
1801 1801 done
1802 1802 }
1803 1803
1804 1804
1805 1805 #
1806 1806 # srvauth_menu_handler(): Enter the Service Authentication method.
1807 1807 #
1808 1808 srvauth_menu_handler()
1809 1809 {
1810 1810 # Display Auth menu
1811 1811 display_msg srvauth_method_menu
1812 1812
1813 1813 # Get a Valid choice.
1814 1814 while :
1815 1815 do
1816 1816 # Display appropriate prompt and get answer.
1817 1817 if [ $_FIRST -eq 1 ]; then
1818 1818 get_ans "Choose Service Authentication Method:" "1"
1819 1819 else
1820 1820 get_ans "Choose Service Authentication Method (0=reset):"
1821 1821 fi
1822 1822
1823 1823 # Determine choice.
1824 1824 _MENU_CHOICE=$ANS
1825 1825 case "$_MENU_CHOICE" in
1826 1826 1) _AUTHMETHOD="simple"
1827 1827 break ;;
1828 1828 2) _AUTHMETHOD="sasl/DIGEST-MD5"
1829 1829 break ;;
1830 1830 3) _AUTHMETHOD="tls:simple"
1831 1831 break ;;
1832 1832 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1833 1833 break ;;
1834 1834 5) _AUTHMETHOD="sasl/GSSAPI"
1835 1835 break ;;
1836 1836 0) _AUTHMETHOD=""
1837 1837 _FIRST=1
1838 1838 break ;;
1839 1839 *) ${ECHO} "Please enter 1-5 or 0 to reset." ;;
1840 1840 esac
1841 1841 done
1842 1842 }
1843 1843
1844 1844
1845 1845 #
1846 1846 # auth_menu_handler(): Enter the Authentication method.
1847 1847 #
1848 1848 auth_menu_handler()
1849 1849 {
1850 1850 # Display Auth menu
1851 1851 display_msg auth_method_menu
1852 1852
1853 1853 # Get a Valid choice.
1854 1854 while :
1855 1855 do
1856 1856 if [ $GSSAPI_ENABLE -eq 1 ]; then
1857 1857 ${ECHO} '"sasl/GSSAPI" is needed for GSSAPI profile'
1858 1858 fi
1859 1859 # Display appropriate prompt and get answer.
1860 1860 if [ $_FIRST -eq 1 ]; then
1861 1861 get_ans "Choose Authentication Method (h=help):" "1"
1862 1862 else
1863 1863 get_ans "Choose Authentication Method (0=reset, h=help):"
1864 1864 fi
1865 1865
1866 1866 # Determine choice.
1867 1867 _MENU_CHOICE=$ANS
1868 1868 case "$_MENU_CHOICE" in
1869 1869 1) _AUTHMETHOD="none"
1870 1870 break ;;
1871 1871 2) _AUTHMETHOD="simple"
1872 1872 break ;;
1873 1873 3) _AUTHMETHOD="sasl/DIGEST-MD5"
1874 1874 break ;;
1875 1875 4) _AUTHMETHOD="tls:simple"
1876 1876 break ;;
1877 1877 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
1878 1878 break ;;
1879 1879 6) _AUTHMETHOD="sasl/GSSAPI"
1880 1880 break ;;
1881 1881 0) _AUTHMETHOD=""
1882 1882 _FIRST=1
1883 1883 break ;;
1884 1884 h) display_msg auth_help ;;
1885 1885 *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;;
1886 1886 esac
1887 1887 done
1888 1888 }
1889 1889
1890 1890
1891 1891 #
1892 1892 # get_auth(): Enter the Authentication method.
1893 1893 #
1894 1894 get_auth()
1895 1895 {
1896 1896 [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()"
1897 1897
1898 1898 _FIRST=1 # Flag for first time.
1899 1899 _MENU_CHOICE=0
1900 1900 _AUTHMETHOD="" # Tmp method.
1901 1901
1902 1902 while :
1903 1903 do
1904 1904 # Call Menu handler
1905 1905 auth_menu_handler
1906 1906
1907 1907 # Add Auth Method to list.
1908 1908 if [ $_FIRST -eq 1 ]; then
1909 1909 LDAP_AUTHMETHOD="${_AUTHMETHOD}"
1910 1910 _FIRST=0
1911 1911 else
1912 1912 LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}"
1913 1913 fi
1914 1914
1915 1915 # Display current Authentication Method.
1916 1916 ${ECHO} ""
1917 1917 ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}"
1918 1918 ${ECHO} ""
1919 1919
1920 1920 # Prompt for another Auth Method, or break out.
1921 1921 get_confirm_nodef "Do you want to add another Authentication Method?"
1922 1922 if [ $? -eq 0 ]; then
1923 1923 break;
1924 1924 fi
1925 1925 done
1926 1926 }
1927 1927
1928 1928
1929 1929 #
1930 1930 # get_followref(): Whether or not to follow referrals.
1931 1931 #
1932 1932 get_followref()
1933 1933 {
1934 1934 get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
1935 1935 if [ $? -eq 1 ]; then
1936 1936 LDAP_FOLLOWREF="TRUE"
1937 1937 else
1938 1938 LDAP_FOLLOWREF="FALSE"
1939 1939 fi
1940 1940 }
1941 1941
1942 1942
1943 1943 #
1944 1944 # get_timelimit(): Set the time limit. -1 is max time.
1945 1945 #
1946 1946 get_timelimit()
1947 1947 {
1948 1948 # Get current timeout value from cn=config.
1949 1949 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1"
1950 1950 if [ $? -ne 0 ]; then
1951 1951 ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!"
1952 1952 cleanup
1953 1953 exit 1
1954 1954 fi
1955 1955 CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -f2 -d=`
1956 1956
1957 1957 get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
1958 1958 IDS_TIMELIMIT=$NUM
1959 1959 }
1960 1960
1961 1961
1962 1962 #
1963 1963 # get_sizelimit(): Set the size limit. -1 is max size.
1964 1964 #
1965 1965 get_sizelimit()
1966 1966 {
1967 1967 # Get current sizelimit value from cn=config.
1968 1968 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1"
1969 1969 if [ $? -ne 0 ]; then
1970 1970 ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!"
1971 1971 cleanup
1972 1972 exit 1
1973 1973 fi
1974 1974 CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -f2 -d=`
1975 1975
1976 1976 get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
1977 1977 IDS_SIZELIMIT=$NUM
1978 1978 }
1979 1979
1980 1980
1981 1981 #
1982 1982 # get_want_crypt(): Ask user if want to store passwords in crypt?
1983 1983 #
1984 1984 get_want_crypt()
1985 1985 {
1986 1986 get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
1987 1987 if [ $? -eq 1 ]; then
1988 1988 NEED_CRYPT="TRUE"
1989 1989 else
1990 1990 NEED_CRYPT="FALSE"
1991 1991 fi
1992 1992 }
1993 1993
1994 1994
1995 1995 #
1996 1996 # get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
1997 1997 #
1998 1998 # NOTE: This function is base on get_auth().
1999 1999 #
2000 2000 get_srv_authMethod_pam()
2001 2001 {
2002 2002 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"
2003 2003
2004 2004 _FIRST=1 # Flag for first time.
2005 2005 _MENU_CHOICE=0
2006 2006 _AUTHMETHOD="" # Tmp method.
2007 2007
2008 2008 while :
2009 2009 do
2010 2010 # Call Menu handler
2011 2011 srvauth_menu_handler
2012 2012
2013 2013 # Add Auth Method to list.
2014 2014 if [ $_FIRST -eq 1 ]; then
2015 2015 if [ "$_AUTHMETHOD" = "" ]; then
2016 2016 LDAP_SRV_AUTHMETHOD_PAM=""
2017 2017 else
2018 2018 LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
2019 2019 fi
2020 2020 _FIRST=0
2021 2021 else
2022 2022 LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}"
2023 2023 fi
2024 2024
2025 2025 # Display current Authentication Method.
2026 2026 ${ECHO} ""
2027 2027 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
2028 2028 ${ECHO} ""
2029 2029
2030 2030 # Prompt for another Auth Method, or break out.
2031 2031 get_confirm_nodef "Do you want to add another Authentication Method?"
2032 2032 if [ $? -eq 0 ]; then
2033 2033 break;
2034 2034 fi
2035 2035 done
2036 2036
2037 2037 # Check in case user reset string and exited loop.
2038 2038 if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
2039 2039 NEED_SRVAUTH_PAM=0
2040 2040 fi
2041 2041 }
2042 2042
2043 2043
2044 2044 #
2045 2045 # get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
2046 2046 #
2047 2047 # NOTE: This function is base on get_auth().
2048 2048 #
2049 2049 get_srv_authMethod_key()
2050 2050 {
2051 2051 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"
2052 2052
2053 2053 _FIRST=1 # Flag for first time.
2054 2054 _MENU_CHOICE=0
2055 2055 _AUTHMETHOD="" # Tmp method.
2056 2056
2057 2057 while :
2058 2058 do
2059 2059 # Call Menu handler
2060 2060 srvauth_menu_handler
2061 2061
2062 2062 # Add Auth Method to list.
2063 2063 if [ $_FIRST -eq 1 ]; then
2064 2064 if [ "$_AUTHMETHOD" = "" ]; then
2065 2065 LDAP_SRV_AUTHMETHOD_KEY=""
2066 2066 else
2067 2067 LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
2068 2068 fi
2069 2069 _FIRST=0
2070 2070 else
2071 2071 LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}"
2072 2072 fi
2073 2073
2074 2074 # Display current Authentication Method.
2075 2075 ${ECHO} ""
2076 2076 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
2077 2077 ${ECHO} ""
2078 2078
2079 2079 # Prompt for another Auth Method, or break out.
2080 2080 get_confirm_nodef "Do you want to add another Authentication Method?"
2081 2081 if [ $? -eq 0 ]; then
2082 2082 break;
2083 2083 fi
2084 2084 done
2085 2085
2086 2086 # Check in case user reset string and exited loop.
2087 2087 if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
2088 2088 NEED_SRVAUTH_KEY=0
2089 2089 fi
2090 2090 }
2091 2091
2092 2092
2093 2093 #
2094 2094 # get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
2095 2095 #
2096 2096 # NOTE: This function is base on get_auth().
2097 2097 #
2098 2098 get_srv_authMethod_cmd()
2099 2099 {
2100 2100 [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"
2101 2101
2102 2102 _FIRST=1 # Flag for first time.
2103 2103 _MENU_CHOICE=0
2104 2104 _AUTHMETHOD="" # Tmp method.
2105 2105
2106 2106 while :
2107 2107 do
2108 2108 # Call Menu handler
2109 2109 srvauth_menu_handler
2110 2110
2111 2111 # Add Auth Method to list.
2112 2112 if [ $_FIRST -eq 1 ]; then
2113 2113 if [ "$_AUTHMETHOD" = "" ]; then
2114 2114 LDAP_SRV_AUTHMETHOD_CMD=""
2115 2115 else
2116 2116 LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
2117 2117 fi
2118 2118 _FIRST=0
2119 2119 else
2120 2120 LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}"
2121 2121 fi
2122 2122
2123 2123 # Display current Authentication Method.
2124 2124 ${ECHO} ""
2125 2125 ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
2126 2126 ${ECHO} ""
2127 2127
2128 2128 # Prompt for another Auth Method, or break out.
2129 2129 get_confirm_nodef "Do you want to add another Authentication Method?"
2130 2130 if [ $? -eq 0 ]; then
2131 2131 break;
2132 2132 fi
2133 2133 done
2134 2134
2135 2135 # Check in case user reset string and exited loop.
2136 2136 if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
2137 2137 NEED_SRVAUTH_CMD=0
2138 2138 fi
2139 2139 }
2140 2140
2141 2141
2142 2142 #
2143 2143 # get_srch_time(): Amount of time to search.
2144 2144 #
2145 2145 get_srch_time()
2146 2146 {
2147 2147 get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
2148 2148 LDAP_SEARCH_TIME_LIMIT=$NUM
2149 2149 }
2150 2150
2151 2151
2152 2152 #
2153 2153 # get_prof_ttl(): The profile time to live (TTL)
2154 2154 #
2155 2155 get_prof_ttl()
2156 2156 {
2157 2157 get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help"
2158 2158 LDAP_PROFILE_TTL=$NUM
2159 2159 }
2160 2160
2161 2161
2162 2162 #
2163 2163 # get_bind_limit(): Bind time limit
2164 2164 #
2165 2165 get_bind_limit()
2166 2166 {
2167 2167 get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help"
2168 2168 LDAP_BIND_LIMIT=$NUM
2169 2169 }
2170 2170
2171 2171
2172 2172 ######################################################################
2173 2173 # FUNCTIONS FOR Service Search Descriptor's START HERE.
2174 2174 ######################################################################
2175 2175
2176 2176
2177 2177 #
2178 2178 # add_ssd(): Get SSD's from user and add to file.
2179 2179 #
2180 2180 add_ssd()
2181 2181 {
2182 2182 [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"
2183 2183
2184 2184 # Enter the service id. Loop til unique.
2185 2185 while :
2186 2186 do
2187 2187 get_ans "Enter the service id:"
2188 2188 _SERV_ID=$ANS
2189 2189
2190 2190 # Grep for name existing.
2191 2191 ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
2192 2192 if [ $? -eq 1 ]; then
2193 2193 break
2194 2194 fi
2195 2195
2196 2196 # Name exists, print message, let user decide.
2197 2197 ${ECHO} "ERROR: Service id ${ANS} already exists."
2198 2198 done
2199 2199
2200 2200 get_ans "Enter the base:"
2201 2201 _BASE=$ANS
2202 2202
2203 2203 # Get the scope and verify that its one or sub.
2204 2204 while :
2205 2205 do
2206 2206 get_ans "Enter the scope:"
2207 2207 _SCOPE=$ANS
2208 2208 case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
2209 2209 one) break ;;
2210 2210 sub) break ;;
2211 2211 *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
2212 2212 esac
2213 2213 done
2214 2214
2215 2215 # Build SSD to add to file.
2216 2216 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
2217 2217
2218 2218 # Add the SSD to the file.
2219 2219 ${ECHO} "${_SSD}" >> ${SSD_FILE}
2220 2220 }
2221 2221
2222 2222
2223 2223 #
2224 2224 # delete_ssd(): Delete a SSD from the list.
2225 2225 #
2226 2226 delete_ssd()
2227 2227 {
2228 2228 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"
2229 2229
2230 2230 # Get service id name from user for SSD to delete.
2231 2231 get_ans_req "Enter service id to delete:"
2232 2232
2233 2233 # Make sure service id exists.
2234 2234 ${GREP} "$ANS" ${SSD_FILE} > /dev/null 2>&1
2235 2235 if [ $? -eq 1 ]; then
2236 2236 ${ECHO} "Invalid service id: $ANS not present in list."
2237 2237 return
2238 2238 fi
2239 2239
2240 2240 # Create temporary back SSD file.
2241 2241 cp ${SSD_FILE} ${SSD_FILE}.bak
2242 2242 if [ $? -eq 1 ]; then
2243 2243 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
2244 2244 exit 1
2245 2245 fi
2246 2246
2247 2247 # Use ${GREP} to remove the SSD. Read from temp file
2248 2248 # and write to the orig file.
2249 2249 ${GREP} -v "$ANS" ${SSD_FILE}.bak > ${SSD_FILE}
2250 2250 }
2251 2251
2252 2252
2253 2253 #
2254 2254 # modify_ssd(): Allow user to modify a SSD.
2255 2255 #
2256 2256 modify_ssd()
2257 2257 {
2258 2258 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"
2259 2259
2260 2260 # Prompt user for service id.
2261 2261 get_ans_req "Enter service id to modify:"
2262 2262
2263 2263 # Put into temp _LINE.
2264 2264 _LINE=`${GREP} "^$ANS:" ${SSD_FILE}`
2265 2265 if [ "$_LINE" = "" ]; then
2266 2266 ${ECHO} "Invalid service id: $ANS"
2267 2267 return
2268 2268 fi
2269 2269
2270 2270 # Display current filter for user to see.
2271 2271 ${ECHO} ""
2272 2272 ${ECHO} "Current SSD: $_LINE"
2273 2273 ${ECHO} ""
2274 2274
2275 2275 # Get the defaults.
2276 2276 _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
2277 2277 _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`
2278 2278
2279 2279 # Create temporary back SSD file.
2280 2280 cp ${SSD_FILE} ${SSD_FILE}.bak
2281 2281 if [ $? -eq 1 ]; then
2282 2282 ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
2283 2283 cleanup
2284 2284 exit 1
2285 2285 fi
2286 2286
2287 2287 # Removed the old line.
2288 2288 ${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
2289 2289
2290 2290 # New Entry
2291 2291 _SERV_ID=$ANS
2292 2292 get_ans_req "Enter the base:" "$_CURR_BASE"
2293 2293 _BASE=$ANS
2294 2294 get_ans_req "Enter the scope:" "$_CURR_SCOPE"
2295 2295 _SCOPE=$ANS
2296 2296
2297 2297 # Build the new SSD.
2298 2298 _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
2299 2299
2300 2300 # Add the SSD to the file.
2301 2301 ${ECHO} "${_SSD}" >> ${SSD_FILE}
2302 2302 }
2303 2303
2304 2304
2305 2305 #
2306 2306 # display_ssd(): Display the current SSD list.
2307 2307 #
2308 2308 display_ssd()
2309 2309 {
2310 2310 [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"
2311 2311
2312 2312 ${ECHO} ""
2313 2313 ${ECHO} "Current Service Search Descriptors:"
2314 2314 ${ECHO} "=================================="
2315 2315 cat ${SSD_FILE}
2316 2316 ${ECHO} ""
2317 2317 ${ECHO} "Hit return to continue."
2318 2318 read __A
2319 2319 }
2320 2320
2321 2321
2322 2322 #
2323 2323 # prompt_ssd(): Get SSD's from user.
2324 2324 #
2325 2325 prompt_ssd()
2326 2326 {
2327 2327 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"
2328 2328 # See if user wants SSD's?
2329 2329 get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
2330 2330 [ "$?" -eq 0 ] && return
2331 2331
2332 2332 # Display menu for SSD choices.
2333 2333 while :
2334 2334 do
2335 2335 display_msg prompt_ssd_menu
2336 2336 get_ans "Enter menu choice:" "Quit"
2337 2337 case "$ANS" in
2338 2338 [Aa] | add) add_ssd ;;
2339 2339 [Dd] | delete) delete_ssd ;;
2340 2340 [Mm] | modify) modify_ssd ;;
2341 2341 [Pp] | print | display) display_ssd ;;
2342 2342 [Xx] | reset | clear) reset_ssd_file ;;
2343 2343 [Hh] | Help | help) display_msg ssd_menu_help
2344 2344 ${ECHO} " Press return to continue."
2345 2345 read __A ;;
2346 2346 [Qq] | Quit | quit) return ;;
2347 2347 *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
2348 2348 esac
2349 2349 done
2350 2350 }
2351 2351
2352 2352
2353 2353 #
2354 2354 # reset_ssd_file(): Blank out current SSD file.
2355 2355 #
2356 2356 reset_ssd_file()
2357 2357 {
2358 2358 [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()"
2359 2359
2360 2360 rm -f ${SSD_FILE}
2361 2361 touch ${SSD_FILE}
2362 2362 }
2363 2363
2364 2364
2365 2365 #
2366 2366 # create_ssd_file(): Create a temporary file for SSD's.
2367 2367 #
2368 2368 create_ssd_file()
2369 2369 {
2370 2370 [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()"
2371 2371
2372 2372 # Build a list of SSD's and store in temp file.
2373 2373 ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \
2374 2374 sed 's/LDAP_SERV_SRCH_DES=//' \
2375 2375 > ${SSD_FILE}
2376 2376 }
2377 2377
2378 2378
2379 2379 #
2380 2380 # ssd_2_config(): Append the SSD file to the output file.
2381 2381 #
2382 2382 ssd_2_config()
2383 2383 {
2384 2384 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()"
2385 2385
2386 2386 # Convert to config file format using sed.
2387 2387 sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE}
2388 2388 }
2389 2389
2390 2390
2391 2391 #
2392 2392 # ssd_2_profile(): Add SSD's to the GEN_CMD string.
2393 2393 #
2394 2394 ssd_2_profile()
2395 2395 {
2396 2396 [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()"
2397 2397
2398 2398 GEN_TMPFILE=${TMPDIR}/ssd_tmpfile
2399 2399 touch ${GEN_TMPFILE}
2400 2400
2401 2401 # Add and convert each SSD to string.
2402 2402 while read SSD_LINE
2403 2403 do
2404 2404 ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE}
2405 2405 done <${SSD_FILE}
2406 2406
2407 2407 # Add SSD's to GEN_CMD.
2408 2408 GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`"
2409 2409 }
2410 2410
2411 2411 #
2412 2412 # get_adminDN(): Get the admin DN.
2413 2413 #
2414 2414 get_adminDN()
2415 2415 {
2416 2416 LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}" # default
2417 2417 get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN"
2418 2418 LDAP_ADMINDN=$ANS
2419 2419 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN"
2420 2420 }
2421 2421
2422 2422 #
2423 2423 # get_admin_pw(): Get the admin passwd.
2424 2424 #
2425 2425 get_admin_pw()
2426 2426 {
2427 2427 get_passwd "Enter passwd for the administrator:"
2428 2428 LDAP_ADMIN_CRED=$ANS
2429 2429 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
2430 2430 }
2431 2431
2432 2432 #
2433 2433 # add_admin(): Add an admin entry for nameservice for updating shadow data.
2434 2434 #
2435 2435 add_admin()
2436 2436 {
2437 2437 [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()"
2438 2438
2439 2439 # Check if the admin user already exists.
2440 2440 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}"
2441 2441 if [ $? -eq 0 ]; then
2442 2442 MSG="Administrator ${LDAP_ADMINDN} already exists."
2443 2443 if [ $EXISTING_PROFILE -eq 1 ]; then
2444 2444 ${ECHO} " NOT ADDED: $MSG"
2445 2445 else
2446 2446 ${ECHO} " ${STEP}. $MSG"
2447 2447 STEP=`expr $STEP + 1`
2448 2448 fi
2449 2449 return 0
2450 2450 fi
2451 2451
2452 2452 # Get cn and sn names from LDAP_ADMINDN.
2453 2453 cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=`
2454 2454
2455 2455 # Create the tmp file to add.
2456 2456 ( cat <<EOF
2457 2457 dn: ${LDAP_ADMINDN}
2458 2458 cn: ${cn_tmp}
2459 2459 sn: ${cn_tmp}
2460 2460 objectclass: top
2461 2461 objectclass: person
2462 2462 userpassword: ${LDAP_ADMIN_CRED}
2463 2463 EOF
2464 2464 ) > ${TMPDIR}/admin
2465 2465
2466 2466 # Add the entry.
2467 2467 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}"
2468 2468 if [ $? -ne 0 ]; then
2469 2469 ${ECHO} " ERROR: Adding administrator identity failed!"
2470 2470 cleanup
2471 2471 exit 1
2472 2472 fi
2473 2473
2474 2474 ${RM} -f ${TMPDIR}/admin
2475 2475
2476 2476 # Display message that the administrator identity is added.
2477 2477 MSG="Administrator identity ${LDAP_ADMINDN}"
2478 2478 if [ $EXISTING_PROFILE -eq 1 ]; then
2479 2479 ${ECHO} " ADDED: $MSG."
2480 2480 else
2481 2481 ${ECHO} " ${STEP}. $MSG added."
2482 2482 STEP=`expr $STEP + 1`
2483 2483 fi
2484 2484 }
2485 2485
2486 2486 #
2487 2487 # allow_admin_read_write_shadow(): Give Admin read/write permission
2488 2488 # to shadow data.
2489 2489 #
2490 2490 allow_admin_read_write_shadow()
2491 2491 {
2492 2492 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()"
2493 2493
2494 2494 # Set ACI Name
2495 2495 ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write"
2496 2496
2497 2497 # Search for ACI_NAME
2498 2498 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \
2499 2499 -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1"
2500 2500
2501 2501 # if an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search"
2502 2502 # and ${LDAP_ADMINDN} already exists, we are done
2503 2503 ${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \
2504 2504 ${TMPDIR}/chk_adminwrite_aci 2>&1 > /dev/null
2505 2505 if [ $? -eq 0 ]; then
2506 2506 MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}."
2507 2507 if [ $EXISTING_PROFILE -eq 1 ]; then
2508 2508 ${ECHO} " NOT SET: $MSG"
2509 2509 else
2510 2510 ${ECHO} " ${STEP}. $MSG"
2511 2511 STEP=`expr $STEP + 1`
2512 2512 fi
2513 2513 return 0
2514 2514 fi
2515 2515
2516 2516 # If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN}
2517 2517 # already exists, delete it first.
2518 2518 find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \
2519 2519 ${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME}
2520 2520
2521 2521 # Create the tmp file to add.
2522 2522 ( cat <<EOF
2523 2523 dn: ${LDAP_BASEDN}
2524 2524 changetype: modify
2525 2525 add: aci
2526 2526 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange
2527 2527 ||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire
2528 2528 ||shadowFlag||userPassword||loginShell||homeDirectory||gecos")
2529 2529 (version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search)
2530 2530 userdn = "ldap:///${LDAP_ADMINDN}";)
2531 2531 EOF
2532 2532 ) > ${TMPDIR}/admin_write
2533 2533
2534 2534 # Add the entry.
2535 2535 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}"
2536 2536 if [ $? -ne 0 ]; then
2537 2537 ${ECHO} " ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!"
2538 2538 cleanup
2539 2539 exit 1
2540 2540 fi
2541 2541
2542 2542 ${RM} -f ${TMPDIR}/admin_write
2543 2543 # Display message that the administrator ACL is set.
2544 2544 MSG="Give ${LDAP_ADMINDN} read/write access to shadow data."
2545 2545 if [ $EXISTING_PROFILE -eq 1 ]; then
2546 2546 ${ECHO} " ACI SET: $MSG"
2547 2547 else
2548 2548 ${ECHO} " ${STEP}. $MSG"
2549 2549 STEP=`expr $STEP + 1`
2550 2550 fi
2551 2551 }
2552 2552
2553 2553 #
2554 2554 # allow_host_read_write_shadow(): Give host principal read/write permission
2555 2555 # for shadow data.
2556 2556 #
2557 2557 allow_host_read_write_shadow()
2558 2558 {
2559 2559 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()"
2560 2560
2561 2561 # Set ACI Name
2562 2562 HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write"
2563 2563
2564 2564 # Search for ACI_NAME
2565 2565 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1"
2566 2566 ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1
2567 2567 if [ $? -eq 0 ]; then
2568 2568 MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}."
2569 2569 if [ $EXISTING_PROFILE -eq 1 ]; then
2570 2570 ${ECHO} " NOT ADDED: $MSG"
2571 2571 else
2572 2572 ${ECHO} " ${STEP}. $MSG"
2573 2573 STEP=`expr $STEP + 1`
2574 2574 fi
2575 2575 return 0
2576 2576 fi
2577 2577
2578 2578 # Create the tmp file to add.
2579 2579 ( cat <<EOF
2580 2580 dn: ${LDAP_BASEDN}
2581 2581 changetype: modify
2582 2582 add: aci
2583 2583 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
2584 2584 EOF
2585 2585 ) > ${TMPDIR}/host_read_write
2586 2586
2587 2587 # Add the entry.
2588 2588 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}"
2589 2589 if [ $? -ne 0 ]; then
2590 2590 ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!"
2591 2591 cleanup
2592 2592 exit 1
2593 2593 fi
2594 2594
2595 2595 ${RM} -f ${TMPDIR}/host_read_write
2596 2596 MSG="Give host principal read/write permission for shadow."
2597 2597 if [ $EXISTING_PROFILE -eq 1 ]; then
2598 2598 ${ECHO} " ACI SET: $MSG"
2599 2599 else
2600 2600 ${ECHO} " ${STEP}. $MSG"
2601 2601 STEP=`expr $STEP + 1`
2602 2602 fi
2603 2603 }
2604 2604
2605 2605 #
2606 2606 # Set up shadow update
2607 2607 #
2608 2608 setup_shadow_update() {
2609 2609 [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()"
2610 2610
2611 2611 # get content of the profile
2612 2612 PROFILE_OUT=${TMPDIR}/prof_tmpfile
2613 2613 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1"
2614 2614 ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1
2615 2615 if [ $? -ne 0 ]; then
2616 2616 [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist"
2617 2617 ${RM} ${PROFILE_OUT}
2618 2618 return
2619 2619 fi
2620 2620
2621 2621 # Search to see if authenticationMethod has 'GSSAPI' and
2622 2622 # credentialLevel has 'self'. If so, ask to use the
2623 2623 # host principal for shadow update
2624 2624 if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
2625 2625 if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1
2626 2626 then
2627 2627 if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1
2628 2628 then
2629 2629 NEED_HOSTACL=1
2630 2630 fi
2631 2631 fi
2632 2632 ${RM} ${PROFILE_OUT}
2633 2633 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
2634 2634
2635 2635 if [ $NEED_HOSTACL -eq 1 ]; then
2636 2636 MSG="Use host principal for shadow data update (y/n/h)?"
2637 2637 get_confirm "$MSG" "y" "use_host_principal_help"
2638 2638 if [ $? -eq 1 ]; then
2639 2639 delete_proxy_read_pw
2640 2640 allow_host_read_write_shadow
2641 2641 deny_non_host_shadow_access
2642 2642 ${ECHO} ""
2643 2643 ${ECHO} " Shadow update has been enabled."
2644 2644 else
2645 2645 ${ECHO} ""
2646 2646 ${ECHO} " Shadow update may not work."
2647 2647 fi
2648 2648 return
2649 2649 fi
2650 2650 fi
2651 2651
2652 2652 MSG="Add the administrator identity (y/n/h)?"
2653 2653 get_confirm "$MSG" "y" "add_admin_cred_help"
2654 2654 if [ $? -eq 1 ]; then
2655 2655 get_adminDN
2656 2656 get_admin_pw
2657 2657 add_admin
2658 2658 delete_proxy_read_pw
2659 2659 allow_admin_read_write_shadow
2660 2660 deny_non_admin_shadow_access
2661 2661 ${ECHO} ""
2662 2662 ${ECHO} " Shadow update has been enabled."
2663 2663 return
2664 2664 fi
2665 2665
2666 2666 ${ECHO} " No administrator identity specified, shadow update may not work."
2667 2667 }
2668 2668
2669 2669
2670 2670 #
2671 2671 # prompt_config_info(): This function prompts the user for the config
2672 2672 # info that is not specified in the input file.
2673 2673 #
2674 2674 prompt_config_info()
2675 2675 {
2676 2676 [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"
2677 2677
2678 2678 # Prompt for iDS server name.
2679 2679 get_ids_server
2680 2680
2681 2681 # Prompt for iDS port number.
2682 2682 get_ids_port
2683 2683
2684 2684 # Check iDS version for compatibility.
2685 2685 chk_ids_version
2686 2686
2687 2687 # Check if the server supports the VLV.
2688 2688 chk_vlv_indexes
2689 2689
2690 2690 # Get the Directory manager DN and passwd.
2691 2691 get_dirmgr_dn
2692 2692 get_dirmgr_pw
2693 2693
2694 2694 #
2695 2695 # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
2696 2696 # (i.e. The fields that show up in the profile.)
2697 2697 #
2698 2698 get_domain "domain_help"
2699 2699
2700 2700 get_basedn
2701 2701
2702 2702 gssapi_setup
2703 2703
2704 2704 get_profile_name
2705 2705
2706 2706 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then
2707 2707 setup_shadow_update
2708 2708 cleanup
2709 2709 exit 0
2710 2710 fi
2711 2711
2712 2712 get_srv_list
2713 2713 get_pref_srv
2714 2714 get_search_scope
2715 2715
2716 2716 # If cred is "anonymous", make auth == "none"
2717 2717 get_cred_level
2718 2718 if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
2719 2719 get_auth
2720 2720 fi
2721 2721
2722 2722 get_followref
2723 2723
2724 2724 # Query user about timelimt.
2725 2725 get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
2726 2726 NEED_TIME=$?
2727 2727 [ $NEED_TIME -eq 1 ] && get_timelimit
2728 2728
2729 2729 # Query user about sizelimit.
2730 2730 get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
2731 2731 NEED_SIZE=$?
2732 2732 [ $NEED_SIZE -eq 1 ] && get_sizelimit
2733 2733
2734 2734 # Does the user want to store passwords in crypt format?
2735 2735 get_want_crypt
2736 2736
2737 2737 # Prompt for any Service Authentication Methods?
2738 2738 get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
2739 2739 if [ $? -eq 1 ]; then
2740 2740 # Does the user want to set Service Authentication Method for pam_ldap?
2741 2741 get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
2742 2742 NEED_SRVAUTH_PAM=$?
2743 2743 [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam
2744 2744
2745 2745 # Does the user want to set Service Authentication Method for keyserv?
2746 2746 get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
2747 2747 NEED_SRVAUTH_KEY=$?
2748 2748 [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key
2749 2749
2750 2750 # Does the user want to set Service Authentication Method for passwd-cmd?
2751 2751 get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
2752 2752 NEED_SRVAUTH_CMD=$?
2753 2753 [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
2754 2754 fi
2755 2755
2756 2756
2757 2757 # Get Timeouts
2758 2758 get_srch_time
2759 2759 get_prof_ttl
2760 2760 get_bind_limit
2761 2761
2762 2762 # Ask whether to enable shadow update
2763 2763 get_want_shadow_update
2764 2764
2765 2765 # Reset the sdd_file and prompt user for SSD. Will use menus
2766 2766 # to build an SSD File.
2767 2767 reset_ssd_file
2768 2768 prompt_ssd
2769 2769
2770 2770 # Display FULL debugging info.
2771 2771 disp_full_debug
2772 2772
2773 2773 # Extra blank line to separate prompt lines from steps.
2774 2774 ${ECHO} " "
2775 2775 }
2776 2776
2777 2777
2778 2778 ######################################################################
2779 2779 # FUNCTIONS FOR display_summary() START HERE.
2780 2780 ######################################################################
2781 2781
2782 2782
2783 2783 #
2784 2784 # get_proxyagent(): Get the proxyagent DN.
2785 2785 #
2786 2786 get_proxyagent()
2787 2787 {
2788 2788 LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default
2789 2789 get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
2790 2790 LDAP_PROXYAGENT=$ANS
2791 2791 }
2792 2792
2793 2793
2794 2794 #
2795 2795 # get_proxy_pw(): Get the proxyagent passwd.
2796 2796 #
2797 2797 get_proxy_pw()
2798 2798 {
2799 2799 get_passwd "Enter passwd for proxyagent:"
2800 2800 LDAP_PROXYAGENT_CRED=$ANS
2801 2801 }
2802 2802
2803 2803 #
2804 2804 # display_summary(): Display a summary of values entered and let the
2805 2805 # user modify values at will.
2806 2806 #
2807 2807 display_summary()
2808 2808 {
2809 2809 [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"
2810 2810
2811 2811 # Create lookup table for function names. First entry is dummy for
2812 2812 # shift.
2813 2813 TBL1="dummy"
2814 2814 TBL2="get_domain get_basedn get_profile_name"
2815 2815 TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
2816 2816 TBL4="get_auth get_followref"
2817 2817 TBL5="get_timelimit get_sizelimit get_want_crypt"
2818 2818 TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
2819 2819 TBL7="get_srch_time get_prof_ttl get_bind_limit"
2820 2820 TBL8="get_want_shadow_update"
2821 2821 TBL9="prompt_ssd"
2822 2822 FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9"
2823 2823
2824 2824 # Since menu prompt string is long, set here.
2825 2825 _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)"
2826 2826
2827 2827 # Infinite loop. Test for 0, and break in loop.
2828 2828 while :
2829 2829 do
2830 2830 # Display menu and get value in range.
2831 2831 display_msg summary_menu
2832 2832 get_menu_choice "${_MENU_PROMPT}" "0" "20" "0"
2833 2833 _CH=$MN_CH
2834 2834
2835 2835 # Make sure where not exiting.
2836 2836 if [ $_CH -eq 0 ]; then
2837 2837 break # Break out of loop if 0 selected.
2838 2838 fi
2839 2839
2840 2840 # Call appropriate function from function table.
2841 2841 set $FUNC_TBL
2842 2842 shift $_CH
2843 2843 $1 # Call the appropriate function.
2844 2844 done
2845 2845
2846 2846 # If cred level is still see if user wants a change?
2847 2847 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
2848 2848 then
2849 2849 if [ "$LDAP_AUTHMETHOD" != "none" ]; then
2850 2850 NEED_PROXY=1 # I assume integer test is faster?
2851 2851 get_proxyagent
2852 2852 get_proxy_pw
2853 2853 else
2854 2854 ${ECHO} "WARNING: Since Authentication method is 'none'."
2855 2855 ${ECHO} " Credential level will be set to 'anonymous'."
2856 2856 LDAP_CRED_LEVEL="anonymous"
2857 2857 fi
2858 2858 fi
2859 2859
2860 2860 # If shadow update is enabled, set up administrator credential
2861 2861 if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then
2862 2862 NEED_ADMIN=1
2863 2863 if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then
2864 2864 if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then
2865 2865 NEED_HOSTACL=1
2866 2866 NEED_ADMIN=0
2867 2867 fi
2868 2868 fi
2869 2869 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
2870 2870 [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN"
2871 2871 if [ $NEED_ADMIN -eq 1 ]; then
2872 2872 get_adminDN
2873 2873 get_admin_pw
2874 2874 fi
2875 2875 fi
2876 2876
2877 2877 # Display FULL debugging info.
2878 2878 disp_full_debug
2879 2879
2880 2880 # Final confirmation message. (ARE YOU SURE!)
2881 2881 ${ECHO} " "
2882 2882 get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
2883 2883 if [ $? -eq 0 ]; then
2884 2884 ${ECHO} "Terminating setup without making changes at users request."
2885 2885 cleanup
2886 2886 exit 1
2887 2887 fi
2888 2888
2889 2889 # Print newline
2890 2890 ${ECHO} " "
2891 2891 }
2892 2892
2893 2893
2894 2894 #
2895 2895 # create_config_file(): Write config data to config file specified.
2896 2896 #
2897 2897 create_config_file()
2898 2898 {
2899 2899 [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"
2900 2900
2901 2901 # If output file exists, delete it.
2902 2902 [ -f $OUTPUT_FILE ] && rm $OUTPUT_FILE
2903 2903
2904 2904 # Create output file.
2905 2905 cat > $OUTPUT_FILE <<EOF
2906 2906 #!/bin/sh
2907 2907 # $OUTPUT_FILE - This file contains configuration information for
2908 2908 # Native LDAP. Use the idsconfig tool to load it.
2909 2909 #
2910 2910 # WARNING: This file was generated by idsconfig, and is intended to
2911 2911 # be loaded by idsconfig as is. DO NOT EDIT THIS FILE!
2912 2912 #
2913 2913 IDS_SERVER="$IDS_SERVER"
2914 2914 IDS_PORT=$IDS_PORT
2915 2915 IDS_TIMELIMIT=$IDS_TIMELIMIT
2916 2916 IDS_SIZELIMIT=$IDS_SIZELIMIT
2917 2917 LDAP_ROOTDN="$LDAP_ROOTDN"
2918 2918 LDAP_ROOTPWD=$LDAP_ROOTPWD
2919 2919 LDAP_DOMAIN="$LDAP_DOMAIN"
2920 2920 LDAP_SUFFIX="$LDAP_SUFFIX"
2921 2921 GSSAPI_ENABLE=$GSSAPI_ENABLE
2922 2922 LDAP_KRB_REALM="$LDAP_KRB_REALM"
2923 2923
2924 2924 # Internal program variables that need to be set.
2925 2925 NEED_PROXY=$NEED_PROXY
2926 2926 NEED_TIME=$NEED_TIME
2927 2927 NEED_SIZE=$NEED_SIZE
2928 2928 NEED_CRYPT=$NEED_CRYPT
2929 2929 NEED_ADMIN=$NEED_ADMIN
2930 2930 NEED_HOSTACL=$NEED_HOSTACL
2931 2931 EXISTING_PROFILE=$EXISTING_PROFILE
2932 2932
2933 2933 # LDAP PROFILE related defaults
2934 2934 LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
2935 2935 DEL_OLD_PROFILE=1
2936 2936 LDAP_BASEDN="$LDAP_BASEDN"
2937 2937 LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
2938 2938 LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
2939 2939 LDAP_FOLLOWREF=$LDAP_FOLLOWREF
2940 2940 LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
2941 2941 NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
2942 2942 NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
2943 2943 NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
2944 2944 LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
2945 2945 LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
2946 2946 LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
2947 2947 LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
2948 2948 LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
2949 2949 LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
2950 2950 LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
2951 2951 LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT
2952 2952
2953 2953 # Proxy Agent
2954 2954 LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
2955 2955 LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED
2956 2956
2957 2957 # enableShadowUpdate flag and Administrator credential
2958 2958 LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE
2959 2959 LDAP_ADMINDN="$LDAP_ADMINDN"
2960 2960 LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED
2961 2961
2962 2962 # Export all the variables (just in case)
2963 2963 export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
2964 2964 export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
2965 2965 export NEED_PROXY
2966 2966 export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
2967 2967 export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
2968 2968 export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
2969 2969 export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
2970 2970 export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
2971 2971 export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
2972 2972 export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
2973 2973 export LDAP_SERV_SRCH_DES SSD_FILE GSSAPI_ENABLE LDAP_KRB_REALM
2974 2974
2975 2975 # Service Search Descriptors start here if present:
2976 2976 EOF
2977 2977 # Add service search descriptors.
2978 2978 ssd_2_config "${OUTPUT_FILE}"
2979 2979
2980 2980 # Add LDAP suffix preferences
2981 2981 print_suffix_config >> "${OUTPUT_FILE}"
2982 2982
2983 2983 # Add the end of FILE tag.
2984 2984 ${ECHO} "" >> ${OUTPUT_FILE}
2985 2985 ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE}
2986 2986 }
2987 2987
2988 2988
2989 2989 #
2990 2990 # chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
2991 2991 #
2992 2992 chk_vlv_indexes()
2993 2993 {
2994 2994 # Do ldapsearch to see if server supports VLV.
2995 2995 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
2996 2996 eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"
2997 2997 if [ $? -ne 0 ]; then
2998 2998 ${ECHO} "ERROR: VLV is not supported on LDAP server!"
2999 2999 cleanup
3000 3000 exit 1
3001 3001 fi
3002 3002 [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server."
3003 3003 }
3004 3004
3005 3005 #
3006 3006 # get_backend(): this function gets the relevant backend
3007 3007 # (database) for LDAP_BASED.
3008 3008 # Description: set IDS_DATABASE; exit on failure.
3009 3009 # Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are
3010 3010 # valid.
3011 3011 #
3012 3012 # backend is retrieved from suffixes and subsuffixes
3013 3013 # defined under "cn=mapping tree,cn=config". The
3014 3014 # nsslapd-state attribute of these suffixes entries
3015 3015 # is filled with either Backend, Disabled or referrals
3016 3016 # related values. We only want those that have a true
3017 3017 # backend database to select the relevant backend.
3018 3018 #
3019 3019 get_backend()
3020 3020 {
3021 3021 [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"
3022 3022
3023 3023 cur_suffix=${LDAP_BASEDN}
3024 3024 prev_suffix=
3025 3025 IDS_DATABASE=
3026 3026 while [ "${cur_suffix}" != "${prev_suffix}" ]
3027 3027 do
3028 3028 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
3029 3029 eval "${LDAPSEARCH} ${LDAP_ARGS} " \
3030 3030 "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
3031 3031 "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
3032 3032 "| ${GREP} 'nsslapd-backend=' " \
3033 3033 "> ${TMPDIR}/ids_database_name 2>&1"
3034 3034 NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
3035 3035 case ${NUM_DBS} in
3036 3036 0) # not a suffix, or suffix not activated; try next
3037 3037 prev_suffix=${cur_suffix}
3038 3038 cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','`
3039 3039 ;;
3040 3040 1) # suffix found; get database name
3041 3041 IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2`
3042 3042 ;;
3043 3043 *) # can not handle more than one database per suffix
3044 3044 ${ECHO} "ERROR: More than one database is configured "
3045 3045 ${ECHO} " for $LDAP_SUFFIX!"
3046 3046 ${ECHO} " $PROG can not configure suffixes where "
3047 3047 ${ECHO} " more than one database is used for one suffix."
3048 3048 cleanup
3049 3049 exit 1
3050 3050 ;;
3051 3051 esac
3052 3052 if [ -n "${IDS_DATABASE}" ]; then
3053 3053 break
3054 3054 fi
3055 3055 done
3056 3056
3057 3057 if [ -z "${IDS_DATABASE}" ]; then
3058 3058 # should not happen, since LDAP_BASEDN is supposed to be valid
3059 3059 ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
3060 3060 ${ECHO} "Exiting."
3061 3061 cleanup
3062 3062 exit 1
3063 3063 fi
3064 3064
3065 3065 [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
3066 3066 }
3067 3067
3068 3068 #
3069 3069 # validate_suffix(): This function validates ${LDAP_SUFFIX}
3070 3070 # THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
3071 3071 #
3072 3072 validate_suffix()
3073 3073 {
3074 3074 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"
3075 3075
3076 3076 # Check LDAP_SUFFIX is not null
3077 3077 if [ -z "${LDAP_SUFFIX}" ]; then
3078 3078 ${ECHO} "Invalid suffix (null suffix)"
3079 3079 cleanup
3080 3080 exit 1
3081 3081 fi
3082 3082
3083 3083 # Check LDAP_SUFFIX and LDAP_BASEDN are consistent
3084 3084 # Convert to lower case for basename.
3085 3085 format_string "${LDAP_BASEDN}"
3086 3086 LOWER_BASEDN="${FMT_STR}"
3087 3087 format_string "${LDAP_SUFFIX}"
3088 3088 LOWER_SUFFIX="${FMT_STR}"
3089 3089
3090 3090 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
3091 3091 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
3092 3092
3093 3093 if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
3094 3094 sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
3095 3095 if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
3096 3096 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
3097 3097 ${ECHO} "for Base DN ${LOWER_BASEDN}"
3098 3098 cleanup
3099 3099 exit 1
3100 3100 fi
3101 3101 fi
3102 3102
3103 3103 # Check LDAP_SUFFIX does exist
3104 3104 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0
3105 3105
3106 3106 # Well, suffix does not exist, try to prepare create it ...
3107 3107 NEED_CREATE_SUFFIX=1
3108 3108 prep_create_sfx_entry ||
3109 3109 {
3110 3110 cleanup
3111 3111 exit 1
3112 3112 }
3113 3113 [ -n "${NEED_CREATE_BACKEND}" ] &&
3114 3114 {
3115 3115 # try to use id attr value of the suffix as a database name
3116 3116 IDS_DATABASE=${_VAL}
3117 3117 prep_create_sfx_backend
3118 3118 case $? in
3119 3119 1) # cann't use the name we want, so we can either exit or use
3120 3120 # some another available name - doing the last ...
3121 3121 IDS_DATABASE=${IDS_DATABASE_AVAIL}
3122 3122 ;;
3123 3123 2) # unable to determine database name
3124 3124 cleanup
3125 3125 exit 1
3126 3126 ;;
3127 3127 esac
3128 3128 }
3129 3129
3130 3130 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE"
3131 3131 }
3132 3132
3133 3133 #
3134 3134 # validate_info(): This function validates the basic info collected
3135 3135 # So that some problems are caught right away.
3136 3136 # THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
3137 3137 #
3138 3138 validate_info()
3139 3139 {
3140 3140 [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"
3141 3141
3142 3142 # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
3143 3143 SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
3144 3144 AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
3145 3145 LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
3146 3146 export SERVER_ARGS
3147 3147
3148 3148 # Check the Root DN and Root DN passwd.
3149 3149 # Use eval instead of $EVAL because not part of setup. (validate)
3150 3150 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
3151 3151 if [ $? -ne 0 ]; then
3152 3152 eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
3153 3153 if [ $? -eq 0 ]; then
3154 3154 ${ECHO} "ERROR: Root DN passwd is invalid."
3155 3155 else
3156 3156 ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>."
3157 3157 fi
3158 3158 cleanup
3159 3159 exit 1
3160 3160 fi
3161 3161 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK"
3162 3162 [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK"
3163 3163
3164 3164 # Check if the server supports the VLV.
3165 3165 chk_vlv_indexes
3166 3166 [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK"
3167 3167
3168 3168 # Check LDAP suffix
3169 3169 validate_suffix
3170 3170 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK"
3171 3171 }
3172 3172
3173 3173 #
3174 3174 # format_string(): take a string as argument and set FMT_STR
3175 3175 # to be the same string formatted as follow:
3176 3176 # - only lower case characters
3177 3177 # - no unnecessary spaces around , and =
3178 3178 #
3179 3179 format_string()
3180 3180 {
3181 3181 FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' |
3182 3182 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`
3183 3183 }
3184 3184
3185 3185 #
3186 3186 # prepare for the suffix entry creation
3187 3187 #
3188 3188 # input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix;
3189 3189 # in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config.
3190 3190 # output : NEED_CREATE_BACKEND - backend for this suffix needs to be created;
3191 3191 # _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value.
3192 3192 # return : 0 - success, otherwise error.
3193 3193 #
3194 3194 prep_create_sfx_entry()
3195 3195 {
3196 3196 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()"
3197 3197
3198 3198 # check whether suffix corresponds to base dn
3199 3199 format_string "${LDAP_BASEDN}"
3200 3200 ${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 ||
3201 3201 {
3202 3202 display_msg sfx_not_suitable
3203 3203 return 1
3204 3204 }
3205 3205
3206 3206 # parse LDAP_SUFFIX
3207 3207 _RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1`
3208 3208 _ATT=`${ECHO} "${_RDN}" | cut -d= -f1`
3209 3209 _VAL=`${ECHO} "${_RDN}" | cut -d= -f2-`
3210 3210
3211 3211 # find out an objectclass for suffix entry if it is not defined yet
3212 3212 [ -z "${LDAP_SUFFIX_OBJ}" ] &&
3213 3213 {
3214 3214 get_objectclass ${_ATT}
3215 3215 [ -z "${_ATTR_NAME}" ] &&
3216 3216 {
3217 3217 display_msg obj_not_found
3218 3218 return 1
3219 3219 }
3220 3220 LDAP_SUFFIX_OBJ=${_ATTR_NAME}
3221 3221 }
3222 3222 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}"
3223 3223
3224 3224 # find out an aci for suffix entry if it is not defined yet
3225 3225 [ -z "${LDAP_SUFFIX_ACI}" ] &&
3226 3226 {
3227 3227 # set Directory Server default aci
3228 3228 LDAP_SUFFIX_ACI=`cat <<EOF
3229 3229 aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime
3230 3230 || passwordExpWarned || passwordRetryCount || retryCountResetTime ||
3231 3231 accountUnlockTime || passwordAllowChangeTime")
3232 3232 (
3233 3233 version 3.0;
3234 3234 acl "Anonymous access";
3235 3235 allow (read, search, compare) userdn = "ldap:///anyone";
3236 3236 )
3237 3237 aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
3238 3238 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
3239 3239 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
3240 3240 retryCountResetTime || accountUnlockTime || passwordHistory ||
3241 3241 passwordAllowChangeTime")
3242 3242 (
3243 3243 version 3.0;
3244 3244 acl "Allow self entry modification except for some attributes";
3245 3245 allow (write) userdn = "ldap:///self";
3246 3246 )
3247 3247 aci: (targetattr = "*")
3248 3248 (
3249 3249 version 3.0;
3250 3250 acl "Configuration Administrator";
3251 3251 allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
3252 3252 ou=TopologyManagement,o=NetscapeRoot";
3253 3253 )
3254 3254 aci: (targetattr ="*")
3255 3255 (
3256 3256 version 3.0;
3257 3257 acl "Configuration Administrators Group";
3258 3258 allow (all) groupdn = "ldap:///cn=Configuration Administrators,
3259 3259 ou=Groups,ou=TopologyManagement,o=NetscapeRoot";
3260 3260 )
3261 3261 EOF
3262 3262 `
3263 3263 }
3264 3264 [ $DEBUG -eq 1 ] && cat <<EOF
3265 3265 DEBUG: ACI for ${LDAP_SUFFIX} is
3266 3266 ${LDAP_SUFFIX_ACI}
3267 3267 EOF
3268 3268
3269 3269 NEED_CREATE_BACKEND=
3270 3270
3271 3271 # check the suffix mapping tree ...
3272 3272 # if mapping exists, suffix should work, otherwise DS inconsistent
3273 3273 # NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work
3274 3274 # in case of 'cn' value in LDAP is not quoted by '"',
3275 3275 # -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases
3276 3276 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3277 3277 -b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \
3278 3278 -s base 'objectclass=*' dn ${VERB}" &&
3279 3279 {
3280 3280 [ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists"
3281 3281 # get_backend() either gets IDS_DATABASE or exits
3282 3282 get_backend
3283 3283 return 0
3284 3284 }
3285 3285
3286 3286 # no suffix mapping, just in case check ldbm backends consistency -
3287 3287 # there are must be NO any databases pointing to LDAP_SUFFIX
3288 3288 [ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \
3289 3289 -b 'cn=ldbm database,cn=plugins,cn=config' \
3290 3290 -s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] &&
3291 3291 {
3292 3292 display_msg sfx_config_incons
3293 3293 return 1
3294 3294 }
3295 3295
3296 3296 # ok, no suffix mapping, no ldbm database
3297 3297 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..."
3298 3298 NEED_CREATE_BACKEND=1
3299 3299 return 0
3300 3300 }
3301 3301
3302 3302 #
3303 3303 # prepare for the suffix backend creation
3304 3304 #
3305 3305 # input : IDS_DATABASE - requested ldbm db name (must be not null)
3306 3306 # in/out : IDS_DATABASE_AVAIL - available ldbm db name
3307 3307 # return : 0 - ldbm db name ok
3308 3308 # 1 - IDS_DATABASE exists,
3309 3309 # so IDS_DATABASE_AVAIL contains available name
3310 3310 # 2 - unable to find any available name
3311 3311 #
3312 3312 prep_create_sfx_backend()
3313 3313 {
3314 3314 [ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()"
3315 3315
3316 3316 # check if requested name available
3317 3317 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0
3318 3318
3319 3319 # get the list of database names start with a requested name
3320 3320 _LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3321 3321 -b 'cn=ldbm database,cn=plugins,cn=config' \
3322 3322 -s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null
3323 3323
3324 3324 # find available db name based on a requested name
3325 3325 _i=""; _i_MAX=10
3326 3326 while [ ${_i:-0} -lt ${_i_MAX} ]
3327 3327 do
3328 3328 _name="${IDS_DATABASE}${_i}"
3329 3329 ${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 ||
3330 3330 {
3331 3331 IDS_DATABASE_AVAIL="${_name}"
3332 3332 break
3333 3333 }
3334 3334 _i=`expr ${_i:-0} + 1`
3335 3335 done
3336 3336
3337 3337 [ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0
3338 3338
3339 3339 [ -n "${IDS_DATABASE_AVAIL}" ] &&
3340 3340 {
3341 3341 display_msg ldbm_db_exist
3342 3342 return 1
3343 3343 }
3344 3344
3345 3345 display_msg unable_find_db_name
3346 3346 return 2
3347 3347 }
3348 3348
3349 3349 #
3350 3350 # add suffix if needed,
3351 3351 # suffix entry and backend MUST be prepared by
3352 3352 # prep_create_sfx_entry and prep_create_sfx_backend correspondingly
3353 3353 #
3354 3354 # input : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL
3355 3355 # LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE
3356 3356 # return : 0 - suffix successfully created, otherwise error occured
3357 3357 #
3358 3358 add_suffix()
3359 3359 {
3360 3360 [ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()"
3361 3361
3362 3362 [ -n "${NEED_CREATE_SUFFIX}" ] || return 0
3363 3363
3364 3364 [ -n "${NEED_CREATE_BACKEND}" ] &&
3365 3365 {
3366 3366 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
3367 3367 dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config
3368 3368 objectclass: top
3369 3369 objectclass: extensibleObject
3370 3370 objectclass: nsMappingTree
3371 3371 cn: ${LDAP_SUFFIX}
3372 3372 nsslapd-state: backend
3373 3373 nsslapd-backend: ${IDS_DATABASE}
3374 3374
3375 3375 dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config
3376 3376 objectclass: top
3377 3377 objectclass: extensibleObject
3378 3378 objectclass: nsBackendInstance
3379 3379 cn: ${IDS_DATABASE}
3380 3380 nsslapd-suffix: ${LDAP_SUFFIX}
3381 3381 EOF
3382 3382 [ $? -ne 0 ] &&
3383 3383 {
3384 3384 display_msg create_ldbm_db_error
3385 3385 return 1
3386 3386 }
3387 3387
3388 3388 ${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created"
3389 3389 STEP=`expr $STEP + 1`
3390 3390 }
3391 3391
3392 3392 ${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
3393 3393 dn: ${LDAP_SUFFIX}
3394 3394 objectclass: ${LDAP_SUFFIX_OBJ}
3395 3395 ${_ATT}: ${_VAL}
3396 3396 ${LDAP_SUFFIX_ACI}
3397 3397 EOF
3398 3398 [ $? -ne 0 ] &&
3399 3399 {
3400 3400 display_msg create_suffix_entry_error
3401 3401 return 1
3402 3402 }
3403 3403
3404 3404 ${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created"
3405 3405 STEP=`expr $STEP + 1`
3406 3406 return 0
3407 3407 }
3408 3408
3409 3409 #
3410 3410 # interactively get suffix and related info from a user
3411 3411 #
3412 3412 # input : LDAP_BASEDN - Base DN
3413 3413 # output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value;
3414 3414 # LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci;
3415 3415 # NEED_CREATE_BACKEND - tells whether backend needs to be created;
3416 3416 # IDS_DATABASE - prepared ldbm db name
3417 3417 # return : 0 - user gave a correct suffix
3418 3418 # 1 - suffix given by user cann't be created
3419 3419 #
3420 3420 get_suffix()
3421 3421 {
3422 3422 [ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()"
3423 3423
3424 3424 while :
3425 3425 do
3426 3426 get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN}
3427 3427 case "${ANS}" in
3428 3428 [Hh] | Help | help | \? ) display_msg create_suffix_help ;;
3429 3429 [Bb] | Back | back | \< ) return 1 ;;
3430 3430 * )
3431 3431 format_string "${ANS}"
3432 3432 LDAP_SUFFIX=${FMT_STR}
3433 3433 prep_create_sfx_entry || continue
3434 3434
3435 3435 [ -n "${NEED_CREATE_BACKEND}" ] &&
3436 3436 {
3437 3437 IDS_DATABASE_AVAIL= # reset the available db name
3438 3438
3439 3439 reenter_suffix=
3440 3440 while :
3441 3441 do
3442 3442 get_ans "Enter ldbm database name (b=back/h=help):" \
3443 3443 ${IDS_DATABASE_AVAIL:-${_VAL}}
3444 3444 case "${ANS}" in
3445 3445 [Hh] | \? ) display_msg enter_ldbm_db_help ;;
3446 3446 [Bb] | \< ) reenter_suffix=1; break ;;
3447 3447 * )
3448 3448 IDS_DATABASE="${ANS}"
3449 3449 prep_create_sfx_backend && break
3450 3450 esac
3451 3451 done
3452 3452 [ -n "${reenter_suffix}" ] && continue
3453 3453
3454 3454 [ $DEBUG -eq 1 ] && cat <<EOF
3455 3455 DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE}
3456 3456 EOF
3457 3457 }
3458 3458
3459 3459 # eventually everything is prepared
3460 3460 return 0
3461 3461 ;;
3462 3462 esac
3463 3463 done
3464 3464 }
3465 3465
3466 3466 #
3467 3467 # print out a script which sets LDAP suffix related preferences
3468 3468 #
3469 3469 print_suffix_config()
3470 3470 {
3471 3471 cat <<EOF2
3472 3472 # LDAP suffix related preferences used only if needed
3473 3473 IDS_DATABASE="${IDS_DATABASE}"
3474 3474 LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ"
3475 3475 LDAP_SUFFIX_ACI=\`cat <<EOF
3476 3476 ${LDAP_SUFFIX_ACI}
3477 3477 EOF
3478 3478 \`
3479 3479 export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI
3480 3480 EOF2
3481 3481 }
3482 3482
3483 3483 #
3484 3484 # check_basedn_suffix(): check that there is an existing
3485 3485 # valid suffix to hold current base DN
3486 3486 # return:
3487 3487 # 0: valid suffix found or new one should be created,
3488 3488 # NEED_CREATE_SUFFIX flag actually indicates that
3489 3489 # 1: some error occures
3490 3490 #
3491 3491 check_basedn_suffix()
3492 3492 {
3493 3493 [ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"
3494 3494
3495 3495 NEED_CREATE_SUFFIX=
3496 3496
3497 3497 # find out existing suffixes
3498 3498 discover_serv_suffix
3499 3499
3500 3500 ${ECHO} " Validating LDAP Base DN and Suffix ..."
3501 3501
3502 3502 # check that LDAP Base DN might be added
3503 3503 cur_ldap_entry=${LDAP_BASEDN}
3504 3504 prev_ldap_entry=
3505 3505 while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
3506 3506 do
3507 3507 [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
3508 3508 ${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
3509 3509 -s one "objectclass=*" > /dev/null 2>&1
3510 3510 if [ $? -eq 0 ]; then
3511 3511 break
3512 3512 else
3513 3513 prev_ldap_entry=${cur_ldap_entry}
3514 3514 cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
3515 3515 fi
3516 3516 done
3517 3517
3518 3518 if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
3519 3519 ${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}"
3520 3520
3521 3521 NEED_CREATE_SUFFIX=1
3522 3522 return 0
3523 3523
3524 3524 else
3525 3525 [ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"
3526 3526
3527 3527 # Now looking for relevant suffix for this entry.
3528 3528 # LDAP_SUFFIX will then be used to add necessary
3529 3529 # base objects. See add_base_objects().
3530 3530 format_string "${cur_ldap_entry}"
3531 3531 lower_entry="${FMT_STR}"
3532 3532 [ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
3533 3533 oIFS=$IFS
3534 3534 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
3535 3535 IFS='
3536 3536 '
3537 3537 for suff in ${LDAP_SUFFIX_LIST}
3538 3538 do
3539 3539 [ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
3540 3540 format_string "${suff}"
3541 3541 lower_suff="${FMT_STR}"
3542 3542 if [ "${lower_entry}" = "${lower_suff}" ]; then
3543 3543 LDAP_SUFFIX="${suff}"
3544 3544 break
3545 3545 else
3546 3546 dcstmp=`basename "${lower_entry}" "${lower_suff}"`
3547 3547 if [ "${dcstmp}" = "${lower_entry}" ]; then
3548 3548 # invalid suffix, try next one
3549 3549 continue
3550 3550 else
3551 3551 # valid suffix found
3552 3552 LDAP_SUFFIX="${suff}"
3553 3553 break
3554 3554 fi
3555 3555 fi
3556 3556 done
3557 3557 [ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
3558 3558 IFS=$oIFS
3559 3559
3560 3560 [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"
3561 3561
3562 3562 if [ -z "${LDAP_SUFFIX}" ]; then
3563 3563 # should not happen, since we found the entry
3564 3564 ${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
3565 3565 ${ECHO} "Exiting."
3566 3566 return 1
3567 3567 fi
3568 3568
3569 3569 # Getting relevant database (backend)
3570 3570 # IDS_DATABASE will then be used to create indexes.
3571 3571 get_backend
3572 3572
3573 3573 return 0
3574 3574 fi
3575 3575 }
3576 3576
3577 3577 #
3578 3578 # discover_serv_suffix(): This function queries the server to find
3579 3579 # suffixes available
3580 3580 # return: 0: OK, suffix found
3581 3581 # 1: suffix not determined
3582 3582 discover_serv_suffix()
3583 3583 {
3584 3584 [ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"
3585 3585
3586 3586 # Search the server for the TOP of the TREE.
3587 3587 ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
3588 3588 ${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
3589 3589 ${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
3590 3590 NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
3591 3591 case $NUM_TOP in
3592 3592 0)
3593 3593 [ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree"
3594 3594 return 1
3595 3595 ;;
3596 3596 *) # build the list of suffixes; take out 'namingContexts=' in
3597 3597 # each line of ${TMPDIR}/treeTOP
3598 3598 LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
3599 3599 awk '{ printf("%s\n",substr($0,16,length-15)) }'`
3600 3600 ;;
3601 3601 esac
3602 3602
3603 3603 [ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
3604 3604 return 0
3605 3605 }
3606 3606
3607 3607
3608 3608 #
3609 3609 # modify_cn(): Change the cn from MUST to MAY in ipNetwork.
3610 3610 #
3611 3611 modify_cn()
3612 3612 {
3613 3613 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"
3614 3614
3615 3615 ( cat <<EOF
3616 3616 dn: cn=schema
3617 3617 changetype: modify
3618 3618 add: objectclasses
3619 3619 objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' )
3620 3620 EOF
3621 3621 ) > ${TMPDIR}/ipNetwork_cn
3622 3622
3623 3623 # Modify the cn for ipNetwork.
3624 3624 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
3625 3625 if [ $? -ne 0 ]; then
3626 3626 ${ECHO} " ERROR: update of cn for ipNetwork failed!"
3627 3627 cleanup
3628 3628 exit 1
3629 3629 fi
3630 3630 }
3631 3631
3632 3632
3633 3633 # modify_timelimit(): Modify timelimit to user value.
3634 3634 modify_timelimit()
3635 3635 {
3636 3636 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"
3637 3637
3638 3638 # Here doc to modify timelimit.
3639 3639 ( cat <<EOF
3640 3640 dn: cn=config
3641 3641 changetype: modify
3642 3642 replace: nsslapd-timelimit
3643 3643 nsslapd-timelimit: ${IDS_TIMELIMIT}
3644 3644 EOF
3645 3645 ) > ${TMPDIR}/ids_timelimit
3646 3646
3647 3647 # Add the entry.
3648 3648 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
3649 3649 if [ $? -ne 0 ]; then
3650 3650 ${ECHO} " ERROR: update of nsslapd-timelimit failed!"
3651 3651 cleanup
3652 3652 exit 1
3653 3653 fi
3654 3654
3655 3655 # Display messages for modifications made in patch.
3656 3656 ${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
3657 3657 STEP=`expr $STEP + 1`
3658 3658 }
3659 3659
3660 3660
3661 3661 # modify_sizelimit(): Modify sizelimit to user value.
3662 3662 modify_sizelimit()
3663 3663 {
3664 3664 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"
3665 3665
3666 3666 # Here doc to modify sizelimit.
3667 3667 ( cat <<EOF
3668 3668 dn: cn=config
3669 3669 changetype: modify
3670 3670 replace: nsslapd-sizelimit
3671 3671 nsslapd-sizelimit: ${IDS_SIZELIMIT}
3672 3672 EOF
3673 3673 ) > ${TMPDIR}/ids_sizelimit
3674 3674
3675 3675 # Add the entry.
3676 3676 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
3677 3677 if [ $? -ne 0 ]; then
3678 3678 ${ECHO} " ERROR: update of nsslapd-sizelimit failed!"
3679 3679 cleanup
3680 3680 exit 1
3681 3681 fi
3682 3682
3683 3683 # Display messages for modifications made in patch.
3684 3684 ${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
3685 3685 STEP=`expr $STEP + 1`
3686 3686 }
3687 3687
3688 3688
3689 3689 # modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
3690 3690 modify_pwd_crypt()
3691 3691 {
3692 3692 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"
3693 3693
3694 3694 # Here doc to modify passwordstoragescheme.
3695 3695 # IDS 5.2 moved passwordchangesceme off to a new data structure.
3696 3696 if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
3697 3697 ( cat <<EOF
3698 3698 dn: cn=config
3699 3699 changetype: modify
3700 3700 replace: passwordstoragescheme
3701 3701 passwordstoragescheme: crypt
3702 3702 EOF
3703 3703 ) > ${TMPDIR}/ids_crypt
3704 3704 else
3705 3705 ( cat <<EOF
3706 3706 dn: cn=Password Policy,cn=config
3707 3707 changetype: modify
3708 3708 replace: passwordstoragescheme
3709 3709 passwordstoragescheme: crypt
3710 3710 EOF
3711 3711 ) > ${TMPDIR}/ids_crypt
3712 3712 fi
3713 3713
3714 3714 # Add the entry.
3715 3715 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
3716 3716 if [ $? -ne 0 ]; then
3717 3717 ${ECHO} " ERROR: update of passwordstoragescheme failed!"
3718 3718 cleanup
3719 3719 exit 1
3720 3720 fi
3721 3721
3722 3722 # Display messages for modifications made in patch.
3723 3723 ${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
3724 3724 STEP=`expr $STEP + 1`
3725 3725 }
3726 3726
3727 3727
3728 3728 #
3729 3729 # add_eq_indexes(): Add indexes to improve search performance.
3730 3730 #
3731 3731 add_eq_indexes()
3732 3732 {
3733 3733 [ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"
3734 3734
3735 3735 # Set eq indexes to add.
3736 3736 _INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"
3737 3737
3738 3738 if [ -z "${IDS_DATABASE}" ]; then
3739 3739 get_backend
3740 3740 fi
3741 3741
3742 3742 # Set _EXT to use as shortcut.
3743 3743 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3744 3744
3745 3745 # Display message to id current step.
3746 3746 ${ECHO} " ${STEP}. Processing eq,pres indexes:"
3747 3747 STEP=`expr $STEP + 1`
3748 3748
3749 3749 # For loop to create indexes.
3750 3750 for i in ${_INDEXES}; do
3751 3751 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}"
3752 3752
3753 3753 # Check if entry exists first, if so, skip to next.
3754 3754 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \
3755 3755 \"objectclass=*\" > /dev/null 2>&1"
3756 3756 if [ $? -eq 0 ]; then
3757 3757 # Display index skipped.
3758 3758 ${ECHO} " ${i} (eq,pres) skipped already exists"
3759 3759 continue
3760 3760 fi
3761 3761
3762 3762 # Here doc to create LDIF.
3763 3763 ( cat <<EOF
3764 3764 dn: cn=${i},${_EXT}
3765 3765 objectClass: top
3766 3766 objectClass: nsIndex
3767 3767 cn: ${i}
3768 3768 nsSystemIndex: false
3769 3769 nsIndexType: pres
3770 3770 nsIndexType: eq
3771 3771 EOF
3772 3772 ) > ${TMPDIR}/index_${i}
3773 3773
3774 3774 # Add the index.
3775 3775 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
3776 3776 if [ $? -ne 0 ]; then
3777 3777 ${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!"
3778 3778 cleanup
3779 3779 exit 1
3780 3780 fi
3781 3781
3782 3782 # Build date for task name.
3783 3783 _YR=`date '+%y'`
3784 3784 _MN=`date '+%m'`
3785 3785 _DY=`date '+%d'`
3786 3786 _H=`date '+%H'`
3787 3787 _M=`date '+%M'`
3788 3788 _S=`date '+%S'`
3789 3789
3790 3790 # Build task name
3791 3791 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
3792 3792
3793 3793 # Build the task entry to add.
3794 3794 ( cat <<EOF
3795 3795 dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
3796 3796 changetype: add
3797 3797 objectclass: top
3798 3798 objectclass: extensibleObject
3799 3799 cn: ${TASKNAME}
3800 3800 nsInstance: ${IDS_DATABASE}
3801 3801 nsIndexAttribute: ${i}
3802 3802 EOF
3803 3803 ) > ${TMPDIR}/task_${i}
3804 3804
3805 3805 # Add the task.
3806 3806 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
3807 3807 if [ $? -ne 0 ]; then
3808 3808 ${ECHO} " ERROR: Adding task for ${i} failed!"
3809 3809 cleanup
3810 3810 exit 1
3811 3811 fi
3812 3812
3813 3813 # Wait for task to finish, display current status.
3814 3814 while :
3815 3815 do
3816 3816 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3817 3817 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
3818 3818 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
3819 3819 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
3820 3820 if [ $? -ne 0 ]; then
3821 3821 break
3822 3822 fi
3823 3823 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
3824 3824 head -1 | cut -d: -f2`
3825 3825 ${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c"
3826 3826 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
3827 3827 if [ $? -eq 0 ]; then
3828 3828 break
3829 3829 fi
3830 3830 sleep 2
3831 3831 done
3832 3832
3833 3833 # Print newline because of \c.
3834 3834 ${ECHO} " "
3835 3835 done
3836 3836 }
3837 3837
3838 3838
3839 3839 #
3840 3840 # add_sub_indexes(): Add indexes to improve search performance.
3841 3841 #
3842 3842 add_sub_indexes()
3843 3843 {
3844 3844 [ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"
3845 3845
3846 3846 # Set eq indexes to add.
3847 3847 _INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"
3848 3848
3849 3849 # Set _EXT to use as shortcut.
3850 3850 _EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3851 3851
3852 3852
3853 3853 # Display message to id current step.
3854 3854 ${ECHO} " ${STEP}. Processing eq,pres,sub indexes:"
3855 3855 STEP=`expr $STEP + 1`
3856 3856
3857 3857 # For loop to create indexes.
3858 3858 for i in ${_INDEXES}; do
3859 3859 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}"
3860 3860
3861 3861 # Check if entry exists first, if so, skip to next.
3862 3862 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \
3863 3863 -s base \"objectclass=*\" > /dev/null 2>&1"
3864 3864 if [ $? -eq 0 ]; then
3865 3865 # Display index skipped.
3866 3866 ${ECHO} " ${i} (eq,pres,sub) skipped already exists"
3867 3867 continue
3868 3868 fi
3869 3869
3870 3870 # Here doc to create LDIF.
3871 3871 ( cat <<EOF
3872 3872 dn: cn=${i},${_EXT}
3873 3873 objectClass: top
3874 3874 objectClass: nsIndex
3875 3875 cn: ${i}
3876 3876 nsSystemIndex: false
3877 3877 nsIndexType: pres
3878 3878 nsIndexType: eq
3879 3879 nsIndexType: sub
3880 3880 EOF
3881 3881 ) > ${TMPDIR}/index_${i}
3882 3882
3883 3883 # Add the index.
3884 3884 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
3885 3885 if [ $? -ne 0 ]; then
3886 3886 ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!"
3887 3887 cleanup
3888 3888 exit 1
3889 3889 fi
3890 3890
3891 3891 # Build date for task name.
3892 3892 _YR=`date '+%y'`
3893 3893 _MN=`date '+%m'`
3894 3894 _DY=`date '+%d'`
3895 3895 _H=`date '+%H'`
3896 3896 _M=`date '+%M'`
3897 3897 _S=`date '+%S'`
3898 3898
3899 3899 # Build task name
3900 3900 TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"
3901 3901
3902 3902 # Build the task entry to add.
3903 3903 ( cat <<EOF
3904 3904 dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
3905 3905 changetype: add
3906 3906 objectclass: top
3907 3907 objectclass: extensibleObject
3908 3908 cn: ${TASKNAME}
3909 3909 nsInstance: ${IDS_DATABASE}
3910 3910 nsIndexAttribute: ${i}
3911 3911 EOF
3912 3912 ) > ${TMPDIR}/task_${i}
3913 3913
3914 3914 # Add the task.
3915 3915 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
3916 3916 if [ $? -ne 0 ]; then
3917 3917 ${ECHO} " ERROR: Adding task for ${i} failed!"
3918 3918 cleanup
3919 3919 exit 1
3920 3920 fi
3921 3921
3922 3922 # Wait for task to finish, display current status.
3923 3923 while :
3924 3924 do
3925 3925 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
3926 3926 -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
3927 3927 \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
3928 3928 ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
3929 3929 if [ $? -ne 0 ]; then
3930 3930 break
3931 3931 fi
3932 3932 TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
3933 3933 head -1 | cut -d: -f2`
3934 3934 ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c"
3935 3935 ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
3936 3936 if [ $? -eq 0 ]; then
3937 3937 break
3938 3938 fi
3939 3939 sleep 2
3940 3940 done
3941 3941
3942 3942 # Print newline because of \c.
3943 3943 ${ECHO} " "
3944 3944 done
3945 3945 }
3946 3946
3947 3947
3948 3948 #
3949 3949 # add_vlv_indexes(): Add VLV indexes to improve search performance.
3950 3950 #
3951 3951 add_vlv_indexes()
3952 3952 {
3953 3953 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()"
3954 3954
3955 3955 # Set eq indexes to add.
3956 3956 # Note semi colon separators because some filters contain colons
3957 3957 _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup"
3958 3958 _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost"
3959 3959 _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork"
3960 3960 _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount"
3961 3961 _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc"
3962 3962 _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount"
3963 3963
3964 3964 # Indexes added during NIS to LDAP transition
3965 3965 _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount"
3966 3966 _INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr"
3967 3967 _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr"
3968 3968 _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)"
3969 3969 _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)"
3970 3970 _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup"
3971 3971 _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)"
3972 3972 _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)"
3973 3973 _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup"
3974 3974 _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)"
3975 3975 _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)"
3976 3976 _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService"
3977 3977 _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)"
3978 3978 _INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)"
3979 3979
3980 3980 _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 "
3981 3981
3982 3982
3983 3983 # Set _EXT to use as shortcut.
3984 3984 _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"
3985 3985
3986 3986
3987 3987 # Display message to id current step.
3988 3988 ${ECHO} " ${STEP}. Processing VLV indexes:"
3989 3989 STEP=`expr $STEP + 1`
3990 3990
3991 3991 # Reset temp file for vlvindex commands.
3992 3992 [ -f ${TMPDIR}/ds5_vlvindex_list ] && rm ${TMPDIR}/ds5_vlvindex_list
3993 3993 touch ${TMPDIR}/ds5_vlvindex_list
3994 3994 [ -f ${TMPDIR}/ds6_vlvindex_list ] && rm ${TMPDIR}/ds6_vlvindex_list
3995 3995 touch ${TMPDIR}/ds6_vlvindex_list
3996 3996
3997 3997 # Get the instance name from iDS server.
3998 3998 _INSTANCE="<server-instance>" # Default to old output.
3999 3999
4000 4000 eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1"
4001 4001
4002 4002 ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right?
4003 4003 if [ $? -eq 0 ]; then # If success, grab name after "slapd-".
4004 4004 _INST_DIR=`cat ${TMPDIR}/instance_name`
4005 4005 _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-`
4006 4006 fi
4007 4007
4008 4008 # For loop to create indexes.
4009 4009 for p in ${_INDEXES}; do
4010 4010 [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}"
4011 4011
4012 4012 # Break p (pair) into i and j parts.
4013 4013 i=`${ECHO} $p | cut -d';' -f1`
4014 4014 j=`${ECHO} $p | cut -d';' -f2`
4015 4015 k=`${ECHO} $p | cut -d';' -f3`
4016 4016 m=`${ECHO} $p | cut -d';' -f4`
4017 4017
4018 4018 # Set _jEXT to use as shortcut.
4019 4019 _jEXT="cn=${j},${_EXT}"
4020 4020
4021 4021 # Check if entry exists first, if so, skip to next.
4022 4022 ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1
4023 4023 if [ $? -eq 0 ]; then
4024 4024 # Display index skipped.
4025 4025 ${ECHO} " ${i} vlv_index skipped already exists"
4026 4026 continue
4027 4027 fi
4028 4028
4029 4029 # Compute the VLV Scope from the LDAP_SEARCH_SCOPE.
4030 4030 # NOTE: A value of "base (0)" does not make sense.
4031 4031 case "$LDAP_SEARCH_SCOPE" in
4032 4032 sub) VLV_SCOPE="2" ;;
4033 4033 *) VLV_SCOPE="1" ;;
4034 4034 esac
4035 4035
4036 4036 # Here doc to create LDIF.
4037 4037 ( cat <<EOF
4038 4038 dn: ${_jEXT}
4039 4039 objectClass: top
4040 4040 objectClass: vlvSearch
4041 4041 cn: ${j}
4042 4042 vlvbase: ${k},${LDAP_BASEDN}
4043 4043 vlvscope: ${VLV_SCOPE}
4044 4044 vlvfilter: (${m})
4045 4045 aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
4046 4046
4047 4047 dn: cn=${i},${_jEXT}
4048 4048 cn: ${i}
4049 4049 vlvSort: cn uid
4050 4050 objectclass: top
4051 4051 objectclass: vlvIndex
4052 4052 EOF
4053 4053 ) > ${TMPDIR}/vlv_index_${i}
4054 4054
4055 4055 # Add the index.
4056 4056 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
4057 4057 if [ $? -ne 0 ]; then
4058 4058 ${ECHO} " ERROR: Adding VLV index for ${i} failed!"
4059 4059 cleanup
4060 4060 exit 1
4061 4061 fi
4062 4062
4063 4063 # Print message that index was created.
4064 4064 ${ECHO} " ${i} vlv_index Entry created"
4065 4065
4066 4066 # Add command to list of vlvindex commands to run.
4067 4067 ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list
4068 4068 ${ECHO} " <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list
4069 4069 done
4070 4070 }
4071 4071
4072 4072
4073 4073 #
4074 4074 # display_vlv_cmds(): Display VLV index commands to run on server.
4075 4075 #
4076 4076 display_vlv_cmds()
4077 4077 {
4078 4078 if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \
4079 4079 -s "${TMPDIR}/ds6_vlvindex_list" ]; then
4080 4080 display_msg display_vlv_list
4081 4081 fi
4082 4082
4083 4083 if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then
4084 4084 cat ${TMPDIR}/ds5_vlvindex_list
4085 4085 fi
4086 4086
4087 4087 cat << EOF
4088 4088
4089 4089
4090 4090 EOF
4091 4091
4092 4092 if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then
4093 4093 cat ${TMPDIR}/ds6_vlvindex_list
4094 4094 fi
4095 4095 }
4096 4096
4097 4097 #
4098 4098 # keep_backward_compatibility(): Modify schema for the backward compatibility if
4099 4099 # there are the incompatible attributes already
4100 4100 #
4101 4101 keep_backward_compatibility()
4102 4102 {
4103 4103 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \
4104 4104 \"objectclass=*\" attributeTypes | ${GREP} -i memberGid-oid ${VERB}"
4105 4105 if [ $? -eq 0 ]; then
4106 4106 ${SED} -e 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.5\.1\.30\ /memberGid-oid\ /' \
4107 4107 ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new
4108 4108 ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr
4109 4109 fi
4110 4110
4111 4111 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \
4112 4112 \"objectclass=*\" attributeTypes | ${GREP} -i rfc822mailMember-oid \
4113 4113 ${VERB}"
4114 4114 if [ $? -eq 0 ]; then
4115 4115 ${SED} -e \
4116 4116 's/1\.3\.6\.1\.4\.1\.42\.2\.27\.2\.1\.15\ /rfc822mailMember-oid\ /' \
4117 4117 ${TMPDIR}/schema_attr > ${TMPDIR}/schema_attr.new
4118 4118 ${MV} ${TMPDIR}/schema_attr.new ${TMPDIR}/schema_attr
4119 4119 fi
4120 4120 }
4121 4121
4122 4122 #
4123 4123 # update_schema_attr(): Update Schema to support Naming.
4124 4124 #
4125 4125 update_schema_attr()
4126 4126 {
4127 4127 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()"
4128 4128
4129 4129 ( cat <<EOF
4130 4130 dn: cn=schema
4131 4131 changetype: modify
4132 4132 add: attributetypes
4133 4133 attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4134 4134 attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4135 4135 attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4136 4136 attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4137 4137 attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4138 4138 attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4139 4139 attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4140 4140 attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4141 4141 attributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4142 4142 attributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4143 4143 attributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4144 4144 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4145 4145 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4146 4146 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4147 4147 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4148 4148 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4149 4149 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4150 4150 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4151 4151 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4152 4152 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4153 4153 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4154 4154 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4155 4155 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4156 4156 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4157 4157 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4158 4158 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4159 4159 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4160 4160 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4161 4161 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4162 4162 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4163 4163 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4164 4164 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4165 4165 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4166 4166 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4167 4167 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4168 4168 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4169 4169 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4170 4170 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4171 4171 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4172 4172 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4173 4173 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4174 4174 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4175 4175 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
4176 4176 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4177 4177 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4178 4178 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4179 4179 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4180 4180 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4181 4181 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4182 4182 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4183 4183 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4184 4184 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4185 4185 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4186 4186 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4187 4187 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
4188 4188 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4189 4189 attributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4190 4190 attributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4191 4191 attributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4192 4192 attributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4193 4193 attributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4194 4194 attributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4195 4195 attributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4196 4196 attributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4197 4197 attributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4198 4198 attributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4199 4199 attributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE )
4200 4200 attributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} )
4201 4201 attributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} )
4202 4202 attributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4203 4203 attributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
4204 4204 attributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
4205 4205 attributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4206 4206 attributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4207 4207 attributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
4208 4208 attributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
4209 4209 attributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4210 4210 attributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
4211 4211 attributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
4212 4212 attributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
4213 4213 attributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4214 4214 attributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4215 4215 attributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4216 4216 attributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
4217 4217 attributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4218 4218 attributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
4219 4219 attributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4220 4220 attributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4221 4221 attributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4222 4222 attributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
4223 4223 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
4224 4224 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
4225 4225 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4226 4226 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4227 4227 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
4228 4228 EOF
4229 4229 ) > ${TMPDIR}/schema_attr
4230 4230
4231 4231 keep_backward_compatibility
4232 4232
4233 4233 # Add the entry.
4234 4234 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}"
4235 4235 if [ $? -ne 0 ]; then
4236 4236 ${ECHO} " ERROR: update of schema attributes failed!"
4237 4237 cleanup
4238 4238 exit 1
4239 4239 fi
4240 4240
4241 4241 # Display message that schema is updated.
4242 4242 ${ECHO} " ${STEP}. Schema attributes have been updated."
4243 4243 STEP=`expr $STEP + 1`
4244 4244 }
4245 4245
4246 4246
4247 4247 #
4248 4248 # update_schema_obj(): Update the schema objectclass definitions.
4249 4249 #
4250 4250 update_schema_obj()
4251 4251 {
4252 4252 [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()"
4253 4253
4254 4254 # Add the objectclass definitions.
4255 4255 ( cat <<EOF
4256 4256 dn: cn=schema
4257 4257 changetype: modify
4258 4258 add: objectclasses
4259 4259 objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
4260 4260
4261 4261 dn: cn=schema
4262 4262 changetype: modify
4263 4263 add: objectclasses
4264 4264 objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain )
4265 4265
4266 4266 dn: cn=schema
4267 4267 changetype: modify
4268 4268 add: objectclasses
4269 4269 objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description )
4270 4270
4271 4271 dn: cn=schema
4272 4272 changetype: modify
4273 4273 add: objectclasses
4274 4274 objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description )
4275 4275
4276 4276 dn: cn=schema
4277 4277 changetype: modify
4278 4278 add: objectclasses
4279 4279 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) )
4280 4280
4281 4281 dn: cn=schema
4282 4282 changetype: modify
4283 4283 add: objectclasses
4284 4284 objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) )
4285 4285
4286 4286 dn: cn=schema
4287 4287 changetype: modify
4288 4288 add: objectclasses
4289 4289 objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember )
4290 4290
4291 4291 dn: cn=schema
4292 4292 changetype: modify
4293 4293 add: objectclasses
4294 4294 objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
4295 4295
4296 4296 dn: cn=schema
4297 4297 changetype: modify
4298 4298 add: objectclasses
4299 4299 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) )
4300 4300
4301 4301 dn: cn=schema
4302 4302 changetype: modify
4303 4303 add: objectclasses
4304 4304 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) )
4305 4305
4306 4306 dn: cn=schema
4307 4307 changetype: modify
4308 4308 add: objectclasses
4309 4309 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
4310 4310
4311 4311 dn: cn=schema
4312 4312 changetype: modify
4313 4313 add: objectclasses
4314 4314 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
4315 4315
4316 4316 dn: cn=schema
4317 4317 changetype: modify
4318 4318 add: objectclasses
4319 4319 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) )
4320 4320
4321 4321 dn: cn=schema
4322 4322 changetype: modify
4323 4323 add: objectclasses
4324 4324 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) )
4325 4325
4326 4326 dn: cn=schema
4327 4327 changetype: modify
4328 4328 add: objectclasses
4329 4329 objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
4330 4330
4331 4331 dn: cn=schema
4332 4332 changetype: modify
4333 4333 add: objectclasses
4334 4334 objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass )
4335 4335
4336 4336 dn: cn=schema
4337 4337 changetype: modify
4338 4338 add: objectclasses
4339 4339 objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY )
4340 4340
4341 4341 dn: cn=schema
4342 4342 changetype: modify
4343 4343 add: objectclasses
4344 4344 objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) )
4345 4345
4346 4346 dn: cn=schema
4347 4347 changetype: modify
4348 4348 add: objectclasses
4349 4349 objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) )
4350 4350
4351 4351 dn: cn=schema
4352 4352 changetype: modify
4353 4353 add: objectclasses
4354 4354 objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) )
4355 4355
4356 4356 dn: cn=schema
4357 4357 changetype: modify
4358 4358 add: objectclasses
4359 4359 objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) )
4360 4360
4361 4361 dn: cn=schema
4362 4362 changetype: modify
4363 4363 add: objectclasses
4364 4364 objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases )
4365 4365
4366 4366 dn: cn=schema
4367 4367 changetype: modify
4368 4368 add: objectclasses
4369 4369 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) )
4370 4370
4371 4371 dn: cn=schema
4372 4372 changetype: modify
4373 4373 add: objectclasses
4374 4374 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) )
4375 4375
4376 4376 dn: cn=schema
4377 4377 changetype: modify
4378 4378 add: objectclasses
4379 4379 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue )
4380 4380
4381 4381 dn: cn=schema
4382 4382 changetype: modify
4383 4383 add: objectclasses
4384 4384 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber )
4385 4385 EOF
4386 4386 ) > ${TMPDIR}/schema_obj
4387 4387
4388 4388 # Add the entry.
4389 4389 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}"
4390 4390 if [ $? -ne 0 ]; then
4391 4391 ${ECHO} " ERROR: update of schema objectclass definitions failed!"
4392 4392 cleanup
4393 4393 exit 1
4394 4394 fi
4395 4395
4396 4396 # Display message that schema is updated.
4397 4397 ${ECHO} " ${STEP}. Schema objectclass definitions have been added."
4398 4398 STEP=`expr $STEP + 1`
4399 4399 }
4400 4400
4401 4401 #
4402 4402 # modify_top_aci(): Modify the ACI for the top entry to disable self modify
4403 4403 # of user attributes.
4404 4404 #
4405 4405 modify_top_aci()
4406 4406 {
4407 4407 [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()"
4408 4408
4409 4409 # Set ACI Name
4410 4410 ACI_NAME="LDAP_Naming_Services_deny_write_access"
4411 4411
4412 4412 # Search for ACI_NAME
4413 4413 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1"
4414 4414 if [ $? -ne 0 ]; then
4415 4415 ${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4416 4416 cat ${TMPDIR}/chk_top_aci
4417 4417 cleanup
4418 4418 exit 1
4419 4419 fi
4420 4420 ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1
4421 4421 if [ $? -eq 0 ]; then
4422 4422 ${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}."
4423 4423 STEP=`expr $STEP + 1`
4424 4424 return 0
4425 4425 fi
4426 4426
4427 4427 # Crate LDIF for top level ACI.
4428 4428 ( cat <<EOF
4429 4429 dn: ${LDAP_BASEDN}
4430 4430 changetype: modify
4431 4431 add: aci
4432 4432 aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";)
4433 4433 -
4434 4434 EOF
4435 4435 ) > ${TMPDIR}/top_aci
4436 4436
4437 4437 # Add the entry.
4438 4438 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}"
4439 4439 if [ $? -ne 0 ]; then
4440 4440 ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)"
4441 4441 cleanup
4442 4442 exit 1
4443 4443 fi
4444 4444
4445 4445 # Display message that ACI is updated.
4446 4446 MSG="ACI for ${LDAP_BASEDN} modified to disable self modify."
4447 4447 if [ $EXISTING_PROFILE -eq 1 ];then
4448 4448 ${ECHO} " ACI SET: $MSG"
4449 4449 else
4450 4450 ${ECHO} " ${STEP}. $MSG"
4451 4451 STEP=`expr $STEP + 1`
4452 4452 fi
4453 4453 }
4454 4454
4455 4455 #
4456 4456 # find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1.
4457 4457 # Delete the ACI and print a message using $3 as the ACI name. $3 is needed
4458 4458 # because it could have a different value than that of $1.
4459 4459 find_and_delete_ACI()
4460 4460 {
4461 4461 [ $DEBUG -eq 1 ] && ${ECHO} "In find_and_delete_ACI"
4462 4462
4463 4463 # if an ACI with pattern $1 exists in file $2, delete it from ${LDAP_BASEDN}
4464 4464 ${EGREP} $1 $2 | ${SED} -e 's/aci=//' > ${TMPDIR}/grep_find_delete_aci 2>&1
4465 4465 if [ -s ${TMPDIR}/grep_find_delete_aci ]; then
4466 4466 aci_to_delete=`${CAT} ${TMPDIR}/grep_find_delete_aci`
4467 4467
4468 4468 # Create the tmp file to delete the ACI.
4469 4469 ( cat <<EOF
4470 4470 dn: ${LDAP_BASEDN}
4471 4471 changetype: modify
4472 4472 delete: aci
4473 4473 aci: ${aci_to_delete}
4474 4474 EOF
4475 4475 ) > ${TMPDIR}/find_delete_aci
4476 4476
4477 4477 # Delete the ACI
4478 4478 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}"
4479 4479 if [ $? -ne 0 ]; then
4480 4480 ${ECHO} " ERROR: Remove of $3 ACI failed!"
4481 4481 cleanup
4482 4482 exit 1
4483 4483 fi
4484 4484
4485 4485 ${RM} -f ${TMPDIR}/find_delete_aci
4486 4486 # Display message that an ACL is deleted.
4487 4487 MSG="ACI $3 deleted."
4488 4488 if [ $EXISTING_PROFILE -eq 1 ]; then
4489 4489 ${ECHO} " ACI DELETED: $MSG"
4490 4490 else
4491 4491 ${ECHO} " ${STEP}. $MSG"
4492 4492 STEP=`expr $STEP + 1`
4493 4493 fi
4494 4494 fi
4495 4495 }
4496 4496
4497 4497 #
4498 4498 # Add an ACI to deny non-admin access to shadow data when
4499 4499 # shadow update is enabled.
4500 4500 #
4501 4501 deny_non_admin_shadow_access()
4502 4502 {
4503 4503 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()"
4504 4504
4505 4505 # Set ACI Names
4506 4506 ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access"
4507 4507 ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access"
4508 4508
4509 4509 # Search for ACI_TO_ADD
4510 4510 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1"
4511 4511 if [ $? -ne 0 ]; then
4512 4512 ${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4513 4513 cleanup
4514 4514 exit 1
4515 4515 fi
4516 4516
4517 4517 # If an ACI with ${ACI_TO_ADD} already exists, we are done.
4518 4518 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_admin 2>&1 > /dev/null
4519 4519 if [ $? -eq 0 ]; then
4520 4520 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
4521 4521 if [ $EXISTING_PROFILE -eq 1 ]; then
4522 4522 ${ECHO} " NOT SET: $MSG"
4523 4523 else
4524 4524 ${ECHO} " ${STEP}. $MSG"
4525 4525 STEP=`expr $STEP + 1`
4526 4526 fi
4527 4527 return 0
4528 4528 fi
4529 4529
4530 4530 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
4531 4531 # should be mutually exclusive, so if the latter exists, delete it.
4532 4532 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_admin ${ACI_TO_DEL}
4533 4533
4534 4534 # Create the tmp file to add.
4535 4535 ( cat <<EOF
4536 4536 dn: ${LDAP_BASEDN}
4537 4537 changetype: modify
4538 4538 add: aci
4539 4539 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
4540 4540 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
4541 4541 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
4542 4542 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";)
4543 4543 EOF
4544 4544 ) > ${TMPDIR}/non_admin_aci_write
4545 4545
4546 4546 # Add the entry.
4547 4547 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}"
4548 4548 if [ $? -ne 0 ]; then
4549 4549 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!"
4550 4550 ${CAT} ${TMPDIR}/non_admin_aci_write
4551 4551 cleanup
4552 4552 exit 1
4553 4553 fi
4554 4554
4555 4555 ${RM} -f ${TMPDIR}/non_admin_aci_write
4556 4556 # Display message that the non-admin access to shadow data is denied.
4557 4557 MSG="Non-Admin access to shadow data denied."
4558 4558 if [ $EXISTING_PROFILE -eq 1 ]; then
4559 4559 ${ECHO} " ACI SET: $MSG"
4560 4560 else
4561 4561 ${ECHO} " ${STEP}. $MSG"
4562 4562 STEP=`expr $STEP + 1`
4563 4563 fi
4564 4564 }
4565 4565
4566 4566 #
4567 4567 # Add an ACI to deny non-host access to shadow data when
4568 4568 # shadow update is enabled and auth Method if gssapi.
4569 4569 #
4570 4570 deny_non_host_shadow_access()
4571 4571 {
4572 4572 [ $DEBUG -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()"
4573 4573
4574 4574 # Set ACI Names
4575 4575 ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access"
4576 4576 ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access"
4577 4577
4578 4578 # Search for ACI_TO_ADD
4579 4579 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1"
4580 4580 if [ $? -ne 0 ]; then
4581 4581 ${ECHO} "Error searching aci for ${LDAP_BASEDN}"
4582 4582 cleanup
4583 4583 exit 1
4584 4584 fi
4585 4585
4586 4586 # If an ACI with ${ACI_TO_ADD} already exists, we are done.
4587 4587 ${EGREP} ${ACI_TO_ADD} ${TMPDIR}/chk_aci_non_host 2>&1 > /dev/null
4588 4588 if [ $? -eq 0 ]; then
4589 4589 MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
4590 4590 if [ $EXISTING_PROFILE -eq 1 ]; then
4591 4591 ${ECHO} " NOT SET: $MSG"
4592 4592 else
4593 4593 ${ECHO} " ${STEP}. $MSG"
4594 4594 STEP=`expr $STEP + 1`
4595 4595 fi
4596 4596 return 0
4597 4597 fi
4598 4598
4599 4599 # The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
4600 4600 # should be mutually exclusive, so if the former exists, delete it.
4601 4601 find_and_delete_ACI ${ACI_TO_DEL} ${TMPDIR}/chk_aci_non_host ${ACI_TO_DEL}
4602 4602
4603 4603 # Create the tmp file to add.
4604 4604 ( cat <<EOF
4605 4605 dn: ${LDAP_BASEDN}
4606 4606 changetype: modify
4607 4607 add: aci
4608 4608 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
4609 4609 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
4610 4610 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
4611 4611 deny (write,read,search,compare)
4612 4612 userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
4613 4613 EOF
4614 4614 ) > ${TMPDIR}/non_host_aci_write
4615 4615
4616 4616 # Add the entry.
4617 4617 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}"
4618 4618 if [ $? -ne 0 ]; then
4619 4619 ${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!"
4620 4620 ${CAT} ${TMPDIR}/non_host_aci_write
4621 4621 cleanup
4622 4622 exit 1
4623 4623 fi
4624 4624
4625 4625 ${RM} -f ${TMPDIR}/non_host_aci_write
4626 4626 # Display message that the non-host access to shadow data is denied.
4627 4627 MSG="Non-host access to shadow data is denied."
4628 4628 if [ $EXISTING_PROFILE -eq 1 ]; then
4629 4629 ${ECHO} " ACI SET: $MSG"
4630 4630 else
4631 4631 ${ECHO} " ${STEP}. $MSG"
4632 4632 STEP=`expr $STEP + 1`
4633 4633 fi
4634 4634 }
4635 4635
4636 4636 #
4637 4637 # add_vlv_aci(): Add access control information (aci) for VLV.
4638 4638 #
4639 4639 add_vlv_aci()
4640 4640 {
4641 4641 [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"
4642 4642
4643 4643 # Add the VLV ACI.
4644 4644 ( cat <<EOF
4645 4645 dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
4646 4646 changetype: modify
4647 4647 replace: aci
4648 4648 aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
4649 4649 EOF
4650 4650 ) > ${TMPDIR}/vlv_aci
4651 4651
4652 4652 # Add the entry.
4653 4653 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
4654 4654 if [ $? -ne 0 ]; then
4655 4655 ${ECHO} " ERROR: Add of VLV ACI failed!"
4656 4656 cleanup
4657 4657 exit 1
4658 4658 fi
4659 4659
4660 4660 # Display message that schema is updated.
4661 4661 ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)."
4662 4662 STEP=`expr $STEP + 1`
4663 4663 }
4664 4664
4665 4665
4666 4666 #
4667 4667 # set_nisdomain(): Add the NisDomainObject to the Base DN.
4668 4668 #
4669 4669 set_nisdomain()
4670 4670 {
4671 4671 [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()"
4672 4672
4673 4673 # Check if nisDomain is already set.
4674 4674 ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \
4675 4675 \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1
4676 4676 ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}"
4677 4677 if [ $? -eq 0 ]; then
4678 4678 ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set."
4679 4679 STEP=`expr $STEP + 1`
4680 4680 return 0
4681 4681 fi
4682 4682
4683 4683 # Add the new top level containers.
4684 4684 ( cat <<EOF
4685 4685 dn: ${LDAP_BASEDN}
4686 4686 changetype: modify
4687 4687 objectclass: nisDomainObject
4688 4688 nisdomain: ${LDAP_DOMAIN}
4689 4689 EOF
4690 4690 ) > ${TMPDIR}/nis_domain
4691 4691
4692 4692 # Add the entry.
4693 4693 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}"
4694 4694 if [ $? -ne 0 ]; then
4695 4695 ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed."
4696 4696 cleanup
4697 4697 exit 1
4698 4698 fi
4699 4699
4700 4700 # Display message that schema is updated.
4701 4701 ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}."
4702 4702 STEP=`expr $STEP + 1`
4703 4703 }
4704 4704
4705 4705
4706 4706 #
4707 4707 # check_attrName(): Check that the attribute name is valid.
4708 4708 # $1 Key to check.
4709 4709 # Returns 0 : valid name 1 : invalid name
4710 4710 #
4711 4711 check_attrName()
4712 4712 {
4713 4713 [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()"
4714 4714 [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1"
4715 4715
4716 4716 ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1
4717 4717 if [ $? -eq 0 ]; then
4718 4718 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
4719 4719 attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}"
4720 4720 else
4721 4721 ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
4722 4722 attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}"
4723 4723 fi
4724 4724
4725 4725 if [ $? -ne 0 ]; then
4726 4726 return 1
4727 4727 else
4728 4728 return 0
4729 4729 fi
4730 4730 }
4731 4731
4732 4732
4733 4733 #
4734 4734 # get_objectclass(): Determine the objectclass for the given attribute name
4735 4735 # $1 Attribute name to check.
4736 4736 # _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig.
4737 4737 #
4738 4738 # NOTE: An attribute name can be valid but still we might not be able
4739 4739 # to determine the objectclass from the table.
4740 4740 # In such cases, the user needs to create the necessary object(s).
4741 4741 #
4742 4742 get_objectclass()
4743 4743 {
4744 4744 [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()"
4745 4745 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1"
4746 4746
4747 4747 # Set return value to NULL string.
4748 4748 _ATTR_NAME=""
4749 4749
4750 4750 # Test key for type:
4751 4751 case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in
4752 4752 ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;;
4753 4753 dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;;
4754 4754 o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;;
4755 4755 c | countryname | 2.5.4.6) _ATTR_NAME="country" ;;
4756 4756 *) _ATTR_NAME="" ;;
4757 4757 esac
4758 4758
4759 4759 [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME"
4760 4760 }
4761 4761
4762 4762
4763 4763 #
4764 4764 # add_base_objects(): Add any necessary base objects.
4765 4765 #
4766 4766 add_base_objects()
4767 4767 {
4768 4768 [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()"
4769 4769
4770 4770 # Convert to lower case for basename.
4771 4771 format_string "${LDAP_BASEDN}"
4772 4772 LOWER_BASEDN="${FMT_STR}"
4773 4773 format_string "${LDAP_SUFFIX}"
4774 4774 LOWER_SUFFIX="${FMT_STR}"
4775 4775
4776 4776 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
4777 4777 [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"
4778 4778
4779 4779 # Create additional components.
4780 4780 if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then
4781 4781 [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent"
4782 4782 else
4783 4783 # first, test that the suffix is valid
4784 4784 dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
4785 4785 if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then
4786 4786 # should not happen since check_basedn_suffix() succeeded
4787 4787 ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
4788 4788 ${ECHO} "for Base DN ${LOWER_BASEDN}"
4789 4789 cleanup
4790 4790 exit 1
4791 4791 fi
4792 4792 # OK, suffix is valid, start working with LDAP_BASEDN
4793 4793 # field separator is ',' (i.e., space is a valid character)
4794 4794 dcstmp2="`${ECHO} ${LDAP_BASEDN} |
4795 4795 sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`"
4796 4796 dcs=""
4797 4797 # use dcstmp to count the loop, and dcstmp2 to get the correct
4798 4798 # string case
4799 4799 # dcs should be in reverse order, only for these components
4800 4800 # that need to be added
4801 4801 while [ -n "${dcstmp}" ]
4802 4802 do
4803 4803 i2=`${ECHO} "$dcstmp2" | cut -f1 -d','`
4804 4804 dk=`${ECHO} $i2 | awk -F= '{print $1}'`
4805 4805 dc=`${ECHO} $i2 | awk -F= '{print $2}'`
4806 4806 dcs="$dk=$dc,$dcs";
4807 4807 dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','`
4808 4808 dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','`
4809 4809 [ $DEBUG -eq 1 ] && \
4810 4810 ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n"
4811 4811 done
4812 4812
4813 4813
4814 4814
4815 4815 lastdc=${LDAP_SUFFIX}
4816 4816 dc=`${ECHO} "${dcs}" | cut -f1 -d','`
4817 4817 dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','`
4818 4818 while [ -n "${dc}" ]; do
4819 4819 # Get Key and component from $dc.
4820 4820 dk2=`${ECHO} $dc | awk -F= '{print $1}'`
4821 4821 dc2=`${ECHO} $dc | awk -F= '{print $2}'`
4822 4822
4823 4823 # At this point, ${dk2} is a valid attribute name
4824 4824
4825 4825 # Check if entry exists first, if so, skip to next.
4826 4826 ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1
4827 4827 if [ $? -eq 0 ]; then
4828 4828 # Set the $lastdc to new dc.
4829 4829 lastdc="${dk2}=${dc2},$lastdc"
4830 4830
4831 4831 # Process next component.
4832 4832 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
4833 4833 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
4834 4834 continue
4835 4835
4836 4836 fi
4837 4837
4838 4838 # Determine the objectclass for the entry.
4839 4839 get_objectclass $dk2
4840 4840 OBJ_Name=${_ATTR_NAME}
4841 4841 if [ "${OBJ_Name}" = "" ]; then
4842 4842 ${ECHO} "Cannot determine objectclass for $dk2"
4843 4843 ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig"
4844 4844 exit 1
4845 4845 fi
4846 4846
4847 4847 # Add the new container.
4848 4848 ( cat <<EOF
4849 4849 dn: ${dk2}=${dc2},$lastdc
4850 4850 ${dk2}: $dc2
4851 4851 objectClass: top
4852 4852 objectClass: ${OBJ_Name}
4853 4853 EOF
4854 4854 ) > ${TMPDIR}/base_objects
4855 4855
4856 4856
4857 4857 # Set the $lastdc to new dc.
4858 4858 lastdc="${dk2}=${dc2},$lastdc"
4859 4859
4860 4860 # Add the entry.
4861 4861 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}"
4862 4862 if [ $? -ne 0 ]; then
4863 4863 ${ECHO} " ERROR: update of base objects ${dc} failed."
4864 4864 cleanup
4865 4865 exit 1
4866 4866 fi
4867 4867
4868 4868 # Display message that schema is updated.
4869 4869 ${ECHO} " ${STEP}. Created DN component ${dc}."
4870 4870 STEP=`expr $STEP + 1`
4871 4871
4872 4872 # Process next component.
4873 4873 dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
4874 4874 dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
4875 4875 done
4876 4876 fi
4877 4877 }
4878 4878
4879 4879
4880 4880 #
4881 4881 # add_new_containers(): Add the top level classes.
4882 4882 #
4883 4883 # $1 = Base DN
4884 4884 #
4885 4885 add_new_containers()
4886 4886 {
4887 4887 [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()"
4888 4888
4889 4889 for ou in people group rpc protocols networks netgroup \
4890 4890 aliases hosts services ethers profile printers projects \
4891 4891 SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do
4892 4892
4893 4893 # Check if nismaps already exist.
4894 4894 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
4895 4895 if [ $? -eq 0 ]; then
4896 4896 continue
4897 4897 fi
4898 4898
4899 4899 # Create TMP file to add.
4900 4900 ( cat <<EOF
4901 4901 dn: ou=${ou},${LDAP_BASEDN}
4902 4902 ou: ${ou}
4903 4903 objectClass: top
4904 4904 objectClass: organizationalUnit
4905 4905 EOF
4906 4906 ) > ${TMPDIR}/toplevel.${ou}
4907 4907
4908 4908 # Add the entry.
4909 4909 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}"
4910 4910 if [ $? -ne 0 ]; then
4911 4911 ${ECHO} " ERROR: Add of ou=${ou} container failed!"
4912 4912 cleanup
4913 4913 exit 1
4914 4914 fi
4915 4915 done
4916 4916
4917 4917 # Display message that top level OU containers complete.
4918 4918 ${ECHO} " ${STEP}. Top level \"ou\" containers complete."
4919 4919 STEP=`expr $STEP + 1`
4920 4920 }
4921 4921
4922 4922
4923 4923 #
4924 4924 # add_auto_maps(): Add the automount map entries.
4925 4925 #
4926 4926 # auto_home, auto_direct, auto_master, auto_shared
4927 4927 #
4928 4928 add_auto_maps()
4929 4929 {
4930 4930 [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()"
4931 4931
4932 4932 # Set AUTO_MAPS for maps to create.
4933 4933 AUTO_MAPS="auto_home auto_direct auto_master auto_shared"
4934 4934
4935 4935 for automap in $AUTO_MAPS; do
4936 4936 # Check if automaps already exist.
4937 4937 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
4938 4938 if [ $? -eq 0 ]; then
4939 4939 continue
4940 4940 fi
4941 4941
4942 4942 # Create the tmp file to add.
4943 4943 ( cat <<EOF
4944 4944 dn: automountMapName=${automap},${LDAP_BASEDN}
4945 4945 automountMapName: ${automap}
4946 4946 objectClass: top
4947 4947 objectClass: automountMap
4948 4948 EOF
4949 4949 ) > ${TMPDIR}/automap.${automap}
4950 4950
4951 4951 # Add the entry.
4952 4952 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}"
4953 4953 if [ $? -ne 0 ]; then
4954 4954 ${ECHO} " ERROR: Add of automap ${automap} failed!"
4955 4955 cleanup
4956 4956 exit 1
4957 4957 fi
4958 4958 done
4959 4959
4960 4960 # Display message that automount entries are updated.
4961 4961 ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed."
4962 4962 STEP=`expr $STEP + 1`
4963 4963 }
4964 4964
4965 4965
4966 4966 #
4967 4967 # add_proxyagent(): Add entry for nameservice to use to access server.
4968 4968 #
4969 4969 add_proxyagent()
4970 4970 {
4971 4971 [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()"
4972 4972
4973 4973 # Check if proxy agent already exists.
4974 4974 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}"
4975 4975 if [ $? -eq 0 ]; then
4976 4976 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists."
4977 4977 STEP=`expr $STEP + 1`
4978 4978 return 0
4979 4979 fi
4980 4980
4981 4981 # Get cn and sn names from LDAP_PROXYAGENT.
4982 4982 cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=`
4983 4983
4984 4984 # Create the tmp file to add.
4985 4985 ( cat <<EOF
4986 4986 dn: ${LDAP_PROXYAGENT}
4987 4987 cn: ${cn_tmp}
4988 4988 sn: ${cn_tmp}
4989 4989 objectclass: top
4990 4990 objectclass: person
4991 4991 userpassword: ${LDAP_PROXYAGENT_CRED}
4992 4992 EOF
4993 4993 ) > ${TMPDIR}/proxyagent
4994 4994
4995 4995 # Add the entry.
4996 4996 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}"
4997 4997 if [ $? -ne 0 ]; then
4998 4998 ${ECHO} " ERROR: Adding proxyagent failed!"
4999 4999 cleanup
5000 5000 exit 1
5001 5001 fi
5002 5002
5003 5003 # Display message that schema is updated.
5004 5004 ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added."
5005 5005 STEP=`expr $STEP + 1`
5006 5006 }
5007 5007
5008 5008 #
5009 5009 # allow_proxy_read_pw(): Give Proxy Agent read permission for password.
5010 5010 #
5011 5011 allow_proxy_read_pw()
5012 5012 {
5013 5013 [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()"
5014 5014
5015 5015 # Search for ACI_NAME
5016 5016 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5017 5017 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1
5018 5018 if [ $? -eq 0 ]; then
5019 5019 ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}."
5020 5020 STEP=`expr $STEP + 1`
5021 5021 return 0
5022 5022 fi
5023 5023
5024 5024 # Create the tmp file to add.
5025 5025 ( cat <<EOF
5026 5026 dn: ${LDAP_BASEDN}
5027 5027 changetype: modify
5028 5028 add: aci
5029 5029 aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")
5030 5030 (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search)
5031 5031 userdn = "ldap:///${LDAP_PROXYAGENT}";)
5032 5032 EOF
5033 5033 ) > ${TMPDIR}/proxy_read
5034 5034
5035 5035 # Add the entry.
5036 5036 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}"
5037 5037 if [ $? -ne 0 ]; then
5038 5038 ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!"
5039 5039 cleanup
5040 5040 exit 1
5041 5041 fi
5042 5042
5043 5043 # Display message that schema is updated.
5044 5044 ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password."
5045 5045 STEP=`expr $STEP + 1`
5046 5046 }
5047 5047
5048 5048 # Delete Proxy Agent read permission for password.
5049 5049 delete_proxy_read_pw()
5050 5050 {
5051 5051 [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()"
5052 5052
5053 5053 # Search for ACI_NAME
5054 5054 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
5055 5055 ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \
|
↓ open down ↓ |
3615 lines elided |
↑ open up ↑ |
5056 5056 ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1
5057 5057 if [ $? -ne 0 ]; then
5058 5058 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5059 5059 return 0
5060 5060 fi
5061 5061
5062 5062 # We need to remove proxy agent's read access to user passwords,
5063 5063 # but We do not know the value of the ${LDAP_PROXYAGENT} here, so
5064 5064 # 1. if only one match found, delete it
5065 5065 # 2. if more than one matches found, ask the user which one to delete
5066 - HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'`
5066 + HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${AWK} '{print $1}'`
5067 5067 if [ $HOWMANY -eq 0 ]; then
5068 5068 ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}."
5069 5069 return 0
5070 5070 fi
5071 5071 if [ $HOWMANY -eq 1 ];then
5072 5072 proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci`
5073 5073 else
5074 5074 ${CAT} << EOF
5075 5075
5076 5076 Proxy agent is not allowed to read user passwords when shadow
5077 5077 update is enabled. There are more than one proxy agents found.
5078 5078 Please select the currently proxy agent being used, so that
5079 5079 idsconfig can remove its read access to user passwords.
|
↓ open down ↓ |
3 lines elided |
↑ open up ↑ |
5080 5080
5081 5081 The proxy agents are:
5082 5082
5083 5083 EOF
5084 5084 # generate the proxy agent list
5085 5085 ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \
5086 5086 ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \
5087 5087 ${TMPDIR}/proxy_agent_list
5088 5088
5089 5089 # print the proxy agent list
5090 - ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list
5090 + ${AWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list
5091 5091
5092 5092 # ask the user to pick one
5093 5093 _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): "
5094 5094 get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY"
5095 5095 _CH=$MN_CH
5096 5096 proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci`
5097 5097 fi
5098 5098
5099 5099 # Create the tmp file to delete the ACI.
5100 5100 ( cat <<EOF
5101 5101 dn: ${LDAP_BASEDN}
5102 5102 changetype: modify
5103 5103 delete: aci
5104 5104 aci: ${proxy_aci}
5105 5105 EOF
5106 5106 ) > ${TMPDIR}/proxy_delete
5107 5107
5108 5108 # Delete the ACI
5109 5109 ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}"
5110 5110 if [ $? -ne 0 ]; then
5111 5111 ${ECHO} " ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!"
5112 5112 cat ${TMPDIR}/proxy_delete
5113 5113 cleanup
5114 5114 exit 1
5115 5115 fi
5116 5116
5117 5117 # Display message that ACI is updated.
5118 5118 MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password."
5119 5119 ${ECHO} " "
5120 5120 ${ECHO} " ACI REMOVED: $MSG"
5121 5121 ${ECHO} " The ACI removed is $proxy_aci"
5122 5122 ${ECHO} " "
5123 5123 }
5124 5124
5125 5125 #
5126 5126 # add_profile(): Add client profile to server.
5127 5127 #
5128 5128 add_profile()
5129 5129 {
5130 5130 [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"
5131 5131
5132 5132 # If profile name already exists, DELETE it, and add new one.
5133 5133 eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
5134 5134 if [ $? -eq 0 ]; then
5135 5135 # Create Delete file.
5136 5136 ( cat <<EOF
5137 5137 cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
5138 5138 EOF
5139 5139 ) > ${TMPDIR}/del_profile
5140 5140
5141 5141 # Check if DEL_OLD_PROFILE is set. (If not ERROR)
5142 5142 if [ $DEL_OLD_PROFILE -eq 0 ]; then
5143 5143 ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
5144 5144 exit 1
5145 5145 fi
5146 5146
5147 5147 # Delete the OLD profile.
5148 5148 ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
5149 5149 if [ $? -ne 0 ]; then
5150 5150 ${ECHO} " ERROR: Attempt to DELETE profile failed!"
5151 5151 cleanup
5152 5152 exit 1
5153 5153 fi
5154 5154 fi
5155 5155
5156 5156 # Build the "ldapclient genprofile" command string to execute.
5157 5157 GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""
5158 5158
5159 5159 # Add required argument defaultSearchBase.
5160 5160 GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""
5161 5161
5162 5162 # Add optional parameters.
5163 5163 [ -n "$LDAP_SERVER_LIST" ] && \
5164 5164 GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
5165 5165 [ -n "$LDAP_SEARCH_SCOPE" ] && \
5166 5166 GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
5167 5167 [ -n "$LDAP_CRED_LEVEL" ] && \
5168 5168 GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
5169 5169 [ -n "$LDAP_AUTHMETHOD" ] && \
5170 5170 GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
5171 5171 [ -n "$LDAP_FOLLOWREF" ] && \
5172 5172 GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
5173 5173 [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
5174 5174 GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
5175 5175 [ -n "$LDAP_PROFILE_TTL" ] && \
5176 5176 GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
5177 5177 [ -n "$LDAP_BIND_LIMIT" ] && \
5178 5178 GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
5179 5179 [ -n "$LDAP_PREF_SRVLIST" ] && \
5180 5180 GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
5181 5181 [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
5182 5182 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
5183 5183 [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
5184 5184 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
5185 5185 [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
5186 5186 GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""
5187 5187
5188 5188 # Check if there are any service search descriptors to ad.
5189 5189 if [ -s "${SSD_FILE}" ]; then
5190 5190 ssd_2_profile
5191 5191 fi
5192 5192
5193 5193 # Execute "ldapclient genprofile" to create profile.
5194 5194 eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
5195 5195 if [ $? -ne 0 ]; then
5196 5196 ${ECHO} " ERROR: ldapclient genprofile failed!"
5197 5197 cleanup
5198 5198 exit 1
5199 5199 fi
5200 5200
5201 5201 # Add the generated profile..
5202 5202 ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
5203 5203 if [ $? -ne 0 ]; then
5204 5204 ${ECHO} " ERROR: Attempt to add profile failed!"
5205 5205 cleanup
5206 5206 exit 1
5207 5207 fi
5208 5208
5209 5209 # Display message that schema is updated.
5210 5210 ${ECHO} " ${STEP}. Generated client profile and loaded on server."
5211 5211 STEP=`expr $STEP + 1`
5212 5212 }
5213 5213
5214 5214
5215 5215 #
5216 5216 # cleanup(): Remove the TMPDIR and all files in it.
5217 5217 #
5218 5218 cleanup()
5219 5219 {
5220 5220 [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"
5221 5221
5222 5222 rm -fr ${TMPDIR}
5223 5223 }
5224 5224
5225 5225
5226 5226 #
5227 5227 # * * * MAIN * * *
5228 5228 #
5229 5229 # Description:
5230 5230 # This script assumes that the iPlanet Directory Server (iDS) is
5231 5231 # installed and that setup has been run. This script takes the
5232 5232 # iDS server from that point and sets up the infrastructure for
5233 5233 # LDAP Naming Services. After running this script, ldapaddent(1M)
5234 5234 # or some other tools can be used to populate data.
5235 5235
5236 5236 # Initialize the variables that need to be set to NULL, or some
5237 5237 # other initial value before the rest of the functions can be called.
5238 5238 init
5239 5239
5240 5240 # Parse command line arguments.
5241 5241 parse_arg $*
5242 5242 shift $?
5243 5243
5244 5244 # Print extra line to separate from prompt.
5245 5245 ${ECHO} " "
5246 5246
5247 5247 # Either Load the user specified config file
5248 5248 # or prompt user for config info.
5249 5249 if [ -n "$INPUT_FILE" ]
5250 5250 then
5251 5251 load_config_file
5252 5252 INTERACTIVE=0 # Turns off prompts that occur later.
5253 5253 validate_info # Validate basic info in file.
5254 5254 chk_ids_version # Check iDS version for compatibility.
5255 5255 else
5256 5256 # Display BACKUP warning to user.
5257 5257 display_msg backup_server
5258 5258 get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
5259 5259 if [ $? -eq 0 ]; then # if No, cleanup and exit.
5260 5260 cleanup ; exit 1
5261 5261 fi
5262 5262
5263 5263 # Prompt for values.
5264 5264 prompt_config_info
5265 5265 display_summary # Allow user to modify results.
5266 5266 INTERACTIVE=1 # Insures future prompting.
5267 5267 fi
5268 5268
5269 5269 # Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
5270 5270 modify_cn
5271 5271
5272 5272 # Modify timelimit to user value.
5273 5273 [ $NEED_TIME -eq 1 ] && modify_timelimit
5274 5274
5275 5275 # Modify sizelimit to user value.
5276 5276 [ $NEED_SIZE -eq 1 ] && modify_sizelimit
5277 5277
5278 5278 # Modify the password storage scheme to support CRYPT.
5279 5279 if [ "$NEED_CRYPT" = "TRUE" ]; then
5280 5280 modify_pwd_crypt
5281 5281 fi
5282 5282
5283 5283 # Update the schema (Attributes, Objectclass Definitions)
5284 5284 if [ ${SCHEMA_UPDATED} -eq 0 ]; then
5285 5285 update_schema_attr
5286 5286 update_schema_obj
5287 5287 fi
5288 5288
5289 5289 # Add suffix together with its root entry (if needed)
5290 5290 add_suffix ||
5291 5291 {
5292 5292 cleanup
5293 5293 exit 1
5294 5294 }
5295 5295
5296 5296 # Add base objects (if needed)
5297 5297 add_base_objects
5298 5298
5299 5299 # Update the NisDomainObject.
5300 5300 # The Base DN might of just been created, so this MUST happen after
5301 5301 # the base objects have been added!
5302 5302 set_nisdomain
5303 5303
5304 5304 # Add top level classes (new containers)
5305 5305 add_new_containers
5306 5306
5307 5307 # Add common nismaps.
5308 5308 add_auto_maps
5309 5309
5310 5310 # Modify top ACI.
5311 5311 modify_top_aci
5312 5312
5313 5313 # Add Access Control Information for VLV.
5314 5314 add_vlv_aci
5315 5315
5316 5316 # if Proxy needed, Add Proxy Agent and give read permission for password.
5317 5317 if [ $NEED_PROXY -eq 1 ]; then
5318 5318 add_proxyagent
5319 5319 if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then
5320 5320 allow_proxy_read_pw
5321 5321 fi
5322 5322 fi
5323 5323
5324 5324 # If admin needed for shadow update, Add the administrator identity and
5325 5325 # give read/write permission for shadow, and deny all others read/write
5326 5326 # access to it.
5327 5327 if [ $NEED_ADMIN -eq 1 ]; then
5328 5328 add_admin
5329 5329 allow_admin_read_write_shadow
5330 5330 # deny non-admin access to shadow data
5331 5331 deny_non_admin_shadow_access
5332 5332 fi
5333 5333
5334 5334 if [ $GSSAPI_ENABLE -eq 1 ]; then
5335 5335 add_id_mapping_rules
5336 5336 # do not modify ACI if "sasl/GSSAPI" and "self" are not selected
5337 5337 if [ "$LDAP_CRED_LEVEL" = "self" -a "$LDAP_AUTHMETHOD" = "sasl/GSSAPI" ]; then
5338 5338 modify_userpassword_acl_for_gssapi
5339 5339 else
5340 5340 ${ECHO} " ACL for GSSAPI was not set because of incompatibility in profile."
5341 5341 fi
5342 5342 fi
5343 5343
5344 5344 # If use host principal for shadow update, give read/write permission for
5345 5345 # shadow, and deny all others' read/write access to it.
5346 5346 if [ $NEED_HOSTACL -eq 1 ]; then
5347 5347 allow_host_read_write_shadow
5348 5348 # deny non-host access to shadow data
5349 5349 deny_non_host_shadow_access
5350 5350 fi
5351 5351
5352 5352
5353 5353 # Generate client profile and add it to the server.
5354 5354 add_profile
5355 5355
5356 5356 # Add Indexes to improve Search Performance.
5357 5357 add_eq_indexes
5358 5358 add_sub_indexes
5359 5359 add_vlv_indexes
5360 5360
5361 5361 # Display setup complete message
5362 5362 display_msg setup_complete
5363 5363
5364 5364 # Display VLV index commands to be executed on server.
5365 5365 display_vlv_cmds
5366 5366
5367 5367 # Create config file if requested.
5368 5368 [ -n "$OUTPUT_FILE" ] && create_config_file
5369 5369
5370 5370 # Removed the TMPDIR and all files in it.
5371 5371 cleanup
5372 5372
5373 5373 exit 0
5374 5374 # end of MAIN.
|
↓ open down ↓ |
274 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX