#!/bin/ksh
#  ALTRAN_PROLOG_BEGIN_TAG                                                    
#  This is an automatically generated prolog.                                  
#                                                                              
#  Copyright (C) Altran ACT S.A.S. 2019,2021.  All rights reserved.  
#                                                                              
#  ALTRAN_PROLOG_END_TAG                                                      
#                                                                              
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# 61haes_r714 src/43haes/usr/sbin/cluster/cspoc/utilities/cl_ldap_server_existing.sh 1.3 
#  
# Licensed Materials - Property of IBM 
#  
# COPYRIGHT International Business Machines Corp. 2010,2011 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 
# @(#)  7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_ldap_server_existing.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
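#
# cl_ldap_server_existing - register an LDAP server that is already running
# (IBM Tivoli Directory Server or Microsoft Active Directory) as the cluster
# LDAP server.  The script checks the ITDS client filesets, probes every
# server over SSL to find its vendor, pushes the AIX schema and auxiliary
# classes into an Active Directory server over rsh/rcp, loads the RBAC and
# EFS tables with idsldapadd and finally records the server in the HACMPLDAP
# ODM class.
#
# Usage: cl_ldap_server_existing -h <hostnames> -a <admin_DN> -w <password>
#        -d <base DN> -p <port_num> -S <ssl_keypath> -W <ssl_password>
#   -h  comma separated list of LDAP server host names
#   -a  LDAP administrator DN
#   -w  password of the administrator DN
#   -d  base DN under which the AIX data is stored
#   -p  SSL port of the LDAP server
#   -S  client key database; the name must end in .kdb
#   -W  password of the key database
# All seven options are mandatory.
#
# Both passwords are handed to ldapsearch, idsldapadd and mksecldap on their
# command lines (visible in the process table while those commands run) and
# are stored in clear text in the HACMPLDAP ODM class.
#
#including common initialization and definitions
. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
fsec_init
#processing arguments
_USAGE="$( dspmsg -s 129 cspoc.cat 90 "Usage: %s -h <hostnames> -a <admin_DN> -w <password> -d <base DN> -p <port_num> -S <ssl_keypath> -W <ssl_password>" "$0")"

while getopts :h:a:w:d:p:S:W: flag
do
	case "$flag" in
	h)	SERVER_LIST="$OPTARG";;
	a)	ADMIN_DN="$OPTARG";;
	w)	ADMIN_DNPW="$OPTARG";;
	d)	BASE_DN="$OPTARG";;
	p)	SSL_PORT_NUM="$OPTARG";;
	S)	CLNT_KDB_PATH="$OPTARG";;
	W)	CLNT_KDB_PW="$OPTARG";;
	*)	print -u2
		/usr/bin/dspmsg -s 4 utilities.cat 50 '%1$s: unknown option "%2$s"\n' "$(/usr/bin/basename "$0")" "-$OPTARG" 1>&2
		print -u2 "\n$_USAGE\n"
		exit 1;;
	esac
done
#arithmetic form of the shift count; the bare "$OPTIND-1" is only evaluated by ksh
shift $((OPTIND - 1))

#every option is mandatory: none of the later steps can bind, copy or
#configure anything with an empty value, so fail here with the usage text
if [[ -z "$SERVER_LIST" || -z "$ADMIN_DN" || -z "$ADMIN_DNPW" || -z "$BASE_DN" || -z "$SSL_PORT_NUM" || -z "$CLNT_KDB_PATH" || -z "$CLNT_KDB_PW" ]]
then
	print -u2 "\n$_USAGE\n"
	exit 1
fi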

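odm_check
#check whether ldap server exists ?
#odmget prints the stored stanza when a ServerList entry is already present
if [[ -n "$(odmget -q "group=LDAPServer and name=ServerList" HACMPLDAP)" ]]
then
	dspmsg -s 129 cspoc.cat 142 "A LDAP server exists.\n"
	exit 2
fi
#check ssl key path extension with a shell pattern; the former
#grep ".kdb$" left the dot unescaped and so also accepted e.g. "client-kdb"
if [[ "$CLNT_KDB_PATH" != *.kdb ]]
then
	dspmsg -s 129 cspoc.cat 140 "Key file path should be in '*.kdb' format.\n"
	exit 2
fi
#extract list of servers: the -h value is comma separated
SERVER_LIST_CC=$(echo "$SERVER_LIST" | sed 's/,/ /g')
if [[ -z "$SERVER_LIST_CC" ]]
then
	ret_fail "Server list not found." 1
fi
#get the first server; the AIX tables are loaded into this one later on
TMP_SRV=$(echo "$SERVER_LIST_CC" | awk '{print $1}')
if [[ -z "$TMP_SRV" ]]
then
	ret_fail "First server not found." 1
fi
RSHFLAG=1	#cleared below when rsh to any server fails
VTYPE=1		#server vendor: 1 = IBM TDS, 0 = Microsoft Active Directory
TMP_LDIF=${FSEC_LOG_DIR}/ldap_tmp.$$	#scratch LDIF for the Active Directory schema changes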

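#to get the ldap client fileset version(s): level field of every
#idsldap.cltbase* record of lslpp -lc, reduced to major+minor ("6.2" -> 62).
#The grep pattern is quoted so the shell cannot glob-expand it against files
#in the current directory, and the dot is escaped so it matches literally.
VERSION=$(lslpp -lc | grep 'idsldap\.cltbase' | awk -F: '{print $3}' | awk -F. '{print $1 $2}' | sort -u)
if [[ -z "$VERSION" ]]
then
	ret_fail "Version not found." 1
fi
#keep the highest installed version that is at least 6.2
FLAG=0
MAX_VER=0
for X in $VERSION
do
	if [[ "$X" -ge 62 ]]
	then
		if [[ "$MAX_VER" -lt "$X" ]]
		then
			MAX_VER=$X
		fi
		FLAG=1
	fi
done

VERSION=$MAX_VER
if [[ "$FLAG" -eq 0 ]]
then
	ret_fail "Client filesets are not installed" 1
fi

#to get the ldap client base path: the directory whose /etc belongs to the
#cltbase fileset, with /etc stripped off
TDS_CLT_PATH=$(/usr/bin/lslpp -f idsldap.cltbase${VERSION}.rte | grep "/etc$" | /usr/bin/sed 's/\/etc//g')
if [[ -z "$TDS_CLT_PATH" ]]
then
	ret_fail "Client path not found." 1
fi
#the unquoted echo trims the leading blanks of the lslpp -f output
TDS_CLT_PATH=$(echo $TDS_CLT_PATH | tr -s ' ')
TDS_CLT_VER=$(lslpp -cl idsldap.cltbase${VERSION}.rte | sed '1d' | awk -F: '{print $3}' | sort -u)
if [[ -z "$TDS_CLT_VER" ]]
then
	ret_fail "Client version not found." 1
fi

#the former "a && dspmsg || { ...; exit 1; }" also took the failure branch
#whenever dspmsg itself returned non-zero; if/else keeps the two cases apart
if [[ "$VERSION" -ge 62 ]]
then
	dspmsg -s 129 cspoc.cat 91 "ITDS client version %s is compatible, continuing configuration...\n" "$TDS_CLT_VER"
else
	dspmsg -s 129 cspoc.cat 92 "Incompatible ITDS client version installed!"
	exit 1
fi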

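#setting required filesets (the former list named clt32bit, clt64bit and
#cltbase .rte twice; each fileset is listed once, lslpp checks the same set)
set -A LDAP_CL_FSETS \
	idsldap.clt32bit${VERSION}.rte \
	idsldap.clt64bit${VERSION}.rte \
	idsldap.clt_max_crypto32bit${VERSION}.rte \
	idsldap.clt_max_crypto64bit${VERSION}.rte \
	idsldap.cltbase${VERSION}.adt \
	idsldap.cltbase${VERSION}.rte \
	idsldap.cltjava${VERSION}.rte
#lslpp -l returns non-zero when any of the named filesets is missing
/usr/bin/lslpp -l "${LDAP_CL_FSETS[@]}" > /dev/null || {
	dspmsg -s 129 cspoc.cat 145 "ITDS client filesets were not installed.\n"
	exit 2
}

#the client key database named with -S must exist on this node
[[ -f "$CLNT_KDB_PATH" ]] || ret_fail "Keys file not exisiting" 1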
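#checking if specified ldap server is IBM TDS ?
#Every server is probed with a base-scope search over SSL.  VTYPE starts at 1
#(IBM TDS); the first server whose root DSE does not carry the IBM vendorname
#switches it to 0 (Microsoft Active Directory), after which the remaining
#servers are only checked for the Active Directory marker.  A server matching
#neither is rejected.  The bind password and the key-database password are
#passed on the ldapsearch command line and are visible in the process table
#while the search runs.

#######################################
# Base-scope SSL search of one server, used to identify its vendor.
# Arguments: $1 - server host name
#            $2 - search base ("" selects the root DSE)
# Globals:   TDS_CLT_PATH, ADMIN_DN, ADMIN_DNPW, CLNT_KDB_PATH, CLNT_KDB_PW,
#            SSL_PORT_NUM (read)
# Outputs:   the ldapsearch result on stdout
#######################################
function tds_base_search {
	"${TDS_CLT_PATH}/bin/ldapsearch" -h "$1" -D "$ADMIN_DN" -w "$ADMIN_DNPW" \
		-K "$CLNT_KDB_PATH" -P "$CLNT_KDB_PW" -p "$SSL_PORT_NUM" \
		-b "$2" -s base 'objectclass=*'
}

for X in $SERVER_LIST_CC
do
	if [[ "$VTYPE" -eq 1 ]]
	then
		#no IBM vendorname on the root DSE: this is not a TDS server
		if [[ -z "$(tds_base_search "$X" "" | grep -w "vendorname=International Business Machines (IBM)")" ]]
		then
			VTYPE=0
		fi
	fi
	if [[ "$VTYPE" -eq 0 ]]
	then
		if [[ -z "$(tds_base_search "$X" "$BASE_DN" | grep -w "CN=Microsoft,CN=Program Data")" ]]
		then
			dspmsg -s 129 cspoc.cat 146 "Server %s specified is not valid or inaccessible.\n" "$X"
			exit 2
		fi
	fi
done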
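#checking rsh enablement; at the same time collect the short host name of
#every server for the ODM ServerList value
SERVER_HOST=""
for X in $SERVER_LIST_CC
do
	rsh "$X" date >/dev/null 2>&1 || { dspmsg -s 129 cspoc.cat 94 "RSH service failed with an error on %s, continuing assuming server already updated with relevant schemas and data...\n" "$X"; RSHFLAG=0; }
	#first word of the host(1) output, cut at the first dot
	#NOTE(review): if a server were given as an IP address this would
	#presumably keep only its first octet - confirm -h always carries names
	SHORT_HOST=$(host "$X" | awk '{print $1}' | cut -f1 -d.)
	if [[ -z "$SHORT_HOST" ]]
	then
		#formerly an empty element was appended silently, leaving ",," in
		#the stored ServerList
		ret_fail "Host name lookup failed for $X." 1
	fi
	#comma separated; no leading comma is produced, so no sed clean-up is needed
	SERVER_HOST="${SERVER_HOST:+${SERVER_HOST},}${SHORT_HOST}"
done
if [[ -z "$SERVER_HOST" ]]
then
	ret_fail "Host list not found." 1
fi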
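#processing if rsh is enabled and ldap server is MSAD: load the AIX schema
#and the aixAuxAccount/aixAuxGroup auxiliary classes into every Active
#Directory server.  Everything here runs over rsh/rcp, i.e. clear-text,
#host-trust based remote execution and file copy; the rsh reachability
#test above is the only gate.

#######################################
# Adds one AIX auxiliary class to an Active Directory schema class.
# Arguments: $1 - AD server host name
#            $2 - AD schema class to modify (user or group)
#            $3 - auxiliary class to add (aixAuxAccount or aixAuxGroup)
#            $4 - ret_fail message used when ldifde fails
# Globals:   AD_DOMAIN, TMP_LDIF (read)
# The LDIF is written to ${TMP_LDIF}.ldif, copied to the server root as
# ldap_tmp.ldif - the name ldifde is told to read; the former copy kept the
# local name ldap_tmp.<pid>.ldif, which ldifde never looked at - and applied
# with ldifde.  rcp and ldifde failures end the script through ret_fail.
#######################################
function load_aux_class {
	typeset ad_srv=$1 ad_class=$2 aux_class=$3 err_msg=$4
	cat > "${TMP_LDIF}.ldif" <<EOF
dn: CN=${ad_class},CN=Schema,CN=Configuration,${AD_DOMAIN}
changetype: modify
add: auxiliaryClass
auxiliaryClass: ${aux_class}
-
EOF
	rcp "${TMP_LDIF}.ldif" "${ad_srv}":/ldap_tmp.ldif >/dev/null || ret_fail "rcp failed with an error." $?
	rsh "${ad_srv}" "/dev/fs/C/WINDOWS/system32/ldifde.exe -i -f ldap_tmp.ldif -c \"{Forest Root}\" \"$AD_DOMAIN\" -k -j . < /dev/null |cat" >/dev/null \
		|| ret_fail "$err_msg" $?
}

if [[ "$RSHFLAG" -eq 1 && "$VTYPE" -eq 0 ]]
then
	for X in $SERVER_LIST_CC
	do
		#getting MSAD domain in ldap format
		AD_DOMAIN=$(rsh "$X" "/dev/fs/C/WINDOWS/system32/ipconfig.exe /all < /dev/null |cat" | grep "Primary Dns Suffix" | awk -F: '{print $2}')
		if [[ -z "$AD_DOMAIN" ]]
		then
			ret_fail "Active Directory domain not found." 1
		fi
		#"example.com" -> "DC=example,DC=com".  The unquoted echo drops the
		#blank after the ':'; s/.$// removes the trailing character, presumably
		#the CR ending each line of the Windows output
		AD_DOMAIN=$(echo $AD_DOMAIN | sed -e 's/\./,DC=/g' -e 's/^/DC=/g' -e 's/.$//g')
		#copying schema file from AIX to the server root
		rcp /etc/security/ldap/aixSchemaForAD.ldif "$X":/ >/dev/null || ret_fail "AD schema remote copy failed with an error." $?
		#loading schema
		rsh "$X" "/dev/fs/C/WINDOWS/system32/ldifde.exe -i -f aixSchemaForAD.ldif -c \"{Forest Root}\" \"$AD_DOMAIN\" -k -j . < /dev/null |cat" >/dev/null \
			|| ret_fail "AD schema modification failed with an error." $?
		rsh "$X" rm -rf aixSchemaForAD.ldif
		#adding the aix auxiliary class for user and for group.  The group
		#LDIF is generated directly; deriving it from the user LDIF with
		#sed 's/user/group/g' also rewrote any "user" inside AD_DOMAIN.
		load_aux_class "$X" user aixAuxAccount "AD user class modification failed with an error."
		load_aux_class "$X" group aixAuxGroup "AD group class modification failed with an error."
		rsh "$X" rm -rf ldap_tmp.ldif
		rm -f "${TMP_LDIF}.ldif"
	done
fi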

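#configuring temporary client to fetch details and checking input parameters are correct ?
#a base-scope search against BASE_DN on every server verifies the SSL bind
#(admin DN, password, key database and port) before anything is written
for X in $SERVER_LIST_CC
do
	"${TDS_CLT_PATH}/bin/ldapsearch" -h "$X" -D "$ADMIN_DN" -w "$ADMIN_DNPW" -K "$CLNT_KDB_PATH" \
		-P "$CLNT_KDB_PW" -p "$SSL_PORT_NUM" -b "$BASE_DN" -s base 'objectclass=*' >/dev/null || ret_fail "Not able to bind using SSL, ldapsearch failed." $?
done

#######################################
# Loads an LDIF file into the first server with idsldapadd over SSL.
# Arguments: $1 - LDIF file to load
#            $2 - log file receiving stdout and stderr of idsldapadd
#            $3 - ret_fail message used on failure
# Globals:   TDS_CLT_PATH, TMP_SRV, ADMIN_DN, ADMIN_DNPW, CLNT_KDB_PATH,
#            CLNT_KDB_PW, SSL_PORT_NUM (read)
# -c continues past entries that fail; exit codes 20 and 68 (presumably the
# LDAP result codes attributeOrValueExists and entryAlreadyExists) are
# accepted so that rerunning against an already loaded server succeeds.
#######################################
function load_ldif {
	typeset ldif_file=$1 log_file=$2 err_msg=$3 rc
	"${TDS_CLT_PATH}/bin/idsldapadd" -h "$TMP_SRV" -D "$ADMIN_DN" -w "$ADMIN_DNPW" -K "$CLNT_KDB_PATH" \
		-P "$CLNT_KDB_PW" -p "$SSL_PORT_NUM" -c -f "$ldif_file" > "$log_file" 2>&1
	rc=$?
	if [[ $rc -ne 0 && $rc -ne 20 && $rc -ne 68 ]]
	then
		ret_fail "$err_msg" $rc
	fi
}

#loading AIX tables to ldap server
#NOTE(review): the exit status of rbactoldif and efskstoldif is not checked
#(an empty LDIF simply adds nothing) - confirm whether a failure here should
#abort the configuration
TMP_LDIF_FILE=${FSEC_LOG_DIR}/rbacload.$$.ldif
rbactoldif -d "$BASE_DN" > "$TMP_LDIF_FILE"
load_ldif "$TMP_LDIF_FILE" "${FSEC_LOG_DIR}/rbactoldif.log.$$" "rbactoldif ldapadd failed."

TMP_EFS_LDIF=${FSEC_LOG_DIR}/efstoexport.$$.ldif
efskstoldif -d "$BASE_DN" > "$TMP_EFS_LDIF"
load_ldif "$TMP_EFS_LDIF" "${FSEC_LOG_DIR}/ldapadd_efskstoldif.log.$$" "efskstoldif ldapadd failed."
rm -f "$TMP_LDIF_FILE" "$TMP_EFS_LDIF"

#temporary LDAP client configuration on this node (removed again further
#down); the passwords are on the command line here as well
mksecldap -c -h "$TMP_SRV" -a "$ADMIN_DN" -p "$ADMIN_DNPW" -A ldap_auth -d "$BASE_DN" -n "$SSL_PORT_NUM" -k "$CLNT_KDB_PATH" -w "$CLNT_KDB_PW" >/dev/null \
	|| ret_fail "Temprory mksecldap client failed" $?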

#deleting temporary client

#LDAP_DEL_ACTION is set to "NO" in the environment of this one invocation
#only, so that cl_ldapcl_del does not run the cl_rbac_permissions_conf
#utility as part of this server configuration.
LDAP_DEL_ACTION=NO "${HA_BASE_PATH}/cspoc/cl_ldapcl_del" "$CLNT_KDB_PATH" 1

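#creating ODM entries
ODM_ENT_TMP=${FSEC_LOG_DIR}/odm_entry_tmp.$$

#VTYPE comes from the vendor probe above: 1 = IBM TDS, 0 = Active Directory
if [[ "$VTYPE" -eq 1 ]]
then
	Stype=IBMExisting
else
	Stype=MSAD
fi

#"62" -> "6.2": a dot is inserted after the first character
ODM_VERSION=$(echo "$VERSION" | sed 's/./&\./1')

#######################################
# Appends one HACMPLDAP stanza to the odmadd input file.
# Arguments: $1 - name descriptor, $2 - value descriptor
# Globals:   Stype, ODM_ENT_TMP (read)
# Values are written inside double quotes, the stanza form odmadd documents
# for strings.  The former single echo closed its own quotes around every
# value, so the values were emitted bare and word-split on blanks.
#######################################
function odm_stanza {
	typeset attr=$1 val=$2
	cat >> "$ODM_ENT_TMP" <<EOF
HACMPLDAP:
       group="LDAPServer"
       type="$Stype"
       name="$attr"
       value="$val"

EOF
}

#the file carries the admin and key-database passwords in clear text, so it
#is created readable by its owner only (the ODM class stores them in clear
#text as well; that is part of the class design and not changed here)
( umask 077; : > "$ODM_ENT_TMP" ) || ret_fail "Unable to create $ODM_ENT_TMP" 1
odm_stanza ServerList "$SERVER_HOST"
odm_stanza AdminDN "$ADMIN_DN"
odm_stanza AdminDNPwd "$ADMIN_DNPW"
odm_stanza SchemaType rfc2307aix
odm_stanza BaseDN "$BASE_DN"
odm_stanza SSLPortNumber "$SSL_PORT_NUM"
odm_stanza PortNumber 389
odm_stanza SSLAdminPortNumber 3539
odm_stanza AdminPortNumber 3538
odm_stanza ServerKdbPath "$CLNT_KDB_PATH"
odm_stanza ServerKdbPwd "$CLNT_KDB_PW"
odm_stanza BasePath "$TDS_CLT_PATH"
odm_stanza Version "$ODM_VERSION"

#odmadd stdout was formerly captured into an unused variable; it is
#discarded the same way.  On failure the input file is kept on purpose,
#the message tells the administrator to load it by hand.
odmadd "$ODM_ENT_TMP" >/dev/null || {
	dspmsg -s 129 cspoc.cat 71 "ODM update is failed.\n"
	dspmsg -s 129 cspoc.cat 152 "Try to update ODM manually using odmadd %s , in case not succeed then clean the configuration and try again.\n" "$ODM_ENT_TMP"
	exit 1
}
rm -f "$ODM_ENT_TMP"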

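#fsec_vsync and run_on_allnode are presumably provided by the sourced
#cl_federatedsec_source.  The log directory held the LDIF, log and odmadd
#input files written above, so it is removed on every node; ${FSEC_LOG_DIR:?}
#aborts here instead of sending a bare "rm -rf" to the nodes should the
#variable ever be unset or empty.
fsec_vsync "LDAP server configure" || ret_fail "clverify restriction failed" $?
run_on_allnode "rm -rf ${FSEC_LOG_DIR:?}" || ret_fail "Removing log directory failed." $?

exit 0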
