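#!/bin/ksh
# ALTRAN_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# Copyright (C) Altran ACT S.A.S. 2019,2021. All rights reserved.
#
# ALTRAN_PROLOG_END_TAG
#
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# 61haes_r714 src/43haes/usr/sbin/cluster/cspoc/utilities/cl_ldap_client_config.sh 1.1
#
# Licensed Materials - Property of IBM
#
# COPYRIGHT International Business Machines Corp. 2010,2011
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
# @(#) 7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_ldap_client_config.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
#
# cl_ldap_client_config: configure the LDAP client on every cluster node (or
# only on this node when add_on_oneNode is YES), run the RBAC configuration,
# enable mkhomeatlogin, and record the client settings in the HACMPLDAP ODM
# class.  On any per-node failure the client configuration is removed again
# from all nodes with cl_ldapcl_del.
#
# Options:
#   -h server_list   LDAP server list; must be contained in the ServerList
#                    already stored under group=LDAPServer in HACMPLDAP
#   -a bind_dn       bind DN
#   -w bind_pw       bind DN password
#   -s               selects ldap_auth (AUTH_TYPE is set but the ODM stanza
#                    below hard-codes ldap_auth regardless)
#   -d suffix        LDAP suffix (runs of blanks are squeezed)
#   -p ssl_port      SSL port number (runs of blanks are squeezed)
#   -S kdb_path      client key database path, must end in ".kdb"
#   -W kdb_pw        key database password
#
# Exit status: 0 on success; 1 on usage, permission, node, RBAC or ODM
# failure; 2 when no LDAP server is defined or the kdb path is malformed.
#
# Helpers and variables used below but not defined here (fsec_init, odm_check,
# ret_fail, run_on_allnode, fsec_vsync, cl_rsh, clodmget, FSEC_LOG_DIR,
# HA_BASE_PATH, add_on_oneNode, FSECDEBUG) are expected to come from the
# sourced cl_federatedsec_source — confirm against that file.
#
# SECURITY NOTE: the bind password and kdb password are handed to
# cl_ldapcl_conf / cl_rbac_conf as command-line arguments (visible in ps on
# every node while they run) and are written in cleartext into HACMPLDAP.
# Those interfaces are outside this script; keep the ODM and the log
# directory readable by root only.

#Including source function and variables
. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
#
#Initializing..
fsec_init

#
# Usage for this utility
_USAGE="$( dspmsg -s 129 cspoc.cat 85 "Usage: %s -h -a -w -s -d -p -S -W " "$0")"

# shquote: print $1 wrapped in single quotes with embedded single quotes
# escaped, so the string survives the remote shell started by cl_rsh as
# exactly one argument.  Without this, a value containing blanks or shell
# metacharacters is re-split (or interpreted) on the remote node.
function shquote {
    typeset val
    val=$(print -r -- "$1" | sed "s/'/'\\\\''/g")
    print -r -- "'$val'"
}

# clean_nodes: run cl_ldapcl_del on every node in NODES.
# Globals read: NODES, CLNT_KDB_PATH, KDB_BIT, FSECDEBUG, HA_BASE_PATH
function clean_nodes {
    typeset node
    for node in $NODES
    do
        cl_rsh -n "$node" "FSECDEBUG=$FSECDEBUG ${HA_BASE_PATH}/cspoc/cl_ldapcl_del $(shquote "$CLNT_KDB_PATH") $(shquote "$KDB_BIT")"
    done
}

#
# For a non root user, finding the user name.
# NOTE(review): LOGIN is an environment variable the caller controls; it is
# preferred over id(1) here, so this check is a usability gate, not a
# privilege boundary — the privileged operations below still fail for a
# caller without the required authority.
if [[ -n "$LOGIN" ]]; then
    user_name="$LOGIN"
else
    user_name=$(id -nu 2>/dev/null)
fi
if [[ $user_name != "root" ]]; then
    # Non-root callers are accepted only when RBAC has been configured for
    # the LDAP client.
    typeset is_rbac_enabled=""
    is_rbac_enabled=$(clodmget -nq "group=LDAPClient and name=RBACConfig" -f value HACMPLDAP 2>/dev/null)
    if [[ $is_rbac_enabled != "YES" ]]; then
        dspmsg -s 129 cspoc.cat 218 "This action can be performed only with root."
        exit 1
    fi
fi

while getopts :h:a:w:s:d:p:S:W: flag
do
    case "$flag" in
        h) SERVER_LIST="$OPTARG";;
        a) BIND_DN="$OPTARG";;
        w) BIND_DNPW="$OPTARG";;
        s) AUTH_TYPE="ldap_auth";;
        d) SUFFIX="$OPTARG";;
        p) SSL_PORT_NUM="$OPTARG";;
        S) CLNT_KDB_PATH="$OPTARG";;
        W) CLNT_KDB_PW="$OPTARG";;
        *) # Also reached for a missing option argument (leading ':' in the
           # optstring).  The dspmsg call must be executed, not printed as
           # literal text, so it runs inside a command substitution.
           print -u2 "$(/usr/bin/dspmsg -s 4 utilities.cat 50 '%1$s: unknown option "%2$s"\n' "$(/usr/bin/basename "$0")" "-$OPTARG")"
           print -u2 "\n$_USAGE\n"
           exit 1;;
    esac
done
shift $((OPTIND - 1))

#
# Checking ODM consistency
odm_check

# An LDAP server definition must already exist for a client to point at.
[[ -z $(odmget -q "group=LDAPServer and name=ServerList" HACMPLDAP) ]] && {
    dspmsg -s 129 cspoc.cat 139 "A LDAP server is not defined.\n"
    exit 2
}

# The client key database path must carry the .kdb extension.
[[ $CLNT_KDB_PATH == *.kdb ]] || {
    dspmsg -s 129 cspoc.cat 140 "Key file path should be in '*.kdb' format.\n"
    exit 2
}

# The requested server list must be contained in the stored LDAPServer list.
# An empty -h value would match anything with grep, so it is rejected first;
# the fixed-string match keeps dots in host names from acting as wildcards.
[[ -n $SERVER_LIST ]] || ret_fail "Server list is not valid." 1
clodmget -n -q "group=LDAPServer and name=ServerList" -f value HACMPLDAP \
    | grep -F -- "$SERVER_LIST" >/dev/null \
    || ret_fail "Server list is not valid." 1

#
# Getting nodes list, if add_on_oneNode value is YES then configure LDAP client on current node.
if [[ $add_on_oneNode == "YES" ]]; then
    NODES=$(hostname)
else
    NODES=$(${HA_BASE_PATH}/utilities/cllsnode -c | sed '1d' | awk -F: '{print $1}')
fi
[[ -z $NODES ]] && ret_fail "Cluster nodes not found." 1

# Setting 1 if kdb file exists else 0 (passed through to cl_ldapcl_del)
KDB_BIT=0
[[ -f $CLNT_KDB_PATH ]] && KDB_BIT=1

# Deliberately unquoted: word splitting plus tr -s collapses runs of blanks
# the same way the original echo pipeline did.
SSL_PORT_NUM=$(print -r -- $SSL_PORT_NUM | tr -s ' ')
SUFFIX=$(print -r -- $SUFFIX | tr -s ' ')

# Calling client conf on each node, and clean if fails
FLAG=0
for X in $NODES
do
    # Every argument is shell-quoted so the remote shell sees one argument
    # per value even when it contains blanks (e.g. a suffix with a space).
    cl_rsh -n "$X" "FSECDEBUG=$FSECDEBUG ${HA_BASE_PATH}/cspoc/cl_ldapcl_conf $(shquote "$SERVER_LIST") $(shquote "$BIND_DN") $(shquote "$BIND_DNPW") $(shquote "$SUFFIX") $(shquote "$SSL_PORT_NUM") $(shquote "$CLNT_KDB_PATH") $(shquote "$CLNT_KDB_PW")" \
        || { dspmsg -s 129 cspoc.cat 86 "Failed in %s node, cleaning all...\n" "$X"; FLAG=1; break; }
done

# Cleaning in all configured nodes if fails.  The previous version exited
# from inside the loop after the first node, leaving the others configured;
# now every node is cleaned before exiting.
if [[ $FLAG -eq 1 ]]; then
    clean_nodes
    exit 1
fi

# Calling rbac conf now, cleaning all if fails
${HA_BASE_PATH}/cspoc/cl_rbac_conf "$SSL_PORT_NUM" "$CLNT_KDB_PATH" "$CLNT_KDB_PW" || {
    dspmsg -s 129 cspoc.cat 87 "RBAC configuration failed, cleaning all...\n"
    clean_nodes
    exit 1
}

#
#Client configured on current node, hence run_on_allnode is not required.
if [[ $add_on_oneNode == "YES" ]]; then
    chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true >/dev/null \
        || ret_fail "mkhomeatlogin=true failed on one of the node" 0
else
    run_on_allnode "chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true" >/dev/null \
        || ret_fail "mkhomeatlogin=true failed on one of the node" 0
fi

# Adding odm entries.  The stanza file carries both passwords, so it is
# created with owner-only permissions; a here-document (rather than echo)
# writes the values byte-for-byte without backslash interpretation.  The
# stanza content itself (unquoted values, the "ITDSClinet" type spelling)
# is kept exactly as before because other tools query it.
ODM_ENT_TMP=${FSEC_LOG_DIR}/odm_entry_tmp.$$
old_umask=$(umask)
umask 077
cat > "$ODM_ENT_TMP" <<EOF
HACMPLDAP: group=LDAPClient type=ITDSClinet name=ServerList value=$SERVER_LIST
HACMPLDAP: group=LDAPClient type=ITDSClinet name=BindDN value=$BIND_DN
HACMPLDAP: group=LDAPClient type=ITDSClinet name=BindDNPwd value=$BIND_DNPW
HACMPLDAP: group=LDAPClient type=ITDSClinet name=AuthType value=ldap_auth
HACMPLDAP: group=LDAPClient type=ITDSClinet name=Suffix value=$SUFFIX
HACMPLDAP: group=LDAPClient type=ITDSClinet name=SSLPortNumber value=$SSL_PORT_NUM
HACMPLDAP: group=LDAPClient type=ITDSClinet name=ClientKdbPath value=$CLNT_KDB_PATH
HACMPLDAP: group=LDAPClient type=ITDSClinet name=ClientKdbPwd value=$CLNT_KDB_PW
EOF
umask "$old_umask"

# odmadd output is discarded.  On failure the stanza file — passwords
# included — is intentionally left behind so the operator can retry the
# odmadd by hand, as the message instructs.
odmadd "$ODM_ENT_TMP" >/dev/null || {
    dspmsg -s 129 cspoc.cat 71 "ODM update is failed.\n"
    dspmsg -s 129 cspoc.cat 152 "Try to update ODM manually using odmadd %s , in case not succeed then clean the configuration and try again.\n" "$ODM_ENT_TMP"
    exit 1
}
rm -f -- "$ODM_ENT_TMP"

#If value of add_on_oneNode is YES then LDAP client is configured on newly added node in cluster.
#Hence fsec_vsync is not required.
# ${FSEC_LOG_DIR:?} aborts rather than running "rm -rf" against an empty path.
if [[ $add_on_oneNode != "YES" ]]; then
    fsec_vsync "LDAP Client configure" || ret_fail "clverify restriction failed" $?
    run_on_allnode "rm -rf ${FSEC_LOG_DIR:?}" || ret_fail "Removing log directory failed." $?
else
    rm -rf "${FSEC_LOG_DIR:?}" || ret_fail "Removing log directory failed." $?
fi
exit 0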