#!/bin/ksh
#  ALTRAN_PROLOG_BEGIN_TAG
#  This is an automatically generated prolog.
#
#  Copyright (C) Altran ACT S.A.S. 2017,2018,2021.  All rights reserved.
#
#  ALTRAN_PROLOG_END_TAG
#
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# 61haes_r721 src/43haes/usr/sbin/cluster/cspoc/utilities/cl_ldap_server_config.sh 1.4 
#  
# Licensed Materials - Property of IBM 
#  
# COPYRIGHT International Business Machines Corp. 2010,2011 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 
# @(#)  7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_ldap_server_config.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM

#Including source function and variables
# NOTE(review): fsec_init, odm_check, ret_fail, run_on_allnode, fsec_vsync
# and the variables FSEC_LOG_DIR, HA_BASE_PATH and FSECDEBUG used below are
# not defined in this file; presumably they come from this sourced file —
# confirm there.
. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source		
#
#Initializing..
fsec_init
#
# Usage for this utility
# -w, -W, -X and -E take credentials (admin DN password, key-database
# password, DB2 password, encryption seed) as command-line arguments, so
# they are exposed to process listings and shell history for the lifetime
# of this script and of every remote command that forwards them.
_USAGE="$( dspmsg -s 129 cspoc.cat 88 "Usage: %s -h <hostnames> -a <admin_DN> -w <password> -s <schema_type> -d <base DN> -p <port_num> -S <ssl_keypath> -W <ssl_password> -V <version> -X <DB2 password> -E <encryption seed>" "$0")"
# 
# Getting options from different fields
# The leading ':' in the option string makes getopts silent: an unknown
# option sets flag to '?' and a missing argument sets flag to ':', with the
# offending letter in OPTARG. Both land in the '*)' arm below, so a missing
# argument is also reported as "unknown option".
while getopts :h:a:w:s:d:p:S:W:V:X:E: flag
do	
	case "$flag" in
	h)	SERVER_LIST="$OPTARG";;	# comma-separated list of server names
	a)	ADMIN_DN="$OPTARG";;
	w)	ADMIN_DNPW="$OPTARG";;
	# -s accepts an argument but ignores it: the schema type is always
	# rfc2307aix (presumably the only supported schema — confirm).
	s)	SCHEMA_TYPE="rfc2307aix";;
	d)	BASE_DN="$OPTARG";;
	p)	SSL_PORT_NUM="$OPTARG";;
	S)	SERV_KDB_PATH="$OPTARG";;	# must end in .kdb, checked below
	W)	SERV_KDB_PW="$OPTARG";;
	V)	VERSION="$OPTARG";;		# dotted form; dots are stripped later
	X)	DB2_PWD="$OPTARG";;
	E)	ENC_SEED="$OPTARG";;		# minimum length checked below
	*)	print -u2
		 /usr/bin/dspmsg -s 4 utilities.cat 50 '%1$s: unknown option "%2$s"\n' "$(/usr/bin/basename $0)" "-$OPTARG" 1>&2
		print -u2 "\n$_USAGE\n"
		exit 1;;
	esac
done
# ksh evaluates the shift operand as an arithmetic expression; under bash
# this line would need $((OPTIND-1)).
shift $OPTIND-1
#
# Checking HACMPLDAP ODM consistency
odm_check
#checking if server already exists ?
# Refuses to run twice: any existing LDAPServer/ServerList entry in
# HACMPLDAP means a server is already configured.
[[ -n `odmget -q "group=LDAPServer and name=ServerList" HACMPLDAP` ]] && {  dspmsg -s 129 cspoc.cat 142 "A LDAP server exists.\n"; exit 2; }
# Checking encryption seed length
# wc -c counts the newline echo appends, so "-lt 13" means fewer than 12
# characters. $ENC_SEED is unquoted: a seed containing whitespace is
# word-split and re-joined with single spaces before it is counted.
[[ $(echo $ENC_SEED | wc -c) -lt 13 ]] && {  dspmsg -s 129 cspoc.cat 143 "Encryption seed should be minimum of 12 characters.\n"; exit 2; }
# Check ssl key path extension
# The dot in ".kdb$" is an unescaped regex metacharacter, so any path
# ending in "<char>kdb" passes, not only "*.kdb".
echo $SERV_KDB_PATH|grep ".kdb$" >/dev/null || {  dspmsg -s 129 cspoc.cat 140 "Key file path should be in '*.kdb' format.\n"; exit 2; }
# Getting server list w/o comma
SERVER_LIST_CC=`echo $SERVER_LIST|sed 's/,/ /g'` 
[[ -z $SERVER_LIST_CC ]] && ret_fail "Server list not found." 1 
# Getting server count
SRV_CNT=`echo $SERVER_LIST_CC|wc -w` 
[[ -z $SRV_CNT ]] && ret_fail "Server count not found." 1 
# Between 2 and 6 servers are supported.
[ $SRV_CNT -lt 2 -o $SRV_CNT -gt 6 ] && {  dspmsg -s 129 cspoc.cat 144 "Supported number of servers should be at least 2 and at most 6.\n"; exit 2; }
#validate if any ldap instance already exist
# For each server name: resolve it to a cluster node via cllsif (field 6),
# warn if an ibmslapd or ibmdiradm process is already running there, abort
# if that instance is the one this utility would create (ldapdb2), and
# collect the node's communication-path host (first label only).
for X in $SERVER_LIST_CC
do
	TNODE=`${HA_BASE_PATH}/utilities/cllsif -cp|grep -w $X|awk -F: '{print $6}'|sort -u` 
	[[ -z $TNODE ]] && ret_fail "Node not found." 1 
	# "a || b && { ... }" groups left to right: the block runs when either
	# ps check finds a matching process.
	cl_rsh -n $TNODE "ps -eo 'args'|grep ibmslapd|grep -vw grep" >/dev/null 2>&1 \
		|| cl_rsh -n $TNODE "ps -eo 'args'|grep ibmdiradm|grep -vw grep" >/dev/null 2>&1 && {
			 dspmsg -s 129 cspoc.cat 125 "WARNING: Node %s having directory instance/server running, configuration can only be continued only in case the instance name is not ldapdb2. However this is not recommended.\n" "$TNODE"
			cl_rsh -n $TNODE "ps -eo 'args'|grep -w 'ldapdb2'|grep -vw grep" >/dev/null 2>&1 && ret_fail "Configuration cannot be continued." 1
		}
	# Accumulates ",host1,host2,..."; the leading comma is stripped below.
	SERVER_HOST=`echo ${SERVER_HOST},$(clodmget -q "name = $X AND object = COMMUNICATION_PATH" -f value -n HACMPnode|cut -f1 -d.)`
done


#
# Strip the leading comma left by the accumulation loop above.
SERVER_HOST=`echo $SERVER_HOST|sed s/^,//g`
[[ -z $SERVER_HOST ]] && ret_fail "Host list not found." 1 
# The first server in the list is used as the primary node (TMP_SRV) for
# the base-path lookup and the data loads further down; TMP_HOST is its
# full communication-path value (not truncated at the first dot).
TMP_SRV=`echo $SERVER_LIST_CC|awk '{print $1}'` 
[[ -z $TMP_SRV ]] && ret_fail "First server not found." 1 
TMP_SRV=`${HA_BASE_PATH}/utilities/cllsif -c|grep -w $TMP_SRV|awk -F: '{print $6}'|sort -u` 
[[ -z $TMP_SRV ]] && ret_fail "First server not found." 1 
TMP_HOST=$(clodmget -q "name = $TMP_SRV AND object = COMMUNICATION_PATH" -f value -n HACMPnode)
[[ -z $TMP_HOST ]] && ret_fail "First server communication path not found." 1 

# Instance name is fixed; it is also the name the pre-flight loop above
# refuses to coexist with.
LDAP_INST=ldapdb2
# Setting ldap conf file path
LDAP_CONF_DIR="/home/${LDAP_INST}/idsslapd-${LDAP_INST}/etc/ibmslapd.conf"
# Setting ldap version
# TVERSION keeps the dotted form for the ODM record; VERSION loses the dots
# for fileset names such as idsldap.srvbase64bit${VERSION}.rte.
TVERSION=$VERSION
VERSION=`echo $VERSION|sed 's/\.//g'` 
[[ -z $VERSION ]] && ret_fail "Version not found." 1 
# Getting kdb file name
# Last path component with every ".kdb" occurrence removed (not only the
# trailing one).
SERV_KDB_FILE=`echo $SERV_KDB_PATH |awk -F"/" '{print $NF}'|/usr/bin/sed 's/\.kdb//g'` 
[[ -z $SERV_KDB_FILE ]] && ret_fail "Server key file not found." 1 
# Getting kdb dir name
# awk drops the last "/"-separated field and prints the rest space-joined;
# sed turns the spaces back into slashes, giving "/dir/" with trailing
# slash. A path containing literal spaces would be corrupted here.
SERV_KDB_DIR=`echo $SERV_KDB_PATH |awk -F"/" '{$NF=""; print $0}'|/usr/bin/sed 's/ /\//g'` 
[[ -z $SERV_KDB_DIR ]] && ret_fail "Server key directory not found." 1 
# Setting 1 if kdb file exists else 0
# Checked on the local node only; passed to the cleanup script later.
KDB_BIT=0
[[ -f $SERV_KDB_PATH ]] && KDB_BIT=1

# FLAG is the local failure marker for the per-node configuration runs.
FLAG=0
# Setting global flag for all the nodes of cluster
# /tmp/global_FLAG is a fixed, predictable path in a shared temporary
# directory; its content is read back below to decide whether to clean up.
run_on_allnode "echo 0 > /tmp/global_FLAG"
# Calling ldap server config on all specified nodes
for X in $SERVER_LIST_CC
do
	TNODE=`${HA_BASE_PATH}/utilities/cllsif -cp|grep -w $X|awk -F: '{print $6}'|sort -u` 
	[[ -z $TNODE ]] && ret_fail "Node not found." 1 
	# The inner "..." around each argument close and reopen the outer
	# string, so they are consumed locally and the remote side receives
	# the values unquoted: a value containing whitespace or shell
	# metacharacters is re-split/interpreted there (exact effect depends
	# on how cl_rsh hands the string to the remote shell — confirm).
	# ADMIN_DNPW, SERV_KDB_PW, DB2_PWD and ENC_SEED travel in the remote
	# command line and are visible in process listings on that node.
	cl_rsh -n $TNODE "FSECDEBUG=$FSECDEBUG ${HA_BASE_PATH}/cspoc/cl_ldapsr_conf "$ADMIN_DN" "$ADMIN_DNPW" "$SCHEMA_TYPE" "$BASE_DN" "$SSL_PORT_NUM" "$SERV_KDB_PATH" "$SERV_KDB_PW" "$VERSION" "$DB2_PWD" "$ENC_SEED"" \
	|| {  dspmsg -s 129 cspoc.cat 86 "Failed in %s node, cleaning all...\n" "$X"; FLAG=1; break; }
done
#
# Getting ldap server base path
# Installation directory of the server fileset on the first node, derived
# from the lslpp file list by taking the entry ending in /etc and dropping
# that suffix. Runs regardless of FLAG because the cleanup path needs it.
BASE_PATH=`/usr/es/sbin/cluster/cspoc/cli_on_node -N $TMP_SRV "/usr/bin/lslpp -f idsldap.srvbase64bit${VERSION}.rte|grep "/etc$"| /usr/bin/sed 's/\/etc//g'"|awk '{print $2}'`
[[ -z $BASE_PATH ]] && ret_fail "Base path not found." 1 
BASE_PATH=`echo $BASE_PATH|tr -s ' '`
# Getting other port details for all ldap server
# Only after every node configured successfully. Reads the first and second
# ibm-slapdPort values and the first ibm-slapdSecurePort value from each
# node's ibmslapd.conf and accumulates them as comma-prefixed lists.
# NOTE(review): cl_rsh is given $X (the raw list entry) here, whereas every
# other loop resolves it to a node name via cllsif first — verify the two
# are interchangeable for cl_rsh.
if [[ $FLAG -eq 0 ]]
then
	for X in $SERVER_LIST_CC
	do
		tmptmp=`cl_rsh -n $X "cat $LDAP_CONF_DIR|grep ibm-slapdPort|cut -f2 -d:|head -1"` 
		[[ -z $tmptmp ]] && ret_fail "Port number not found." 1 
		tmptmp=`echo $tmptmp|tr -s ' '`
		PORT_NUM=`echo ${PORT_NUM},$tmptmp`
		tmptmp=`cl_rsh -n $X "cat $LDAP_CONF_DIR|grep ibm-slapdPort|cut -f2 -d:|head -2|tail -1"` 
		[[ -z $tmptmp ]] && ret_fail "Admin port number not found." 1 
		tmptmp=`echo $tmptmp|tr -s ' '`
		ADMIN_PORT_NUM=`echo ${ADMIN_PORT_NUM},$tmptmp`
		tmptmp=`cl_rsh -n $X "cat $LDAP_CONF_DIR|grep ibm-slapdSecurePort|cut -f2 -d:|head -1"` 
		[[ -z $tmptmp ]] && ret_fail "SSL admin port number not found." 1 
		tmptmp=`echo $tmptmp|tr -s ' '`
		SSL_ADMIN_PORT_NUM=`echo ${SSL_ADMIN_PORT_NUM},$tmptmp`
	done
fi

# Strip the leading comma from each accumulated list.
PORT_NUM=`echo $PORT_NUM|sed s/^,//g`
ADMIN_PORT_NUM=`echo $ADMIN_PORT_NUM|sed s/^,//g`
SSL_ADMIN_PORT_NUM=`echo $SSL_ADMIN_PORT_NUM|sed s/^,//g`
#
# Cleaning if fails else call p2p conf
# Three outcomes:
#   FLAG=1 and the local /tmp/global_FLAG reads 1  -> undo on every node, exit 1
#   FLAG=0                                          -> run peer-to-peer setup
#   FLAG=1 but /tmp/global_FLAG is not 1            -> exit 2 with NO cleanup
# The decision trusts the content of /tmp/global_FLAG, a fixed path in a
# shared temporary directory that is only read on the local node.
if [[ $FLAG -eq 1 ]] && [[ `cat /tmp/global_FLAG` -eq 1 ]]
then
	#cleaning if fails
	for X in $SERVER_LIST_CC
	do	
		TNODE=`${HA_BASE_PATH}/utilities/cllsif -cp|grep -w $X|awk -F: '{print $6}'|sort -u` 
		[[ -z $TNODE ]] && ret_fail "Node not found." 1 
		cl_rsh -n $TNODE "FSECDEBUG=$FSECDEBUG ${HA_BASE_PATH}/cspoc/cl_ldapsr_alldel $BASE_PATH $VERSION $SERV_KDB_PATH $KDB_BIT"
	done
	exit 1
elif [[ $FLAG -eq 0 ]]
then
	#calling p2p configuration if server config passes
	# ADMIN_DNPW is again passed as a command-line argument.
	FLAG=0
	${HA_BASE_PATH}/cspoc/cl_ldapp2psr_conf "$SERVER_LIST" "$ADMIN_DN" "$ADMIN_DNPW" "$BASE_DN" "$PORT_NUM" "$ADMIN_PORT_NUM" "$BASE_PATH" \
		|| {  dspmsg -s 129 cspoc.cat 89 "TDS Setup failed, cleaning all...\n"; FLAG=1; }
else
	exit 2
fi
#
# Cleaning if fails
# Same per-node undo as above, reached only when the p2p step failed.
if [[ $FLAG -eq 1 ]]
then
	#cleaning if fails
	for X in $SERVER_LIST_CC
	do	
		TNODE=`${HA_BASE_PATH}/utilities/cllsif -cp|grep -w $X|awk -F: '{print $6}'|sort -u` 
		[[ -z $TNODE ]] && ret_fail "Node not found." 1 
		cl_rsh -n $TNODE "FSECDEBUG=$FSECDEBUG ${HA_BASE_PATH}/cspoc/cl_ldapsr_alldel $BASE_PATH $VERSION $SERV_KDB_PATH $KDB_BIT"
	done
	exit 1
fi
#
#loading user data
# Each export (sectoldif, rbactoldif, efskstoldif) is written as an LDIF
# file under FSEC_LOG_DIR on the first server node and loaded with ldapadd
# -c (continue past per-entry errors). Exit codes 20 and 68 are tolerated
# in addition to 0; these match the LDAP result codes
# attributeOrValueExists and entryAlreadyExists, i.e. a re-run over data
# that is already present. The ldapadd output, including any per-entry
# diagnostics, is captured in FSEC_LOG_DIR.
# The exported LDIF holds the security database contents, and the admin
# password is on the remote ldapadd command line (-w). On a ret_fail exit
# the LDIF files are not removed here; they stay until FSEC_LOG_DIR is
# deleted at the end of a successful run.
fsectoldif_file=${FSEC_LOG_DIR}/fsectoldif.$$.ldif
cl_rsh -n $TMP_SRV "sectoldif -d $BASE_DN -S rfc2307aix > $fsectoldif_file"
cl_rsh -n $TMP_SRV "${BASE_PATH}/bin/ldapadd -h $TMP_HOST -D $ADMIN_DN -w $ADMIN_DNPW -p $PORT_NUM -c -f $fsectoldif_file" > ${FSEC_LOG_DIR}/ldapadd_sectoldif.log.$$ 2>&1
ret_code=$?
if [[ $ret_code -ne 0 ]] && [[ $ret_code -ne 20 ]] && [[ $ret_code -ne 68 ]]
then
	ret_fail "sectoldif ldapadd failed." $ret_code
fi
cl_rsh -n $TMP_SRV "rm -rf $fsectoldif_file"
#
#Loading AIX tables to LDAP server
# Uses idsldapadd here (ldapadd above) — presumably equivalent wrappers.
TMP_LDIF_FILE=${FSEC_LOG_DIR}/rbacload.$$.ldif
cl_rsh -n $TMP_SRV "rbactoldif -d $BASE_DN > $TMP_LDIF_FILE"
cl_rsh -n $TMP_SRV "${BASE_PATH}/bin/idsldapadd -h $TMP_HOST -D $ADMIN_DN -w $ADMIN_DNPW -p $PORT_NUM -c -f $TMP_LDIF_FILE" > ${FSEC_LOG_DIR}/rbactoldif.log.$$ 2>&1
ret_code=$?
if [[ $ret_code -ne 0 ]] && [[ $ret_code -ne 20 ]] && [[ $ret_code -ne 68 ]]
then
	ret_fail "rbactoldif ldapadd failed." $ret_code
fi
#
# EFS keystore export.
TMP_EFS_LDIF=${FSEC_LOG_DIR}/efstoexport.$$.ldif
cl_rsh -n $TMP_SRV "efskstoldif -d $BASE_DN > $TMP_EFS_LDIF"
cl_rsh -n $TMP_SRV "${BASE_PATH}/bin/idsldapadd -h $TMP_HOST -D $ADMIN_DN -w $ADMIN_DNPW -p $PORT_NUM -c -f $TMP_EFS_LDIF" > ${FSEC_LOG_DIR}/ldapadd_efskstoldif.log.$$ 2>&1
ret_code=$?
if [[ $ret_code -ne 0 ]] && [[ $ret_code -ne 20 ]] && [[ $ret_code -ne 68 ]]
then
	ret_fail "efskstoldif ldapadd failed." $ret_code
fi
#
cl_rsh -n $TMP_SRV "rm -f $TMP_LDIF_FILE $TMP_EFS_LDIF"
# Adding ODM entries for HACMPLDAP
# Writes one HACMPLDAP stanza per setting to a temp file and loads it with
# odmadd. The inner "..." pairs inside the echo string are consumed by the
# shell, so the stanza lines reach the file without quotes (e.g.
# group=LDAPServer); presumably odmadd accepts that form — confirm, since a
# value containing whitespace would then break the stanza.
# AdminDNPwd and ServerKdbPwd are stored in ODM, and in this temp file, in
# the clear. On odmadd failure the file is deliberately left behind for
# manual retry, so it keeps holding those credentials until removed.
ODM_ENT_TMP=${FSEC_LOG_DIR}/odm_entry_tmp.$$

echo "HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="ServerList"
       value="$SERVER_HOST"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="AdminDN"
       value="$ADMIN_DN"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="AdminDNPwd"
       value="$ADMIN_DNPW"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="SchemaType"
       value="$SCHEMA_TYPE"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="BaseDN"
       value="$BASE_DN"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="SSLPortNumber"
       value="$SSL_PORT_NUM"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="PortNumber"
       value="$PORT_NUM"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="SSLAdminPortNumber"
       value="$SSL_ADMIN_PORT_NUM"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="AdminPortNumber"
       value="$ADMIN_PORT_NUM"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="ServerKdbPath"
       value="$SERV_KDB_PATH"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="ServerKdbPwd"
       value="$SERV_KDB_PW"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="BasePath"
       value="$BASE_PATH"

HACMPLDAP:
       group="LDAPServer"
       type="IBMNew"
       name="Version"
       value="$TVERSION"" > $ODM_ENT_TMP
	   
# st captures odmadd's stdout but is never read; only the exit status matters.
st=$(odmadd $ODM_ENT_TMP ) || { 
		 dspmsg -s 129 cspoc.cat 71 "ODM update is failed.\n"
		 dspmsg -s 129 cspoc.cat 152 "Try to update ODM manually using odmadd %s , in case not succeed then clean the configuration and try again.\n" "$ODM_ENT_TMP"
		exit 1
		}	
rm -rf $ODM_ENT_TMP
#
# Verify/sync the cluster definition, then drop the working directory on
# every node. This is the only place FSEC_LOG_DIR (ldapadd logs and any
# leftover LDIF/ODM temp files) is removed, so earlier failure exits leave
# it in place.
fsec_vsync "LDAP Server configure" || ret_fail "clverify restriction failed" $?
run_on_allnode "rm -rf $FSEC_LOG_DIR" || ret_fail "Removing log directory failed." $?

exit 0
