#!/bin/ksh
#  ALTRAN_PROLOG_BEGIN_TAG                                                    
#  This is an automatically generated prolog.                                  
#                                                                              
#  Copyright (C) Altran ACT S.A.S. 2019,2021.  All rights reserved.  
#                                                                              
#  ALTRAN_PROLOG_END_TAG                                                      
#                                                                              
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
# 61haes_r714 src/43haes/usr/sbin/cluster/cspoc/utilities/cl_ldapcl_conf.sh 1.2 
#  
# Licensed Materials - Property of IBM 
#  
# COPYRIGHT International Business Machines Corp. 2010,2011 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 
# @(#)  7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_ldapcl_conf.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM
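. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
fsec_init
fsec_ldap_init

#######################################
# Undo a partially applied client configuration and exit with status 2.
# Globals:   HA_BASE_PATH, CLNT_KDB_PATH, KDB_BIT (read)
# Outputs:   failure message via dspmsg
# Returns:   never returns; exits 2
#######################################
cleanup_and_exit()
{
    dspmsg -s 129 cspoc.cat 96 "LDAP configuration failed, cleaning...\n"
    # cl_ldapcl_del presumably uses KDB_BIT to leave a pre-existing key
    # database alone -- verify against cl_ldapcl_del.
    ${HA_BASE_PATH}/cspoc/cl_ldapcl_del "$CLNT_KDB_PATH" "$KDB_BIT"
    exit 2
}

##MAIN START##
#
# Configure this node as an SSL client of the cluster LDAP server(s): make
# sure the GSKit and ITDS client filesets are present, create the client key
# database and trust each server's certificate when the database does not
# exist yet, verify an SSL bind against every server, then run mksecldap and
# restart the client daemon.
#
# Arguments:
#   $1 - comma separated list of LDAP servers
#   $2 - administrator bind DN
#   $3 - administrator bind password
#   $4 - base suffix used for the bind test and for mksecldap
#   $5 - SSL port number
#   $6 - path of the client key database (.kdb)
#   $7 - client key database password
#
# Exits 0 on success or when the running daemon already serves every listed
# server; 2 when a prerequisite is missing; 1 when the installed client
# version cannot be determined; otherwise the failing command's status is
# handed to ret_fail (defined in cl_federatedsec_source, assumed to report
# the message and exit with that status).
#
# NOTE(review): $3 and $7 are secrets that arrive on this script's argv and
# are passed on as -pw/-P/-w/-p values to gsk8capicmd_64, idsldapsearch,
# ldapsearch and mksecldap below, so they are visible in 'ps' output while
# those commands run and would appear in any 'set -x' trace of this script.

SERVER_LIST="$1"
ADMIN_DN="$2"
ADMIN_DNPW="$3"
SUFFIX="$4"
SSL_PORT_NUM="$5"
CLNT_KDB_PATH="$6"
CLNT_KDB_PW="$7"

# Comma separated server list -> whitespace separated list for the loops below.
SERVER_LIST_CC=$(echo "$SERVER_LIST" | /usr/bin/sed 's/,/ /g')
[[ -z $SERVER_LIST_CC ]] && ret_fail "Server list not found." 2

# If the ldap client daemon is already running and connected to every
# server provided, we don't continue with creation of the client.
# clt_configured_for_servers becomes 1 as soon as one listed server is
# missing from the daemon's 'ldapservers' line (a daemon that is not running
# reports no servers at all, so configuration proceeds).
typeset -i clt_configured_for_servers=0

for ldap_server in $SERVER_LIST_CC
do
    ls-secldapclntd | grep -w ldapservers | grep -qw "$ldap_server"
    if (( $? != 0 ))
    then
        clt_configured_for_servers=1
        break
    fi
done
if (( clt_configured_for_servers == 0 ))
then
    exit 0
fi

dspmsg -s 129 cspoc.cat 127 "INFO: Running ldap client configuration on %s, please wait...\n" "$(hostname)"

# Server side key database location, as recorded in the HACMPLDAP ODM class.
SERV_KDB_PATH=$(clodmget -n -q "group=LDAPServer and name=ServerKdbPath" -f value HACMPLDAP | sort -u 2>/dev/null)
[[ -z $SERV_KDB_PATH ]] && ret_fail "Server key path not found." 2

# Split each key database path into its directory and its file name without
# the .kdb suffix; a bare file name (no directory part) is rejected.
[[ $SERV_KDB_PATH == */* ]] || ret_fail "Server key dir not found." 2
SERV_KDB_DIR=${SERV_KDB_PATH%/*}
[[ -z $SERV_KDB_DIR ]] && SERV_KDB_DIR=/
SERV_KDB_FILE=${SERV_KDB_PATH##*/}
SERV_KDB_FILE=${SERV_KDB_FILE%.kdb}
[[ -z $SERV_KDB_FILE ]] && ret_fail "Server key file not found." 2

[[ $CLNT_KDB_PATH == */* ]] || ret_fail "Client key dir not found." 2
CLNT_KDB_DIR=${CLNT_KDB_PATH%/*}
[[ -z $CLNT_KDB_DIR ]] && CLNT_KDB_DIR=/
CLNT_KDB_FILE=${CLNT_KDB_PATH##*/}
CLNT_KDB_FILE=${CLNT_KDB_FILE%.kdb}
[[ -z $CLNT_KDB_FILE ]] && ret_fail "Client key file not found." 2
# Normalised path of the client key database used by every command below.
CLNT_KDB="${CLNT_KDB_DIR}/${CLNT_KDB_FILE}.kdb"

TDS_SRV_PATH=$(clodmget -n -q "group=LDAPServer and name=BasePath" -f value HACMPLDAP | sort -u 2>/dev/null)
[[ -z $TDS_SRV_PATH ]] && ret_fail "Server base path not found." 2
VTYPE=$(clodmget -n -q group=LDAPServer -f type HACMPLDAP | sort -u 2>/dev/null)
[[ -z $VTYPE ]] && ret_fail "Server vendor type not found." 2
# For every vendor type other than "IBMNew" the client key database must
# already be in place; only "IBMNew" can reach the key generation below
# without one.
if [[ "$VTYPE" != "IBMNew" ]] && [[ ! -f "$CLNT_KDB" ]]
then
    dspmsg -s 129 cspoc.cat 147 "Keys should exists on all nodes.\n"
    exit 2
fi
VERSION=$(clodmget -n -q "group=LDAPServer and name=Version" -f value HACMPLDAP | sort -u 2>/dev/null)
[[ -z $VERSION ]] && ret_fail "Version not found." 2

# Remember whether the client key database pre-existed; the value is handed
# to cl_ldapcl_del on the cleanup path.
KDB_BIT=0
[[ -f "$CLNT_KDB_PATH" ]] && KDB_BIT=1

set -A GSKIT_FSETS GSKit8.gskcrypt32.ppc.rte GSKit8.gskssl32.ppc.rte GSKit8.gskcrypt64.ppc.rte GSKit8.gskssl64.ppc.rte
/usr/bin/lslpp -l "${GSKIT_FSETS[@]}" > /dev/null || { dspmsg -s 129 cspoc.cat 148 "GSKIT filesets not installed.\n"; exit 2; }

# Installed TDS client version whose string starts with the ODM version.
TDS_CLT_VER=$(${TDS_SRV_PATH}/bin/idsversion -r 2>&1 | grep "TDS_CLTBASE" | cut -f2 -d# | grep "^$VERSION")
[[ -z $TDS_CLT_VER ]] && ret_fail "Client version not found." 1

# From here on VERSION holds the first two components of the installed client
# version squashed together (e.g. a "6.3.x.y" client gives "63"); it is used
# in the fileset names and in the minimum-version check below.
VERSION=$(echo "$TDS_CLT_VER" | awk -F. '{print $1 $2}')
[[ -z $VERSION ]] && ret_fail "Version not found." 2

set -A LDAP_CL_FSETS \
    idsldap.clt32bit${VERSION}.rte \
    idsldap.clt64bit${VERSION}.rte \
    idsldap.clt_max_crypto32bit${VERSION}.rte \
    idsldap.clt_max_crypto64bit${VERSION}.rte \
    idsldap.cltbase${VERSION}.adt \
    idsldap.cltbase${VERSION}.rte \
    idsldap.cltjava${VERSION}.rte
/usr/bin/lslpp -l "${LDAP_CL_FSETS[@]}" >/dev/null || { dspmsg -s 129 cspoc.cat 145 "ITDS client filesets were not installed.\n"; exit 2; }

# Explicit if/else: with "a && b || c" a failing dspmsg on the success path
# would have aborted the configuration with status 2.
if [[ $VERSION -ge 62 ]]
then
    dspmsg -s 129 cspoc.cat 105 "ITDS client version %s is compatible, continuing configuration...\n" "$TDS_CLT_VER"
else
    dspmsg -s 129 cspoc.cat 106 "Incompatible ITDS client version installed!"
    exit 2
fi

# Generate the client key database and trust each server's certificate,
# unless the database is already there.
if [[ -f "$CLNT_KDB" ]]
then
    dspmsg -s 129 cspoc.cat 95 "Keys and certificates exists...\n"
else
    mkdir -p "$CLNT_KDB_DIR" || ret_fail "Client key directory creation failed!" $?
    /usr/bin/gsk8capicmd_64 -keydb -create -db "$CLNT_KDB" -pw "$CLNT_KDB_PW" -type cms -stash \
        || ret_fail "Client -keydb -create -db failed!" $?
    for X in $SERVER_LIST_CC
    do
        # Fetch the server's extracted certificate and add it to the client key db.
        /usr/es/sbin/cluster/utilities/cl_rcp "${X}:${SERV_KDB_DIR}/${SERV_KDB_FILE}.arm" "${CLNT_KDB_DIR}/${X}key.arm" \
            || ret_fail "Server extracted certificate copy failed!" $?
        /usr/bin/gsk8capicmd_64 -cert -add -db "$CLNT_KDB" -pw "$CLNT_KDB_PW" -label "$X" -file "${CLNT_KDB_DIR}/${X}key.arm" \
            || ret_fail "Server -cert -add -db failed!" $?
        # Unauthenticated base search over SSL (-Z): proves the trust chain
        # before any bind is attempted.  The filter is quoted so that a
        # matching file name in the current directory cannot replace it.
        ${TDS_SRV_PATH}/bin/idsldapsearch -h "$X" -Z -K "$CLNT_KDB" -P "$CLNT_KDB_PW" -b "" -s base -p "$SSL_PORT_NUM" 'objectclass=*' > /dev/null \
            || ret_fail "SSL access not configured properly!" $?
    done
fi

# Authenticated SSL bind against every server before committing the
# configuration with mksecldap.
for X in $SERVER_LIST_CC
do
    ${TDS_SRV_PATH}/bin/ldapsearch -h "$X" -D "$ADMIN_DN" -w "$ADMIN_DNPW" -K "$CLNT_KDB" \
        -P "$CLNT_KDB_PW" -p "$SSL_PORT_NUM" -b "$SUFFIX" -s base 'objectclass=*' >/dev/null \
        || ret_fail "Not able to bind using SSL, ldapsearch failed." $?
done
/usr/sbin/mksecldap -c -h "$SERVER_LIST" -a "$ADMIN_DN" -p "$ADMIN_DNPW" -A 'ldap_auth' -d "$SUFFIX" -n "$SSL_PORT_NUM" \
    -k "$CLNT_KDB" -w "$CLNT_KDB_PW" >/dev/null \
    || cleanup_and_exit

if [[ "$VTYPE" == "MSAD" ]]
then
    # Rewrite the SFUR2 and SFU30 map names in a single pass.  Two separate
    # rewrites that both read the original ldap.cfg would overwrite ldap.cfg1
    # and discard the first set of substitutions.
    # ldap.cfg1 is created under umask 077 and removed afterwards: ldap.cfg
    # presumably holds the bind credentials mksecldap just wrote, so a copy
    # with default permissions must not be left behind -- verify the mode of
    # ldap.cfg on the target release.
    ( umask 077
      /usr/bin/sed -e "s/sfur2user\.map/sfur2aixuser\.map/g" \
          -e "s/sfur2group\.map/sfur2aixgroup\.map/g" \
          -e "s/sfu30user\.map/sfu30aixuser\.map/g" \
          -e "s/sfu30group\.map/sfu30aixgroup\.map/g" \
          /etc/security/ldap/ldap.cfg > /etc/security/ldap/ldap.cfg1 ) \
        || ret_fail "schema copy failed" $?
    # cp onto the existing file keeps ldap.cfg's own ownership and mode.
    cp /etc/security/ldap/ldap.cfg1 /etc/security/ldap/ldap.cfg || ret_fail "copy failed" $?
    rm -f /etc/security/ldap/ldap.cfg1
fi
restart-secldapclntd || cleanup_and_exit

# Guard the recursive removal: FSEC_LOG_DIR comes from the sourced
# cl_federatedsec_source and must not be empty here.
[[ -n $FSEC_LOG_DIR ]] || ret_fail "Log directory not set." 2
run_on_allnode "rm -rf $FSEC_LOG_DIR" || ret_fail "Removing log directory failed." $?

exit 0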

##MAIN END##
