#!/bin/sh -e

##########################################################################
#   Script description:
#       Configure this system to authenticate users via LDAP
#       
#   History:
#   Date        Name        Modification
#   2012-01-09  Jason Bacon Begin
##########################################################################

pause()
{
    printf "Press return to continue..."
    read junk
}

##########################################################################
#   Main
##########################################################################

    
case $(auto-ostype) in
FreeBSD)
    # FIXME: Unify user interface across platforms
    if [ $# != 4 ]; then
	printf "Usage: $0 uri ou o cacert-file\n"
	printf "Example:\n    $0 ldap://ldap.my.domain people my.domain ./cacert.crt\n"
	exit 1
    fi
    
    uri=$1
    ou=$2
    o=$3
    cacert=$4
    
    if [ -z $EDITOR ]; then
	export EDITOR=vi
    fi
    
    # Let this install as a dependency?
    auto-install-packages security/pam_ldap net/nss_ldap
    
    # Install cert
    cp $cacert /usr/local/etc/openldap/cacert.crt
    
    # Set up ldap.conf files for openldap and PAM
    for ldap_conf in /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf; do
	touch $ldap_conf
	if ! fgrep -q uwm.edu $ldap_conf; then
	    cat << EOM >> $ldap_conf
base ou=$ou,o=$o
uri $uri
ssl start tls
tls_cacert /usr/local/etc/openldap/cacert.crt
tls_reqcert allow
EOM
	    printf "Updated %s.  Check/correct syntax if necessary.\n" $ldap_conf
	    pause
	    $EDITOR $ldap_conf
	fi
    done
    
    # Instruct PAM what attribute to look for in the LDAP database
    ldap_conf="/usr/local/etc/ldap.conf"
    if ! fgrep -q login_attribute $ldap_conf; then
	printf "pam_login_attribute uid\n" >> $ldap_conf
    fi
    
    # Tell PAM to use LDAP for ssh logins
    for service in sshd system xdm; do
	if ! fgrep -q pam_ldap.so /etc/pam.d/$service; then
	    awk ' { if ( $1 == "auth" && $3 == "pam_unix.so" )
		    {
			print "# Attempt and accept LDAP auth before unix auth"
			printf("auth\t\tsufficient\t/usr/local/lib/pam_ldap.so\tno_warn\n");
			print "# If LDAP auth fails, unix auth must succeed to grant access"
			print $0;
		    }
		    else
		    {
			print $0;
		    }
		  }' /etc/pam.d/$service > /etc/pam.d/temp
	    mv /etc/pam.d/$service /etc/pam.d/$service.orig
	    mv /etc/pam.d/temp /etc/pam.d/$service
	    printf "Updated /etc/pam.d/$service.  Check/correct syntax if necessary.\n"
	fi
    done
    
    # Tell ssh to use PAM
    # Does not appear to be necessary
    # printf "Set UsePAM to yes in sshd_config.\n"
    # pause
    # vi /etc/ssh/sshd_config
    # /etc/rc.d/sshd restart
    
    cat << EOM

==========================================================================

Make sure forward and reverse DNS are functioning for $(hostname).

Some LDAP servers will reject authentication requests if they cannot
verify the hostname and IP.

==========================================================================
EOM
    ;;

RHEL)
    ##########################################################################
    #   Script description:
    #       Redhat/CentOS LDAP client configurator
    #       This script is part of auto-admin tools.  The most up-to-date
    #       version can be obtained by downloading the latest auto-admin
    #       distfile from http://acadix.biz/Ports/distfiles/
    #
    #   Arguments:
    #       1)  URI of ldap server
    #       2)  Base DN for LDAP queries
    #       3)  cacert filename
    #
    #   Returns:
    #       0 or exit status of first failed command
    #
    #   History:
    #   Date        Name        Modification
    #   2013-02-12  Jason Bacon Begin
    ##########################################################################

    case $(auto-os-release) in
    RHEL6)
	;;
    
    RHEL7)
	;;
    
    *)
	auto-unsupported-release $0
	exit 1
	;;
    
    esac
    
    if [ $# != 3 ]; then
	printf "Usage: $0 uri basedn cacert-file\n"
	printf "Example:\n    $0 ldap://ldap.my.domain "ou=people,o=my.domain" ./cacert.crt\n"
	exit 1
    fi
    
    uri=$1
    basedn=$2
    cacert=$3
    
    # FIXME: Check for release 6.  This script will not work on 5.x.
    if [ ! -e /etc/redhat-release ]; then
	printf "$0 is only for Redhat and similar Linux distrubutions.\n"
	exit 1
    fi
    
    yum -y install openldap openldap-clients nss-pam-ldapd
    
    # Install cert
    certs_dir=/etc/openldap/cacerts
    mkdir -p $certs_dir
    cp $cacert $certs_dir
    
    # In web example, but should not be needed:
    # --useshadow --passalgo=md5
    authconfig --enableldap --enableldapauth --enableldaptls \
	--ldapserver="$uri" --ldapbasedn="$basedn" \
	--enablelocauthorize --update
    
    pause
    
    cat << EOM >> /etc/openldap/ldap.conf

ssl start tls
tls_reqcert allow

EOM
    
    if [ -z $EDITOR ]; then
	export EDITOR=vi
    fi
    $EDITOR /etc/openldap/ldap.conf
    
    cat << EOM

==========================================================================

Make sure forward and reverse DNS are functioning for $(hostname).

Some LDAP servers will reject authentication requests if they cannot
verify the hostname and IP.

==========================================================================
EOM
    ;;

*)
    auto-unsupported-os $0
    exit 1
    ;;

esac
