#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II.
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# display_msg(): Displays message corresponding to the tag passed in.
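#   $1  message tag (one of the case labels below); an unknown tag
#       prints nothing.
# Globals read: PROG, IDS_SERVER, IDS_PORT, the LDAP_* / IDS_* settings,
#   NEED_CREATE_SUFFIX, NEED_CREATE_BACKEND, _ATT.
# Globals written (summary_menu only): SUFFIX_INFO, DB_INFO.
# All output goes to stdout.
#
display_msg()
{
	case "$1" in
	usage) cat <<EOF
 $PROG: [ -v ] [ -i input file ] [ -o output file ]
   i <input file>     Get setup info from input file.
   o <output file>    Generate a server configuration output file.
   v                  Verbose mode
EOF
	;;
	backup_server) cat <<EOF
It is strongly recommended that you BACKUP the directory server
before running $PROG.

Hit Ctrl-C at any time before the final confirmation to exit.

EOF
	;;
	setup_complete) cat <<EOF

$PROG: Setup of iDS server ${IDS_SERVER} is complete.

EOF
	;;
	display_vlv_list) cat <<EOF

Note: idsconfig has created entries for VLV indexes.

  For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER}
  to stop the server.  Then, using directoryserver, follow the
  directoryserver examples below to create the actual VLV indexes.

  For DS6.x, use dsadm command delivered with DS6.x on ${IDS_SERVER}
  to stop the server.  Then, using dsadm, follow the
  dsadm examples below to create the actual VLV indexes.

EOF
	;;
	cred_level_menu) cat <<EOF
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
  4  self
  5  self proxy
  6  self proxy anonymous
EOF
	;;
	auth_method_menu) cat <<EOF
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
  6  sasl/GSSAPI
EOF
	;;
	srvauth_method_menu) cat <<EOF
The following are the supported Authentication Methods:
  1  simple
  2  sasl/DIGEST-MD5
  3  tls:simple
  4  tls:sasl/DIGEST-MD5
  5  sasl/GSSAPI
EOF
	;;
	prompt_ssd_menu) cat <<EOF
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
EOF
	;;
	summary_menu)

		SUFFIX_INFO=
		DB_INFO=

		# The suffix/database lines are only shown when the run is
		# going to create them; otherwise the summary omits them.
		[ -n "${NEED_CREATE_SUFFIX}" ] &&
		{
			SUFFIX_INFO=`cat <<EOF

     Suffix to create              : $LDAP_SUFFIX
EOF
`
			[ -n "${NEED_CREATE_BACKEND}" ] &&
			DB_INFO=`cat <<EOF

     Database to create            : $IDS_DATABASE
EOF
`
		}

		cat <<EOF
              Summary of Configuration

  1  Domain to serve               : $LDAP_DOMAIN
  2  Base DN to setup              : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO
  3  Profile name to create        : $LDAP_PROFILE_NAME
  4  Default Server List           : $LDAP_SERVER_LIST
  5  Preferred Server List         : $LDAP_PREF_SRVLIST
  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
  7  Credential Level              : $LDAP_CRED_LEVEL
  8  Authentication Method         : $LDAP_AUTHMETHOD
  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
 10  iDS Time Limit                : $IDS_TIMELIMIT
 11  iDS Size Limit                : $IDS_SIZELIMIT
 12  Enable crypt password storage : $NEED_CRYPT
 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
 17  Profile Time to Live          : $LDAP_PROFILE_TTL
 18  Bind Limit                    : $LDAP_BIND_LIMIT
 19  Enable shadow update          : $LDAP_ENABLE_SHADOW_UPDATE
 20  Service Search Descriptors Menu

EOF
	;;
	sfx_not_suitable) cat <<EOF

Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN}

EOF
	;;
	obj_not_found) cat <<EOF

Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute

EOF
	;;
	sfx_config_incons) cat <<EOF

Sorry, there is no suffix mapping for ${LDAP_SUFFIX},
while ldbm database exists, server configuration needs to be fixed manually,
look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config

EOF
	;;
	ldbm_db_exist) cat <<EOF

Database "${IDS_DATABASE}" already exists,
however "${IDS_DATABASE_AVAIL}" name is available

EOF
	;;
	unable_find_db_name) cat <<EOF

Unable to find any available database name close to "${IDS_DATABASE}"

EOF
	;;
	create_ldbm_db_error) cat <<EOF

ERROR: unable to create suffix ${LDAP_SUFFIX}
       due to server error that occurred during creation of ldbm database

EOF
	;;
	create_suffix_entry_error) cat <<EOF

ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class

EOF
	;;
	ldap_suffix_list) cat <<EOF

No valid suffixes (naming contexts) were found for LDAP base DN:
${LDAP_BASEDN}

Available suffixes are:
${LDAP_SUFFIX_LIST}

EOF
	;;
	sorry) cat <<EOF

HELP - No help is available for this topic.

EOF
	;;
	create_suffix_help) cat <<EOF

HELP - Our Base DN is ${LDAP_BASEDN}
       and we need to create a Directory Suffix,
       which can be equal to Base DN itself or be any of Base DN parents.
       All intermediate entries up to suffix will be created on demand.

EOF
	;;
	enter_ldbm_db_help) cat <<EOF

HELP - ldbm database is an internal database for storage of our suffix data.
       Database name must be alphanumeric due to Directory Server restriction.

EOF
	;;
	backup_help) cat <<EOF

HELP - Since idsconfig modifies the directory server configuration,
       it is strongly recommended that you backup the server prior
       to running this utility.  This is especially true if the server
       being configured is a production server.

EOF
	;;
	port_help) cat <<EOF

HELP - Enter the port number the directory server is configured to
       use for LDAP.

EOF
	;;
	domain_help) cat <<EOF

HELP - This is the DNS domain name this server will be serving.  You
       must provide this name even if the server is not going to be populated
       with hostnames.  Any unqualified hostname stored in the directory
       will be fully qualified using this DNS domain name.

EOF
	;;
	basedn_help) cat <<EOF

HELP - This parameter defines the default location in the directory tree for
       the naming services entries.  You can override this default by using
       serviceSearchDescriptors (SSD).  You will be given the option to set up
       an SSD later on in the setup.

EOF
	;;
	profile_help) cat <<EOF

HELP - Name of the configuration profile with which the clients will be
       configured.  A directory server can store various profiles for multiple
       groups of clients.  The initialization tool, (ldapclient(1M)), assumes
       "default" unless another is specified.

EOF
	;;
	def_srvlist_help) cat <<EOF

HELP - Provide a list of directory servers to serve clients using this profile.
       All these servers should contain consistent data and provide similar
       functionality.  This list is not ordered, and clients might change the
       order given in this list.  Note that this is a space separated list of
       *IP addresses* (not host names).  Providing port numbers is optional.

EOF
	;;
	pref_srvlist_help) cat <<EOF

HELP - Provide a list of directory servers to serve this client profile.
       Unlike the default server list, which is not ordered, the preferred
       servers must be entered IN THE ORDER you wish to have them contacted.
       If you do specify a preferred server list, clients will always contact
       them before attempting to contact any of the servers on the default
       server list.  Note that you must enter the preferred server list as a
       space-separated list of *IP addresses* (not host names).  Providing port
       numbers is optional.

EOF
	;;
	srch_scope_help) cat <<EOF

HELP - Default search scope to be used for all searches unless they are
       overwritten using serviceSearchDescriptors.  The valid options
       are "one", which would specify the search will only be performed
       at the base DN for the given service, or "sub", which would specify
       the search will be performed through *all* levels below the base DN
       for the given service.

EOF
	;;
	cred_lvl_help) cat <<EOF

HELP - This parameter defines what credentials the clients use to
       authenticate to the directory server.  This list might contain
       multiple credential levels and is ordered.  If a proxy level
       is configured, you will also be prompted to enter a bind DN
       for the proxy agent along with a password.  This proxy agent
       will be created if it does not exist.

EOF
	;;
	auth_help) cat <<EOF

HELP - The default authentication method(s) to be used by all services
       in the client using this profile.  This is a ordered list of
       authentication methods separated by a ';'.  The supported methods
       are provided in a menu.  Note that sasl/DIGEST-MD5 binds require
       passwords to be stored un-encrypted on the server.

EOF
	;;
	srvauth_help) cat <<EOF

HELP - The authentication methods to be used by a given service.  Currently
       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
       The authentication method specified in this attribute overrides
       the default authentication method defined in the profile.  This
       feature can be used to select stronger authentication methods for
       services which require increased security.

EOF
	;;
	pam_ldap_help) cat <<EOF

HELP - The authentication method(s) to be used by pam_ldap when contacting
       the directory server.  This is a ordered list, and, if provided, will
       override the default authentication method parameter.

EOF
	;;
	keyserv_help) cat <<EOF

HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
       when contacting the directory server.  This is a ordered list and
       if provided will override the default authentication method
       parameter.

EOF
	;;
	passwd-cmd_help) cat <<EOF

HELP - The authentication method(s) to be used by passwd(1) command when
       contacting the directory server.  This is a ordered list and if
       provided will override the default authentication method parameter.

EOF
	;;
	referrals_help) cat <<EOF

HELP - This parameter indicates whether the client should follow
       ldap referrals if it encounters one during naming lookups.

EOF
	;;
	tlim_help) cat <<EOF

HELP - The server time limit value indicates the maximum amount of time the
       server would spend on a query from the client before abandoning it.
       A value of '-1' indicates no limit.

EOF
	;;
	slim_help) cat <<EOF

HELP - The server sizelimit value indicates the maximum number of entries
       the server would return in respond to a query from the client.  A
       value of '-1' indicates no limit.

EOF
	;;
	crypt_help) cat <<EOF

HELP - By default iDS does not store userPassword attribute values using
       unix "crypt" format.  If you need to keep your passwords in the crypt
       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'.  If
       passwords are stored using any other format than crypt, pam_ldap
       MUST be used by clients to authenticate users to the system.  Note
       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
       user passwords must be stored in the clear format.

EOF
	;;
	srchtime_help) cat <<EOF

HELP - The search time limit the client will enforce for directory
       lookups.

EOF
	;;
	profttl_help) cat <<EOF

HELP - The time to live value for profile.  The client will refresh its
       cached version of the configuration profile at this TTL interval.

EOF
	;;
	bindlim_help) cat <<EOF

HELP - The time limit for the bind operation to the directory.  This
       value controls the responsiveness of the client in case a server
       becomes unavailable.  The smallest timeout value for a given
       network architecture/conditions would work best.  This is very
       similar to setting TCP timeout, but only for LDAP bind operation.

EOF
	;;
	ssd_help) cat <<EOF

HELP - Using Service Search Descriptors (SSD), you can override the
       default configuration for a given service.  The SSD can be
       used to override the default search base DN, the default search
       scope, and the default search filter to be used for directory
       lookups.  SSD are supported for all services (databases)
       defined in nsswitch.conf(4).  The default base DN is defined
       in ldap(1).

       Note: SSD are powerful tools in defining configuration profiles
             and provide a great deal of flexibility.  However, care
             must be taken in creating them.  If you decide to make use
             of SSDs, consult the documentation first.

EOF
	;;
	ssd_menu_help) cat <<EOF

HELP - Using this menu SSD can be added, updated, or deleted from
       the profile.

       A - This option creates a new SSD by prompting for the
           service name, base DN, and scope.  Service name is
           any valid service as defined in ldap(1).  base is
           either the distinguished name to the container where
           this service will use, or a relative DN followed
           by a ','.
       D - Delete a previously created SSD.
       M - Modify a previously created SSD.
       P - Display a list of all the previously created SSD.
       X - Delete all of the previously created SSD.

       Q - Exit the menu and continue with the server configuration.

EOF
	;;
	ldap_suffix_list_help) cat <<EOF

HELP - No valid suffixes (naming contexts) are available on server
       ${IDS_SERVER}:${IDS_PORT}.
       You must set an LDAP Base DN that can be contained in
       an existing suffix.

EOF
	;;
	enable_shadow_update_help) cat <<EOF

HELP - Enter 'y' to set up the LDAP server for shadow update.
       The setup will add an administrator identity/credential
       and modify the necessary access controls for the client
       to update shadow(4) data on the LDAP server.  If sasl/GSSAPI
       is in use, the Kerberos host principal will be used as the
       administrator identity.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(4) manual page for details.

EOF
	;;
	add_admin_cred_help) cat <<EOF

HELP - Start the setup to add an administrator identity/credential
       and to modify access controls for the client to update
       shadow(4) data on the LDAP server.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(4) manual page for details.

EOF
	;;
	use_host_principal_help) cat <<EOF

HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self'
       credential level is detected, enter 'y' to modify the necessary
       access controls for allowing the client to update shadow(4) data
       on the LDAP server.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(4) manual page for details.

EOF
	;;
	esac
}


#
# get_ans(): gets an answer from the user.
#   $1  instruction/comment/description/question
#   $2  default value (may be empty)
# The reply is left in the global ANS; an empty reply (or EOF on stdin)
# yields $2.  The prompt is written with ${ECHO}, whose "\c" suffix
# suppresses the trailing newline.
#
get_ans()
{
	if [ -z "$2" ]
	then
		${ECHO} "$1 \c"
	else
		${ECHO} "$1 [$2] \c"
	fi

	# -r keeps backslashes in the reply literal (POSIX read).  Without
	# it a reply containing '\' -- e.g. a password entered through
	# get_passwd() -- is silently altered before it is used.
	read -r ANS
	if [ -z "$ANS" ]
	then
		ANS=$2
	fi
}


#
# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.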
#   $@  instruction/comment/description/question (handed to get_ans)
# The reply is left in the global ANS; the prompt repeats until ANS is
# non-empty.
#
get_ans_req()
{
	ANS=""			# Start from NULL so the prompt runs at least once.
	until [ -n "$ANS" ]
	do
		get_ans "$@"
		[ "$ANS" = "" ] && ${ECHO} "NULL value not allowed!"
	done
}


#
# get_number(): Queries and verifies that the number entered is numeric.
# Function will repeatedly prompt the user for a number value.
#   $1  Message text.
#   $2  default value.
#   $3  Help argument: a display_msg() tag shown when the user asks for
#       help; defaults to "sorry".
# The accepted value is left in the globals ANS and NUM.  The numeric
# check is done by not_numeric(), defined elsewhere in this file.
#
get_number()
{
	ANS=""			# Set ANS to NULL.
	NUM=""

	get_ans "$1" "$2"

	# Re-prompt until not_numeric() accepts the reply; "h"/"?" show help.
	while not_numeric $ANS
	do
		case "$ANS" in
		[Hh] | help | Help | \?)
			display_msg ${3:-sorry}
			;;
		*)
			${ECHO} "Invalid value: \"${ANS}\". \c"
			;;
		esac
		get_ans "Enter a numeric value:" "$2"
	done
	NUM=$ANS
}


#
# get_negone_num(): Only allows a -1 or positive integer.
# Used for values where -1 has special meaning.
#
#   $1 - Prompt message.
#   $2 - Default value (required).
#   $3 - Optional help argument.
# The accepted value is left in the global ANS (via get_number()).
# is_negative() is defined elsewhere in this file.
#
get_negone_num()
{
	while :
	do
		get_number "$1" "$2" "$3"
		# Anything non-negative is fine; of the negatives only -1
		# is accepted.
		if is_negative $ANS && [ "$ANS" != "-1" ]
		then
			${ECHO} "Invalid number: please enter -1 or positive number."
		else
			break
		fi
	done
}


#
# get_passwd(): Reads a password from the user and verify with second.
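# $@ instruction/comment/description/question
#
# The password is returned in ANS (the shared answer variable that get_ans
# sets).  Terminal echo is switched off while it is typed; the signal trap
# installed by init() turns it back on if the prompt is interrupted.
#
get_passwd()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In get_passwd()"

	# Temporary PASSWD variables
	_PASS1=""
	_PASS2=""

	/usr/bin/stty -echo	# Turn echo OFF

	# Endless loop that continues until passwd and re-entered passwd
	# match.
	while :
	do
		ANS=""		# Set ANS to NULL.

		# Don't allow NULL for first try.
		while [ "$ANS" = "" ]
		do
			get_ans "$@"
			[ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
		done
		_PASS1=$ANS	# Store first try.

		# Get second try.
		${ECHO} ""
		get_ans "Re-enter passwd:"
		_PASS2=$ANS

		# Test if passwords are identical.
		if [ "$_PASS1" = "$_PASS2" ]; then
			break
		fi

		# Move cursor down to next line and print ERROR message.
		${ECHO} ""
		${ECHO} "ERROR: passwords don't match; try again."
	done

	/usr/bin/stty echo	# Turn echo ON

	# Don't keep extra copies of the password around in shell variables;
	# ANS is the only return channel.
	_PASS1=""
	_PASS2=""

	${ECHO} ""
}


#
# get_passwd_nochk(): Reads a password from the user w/o check.
# $@ instruction/comment/description/question
#
# Result is returned in ANS.  Echo is off while the password is typed.
#
get_passwd_nochk()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In get_passwd_nochk()"

	/usr/bin/stty -echo	# Turn echo OFF

	get_ans "$@"

	/usr/bin/stty echo	# Turn echo ON

	${ECHO} ""
}


#
# get_menu_choice(): Get a menu choice from user.  Continue prompting
#                    till the choice is in required range.
# $1 .. Message text.
# $2 .. min value
# $3 .. max value
# $4 .. OPTIONAL: default value
#
# Return value:
#   MN_CH will contain the value selected.
#   Returns 1 (without prompting) if fewer than 3 arguments were given.
#
get_menu_choice()
{
	# Check for req parameter.
	if [ $# -lt 3 ]; then
		${ECHO} "get_menu_choice(): Did not get required parameters."
		return 1
	fi

	while :
	do
		get_ans "$1" "$4"
		MN_CH=$ANS

		# is_negative() returns 1 only for a non-negative integer, so
		# the numeric range comparison is only attempted in that case.
		is_negative "$MN_CH"
		if [ $? -eq 1 ] && [ "$MN_CH" -ge "$2" ] && [ "$MN_CH" -le "$3" ]; then
			return 0
		fi
		${ECHO} "Invalid choice: $MN_CH"
	done
}


#
# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
# $1 - Message
# $2 - default value (required; an empty value is an internal error
#      and terminates the script with status 2).
# $3 - OPTIONAL: display_msg tag shown when the user asks for help.
#
# Returns 1 for yes and 0 for no (note the inverted convention; callers
# test the status accordingly).
#
get_confirm()
{
	_ANSWER=

	# Display Internal ERROR if $2 not set.  The check does not depend
	# on the loop, so it is done once up front.
	if [ -z "$2" ]
	then
		${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
		exit 2
	fi

	while :
	do
		# Display prompt.
		${ECHO} "$1 [$2] \c"

		# Get the ANSWER; an empty line selects the default.
		read _ANSWER
		[ "$_ANSWER" = "" ] && _ANSWER=$2

		case "$_ANSWER" in
		[Yy] | yes | Yes | YES)		return 1 ;;
		[Nn] | no | No | NO)		return 0 ;;
		[Hh] | help | Help | \?)	display_msg "${3:-sorry}" ;;
		*)	${ECHO} "Please enter y or n." ;;
		esac
	done
}


#
# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
#                      No default value supported.
# $@ - Prompt text.
#
# Returns 1 for yes and 0 for no, like get_confirm().
#
get_confirm_nodef()
{
	_ANSWER=

	while :
	do
		${ECHO} "$@ \c"
		read _ANSWER
		case "$_ANSWER" in
		[Yy] | yes | Yes | YES)	return 1 ;;
		[Nn] | no | No | NO)	return 0 ;;
		*)	${ECHO} "Please enter y or n." ;;
		esac
	done
}


#
# is_numeric(): Tells is a string is numeric.
#   0 = Numeric
#   1 = NOT Numeric (also returned when not exactly one argument is given)
#
is_numeric()
{
	# Check for parameter.
	[ $# -eq 1 ] || return 1

	# Determine if numeric.  expr exits 0 or 1 for a well-formed integer
	# expression (1 when the result is zero, e.g. "-1" + 1) and 2 or more
	# for a non-integer operand, so only statuses >= 2 mean "not a number".
	expr "$1" + 1 > /dev/null 2>&1
	[ $? -ge 2 ] && return 1

	# Made it here, it's Numeric.
	return 0
}


#
# not_numeric(): Reverses the return values of is_numeric.  Useful
#                for if and while statements that want to test for
#                non-numeric data.
#   0 = NOT Numeric
#   1 = Numeric
#
not_numeric()
{
	if is_numeric "$1"; then
		return 1
	fi
	return 0
}


#
# is_negative(): Tells is a Numeric value is less than zero.
#   0 = Negative Numeric
#   1 = Positive Numeric
#   2 = NOT Numeric (including a missing or extra argument)
#
is_negative()
{
	# Check for parameter.  Previously a wrong argument count returned 1
	# ("positive"), contradicting the contract above; it is now 2.
	[ $# -eq 1 ] || return 2

	# Determine if numeric.  Can't use expr because -0 is
	# considered positive?? -- so classify by the leading '-' once the
	# value is known to be numeric.
	is_numeric "$1" || return 2
	case "$1" in
	-*)	return 0 ;;	# Negative Numeric
	*)	return 1 ;;	# Positive Numeric
	esac
}


#
# check_domainname(): check validity of a domain name.  Currently we check
#                     that it has at least two components.
# $1 the domain name to be checked
#
# Returns 0 when valid, 1 otherwise.  Note: an empty name is not rejected
# here; only the two-component rule is enforced.
#
check_domainname()
{
	[ -z "$1" ] && return 0

	# expr prints the length of the leading match (0 when nothing
	# matched); a match needs a non-empty label on both sides of a dot.
	t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
	if [ "$t" = 0 ]
	then
		return 1
	fi
	return 0
}


#
# check_baseDN(): check validity of the baseDN name.
#                 $1 the baseDN name to be checked
#
# NOTE: The check_baseDN function does not catch all invalid DN's.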
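#             Its purpose is to reduce the number of invalid DN's to
#             get past the input routine.  The invalid DN's will be
#             caught by the LDAP server when they are attempted to be
#             created.
#
# Returns 0 when the DN looks usable (or is empty), 1 when it has no '='
# or one of its attribute names fails check_attrName().
#
check_baseDN()
{
	ck_DN=$1
	${ECHO} "  Checking LDAP Base DN ..."
	if [ ! -z "$ck_DN" ]; then
		[ "$DEBUG" -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
		# Check for = (assignment operator)
		${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
		if [ $? -ne 0 ]; then
			[ "$DEBUG" -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
			return 1
		fi

		# Check all keys.
		while :
		do
			# Get first key.  The DN is quoted so that glob
			# characters in it are not expanded; the whitespace
			# that may follow a ',' is trimmed explicitly (it used
			# to be dropped by word splitting).
			dkey=`${ECHO} "$ck_DN" | cut -d'=' -f1 | \
			    ${SED} 's/^[[:space:]]*//; s/[[:space:]]*$//'`

			# Check that the key string is valid
			check_attrName "$dkey"
			if [ $? -ne 0 ]; then
				[ "$DEBUG" -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
				return 1
			fi

			[ "$DEBUG" -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"

			# Remove first key from DN (cut -s yields nothing when
			# no ',' is left, which ends the loop below).
			ck_DN=`${ECHO} "$ck_DN" | cut -s -d',' -f2-`

			# Break loop if nothing left.
			if [ "$ck_DN" = "" ]; then
				break
			fi
		done
	fi
	return 0
}


#
# domain_2_dc(): Convert a domain name into dc string.
# $1 .. Domain name.
#
# Result is left in the exported variable _DOM_2_DC, e.g. "example.com"
# becomes "dc=example,dc=com"; an empty domain yields an empty string.
#
domain_2_dc()
{
	_DOM=$1			# Domain parameter.
	_DOM_2_DC=""		# Return value from function.
	_FIRST=1		# Flag for first time.

	export _DOM_2_DC	# Make visible for others.

	# Convert "."'s to spaces for "for" loop.  Word splitting of
	# $domtmp is intentional; it also skips empty components.
	domtmp="`${ECHO} "${_DOM}" | tr '.' ' '`"
	for i in $domtmp; do
		if [ $_FIRST -eq 1 ]; then
			_DOM_2_DC="dc=${i}"
			_FIRST=0
		else
			_DOM_2_DC="${_DOM_2_DC},dc=${i}"
		fi
	done
}


#
# is_root_user(): Check to see if logged in as root user.
#
# Returns 0 when id(1M) reports uid 0 (root), 1 otherwise.
#
is_root_user()
{
	case `id` in
	uid=0\(root\)*)	return 0 ;;
	*)		return 1 ;;
	esac
}


#
# parse_arg(): Parses the command line arguments and sets the
#              appropriate variables.
#
# Options: -d debug, -v verbose, -i <input file>, -o <output file>.
# Returns the number of arguments consumed (OPTIND - 1) so the caller
# can shift them away.
#
parse_arg()
{
	while getopts "dvhi:o:" ARG
	do
		case "$ARG" in
		d)	DEBUG=1;;
		v)	VERB="";;
		i)	INPUT_FILE=$OPTARG;;
		o)	OUTPUT_FILE=$OPTARG;;
		\?)	display_msg usage
			exit 1;;
		*)	${ECHO} "**ERROR: Supported option missing handler!"
			display_msg usage
			exit 1;;
		esac
	done
	return `expr $OPTIND - 1`
}


#
# init(): initializes variables and options
#
# Sets every global the rest of the script relies on (tool paths, LDAP
# defaults, profile defaults), creates the private TMPDIR with a cleanup
# trap, and exports the variables that helper commands read.
#
init()
{
	# General variables.
	PROG=`basename "$0"`	# Program name
	PID=$$			# Program ID
	VERB='> /dev/null 2>&1'	# NULL or "> /dev/null"
	ECHO="/bin/echo"	# print message on screen
	EVAL="eval"		# eval or echo
	EGREP="/usr/bin/egrep"
	GREP="/usr/bin/grep"
	DEBUG=0			# Set Debug OFF
	BACKUP=no_ldap		# backup suffix
	HOST=""			# NULL or <hostname>
	NAWK="/usr/bin/nawk"
	RM="/usr/bin/rm"
	WC="/usr/bin/wc"
	CAT="/usr/bin/cat"
	SED="/usr/bin/sed"

	DOM=""			# Set to NULL
	# If DNS domain (resolv.conf) exists use that, otherwise use domainname.
	if [ -f /etc/resolv.conf ]; then
		DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
		    | awk '{ print $2 }' | tail -1`
	fi

	# If for any reason the DOM did not get set (error'd resolv.conf) set
	# DOM to the domainname command's output.
	if [ "$DOM" = "" ]; then
		DOM=`domainname`	# domain from domainname command.
	fi

	STEP=1
	INTERACTIVE=1		# 0 = on, 1 = off (For input file mode)
	DEL_OLD_PROFILE=0	# 0 (default), 1 = delete old profile.

	# idsconfig specific variables.
	INPUT_FILE=""
	OUTPUT_FILE=""
	LDAP_ENABLE_SHADOW_UPDATE="FALSE"
	NEED_PROXY=0		# 0 = No Proxy, 1 = Create Proxy.
	NEED_ADMIN=0		# 0 = No Admin, 1 = Create Admin.
	NEED_HOSTACL=0		# 0 = No Host ACL, 1 = Create Host ACL.
	EXISTING_PROFILE=0
	LDAP_PROXYAGENT=""
	LDAP_ADMINDN=""
	LDAP_SUFFIX=""
	LDAP_DOMAIN=$DOM	# domainname on Server (default value)
	GEN_CMD=""
	PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"

	# LDAP COMMANDS
	LDAPSEARCH="/bin/ldapsearch -r"
	LDAPMODIFY=/bin/ldapmodify
	LDAPADD=/bin/ldapadd
	LDAPDELETE=/bin/ldapdelete
	LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile

	# iDS specific information
	IDS_SERVER=""
	IDS_PORT=389
	NEED_TIME=0
	NEED_SIZE=0
	NEED_SRVAUTH_PAM=0
	NEED_SRVAUTH_KEY=0
	NEED_SRVAUTH_CMD=0
	IDS_TIMELIMIT=""
	IDS_SIZELIMIT=""

	# LDAP PROFILE related defaults
	LDAP_ROOTDN="cn=Directory Manager"	# Provide common default.
	LDAP_ROOTPWD=""				# NULL passwd as default (i.e. invalid)
	LDAP_PROFILE_NAME="default"
	LDAP_BASEDN=""
	LDAP_SERVER_LIST=""
	LDAP_AUTHMETHOD=""
	LDAP_FOLLOWREF="FALSE"
	NEED_CRYPT=""
	LDAP_SEARCH_SCOPE="one"
	LDAP_SRV_AUTHMETHOD_PAM=""
	LDAP_SRV_AUTHMETHOD_KEY=""
	LDAP_SRV_AUTHMETHOD_CMD=""
	LDAP_SEARCH_TIME_LIMIT=30
	LDAP_PREF_SRVLIST=""
	LDAP_PROFILE_TTL=43200
	LDAP_CRED_LEVEL="proxy"
	LDAP_BIND_LIMIT=10

	# Prevent new files from being read by group or others.  This is
	# what keeps the password file written by save_password() private.
	umask 077

	# Service Search Descriptors
	LDAP_SERV_SRCH_DES=""

	# Set and create TMPDIR.  The name is predictable, but mkdir fails
	# if anything (including a symlink) already exists there, so a
	# pre-planted path cannot be silently reused.
	TMPDIR="/tmp/idsconfig.${PID}"
	if mkdir -m 700 "${TMPDIR}"
	then
		# Cleanup on exit.  Echo is also restored in case a signal
		# arrives while a password prompt has it switched off.
		trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
	else
		${ECHO} "ERROR: unable to create a safe temporary directory."
		exit 1
	fi
	LDAP_ROOTPWF=${TMPDIR}/rootPWD

	# Set the SSD file name after setting TMPDIR.
	SSD_FILE=${TMPDIR}/ssd_list

	# GSSAPI setup
	LDAP_KRB_REALM=""
	LDAP_GSSAPI_PROFILE=""
	SCHEMA_UPDATED=0

	# NOTE: the exported list includes the credential variables
	# (LDAP_ROOTPWD, LDAP_PROXYAGENT_CRED, LDAP_ADMIN_CRED), so every
	# child process inherits them in its environment.
	export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
	export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
	export LDAP_BASEDN LDAP_ROOTPWF
	export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
	export NEED_PROXY
	export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
	export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
	export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
	export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
	export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
	export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
	export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
	export LDAP_SERV_SRCH_DES SSD_FILE
	export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED
}


#
# disp_full_debug(): List of all debug variables usually interested in.
#                    Grouped to avoid MASSIVE code duplication.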
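#
# Output goes to stdout only when DEBUG is 1.  Credential values are never
# printed (only whether they are set): debug output routinely ends up in
# terminal logs and support tickets.
#
disp_full_debug()
{
	# Nothing to show unless -d was given.  The failed test's status is
	# what the function returns in that case, as before.
	[ "$DEBUG" -eq 1 ] || return

	${ECHO} "  IDS_SERVER = $IDS_SERVER"
	${ECHO} "  IDS_PORT = $IDS_PORT"
	${ECHO} "  LDAP_ROOTDN = $LDAP_ROOTDN"
	_disp_secret LDAP_ROOTPWD "$LDAP_ROOTPWD"
	${ECHO} "  LDAP_DOMAIN = $LDAP_DOMAIN"
	${ECHO} "  LDAP_SUFFIX = $LDAP_SUFFIX"
	${ECHO} "  LDAP_BASEDN = $LDAP_BASEDN"
	${ECHO} "  LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
	${ECHO} "  LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
	${ECHO} "  LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
	${ECHO} "  LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
	${ECHO} "  LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
	${ECHO} "  LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
	${ECHO} "  LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
	${ECHO} "  IDS_TIMELIMIT = $IDS_TIMELIMIT"
	${ECHO} "  IDS_SIZELIMIT = $IDS_SIZELIMIT"
	${ECHO} "  NEED_CRYPT = $NEED_CRYPT"
	${ECHO} "  NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
	${ECHO} "  NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
	${ECHO} "  NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
	${ECHO} "  LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
	${ECHO} "  LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
	${ECHO} "  LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
	${ECHO} "  LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
	${ECHO} "  LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
	${ECHO} "  LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
	${ECHO} "  LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE"

	# Only display proxy stuff if needed.
	${ECHO} "  NEED_PROXY = $NEED_PROXY"
	if [ "$NEED_PROXY" -eq 1 ]; then
		${ECHO} "  LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
		_disp_secret LDAP_PROXYAGENT_CRED "$LDAP_PROXYAGENT_CRED"
	fi

	# Only display admin credential if needed.
	${ECHO} "  NEED_ADMIN = $NEED_ADMIN"
	${ECHO} "  NEED_HOSTACL = $NEED_HOSTACL"
	if [ "$NEED_ADMIN" -eq 1 ]; then
		${ECHO} "  LDAP_ADMINDN = $LDAP_ADMINDN"
		_disp_secret LDAP_ADMIN_CRED "$LDAP_ADMIN_CRED"
	fi

	# Service Search Descriptors are a special case.
	${ECHO} "  LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
}


#
# _disp_secret(): Debug-print whether a credential variable is set,
#                 without printing its value.  Helper for disp_full_debug().
# $1 - Variable name (used as the label).
# $2 - Variable value.
#
_disp_secret()
{
	if [ -n "$2" ]; then
		${ECHO} "  $1 = <set, not shown>"
	else
		${ECHO} "  $1 = <not set>"
	fi
}


#
# load_config_file(): Loads the config file.
#
# The input file (-i) is sourced as shell code, so anything in it runs
# with the privileges of the invoking user; only use files you wrote or
# have reviewed.  Lines setting LDAP_SERV_SRCH_DES are filtered out before
# sourcing and handled by create_ssd_file() instead.
#
load_config_file()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In load_config_file()"

	# A missing or unreadable input file used to be ignored silently
	# (grep failed, nothing was sourced and setup went on with the
	# defaults); fail loudly instead.
	if [ ! -f "${INPUT_FILE}" ] || [ ! -r "${INPUT_FILE}" ]; then
		${ECHO} "ERROR: Can not read input file '${INPUT_FILE}'."
		exit 1
	fi

	# Remove SSD lines from input file before sourcing.
	# The SSD lines must be removed because some forms of the
	# data could cause SHELL errors.
	${GREP} -v "LDAP_SERV_SRCH_DES=" "${INPUT_FILE}" > "${TMPDIR}/inputfile.noSSD"

	# Source the input file.
	. "${TMPDIR}/inputfile.noSSD"

	# If LDAP_SUFFIX is not set, try to utilize LDAP_TREETOP since older
	# config files use LDAP_TREETOP
	LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"

	# Save password to temporary file.
	save_password

	# Create the SSD file.
	create_ssd_file

	# Display FULL debugging info.
	disp_full_debug
}

#
# save_password(): Save password to temporary file.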
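#
# Writes LDAP_ROOTPWD, followed by a newline, to LDAP_ROOTPWF so that the
# ldap* commands can read it via "-j".  The file lives in TMPDIR (mode
# 700) and init() sets umask 077, so it is private to the invoking user.
#
save_password()
{
	# printf rather than an unquoted here-document: the old form let
	# the shell expand '$', '`' and '\' sequences inside the password,
	# so such a password was written altered.
	printf '%s\n' "${LDAP_ROOTPWD}" > "${LDAP_ROOTPWF}"
}

######################################################################
# FUNCTIONS FOR prompt_config_info() START HERE.
######################################################################

#
# get_ids_server(): Prompt for iDS server name.
#
# Loops until ping(1M) reaches the entered host; the result is left in
# IDS_SERVER and SERVER_ARGS/LDAP_ARGS are rebuilt from it.
#
get_ids_server()
{
	while :
	do
		# Prompt for server name.
		get_ans "Enter the JES Directory Server's hostname to setup:" "$IDS_SERVER"
		IDS_SERVER="$ANS"

		# Ping server to see if live.  If valid break out of loop.
		# The name is quoted so an answer containing blanks is not
		# split into additional ping arguments.
		ping "$IDS_SERVER" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			break
		fi

		# Invalid server, enter a new name.
		${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
		IDS_SERVER=""
	done

	# Set SERVER_ARGS and LDAP_ARGS since values might of changed.
	SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
	export SERVER_ARGS

}

#
# get_ids_port(): Prompt for iDS port number.
#
# Loops until an anonymous base search against IDS_SERVER:IDS_PORT
# succeeds, re-prompting for the server when it does not.  Leaves the
# port in IDS_PORT and rebuilds SERVER_ARGS/LDAP_ARGS.
#
get_ids_port()
{
	# Get a valid iDS port number.
	while :
	do
		# Enter port number.
		get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
		IDS_PORT=$ANS
		# Do a simple search to check hostname and port number.
		# If search returns SUCCESS, break out, host and port must
		# be valid.  (LDAPSEARCH holds a command plus options and
		# must stay unquoted.)
		${LDAPSEARCH} -h "${IDS_SERVER}" -p "${IDS_PORT}" -b "" -s base "objectclass=*" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			break
		fi

		# Invalid host/port pair, Re-enter.
		${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
		get_ids_server
	done

	# Set SERVER_ARGS and LDAP_ARGS since values might of changed.
	SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
	export SERVER_ARGS
}


#
# chk_ids_version(): Read the slapd config file and set variables
#
# Reads the server version from cn=monitor into IDS_VER / IDS_MAJVER /
# IDS_MINVER and exits with status 1 unless the major version is 5 or 6.
#
chk_ids_version()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In chk_ids_version()"

	# check iDS version number.
	# NOTE: eval re-parses SERVER_ARGS, so the host and port in it must
	# be shell-safe; they have already had to pass the ping and
	# ldapsearch probes in get_ids_server()/get_ids_port().
	# NOTE: $? below is the status of the last pipeline stage (cut), so
	# a failed ldapsearch is actually caught by the empty-version
	# check further down, not by this test.
	eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "ERROR: Can not determine the version number of iDS!"
		exit 1
	fi
	IDS_VER=`cat "${TMPDIR}/checkDSver"`
	IDS_MAJVER=`${ECHO} "${IDS_VER}" | cut -f1 -d.`
	IDS_MINVER=`${ECHO} "${IDS_VER}" | cut -f2 -d.`
	if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then
		${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."
		exit 1
	fi
	if [ "$DEBUG" -eq 1 ]; then
		${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
		${ECHO} "  IDS_MINVER = $IDS_MINVER"
	fi
}


#
# get_dirmgr_dn(): Get the directory manger DN.
#
# Leaves the DN in LDAP_ROOTDN and rebuilds AUTH_ARGS/LDAP_ARGS.  The
# password itself is passed to the ldap* commands through the file
# LDAP_ROOTPWF (-j), never on the command line.
#
get_dirmgr_dn()
{
	get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
	LDAP_ROOTDN=$ANS

	# Update ENV variables using DN.  AUTH_ARGS is later expanded by
	# eval, hence the embedded quotes around the DN; a DN containing
	# '"', '$' or '`' would not survive that re-parse.
	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
	export AUTH_ARGS LDAP_ARGS
}


#
# get_dirmgr_pw(): Get the Root DN passwd.  (Root DN found in slapd.conf)
#
# Loops until a bind as LDAP_ROOTDN with the entered password succeeds.
# The password is kept in LDAP_ROOTPWD and in the file LDAP_ROOTPWF.
#
get_dirmgr_pw()
{
	while :
	do
		# Get passwd.
		get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
		LDAP_ROOTPWD=$ANS

		# Store password in file.
		save_password

		# Update ENV variables using DN's PW.
		AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
		LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
		export AUTH_ARGS LDAP_ARGS

		# Verify that ROOTDN and ROOTPWD are valid.  The search
		# output is kept so the error text can be inspected below.
		eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
		if [ $? -ne 0 ]; then
			# An error mentioning "credential" means the DN was
			# accepted but the password was not; anything else
			# is treated as a bad DN and the DN is re-prompted.
			eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
			if [ $? -eq 0 ]; then
				${ECHO} "ERROR: Root DN passwd is invalid."
			else
				${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
				get_dirmgr_dn
			fi
		else
			break		# Both are valid.
		fi
	done


}


#
# get_domain(): Get the Domain that will be served by the LDAP server.
#               $1 - Help argument.
#
get_domain()
{
	# Use LDAP_DOMAIN as default.
	get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN

	# Check domainname, and have user re-enter if not valid.
	check_domainname $ANS
	while [ $?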
-ne 0 ] 13477c478bd9Sstevel@tonic-gate do 13487c478bd9Sstevel@tonic-gate case "$ANS" in 13497c478bd9Sstevel@tonic-gate [Hh] | help | Help | \?) display_msg ${1:-sorry} ;; 13507c478bd9Sstevel@tonic-gate * ) ${ECHO} "Invalid domainname: \"${ANS}\"." 13517c478bd9Sstevel@tonic-gate ;; 13527c478bd9Sstevel@tonic-gate esac 13537c478bd9Sstevel@tonic-gate get_ans "Enter domainname to be served (h=help):" $DOM 13547c478bd9Sstevel@tonic-gate 13557c478bd9Sstevel@tonic-gate check_domainname $ANS 13567c478bd9Sstevel@tonic-gate done 13577c478bd9Sstevel@tonic-gate 13587c478bd9Sstevel@tonic-gate # Set the domainname to valid name. 13597c478bd9Sstevel@tonic-gate LDAP_DOMAIN=$ANS 13607c478bd9Sstevel@tonic-gate} 13617c478bd9Sstevel@tonic-gate 13627c478bd9Sstevel@tonic-gate 13637c478bd9Sstevel@tonic-gate# 13647c478bd9Sstevel@tonic-gate# get_basedn(): Query for the Base DN. 13657c478bd9Sstevel@tonic-gate# 13667c478bd9Sstevel@tonic-gateget_basedn() 13677c478bd9Sstevel@tonic-gate{ 13687c478bd9Sstevel@tonic-gate # Set the $_DOM_2_DC and assign to LDAP_BASEDN as default. 13697c478bd9Sstevel@tonic-gate # Then call get_basedn(). This method remakes the default 13707c478bd9Sstevel@tonic-gate # each time just in case the domain changed. 13717c478bd9Sstevel@tonic-gate domain_2_dc $LDAP_DOMAIN 13727c478bd9Sstevel@tonic-gate LDAP_BASEDN=$_DOM_2_DC 13737c478bd9Sstevel@tonic-gate 13747c478bd9Sstevel@tonic-gate # Get Base DN. 13757c478bd9Sstevel@tonic-gate while : 13767c478bd9Sstevel@tonic-gate do 1377017e8b01Svl get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 13787c478bd9Sstevel@tonic-gate check_baseDN "$ANS" 13797c478bd9Sstevel@tonic-gate while [ $? -ne 0 ] 13807c478bd9Sstevel@tonic-gate do 13817c478bd9Sstevel@tonic-gate case "$ANS" in 13827c478bd9Sstevel@tonic-gate [Hh] | help | Help | \?) display_msg basedn_help ;; 13837c478bd9Sstevel@tonic-gate * ) ${ECHO} "Invalid base DN: \"${ANS}\"." 
13847c478bd9Sstevel@tonic-gate ;; 13857c478bd9Sstevel@tonic-gate esac 13867c478bd9Sstevel@tonic-gate 13877c478bd9Sstevel@tonic-gate # Re-Enter the BaseDN 1388017e8b01Svl get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}" 13897c478bd9Sstevel@tonic-gate check_baseDN "$ANS" 13907c478bd9Sstevel@tonic-gate done 13917c478bd9Sstevel@tonic-gate 1392017e8b01Svl # Set base DN and check its suffix 13937c478bd9Sstevel@tonic-gate LDAP_BASEDN=${ANS} 1394017e8b01Svl check_basedn_suffix || 1395017e8b01Svl { 1396017e8b01Svl cleanup 1397017e8b01Svl exit 1 1398017e8b01Svl } 13997c478bd9Sstevel@tonic-gate 1400017e8b01Svl # suffix may need to be created, in that case get suffix from user 1401017e8b01Svl [ -n "${NEED_CREATE_SUFFIX}" ] && 1402017e8b01Svl { 1403017e8b01Svl get_suffix || continue 1404017e8b01Svl } 1405017e8b01Svl 1406017e8b01Svl # suffix is ok, break out of the base dn inquire loop 1407017e8b01Svl break 14087c478bd9Sstevel@tonic-gate done 14097c478bd9Sstevel@tonic-gate} 14107c478bd9Sstevel@tonic-gate 1411dd1104fbSMichen Chang# 1412dd1104fbSMichen Chang# get_want_shadow_update(): Ask user if want to enable shadow update? 1413dd1104fbSMichen Chang# 1414dd1104fbSMichen Changget_want_shadow_update() 1415dd1104fbSMichen Chang{ 1416dd1104fbSMichen Chang MSG="Do you want to enable shadow update (y/n/h)?" 1417dd1104fbSMichen Chang get_confirm "$MSG" "n" "enable_shadow_update_help" 1418dd1104fbSMichen Chang if [ $? 
-eq 1 ]; then 1419dd1104fbSMichen Chang LDAP_ENABLE_SHADOW_UPDATE="TRUE" 1420dd1104fbSMichen Chang else 1421dd1104fbSMichen Chang LDAP_ENABLE_SHADOW_UPDATE="FALSE" 1422dd1104fbSMichen Chang fi 1423dd1104fbSMichen Chang} 1424dd1104fbSMichen Chang 1425cb5caa98Sdjlget_krb_realm() { 1426cb5caa98Sdjl 1427cb5caa98Sdjl # To upper cases 1428cb5caa98Sdjl LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'` 1429cb5caa98Sdjl get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM" 1430cb5caa98Sdjl # To upper cases 1431cb5caa98Sdjl LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'` 1432cb5caa98Sdjl} 1433cb5caa98Sdjl 1434cb5caa98Sdjl# $1: DN 1435cb5caa98Sdjl# $2: ldif file 1436cb5caa98Sdjladd_entry_by_DN() { 1437cb5caa98Sdjl 1438cb5caa98Sdjl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}" 1439cb5caa98Sdjl if [ $? -eq 0 ]; then 1440cb5caa98Sdjl ${ECHO} " ${1} already exists" 1441cb5caa98Sdjl return 0 1442cb5caa98Sdjl else 1443cb5caa98Sdjl ${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}" 1444cb5caa98Sdjl if [ $? -eq 0 ]; then 1445cb5caa98Sdjl ${ECHO} " ${1} is added" 1446cb5caa98Sdjl return 0 1447cb5caa98Sdjl else 1448cb5caa98Sdjl ${ECHO} " ERROR: failed to add ${1}" 1449cb5caa98Sdjl return 1 1450cb5caa98Sdjl fi 1451cb5caa98Sdjl fi 1452cb5caa98Sdjl 1453cb5caa98Sdjl} 1454cb5caa98Sdjl# 1455cb5caa98Sdjl# Kerberos princiapl to DN mapping rules 1456cb5caa98Sdjl# 1457cb5caa98Sdjl# Add rules for host credentails and user credentials 1458cb5caa98Sdjl# 1459cb5caa98Sdjladd_id_mapping_rules() { 1460cb5caa98Sdjl 1461cb5caa98Sdjl ${ECHO} " Adding Kerberos principal to DN mapping rules..." 
1462cb5caa98Sdjl 1463cb5caa98Sdjl _C_DN="cn=GSSAPI,cn=identity mapping,cn=config" 1464cb5caa98Sdjl ( cat << EOF 1465cb5caa98Sdjldn: cn=GSSAPI,cn=identity mapping,cn=config 1466cb5caa98SdjlobjectClass: top 1467cb5caa98SdjlobjectClass: nsContainer 1468cb5caa98Sdjlcn: GSSAPI 1469cb5caa98SdjlEOF 1470cb5caa98Sdjl) > ${TMPDIR}/GSSAPI_container.ldif 1471cb5caa98Sdjl 1472cb5caa98Sdjl add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif" 1473cb5caa98Sdjl if [ $? -ne 0 ]; 1474cb5caa98Sdjl then 1475cb5caa98Sdjl ${RM} ${TMPDIR}/GSSAPI_container.ldif 1476cb5caa98Sdjl return 1477cb5caa98Sdjl fi 1478cb5caa98Sdjl 1479cb5caa98Sdjl _H_CN="host_auth_${LDAP_KRB_REALM}" 1480cb5caa98Sdjl _H_DN="cn=${_H_CN}, ${_C_DN}" 1481cb5caa98Sdjl ( cat << EOF 1482cb5caa98Sdjldn: ${_H_DN} 1483cb5caa98SdjlobjectClass: top 1484cb5caa98SdjlobjectClass: nsContainer 1485cb5caa98SdjlobjectClass: dsIdentityMapping 1486cb5caa98SdjlobjectClass: dsPatternMatching 1487cb5caa98Sdjlcn: ${_H_CN} 1488cb5caa98SdjldsMatching-pattern: \${Principal} 1489cb5caa98SdjldsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM} 1490cb5caa98SdjldsSearchBaseDN: ou=hosts,${LDAP_BASEDN} 1491cb5caa98SdjldsSearchFilter: (&(objectClass=ipHost)(cn=\$1)) 1492cb5caa98SdjldsSearchScope: one 1493cb5caa98Sdjl 1494cb5caa98SdjlEOF 1495cb5caa98Sdjl) > ${TMPDIR}/${_H_CN}.ldif 1496cb5caa98Sdjl 1497cb5caa98Sdjl add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif" 1498cb5caa98Sdjl 1499cb5caa98Sdjl _U_CN="user_auth_${LDAP_KRB_REALM}" 1500cb5caa98Sdjl _U_DN="cn=${_U_CN}, ${_C_DN}" 1501cb5caa98Sdjl ( cat << EOF 1502cb5caa98Sdjldn: ${_U_DN} 1503cb5caa98SdjlobjectClass: top 1504cb5caa98SdjlobjectClass: nsContainer 1505cb5caa98SdjlobjectClass: dsIdentityMapping 1506cb5caa98SdjlobjectClass: dsPatternMatching 1507cb5caa98Sdjlcn: ${_U_CN} 1508cb5caa98SdjldsMatching-pattern: \${Principal} 1509cb5caa98SdjldsMatching-regexp: (.*)@${LDAP_KRB_REALM} 1510cb5caa98SdjldsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN} 1511cb5caa98Sdjl 1512cb5caa98SdjlEOF 
1513cb5caa98Sdjl) > ${TMPDIR}/${_U_CN}.ldif 1514cb5caa98Sdjl 1515cb5caa98Sdjl add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif" 1516cb5caa98Sdjl 1517cb5caa98Sdjl} 1518cb5caa98Sdjl 1519cb5caa98Sdjl 1520cb5caa98Sdjl# 1521cb5caa98Sdjl# Modify ACL to allow root to read all the password and only self can read 1522cb5caa98Sdjl# its own password when sasl/GSSAPI bind is used 15237c478bd9Sstevel@tonic-gate# 1524cb5caa98Sdjlmodify_userpassword_acl_for_gssapi() { 1525cb5caa98Sdjl 1526cb5caa98Sdjl _P_DN="ou=People,${LDAP_BASEDN}" 1527cb5caa98Sdjl _H_DN="ou=Hosts,${LDAP_BASEDN}" 1528cb5caa98Sdjl _P_ACI="self-read-pwd" 1529cb5caa98Sdjl 1530cb5caa98Sdjl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1" 1531cb5caa98Sdjl if [ $? -ne 0 ]; then 1532cb5caa98Sdjl ${ECHO} " ${_P_DN} does not exist" 1533cb5caa98Sdjl # Not Found. Create a new entry 1534cb5caa98Sdjl ( cat << EOF 1535cb5caa98Sdjldn: ${_P_DN} 1536cb5caa98Sdjlou: People 1537cb5caa98SdjlobjectClass: top 1538cb5caa98SdjlobjectClass: organizationalUnit 1539cb5caa98SdjlEOF 1540cb5caa98Sdjl) > ${TMPDIR}/gssapi_people.ldif 1541cb5caa98Sdjl 1542cb5caa98Sdjl add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif" 1543cb5caa98Sdjl else 1544cb5caa98Sdjl ${ECHO} " ${_P_DN} already exists" 1545cb5caa98Sdjl fi 1546cb5caa98Sdjl 1547cb5caa98Sdjl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1" 1548cb5caa98Sdjl 1549cb5caa98Sdjl if [ $? -eq 0 ]; then 1550cb5caa98Sdjl ${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1" 1551cb5caa98Sdjl if [ $? -eq 0 ]; then 1552cb5caa98Sdjl ${ECHO} " userpassword ACL ${_P_ACI} already exists." 1553cb5caa98Sdjl return 1554cb5caa98Sdjl else 1555cb5caa98Sdjl ${ECHO} " userpassword ACL ${_P_ACI} not found. Create a new one." 
1556cb5caa98Sdjl fi 1557cb5caa98Sdjl else 1558cb5caa98Sdjl ${ECHO} " Error searching aci for ${_P_DN}" 1559cb5caa98Sdjl cat ${TMPDIR}/chk_gssapi_aci 1560cb5caa98Sdjl cleanup 1561cb5caa98Sdjl exit 1 1562cb5caa98Sdjl fi 1563cb5caa98Sdjl ( cat << EOF 1564cb5caa98Sdjldn: ${_P_DN} 1565cb5caa98Sdjlchangetype: modify 1566cb5caa98Sdjladd: aci 1567cb5caa98Sdjlaci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";) 1568cb5caa98Sdjl- 1569cb5caa98Sdjladd: aci 1570cb5caa98Sdjlaci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";) 1571cb5caa98SdjlEOF 1572cb5caa98Sdjl) > ${TMPDIR}/user_gssapi.ldif 1573cb5caa98Sdjl LDAP_TYPE_OR_VALUE_EXISTS=20 1574cb5caa98Sdjl ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}" 1575cb5caa98Sdjl 1576cb5caa98Sdjl case $? in 1577cb5caa98Sdjl 0) 1578cb5caa98Sdjl ${ECHO} " ${_P_DN} uaserpassword ACL is updated." 1579cb5caa98Sdjl ;; 1580cb5caa98Sdjl 20) 1581cb5caa98Sdjl ${ECHO} " ${_P_DN} uaserpassword ACL already exists." 1582cb5caa98Sdjl ;; 1583cb5caa98Sdjl *) 1584cb5caa98Sdjl ${ECHO} " ERROR: update of userpassword ACL for ${_P_DN} failed!" 1585cb5caa98Sdjl cleanup 1586cb5caa98Sdjl exit 1 1587cb5caa98Sdjl ;; 1588cb5caa98Sdjl esac 1589cb5caa98Sdjl} 1590cb5caa98Sdjl# 1591cb5caa98Sdjl# $1: objectclass or attributetyp 1592cb5caa98Sdjl# $2: name 1593cb5caa98Sdjlsearch_update_schema() { 1594cb5caa98Sdjl 1595cb5caa98Sdjl ATTR="${1}es" 1596cb5caa98Sdjl 1597cb5caa98Sdjl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}" 1598cb5caa98Sdjl if [ $? -ne 0 ]; then 1599cb5caa98Sdjl ${ECHO} "${1} ${2} does not exist." 
1600cb5caa98Sdjl update_schema_attr 1601cb5caa98Sdjl update_schema_obj 1602cb5caa98Sdjl SCHEMA_UPDATED=1 1603cb5caa98Sdjl else 1604cb5caa98Sdjl ${ECHO} "${1} ${2} already exists. Schema has been updated" 1605cb5caa98Sdjl fi 1606cb5caa98Sdjl} 1607cb5caa98Sdjl 1608cb5caa98Sdjl# 1609cb5caa98Sdjl# $1: 1 - interactive, 0 - no 1610cb5caa98Sdjl# 1611cb5caa98Sdjlcreate_gssapi_profile() { 1612cb5caa98Sdjl 1613cb5caa98Sdjl 1614cb5caa98Sdjl if [ ${1} -eq 1 ]; then 1615cb5caa98Sdjl echo 1616cb5caa98Sdjl echo "You can create a sasl/GSSAPI enabled profile with default values now." 1617cb5caa98Sdjl get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n" 1618cb5caa98Sdjl 1619cb5caa98Sdjl if [ $? -eq 0 ]; then 1620cb5caa98Sdjl return 1621cb5caa98Sdjl fi 1622cb5caa98Sdjl fi 1623cb5caa98Sdjl 1624cb5caa98Sdjl # Add profile container if it does not exist 1625cb5caa98Sdjl eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1" 1626cb5caa98Sdjl if [ $? 
-ne 0 ]; then 1627cb5caa98Sdjl ( cat << EOF 1628cb5caa98Sdjldn: ou=profile,${LDAP_BASEDN} 1629cb5caa98Sdjlou: profile 1630cb5caa98SdjlobjectClass: top 1631cb5caa98SdjlobjectClass: organizationalUnit 1632cb5caa98SdjlEOF 1633cb5caa98Sdjl) > ${TMPDIR}/profile_people.ldif 1634cb5caa98Sdjl 1635cb5caa98Sdjl add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif" 1636cb5caa98Sdjl 1637cb5caa98Sdjl fi 1638cb5caa98Sdjl 1639cb5caa98Sdjl search_update_schema "objectclass" "DUAConfigProfile" 1640cb5caa98Sdjl 1641cb5caa98Sdjl _P_NAME="gssapi_${LDAP_KRB_REALM}" 1642cb5caa98Sdjl if [ ${1} -eq 1 ]; then 1643cb5caa98Sdjl _P_TMP=${LDAP_PROFILE_NAME} 1644cb5caa98Sdjl LDAP_PROFILE_NAME=${_P_NAME} 1645cb5caa98Sdjl get_profile_name 1646cb5caa98Sdjl LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME} 1647cb5caa98Sdjl LDAP_PROFILE_NAME=${_P_TMP} 1648cb5caa98Sdjl fi 1649cb5caa98Sdjl 1650cb5caa98Sdjl _P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}" 1651cb5caa98Sdjl if [ ${DEL_OLD_PROFILE} -eq 1 ]; then 1652cb5caa98Sdjl DEL_OLD_PROFILE=0 1653cb5caa98Sdjl ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}" 1654cb5caa98Sdjl fi 1655cb5caa98Sdjl 1656cb5caa98Sdjl _SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'` 1657cb5caa98Sdjl if [ ${IDS_PORT} -ne 389 ]; then 1658cb5caa98Sdjl _SVR="${_SVR}:${IDS_PORT}" 1659cb5caa98Sdjl fi 1660cb5caa98Sdjl 1661cb5caa98Sdjl (cat << EOF 1662cb5caa98Sdjldn: ${_P_DN} 1663cb5caa98SdjlobjectClass: top 1664cb5caa98SdjlobjectClass: DUAConfigProfile 1665cb5caa98SdjldefaultServerList: ${_SVR} 1666cb5caa98SdjldefaultSearchBase: ${LDAP_BASEDN} 1667cb5caa98SdjlauthenticationMethod: sasl/GSSAPI 1668cb5caa98SdjlfollowReferrals: ${LDAP_FOLLOWREF} 1669cb5caa98SdjldefaultSearchScope: ${LDAP_SEARCH_SCOPE} 1670cb5caa98SdjlsearchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT} 1671cb5caa98SdjlprofileTTL: ${LDAP_PROFILE_TTL} 1672cb5caa98Sdjlcn: ${LDAP_GSSAPI_PROFILE} 1673cb5caa98SdjlcredentialLevel: self 1674cb5caa98SdjlbindTimeLimit: ${LDAP_BIND_LIMIT} 
1675cb5caa98SdjlEOF 1676cb5caa98Sdjl) > ${TMPDIR}/gssapi_profile.ldif 1677cb5caa98Sdjl 1678cb5caa98Sdjl add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif" 1679cb5caa98Sdjl 1680cb5caa98Sdjl} 1681cb5caa98Sdjl# 1682cb5caa98Sdjl# Set up GSSAPI if necessary 1683cb5caa98Sdjl# 1684cb5caa98Sdjlgssapi_setup() { 1685cb5caa98Sdjl 1686dd1104fbSMichen Chang # assume sasl/GSSAPI is supported by the ldap server and may be used 1687dd1104fbSMichen Chang GSSAPI_AUTH_MAY_BE_USED=1 1688cb5caa98Sdjl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" 1689cb5caa98Sdjl if [ $? -ne 0 ]; then 1690dd1104fbSMichen Chang GSSAPI_AUTH_MAY_BE_USED=0 1691cb5caa98Sdjl ${ECHO} " sasl/GSSAPI is not supported by this LDAP server" 1692cb5caa98Sdjl return 1693cb5caa98Sdjl fi 1694cb5caa98Sdjl 1695cb5caa98Sdjl get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n" 1696cb5caa98Sdjl if [ $? -eq 0 ]; then 1697cb5caa98Sdjl ${ECHO} 1698cb5caa98Sdjl ${ECHO} "GSSAPI is not set up." 1699dd1104fbSMichen Chang ${ECHO} "sasl/GSSAPI bind may not work if it's not set up first." 1700cb5caa98Sdjl else 1701cb5caa98Sdjl get_krb_realm 1702cb5caa98Sdjl add_id_mapping_rules 1703cb5caa98Sdjl modify_userpassword_acl_for_gssapi 1704cb5caa98Sdjl create_gssapi_profile 1 1705cb5caa98Sdjl ${ECHO} 1706cb5caa98Sdjl ${ECHO} "GSSAPI setup is done." 1707cb5caa98Sdjl fi 1708cb5caa98Sdjl 1709cb5caa98Sdjl cat << EOF 1710cb5caa98Sdjl 1711cb5caa98SdjlYou can continue to create a profile and 1712cb5caa98Sdjlconfigure the LDAP server. 1713cb5caa98SdjlOr you can stop now. 1714cb5caa98Sdjl 1715cb5caa98SdjlEOF 1716cb5caa98Sdjl get_confirm "Do you want to stop:(y/n)" "n" 1717cb5caa98Sdjl if [ $? 
-eq 1 ]; then 1718cb5caa98Sdjl cleanup 1719cb5caa98Sdjl exit 1720cb5caa98Sdjl fi 1721cb5caa98Sdjl 1722cb5caa98Sdjl} 1723cb5caa98Sdjlgssapi_setup_auto() { 1724dd1104fbSMichen Chang GSSAPI_AUTH_MAY_BE_USED=0 1725cb5caa98Sdjl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}" 1726cb5caa98Sdjl if [ $? -ne 0 ]; then 1727cb5caa98Sdjl ${ECHO} 1728cb5caa98Sdjl ${ECHO} "sasl/GSSAPI is not supported by this LDAP server" 1729cb5caa98Sdjl ${ECHO} 1730cb5caa98Sdjl return 1731cb5caa98Sdjl fi 1732cb5caa98Sdjl if [ -z "${LDAP_KRB_REALM}" ]; then 1733cb5caa98Sdjl ${ECHO} 1734cb5caa98Sdjl ${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup." 1735cb5caa98Sdjl ${ECHO} "sasl/GSSAPI bind won't work properly." 1736cb5caa98Sdjl ${ECHO} 1737cb5caa98Sdjl return 1738cb5caa98Sdjl fi 1739dd1104fbSMichen Chang GSSAPI_AUTH_MAY_BE_USED=1 1740cb5caa98Sdjl if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then 1741cb5caa98Sdjl ${ECHO} 1742cb5caa98Sdjl ${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}" 1743cb5caa98Sdjl ${ECHO} 1744cb5caa98Sdjl LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}" 1745cb5caa98Sdjl fi 1746cb5caa98Sdjl add_id_mapping_rules 1747cb5caa98Sdjl modify_userpassword_acl_for_gssapi 1748cb5caa98Sdjl create_gssapi_profile 0 1749cb5caa98Sdjl} 17507c478bd9Sstevel@tonic-gate# get_profile_name(): Enter the profile name. 17517c478bd9Sstevel@tonic-gate# 17527c478bd9Sstevel@tonic-gateget_profile_name() 17537c478bd9Sstevel@tonic-gate{ 17547c478bd9Sstevel@tonic-gate # Reset Delete Old Profile since getting new profile name. 17557c478bd9Sstevel@tonic-gate DEL_OLD_PROFILE=0 17567c478bd9Sstevel@tonic-gate 17577c478bd9Sstevel@tonic-gate # Loop until valid profile name, or replace. 17587c478bd9Sstevel@tonic-gate while : 17597c478bd9Sstevel@tonic-gate do 17607c478bd9Sstevel@tonic-gate # Prompt for profile name. 
17617c478bd9Sstevel@tonic-gate get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME" 17627c478bd9Sstevel@tonic-gate 17637c478bd9Sstevel@tonic-gate # Check for Help. 17647c478bd9Sstevel@tonic-gate case "$ANS" in 17657c478bd9Sstevel@tonic-gate [Hh] | help | Help | \?) display_msg profile_help 17667c478bd9Sstevel@tonic-gate continue ;; 17677c478bd9Sstevel@tonic-gate * ) ;; 17687c478bd9Sstevel@tonic-gate esac 17697c478bd9Sstevel@tonic-gate 17707c478bd9Sstevel@tonic-gate # Search to see if profile name already exists. 17717c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 17727c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 1773dd1104fbSMichen Chang 1774dd1104fbSMichen Chang cat << EOF 1775dd1104fbSMichen Chang 1776dd1104fbSMichen ChangProfile '${ANS}' already exists, it is possible to enable 1777dd1104fbSMichen Changshadow update now. idsconfig will exit after shadow update 1778dd1104fbSMichen Changis enabled. You can also continue to overwrite the profile 1779dd1104fbSMichen Changor create a new one and be given the chance to enable 1780dd1104fbSMichen Changshadow update later. 1781dd1104fbSMichen Chang 1782dd1104fbSMichen ChangEOF 1783dd1104fbSMichen Chang 1784dd1104fbSMichen Chang MSG="Just enable shadow update (y/n/h)?" 1785dd1104fbSMichen Chang get_confirm "$MSG" "n" "enable_shadow_update_help" 1786dd1104fbSMichen Chang if [ $? -eq 1 ]; then 1787dd1104fbSMichen Chang [ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update" 1788dd1104fbSMichen Chang LDAP_ENABLE_SHADOW_UPDATE=TRUE 1789dd1104fbSMichen Chang # display alternate messages 1790dd1104fbSMichen Chang EXISTING_PROFILE=1 1791dd1104fbSMichen Chang # Set Profile Name. 1792dd1104fbSMichen Chang LDAP_PROFILE_NAME=$ANS 1793dd1104fbSMichen Chang return 0 # set up credentials for shadow update. 
1794dd1104fbSMichen Chang fi 1795dd1104fbSMichen Chang 1796dd1104fbSMichen Chang get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?" 17977c478bd9Sstevel@tonic-gate if [ $? -eq 1 ]; then 17987c478bd9Sstevel@tonic-gate DEL_OLD_PROFILE=1 17997c478bd9Sstevel@tonic-gate return 0 # Replace old profile name. 18007c478bd9Sstevel@tonic-gate else 18017c478bd9Sstevel@tonic-gate ${ECHO} "Please re-enter a new profile name." 18027c478bd9Sstevel@tonic-gate fi 18037c478bd9Sstevel@tonic-gate else 18047c478bd9Sstevel@tonic-gate break # Unique profile name. 18057c478bd9Sstevel@tonic-gate fi 18067c478bd9Sstevel@tonic-gate done 18077c478bd9Sstevel@tonic-gate 18087c478bd9Sstevel@tonic-gate # Set Profile Name. 18097c478bd9Sstevel@tonic-gate LDAP_PROFILE_NAME=$ANS 18107c478bd9Sstevel@tonic-gate} 18117c478bd9Sstevel@tonic-gate 18127c478bd9Sstevel@tonic-gate 18137c478bd9Sstevel@tonic-gate# 18147c478bd9Sstevel@tonic-gate# get_srv_list(): Get the default server list. 18157c478bd9Sstevel@tonic-gate# 18167c478bd9Sstevel@tonic-gateget_srv_list() 18177c478bd9Sstevel@tonic-gate{ 18187c478bd9Sstevel@tonic-gate # If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone. 18197c478bd9Sstevel@tonic-gate if [ -z "${LDAP_SERVER_LIST}" ]; then 18207c478bd9Sstevel@tonic-gate LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'` 18217c478bd9Sstevel@tonic-gate if [ ${IDS_PORT} -ne 389 ]; then 18227c478bd9Sstevel@tonic-gate LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}" 18237c478bd9Sstevel@tonic-gate fi 18247c478bd9Sstevel@tonic-gate fi 18257c478bd9Sstevel@tonic-gate 18267c478bd9Sstevel@tonic-gate # Prompt for new LDAP_SERVER_LIST. 18277c478bd9Sstevel@tonic-gate while : 18287c478bd9Sstevel@tonic-gate do 18297c478bd9Sstevel@tonic-gate get_ans "Default server list (h=help):" $LDAP_SERVER_LIST 18307c478bd9Sstevel@tonic-gate 18317c478bd9Sstevel@tonic-gate # If help continue, otherwise break. 
18327c478bd9Sstevel@tonic-gate case "$ANS" in 18337c478bd9Sstevel@tonic-gate [Hh] | help | Help | \?) display_msg def_srvlist_help ;; 18347c478bd9Sstevel@tonic-gate * ) break ;; 18357c478bd9Sstevel@tonic-gate esac 18367c478bd9Sstevel@tonic-gate done 18377c478bd9Sstevel@tonic-gate LDAP_SERVER_LIST=$ANS 18387c478bd9Sstevel@tonic-gate} 18397c478bd9Sstevel@tonic-gate 18407c478bd9Sstevel@tonic-gate 18417c478bd9Sstevel@tonic-gate# 18427c478bd9Sstevel@tonic-gate# get_pref_srv(): The preferred server list (Overrides the server list) 18437c478bd9Sstevel@tonic-gate# 18447c478bd9Sstevel@tonic-gateget_pref_srv() 18457c478bd9Sstevel@tonic-gate{ 18467c478bd9Sstevel@tonic-gate while : 18477c478bd9Sstevel@tonic-gate do 18487c478bd9Sstevel@tonic-gate get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST 18497c478bd9Sstevel@tonic-gate 18507c478bd9Sstevel@tonic-gate # If help continue, otherwise break. 18517c478bd9Sstevel@tonic-gate case "$ANS" in 18527c478bd9Sstevel@tonic-gate [Hh] | help | Help | \?) display_msg pref_srvlist_help ;; 18537c478bd9Sstevel@tonic-gate * ) break ;; 18547c478bd9Sstevel@tonic-gate esac 18557c478bd9Sstevel@tonic-gate done 18567c478bd9Sstevel@tonic-gate LDAP_PREF_SRVLIST=$ANS 18577c478bd9Sstevel@tonic-gate} 18587c478bd9Sstevel@tonic-gate 18597c478bd9Sstevel@tonic-gate 18607c478bd9Sstevel@tonic-gate# 18617c478bd9Sstevel@tonic-gate# get_search_scope(): Get the search scope from the user. 
18627c478bd9Sstevel@tonic-gate# 18637c478bd9Sstevel@tonic-gateget_search_scope() 18647c478bd9Sstevel@tonic-gate{ 18657c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()" 18667c478bd9Sstevel@tonic-gate 18677c478bd9Sstevel@tonic-gate _MENU_CHOICE=0 18687c478bd9Sstevel@tonic-gate while : 18697c478bd9Sstevel@tonic-gate do 18707c478bd9Sstevel@tonic-gate get_ans "Choose desired search scope (one, sub, h=help): " "one" 18717c478bd9Sstevel@tonic-gate _MENU_CHOICE=$ANS 18727c478bd9Sstevel@tonic-gate case "$_MENU_CHOICE" in 18737c478bd9Sstevel@tonic-gate one) LDAP_SEARCH_SCOPE="one" 18747c478bd9Sstevel@tonic-gate return 1 ;; 18757c478bd9Sstevel@tonic-gate sub) LDAP_SEARCH_SCOPE="sub" 18767c478bd9Sstevel@tonic-gate return 2 ;; 18777c478bd9Sstevel@tonic-gate h) display_msg srch_scope_help ;; 18787c478bd9Sstevel@tonic-gate *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;; 18797c478bd9Sstevel@tonic-gate esac 18807c478bd9Sstevel@tonic-gate done 18817c478bd9Sstevel@tonic-gate 18827c478bd9Sstevel@tonic-gate} 18837c478bd9Sstevel@tonic-gate 18847c478bd9Sstevel@tonic-gate 18857c478bd9Sstevel@tonic-gate# 18867c478bd9Sstevel@tonic-gate# get_cred_level(): Function to display menu to user and get the 18877c478bd9Sstevel@tonic-gate# credential level. 
18887c478bd9Sstevel@tonic-gate# 18897c478bd9Sstevel@tonic-gateget_cred_level() 18907c478bd9Sstevel@tonic-gate{ 18917c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()" 18927c478bd9Sstevel@tonic-gate 18937c478bd9Sstevel@tonic-gate _MENU_CHOICE=0 18947c478bd9Sstevel@tonic-gate display_msg cred_level_menu 18957c478bd9Sstevel@tonic-gate while : 18967c478bd9Sstevel@tonic-gate do 18977c478bd9Sstevel@tonic-gate get_ans "Choose Credential level [h=help]:" "1" 18987c478bd9Sstevel@tonic-gate _MENU_CHOICE=$ANS 18997c478bd9Sstevel@tonic-gate case "$_MENU_CHOICE" in 19007c478bd9Sstevel@tonic-gate 1) LDAP_CRED_LEVEL="anonymous" 19017c478bd9Sstevel@tonic-gate return 1 ;; 19027c478bd9Sstevel@tonic-gate 2) LDAP_CRED_LEVEL="proxy" 19037c478bd9Sstevel@tonic-gate return 2 ;; 19047c478bd9Sstevel@tonic-gate 3) LDAP_CRED_LEVEL="proxy anonymous" 19057c478bd9Sstevel@tonic-gate return 3 ;; 1906cb5caa98Sdjl 4) LDAP_CRED_LEVEL="self" 1907cb5caa98Sdjl SELF_GSSAPI=1 1908cb5caa98Sdjl return 4 ;; 1909cb5caa98Sdjl 5) LDAP_CRED_LEVEL="self proxy" 1910cb5caa98Sdjl SELF_GSSAPI=1 1911cb5caa98Sdjl return 5 ;; 1912cb5caa98Sdjl 6) LDAP_CRED_LEVEL="self proxy anonymous" 1913cb5caa98Sdjl SELF_GSSAPI=1 1914cb5caa98Sdjl return 6 ;; 19157c478bd9Sstevel@tonic-gate h) display_msg cred_lvl_help ;; 1916cb5caa98Sdjl *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;; 19177c478bd9Sstevel@tonic-gate esac 19187c478bd9Sstevel@tonic-gate done 19197c478bd9Sstevel@tonic-gate} 19207c478bd9Sstevel@tonic-gate 19217c478bd9Sstevel@tonic-gate 19227c478bd9Sstevel@tonic-gate# 19237c478bd9Sstevel@tonic-gate# srvauth_menu_handler(): Enter the Service Authentication method. 19247c478bd9Sstevel@tonic-gate# 19257c478bd9Sstevel@tonic-gatesrvauth_menu_handler() 19267c478bd9Sstevel@tonic-gate{ 19277c478bd9Sstevel@tonic-gate # Display Auth menu 19287c478bd9Sstevel@tonic-gate display_msg srvauth_method_menu 19297c478bd9Sstevel@tonic-gate 19307c478bd9Sstevel@tonic-gate # Get a Valid choice. 
19317c478bd9Sstevel@tonic-gate while : 19327c478bd9Sstevel@tonic-gate do 19337c478bd9Sstevel@tonic-gate # Display appropriate prompt and get answer. 19347c478bd9Sstevel@tonic-gate if [ $_FIRST -eq 1 ]; then 19357c478bd9Sstevel@tonic-gate get_ans "Choose Service Authentication Method:" "1" 19367c478bd9Sstevel@tonic-gate else 19377c478bd9Sstevel@tonic-gate get_ans "Choose Service Authentication Method (0=reset):" 19387c478bd9Sstevel@tonic-gate fi 19397c478bd9Sstevel@tonic-gate 19407c478bd9Sstevel@tonic-gate # Determine choice. 19417c478bd9Sstevel@tonic-gate _MENU_CHOICE=$ANS 19427c478bd9Sstevel@tonic-gate case "$_MENU_CHOICE" in 19437c478bd9Sstevel@tonic-gate 1) _AUTHMETHOD="simple" 19447c478bd9Sstevel@tonic-gate break ;; 19457c478bd9Sstevel@tonic-gate 2) _AUTHMETHOD="sasl/DIGEST-MD5" 19467c478bd9Sstevel@tonic-gate break ;; 19477c478bd9Sstevel@tonic-gate 3) _AUTHMETHOD="tls:simple" 19487c478bd9Sstevel@tonic-gate break ;; 19497c478bd9Sstevel@tonic-gate 4) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 19507c478bd9Sstevel@tonic-gate break ;; 1951cb5caa98Sdjl 5) _AUTHMETHOD="sasl/GSSAPI" 1952cb5caa98Sdjl break ;; 19537c478bd9Sstevel@tonic-gate 0) _AUTHMETHOD="" 19547c478bd9Sstevel@tonic-gate _FIRST=1 19557c478bd9Sstevel@tonic-gate break ;; 1956cb5caa98Sdjl *) ${ECHO} "Please enter 1-5 or 0 to reset." ;; 19577c478bd9Sstevel@tonic-gate esac 19587c478bd9Sstevel@tonic-gate done 19597c478bd9Sstevel@tonic-gate} 19607c478bd9Sstevel@tonic-gate 19617c478bd9Sstevel@tonic-gate 19627c478bd9Sstevel@tonic-gate# 19637c478bd9Sstevel@tonic-gate# auth_menu_handler(): Enter the Authentication method. 19647c478bd9Sstevel@tonic-gate# 19657c478bd9Sstevel@tonic-gateauth_menu_handler() 19667c478bd9Sstevel@tonic-gate{ 19677c478bd9Sstevel@tonic-gate # Display Auth menu 19687c478bd9Sstevel@tonic-gate display_msg auth_method_menu 19697c478bd9Sstevel@tonic-gate 19707c478bd9Sstevel@tonic-gate # Get a Valid choice. 
19717c478bd9Sstevel@tonic-gate while : 19727c478bd9Sstevel@tonic-gate do 19737c478bd9Sstevel@tonic-gate # Display appropriate prompt and get answer. 19747c478bd9Sstevel@tonic-gate if [ $_FIRST -eq 1 ]; then 19757c478bd9Sstevel@tonic-gate get_ans "Choose Authentication Method (h=help):" "1" 19767c478bd9Sstevel@tonic-gate else 19777c478bd9Sstevel@tonic-gate get_ans "Choose Authentication Method (0=reset, h=help):" 19787c478bd9Sstevel@tonic-gate fi 19797c478bd9Sstevel@tonic-gate 19807c478bd9Sstevel@tonic-gate # Determine choice. 19817c478bd9Sstevel@tonic-gate _MENU_CHOICE=$ANS 19827c478bd9Sstevel@tonic-gate case "$_MENU_CHOICE" in 19837c478bd9Sstevel@tonic-gate 1) _AUTHMETHOD="none" 19847c478bd9Sstevel@tonic-gate break ;; 19857c478bd9Sstevel@tonic-gate 2) _AUTHMETHOD="simple" 19867c478bd9Sstevel@tonic-gate break ;; 19877c478bd9Sstevel@tonic-gate 3) _AUTHMETHOD="sasl/DIGEST-MD5" 19887c478bd9Sstevel@tonic-gate break ;; 19897c478bd9Sstevel@tonic-gate 4) _AUTHMETHOD="tls:simple" 19907c478bd9Sstevel@tonic-gate break ;; 19917c478bd9Sstevel@tonic-gate 5) _AUTHMETHOD="tls:sasl/DIGEST-MD5" 19927c478bd9Sstevel@tonic-gate break ;; 1993cb5caa98Sdjl 6) _AUTHMETHOD="sasl/GSSAPI" 1994cb5caa98Sdjl break ;; 19957c478bd9Sstevel@tonic-gate 0) _AUTHMETHOD="" 19967c478bd9Sstevel@tonic-gate _FIRST=1 19977c478bd9Sstevel@tonic-gate break ;; 19987c478bd9Sstevel@tonic-gate h) display_msg auth_help ;; 1999cb5caa98Sdjl *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;; 20007c478bd9Sstevel@tonic-gate esac 20017c478bd9Sstevel@tonic-gate done 20027c478bd9Sstevel@tonic-gate} 20037c478bd9Sstevel@tonic-gate 20047c478bd9Sstevel@tonic-gate 20057c478bd9Sstevel@tonic-gate# 20067c478bd9Sstevel@tonic-gate# get_auth(): Enter the Authentication method. 
20077c478bd9Sstevel@tonic-gate# 20087c478bd9Sstevel@tonic-gateget_auth() 20097c478bd9Sstevel@tonic-gate{ 20107c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()" 20117c478bd9Sstevel@tonic-gate 20127c478bd9Sstevel@tonic-gate _FIRST=1 # Flag for first time. 20137c478bd9Sstevel@tonic-gate _MENU_CHOICE=0 20147c478bd9Sstevel@tonic-gate _AUTHMETHOD="" # Tmp method. 20157c478bd9Sstevel@tonic-gate 20167c478bd9Sstevel@tonic-gate while : 20177c478bd9Sstevel@tonic-gate do 20187c478bd9Sstevel@tonic-gate # Call Menu handler 20197c478bd9Sstevel@tonic-gate auth_menu_handler 20207c478bd9Sstevel@tonic-gate 20217c478bd9Sstevel@tonic-gate # Add Auth Method to list. 20227c478bd9Sstevel@tonic-gate if [ $_FIRST -eq 1 ]; then 20237c478bd9Sstevel@tonic-gate LDAP_AUTHMETHOD="${_AUTHMETHOD}" 20247c478bd9Sstevel@tonic-gate _FIRST=0 20257c478bd9Sstevel@tonic-gate else 20267c478bd9Sstevel@tonic-gate LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" 20277c478bd9Sstevel@tonic-gate fi 20287c478bd9Sstevel@tonic-gate 20297c478bd9Sstevel@tonic-gate # Display current Authentication Method. 20307c478bd9Sstevel@tonic-gate ${ECHO} "" 20317c478bd9Sstevel@tonic-gate ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}" 20327c478bd9Sstevel@tonic-gate ${ECHO} "" 20337c478bd9Sstevel@tonic-gate 20347c478bd9Sstevel@tonic-gate # Prompt for another Auth Method, or break out. 20357c478bd9Sstevel@tonic-gate get_confirm_nodef "Do you want to add another Authentication Method?" 20367c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 20377c478bd9Sstevel@tonic-gate break; 20387c478bd9Sstevel@tonic-gate fi 20397c478bd9Sstevel@tonic-gate done 20407c478bd9Sstevel@tonic-gate} 20417c478bd9Sstevel@tonic-gate 20427c478bd9Sstevel@tonic-gate 20437c478bd9Sstevel@tonic-gate# 20447c478bd9Sstevel@tonic-gate# get_followref(): Whether or not to follow referrals. 
#
get_followref()
{
	# Ask whether clients should chase LDAP referrals (default "n").
	# get_confirm() reports "yes" with exit status 1; only that maps to
	# TRUE, every other status leaves referral chasing off.
	get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
	case $? in
	1)	LDAP_FOLLOWREF="TRUE" ;;
	*)	LDAP_FOLLOWREF="FALSE" ;;
	esac
}


#
# get_timelimit(): Set the time limit.  -1 is max time.
#
get_timelimit()
{
	# Read the server's current nsslapd-timelimit from cn=config so the
	# prompt can show it.  LDAP_ARGS is assembled elsewhere; if it passes
	# a bind password as a command-line argument it is visible to ps(1)
	# for the lifetime of ldapsearch -- NOTE(review): confirm how
	# LDAP_ARGS is built.
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${TMPDIR}/chk_timeout 2>&1" || {
		${ECHO} " ERROR: Could not reach LDAP server to check current timeout!"
		cleanup
		exit 1
	}
	# Keep whatever follows the first '=' on the matching output line.
	CURR_TIMELIMIT=`${GREP} timelimit ${TMPDIR}/chk_timeout | cut -d= -f2`

	# -1 (the default) is the maximum time.
	get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
	IDS_TIMELIMIT=$NUM
}


#
# get_sizelimit(): Set the size limit.  -1 is max size.
#
get_sizelimit()
{
	# Read the server's current nsslapd-sizelimit from cn=config so the
	# prompt can show it (same credential caveat as get_timelimit()).
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${TMPDIR}/chk_sizelimit 2>&1" || {
		${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!"
		cleanup
		exit 1
	}
	# Keep whatever follows the first '=' on the matching output line.
	CURR_SIZELIMIT=`${GREP} sizelimit ${TMPDIR}/chk_sizelimit | cut -d= -f2`

	# -1 (the default) is the maximum size.
	get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
	IDS_SIZELIMIT=$NUM
}


#
# get_want_crypt(): Ask user if want to store passwords in crypt?
#
get_want_crypt()
{
	# Default is "n"; only a "yes" (status 1 from get_confirm()) selects
	# crypt-format password storage.
	get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
	case $? in
	1)	NEED_CRYPT="TRUE" ;;
	*)	NEED_CRYPT="FALSE" ;;
	esac
}


#
# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
#
# NOTE: This function is based on get_auth().
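#
get_srv_authMethod_pam()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"

	_FIRST=1		# Flag for first time (read by srvauth_menu_handler).
	_MENU_CHOICE=0
	_AUTHMETHOD=""		# Tmp method.
	LDAP_SRV_AUTHMETHOD_PAM=""	# Always rebuilt from the menu answers.

	while :
	do
		# Call Menu handler.  It leaves the chosen method in
		# _AUTHMETHOD, or "" (and _FIRST=1) when the user picked reset.
		srvauth_menu_handler

		# Add Auth Method to list.  The first method in an empty list
		# carries the "pam_ldap:" service prefix; further ones are
		# appended with ';'.  Testing the list rather than _FIRST also
		# covers the first method entered after a reset, which was
		# previously appended to the empty list as ";method" with no
		# service prefix at all.
		if [ "$_AUTHMETHOD" = "" ]; then
			LDAP_SRV_AUTHMETHOD_PAM=""
		elif [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
			LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
		else
			LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}"
		fi
		_FIRST=0

		# Display current Authentication Method.
		${ECHO} ""
		${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
		${ECHO} ""

		# Prompt for another Auth Method, or break out.
		get_confirm_nodef "Do you want to add another Authentication Method?"
		if [ $? -eq 0 ]; then
			break;
		fi
	done

	# Check in case user reset string and exited loop.
	if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
		NEED_SRVAUTH_PAM=0
	fi
}


#
# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
#
# NOTE: This function is based on get_auth().
#
get_srv_authMethod_key()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"

	_FIRST=1		# Flag for first time (read by srvauth_menu_handler).
	_MENU_CHOICE=0
	_AUTHMETHOD=""		# Tmp method.
	LDAP_SRV_AUTHMETHOD_KEY=""	# Always rebuilt from the menu answers.

	while :
	do
		# Call Menu handler.  It leaves the chosen method in
		# _AUTHMETHOD, or "" (and _FIRST=1) when the user picked reset.
		srvauth_menu_handler

		# Add Auth Method to list.  The first method in an empty list
		# carries the "keyserv:" service prefix; further ones are
		# appended with ';'.  Testing the list rather than _FIRST also
		# covers the first method entered after a reset, which was
		# previously appended to the empty list as ";method" with no
		# service prefix at all.
		if [ "$_AUTHMETHOD" = "" ]; then
			LDAP_SRV_AUTHMETHOD_KEY=""
		elif [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
			LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
		else
			LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}"
		fi
		_FIRST=0

		# Display current Authentication Method.
		${ECHO} ""
		${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
		${ECHO} ""

		# Prompt for another Auth Method, or break out.
		get_confirm_nodef "Do you want to add another Authentication Method?"
		if [ $? -eq 0 ]; then
			break;
		fi
	done

	# Check in case user reset string and exited loop.
	if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
		NEED_SRVAUTH_KEY=0
	fi
}


#
# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
#
# NOTE: This function is based on get_auth().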
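#
get_srv_authMethod_cmd()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"

	_FIRST=1		# Flag for first time (read by srvauth_menu_handler).
	_MENU_CHOICE=0
	_AUTHMETHOD=""		# Tmp method.
	LDAP_SRV_AUTHMETHOD_CMD=""	# Always rebuilt from the menu answers.

	while :
	do
		# Call Menu handler.  It leaves the chosen method in
		# _AUTHMETHOD, or "" (and _FIRST=1) when the user picked reset.
		srvauth_menu_handler

		# Add Auth Method to list.  The first method in an empty list
		# carries the "passwd-cmd:" service prefix; further ones are
		# appended with ';'.  Testing the list rather than _FIRST also
		# covers the first method entered after a reset, which was
		# previously appended to the empty list as ";method" with no
		# service prefix at all.
		if [ "$_AUTHMETHOD" = "" ]; then
			LDAP_SRV_AUTHMETHOD_CMD=""
		elif [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
			LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
		else
			LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}"
		fi
		_FIRST=0

		# Display current Authentication Method.
		${ECHO} ""
		${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
		${ECHO} ""

		# Prompt for another Auth Method, or break out.
		get_confirm_nodef "Do you want to add another Authentication Method?"
		if [ $? -eq 0 ]; then
			break;
		fi
	done

	# Check in case user reset string and exited loop.
	if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
		NEED_SRVAUTH_CMD=0
	fi
}


#
# get_srch_time(): Amount of time to search.
#
get_srch_time()
{
	# Current value is offered as the default; -1 is accepted by
	# get_negone_num().
	get_negone_num "Client search time limit in seconds (h=help):" "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
	LDAP_SEARCH_TIME_LIMIT=$NUM
}


#
# get_prof_ttl(): The profile time to live (TTL)
#
get_prof_ttl()
{
	# Current value is offered as the default.
	get_negone_num "Profile Time To Live in seconds (h=help):" "$LDAP_PROFILE_TTL" "profttl_help"
	LDAP_PROFILE_TTL=$NUM
}


#
# get_bind_limit(): Bind time limit
#
get_bind_limit()
{
	# Current value is offered as the default.
	get_negone_num "Bind time limit in seconds (h=help):" "$LDAP_BIND_LIMIT" "bindlim_help"
	LDAP_BIND_LIMIT=$NUM
}
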
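######################################################################
# FUNCTIONS FOR Service Search Descriptor's START HERE.
######################################################################
#
# SSD_FILE holds one descriptor per line in the form "id:base?scope".
# Every lookup below anchors on "^id:" so that one service id can never
# match (or delete) another descriptor that merely contains the same text.


#
# add_ssd(): Get SSD's from user and add to file.
#
add_ssd()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"

	# Enter the service id.  Loop til unique (case-insensitive).
	while :
	do
		get_ans "Enter the service id:"
		_SERV_ID=$ANS

		# Grep for name existing.  Any non-match (including grep
		# failing because the file is not there yet) lets the id
		# through; a hit prints the error and re-prompts.
		${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
		if [ $? -ne 0 ]; then
			break
		fi

		# Name exists, print message, let user decide.
		${ECHO} "ERROR: Service id ${ANS} already exists."
	done

	get_ans "Enter the base:"
	_BASE=$ANS

	# Get the scope and verify that its one or sub (any case).
	while :
	do
		get_ans "Enter the scope:"
		_SCOPE=$ANS
		case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
		one|sub)	break ;;
		*)	${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
		esac
	done

	# Build SSD and append it to the file.
	_SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
	${ECHO} "${_SSD}" >> ${SSD_FILE}
}


#
# delete_ssd(): Delete a SSD from the list.
#
delete_ssd()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"

	# Get service id name from user for SSD to delete.
	get_ans_req "Enter service id to delete:"

	# Make sure service id exists.  Match the whole "id:" prefix, as
	# add_ssd()/modify_ssd() do, instead of an unanchored substring:
	# the old unanchored match would also have removed every other SSD
	# whose id or base happened to contain the entered text.
	${GREP} "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		${ECHO} "Invalid service id: $ANS not present in list."
		return
	fi

	# Create temporary back SSD file.
	cp ${SSD_FILE} ${SSD_FILE}.bak
	if [ $? -ne 0 ]; then
		${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
		cleanup
		exit 1
	fi

	# Use ${GREP} to remove the SSD.  Read from the backup
	# and write to the orig file.
	${GREP} -v "^$ANS:" ${SSD_FILE}.bak > ${SSD_FILE}
}


#
# modify_ssd(): Allow user to modify a SSD.
#
modify_ssd()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"

	# Prompt user for service id.
	get_ans_req "Enter service id to modify:"

	# Put into temp _LINE.
	_LINE=`${GREP} "^$ANS:" ${SSD_FILE}`
	if [ "$_LINE" = "" ]; then
		${ECHO} "Invalid service id: $ANS"
		return
	fi

	# Display current filter for user to see.
	${ECHO} ""
	${ECHO} "Current SSD: $_LINE"
	${ECHO} ""

	# Get the defaults out of "id:base?scope".
	_CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
	_CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`

	# New Entry.  Gather it completely before touching the file, so an
	# interrupted prompt does not leave the SSD deleted.
	_SERV_ID=$ANS
	get_ans_req "Enter the base:" "$_CURR_BASE"
	_BASE=$ANS

	# Validate the scope the same way add_ssd() does; previously any
	# text was accepted here and written into the profile unchecked.
	while :
	do
		get_ans_req "Enter the scope:" "$_CURR_SCOPE"
		_SCOPE=$ANS
		case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
		one|sub)	break ;;
		*)	${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
		esac
	done

	# Create temporary back SSD file.
	cp ${SSD_FILE} ${SSD_FILE}.bak
	if [ $? -ne 0 ]; then
		${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
		cleanup
		exit 1
	fi

	# Remove the old line, then append the rebuilt SSD.
	${GREP} -v "^${_SERV_ID}:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
	_SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
	${ECHO} "${_SSD}" >> ${SSD_FILE}
}


#
# display_ssd(): Display the current SSD list.
#
display_ssd()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"

	${ECHO} ""
	${ECHO} "Current Service Search Descriptors:"
	${ECHO} "=================================="
	cat ${SSD_FILE}
	${ECHO} ""
	# Pause so the list stays on screen until the user is done.
	${ECHO} "Hit return to continue."
	read __A
}


#
# prompt_ssd(): Get SSD's from user.
#
prompt_ssd()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"
	# See if user wants SSD's?  A "no" (status 0) returns at once.
	get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
	[ "$?" -eq 0 ] && return

	# Display menu for SSD choices until the user quits.
	while :
	do
		display_msg prompt_ssd_menu
		get_ans "Enter menu choice:" "Quit"
		case "$ANS" in
		[Aa] | add)		add_ssd ;;
		[Dd] | delete)		delete_ssd ;;
		[Mm] | modify)		modify_ssd ;;
		[Pp] | print | display)	display_ssd ;;
		[Xx] | reset | clear)	reset_ssd_file ;;
		[Hh] | Help | help)	display_msg ssd_menu_help
					${ECHO} " Press return to continue."
					read __A ;;
		[Qq] | Quit | quit)	return ;;
		*)  ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
		esac
	done
}


#
# reset_ssd_file(): Blank out current SSD file.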
24697c478bd9Sstevel@tonic-gate# 24707c478bd9Sstevel@tonic-gatereset_ssd_file() 24717c478bd9Sstevel@tonic-gate{ 24727c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()" 24737c478bd9Sstevel@tonic-gate 24747c478bd9Sstevel@tonic-gate rm -f ${SSD_FILE} 24757c478bd9Sstevel@tonic-gate touch ${SSD_FILE} 24767c478bd9Sstevel@tonic-gate} 24777c478bd9Sstevel@tonic-gate 24787c478bd9Sstevel@tonic-gate 24797c478bd9Sstevel@tonic-gate# 24807c478bd9Sstevel@tonic-gate# create_ssd_file(): Create a temporary file for SSD's. 24817c478bd9Sstevel@tonic-gate# 24827c478bd9Sstevel@tonic-gatecreate_ssd_file() 24837c478bd9Sstevel@tonic-gate{ 24847c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()" 24857c478bd9Sstevel@tonic-gate 24867c478bd9Sstevel@tonic-gate # Build a list of SSD's and store in temp file. 24877c478bd9Sstevel@tonic-gate ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} | \ 24887c478bd9Sstevel@tonic-gate sed 's/LDAP_SERV_SRCH_DES=//' \ 24897c478bd9Sstevel@tonic-gate > ${SSD_FILE} 24907c478bd9Sstevel@tonic-gate} 24917c478bd9Sstevel@tonic-gate 24927c478bd9Sstevel@tonic-gate 24937c478bd9Sstevel@tonic-gate# 24947c478bd9Sstevel@tonic-gate# ssd_2_config(): Append the SSD file to the output file. 24957c478bd9Sstevel@tonic-gate# 24967c478bd9Sstevel@tonic-gatessd_2_config() 24977c478bd9Sstevel@tonic-gate{ 24987c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()" 24997c478bd9Sstevel@tonic-gate 25007c478bd9Sstevel@tonic-gate # Convert to config file format using sed. 25017c478bd9Sstevel@tonic-gate sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE} 25027c478bd9Sstevel@tonic-gate} 25037c478bd9Sstevel@tonic-gate 25047c478bd9Sstevel@tonic-gate 25057c478bd9Sstevel@tonic-gate# 25067c478bd9Sstevel@tonic-gate# ssd_2_profile(): Add SSD's to the GEN_CMD string. 
25077c478bd9Sstevel@tonic-gate# 25087c478bd9Sstevel@tonic-gatessd_2_profile() 25097c478bd9Sstevel@tonic-gate{ 25107c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()" 25117c478bd9Sstevel@tonic-gate 25127c478bd9Sstevel@tonic-gate GEN_TMPFILE=${TMPDIR}/ssd_tmpfile 25137c478bd9Sstevel@tonic-gate touch ${GEN_TMPFILE} 25147c478bd9Sstevel@tonic-gate 25157c478bd9Sstevel@tonic-gate # Add and convert each SSD to string. 25167c478bd9Sstevel@tonic-gate while read SSD_LINE 25177c478bd9Sstevel@tonic-gate do 25187c478bd9Sstevel@tonic-gate ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE} 25197c478bd9Sstevel@tonic-gate done <${SSD_FILE} 25207c478bd9Sstevel@tonic-gate 25217c478bd9Sstevel@tonic-gate # Add SSD's to GEN_CMD. 25227c478bd9Sstevel@tonic-gate GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`" 25237c478bd9Sstevel@tonic-gate} 25247c478bd9Sstevel@tonic-gate 2525dd1104fbSMichen Chang# 2526dd1104fbSMichen Chang# get_adminDN(): Get the admin DN. 2527dd1104fbSMichen Chang# 2528dd1104fbSMichen Changget_adminDN() 2529dd1104fbSMichen Chang{ 2530dd1104fbSMichen Chang LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}" # default 2531dd1104fbSMichen Chang get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN" 2532dd1104fbSMichen Chang LDAP_ADMINDN=$ANS 2533dd1104fbSMichen Chang [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN" 2534dd1104fbSMichen Chang} 2535dd1104fbSMichen Chang 2536dd1104fbSMichen Chang# 2537dd1104fbSMichen Chang# get_admin_pw(): Get the admin passwd. 
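#
get_admin_pw()
{
	get_passwd "Enter passwd for the administrator:"
	LDAP_ADMIN_CRED=$ANS
	# Never print the credential itself, even in debug mode: debug
	# output goes to the terminal and is easily captured in logs or
	# scrollback.  Just confirm it was set.
	[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = (set, not shown)"
}

#
# add_admin(): Add an admin entry for nameservice for updating shadow data.
#
add_admin()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()"

	# Check if the admin user already exists.
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}"
	if [ $? -eq 0 ]; then
		MSG="Administrator ${LDAP_ADMINDN} already exists."
		if [ $EXISTING_PROFILE -eq 1 ]; then
			${ECHO} "  NOT ADDED: $MSG"
		else
			${ECHO} "  ${STEP}. $MSG"
			STEP=`expr $STEP + 1`
		fi
		return 0
	fi

	# Get cn and sn names from LDAP_ADMINDN (value of its first RDN).
	cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=`

	# Create the tmp file to add.  It carries the cleartext password, so
	# remove any stale copy first (umask only governs creation) and
	# create it under a private umask; the subshell keeps the umask
	# change local.  NOTE(review): LDIF requires base64 ("::") for a
	# value that starts with ' ', ':' or '<' or is not plain ASCII; such
	# passwords are written verbatim here and would be stored mangled.
	${RM} -f ${TMPDIR}/admin
	( umask 077; cat > ${TMPDIR}/admin <<EOF
dn: ${LDAP_ADMINDN}
cn: ${cn_tmp}
sn: ${cn_tmp}
objectclass: top
objectclass: person
userpassword: ${LDAP_ADMIN_CRED}
EOF
	)

	# Add the entry.  Remove the password-bearing file on both paths.
	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/admin ${VERB}"
	if [ $? -ne 0 ]; then
		${RM} -f ${TMPDIR}/admin
		${ECHO} "  ERROR: Adding administrator identity failed!"
		cleanup
		exit 1
	fi

	${RM} -f ${TMPDIR}/admin

	# Display message that the administrator identity is added.
	MSG="Administrator identity ${LDAP_ADMINDN}"
	if [ $EXISTING_PROFILE -eq 1 ]; then
		${ECHO} "  ADDED: $MSG."
	else
		${ECHO} "  ${STEP}. $MSG added."
		STEP=`expr $STEP + 1`
	fi
}

#
# allow_admin_read_write_shadow(): Give Admin read/write permission
# to shadow data.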
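#
allow_admin_read_write_shadow()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_read_write_shadow()"

	# Set ACI Name
	ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write"

	# Search for ACI_NAME.  Bail out if the current ACIs cannot be read
	# (as get_timelimit() does for cn=config): concluding "not there,
	# add it" from an empty or error-only result would add the ACI
	# blind and skip the stale-ACI removal below.
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \
	    -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "  ERROR: Could not reach LDAP server to check current ACIs!"
		cleanup
		exit 1
	fi

	# If an ACI with ${ADMIN_ACI_NAME} and "write,compare,read,search"
	# and ${LDAP_ADMINDN} already exists, we are done.  This is a regex
	# substring match over the raw search output with the DN used
	# unescaped; regex metacharacters in the DN (e.g. '+', '(') would
	# make it miss -- NOTE(review): confirm the DN alphabet in use.
	${EGREP} ".*${ADMIN_ACI_NAME}.*write,compare,read,search.*${LDAP_ADMINDN}.*" \
	    ${TMPDIR}/chk_adminwrite_aci > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}."
		if [ $EXISTING_PROFILE -eq 1 ]; then
			${ECHO} "  NOT SET: $MSG"
		else
			${ECHO} "  ${STEP}. $MSG"
			STEP=`expr $STEP + 1`
		fi
		return 0
	fi

	# If an ACI with ${ADMIN_ACI_NAME} and "(write)" and ${LDAP_ADMINDN}
	# already exists (presumably a write-only form left by an earlier
	# run), delete it first.
	find_and_delete_ACI ".*${ADMIN_ACI_NAME}.*(write).*${LDAP_ADMINDN}.*" \
	    ${TMPDIR}/chk_adminwrite_aci ${ADMIN_ACI_NAME}

	# Create the tmp file to add.  The aci value is written on one line
	# (no LDIF folding), like the host ACI.  This grants the admin
	# identity read/write on userPassword and the shadow attributes of
	# every entry under LDAP_BASEDN, so that DN's password deserves the
	# same protection as Directory Manager's.
	( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${ADMIN_ACI_NAME}; allow (write,compare,read,search) userdn = "ldap:///${LDAP_ADMINDN}";)
EOF
) > ${TMPDIR}/admin_write

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} "  ERROR: Allow ${LDAP_ADMINDN} read/write access to shadow data failed!"
		cleanup
		exit 1
	fi

	${RM} -f ${TMPDIR}/admin_write
	# Display message that the administrator ACL is set.
	MSG="Give ${LDAP_ADMINDN} read/write access to shadow data."
	if [ $EXISTING_PROFILE -eq 1 ]; then
		${ECHO} "  ACI SET: $MSG"
	else
		${ECHO} "  ${STEP}. $MSG"
		STEP=`expr $STEP + 1`
	fi
}

#
# allow_host_read_write_shadow(): Give host principal read/write permission
# for shadow data.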
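#
allow_host_read_write_shadow()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_read_write_shadow()"

    # Set ACI Name
    HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write"

    # Search for ACI_NAME.
    # NOTE(review): unlike allow_admin_read_write_shadow(), an existing
    # ACI is detected by name alone, so an older ACI of that name that
    # grants fewer rights is kept as-is.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1"
    ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}."
        if [ $EXISTING_PROFILE -eq 1 ]; then
            ${ECHO} " NOT ADDED: $MSG"
        else
            ${ECHO} " ${STEP}. $MSG"
            STEP=`expr $STEP + 1`
        fi
        return 0
    fi

    # Create the tmp file to add.  The ACI only applies to SASL/GSSAPI
    # binds whose bind DN lies under ou=Hosts, i.e. host principals.
    ( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (write,compare,read,search) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
EOF
) > ${TMPDIR}/host_read_write

    # Add the entry.
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_read_write ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!"
        cleanup
        exit 1
    fi

    ${RM} -f ${TMPDIR}/host_read_write
    MSG="Give host principal read/write permission for shadow."
    if [ $EXISTING_PROFILE -eq 1 ]; then
        ${ECHO} " ACI SET: $MSG"
    else
        ${ECHO} " ${STEP}. $MSG"
        STEP=`expr $STEP + 1`
    fi
}

#
# setup_shadow_update(): Set up shadow update for an existing profile.
#                        When GSSAPI may be used and the profile has
#                        authenticationMethod GSSAPI with credentialLevel
#                        self, offer the host principal; otherwise offer
#                        to add an administrator identity.
#
setup_shadow_update() {
    [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()"

    # get content of the profile
    PROFILE_OUT=${TMPDIR}/prof_tmpfile
    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1"
    ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist"
        ${RM} -f ${PROFILE_OUT}
        return
    fi

    # Search to see if authenticationMethod has 'GSSAPI' and
    # credentialLevel has 'self'.  If so, ask to use the
    # host principal for shadow update
    if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
        if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1
        then
            if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1
            then
                NEED_HOSTACL=1
            fi
        fi
    fi

    # The profile dump is no longer needed on any path.  (It used to be
    # removed only when GSSAPI_AUTH_MAY_BE_USED was set, and was left
    # behind in ${TMPDIR} otherwise.)
    ${RM} -f ${PROFILE_OUT}

    if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"

        if [ $NEED_HOSTACL -eq 1 ]; then
            MSG="Use host principal for shadow data update (y/n/h)?"
            get_confirm "$MSG" "y" "use_host_principal_help"
            if [ $? -eq 1 ]; then
                delete_proxy_read_pw
                allow_host_read_write_shadow
                deny_non_host_shadow_access
                ${ECHO} ""
                ${ECHO} " Shadow update has been enabled."
            else
                ${ECHO} ""
                ${ECHO} " Shadow update may not work."
            fi
            return
        fi
    fi

    MSG="Add the administrator identity (y/n/h)?"
    get_confirm "$MSG" "y" "add_admin_cred_help"
    if [ $? -eq 1 ]; then
        get_adminDN
        get_admin_pw
        add_admin
        delete_proxy_read_pw
        allow_admin_read_write_shadow
        deny_non_admin_shadow_access
        ${ECHO} ""
        ${ECHO} " Shadow update has been enabled."
        return
    fi

    ${ECHO} " No administrator identity specified, shadow update may not work."
}


#
# prompt_config_info(): This function prompts the user for the config
#                       info that is not specified in the input file.
#                       When LDAP_ENABLE_SHADOW_UPDATE is TRUE the run
#                       is limited to setup_shadow_update() and exits.
#
prompt_config_info()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"

    # Prompt for iDS server name.
    get_ids_server

    # Prompt for iDS port number.
    get_ids_port

    # Check iDS version for compatibility.
    chk_ids_version

    # Check if the server supports the VLV.
    chk_vlv_indexes

    # Get the Directory manager DN and passwd.
    get_dirmgr_dn
    get_dirmgr_pw

    #
    # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
    # (i.e. The fields that show up in the profile.)
    #
    get_domain "domain_help"

    get_basedn

    gssapi_setup

    get_profile_name

    # Shadow-update-only run: configure it on the existing profile
    # and stop; none of the remaining profile prompts apply.
    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then
        setup_shadow_update
        cleanup
        exit 0
    fi

    get_srv_list
    get_pref_srv
    get_search_scope

    # If cred is "anonymous", make auth == "none"
    get_cred_level
    if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
        get_auth
    fi

    get_followref

    # Query user about timelimt.
    get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
    NEED_TIME=$?
    [ $NEED_TIME -eq 1 ] && get_timelimit

    # Query user about sizelimit.
    get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
    NEED_SIZE=$?
    [ $NEED_SIZE -eq 1 ] && get_sizelimit

    # Does the user want to store passwords in crypt format?
    get_want_crypt

    # Prompt for any Service Authentication Methods?
    get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
    if [ $? -eq 1 ]; then
        # Does the user want to set Service Authentication Method for pam_ldap?
        get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
        NEED_SRVAUTH_PAM=$?
        [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam

        # Does the user want to set Service Authentication Method for keyserv?
        get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
        NEED_SRVAUTH_KEY=$?
        [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key

        # Does the user want to set Service Authentication Method for passwd-cmd?
        get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
        NEED_SRVAUTH_CMD=$?
        [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
    fi


    # Get Timeouts
    get_srch_time
    get_prof_ttl
    get_bind_limit

    # Ask whether to enable shadow update
    get_want_shadow_update

    # Reset the sdd_file and prompt user for SSD.  Will use menus
    # to build an SSD File.
    reset_ssd_file
    prompt_ssd

    # Display FULL debugging info.
    disp_full_debug

    # Extra blank line to separate prompt lines from steps.
    ${ECHO} " "
}


######################################################################
# FUNCTIONS FOR display_summary() START HERE.
######################################################################


#
# get_proxyagent(): Get the proxyagent DN.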
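#
get_proxyagent()
{
    LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}"   # default
    get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
    LDAP_PROXYAGENT=$ANS
}


#
# get_proxy_pw(): Get the proxyagent passwd.
#
get_proxy_pw()
{
    get_passwd "Enter passwd for proxyagent:"
    LDAP_PROXYAGENT_CRED=$ANS
}

#
# display_summary(): Display a summary of values entered and let the
#                    user modify values at will.
#
display_summary()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"

    # Create lookup table for function names.  First entry is dummy for
    # shift.  The table holds 21 words, so menu choices 1-20 select
    # entries 1-20 via "shift".
    TBL1="dummy"
    TBL2="get_domain get_basedn get_profile_name"
    TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
    TBL4="get_auth get_followref"
    TBL5="get_timelimit get_sizelimit get_want_crypt"
    TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
    TBL7="get_srch_time get_prof_ttl get_bind_limit"
    TBL8="get_want_shadow_update"
    TBL9="prompt_ssd"
    FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9"

    # Since menu prompt string is long, set here.
    _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)"

    # Infinite loop.  Test for 0, and break in loop.
    while :
    do
        # Display menu and get value in range.
        display_msg summary_menu
        get_menu_choice "${_MENU_PROMPT}" "0" "20" "0"
        _CH=$MN_CH

        # Make sure where not exiting.
        if [ $_CH -eq 0 ]; then
            break   # Break out of loop if 0 selected.
        fi

        # Call appropriate function from function table.  "set" makes
        # the table the positional parameters; "shift" by the menu
        # number leaves the chosen function name in $1.
        set $FUNC_TBL
        shift $_CH
        $1   # Call the appropriate function.
    done

    # If cred level is still see if user wants a change?
    if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
    then
        if [ "$LDAP_AUTHMETHOD" != "none" ]; then
            NEED_PROXY=1   # I assume integer test is faster?
            get_proxyagent
            get_proxy_pw
        else
            ${ECHO} "WARNING: Since Authentication method is 'none'."
            ${ECHO} " Credential level will be set to 'anonymous'."
            LDAP_CRED_LEVEL="anonymous"
        fi
    fi

    # If shadow update is enabled, set up administrator credential.
    # With credential level "self" and GSSAPI auth the host principal
    # is used instead, so no administrator identity is prompted for.
    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then
        NEED_ADMIN=1
        if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then
            if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then
                NEED_HOSTACL=1
                NEED_ADMIN=0
            fi
        fi
        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN"
        if [ $NEED_ADMIN -eq 1 ]; then
            get_adminDN
            get_admin_pw
        fi
    fi

    # Display FULL debugging info.
    disp_full_debug

    # Final confirmation message.  (ARE YOU SURE!)
    ${ECHO} " "
    get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
    if [ $? -eq 0 ]; then
        ${ECHO} "Terminating setup without making changes at users request."
        cleanup
        exit 1
    fi

    # Print newline
    ${ECHO} " "
}


#
# create_config_file(): Write config data to config file specified.
#                       The file is a shell fragment holding, among
#                       others, the Directory Manager, proxy agent and
#                       administrator credentials in clear text.
#
create_config_file()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"

    # If output file exists, delete it.
    [ -f "$OUTPUT_FILE" ] && rm "$OUTPUT_FILE"

    # Because the file carries credentials, create it readable by the
    # owner only.  The file was removed above, so the restricted umask
    # governs the mode of the newly created file; the ">>" appends
    # below keep that mode.
    _OLD_UMASK=`umask`
    umask 077

    # Create output file.
    # NOTE(review): LDAP_ROOTPWD, LDAP_PROXYAGENT_CRED and
    # LDAP_ADMIN_CRED are written unquoted, so a value containing
    # whitespace or shell metacharacters will not round-trip when the
    # file is loaded; kept as-is for compatibility with the loader.
    cat > "$OUTPUT_FILE" <<EOF
#!/bin/sh
# $OUTPUT_FILE - This file contains configuration information for
# Native LDAP. Use the idsconfig tool to load it.
#
# WARNING: This file was generated by idsconfig, and is intended to
# be loaded by idsconfig as is. DO NOT EDIT THIS FILE!
#
IDS_SERVER="$IDS_SERVER"
IDS_PORT=$IDS_PORT
IDS_TIMELIMIT=$IDS_TIMELIMIT
IDS_SIZELIMIT=$IDS_SIZELIMIT
LDAP_ROOTDN="$LDAP_ROOTDN"
LDAP_ROOTPWD=$LDAP_ROOTPWD
LDAP_DOMAIN="$LDAP_DOMAIN"
LDAP_SUFFIX="$LDAP_SUFFIX"
LDAP_KRB_REALM="$LDAP_KRB_REALM"
LDAP_GSSAPI_PROFILE="$LDAP_GSSAPI_PROFILE"

# Internal program variables that need to be set.
NEED_PROXY=$NEED_PROXY
NEED_TIME=$NEED_TIME
NEED_SIZE=$NEED_SIZE
NEED_CRYPT=$NEED_CRYPT
NEED_ADMIN=$NEED_ADMIN
NEED_HOSTACL=$NEED_HOSTACL
EXISTING_PROFILE=$EXISTING_PROFILE

# LDAP PROFILE related defaults
LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
DEL_OLD_PROFILE=1
LDAP_BASEDN="$LDAP_BASEDN"
LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
LDAP_FOLLOWREF=$LDAP_FOLLOWREF
LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT

# Proxy Agent
LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED

# enableShadowUpdate flag and Administrator credential
LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE
LDAP_ADMINDN="$LDAP_ADMINDN"
LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED

# Export all the variables (just in case)
export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
export NEED_PROXY
export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
export LDAP_SERV_SRCH_DES SSD_FILE LDAP_KRB_REALM LDAP_GSSAPI_PROFILE

# Service Search Descriptors start here if present:
EOF
    umask ${_OLD_UMASK}

    # Add service search descriptors.
    ssd_2_config "${OUTPUT_FILE}"

    # Add LDAP suffix preferences
    print_suffix_config >> "${OUTPUT_FILE}"

    # Add the end of FILE tag.
    ${ECHO} "" >> "${OUTPUT_FILE}"
    ${ECHO} "# End of $OUTPUT_FILE" >> "${OUTPUT_FILE}"
}


#
# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
#                    Exits the script when the VLV control OID is not
#                    advertised by the root DSE.
#
chk_vlv_indexes()
{
    # Anonymous root DSE search; the supported controls are listed there.
    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
    # 2.16.840.1.113730.3.4.9 is the VLV request control OID.  The dots
    # are regex wildcards to grep, which is harmless for this check.
    eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: VLV is not supported on LDAP server!"
        cleanup
        exit 1
    fi
    [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server."
}

#
# get_backend(): this function gets the relevant backend
#                (database) for LDAP_BASED.
# Description:   set IDS_DATABASE; exit on failure.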
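# Prerequisite:  LDAP_BASEDN and LDAP_SUFFIX are
#                valid.
#
# backend is retrieved from suffixes and subsuffixes
# defined under "cn=mapping tree,cn=config".  The
# nsslapd-state attribute of these suffixes entries
# is filled with either Backend, Disabled or referrals
# related values.  We only want those that have a true
# backend database to select the relevant backend.
#
get_backend()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"

    cur_suffix=${LDAP_BASEDN}
    prev_suffix=
    IDS_DATABASE=
    # Walk up from LDAP_BASEDN one RDN at a time.  cut(1) returns its
    # input unchanged once no ',' is left, so cur_suffix stops changing
    # at the last RDN and the loop terminates.
    while [ "${cur_suffix}" != "${prev_suffix}" ]
    do
        [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
        # NOTE(review): cur_suffix is spliced into an eval'd command
        # line; a DN containing '"' or '$' would break the quoting.
        eval "${LDAPSEARCH} ${LDAP_ARGS} " \
            "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
            "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
            "| ${GREP} 'nsslapd-backend=' " \
            "> ${TMPDIR}/ids_database_name 2>&1"
        NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
        case ${NUM_DBS} in
        0)  # not a suffix, or suffix not activated; try next.
            # Quoted so whitespace inside the DN is preserved.
            prev_suffix=${cur_suffix}
            cur_suffix=`${ECHO} "${cur_suffix}" | cut -f2- -d','`
            ;;
        1)  # suffix found; get database name
            IDS_DATABASE=`cut -d= -f2 ${TMPDIR}/ids_database_name`
            ;;
        *)  # can not handle more than one database per suffix
            ${ECHO} "ERROR: More than one database is configured "
            ${ECHO} " for $LDAP_SUFFIX!"
            ${ECHO} " $PROG can not configure suffixes where "
            ${ECHO} " more than one database is used for one suffix."
            cleanup
            exit 1
            ;;
        esac
        if [ -n "${IDS_DATABASE}" ]; then
            break
        fi
    done

    if [ -z "${IDS_DATABASE}" ]; then
        # should not happen, since LDAP_BASEDN is supposed to be valid
        ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
        ${ECHO} "Exiting."
        cleanup
        exit 1
    fi

    [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
}

#
# validate_suffix(): This function validates ${LDAP_SUFFIX}
#                    THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.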
#
validate_suffix()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"

    # An empty suffix can never be valid.
    if [ -z "${LDAP_SUFFIX}" ]; then
        ${ECHO} "Invalid suffix (null suffix)"
        cleanup
        exit 1
    fi

    # LDAP_BASEDN must equal LDAP_SUFFIX or lie underneath it.
    # Compare the lower-cased forms returned by format_string().
    format_string "${LDAP_BASEDN}"
    LOWER_BASEDN="${FMT_STR}"
    format_string "${LDAP_SUFFIX}"
    LOWER_SUFFIX="${FMT_STR}"

    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"

    if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
        # basename(1) strips the suffix only when it is a proper
        # trailing part of the name; an unchanged result means the
        # base DN does not end with the suffix.
        sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
        if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
            ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
            ${ECHO} "for Base DN ${LOWER_BASEDN}"
            cleanup
            exit 1
        fi
    fi

    # Check LDAP_SUFFIX does exist.  Any search failure is treated as
    # "suffix absent" and leads to the suffix creation steps below.
    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0

    # Well, suffix does not exist, try to prepare create it ...
    NEED_CREATE_SUFFIX=1
    if prep_create_sfx_entry; then
        :
    else
        cleanup
        exit 1
    fi

    if [ -n "${NEED_CREATE_BACKEND}" ]; then
        # try to use id attr value of the suffix as a database name
        IDS_DATABASE=${_VAL}
        prep_create_sfx_backend
        _sfx_rc=$?
        if [ ${_sfx_rc} -eq 1 ]; then
            # cann't use the name we want, so we can either exit or use
            # some another available name - doing the last ...
            IDS_DATABASE=${IDS_DATABASE_AVAIL}
        elif [ ${_sfx_rc} -eq 2 ]; then
            # unable to determine database name
            cleanup
            exit 1
        fi
    fi

    [ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE"
}

#
# validate_info(): This function validates the basic info collected
#                  So that some problems are caught right away.
#                  THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
#
validate_info()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"

    # Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
    # "-j" reads the bind password from a file rather than from argv.
    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
    export SERVER_ARGS

    # Check the Root DN and Root DN passwd.
32637c478bd9Sstevel@tonic-gate # Use eval instead of $EVAL because not part of setup. (validate) 32647c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1" 32657c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 32667c478bd9Sstevel@tonic-gate eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}" 32677c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 32687c478bd9Sstevel@tonic-gate ${ECHO} "ERROR: Root DN passwd is invalid." 32697c478bd9Sstevel@tonic-gate else 32707c478bd9Sstevel@tonic-gate ${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>." 32717c478bd9Sstevel@tonic-gate fi 32727c478bd9Sstevel@tonic-gate cleanup 32737c478bd9Sstevel@tonic-gate exit 1 32747c478bd9Sstevel@tonic-gate fi 32757c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK" 32767c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK" 32777c478bd9Sstevel@tonic-gate 32787c478bd9Sstevel@tonic-gate # Check if the server supports the VLV. 32797c478bd9Sstevel@tonic-gate chk_vlv_indexes 32807c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK" 32817c478bd9Sstevel@tonic-gate 32827c478bd9Sstevel@tonic-gate # Check LDAP suffix 32837c478bd9Sstevel@tonic-gate validate_suffix 32847c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... 
OK" 32857c478bd9Sstevel@tonic-gate} 32867c478bd9Sstevel@tonic-gate 32877c478bd9Sstevel@tonic-gate# 32887c478bd9Sstevel@tonic-gate# format_string(): take a string as argument and set FMT_STR 32897c478bd9Sstevel@tonic-gate# to be the same string formatted as follow: 32907c478bd9Sstevel@tonic-gate# - only lower case characters 32917c478bd9Sstevel@tonic-gate# - no unnecessary spaces around , and = 32927c478bd9Sstevel@tonic-gate# 32937c478bd9Sstevel@tonic-gateformat_string() 32947c478bd9Sstevel@tonic-gate{ 32957c478bd9Sstevel@tonic-gate FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' | 32967c478bd9Sstevel@tonic-gate sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'` 32977c478bd9Sstevel@tonic-gate} 32987c478bd9Sstevel@tonic-gate 3299017e8b01Svl# 3300017e8b01Svl# prepare for the suffix entry creation 3301017e8b01Svl# 3302017e8b01Svl# input : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix; 3303017e8b01Svl# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config. 3304017e8b01Svl# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created; 3305017e8b01Svl# _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value. 3306017e8b01Svl# return : 0 - success, otherwise error. 
#
# Also reads : DEBUG, ECHO, GREP, EVAL, LDAPSEARCH, LDAP_ARGS, VERB
# Also calls : format_string, get_objectclass (sets _ATTR_NAME),
#              display_msg, get_backend (sets IDS_DATABASE or exits)
#
prep_create_sfx_entry()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()"

	# check whether suffix corresponds to base dn
	# A leading ',' is prepended so that the suffix has to match whole
	# RDN components at the end of the (normalised) base DN.
	# NOTE(review): LDAP_SUFFIX is used as a grep pattern here, so regex
	# metacharacters in it would be interpreted; harmless for ordinary
	# dc=/o= suffixes, but it is a pattern match, not a string compare.
	format_string "${LDAP_BASEDN}"
	${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 ||
	{
		display_msg sfx_not_suitable
		return 1
	}

	# parse LDAP_SUFFIX
	# _RDN: first RDN of the suffix; _ATT/_VAL: its attribute and value.
	_RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1`
	_ATT=`${ECHO} "${_RDN}" | cut -d= -f1`
	_VAL=`${ECHO} "${_RDN}" | cut -d= -f2-`

	# find out an objectclass for suffix entry if it is not defined yet
	[ -z "${LDAP_SUFFIX_OBJ}" ] &&
	{
		get_objectclass ${_ATT}
		[ -z "${_ATTR_NAME}" ] &&
		{
			display_msg obj_not_found
			return 1
		}
		LDAP_SUFFIX_OBJ=${_ATTR_NAME}
	}
	[ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}"

	# find out an aci for suffix entry if it is not defined yet
	[ -z "${LDAP_SUFFIX_ACI}" ] &&
	{
		# set Directory Server default aci
		# What this default grants on the new suffix:
		#  - anyone (incl. anonymous) may read/search/compare every
		#    attribute except the password/lockout ones listed;
		#  - a user may write its own entry except aci, nsroledn, the
		#    resource-limit attributes and the password-policy state;
		#  - the configuration administrator and the Configuration
		#    Administrators group get all rights.
		# These values are emitted verbatim into the suffix entry by
		# add_suffix(); a deployment-specific ACI can be supplied via
		# LDAP_SUFFIX_ACI from the config file instead.
		# Continuation lines start with a single space (LDIF folding).
		LDAP_SUFFIX_ACI=`cat <<EOF
aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime
 || passwordExpWarned || passwordRetryCount || retryCountResetTime ||
 accountUnlockTime || passwordAllowChangeTime")
 (
 version 3.0;
 acl "Anonymous access";
 allow (read, search, compare) userdn = "ldap:///anyone";
 )
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
 retryCountResetTime || accountUnlockTime || passwordHistory ||
 passwordAllowChangeTime")
 (
 version 3.0;
 acl "Allow self entry modification except for some attributes";
 allow (write) userdn = "ldap:///self";
 )
aci: (targetattr = "*")
 (
 version 3.0;
 acl "Configuration Administrator";
 allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
 ou=TopologyManagement,o=NetscapeRoot";
 )
aci: (targetattr ="*")
 (
 version 3.0;
 acl "Configuration Administrators Group";
 allow (all) groupdn = "ldap:///cn=Configuration Administrators,
 ou=Groups,ou=TopologyManagement,o=NetscapeRoot";
 )
EOF
`
	}
	[ $DEBUG -eq 1 ] && cat <<EOF
DEBUG: ACI for ${LDAP_SUFFIX} is
${LDAP_SUFFIX_ACI}
EOF

	NEED_CREATE_BACKEND=

	# check the suffix mapping tree ...
	# if mapping exists, suffix should work, otherwise DS inconsistent
	# NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work
	#       in case of 'cn' value in LDAP is not quoted by '"',
	#       -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases
	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
		-b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \
		-s base 'objectclass=*' dn ${VERB}" &&
	{
		[ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists"
		# get_backend() either gets IDS_DATABASE or exits
		get_backend
		return 0
	}

	# no suffix mapping, just in case check ldbm backends consistency -
	# there are must be NO any databases pointing to LDAP_SUFFIX
	# Any output at all from the search means a backend already claims
	# this suffix without a mapping-tree entry: refuse rather than
	# create a second one.
	[ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \
		-b 'cn=ldbm database,cn=plugins,cn=config' \
		-s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] &&
	{
		display_msg sfx_config_incons
		return 1
	}

	# ok, no suffix mapping, no ldbm database
	[ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..."
	NEED_CREATE_BACKEND=1
	return 0
}

#
# prepare for the suffix backend creation
#
# input  : IDS_DATABASE - requested ldbm db name (must be not null)
# in/out : IDS_DATABASE_AVAIL - available ldbm db name
# return : 0 - ldbm db name ok
#          1 - IDS_DATABASE exists,
#              so IDS_DATABASE_AVAIL contains available name
#          2 - unable to find any available name
#
# Also reads : DEBUG, ECHO, GREP, EVAL, LDAPSEARCH, LDAP_ARGS
# Scratch globals: _LDBM_DBS, _i, _i_MAX, _name
#
prep_create_sfx_backend()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()"

	# check if requested name available
	# (a previous call already established this name as free)
	[ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0

	# get the list of database names start with a requested name
	# NOTE(review): this 2>/dev/null sits outside the backquotes, so it
	# redirects the (silent) assignment rather than ldapsearch's stderr;
	# to actually suppress the tool's errors it would have to be part of
	# the quoted command. Behaviour left unchanged here.
	_LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
		-b 'cn=ldbm database,cn=plugins,cn=config' \
		-s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null

	# find available db name based on a requested name
	# First try the bare name (_i empty), then name1 .. name9.
	# The grep is case-insensitive because the 'cn' values returned by
	# the server may not match the requested name's case.
	_i=""; _i_MAX=10
	while [ ${_i:-0} -lt ${_i_MAX} ]
	do
		_name="${IDS_DATABASE}${_i}"
		${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 ||
		{
			IDS_DATABASE_AVAIL="${_name}"
			break
		}
		_i=`expr ${_i:-0} + 1`
	done

	[ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0

	# Requested name is taken but an alternative was found.
	[ -n "${IDS_DATABASE_AVAIL}" ] &&
	{
		display_msg ldbm_db_exist
		return 1
	}

	display_msg unable_find_db_name
	return 2
}

#
# add suffix if needed,
# suffix entry and backend MUST be prepared by
# prep_create_sfx_entry and prep_create_sfx_backend correspondingly
#
# input  : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL
#          LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE
# return : 0 - suffix successfully created, otherwise error occured
#
# Also reads : DEBUG, ECHO, EVAL, LDAPADD, LDAP_ARGS, VERB, STEP
# Also writes: STEP (incremented once per object created)
# The LDIF is fed to ldapadd on stdin through unquoted here-documents,
# so every ${...} above is expanded verbatim into the directory data.
#
add_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()"

	# Nothing to do unless validate_suffix()/check_basedn_suffix()
	# decided that the suffix is missing.
	[ -n "${NEED_CREATE_SUFFIX}" ] || return 0

	[ -n "${NEED_CREATE_BACKEND}" ] &&
	{
		# Two entries in one ldapadd run: the mapping-tree node that
		# routes the suffix to a backend, and the ldbm backend instance
		# itself. The mapping-tree cn is quoted because the suffix
		# contains '=' and ','.
		${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: ${LDAP_SUFFIX}
nsslapd-state: backend
nsslapd-backend: ${IDS_DATABASE}

dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: ${IDS_DATABASE}
nsslapd-suffix: ${LDAP_SUFFIX}
EOF
		[ $? -ne 0 ] &&
		{
			display_msg create_ldbm_db_error
			return 1
		}

		${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created"
		STEP=`expr $STEP + 1`
	}

	# The suffix (root) entry itself, with the ACI prepared earlier;
	# LDAP_SUFFIX_ACI may be several 'aci:' lines and is inserted as-is.
	${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
dn: ${LDAP_SUFFIX}
objectclass: ${LDAP_SUFFIX_OBJ}
${_ATT}: ${_VAL}
${LDAP_SUFFIX_ACI}
EOF
	[ $? -ne 0 ] &&
	{
		display_msg create_suffix_entry_error
		return 1
	}

	${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created"
	STEP=`expr $STEP + 1`
	return 0
}

#
# interactively get suffix and related info from a user
#
# input  : LDAP_BASEDN - Base DN
# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value;
#          LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci;
#          NEED_CREATE_BACKEND - tells whether backend needs to be created;
#          IDS_DATABASE - prepared ldbm db name
# return : 0 - user gave a correct suffix
#          1 - suffix given by user cann't be created
#
# Also reads : DEBUG, ECHO, ANS (set by get_ans), IDS_DATABASE_AVAIL
# Also writes: IDS_DATABASE_AVAIL, reenter_suffix
# Loops until the user supplies a suffix that prep_create_sfx_entry()
# accepts (and, if a backend is needed, a database name that
# prep_create_sfx_backend() accepts) or goes back.
#
get_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()"

	while :
	do
		# NOTE(review): LDAP_BASEDN is passed unquoted as the default
		# answer, so a base DN containing spaces would be split into
		# several arguments of get_ans - confirm get_ans() only uses $2.
		get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN}
		case "${ANS}" in
		[Hh] | Help | help | \? ) display_msg create_suffix_help ;;
		[Bb] | Back | back | \< ) return 1 ;;
		* )
			format_string "${ANS}"
			LDAP_SUFFIX=${FMT_STR}
			# On failure a message was already shown; ask again.
			prep_create_sfx_entry || continue

			[ -n "${NEED_CREATE_BACKEND}" ] &&
			{
				IDS_DATABASE_AVAIL= # reset the available db name

				reenter_suffix=
				while :
				do
					# Default: a free name found on a previous attempt,
					# else the value part of the suffix's first RDN.
					get_ans "Enter ldbm database name (b=back/h=help):" \
						${IDS_DATABASE_AVAIL:-${_VAL}}
					case "${ANS}" in
					[Hh] | \? ) display_msg enter_ldbm_db_help ;;
					[Bb] | \< ) reenter_suffix=1; break ;;
					* )
						IDS_DATABASE="${ANS}"
						prep_create_sfx_backend && break
					esac
				done
				# 'continue' here restarts the outer suffix prompt.
				[ -n "${reenter_suffix}" ] && continue

				[ $DEBUG -eq 1 ] && cat <<EOF
DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE}
EOF
			}

			# eventually everything is prepared
			return 0
			;;
		esac
	done
}

#
# print out a script which sets LDAP suffix related preferences
#
# Writes shell assignments for IDS_DATABASE, LDAP_SUFFIX_OBJ and
# LDAP_SUFFIX_ACI to stdout (the caller decides the output file).
# The outer here-document is unquoted, so the current values are
# substituted; the inner EOF/backquotes are escaped so that the emitted
# script re-reads the multi-line ACI when it is later sourced.
# NOTE(review): values are emitted without escaping - a double quote or
# backquote inside IDS_DATABASE/LDAP_SUFFIX_OBJ, or a line matching
# 'EOF' inside the ACI, would break the generated script.
#
print_suffix_config()
{
	cat <<EOF2
# LDAP suffix related preferences used only if needed
IDS_DATABASE="${IDS_DATABASE}"
LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ"
LDAP_SUFFIX_ACI=\`cat <<EOF
${LDAP_SUFFIX_ACI}
EOF
\`
export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI
EOF2
}

#
# check_basedn_suffix(): check that there is an existing
# valid suffix to hold current base DN
# return:
#   0: valid suffix found or new one should be created,
#      NEED_CREATE_SUFFIX flag actually indicates that
#   1: some error occures
#
# Globals read   : LDAP_BASEDN, LDAP_SUFFIX_LIST (set by
#                  discover_serv_suffix), SERVER_ARGS, LDAPSEARCH,
#                  DEBUG, ECHO
# Globals written: NEED_CREATE_SUFFIX, LDAP_SUFFIX, IDS_DATABASE (via
#                  get_backend), plus scratch cur_ldap_entry,
#                  prev_ldap_entry, lower_entry, lower_suff, dcstmp, oIFS
#
check_basedn_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"

	NEED_CREATE_SUFFIX=

	# find out existing suffixes
	# NOTE(review): the return status of discover_serv_suffix() (1 when
	# no namingContexts were found) is not checked here; in that case
	# LDAP_SUFFIX_LIST keeps whatever value it had before.
	discover_serv_suffix

	${ECHO} " Validating LDAP Base DN and Suffix ..."

	# check that LDAP Base DN might be added
	# Walk up the DN one RDN at a time until a one-level search succeeds.
	# cut -f2- on a single-component DN returns it unchanged, so the loop
	# terminates with cur == prev once the top has been passed.
	# NOTE(review): this probe uses SERVER_ARGS only (no bind
	# credentials); on a server that denies anonymous search every probe
	# fails and the function reports "No valid suffixes" and requests
	# suffix creation - confirm that is the intended behaviour.
	cur_ldap_entry=${LDAP_BASEDN}
	prev_ldap_entry=
	while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
	do
		[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
		${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
			-s one "objectclass=*" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			break
		else
			prev_ldap_entry=${cur_ldap_entry}
			cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
		fi
	done

	if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
		${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}"

		NEED_CREATE_SUFFIX=1
		return 0

	else
		[ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"

		# Now looking for relevant suffix for this entry.
		# LDAP_SUFFIX will then be used to add necessary
		# base objects. See add_base_objects().
		format_string "${cur_ldap_entry}"
		lower_entry="${FMT_STR}"
		[ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
		oIFS=$IFS
		[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
		# LDAP_SUFFIX_LIST holds one suffix per line (see
		# discover_serv_suffix); split on newline only so that DNs
		# containing spaces stay intact.
		IFS='
'
		for suff in ${LDAP_SUFFIX_LIST}
		do
			[ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
			format_string "${suff}"
			lower_suff="${FMT_STR}"
			if [ "${lower_entry}" = "${lower_suff}" ]; then
				LDAP_SUFFIX="${suff}"
				break
			else
				# Same basename(1) trick as in validate_suffix():
				# unchanged result means the entry is not under
				# this suffix.
				dcstmp=`basename "${lower_entry}" "${lower_suff}"`
				if [ "${dcstmp}" = "${lower_entry}" ]; then
					# invalid suffix, try next one
					continue
				else
					# valid suffix found
					LDAP_SUFFIX="${suff}"
					break
				fi
			fi
		done
		[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
		IFS=$oIFS

		[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"

		if [ -z "${LDAP_SUFFIX}" ]; then
			# should not happen, since we found the entry
			${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
			${ECHO} "Exiting."
			return 1
		fi

		# Getting relevant database (backend)
		# IDS_DATABASE will then be used to create indexes.
		get_backend

		return 0
	fi
}

#
# discover_serv_suffix(): This function queries the server to find
# suffixes available
# return: 0: OK, suffix found
#         1: suffix not determined
#
# Globals read   : SERVER_ARGS, LDAPSEARCH, GREP, TMPDIR, DEBUG, ECHO
# Globals written: LDAP_SUFFIX_LIST (newline-separated suffixes), NUM_TOP
# Scratch files  : ${TMPDIR}/checkTOP, ${TMPDIR}/treeTOP
# The root DSE is read without credentials (SERVER_ARGS only).
#
discover_serv_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"

	# Search the server for the TOP of the TREE.
	# Keep the namingContexts lines, dropping the NetscapeRoot
	# configuration suffix.
	${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
	${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
		${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
	NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
	case $NUM_TOP in
	0)
		[ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree"
		return 1
		;;
	*) # build the list of suffixes; take out 'namingContexts=' in
	   # each line of ${TMPDIR}/treeTOP
	   # (substr from column 16 skips the 15-character prefix)
		LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
			awk '{ printf("%s\n",substr($0,16,length-15)) }'`
		;;
	esac

	[ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
	return 0
}


#
# modify_cn(): Change the cn from MUST to MAY in ipNetwork.
#
# Writes an LDIF modification to ${TMPDIR}/ipNetwork_cn and applies it
# with ${LDAPMODIFY}; exits the script (after cleanup) on failure.
# Globals read: DEBUG, ECHO, EVAL, LDAPMODIFY, LDAP_ARGS, TMPDIR, VERB
# The here-document is unquoted; the '$' characters in the objectclass
# definition are followed by a space and therefore stay literal.
#
modify_cn()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"

	( cat <<EOF
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ipNetworkNumber MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' )
EOF
) > ${TMPDIR}/ipNetwork_cn

	# Modify the cn for ipNetwork.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of cn for ipNetwork failed!"
		cleanup
		exit 1
	fi
}


# modify_timelimit(): Modify timelimit to user value.
#
# Replaces nsslapd-timelimit in cn=config with ${IDS_TIMELIMIT} via an
# LDIF file in ${TMPDIR}; exits (after cleanup) on failure and bumps the
# global STEP counter on success.
# Globals read: IDS_TIMELIMIT, STEP, DEBUG, ECHO, EVAL, LDAPMODIFY,
#               LDAP_ARGS, TMPDIR, VERB
#
modify_timelimit()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"

	# Here doc to modify timelimit.
	( cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-timelimit
nsslapd-timelimit: ${IDS_TIMELIMIT}
EOF
) > ${TMPDIR}/ids_timelimit

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of nsslapd-timelimit failed!"
		cleanup
		exit 1
	fi

	# Display messages for modifications made in patch.
	${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
	STEP=`expr $STEP + 1`
}


# modify_sizelimit(): Modify sizelimit to user value.
#
# Same pattern as modify_timelimit(), for nsslapd-sizelimit and
# ${IDS_SIZELIMIT}.
#
modify_sizelimit()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"

	# Here doc to modify sizelimit.
	( cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: ${IDS_SIZELIMIT}
EOF
) > ${TMPDIR}/ids_sizelimit

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of nsslapd-sizelimit failed!"
		cleanup
		exit 1
	fi

	# Display messages for modifications made in patch.
	${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
	STEP=`expr $STEP + 1`
}


# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
#
# Sets passwordstoragescheme to "crypt" on the server: under cn=config
# for DS 5.1 and earlier (IDS_MAJVER <= 5 and IDS_MINVER <= 1), under
# "cn=Password Policy,cn=config" otherwise. Exits (after cleanup) on
# failure; bumps STEP on success.
# Globals read: IDS_MAJVER, IDS_MINVER, STEP, DEBUG, ECHO, EVAL,
#               LDAPMODIFY, LDAP_ARGS, TMPDIR, VERB
# NOTE(review): "crypt" is the legacy Unix crypt(3) hash. The header
# says it is set "to support CRYPT" (presumably for clients that need
# that format); from a hardening standpoint confirm per deployment that
# a stronger scheme offered by the server is not acceptable instead.
#
modify_pwd_crypt()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"

	# Here doc to modify passwordstoragescheme.
	# IDS 5.2 moved passwordchangesceme off to a new data structure.
	if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
		( cat <<EOF
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: crypt
EOF
		) > ${TMPDIR}/ids_crypt
	else
		( cat <<EOF
dn: cn=Password Policy,cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: crypt
EOF
		) > ${TMPDIR}/ids_crypt
	fi

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of passwordstoragescheme failed!"
		cleanup
		exit 1
	fi

	# Display messages for modifications made in patch.
	${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
	STEP=`expr $STEP + 1`
}


#
# add_eq_indexes(): Add indexes to improve search performance.
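#
add_eq_indexes()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"

	# Attributes that get a presence + equality index.
	_INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"

	# The index DN contains the backend name; look it up if unknown.
	if [ -z "${IDS_DATABASE}" ]; then
		get_backend
	fi

	# Display message to id current step.
	${ECHO} " ${STEP}. Processing eq,pres indexes:"
	STEP=`expr $STEP + 1`

	for i in ${_INDEXES}; do
		_add_attr_index "${i}" "pres eq" "eq,pres" "EQ,PRES"
	done
}


#
# add_sub_indexes(): Add indexes to improve search performance.
#
add_sub_indexes()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"

	# Attributes that get a presence + equality + substring index.
	_INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"

	# Same guard as add_eq_indexes(): the index DN needs the backend name.
	if [ -z "${IDS_DATABASE}" ]; then
		get_backend
	fi

	# Display message to id current step.
	${ECHO} " ${STEP}. Processing eq,pres,sub indexes:"
	STEP=`expr $STEP + 1`

	for i in ${_INDEXES}; do
		_add_attr_index "${i}" "pres eq sub" "eq,pres,sub" "EQ,PRES,SUB"
	done
}


#
# _add_attr_index(): Create one attribute index entry under the backend's
# cn=index container, then submit an index task for it and wait for the
# task to finish.  Shared by add_eq_indexes() and add_sub_indexes().
#   $1 - attribute to index
#   $2 - nsIndexType values, space separated (e.g. "pres eq")
#   $3 - label shown in progress messages (e.g. "eq,pres")
#   $4 - label shown in the error message (e.g. "EQ,PRES")
# Returns 0 when the index was added or already existed; on an ldapmodify
# failure it calls cleanup and exits the script with status 1.
#
_add_attr_index()
{
	_attr=$1
	_types=$2
	_label=$3
	_ulabel=$4
	_EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"

	[ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${_attr}"

	# Check if entry exists first, if so, skip.
	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${_attr},${_EXT}\" -s base \
	    \"objectclass=*\" > /dev/null 2>&1"
	if [ $? -eq 0 ]; then
		${ECHO} " ${_attr} (${_label}) skipped already exists"
		return 0
	fi

	# LDIF for the index entry; one nsIndexType line per requested type.
	{
		cat <<EOF
dn: cn=${_attr},${_EXT}
objectClass: top
objectClass: nsIndex
cn: ${_attr}
nsSystemIndex: false
EOF
		for _t in ${_types}; do
			${ECHO} "nsIndexType: ${_t}"
		done
	} > "${TMPDIR}/index_${_attr}"

	# Add the index.
	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${_attr} ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Adding ${_ulabel} index for ${_attr} failed!"
		cleanup
		exit 1
	fi

	# Task name is the attribute plus a timestamp.  A single date(1) call
	# keeps the fields consistent (six separate calls could straddle a
	# second boundary).
	_STAMP=`date '+%y_%m_%d_%H_%M_%S'`
	TASKNAME="${_attr}_${_STAMP}"

	# Build the task entry to add.
	( cat <<EOF
dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: ${TASKNAME}
nsInstance: ${IDS_DATABASE}
nsIndexAttribute: ${_attr}
EOF
	) > "${TMPDIR}/task_${_attr}"

	# Add the task.
	${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${_attr} ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Adding task for ${_attr} failed!"
		cleanup
		exit 1
	fi

	_wait_index_task "${TASKNAME}" "${_attr}" "${_label}"
}


#
# _wait_index_task(): Poll an index task entry, printing its nstaskstatus
# on a single updating line, until the status says Finished or the entry
# can no longer be found.
#   $1 - task cn (entry under cn=index, cn=tasks, cn=config)
#   $2 - attribute being indexed (names the status scratch file)
#   $3 - label shown in progress messages
# NOTE(review): there is no upper bound on the poll; a task that never
# reports Finished and is never removed keeps the script here.
#
_wait_index_task()
{
	_task=$1
	_attr=$2
	_label=$3
	_statf="${TMPDIR}/istask_${_attr}"

	while :
	do
		${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
		    -b \"cn=${_task}, cn=index, cn=tasks, cn=config\" -s base \
		    \"objectclass=*\" nstaskstatus > \"${_statf}\" 2>&1"
		# No line naming the task means the entry is gone: stop polling.
		${GREP} "${_task}" "${_statf}" > /dev/null 2>&1 || break
		TASK_STATUS=`${GREP} -i nstaskstatus "${_statf}" |
		    head -1 | cut -d: -f2`
		${ECHO} " ${_attr} (${_label}) $TASK_STATUS \r\c"
		if ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1; then
			break
		fi
		sleep 2
	done

	# Print newline because of \c.
	${ECHO} " "
}


#
# add_vlv_indexes(): Add VLV indexes to improve search performance.
#
add_vlv_indexes()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()"

	# The index DN contains the backend name; look it up if unknown
	# (same guard as add_eq_indexes()).
	if [ -z "${IDS_DATABASE}" ]; then
		get_backend
	fi

	# Each entry is "<vlvIndex cn>;<vlvSearch cn>;<base RDN>;<filter>".
	# Note semi colon separators because some filters contain colons.
	_INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup"
	_INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost"
	_INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork"
	_INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount"
	_INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc"
	_INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount"

	# Indexes added during NIS to LDAP transition
	_INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount"
	_INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr"
	_INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser"
	_INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr"
	_INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)"
	_INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)"
	_INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup"
	# NOTE(review): the doubled underscore in the vlvSearch cn below is
	# kept unchanged: it is the name of an entry on the server, and the
	# "already exists" check would not recognise entries created under
	# that name by earlier runs if it were renamed.
	_INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)"
	_INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)"
	_INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup"
	_INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)"
	_INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)"
	_INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService"
	_INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)"
	_INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)"

	_INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 "

	# Set _EXT to use as shortcut.
	_EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"

	# Display message to id current step.
	${ECHO} " ${STEP}. Processing VLV indexes:"
	STEP=`expr $STEP + 1`

	# Reset the lists of vlvindex commands shown at the end.
	rm -f "${TMPDIR}/ds5_vlvindex_list" "${TMPDIR}/ds6_vlvindex_list"
	touch "${TMPDIR}/ds5_vlvindex_list" "${TMPDIR}/ds6_vlvindex_list"

	# Get the instance name from iDS server; keep the placeholder if the
	# lookup does not return a "slapd-<name>" directory.
	_INSTANCE="<server-instance>"	# Default to old output.

	eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1"

	if ${GREP} "slapd-" "${TMPDIR}/instance_name" > /dev/null 2>&1; then
		_INST_DIR=`cat "${TMPDIR}/instance_name"`
		_INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-`
	fi

	# Compute the VLV Scope from the LDAP_SEARCH_SCOPE once; it is the
	# same for every index.
	# NOTE: A value of "base (0)" does not make sense.
	case "$LDAP_SEARCH_SCOPE" in
	sub)	VLV_SCOPE="2" ;;
	*)	VLV_SCOPE="1" ;;
	esac

	# Globbing is switched off while the entries are split: the filter
	# field holds '*' characters that an unquoted expansion could match
	# against files in the current directory.  Restored afterwards.
	case $- in
	*f*)	_RESTORE_GLOB="" ;;
	*)	_RESTORE_GLOB="set +f" ;;
	esac
	set -f
	_SAVE_IFS=$IFS

	for p in ${_INDEXES}; do
		# Break p into i (vlvIndex cn), j (vlvSearch cn), k (base RDN)
		# and m (filter) on the ';' separators.
		IFS=';'
		set -- $p
		IFS=$_SAVE_IFS
		i=$1
		j=$2
		k=$3
		m=$4

		# Report after the split so the message names this index, not
		# whatever i held from the previous iteration.
		[ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}"

		# Set _jEXT to use as shortcut.
		_jEXT="cn=${j},${_EXT}"

		# Check if entry exists first, if so, skip to next.
		# NOTE(review): this check binds with SERVER_ARGS, unlike the
		# LDAP_ARGS used by the other index checks; presumably it relies
		# on the anonymous-read aci written below - confirm before
		# tightening either.
		${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			${ECHO} " ${i} vlv_index skipped already exists"
			continue
		fi

		# LDIF for the vlvSearch entry and its vlvIndex child.  The aci
		# grants read/search/compare on the vlvSearch entry to anyone.
		( cat <<EOF
dn: ${_jEXT}
objectClass: top
objectClass: vlvSearch
cn: ${j}
vlvbase: ${k},${LDAP_BASEDN}
vlvscope: ${VLV_SCOPE}
vlvfilter: (${m})
aci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)

dn: cn=${i},${_jEXT}
cn: ${i}
vlvSort: cn uid
objectclass: top
objectclass: vlvIndex
EOF
		) > "${TMPDIR}/vlv_index_${i}"

		# Add the index.
		${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
		if [ $? -ne 0 ]; then
			${ECHO} " ERROR: Adding VLV index for ${i} failed!"
			cleanup
			exit 1
		fi

		# Print message that index was created.
		${ECHO} " ${i} vlv_index Entry created"

		# Add command to list of vlvindex commands to run.
		${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> "${TMPDIR}/ds5_vlvindex_list"
		${ECHO} " <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> "${TMPDIR}/ds6_vlvindex_list"
	done
	${_RESTORE_GLOB}
}


#
# display_vlv_cmds(): Display VLV index commands to run on server.
# Prints the intro text only when at least one list is non-empty, then the
# DS5 list, two blank lines, and the DS6 list.
#
display_vlv_cmds()
{
	_DS5_LIST="${TMPDIR}/ds5_vlvindex_list"
	_DS6_LIST="${TMPDIR}/ds6_vlvindex_list"

	if [ -s "${_DS5_LIST}" ] || [ -s "${_DS6_LIST}" ]; then
		display_msg display_vlv_list
	fi

	if [ -s "${_DS5_LIST}" ]; then
		cat "${_DS5_LIST}"
	fi

	# Two blank lines separate the DS5 and DS6 command lists.
	${ECHO} ""
	${ECHO} ""

	if [ -s "${_DS6_LIST}" ]; then
		cat "${_DS6_LIST}"
	fi
}


#
# update_schema_attr(): Update Schema to support Naming.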
42157c478bd9Sstevel@tonic-gate# 42167c478bd9Sstevel@tonic-gateupdate_schema_attr() 42177c478bd9Sstevel@tonic-gate{ 42187c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" 42197c478bd9Sstevel@tonic-gate 42207c478bd9Sstevel@tonic-gate ( cat <<EOF 42217c478bd9Sstevel@tonic-gatedn: cn=schema 42227c478bd9Sstevel@tonic-gatechangetype: modify 42237c478bd9Sstevel@tonic-gateadd: attributetypes 42241d473207SMilan Jurikattributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42251d473207SMilan Jurikattributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42261d473207SMilan Jurikattributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42271d473207SMilan Jurikattributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42281d473207SMilan Jurikattributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42291d473207SMilan Jurikattributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42301d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42311d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42321d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42331d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822mailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42341d473207SMilan Jurikattributetypes: ( 2.16.840.1.113730.3.1.30 NAME 
'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42351d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42361d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 42371d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42381d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 42391d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42401d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42411d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42421d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42431d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42441d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42451d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42461d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42471d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42481d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 
NAME 'SolarisPreferredServerOnly' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42491d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42501d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42511d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42521d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42531d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42541d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42551d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42561d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42571d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42581d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42591d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42601d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42611d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
SINGLE-VALUE ) 42621d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42631d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42641d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42651d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42661d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 42671d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42681d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42691d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42701d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42711d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42721d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 
'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42731d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42741d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42751d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42761d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42771d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42787c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42797c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42801d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42811d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42821d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42831d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42841d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42851d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42861d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42871d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42881d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42891d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 42901d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE ) 42911d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 42921d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). 
Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 42931d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42941d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 42951d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42961d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42971d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. 
Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42981d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42991d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 43001d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 43011d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' 
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 43021d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 43031d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 43041d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 43051d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' 
EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 43061d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 43071d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 43081d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 43091d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 43101d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. 
Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 43111d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 43121d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 43131d473207SMilan Jurikattributetypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 43141d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 43151d473207SMilan Jurikattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' 
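SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
EOF
) > ${TMPDIR}/schema_attr

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of schema attributes failed!"
		cleanup
		exit 1
	fi

	# Display message that schema is updated.
	${ECHO} " ${STEP}. Schema attributes have been updated."
	STEP=`expr $STEP + 1`
}


#
# update_schema_obj(): Update the schema objectclass definitions.
#
# Writes one LDIF "add: objectclasses" modification per objectclass to
# ${TMPDIR}/schema_obj and applies the file with ${LDAPMODIFY}.  A failing
# ldapmodify is fatal: the error is reported, cleanup runs and the script
# exits 1.  The objectclass definitions themselves are schema and are
# reproduced verbatim; do not edit them without changing the matching
# attributetypes in update_schema_attr().
#
# Globals read:    DEBUG, ECHO, EVAL, LDAPMODIFY, LDAP_ARGS, TMPDIR, VERB, STEP
# Globals written: STEP (incremented once on success)
#
update_schema_obj()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In update_schema_obj()"

	# Add the objectclass definitions.
	( cat <<EOF
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top MUST nisDomain )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top MUST automountMapName MAY description )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top MUST ( automountKey $ automountInformation ) MAY description )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top MUST ( cn $ SolarisLDAPservers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top MUST mail MAY ( cn $ mgrpRFC822MailMember ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP top MUST cn MAY rfc822mailMember )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP top MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP top AUXILIARY MAY ( SolarisAuditAlways $ SolarisAuditNever ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top DESC 'Abstraction of a base configuration for a DUA' MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP top MUST objectclass )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' SUP slpService AUXILIARY )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP top AUXILIARY MUST printer-name MAY ( sun-printer-bsdaddr $ sun-printer-kvp ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST cn MAY ( nisplusTimeZone $ description ) )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP top MUST ipTnetTemplateName MAY SolarisAttrKeyValue )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP top AUXILIARY MUST ipTnetNumber )
EOF
) > ${TMPDIR}/schema_obj

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of schema objectclass definitions failed!"
		cleanup
		exit 1
	fi

	# Display message that schema is updated.
	${ECHO} " ${STEP}. Schema objectclass definitions have been added."
	STEP=`expr $STEP + 1`
}

#
# modify_top_aci(): Modify the ACI for the top entry to disable self modify
# of user attributes.
#
# Adds an ACI named ${ACI_NAME} to ${LDAP_BASEDN} that denies "write" to
# userdn "ldap:///self" on the attributes in the targetattr clause (uid and
# gid numbers, home directory, shadow ageing fields, memberUid and the
# Solaris audit/RBAC attributes), so an entry cannot change those values on
# itself.  userPassword is not in that list, presumably so that a user can
# still change his own password -- confirm before extending the list.
# If an ACI whose text already contains ${ACI_NAME} is present on the base
# entry the function only reports that and returns 0.
#
# Globals read:    DEBUG, ECHO, EVAL, GREP, LDAPSEARCH, LDAPMODIFY, LDAP_ARGS,
#                  LDAP_BASEDN, TMPDIR, VERB, STEP, EXISTING_PROFILE
# Globals written: ACI_NAME, MSG, STEP
#
modify_top_aci()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In modify_top_aci()"

	# Set ACI Name
	ACI_NAME="LDAP_Naming_Services_deny_write_access"

	# Search for ACI_NAME.  LDAP_ARGS is a pre-built option string that
	# has to be word-split, hence eval (the convention used throughout
	# this file).  NOTE(review): LDAP_ARGS is assembled outside this
	# function; if it carries the bind password as an argv option it is
	# visible to process listings and to shell tracing -- confirm.
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "Error searching aci for ${LDAP_BASEDN}"
		cat "${TMPDIR}/chk_top_aci"
		cleanup
		exit 1
	fi
	# Existence is decided by a substring match on the ACI name only;
	# the ACI body is not compared.
	${GREP} "${ACI_NAME}" "${TMPDIR}/chk_top_aci" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		${ECHO} " ${STEP}. Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}."
		STEP=`expr $STEP + 1`
		return 0
	fi

	# Create LDIF for top level ACI.
	( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAuditAlways||SolarisAuditNever||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";)
-
EOF
) > ${TMPDIR}/top_aci

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)"
		cleanup
		exit 1
	fi

	# Display message that ACI is updated.
	MSG="ACI for ${LDAP_BASEDN} modified to disable self modify."
	if [ "$EXISTING_PROFILE" -eq 1 ]; then
		${ECHO} " ACI SET: $MSG"
	else
		${ECHO} " ${STEP}. $MSG"
		STEP=`expr $STEP + 1`
	fi
}

#
# find_and_delete_ACI(): Find an ACI in file $2 with a matching pattern $1.
# Delete the ACI and print a message using $3 as the ACI name. $3 is needed
# because it could have a different value than that of $1.
#
# $1 - egrep pattern selecting the ACI line(s) in $2
# $2 - file holding ldapsearch output, one "aci=<value>" per line
# $3 - ACI name used in the messages
#
# Every matching value is removed from ${LDAP_BASEDN} in a single
# "delete: aci" modification.  No match is not an error (nothing is
# printed, return 0).  A failing ldapmodify is fatal (cleanup, exit 1).
#
# Globals read:    DEBUG, ECHO, EGREP, SED, CAT, RM, EVAL, LDAPMODIFY,
#                  LDAP_ARGS, LDAP_BASEDN, TMPDIR, VERB, STEP, EXISTING_PROFILE
# Globals written: MSG, STEP
#
find_and_delete_ACI()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In find_and_delete_ACI"

	# Turn every line of $2 matching $1 into an "aci: <value>" LDIF line.
	# Emitting one LDIF line per match keeps the modification well formed
	# when more than one ACI matches; a multi-line value pasted after a
	# single "aci:" would not be.  Only stdout is captured: a grep/sed
	# diagnostic on stderr must not be mistaken for an ACI value.
	${EGREP} -e "$1" "$2" | ${SED} -e 's/aci=//' -e 's/^/aci: /' \
	    > "${TMPDIR}/grep_find_delete_aci"
	if [ ! -s "${TMPDIR}/grep_find_delete_aci" ]; then
		return 0
	fi

	# Create the tmp file to delete the ACI(s) from ${LDAP_BASEDN}.
	( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
delete: aci
EOF
	  ${CAT} "${TMPDIR}/grep_find_delete_aci"
	) > "${TMPDIR}/find_delete_aci"

	# Delete the ACI
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/find_delete_aci ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Remove of $3 ACI failed!"
		cleanup
		exit 1
	fi

	${RM} -f "${TMPDIR}/find_delete_aci"
	# Display message that an ACL is deleted.
	MSG="ACI $3 deleted."
	if [ "$EXISTING_PROFILE" -eq 1 ]; then
		${ECHO} " ACI DELETED: $MSG"
	else
		${ECHO} " ${STEP}. $MSG"
		STEP=`expr $STEP + 1`
	fi
}

#
# deny_non_admin_shadow_access(): Add an ACI to deny non-admin access to
# shadow data when shadow update is enabled.
#
# The ACI ${ACI_TO_ADD}, added to ${LDAP_BASEDN} with that subtree as its
# target, denies read, search, compare and write on the shadow* attributes
# and userPassword to every bind DN other than ${LDAP_ADMINDN} (presumably
# including anonymous binds -- confirm against the server's ACI semantics).
# It is mutually exclusive with ${ACI_TO_DEL}, which is removed first when
# present.  If ${ACI_TO_ADD} is already on the base entry nothing changes.
# Search or modify failures are fatal (cleanup, exit 1).
#
# Globals read:    DEBUG, ECHO, EGREP, CAT, RM, EVAL, LDAPSEARCH, LDAPMODIFY,
#                  LDAP_ARGS, LDAP_BASEDN, LDAP_ADMINDN, TMPDIR, VERB, STEP,
#                  EXISTING_PROFILE
# Globals written: ACI_TO_ADD, ACI_TO_DEL, MSG, STEP
#
deny_non_admin_shadow_access()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In deny_non_admin_shadow_access()"

	# Set ACI Names
	ACI_TO_ADD="LDAP_Naming_Services_deny_non_admin_shadow_access"
	ACI_TO_DEL="LDAP_Naming_Services_deny_non_host_shadow_access"

	# Search for ACI_TO_ADD (eval because LDAP_ARGS is a pre-built option
	# string; see modify_top_aci for the credential caveat).
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_admin 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "Error searching aci for ${LDAP_BASEDN}"
		${CAT} "${TMPDIR}/chk_aci_non_admin"
		cleanup
		exit 1
	fi

	# If an ACI with ${ACI_TO_ADD} already exists, we are done.
	# Only the exit status matters, so both streams are discarded.
	${EGREP} -e "${ACI_TO_ADD}" "${TMPDIR}/chk_aci_non_admin" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
		if [ "$EXISTING_PROFILE" -eq 1 ]; then
			${ECHO} " NOT SET: $MSG"
		else
			${ECHO} " ${STEP}. $MSG"
			STEP=`expr $STEP + 1`
		fi
		return 0
	fi

	# The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
	# should be mutually exclusive, so if the latter exists, delete it.
	find_and_delete_ACI "${ACI_TO_DEL}" "${TMPDIR}/chk_aci_non_admin" "${ACI_TO_DEL}"

	# Create the tmp file to add.  The value is folded onto LDIF
	# continuation lines, which must start with exactly one space.
	( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
 deny (write,read,search,compare) userdn != "ldap:///${LDAP_ADMINDN}";)
EOF
) > ${TMPDIR}/non_admin_aci_write

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_admin_aci_write ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!"
		${CAT} "${TMPDIR}/non_admin_aci_write"
		cleanup
		exit 1
	fi

	${RM} -f "${TMPDIR}/non_admin_aci_write"
	# Display message that the non-admin access to shadow data is denied.
	MSG="Non-Admin access to shadow data denied."
	if [ "$EXISTING_PROFILE" -eq 1 ]; then
		${ECHO} " ACI SET: $MSG"
	else
		${ECHO} " ${STEP}. $MSG"
		STEP=`expr $STEP + 1`
	fi
}

#
# deny_non_host_shadow_access(): Add an ACI to deny non-host access to
# shadow data when shadow update is enabled and the auth method is gssapi.
#
# Same shape as deny_non_admin_shadow_access(), but the ACI ${ACI_TO_ADD}
# denies read, search, compare and write on the shadow* attributes and
# userPassword to every bind DN that does not match the wildcard host
# identity "cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}".  It is mutually
# exclusive with ${ACI_TO_DEL}, which is removed first when present.
# Search or modify failures are fatal (cleanup, exit 1).
#
# Globals read:    DEBUG, ECHO, EGREP, CAT, RM, EVAL, LDAPSEARCH, LDAPMODIFY,
#                  LDAP_ARGS, LDAP_BASEDN, TMPDIR, VERB, STEP, EXISTING_PROFILE
# Globals written: ACI_TO_ADD, ACI_TO_DEL, MSG, STEP
#
deny_non_host_shadow_access()
{
	[ "$DEBUG" -eq 1 ] && ${ECHO} "In deny_non_host_shadow_access()"

	# Set ACI Names
	ACI_TO_ADD="LDAP_Naming_Services_deny_non_host_shadow_access"
	ACI_TO_DEL="LDAP_Naming_Services_deny_non_admin_shadow_access"

	# Search for ACI_TO_ADD (eval because LDAP_ARGS is a pre-built option
	# string; see modify_top_aci for the credential caveat).
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_aci_non_host 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "Error searching aci for ${LDAP_BASEDN}"
		${CAT} "${TMPDIR}/chk_aci_non_host"
		cleanup
		exit 1
	fi

	# If an ACI with ${ACI_TO_ADD} already exists, we are done.
	# Only the exit status matters, so both streams are discarded.
	${EGREP} -e "${ACI_TO_ADD}" "${TMPDIR}/chk_aci_non_host" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		MSG="ACI ${ACI_TO_ADD} already set for ${LDAP_BASEDN}."
		if [ "$EXISTING_PROFILE" -eq 1 ]; then
			${ECHO} " NOT SET: $MSG"
		else
			${ECHO} " ${STEP}. $MSG"
			STEP=`expr $STEP + 1`
		fi
		return 0
	fi

	# The deny_non_admin_shadow_access and deny_non_host_shadow_access ACIs
	# should be mutually exclusive, so if the former exists, delete it.
	find_and_delete_ACI "${ACI_TO_DEL}" "${TMPDIR}/chk_aci_non_host" "${ACI_TO_DEL}"

	# Create the tmp file to add.  The value is folded onto LDIF
	# continuation lines, which must start with exactly one space.
	( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr = "shadowLastChange||
 shadowMin|| shadowMax||shadowWarning||shadowInactive||shadowExpire||
 shadowFlag||userPassword") (version 3.0; acl ${ACI_TO_ADD};
 deny (write,read,search,compare)
 userdn != "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
EOF
) > ${TMPDIR}/non_host_aci_write

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/non_host_aci_write ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Adding ACI ${ACI_TO_ADD} failed!"
		${CAT} "${TMPDIR}/non_host_aci_write"
		cleanup
		exit 1
	fi

	${RM} -f "${TMPDIR}/non_host_aci_write"
	# Display message that the non-host access to shadow data is denied.
	MSG="Non-host access to shadow data is denied."
	if [ "$EXISTING_PROFILE" -eq 1 ]; then
		${ECHO} " ACI SET: $MSG"
	else
		${ECHO} " ${STEP}. $MSG"
		STEP=`expr $STEP + 1`
	fi
}

#
# add_vlv_aci(): Add access control information (aci) for VLV.
#
add_vlv_aci()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"

	# Add the VLV ACI.
	( cat <<EOF
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
replace: aci
aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
EOF
) > ${TMPDIR}/vlv_aci

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: Add of VLV ACI failed!"
		cleanup
		exit 1
	fi

	# Display message that schema is updated.
	${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)."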
47517c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 47527c478bd9Sstevel@tonic-gate} 47537c478bd9Sstevel@tonic-gate 47547c478bd9Sstevel@tonic-gate 47557c478bd9Sstevel@tonic-gate# 47567c478bd9Sstevel@tonic-gate# set_nisdomain(): Add the NisDomainObject to the Base DN. 47577c478bd9Sstevel@tonic-gate# 47587c478bd9Sstevel@tonic-gateset_nisdomain() 47597c478bd9Sstevel@tonic-gate{ 47607c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()" 47617c478bd9Sstevel@tonic-gate 47627c478bd9Sstevel@tonic-gate # Check if nisDomain is already set. 4763017e8b01Svl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \ 4764017e8b01Svl \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1 4765017e8b01Svl ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}" 47667c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 47677c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set." 47687c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 47697c478bd9Sstevel@tonic-gate return 0 47707c478bd9Sstevel@tonic-gate fi 47717c478bd9Sstevel@tonic-gate 47727c478bd9Sstevel@tonic-gate # Add the new top level containers. 47737c478bd9Sstevel@tonic-gate ( cat <<EOF 47747c478bd9Sstevel@tonic-gatedn: ${LDAP_BASEDN} 47757c478bd9Sstevel@tonic-gatechangetype: modify 47767c478bd9Sstevel@tonic-gateobjectclass: nisDomainObject 47777c478bd9Sstevel@tonic-gatenisdomain: ${LDAP_DOMAIN} 47787c478bd9Sstevel@tonic-gateEOF 47797c478bd9Sstevel@tonic-gate) > ${TMPDIR}/nis_domain 47807c478bd9Sstevel@tonic-gate 47817c478bd9Sstevel@tonic-gate # Add the entry. 47827c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}" 47837c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 47847c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed." 
47857c478bd9Sstevel@tonic-gate cleanup 47867c478bd9Sstevel@tonic-gate exit 1 47877c478bd9Sstevel@tonic-gate fi 47887c478bd9Sstevel@tonic-gate 47897c478bd9Sstevel@tonic-gate # Display message that schema is updated. 47907c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}." 47917c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 47927c478bd9Sstevel@tonic-gate} 47937c478bd9Sstevel@tonic-gate 47947c478bd9Sstevel@tonic-gate 47957c478bd9Sstevel@tonic-gate# 47967c478bd9Sstevel@tonic-gate# check_attrName(): Check that the attribute name is valid. 47977c478bd9Sstevel@tonic-gate# $1 Key to check. 47987c478bd9Sstevel@tonic-gate# Returns 0 : valid name 1 : invalid name 47997c478bd9Sstevel@tonic-gate# 48007c478bd9Sstevel@tonic-gatecheck_attrName() 48017c478bd9Sstevel@tonic-gate{ 48027c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()" 48037c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1" 48047c478bd9Sstevel@tonic-gate 48057c478bd9Sstevel@tonic-gate ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1 48067c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 48077c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 48087c478bd9Sstevel@tonic-gate attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}" 48097c478bd9Sstevel@tonic-gate else 48107c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \ 48117c478bd9Sstevel@tonic-gate attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}" 48127c478bd9Sstevel@tonic-gate fi 48137c478bd9Sstevel@tonic-gate 48147c478bd9Sstevel@tonic-gate if [ $? 
-ne 0 ]; then 48157c478bd9Sstevel@tonic-gate return 1 48167c478bd9Sstevel@tonic-gate else 48177c478bd9Sstevel@tonic-gate return 0 48187c478bd9Sstevel@tonic-gate fi 48197c478bd9Sstevel@tonic-gate} 48207c478bd9Sstevel@tonic-gate 48217c478bd9Sstevel@tonic-gate 48227c478bd9Sstevel@tonic-gate# 48237c478bd9Sstevel@tonic-gate# get_objectclass(): Determine the objectclass for the given attribute name 48247c478bd9Sstevel@tonic-gate# $1 Attribute name to check. 48257c478bd9Sstevel@tonic-gate# _ATTR_NAME Return value, Object Name or NULL if unknown to idsconfig. 48267c478bd9Sstevel@tonic-gate# 48277c478bd9Sstevel@tonic-gate# NOTE: An attribute name can be valid but still we might not be able 48287c478bd9Sstevel@tonic-gate# to determine the objectclass from the table. 48297c478bd9Sstevel@tonic-gate# In such cases, the user needs to create the necessary object(s). 48307c478bd9Sstevel@tonic-gate# 48317c478bd9Sstevel@tonic-gateget_objectclass() 48327c478bd9Sstevel@tonic-gate{ 48337c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()" 48347c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1" 48357c478bd9Sstevel@tonic-gate 48367c478bd9Sstevel@tonic-gate # Set return value to NULL string. 
48377c478bd9Sstevel@tonic-gate _ATTR_NAME="" 48387c478bd9Sstevel@tonic-gate 48397c478bd9Sstevel@tonic-gate # Test key for type: 48407c478bd9Sstevel@tonic-gate case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in 48417c478bd9Sstevel@tonic-gate ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;; 48427c478bd9Sstevel@tonic-gate dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;; 48437c478bd9Sstevel@tonic-gate o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;; 48447c478bd9Sstevel@tonic-gate c | countryname | 2.5.4.6) _ATTR_NAME="country" ;; 48457c478bd9Sstevel@tonic-gate *) _ATTR_NAME="" ;; 48467c478bd9Sstevel@tonic-gate esac 48477c478bd9Sstevel@tonic-gate 48487c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME" 48497c478bd9Sstevel@tonic-gate} 48507c478bd9Sstevel@tonic-gate 48517c478bd9Sstevel@tonic-gate 48527c478bd9Sstevel@tonic-gate# 48537c478bd9Sstevel@tonic-gate# add_base_objects(): Add any necessary base objects. 48547c478bd9Sstevel@tonic-gate# 48557c478bd9Sstevel@tonic-gateadd_base_objects() 48567c478bd9Sstevel@tonic-gate{ 48577c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()" 48587c478bd9Sstevel@tonic-gate 48597c478bd9Sstevel@tonic-gate # Convert to lower case for basename. 48607c478bd9Sstevel@tonic-gate format_string "${LDAP_BASEDN}" 48617c478bd9Sstevel@tonic-gate LOWER_BASEDN="${FMT_STR}" 48627c478bd9Sstevel@tonic-gate format_string "${LDAP_SUFFIX}" 48637c478bd9Sstevel@tonic-gate LOWER_SUFFIX="${FMT_STR}" 48647c478bd9Sstevel@tonic-gate 48657c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}" 48667c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}" 48677c478bd9Sstevel@tonic-gate 48687c478bd9Sstevel@tonic-gate # Create additional components. 
48697c478bd9Sstevel@tonic-gate if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then 48707c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent" 48717c478bd9Sstevel@tonic-gate else 48727c478bd9Sstevel@tonic-gate # first, test that the suffix is valid 48737c478bd9Sstevel@tonic-gate dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"` 48747c478bd9Sstevel@tonic-gate if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then 48757c478bd9Sstevel@tonic-gate # should not happen since check_basedn_suffix() succeeded 48767c478bd9Sstevel@tonic-gate ${ECHO} "Invalid suffix ${LOWER_SUFFIX}" 48777c478bd9Sstevel@tonic-gate ${ECHO} "for Base DN ${LOWER_BASEDN}" 48787c478bd9Sstevel@tonic-gate cleanup 48797c478bd9Sstevel@tonic-gate exit 1 48807c478bd9Sstevel@tonic-gate fi 48817c478bd9Sstevel@tonic-gate # OK, suffix is valid, start working with LDAP_BASEDN 48827c478bd9Sstevel@tonic-gate # field separator is ',' (i.e., space is a valid character) 48837c478bd9Sstevel@tonic-gate dcstmp2="`${ECHO} ${LDAP_BASEDN} | 48847c478bd9Sstevel@tonic-gate sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`" 48857c478bd9Sstevel@tonic-gate dcs="" 48867c478bd9Sstevel@tonic-gate # use dcstmp to count the loop, and dcstmp2 to get the correct 48877c478bd9Sstevel@tonic-gate # string case 48887c478bd9Sstevel@tonic-gate # dcs should be in reverse order, only for these components 48897c478bd9Sstevel@tonic-gate # that need to be added 48907c478bd9Sstevel@tonic-gate while [ -n "${dcstmp}" ] 48917c478bd9Sstevel@tonic-gate do 48927c478bd9Sstevel@tonic-gate i2=`${ECHO} "$dcstmp2" | cut -f1 -d','` 48937c478bd9Sstevel@tonic-gate dk=`${ECHO} $i2 | awk -F= '{print $1}'` 48947c478bd9Sstevel@tonic-gate dc=`${ECHO} $i2 | awk -F= '{print $2}'` 48957c478bd9Sstevel@tonic-gate dcs="$dk=$dc,$dcs"; 48967c478bd9Sstevel@tonic-gate dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','` 48977c478bd9Sstevel@tonic-gate dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','` 48987c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && \ 
48997c478bd9Sstevel@tonic-gate ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n" 49007c478bd9Sstevel@tonic-gate done 49017c478bd9Sstevel@tonic-gate 49027c478bd9Sstevel@tonic-gate 49037c478bd9Sstevel@tonic-gate 49047c478bd9Sstevel@tonic-gate lastdc=${LDAP_SUFFIX} 49057c478bd9Sstevel@tonic-gate dc=`${ECHO} "${dcs}" | cut -f1 -d','` 49067c478bd9Sstevel@tonic-gate dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','` 49077c478bd9Sstevel@tonic-gate while [ -n "${dc}" ]; do 49087c478bd9Sstevel@tonic-gate # Get Key and component from $dc. 49097c478bd9Sstevel@tonic-gate dk2=`${ECHO} $dc | awk -F= '{print $1}'` 49107c478bd9Sstevel@tonic-gate dc2=`${ECHO} $dc | awk -F= '{print $2}'` 49117c478bd9Sstevel@tonic-gate 49127c478bd9Sstevel@tonic-gate # At this point, ${dk2} is a valid attribute name 49137c478bd9Sstevel@tonic-gate 49147c478bd9Sstevel@tonic-gate # Check if entry exists first, if so, skip to next. 49157c478bd9Sstevel@tonic-gate ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1 49167c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 49177c478bd9Sstevel@tonic-gate # Set the $lastdc to new dc. 49187c478bd9Sstevel@tonic-gate lastdc="${dk2}=${dc2},$lastdc" 49197c478bd9Sstevel@tonic-gate 49207c478bd9Sstevel@tonic-gate # Process next component. 49217c478bd9Sstevel@tonic-gate dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 49227c478bd9Sstevel@tonic-gate dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 49237c478bd9Sstevel@tonic-gate continue 49247c478bd9Sstevel@tonic-gate 49257c478bd9Sstevel@tonic-gate fi 49267c478bd9Sstevel@tonic-gate 49277c478bd9Sstevel@tonic-gate # Determine the objectclass for the entry. 
49287c478bd9Sstevel@tonic-gate get_objectclass $dk2 49297c478bd9Sstevel@tonic-gate OBJ_Name=${_ATTR_NAME} 49307c478bd9Sstevel@tonic-gate if [ "${OBJ_Name}" = "" ]; then 49317c478bd9Sstevel@tonic-gate ${ECHO} "Cannot determine objectclass for $dk2" 49327c478bd9Sstevel@tonic-gate ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig" 49337c478bd9Sstevel@tonic-gate exit 1 49347c478bd9Sstevel@tonic-gate fi 49357c478bd9Sstevel@tonic-gate 49367c478bd9Sstevel@tonic-gate # Add the new container. 49377c478bd9Sstevel@tonic-gate ( cat <<EOF 49387c478bd9Sstevel@tonic-gatedn: ${dk2}=${dc2},$lastdc 49397c478bd9Sstevel@tonic-gate${dk2}: $dc2 49407c478bd9Sstevel@tonic-gateobjectClass: top 49417c478bd9Sstevel@tonic-gateobjectClass: ${OBJ_Name} 49427c478bd9Sstevel@tonic-gateEOF 49437c478bd9Sstevel@tonic-gate) > ${TMPDIR}/base_objects 49447c478bd9Sstevel@tonic-gate 49457c478bd9Sstevel@tonic-gate 49467c478bd9Sstevel@tonic-gate # Set the $lastdc to new dc. 49477c478bd9Sstevel@tonic-gate lastdc="${dk2}=${dc2},$lastdc" 49487c478bd9Sstevel@tonic-gate 49497c478bd9Sstevel@tonic-gate # Add the entry. 49507c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}" 49517c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 49527c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: update of base objects ${dc} failed." 49537c478bd9Sstevel@tonic-gate cleanup 49547c478bd9Sstevel@tonic-gate exit 1 49557c478bd9Sstevel@tonic-gate fi 49567c478bd9Sstevel@tonic-gate 49577c478bd9Sstevel@tonic-gate # Display message that schema is updated. 49587c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Created DN component ${dc}." 49597c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 49607c478bd9Sstevel@tonic-gate 49617c478bd9Sstevel@tonic-gate # Process next component. 
49627c478bd9Sstevel@tonic-gate dc=`${ECHO} "${dcstmp}" | cut -f1 -d','` 49637c478bd9Sstevel@tonic-gate dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','` 49647c478bd9Sstevel@tonic-gate done 49657c478bd9Sstevel@tonic-gate fi 49667c478bd9Sstevel@tonic-gate} 49677c478bd9Sstevel@tonic-gate 49687c478bd9Sstevel@tonic-gate 49697c478bd9Sstevel@tonic-gate# 49707c478bd9Sstevel@tonic-gate# add_new_containers(): Add the top level classes. 49717c478bd9Sstevel@tonic-gate# 49727c478bd9Sstevel@tonic-gate# $1 = Base DN 49737c478bd9Sstevel@tonic-gate# 49747c478bd9Sstevel@tonic-gateadd_new_containers() 49757c478bd9Sstevel@tonic-gate{ 49767c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()" 49777c478bd9Sstevel@tonic-gate 49787c478bd9Sstevel@tonic-gate for ou in people group rpc protocols networks netgroup \ 4979a58015d1Svl aliases hosts services ethers profile printers projects \ 498045916cd2Sjpk SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do 49817c478bd9Sstevel@tonic-gate 49827c478bd9Sstevel@tonic-gate # Check if nismaps already exist. 49837c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 49847c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 49857c478bd9Sstevel@tonic-gate continue 49867c478bd9Sstevel@tonic-gate fi 49877c478bd9Sstevel@tonic-gate 49887c478bd9Sstevel@tonic-gate # Create TMP file to add. 49897c478bd9Sstevel@tonic-gate ( cat <<EOF 49907c478bd9Sstevel@tonic-gatedn: ou=${ou},${LDAP_BASEDN} 49917c478bd9Sstevel@tonic-gateou: ${ou} 49927c478bd9Sstevel@tonic-gateobjectClass: top 49937c478bd9Sstevel@tonic-gateobjectClass: organizationalUnit 49947c478bd9Sstevel@tonic-gateEOF 49957c478bd9Sstevel@tonic-gate) > ${TMPDIR}/toplevel.${ou} 49967c478bd9Sstevel@tonic-gate 49977c478bd9Sstevel@tonic-gate # Add the entry. 49987c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}" 49997c478bd9Sstevel@tonic-gate if [ $? 
-ne 0 ]; then 50007c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Add of ou=${ou} container failed!" 50017c478bd9Sstevel@tonic-gate cleanup 50027c478bd9Sstevel@tonic-gate exit 1 50037c478bd9Sstevel@tonic-gate fi 50047c478bd9Sstevel@tonic-gate done 50057c478bd9Sstevel@tonic-gate 50067c478bd9Sstevel@tonic-gate # Display message that top level OU containers complete. 50077c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Top level \"ou\" containers complete." 50087c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 50097c478bd9Sstevel@tonic-gate} 50107c478bd9Sstevel@tonic-gate 50117c478bd9Sstevel@tonic-gate 50127c478bd9Sstevel@tonic-gate# 50137c478bd9Sstevel@tonic-gate# add_auto_maps(): Add the automount map entries. 50147c478bd9Sstevel@tonic-gate# 50157c478bd9Sstevel@tonic-gate# auto_home, auto_direct, auto_master, auto_shared 50167c478bd9Sstevel@tonic-gate# 50177c478bd9Sstevel@tonic-gateadd_auto_maps() 50187c478bd9Sstevel@tonic-gate{ 50197c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()" 50207c478bd9Sstevel@tonic-gate 50217c478bd9Sstevel@tonic-gate # Set AUTO_MAPS for maps to create. 50227c478bd9Sstevel@tonic-gate AUTO_MAPS="auto_home auto_direct auto_master auto_shared" 50237c478bd9Sstevel@tonic-gate 50247c478bd9Sstevel@tonic-gate for automap in $AUTO_MAPS; do 50257c478bd9Sstevel@tonic-gate # Check if automaps already exist. 50267c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}" 50277c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 50287c478bd9Sstevel@tonic-gate continue 50297c478bd9Sstevel@tonic-gate fi 50307c478bd9Sstevel@tonic-gate 50317c478bd9Sstevel@tonic-gate # Create the tmp file to add. 
50327c478bd9Sstevel@tonic-gate ( cat <<EOF 50337c478bd9Sstevel@tonic-gatedn: automountMapName=${automap},${LDAP_BASEDN} 50347c478bd9Sstevel@tonic-gateautomountMapName: ${automap} 50357c478bd9Sstevel@tonic-gateobjectClass: top 50367c478bd9Sstevel@tonic-gateobjectClass: automountMap 50377c478bd9Sstevel@tonic-gateEOF 50387c478bd9Sstevel@tonic-gate) > ${TMPDIR}/automap.${automap} 50397c478bd9Sstevel@tonic-gate 50407c478bd9Sstevel@tonic-gate # Add the entry. 50417c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}" 50427c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 50437c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Add of automap ${automap} failed!" 50447c478bd9Sstevel@tonic-gate cleanup 50457c478bd9Sstevel@tonic-gate exit 1 50467c478bd9Sstevel@tonic-gate fi 50477c478bd9Sstevel@tonic-gate done 50487c478bd9Sstevel@tonic-gate 50497c478bd9Sstevel@tonic-gate # Display message that automount entries are updated. 50507c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed." 50517c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 50527c478bd9Sstevel@tonic-gate} 50537c478bd9Sstevel@tonic-gate 50547c478bd9Sstevel@tonic-gate 50557c478bd9Sstevel@tonic-gate# 50567c478bd9Sstevel@tonic-gate# add_proxyagent(): Add entry for nameservice to use to access server. 50577c478bd9Sstevel@tonic-gate# 50587c478bd9Sstevel@tonic-gateadd_proxyagent() 50597c478bd9Sstevel@tonic-gate{ 50607c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()" 50617c478bd9Sstevel@tonic-gate 50621d473207SMilan Jurik # Check if proxy agent already exists. 50637c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}" 50647c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 50657c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists." 
50667c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 50677c478bd9Sstevel@tonic-gate return 0 50687c478bd9Sstevel@tonic-gate fi 50697c478bd9Sstevel@tonic-gate 50707c478bd9Sstevel@tonic-gate # Get cn and sn names from LDAP_PROXYAGENT. 50717c478bd9Sstevel@tonic-gate cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=` 50727c478bd9Sstevel@tonic-gate 50737c478bd9Sstevel@tonic-gate # Create the tmp file to add. 50747c478bd9Sstevel@tonic-gate ( cat <<EOF 50757c478bd9Sstevel@tonic-gatedn: ${LDAP_PROXYAGENT} 50767c478bd9Sstevel@tonic-gatecn: ${cn_tmp} 50777c478bd9Sstevel@tonic-gatesn: ${cn_tmp} 50787c478bd9Sstevel@tonic-gateobjectclass: top 50797c478bd9Sstevel@tonic-gateobjectclass: person 50807c478bd9Sstevel@tonic-gateuserpassword: ${LDAP_PROXYAGENT_CRED} 50817c478bd9Sstevel@tonic-gateEOF 50827c478bd9Sstevel@tonic-gate) > ${TMPDIR}/proxyagent 50837c478bd9Sstevel@tonic-gate 50847c478bd9Sstevel@tonic-gate # Add the entry. 50857c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}" 50867c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 50877c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Adding proxyagent failed!" 50887c478bd9Sstevel@tonic-gate cleanup 50897c478bd9Sstevel@tonic-gate exit 1 50907c478bd9Sstevel@tonic-gate fi 50917c478bd9Sstevel@tonic-gate 50927c478bd9Sstevel@tonic-gate # Display message that schema is updated. 50937c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added." 50947c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 50957c478bd9Sstevel@tonic-gate} 50967c478bd9Sstevel@tonic-gate 50977c478bd9Sstevel@tonic-gate# 50987c478bd9Sstevel@tonic-gate# allow_proxy_read_pw(): Give Proxy Agent read permission for password. 
50997c478bd9Sstevel@tonic-gate# 51007c478bd9Sstevel@tonic-gateallow_proxy_read_pw() 51017c478bd9Sstevel@tonic-gate{ 51027c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()" 51037c478bd9Sstevel@tonic-gate 51047c478bd9Sstevel@tonic-gate # Search for ACI_NAME 51057c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 51067c478bd9Sstevel@tonic-gate ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1 51077c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 51087c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}." 51097c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 51107c478bd9Sstevel@tonic-gate return 0 51117c478bd9Sstevel@tonic-gate fi 51127c478bd9Sstevel@tonic-gate 51137c478bd9Sstevel@tonic-gate # Create the tmp file to add. 51147c478bd9Sstevel@tonic-gate ( cat <<EOF 51157c478bd9Sstevel@tonic-gatedn: ${LDAP_BASEDN} 51167c478bd9Sstevel@tonic-gatechangetype: modify 51177c478bd9Sstevel@tonic-gateadd: aci 5118*b57459abSJulian Pullenaci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword") 5119*b57459abSJulian Pullen (version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) 5120*b57459abSJulian Pullen userdn = "ldap:///${LDAP_PROXYAGENT}";) 51217c478bd9Sstevel@tonic-gateEOF 51227c478bd9Sstevel@tonic-gate) > ${TMPDIR}/proxy_read 51237c478bd9Sstevel@tonic-gate 51247c478bd9Sstevel@tonic-gate # Add the entry. 51257c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}" 51267c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 51277c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!" 51287c478bd9Sstevel@tonic-gate cleanup 51297c478bd9Sstevel@tonic-gate exit 1 51307c478bd9Sstevel@tonic-gate fi 51317c478bd9Sstevel@tonic-gate 51327c478bd9Sstevel@tonic-gate # Display message that schema is updated. 
51337c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password." 51347c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 51357c478bd9Sstevel@tonic-gate} 51367c478bd9Sstevel@tonic-gate 5137*b57459abSJulian Pullen# Delete Proxy Agent read permission for password. 5138*b57459abSJulian Pullendelete_proxy_read_pw() 5139*b57459abSJulian Pullen{ 5140*b57459abSJulian Pullen [ $DEBUG -eq 1 ] && ${ECHO} "In delete_proxy_read_pw()" 5141*b57459abSJulian Pullen 5142*b57459abSJulian Pullen # Search for ACI_NAME 5143*b57459abSJulian Pullen eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1" 5144*b57459abSJulian Pullen ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci | \ 5145*b57459abSJulian Pullen ${SED} -e 's/aci=//' > ${TMPDIR}/grep_proxyread_aci 2>&1 5146*b57459abSJulian Pullen if [ $? -ne 0 ]; then 5147*b57459abSJulian Pullen ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 5148*b57459abSJulian Pullen return 0 5149*b57459abSJulian Pullen fi 5150*b57459abSJulian Pullen 5151*b57459abSJulian Pullen # We need to remove proxy agent's read access to user passwords, 5152*b57459abSJulian Pullen # but We do not know the value of the ${LDAP_PROXYAGENT} here, so 5153*b57459abSJulian Pullen # 1. if only one match found, delete it 5154*b57459abSJulian Pullen # 2. if more than one matches found, ask the user which one to delete 5155*b57459abSJulian Pullen HOWMANY=`${WC} -l ${TMPDIR}/grep_proxyread_aci | ${NAWK} '{print $1}'` 5156*b57459abSJulian Pullen if [ $HOWMANY -eq 0 ]; then 5157*b57459abSJulian Pullen ${ECHO} "Proxy ACI ${PROXY_ACI_NAME} does not exist for ${LDAP_BASEDN}." 
5158*b57459abSJulian Pullen return 0 5159*b57459abSJulian Pullen fi 5160*b57459abSJulian Pullen if [ $HOWMANY -eq 1 ];then 5161*b57459abSJulian Pullen proxy_aci=`${CAT} ${TMPDIR}/grep_proxyread_aci` 5162*b57459abSJulian Pullen else 5163*b57459abSJulian Pullen ${CAT} << EOF 5164*b57459abSJulian Pullen 5165*b57459abSJulian PullenProxy agent is not allowed to read user passwords when shadow 5166*b57459abSJulian Pullenupdate is enabled. There are more than one proxy agents found. 5167*b57459abSJulian PullenPlease select the currently proxy agent being used, so that 5168*b57459abSJulian Pullenidsconfig can remove its read access to user passwords. 5169*b57459abSJulian Pullen 5170*b57459abSJulian PullenThe proxy agents are: 5171*b57459abSJulian Pullen 5172*b57459abSJulian PullenEOF 5173*b57459abSJulian Pullen # generate the proxy agent list 5174*b57459abSJulian Pullen ${SED} -e "s/.*ldap:\/\/\/.*ldap:\/\/\///" \ 5175*b57459abSJulian Pullen ${TMPDIR}/grep_proxyread_aci | ${SED} -e "s/\";)//" > \ 5176*b57459abSJulian Pullen ${TMPDIR}/proxy_agent_list 5177*b57459abSJulian Pullen 5178*b57459abSJulian Pullen # print the proxy agent list 5179*b57459abSJulian Pullen ${NAWK} '{print NR ": " $0}' ${TMPDIR}/proxy_agent_list 5180*b57459abSJulian Pullen 5181*b57459abSJulian Pullen # ask the user to pick one 5182*b57459abSJulian Pullen _MENU_PROMPT="Select the proxy agent (1-$HOWMANY): " 5183*b57459abSJulian Pullen get_menu_choice "${_MENU_PROMPT}" "0" "$HOWMANY" 5184*b57459abSJulian Pullen _CH=$MN_CH 5185*b57459abSJulian Pullen proxy_aci=`${SED} -n "$_CH p" ${TMPDIR}/grep_proxyread_aci` 5186*b57459abSJulian Pullen fi 5187*b57459abSJulian Pullen 5188*b57459abSJulian Pullen # Create the tmp file to delete the ACI. 
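    ( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
delete: aci
aci: ${proxy_aci}
EOF
    ) > ${TMPDIR}/proxy_delete

    # Delete the ACI
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_delete ${VERB}"
    if [ $? -ne 0 ]; then
	${ECHO} " ERROR: Remove of ${PROXY_ACI_NAME} ACI failed!"
	cat ${TMPDIR}/proxy_delete
	cleanup
	exit 1
    fi

    # Display message that ACI is updated.
    MSG="Removed ${PROXY_ACI_NAME} ACI for proxyagent read permission for password."
    ${ECHO} " "
    ${ECHO} " ACI REMOVED: $MSG"
    ${ECHO} " The ACI removed is $proxy_aci"
    ${ECHO} " "
}

#
# add_profile(): Generate the Native LDAP client profile with
# "ldapclient genprofile" and load it onto the server as
# cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}.
#
# Globals read:	DEBUG, ECHO, EVAL, VERB, TMPDIR, LDAP_ARGS, LDAPSEARCH,
#		LDAPDELETE, LDAPMODIFY, DEL_OLD_PROFILE, SSD_FILE,
#		LDAP_PROFILE_NAME, LDAP_BASEDN and the optional LDAP_*
#		profile attributes listed below.
# Globals written: GEN_CMD (ssd_2_profile() appends to it), STEP.
#
# If a profile of that name already exists it is deleted first, but
# only when DEL_OLD_PROFILE is non-zero; otherwise that is an error.
# Every error path removes ${TMPDIR} via cleanup() and exits 1.
#
# NOTE(review): GEN_CMD is assembled as a string and run through eval,
# so a profile value containing a double quote, backquote or "$(" is
# interpreted by the shell instead of being passed to ldapclient
# verbatim.  The values come from the operator's input file or prompts,
# not from the directory, so treat this as a hardening point; it stays
# a string because ssd_2_profile() (defined elsewhere) appends to it.
#
add_profile()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"

    # A successful base-scope search means the profile entry exists.
    # Any other failure (bind/connection error) falls through and will
    # surface when the profile is added below.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
    if [ $? -eq 0 ]; then
	# Refuse to replace an existing profile unless explicitly allowed.
	# Unlike the other error exits this one used to leave ${TMPDIR}
	# behind; clean up here as well.
	if [ $DEL_OLD_PROFILE -eq 0 ]; then
	    ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
	    cleanup
	    exit 1
	fi

	# DN list for ldapdelete.
	( cat <<EOF
cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
EOF
	) > ${TMPDIR}/del_profile

	# Delete the OLD profile.
	${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
	if [ $? -ne 0 ]; then
	    ${ECHO} " ERROR: Attempt to DELETE profile failed!"
	    cleanup
	    exit 1
	fi
    fi

    # Build the "ldapclient genprofile" command string to execute.
    # profileName and defaultSearchBase are required.
    GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""
    GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""

    # Optional attributes: each is added only when its variable is set.
    # serviceAuthenticationMethod may appear more than once (one per
    # LDAP_SRV_AUTHMETHOD_* variable).
    [ -n "$LDAP_SERVER_LIST" ] && \
	GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
    [ -n "$LDAP_SEARCH_SCOPE" ] && \
	GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
    [ -n "$LDAP_CRED_LEVEL" ] && \
	GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
    [ -n "$LDAP_AUTHMETHOD" ] && \
	GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
    [ -n "$LDAP_FOLLOWREF" ] && \
	GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
    [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
	GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
    [ -n "$LDAP_PROFILE_TTL" ] && \
	GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
    [ -n "$LDAP_BIND_LIMIT" ] && \
	GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
    [ -n "$LDAP_PREF_SRVLIST" ] && \
	GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
    [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
    [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
    [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
	GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""

    # Append any service search descriptors to GEN_CMD.
    if [ -s "${SSD_FILE}" ]; then
	ssd_2_profile
    fi

    # Execute "ldapclient genprofile" to create the profile LDIF.
    # stderr is captured so it can be shown if the command fails,
    # instead of being discarded with the temp dir.
    eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
    if [ $? -ne 0 ]; then
	${ECHO} " ERROR: ldapclient genprofile failed!"
	cat ${TMPDIR}/gen_profile_ERR
	cleanup
	exit 1
    fi

    # Add the generated profile.
    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
    if [ $? -ne 0 ]; then
	${ECHO} " ERROR: Attempt to add profile failed!"
	cleanup
	exit 1
    fi

    # Report the completed step.  expr/backquotes are kept rather than
    # $(( )) because the script targets #!/bin/sh.
    ${ECHO} " ${STEP}. Generated client profile and loaded on server."
    STEP=`expr $STEP + 1`
}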
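#
# cleanup(): Remove the TMPDIR and all files in it.
#
# TMPDIR holds the LDIF and generated-profile files written by the
# setup steps, so it is removed on every exit path (success and error).
# "${TMPDIR:?}" aborts with a diagnostic instead of running rm against
# an empty path if TMPDIR was never initialised; quoting keeps a path
# containing whitespace intact.
#
cleanup()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"

    rm -fr -- "${TMPDIR:?}"
}


#
# * * * MAIN * * *
#
# Description:
#	This script assumes that the iPlanet Directory Server (iDS) is
#	installed and that setup has been run.  This script takes the
#	iDS server from that point and sets up the infrastructure for
#	LDAP Naming Services.  After running this script, ldapaddent(1M)
#	or some other tools can be used to populate data.
#
# The steps below run in order against the live server.  The helpers
# appear to call cleanup() and exit 1 themselves on failure (as
# add_profile() above does); only add_suffix's status is checked here.

# Initialize the variables that need to be set to NULL, or some
# other initial value before the rest of the functions can be called.
init

# Parse command line arguments.  parse_arg() reports through its exit
# status how many arguments it consumed; those are shifted off.  "$@"
# rather than $* keeps an argument containing whitespace (e.g. a file
# path given to -i/-o) as a single word.
parse_arg "$@"
shift $?

# Print extra line to separate from prompt.
${ECHO} " "

# Either load the user specified config file (-i) or prompt the user
# for the config info.
if [ -n "$INPUT_FILE" ]
then
    load_config_file
    INTERACTIVE=0		# Turns off prompts that occur later.
    validate_info		# Validate basic info in file.
    chk_ids_version		# Check iDS version for compatibility.
    gssapi_setup_auto
else
    # Display BACKUP warning to user; the default answer is "n" (abort).
    display_msg backup_server
    get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
    if [ $? -eq 0 ]; then	# if No, cleanup and exit.
	cleanup ; exit 1
    fi

    # Prompt for values.
    prompt_config_info
    display_summary		# Allow user to modify results.
    INTERACTIVE=1		# Insures future prompting.
fi

# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
modify_cn

# Modify timelimit to user value.
[ $NEED_TIME -eq 1 ] && modify_timelimit

# Modify sizelimit to user value.
[ $NEED_SIZE -eq 1 ] && modify_sizelimit

# Modify the password storage scheme to support CRYPT.
# NOTE(review): crypt is a weak hash by today's standards.  It is
# presumably selected (NEED_CRYPT) only for clients that fetch and
# compare password hashes themselves; confirm in modify_pwd_crypt()
# which scheme is set, and keep the password/shadow ACIs below tight.
if [ "$NEED_CRYPT" = "TRUE" ]; then
    modify_pwd_crypt
fi

# Update the schema (Attributes, Objectclass Definitions) if
# SCHEMA_UPDATED (set earlier) is still 0.
if [ ${SCHEMA_UPDATED} -eq 0 ]; then
    update_schema_attr
    update_schema_obj
fi

# Add suffix together with its root entry (if needed).
add_suffix ||
{
    cleanup
    exit 1
}

# Add base objects (if needed)
add_base_objects

# Update the NisDomainObject.
# The Base DN might have just been created, so this MUST happen after
# the base objects have been added!
set_nisdomain

# Add top level classes (new containers)
add_new_containers

# Add common nismaps.
add_auto_maps

# Modify top ACI.
modify_top_aci

# Add Access Control Information for VLV.
add_vlv_aci

# If Proxy needed, add the proxy agent and, unless shadow update is
# enabled (presumably covered by the admin/host ACIs below), give it
# read permission for the password attribute.
# NOTE(review): that ACI lets anyone holding the proxy agent credential
# read every user's password hash; treat that credential as a secret
# wherever clients store it.
if [ $NEED_PROXY -eq 1 ]; then
    add_proxyagent
    if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ]; then
	allow_proxy_read_pw
    fi
fi

# If admin needed for shadow update, add the administrator identity,
# give it read/write permission for shadow data, and deny all others
# read/write access to it.
if [ $NEED_ADMIN -eq 1 ]; then
    add_admin
    allow_admin_read_write_shadow
    # deny non-admin access to shadow data
    deny_non_admin_shadow_access
fi

# If the host principal is used for shadow update, give it read/write
# permission for shadow data, and deny all others' read/write access.
if [ $NEED_HOSTACL -eq 1 ]; then
    allow_host_read_write_shadow
    # deny non-host access to shadow data
    deny_non_host_shadow_access
fi

# Generate client profile and add it to the server.
add_profile

# Add Indexes to improve Search Performance.
add_eq_indexes
add_sub_indexes
add_vlv_indexes

# Display setup complete message
display_msg setup_complete

# Display VLV index commands to be executed on server.
display_vlv_cmds

# Create config file if requested (-o).
# NOTE(review): the output file records the setup answers; if those
# include bind credentials it needs the same protection as any
# credential file -- check create_config_file() for what it writes.
[ -n "$OUTPUT_FILE" ] && create_config_file

# Remove the TMPDIR and all files in it.
cleanup

exit 0
# end of MAIN.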