#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# idsconfig -- script to setup iDS 5.x/6.x for Native LDAP II.
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# display_msg(): Print the canned message selected by a tag.
#
# $1  message tag (usage, backup_server, *_menu, *_help, error tags ...)
#
# Every message is a here-document, so the shell variables named in the
# text ($PROG, $IDS_SERVER, $LDAP_*, ...) are expanded at the moment the
# message is printed; they are expected to have been set by the caller.
# A tag that is not listed below prints nothing (there is no default arm).
#
# The summary_menu arm is the only one with logic: it builds SUFFIX_INFO
# and DB_INFO (both globals, reset on every call) so that the suffix and
# database that the run is going to create appear under item 2.
#
display_msg()
{
	case "$1" in
	# ---- banners ----------------------------------------------------
	usage) cat <<EOF
	$PROG: [ -v ] [ -i input file ] [ -o output file ]
	   i <input file>	Get setup info from input file.
	   o <output file>	Generate a server configuration output file.
	   v			Verbose mode
EOF
	;;
	backup_server) cat <<EOF
It is strongly recommended that you BACKUP the directory server
before running $PROG.

Hit Ctrl-C at any time before the final confirmation to exit.

EOF
	;;
	setup_complete) cat <<EOF

$PROG: Setup of iDS server ${IDS_SERVER} is complete.

EOF
	;;
	display_vlv_list) cat <<EOF

Note: idsconfig has created entries for VLV indexes.

      For DS5.x, use the directoryserver(1m) script on ${IDS_SERVER}
      to stop the server. Then, using directoryserver, follow the
      directoryserver examples below to create the actual VLV indexes.

      For DS6.x, use dsadm command delivered with DS6.x on ${IDS_SERVER}
      to stop the server. Then, using dsadm, follow the
      dsadm examples below to create the actual VLV indexes.

EOF
	;;
	# ---- menus ------------------------------------------------------
	cred_level_menu) cat <<EOF
The following are the supported credential levels:
    1  anonymous
    2  proxy
    3  proxy anonymous
    4  self
    5  self proxy
    6  self proxy anonymous
EOF
	;;
	auth_method_menu) cat <<EOF
The following are the supported Authentication Methods:
    1  none
    2  simple
    3  sasl/DIGEST-MD5
    4  tls:simple
    5  tls:sasl/DIGEST-MD5
    6  sasl/GSSAPI
EOF
	;;
	srvauth_method_menu) cat <<EOF
The following are the supported Authentication Methods:
    1  simple
    2  sasl/DIGEST-MD5
    3  tls:simple
    4  tls:sasl/DIGEST-MD5
    5  sasl/GSSAPI
EOF
	;;
	prompt_ssd_menu) cat <<EOF
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
EOF
	;;
	summary_menu)
		SUFFIX_INFO=
		DB_INFO=
		# The suffix line is shown only when a suffix will be created,
		# and the database line only when, in addition, a backend will
		# be created; each is a leading newline plus one summary row.
		if [ -n "${NEED_CREATE_SUFFIX}" ]; then
			SUFFIX_INFO=`cat <<EOF

     Suffix to create              : $LDAP_SUFFIX
EOF
`
			if [ -n "${NEED_CREATE_BACKEND}" ]; then
				DB_INFO=`cat <<EOF

     Database to create            : $IDS_DATABASE
EOF
`
			fi
		fi

		cat <<EOF
              Summary of Configuration

  1  Domain to serve               : $LDAP_DOMAIN
  2  Base DN to setup              : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO
  3  Profile name to create        : $LDAP_PROFILE_NAME
  4  Default Server List           : $LDAP_SERVER_LIST
  5  Preferred Server List         : $LDAP_PREF_SRVLIST
  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
  7  Credential Level              : $LDAP_CRED_LEVEL
  8  Authentication Method         : $LDAP_AUTHMETHOD
  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
 10  iDS Time Limit                : $IDS_TIMELIMIT
 11  iDS Size Limit                : $IDS_SIZELIMIT
 12  Enable crypt password storage : $NEED_CRYPT
 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
 17  Profile Time to Live          : $LDAP_PROFILE_TTL
 18  Bind Limit                    : $LDAP_BIND_LIMIT
 19  Enable shadow update          : $LDAP_ENABLE_SHADOW_UPDATE
 20  Service Search Descriptors Menu

EOF
	;;
	# ---- error reports ----------------------------------------------
	sfx_not_suitable) cat <<EOF

Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN}

EOF
	;;
	obj_not_found) cat <<EOF

Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute

EOF
	;;
	sfx_config_incons) cat <<EOF

Sorry, there is no suffix mapping for ${LDAP_SUFFIX},
while ldbm database exists, server configuration needs to be fixed manually,
look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config

EOF
	;;
	ldbm_db_exist) cat <<EOF

Database "${IDS_DATABASE}" already exists,
however "${IDS_DATABASE_AVAIL}" name is available

EOF
	;;
	unable_find_db_name) cat <<EOF

Unable to find any available database name close to "${IDS_DATABASE}"

EOF
	;;
	create_ldbm_db_error) cat <<EOF

ERROR: unable to create suffix ${LDAP_SUFFIX}
       due to server error that occurred during creation of ldbm database

EOF
	;;
	create_suffix_entry_error) cat <<EOF

ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class

EOF
	;;
	ldap_suffix_list) cat <<EOF

No valid suffixes (naming contexts) were found for LDAP base DN:
${LDAP_BASEDN}

Available suffixes are:
${LDAP_SUFFIX_LIST}

EOF
	;;
	# ---- help texts (the fallback for a prompt with no help tag) -----
	sorry) cat <<EOF

HELP - No help is available for this topic.

EOF
	;;
	create_suffix_help) cat <<EOF

HELP - Our Base DN is ${LDAP_BASEDN}
       and we need to create a Directory Suffix,
       which can be equal to Base DN itself or be any of Base DN parents.
       All intermediate entries up to suffix will be created on demand.

EOF
	;;
	enter_ldbm_db_help) cat <<EOF

HELP - ldbm database is an internal database for storage of our suffix data.
       Database name must be alphanumeric due to Directory Server restriction.

EOF
	;;
	backup_help) cat <<EOF

HELP - Since idsconfig modifies the directory server configuration,
       it is strongly recommended that you backup the server prior
       to running this utility. This is especially true if the server
       being configured is a production server.

EOF
	;;
	port_help) cat <<EOF

HELP - Enter the port number the directory server is configured to
       use for LDAP.

EOF
	;;
	domain_help) cat <<EOF

HELP - This is the DNS domain name this server will be serving. You
       must provide this name even if the server is not going to be populated
       with hostnames. Any unqualified hostname stored in the directory
       will be fully qualified using this DNS domain name.

EOF
	;;
	basedn_help) cat <<EOF

HELP - This parameter defines the default location in the directory tree for
       the naming services entries. You can override this default by using
       serviceSearchDescriptors (SSD). You will be given the option to set up
       an SSD later on in the setup.

EOF
	;;
	profile_help) cat <<EOF

HELP - Name of the configuration profile with which the clients will be
       configured. A directory server can store various profiles for multiple
       groups of clients. The initialization tool, (ldapclient(1M)), assumes
       "default" unless another is specified.

EOF
	;;
	def_srvlist_help) cat <<EOF

HELP - Provide a list of directory servers to serve clients using this profile.
       All these servers should contain consistent data and provide similar
       functionality. This list is not ordered, and clients might change the
       order given in this list. Note that this is a space separated list of
       *IP addresses* (not host names). Providing port numbers is optional.

EOF
	;;
	pref_srvlist_help) cat <<EOF

HELP - Provide a list of directory servers to serve this client profile.
       Unlike the default server list, which is not ordered, the preferred
       servers must be entered IN THE ORDER you wish to have them contacted.
       If you do specify a preferred server list, clients will always contact
       them before attempting to contact any of the servers on the default
       server list. Note that you must enter the preferred server list as a
       space-separated list of *IP addresses* (not host names). Providing port
       numbers is optional.

EOF
	;;
	srch_scope_help) cat <<EOF

HELP - Default search scope to be used for all searches unless they are
       overwritten using serviceSearchDescriptors. The valid options
       are "one", which would specify the search will only be performed
       at the base DN for the given service, or "sub", which would specify
       the search will be performed through *all* levels below the base DN
       for the given service.

EOF
	;;
	cred_lvl_help) cat <<EOF

HELP - This parameter defines what credentials the clients use to
       authenticate to the directory server. This list might contain
       multiple credential levels and is ordered. If a proxy level
       is configured, you will also be prompted to enter a bind DN
       for the proxy agent along with a password. This proxy agent
       will be created if it does not exist.

EOF
	;;
	auth_help) cat <<EOF

HELP - The default authentication method(s) to be used by all services
       in the client using this profile. This is a ordered list of
       authentication methods separated by a ';'. The supported methods
       are provided in a menu. Note that sasl/DIGEST-MD5 binds require
       passwords to be stored un-encrypted on the server.

EOF
	;;
	srvauth_help) cat <<EOF

HELP - The authentication methods to be used by a given service. Currently
       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
       The authentication method specified in this attribute overrides
       the default authentication method defined in the profile. This
       feature can be used to select stronger authentication methods for
       services which require increased security.

EOF
	;;
	pam_ldap_help) cat <<EOF

HELP - The authentication method(s) to be used by pam_ldap when contacting
       the directory server. This is a ordered list, and, if provided, will
       override the default authentication method parameter.

EOF
	;;
	keyserv_help) cat <<EOF

HELP - The authentication method(s) to be used by newkey(1M) and chkey(1)
       when contacting the directory server. This is a ordered list and
       if provided will override the default authentication method
       parameter.

EOF
	;;
	passwd-cmd_help) cat <<EOF

HELP - The authentication method(s) to be used by passwd(1) command when
       contacting the directory server. This is a ordered list and if
       provided will override the default authentication method parameter.

EOF
	;;
	referrals_help) cat <<EOF

HELP - This parameter indicates whether the client should follow
       ldap referrals if it encounters one during naming lookups.

EOF
	;;
	tlim_help) cat <<EOF

HELP - The server time limit value indicates the maximum amount of time the
       server would spend on a query from the client before abandoning it.
       A value of '-1' indicates no limit.

EOF
	;;
	slim_help) cat <<EOF

HELP - The server sizelimit value indicates the maximum number of entries
       the server would return in respond to a query from the client. A
       value of '-1' indicates no limit.

EOF
	;;
	crypt_help) cat <<EOF

HELP - By default iDS does not store userPassword attribute values using
       unix "crypt" format. If you need to keep your passwords in the crypt
       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'. If
       passwords are stored using any other format than crypt, pam_ldap
       MUST be used by clients to authenticate users to the system. Note
       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
       user passwords must be stored in the clear format.

EOF
	;;
	srchtime_help) cat <<EOF

HELP - The search time limit the client will enforce for directory
       lookups.

EOF
	;;
	profttl_help) cat <<EOF

HELP - The time to live value for profile. The client will refresh its
       cached version of the configuration profile at this TTL interval.

EOF
	;;
	bindlim_help) cat <<EOF

HELP - The time limit for the bind operation to the directory. This
       value controls the responsiveness of the client in case a server
       becomes unavailable. The smallest timeout value for a given
       network architecture/conditions would work best. This is very
       similar to setting TCP timeout, but only for LDAP bind operation.

EOF
	;;
	ssd_help) cat <<EOF

HELP - Using Service Search Descriptors (SSD), you can override the
       default configuration for a given service. The SSD can be
       used to override the default search base DN, the default search
       scope, and the default search filter to be used for directory
       lookups. SSD are supported for all services (databases)
       defined in nsswitch.conf(4). The default base DN is defined
       in ldap(1).

       Note: SSD are powerful tools in defining configuration profiles
             and provide a great deal of flexibility. However, care
             must be taken in creating them. If you decide to make use
             of SSDs, consult the documentation first.

EOF
	;;
	ssd_menu_help) cat <<EOF

HELP - Using this menu SSD can be added, updated, or deleted from
       the profile.

       A - This option creates a new SSD by prompting for the
           service name, base DN, and scope. Service name is
           any valid service as defined in ldap(1). base is
           either the distinguished name to the container where
           this service will use, or a relative DN followed
           by a ','.
       D - Delete a previously created SSD.
       M - Modify a previously created SSD.
       P - Display a list of all the previously created SSD.
       X - Delete all of the previously created SSD.

       Q - Exit the menu and continue with the server configuration.

EOF
	;;
	ldap_suffix_list_help) cat <<EOF

HELP - No valid suffixes (naming contexts) are available on server
       ${IDS_SERVER}:${IDS_PORT}.
       You must set an LDAP Base DN that can be contained in
       an existing suffix.

EOF
	;;
	enable_shadow_update_help) cat <<EOF

HELP - Enter 'y' to set up the LDAP server for shadow update.
       The setup will add an administrator identity/credential
       and modify the necessary access controls for the client
       to update shadow(4) data on the LDAP server. If sasl/GSSAPI
       is in use, the Kerberos host principal will be used as the
       administrator identity.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(4) manual page for details.

EOF
	;;
	add_admin_cred_help) cat <<EOF

HELP - Start the setup to add an administrator identity/credential
       and to modify access controls for the client to update
       shadow(4) data on the LDAP server.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(4) manual page for details.

EOF
	;;
	use_host_principal_help) cat <<EOF

HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self'
       credential level is detected, enter 'y' to modify the necessary
       access controls for allowing the client to update shadow(4) data
       on the LDAP server.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(4) manual page for details.

EOF
	;;
	esac
}


#
# get_ans(): Prompt the user and read one line of input into ANS.
#
# $1  prompt text
# $2  default value; shown in brackets after the prompt and stored in
#     ANS when the user just presses Return (or input is at EOF)
#
# ECHO is set elsewhere in the script (not visible here); the trailing
# "\c" in the prompt is the echo(1) escape that suppresses the newline.
# Note that read is used without -r, so a backslash typed by the user
# is interpreted by the shell rather than stored literally.
#
get_ans()
{
	case "$2" in
	"") ${ECHO} "$1 \c" ;;
	*)  ${ECHO} "$1 [$2] \c" ;;
	esac

	read ANS
	# Empty reply (or EOF) falls back to the default.
	ANS=${ANS:-$2}
}


#
# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
# $@ instruction/comment/description/question
#
# Re-prompts via get_ans until ANS is non-empty; the result is left in
# the global ANS.
#
get_ans_req()
{
	ANS=""
	until [ -n "$ANS" ]
	do
		get_ans "$@"
		if [ -z "$ANS" ]; then
			${ECHO} "NULL value not allowed!"
		fi
	done
}


#
# get_number(): Prompt for a value and re-prompt until it is numeric.
#
# $1  Message text.
# $2  default value.
# $3  Help tag passed to display_msg when the user types h/help/?;
#     defaults to "sorry" (the "no help available" text).
#
# On return both ANS and NUM hold the accepted value. The numeric check
# itself is not_numeric, defined elsewhere in the script; the value is
# passed to it unquoted, as the rest of the script does.
#
get_number()
{
	ANS=""
	NUM=

	get_ans "$1" "$2"

	# Keep asking until not_numeric is satisfied.
	while not_numeric $ANS
	do
		case "$ANS" in
		[Hh] | help | Help | \?)
			display_msg ${3:-sorry}
			;;
		*)
			${ECHO} "Invalid value: \"${ANS}\". \c"
			;;
		esac
		get_ans "Enter a numeric value:" "$2"
	done
	NUM=$ANS
}


#
# get_negone_num(): Prompt for a number that is either -1 or non-negative.
#		Used for values where -1 has special meaning (no limit).
#
# $1 - Prompt message.
# $2 - Default value (require).
# $3 - Optional help argument (forwarded to get_number).
#
# Leaves the accepted value in ANS (and NUM, via get_number). is_negative
# is defined elsewhere in the script.
#
get_negone_num()
{
	while :
	do
		get_number "$1" "$2" "$3"
		# Non-negative values are accepted as they are.
		is_negative $ANS || break
		# -1 is the only negative value with a meaning here.
		[ "$ANS" = "-1" ] && break
		${ECHO} "Invalid number: please enter -1 or positive number."
	done
}


#
# get_passwd(): Reads a password from the user and verify with second.
# $@ .. prompt text, passed straight through to get_ans().
#
# Globals written: ANS (holds the confirmed password when the function
#                  returns -- the caller reads it from there),
#                  _PASS1/_PASS2 (scratch copies; Bourne sh has no local
#                  variables, so both stay set after return).
# Side effects:    terminal echo is switched off for the whole dialogue
#                  and switched back on afterwards.  If the user interrupts
#                  while echo is off, it is restored only by the signal trap
#                  that init() installs, not by this function.
# Returns:         0 (the status of the final echo); the loop does not end
#                  until both entries match.
#
# NOTE(review): get_ans() is defined outside this section; presumably it
# reads one line into ANS -- the empty-string checks below rely on that.
#
get_passwd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"

    # Temporary PASSWD variables
    _PASS1=""
    _PASS2=""

    /usr/bin/stty -echo    # Turn echo OFF

    # Endless loop that continues until passwd and re-entered passwd
    # match.
    while :
    do
        ANS=""     # Set ANS to NULL.

        # Don't allow NULL for first try.
        while [ "$ANS" = "" ]
        do
            get_ans "$@"
            [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
        done
        _PASS1=$ANS     # Store first try.

        # Get second try.  An empty re-entry is allowed here; it simply
        # fails the comparison below and the dialogue starts over.
        ${ECHO} ""
        get_ans "Re-enter passwd:"
        _PASS2=$ANS

        # Test if passwords are identical.
        if [ "$_PASS1" = "$_PASS2" ]; then
            break
        fi

        # Move cursor down to next line and print ERROR message.
        ${ECHO} ""
        ${ECHO} "ERROR: passwords don't match; try again."
    done

    /usr/bin/stty echo     # Turn echo ON

    ${ECHO} ""
}


#
# get_passwd_nochk(): Reads a password from the user w/o check.
# $@ instruction/comment/description/question
#
# Single entry: no confirmation prompt and no rejection of an empty
# answer.  The result is left in ANS.  Echo is turned off around the
# read and back on afterwards; as in get_passwd(), an interrupt in
# between is covered only by the trap set up in init().  Used later in
# this file to read an existing password (get_dirmgr_pw()).
#
get_passwd_nochk()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"

    /usr/bin/stty -echo    # Turn echo OFF

    get_ans "$@"

    /usr/bin/stty echo     # Turn echo ON

    ${ECHO} ""
}


#
# get_menu_choice(): Get a menu choice from user.  Continue prompting
#                    till the choice is in required range.
# $1 .. Message text.
# $2 .. min value
# $3 .. max value
# $4 .. OPTIONAL: default value
#
# Return value:
#   MN_CH will contain the value selected: a non-negative integer with
#   $2 <= MN_CH <= $3.  Returns 1 without prompting when fewer than three
#   arguments are given; otherwise returns 0 once a valid choice is made.
#
# NOTE(review): is_negative() answers 1 ("positive") when called with no
# argument, so an empty answer reaches the -ge test below with a missing
# operand: test(1) complains on stderr, the branch is not taken and the
# loop re-prompts.  Harmless, but noisy.
#
get_menu_choice()
{
    # Check for req parameter.
    if [ $# -lt 3 ]; then
        ${ECHO} "get_menu_choice(): Did not get required parameters."
        return 1
    fi

    while :
    do
        get_ans "$1" "$4"
        MN_CH=$ANS
        # Status 1 from is_negative() means "numeric and not negative".
        is_negative $MN_CH
        if [ $? -eq 1 ]; then
            if [ $MN_CH -ge $2 ]; then
                if [ $MN_CH -le $3 ]; then
                    return
                fi
            fi
        fi
        ${ECHO} "Invalid choice: $MN_CH"
    done
}


#
# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
# $1 - Message
# $2 - default value, used when the user just presses return.  Required:
#      an empty $2 is treated as a programming error (exit 2).
# $3 - OPTIONAL: display_msg tag shown for h/help/?; "sorry" when absent.
#
# Returns 1 for yes and 0 for no -- the reverse of the usual shell
# convention, so callers must compare the status explicitly rather than
# write "if get_confirm ...".  Any other answer re-prompts.
#
# NOTE(review): read is used without -r, so a backslash in the answer is
# consumed as an escape; for a y/n answer this is of no consequence.
#
get_confirm()
{
    _ANSWER=

    while :
    do
        # Display Internal ERROR if $2 not set.
        if [ -z "$2" ]
        then
            ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
            exit 2
        fi

        # Display prompt.
        ${ECHO} "$1 [$2] \c"

        # Get the ANSWER.
        read _ANSWER
        if [ "$_ANSWER" = "" ] && [ -n "$2" ] ; then
            _ANSWER=$2
        fi
        case "$_ANSWER" in
            [Yy] | yes | Yes | YES) return 1 ;;
            [Nn] | no | No | NO) return 0 ;;
            [Hh] | help | Help | \?) display_msg ${3:-sorry};;
            * ) ${ECHO} "Please enter y or n." ;;
        esac
    done
}


#
# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
#                      No default value supported.
# $@ - prompt text (printed as one line, cursor left after it).
#
# Same return convention as get_confirm(): 1 = yes, 0 = no.  There is
# no help arm here; an empty or unrecognised answer re-prompts.
#
get_confirm_nodef()
{
    _ANSWER=

    while :
    do
        ${ECHO} "$@ \c"
        read _ANSWER
        case "$_ANSWER" in
            [Yy] | yes | Yes | YES) return 1 ;;
            [Nn] | no | No | NO) return 0 ;;
            * ) ${ECHO} "Please enter y or n." ;;
        esac
    done
}


#
# is_numeric(): Tells is a string is numeric.
#   0 = Numeric
#   1 = NOT Numeric
#
# The test is expr's own parse: "expr STR + 1" exits 0 or 1 for an
# integer result (1 when the result is zero, e.g. for "-1") and 2 or
# more for a non-integer operand or a syntax error, so only a status of
# 2 or more means "not numeric".  A leading sign is accepted; exactly
# which other forms expr tolerates is up to expr(1).  A missing argument
# is reported as not numeric.
#
is_numeric()
{
    # Check for parameter.
    if [ $# -ne 1 ]; then
        return 1
    fi

    # Determine if numeric.
    expr "$1" + 1 > /dev/null 2>&1
    if [ $? -ge 2 ]; then
        return 1
    fi

    # Made it here, it's Numeric.
    return 0
}


#
# not_numeric(): Reverses the return values of is_numeric.  Useful
#                for if and while statements that want to test for
#                non-numeric data.
#   0 = NOT Numeric
#   1 = Numeric
#
# $1 is passed on unquoted, so an empty argument becomes "no argument"
# and is reported as not numeric (status 0).
#
not_numeric()
{
    is_numeric $1
    if [ $? -eq 0 ]; then
        return 1
    else
        return 0
    fi
}


#
# is_negative(): Tells is a Numeric value is less than zero.
#   0 = Negative Numeric
#   1 = Positive Numeric
#   2 = NOT Numeric
#
# "Negative" means the string starts with '-', so "-0" counts as negative
# (the reason expr is not used for the sign test).  Callers compare the
# status with -eq rather than using the function as a boolean.
#
# NOTE(review): called with no argument (an unquoted empty variable) the
# function returns 1, "positive", instead of 2; get_menu_choice() is the
# caller that reaches this path.
#
is_negative()
{
    # Check for parameter.
    if [ $# -ne 1 ]; then
        return 1
    fi

    # Determine if numeric.  Can't use expr because -0 is
    # considered positive??
    if is_numeric $1; then
        case "$1" in
            -*) return 0 ;;    # Negative Numeric
            *) return 1 ;;     # Positive Numeric
        esac
    else
        return 2
    fi
}


#
# check_domainname(): check validity of a domain name.  Currently we check
# that it has at least two components.
#   $1  the domain name to be checked
#
# Returns 0 when $1 is empty or begins with <label>.<label> (expr's ':'
# operator anchors at the start and prints the matched length, so 0 means
# no match); returns 1 otherwise.  No character-set check is made and an
# empty name is accepted -- the caller decides what to do with it.
#
check_domainname()
{
    if [ ! -z "$1" ]
    then
        t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
        if [ "$t" = 0 ]
        then
            return 1
        fi
    fi
    return 0
}


#
# check_baseDN(): check validity of the baseDN name.
#   $1  the baseDN name to be checked
#
# NOTE: The check_baseDN function does not catch all invalid DN's.
#       Its purpose is to reduce the number of invalid DN's to
#       get past the input routine.  The invalid DN's will be
#       caught by the LDAP server when they are attempted to be
#       created.
#
# What is checked: the DN contains at least one '=', and for every
# comma-separated piece the text before its first '=' passes
# check_attrName(), which is defined elsewhere in this file.  Attribute
# values are not inspected at all, and an empty DN is accepted.
# Returns 0 when accepted, 1 otherwise.  The working copy is kept in the
# global ck_DN and is consumed by the loop.
#
# NOTE(review): ck_DN is echoed unquoted inside the loop, so a DN
# containing shell glob characters would be expanded against the current
# directory before cut sees it.  With a DN typed by the administrator
# that is a curiosity rather than an exposure, but quoting it would be
# cheap.
#
check_baseDN()
{
    ck_DN=$1
    ${ECHO} " Checking LDAP Base DN ..."
    if [ ! -z "$ck_DN" ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
        # Check for = (assignment operator)
        ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
        if [ $? -ne 0 ]; then
            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
            return 1
        fi

        # Check all keys.
        while :
        do
            # Get first key.
            dkey=`${ECHO} $ck_DN | cut -d'=' -f1`

            # Check that the key string is valid
            check_attrName $dkey
            if [ $? -ne 0 ]; then
                [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
                return 1
            fi

            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"

            # Remove first key from DN.  cut -s prints nothing when no
            # comma is left, which ends the loop below.
            ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`

            # Break loop if nothing left.
            if [ "$ck_DN" = "" ]; then
                break
            fi
        done
    fi
    return 0
}


#
# domain_2_dc(): Convert a domain name into dc string.
# $1 .. Domain name.
#
# The result is left in the exported global _DOM_2_DC, e.g.
# "east.example.com" -> "dc=east,dc=example,dc=com".  Each label is
# dropped into the DN verbatim: nothing is escaped, so a label holding a
# ',' or '=' would change the DN's structure.  Callers are expected to
# have validated the name already (check_domainname() only checks for
# two components).  Empty labels (doubled dots) vanish because the for
# loop word-splits on the spaces tr produced.
#
domain_2_dc()
{
    _DOM=$1             # Domain parameter.
    _DOM_2_DC=""        # Return value from function.
    _FIRST=1            # Flag for first time.

    export _DOM_2_DC    # Make visible for others.

    # Convert "."'s to spaces for "for" loop.
    domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
    for i in $domtmp; do
        if [ $_FIRST -eq 1 ]; then
            _DOM_2_DC="dc=${i}"
            _FIRST=0
        else
            _DOM_2_DC="${_DOM_2_DC},dc=${i}"
        fi
    done
}


#
# is_root_user(): Check to see if logged in as root user.
#
# Returns 0 only when id(1) prints "uid=0(root)", i.e. it matches on the
# numeric uid and the literal account name "root" together; a uid-0
# account under another name is not recognised.
#
# NOTE(review): the uid field id prints first is the real uid; whether a
# session that is root only by effective uid passes depends on id's
# output format -- confirm if that matters for the intended callers.
#
is_root_user()
{
    case `id` in
        uid=0\(root\)*) return 0 ;;
        * ) return 1 ;;
    esac
}


#
# parse_arg(): Parses the command line arguments and sets the
#              appropriate variables.
#
# Options: -d turns DEBUG on; -v clears VERB so command output is no
# longer redirected to /dev/null; -i FILE sets INPUT_FILE; -o FILE sets
# OUTPUT_FILE.  An unknown option prints the usage text and exits 1.
# Returns the number of arguments consumed so the caller can shift them
# off.
#
# NOTE(review): "h" is accepted by the getopts string but has no case
# arm, so "-h" falls through to the "*" arm, prints "Supported option
# missing handler!" plus the usage text and exits 1.  Also, the -i file
# is executed as shell code when it is loaded (load_config_file()), so
# it must come from a trusted, root-owned location.
#
parse_arg()
{
    while getopts "dvhi:o:" ARG
    do
        case $ARG in
            d) DEBUG=1;;
            v) VERB="";;
            i) INPUT_FILE=$OPTARG;;
            o) OUTPUT_FILE=$OPTARG;;
            \?) display_msg usage
                exit 1;;
            *) ${ECHO} "**ERROR: Supported option missing handler!"
               display_msg usage
               exit 1;;
        esac
    done
    return `expr $OPTIND - 1`
}


#
# init(): initializes variables and options
#
# Sets every global the rest of the script relies on: tool paths and
# defaults, the default domain (taken from resolv.conf, else from
# domainname), the LDAP profile defaults, the private temporary
# directory, and the exports.  Presumably runs before parse_arg(), since
# it resets DEBUG, VERB, INPUT_FILE and OUTPUT_FILE to their defaults --
# the call site is not in this section.
#
# Security-relevant points:
#   * umask 077 is set here, so every file the script creates afterwards
#     (the password file, inputfile.noSSD, ssd_list) is owner-only.
#   * TMPDIR is the predictable /tmp/idsconfig.<pid>, but it is created
#     with "mkdir -m 700" and the script exits if that fails, so an entry
#     planted there by another user can only make the run abort; it is
#     never reused (mkdir does not follow symlinks).
#   * The trap removes TMPDIR and restores terminal echo on HUP, INT,
#     QUIT, ABRT and TERM (1 2 3 6 15) only.  Clean-up on a normal exit
#     is not visible in this section -- TODO confirm the rootPWD file is
#     removed on every path.
#   * LDAP_ROOTPWD is exported, so the clear-text directory-manager
#     password is present in the environment of every child process the
#     script starts.  The password is also written to LDAP_ROOTPWF so the
#     ldap* commands can read it with -j instead of taking it on the
#     command line.
#   * VERB holds a redirection string that other functions splice into
#     command lines with eval; -v empties it.
#
init()
{
    # General variables.
    PROG=`basename $0`    # Program name
    PID=$$                # Program ID
    VERB='> /dev/null 2>&1'    # NULL or "> /dev/null"
    ECHO="/bin/echo"      # print message on screen
    EVAL="eval"           # eval or echo
    EGREP="/usr/bin/egrep"
    GREP="/usr/bin/grep"
    DEBUG=0               # Set Debug OFF
    BACKUP=no_ldap        # backup suffix
    HOST=""               # NULL or <hostname>
    NAWK="/usr/bin/nawk"
    RM="/usr/bin/rm"

    DOM=""                # Set to NULL
    # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
    # Takes the second field of the last "domain" or "search" line, i.e.
    # the first search domain when a search list is configured.
    if [ -f /etc/resolv.conf ]; then
        DOM=`/usr/xpg4/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
            | awk '{ print $2 }' | tail -1`
    fi

    # If for any reason the DOM did not get set (error'd resolv.conf) set
    # DOM to the domainname command's output.
    if [ "$DOM" = "" ]; then
        DOM=`domainname`    # domain from domainname command.
    fi

    STEP=1
    INTERACTIVE=1         # 0 = on, 1 = off (For input file mode)
    DEL_OLD_PROFILE=0     # 0 (default), 1 = delete old profile.

    # idsconfig specific variables.
    INPUT_FILE=""
    OUTPUT_FILE=""
    LDAP_ENABLE_SHADOW_UPDATE="FALSE"
    NEED_PROXY=0          # 0 = No Proxy, 1 = Create Proxy.
    NEED_ADMIN=0          # 0 = No Admin, 1 = Create Admin.
    NEED_HOSTACL=0        # 0 = No Host ACL, 1 = Create Host ACL.
    EXISTING_PROFILE=0
    LDAP_PROXYAGENT=""
    LDAP_ADMINDN=""
    LDAP_SUFFIX=""
    LDAP_DOMAIN=$DOM      # domainname on Server (default value)
    GEN_CMD=""

    # LDAP COMMANDS
    LDAPSEARCH="/bin/ldapsearch -r"
    LDAPMODIFY=/bin/ldapmodify
    LDAPADD=/bin/ldapadd
    LDAPDELETE=/bin/ldapdelete
    LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile

    # iDS specific information
    IDS_SERVER=""
    IDS_PORT=389          # Plain LDAP port; no TLS option is set up here.
    NEED_TIME=0
    NEED_SIZE=0
    NEED_SRVAUTH_PAM=0
    NEED_SRVAUTH_KEY=0
    NEED_SRVAUTH_CMD=0
    IDS_TIMELIMIT=""
    IDS_SIZELIMIT=""

    # LDAP PROFILE related defaults
    LDAP_ROOTDN="cn=Directory Manager"    # Provide common default.
    LDAP_ROOTPWD=""       # NULL passwd as default (i.e. invalid)
    LDAP_PROFILE_NAME="default"
    LDAP_BASEDN=""
    LDAP_SERVER_LIST=""
    LDAP_AUTHMETHOD=""
    LDAP_FOLLOWREF="FALSE"
    NEED_CRYPT=""
    LDAP_SEARCH_SCOPE="one"
    LDAP_SRV_AUTHMETHOD_PAM=""
    LDAP_SRV_AUTHMETHOD_KEY=""
    LDAP_SRV_AUTHMETHOD_CMD=""
    LDAP_SEARCH_TIME_LIMIT=30
    LDAP_PREF_SRVLIST=""
    LDAP_PROFILE_TTL=43200
    LDAP_CRED_LEVEL="proxy"
    LDAP_BIND_LIMIT=10

    # Prevent new files from being read by group or others.
    umask 077

    # Service Search Descriptors
    LDAP_SERV_SRCH_DES=""

    # Set and create TMPDIR.  mkdir fails if the path already exists, so
    # a pre-planted file, directory or symlink is never reused.
    TMPDIR="/tmp/idsconfig.${PID}"
    if mkdir -m 700 ${TMPDIR}
    then
        # Cleanup on exit.  Signals only (see header); ${TMPDIR} is
        # expanded when the trap fires, not here.
        trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
    else
        echo "ERROR: unable to create a safe temporary directory."
        exit 1
    fi
    # Clear-text password file, created later by save_password() under
    # the 077 umask set above.
    LDAP_ROOTPWF=${TMPDIR}/rootPWD

    # Set the SSD file name after setting TMPDIR.
    SSD_FILE=${TMPDIR}/ssd_list

    # GSSAPI setup
    LDAP_KRB_REALM=""
    LDAP_GSSAPI_PROFILE=""
    SCHEMA_UPDATED=0

    export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
    export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
    export LDAP_BASEDN LDAP_ROOTPWF
    export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
    export NEED_PROXY
    export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
    export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
    export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
    export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
    export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
    export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
    export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
    export LDAP_SERV_SRCH_DES SSD_FILE
    export GEN_CMD LDAP_KRB_REALM LDAP_GSSAPI_PROFILE SCHEMA_UPDATED
}


#
# disp_full_debug(): List of all debug variables usually interested in.
#                    Grouped to avoid MASSIVE code duplication.
#
# Prints nothing unless DEBUG is 1; one guard wraps the whole listing so
# the test is made once instead of once per line.
#
# Globals read: DEBUG, ECHO and the IDS_* / LDAP_* / NEED_* variables
#               named below.
# Outputs:      one " NAME = value" line per variable on stdout.  The
#               proxy-agent DN and credential appear only when NEED_PROXY
#               is 1, the admin DN and credential only when NEED_ADMIN is 1.
# Returns:      0 after printing; 1 when DEBUG is off.
#
# NOTE(review): LDAP_ROOTPWD, LDAP_PROXYAGENT_CRED and LDAP_ADMIN_CRED are
# shown in clear text here, so -d output must not be captured into logs
# or pasted into tickets.
#
disp_full_debug()
{
    [ $DEBUG -eq 1 ] && {
        ${ECHO} " IDS_SERVER = $IDS_SERVER"
        ${ECHO} " IDS_PORT = $IDS_PORT"
        ${ECHO} " LDAP_ROOTDN = $LDAP_ROOTDN"
        ${ECHO} " LDAP_ROOTPWD = $LDAP_ROOTPWD"
        ${ECHO} " LDAP_DOMAIN = $LDAP_DOMAIN"
        ${ECHO} " LDAP_SUFFIX = $LDAP_SUFFIX"
        ${ECHO} " LDAP_BASEDN = $LDAP_BASEDN"
        ${ECHO} " LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
        ${ECHO} " LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
        ${ECHO} " LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
        ${ECHO} " LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
        ${ECHO} " LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
        ${ECHO} " LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
        ${ECHO} " LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
        ${ECHO} " IDS_TIMELIMIT = $IDS_TIMELIMIT"
        ${ECHO} " IDS_SIZELIMIT = $IDS_SIZELIMIT"
        ${ECHO} " NEED_CRYPT = $NEED_CRYPT"
        ${ECHO} " NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
        ${ECHO} " NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
        ${ECHO} " NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
        ${ECHO} " LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
        ${ECHO} " LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
        ${ECHO} " LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
        ${ECHO} " LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
        ${ECHO} " LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
        ${ECHO} " LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
        ${ECHO} " LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE"

        # Proxy-agent details only matter when one is going to be created.
        ${ECHO} " NEED_PROXY = $NEED_PROXY"
        if [ $NEED_PROXY -eq 1 ]; then
            ${ECHO} " LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
            ${ECHO} " LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
        fi

        # Likewise for the admin credential.
        ${ECHO} " NEED_ADMIN = $NEED_ADMIN"
        ${ECHO} " NEED_HOSTACL = $NEED_HOSTACL"
        if [ $NEED_ADMIN -eq 1 ]; then
            ${ECHO} " LDAP_ADMINDN = $LDAP_ADMINDN"
            ${ECHO} " LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
        fi

        # Service Search Descriptors are a special case.
        ${ECHO} " LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
    }
}


#
# load_config_file(): Load the settings from INPUT_FILE (the -i file).
#
# Globals read:    INPUT_FILE, TMPDIR, GREP, DEBUG, ECHO
# Globals written: every variable the input file assigns, plus
#                  LDAP_SUFFIX (defaulted from LDAP_TREETOP) and whatever
#                  save_password() / create_ssd_file() set.
# Side effects:    writes ${TMPDIR}/inputfile.noSSD, then the password
#                  file and the SSD file via the helpers.
#
# NOTE(review): the input file is executed as shell code by the "." below
# -- every line in it runs with this script's privileges.  The -i file
# therefore has to come from a trusted, root-owned location; it is not a
# data format.  The grep that precedes it drops any line containing
# "LDAP_SERV_SRCH_DES=" anywhere on the line, not just assignments.
#
load_config_file()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"

    # Strip the SSD assignments first: their values are free-form and
    # some forms of them would make the shell choke when the file is
    # sourced.  They are dealt with separately below.
    ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD

    # Execute the filtered file in the current shell.
    . ${TMPDIR}/inputfile.noSSD

    # Older config files set LDAP_TREETOP instead of LDAP_SUFFIX; fall
    # back to it when LDAP_SUFFIX is unset or empty.
    : "${LDAP_SUFFIX:=$LDAP_TREETOP}"

    # Write the root password file, build the SSD file (presumably from
    # the lines filtered out above -- create_ssd_file() is not in this
    # section), then dump everything when debugging.
    save_password
    create_ssd_file
    disp_full_debug
}

#
# save_password(): Save password to temporary file.
#
# NOTE(review): the here-document that follows is unquoted (<<EOF), so
# "$", backquotes and backslash escapes inside LDAP_ROOTPWD are interpreted
# by the shell before the value is written: a password containing them
# lands in the file altered ("$$" becomes the PID) and a backquoted
# sequence would be executed.  Writing it with
#     printf '%s\n' "${LDAP_ROOTPWD}" > "${LDAP_ROOTPWF}"
# avoids that.  The file is created under TMPDIR (mode 700) with the 077
# umask set in init(), so it is readable by the owner only.
11797c478bd9Sstevel@tonic-gate# 11807c478bd9Sstevel@tonic-gatesave_password() 11817c478bd9Sstevel@tonic-gate{ 11827c478bd9Sstevel@tonic-gate cat > ${LDAP_ROOTPWF} <<EOF 11837c478bd9Sstevel@tonic-gate${LDAP_ROOTPWD} 11847c478bd9Sstevel@tonic-gateEOF 11857c478bd9Sstevel@tonic-gate} 11867c478bd9Sstevel@tonic-gate 11877c478bd9Sstevel@tonic-gate###################################################################### 11887c478bd9Sstevel@tonic-gate# FUNCTIONS FOR prompt_config_info() START HERE. 11897c478bd9Sstevel@tonic-gate###################################################################### 11907c478bd9Sstevel@tonic-gate 11917c478bd9Sstevel@tonic-gate# 11927c478bd9Sstevel@tonic-gate# get_ids_server(): Prompt for iDS server name. 11937c478bd9Sstevel@tonic-gate# 11947c478bd9Sstevel@tonic-gateget_ids_server() 11957c478bd9Sstevel@tonic-gate{ 11967c478bd9Sstevel@tonic-gate while : 11977c478bd9Sstevel@tonic-gate do 11987c478bd9Sstevel@tonic-gate # Prompt for server name. 1199cb5caa98Sdjl get_ans "Enter the JES Directory Server's hostname to setup:" "$IDS_SERVER" 1200cb5caa98Sdjl IDS_SERVER="$ANS" 12017c478bd9Sstevel@tonic-gate 12027c478bd9Sstevel@tonic-gate # Ping server to see if live. If valid break out of loop. 12037c478bd9Sstevel@tonic-gate ping $IDS_SERVER > /dev/null 2>&1 12047c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 12057c478bd9Sstevel@tonic-gate break 12067c478bd9Sstevel@tonic-gate fi 12077c478bd9Sstevel@tonic-gate 12087c478bd9Sstevel@tonic-gate # Invalid server, enter a new name. 12097c478bd9Sstevel@tonic-gate ${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable." 12107c478bd9Sstevel@tonic-gate IDS_SERVER="" 12117c478bd9Sstevel@tonic-gate done 12127c478bd9Sstevel@tonic-gate 12137c478bd9Sstevel@tonic-gate # Set SERVER_ARGS and LDAP_ARGS since values might of changed. 
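SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
export SERVER_ARGS

}

#
# get_ids_port(): Prompt for iDS port number.
#
# Loops until an unauthenticated root-DSE search (no -D/-j) against
# ${IDS_SERVER}:${IDS_PORT} succeeds; on failure the server name is
# asked for again via get_ids_server() before the port is re-prompted.
# Globals written: IDS_PORT, SERVER_ARGS, LDAP_ARGS (SERVER_ARGS exported).
#
get_ids_port()
{
	# Get a valid iDS port number.
	while :
	do
		# Enter port number.
		get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
		IDS_PORT=$ANS
		# Do a simple search to check hostname and port number.
		# If search returns SUCCESS, break out, host and port must
		# be valid.
		${LDAPSEARCH} -h ${IDS_SERVER} -p ${IDS_PORT} -b "" -s base "objectclass=*" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			break
		fi

		# Invalid host/port pair, Re-enter.
		${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
		get_ids_server
	done

	# Set SERVER_ARGS and LDAP_ARGS since values might have changed.
	SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
	export SERVER_ARGS
}


#
# chk_ids_version(): Read the server version from cn=monitor and set
#		     IDS_VER, IDS_MAJVER and IDS_MINVER.
#
# Exits 1 when the version cannot be read or is not 5.x / 6.x.
#
chk_ids_version()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"

	# check iDS version number.
	eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "ERROR: Can not determine the version number of iDS!"
		exit 1
	fi
	IDS_VER=`cat ${TMPDIR}/checkDSver`
	# The status tested above belongs to the last pipeline stage (cut),
	# so a failed ldapsearch or a missing "version=" line only leaves
	# the file empty.  Treat an empty version string as the same error
	# instead of falling through to the "not ." message below.
	if [ -z "${IDS_VER}" ]; then
		${ECHO} "ERROR: Can not determine the version number of iDS!"
		exit 1
	fi
	IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
	IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
	if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ]; then
		${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x, not ${IDS_VER}."
		exit 1
	fi
	if [ $DEBUG -eq 1 ]; then
		${ECHO} " IDS_MAJVER = $IDS_MAJVER"
		${ECHO} " IDS_MINVER = $IDS_MINVER"
	fi
}


#
# get_dirmgr_dn(): Get the directory manager DN.
#
# Globals written: LDAP_ROOTDN, AUTH_ARGS, LDAP_ARGS (both exported).
#
get_dirmgr_dn()
{
	get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
	LDAP_ROOTDN=$ANS

	# Update ENV variables using DN.
	# -j reads the bind password from ${LDAP_ROOTPWF} so it does not
	# appear on the ldap* command lines.
	# NOTE(review): LDAP_ARGS is later re-parsed by eval/${EVAL}, so a
	# DN containing shell metacharacters would be re-interpreted there.
	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
	export AUTH_ARGS LDAP_ARGS
}


#
# get_dirmgr_pw(): Get the Root DN passwd. (Root DN found in slapd.conf)
#
# Loops until a base search with the DN/password succeeds.  A failure
# whose output mentions "credential" is reported as a bad password; any
# other failure is treated as a bad DN and get_dirmgr_dn() is called.
# Globals written: LDAP_ROOTPWD, AUTH_ARGS, LDAP_ARGS.
#
get_dirmgr_pw()
{
	while :
	do
		# Get passwd.
		get_passwd_nochk "Enter passwd for ${LDAP_ROOTDN} :"
		LDAP_ROOTPWD=$ANS

		# Store password in file.
		save_password

		# Update ENV variables using DN's PW.
		AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
		LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
		export AUTH_ARGS LDAP_ARGS

		# Verify that ROOTDN and ROOTPWD are valid.
		eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
		if [ $? -ne 0 ]; then
			eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
			if [ $? -eq 0 ]; then
				${ECHO} "ERROR: Root DN passwd is invalid."
			else
				${ECHO} "ERROR: Invalid Root DN <${LDAP_ROOTDN}>."
				get_dirmgr_dn
			fi
		else
			break	# Both are valid.
		fi
	done


}


#
# get_domain(): Get the Domain that will be served by the LDAP server.
#		$1 - Help argument (display_msg tag; "sorry" when absent).
#
# Globals written: LDAP_DOMAIN.
#
get_domain()
{
	# Use LDAP_DOMAIN as default.
	get_ans "Enter the domainname to be served (h=help):" $LDAP_DOMAIN

	# Check domainname, and have user re-enter if not valid.
	check_domainname $ANS
	while [ $? -ne 0 ]
	do
		case "$ANS" in
			[Hh] | help | Help | \?) display_msg ${1:-sorry} ;;
			* ) ${ECHO} "Invalid domainname: \"${ANS}\"."
			    ;;
		esac
		# NOTE(review): the re-prompt default is $DOM, not
		# $LDAP_DOMAIN; DOM is not set in this function.
		get_ans "Enter domainname to be served (h=help):" $DOM

		check_domainname $ANS
	done

	# Set the domainname to valid name.
	LDAP_DOMAIN=$ANS
}


#
# get_basedn(): Query for the Base DN.
#
# Globals written: LDAP_BASEDN.  Exits 1 (after cleanup) when
# check_basedn_suffix fails; re-prompts when get_suffix fails.
#
get_basedn()
{
	# Set the $_DOM_2_DC and assign to LDAP_BASEDN as default.
	# Then call get_basedn().  This method remakes the default
	# each time just in case the domain changed.
	domain_2_dc $LDAP_DOMAIN
	LDAP_BASEDN=$_DOM_2_DC

	# Get Base DN.
	while :
	do
		get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
		check_baseDN "$ANS"
		while [ $? -ne 0 ]
		do
			case "$ANS" in
				[Hh] | help | Help | \?) display_msg basedn_help ;;
				* ) ${ECHO} "Invalid base DN: \"${ANS}\"."
				    ;;
			esac

			# Re-Enter the BaseDN
			get_ans_req "Enter LDAP Base DN (h=help):" "${_DOM_2_DC}"
			check_baseDN "$ANS"
		done

		# Set base DN and check its suffix
		LDAP_BASEDN=${ANS}
		check_basedn_suffix ||
		{
			cleanup
			exit 1
		}

		# suffix may need to be created, in that case get suffix from user
		[ -n "${NEED_CREATE_SUFFIX}" ] &&
		{
			get_suffix || continue
		}

		# suffix is ok, break out of the base dn inquire loop
		break
	done
}

#
# get_want_shadow_update(): Ask user if want to enable shadow update?
#
# Globals written: LDAP_ENABLE_SHADOW_UPDATE ("TRUE" on a yes answer).
#
get_want_shadow_update()
{
	MSG="Do you want to enable shadow update (y/n/h)?"
	get_confirm "$MSG" "n" "enable_shadow_update_help"
	if [ $? -eq 1 ]; then
		LDAP_ENABLE_SHADOW_UPDATE="TRUE"
	else
		LDAP_ENABLE_SHADOW_UPDATE="FALSE"
	fi
}

#
# get_krb_realm(): Prompt for the Kerberos realm, defaulting to the
#		   upper-cased LDAP_DOMAIN; the answer is upper-cased too.
#
# Globals written: LDAP_KRB_REALM.
#
get_krb_realm() {

	# To upper cases
	LDAP_KRB_REALM=`${ECHO} ${LDAP_DOMAIN} | ${NAWK} '{ print toupper($0) }'`
	get_ans_req "Enter Kerberos Realm:" "$LDAP_KRB_REALM"
	# To upper cases
	LDAP_KRB_REALM=`${ECHO} ${ANS} | ${NAWK} '{ print toupper($0) }'`
}

#
# add_entry_by_DN(): Add an LDIF file unless its entry already exists.
# $1: DN
# $2: ldif file
# Returns 0 if the entry exists or was added, 1 if ldapadd failed.
#
add_entry_by_DN() {

	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${1}\" -s base \"objectclass=*\" ${VERB}"
	if [ $? -eq 0 ]; then
		${ECHO} "  ${1} already exists"
		return 0
	else
		${EVAL} "${LDAPADD} ${LDAP_ARGS} -f ${2} ${VERB}"
		if [ $? -eq 0 ]; then
			${ECHO} "  ${1} is added"
			return 0
		else
			${ECHO} "  ERROR: failed to add ${1}"
			return 1
		fi
	fi

}
#
# Kerberos principal to DN mapping rules
#
# Add rules for host credentials and user credentials.  The host rule
# maps host/<name>.<domain>@<realm> to an ipHost entry under ou=hosts;
# the user rule maps <name>@<realm> to uid=<name>,ou=People.
# Returns without adding the rules if the GSSAPI container cannot be
# created.
#
add_id_mapping_rules() {

	${ECHO} "  Adding Kerberos principal to DN mapping rules..."

	_C_DN="cn=GSSAPI,cn=identity mapping,cn=config"
	( cat << EOF
dn: cn=GSSAPI,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
cn: GSSAPI
EOF
) > ${TMPDIR}/GSSAPI_container.ldif

	add_entry_by_DN "${_C_DN}" "${TMPDIR}/GSSAPI_container.ldif"
	if [ $? -ne 0 ];
	then
		${RM} ${TMPDIR}/GSSAPI_container.ldif
		return
	fi

	# NOTE(review): in the dsMatching-regexp below the '.' between the
	# host part and ${LDAP_DOMAIN}, and the dots inside the domain
	# itself, are unescaped regex metacharacters and so match any
	# character; confirm the looser match is acceptable before relying
	# on the host mapping.
	_H_CN="host_auth_${LDAP_KRB_REALM}"
	_H_DN="cn=${_H_CN}, ${_C_DN}"
	( cat << EOF
dn: ${_H_DN}
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: ${_H_CN}
dsMatching-pattern: \${Principal}
dsMatching-regexp: host\/(.*).${LDAP_DOMAIN}@${LDAP_KRB_REALM}
dsSearchBaseDN: ou=hosts,${LDAP_BASEDN}
dsSearchFilter: (&(objectClass=ipHost)(cn=\$1))
dsSearchScope: one

EOF
) > ${TMPDIR}/${_H_CN}.ldif

	add_entry_by_DN "${_H_DN}" "${TMPDIR}/${_H_CN}.ldif"

	_U_CN="user_auth_${LDAP_KRB_REALM}"
	_U_DN="cn=${_U_CN}, ${_C_DN}"
	( cat << EOF
dn: ${_U_DN}
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: ${_U_CN}
dsMatching-pattern: \${Principal}
dsMatching-regexp: (.*)@${LDAP_KRB_REALM}
dsMappedDN: uid=\$1,ou=People,${LDAP_BASEDN}

EOF
) > ${TMPDIR}/${_U_CN}.ldif

	add_entry_by_DN "${_U_DN}" "${TMPDIR}/${_U_CN}.ldif"

}


#
# Modify ACL on ou=People so that, for sasl/GSSAPI binds, a user can read
# its own userPassword and any host entry under ou=Hosts can read every
# userPassword in the subtree (see the two aci values below).
#
# Creates ou=People if it is missing.  Exits 1 (after cleanup) when the
# aci lookup or the ldapmodify fails; ldapmodify status 20 (type or
# value exists) is accepted.
#
modify_userpassword_acl_for_gssapi() {

	_P_DN="ou=People,${LDAP_BASEDN}"
	# _H_DN is assigned here but not referenced in this function.
	_H_DN="ou=Hosts,${LDAP_BASEDN}"
	_P_ACI="self-read-pwd"

	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
	if [ $? -ne 0 ]; then
		${ECHO} "  ${_P_DN} does not exist"
		# Not Found. Create a new entry
		( cat << EOF
dn: ${_P_DN}
ou: People
objectClass: top
objectClass: organizationalUnit
EOF
) > ${TMPDIR}/gssapi_people.ldif

		add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_people.ldif"
	else
		${ECHO} "  ${_P_DN} already exists"
	fi

	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${_P_DN}\" -s base \"objectclass=*\" aci > ${TMPDIR}/chk_gssapi_aci 2>&1"

	if [ $? -eq 0 ]; then
		# Presence of the acl name is enough to consider it installed.
		${EVAL} "${GREP} ${_P_ACI} ${TMPDIR}/chk_gssapi_aci > /dev/null 2>&1"
		if [ $? -eq 0 ]; then
			${ECHO} "  userpassword ACL ${_P_ACI} already exists."
			return
		else
			${ECHO} "  userpassword ACL ${_P_ACI} not found. Create a new one."
		fi
	else
		${ECHO} "  Error searching aci for ${_P_DN}"
		cat ${TMPDIR}/chk_gssapi_aci
		cleanup
		exit 1
	fi
	( cat << EOF
dn: ${_P_DN}
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl self-read-pwd; allow (read,search) userdn="ldap:///self" and authmethod="sasl GSSAPI";)
-
add: aci
aci: (targetattr="userPassword")(version 3.0; acl host-read-pwd; allow (read,search) userdn="ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}" and authmethod="sasl GSSAPI";)
EOF
) > ${TMPDIR}/user_gssapi.ldif
	LDAP_TYPE_OR_VALUE_EXISTS=20
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/user_gssapi.ldif ${VERB}"

	case $? in
	0)
		${ECHO} "  ${_P_DN} uaserpassword ACL is updated."
		;;
	20)
		${ECHO} "  ${_P_DN} uaserpassword ACL already exists."
		;;
	*)
		${ECHO} "  ERROR: update of userpassword ACL for ${_P_DN} failed!"
		cleanup
		exit 1
		;;
	esac
}
#
# search_update_schema(): Look for a schema element in cn=schema and run
# the schema update when it is absent.
# $1: objectclass or attributetype (the attribute queried is "${1}es")
# $2: name
# Globals written: ATTR, SCHEMA_UPDATED (set to 1 after an update).
#
search_update_schema() {

	ATTR="${1}es"

	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b cn=schema -s base \"objectclass=*\" ${ATTR} | ${GREP} -i \"${2}\" ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} "${1} ${2} does not exist."
		update_schema_attr
		update_schema_obj
		SCHEMA_UPDATED=1
	else
		${ECHO} "${1} ${2} already exists. Schema has been updated"
	fi
}

#
# create_gssapi_profile(): Create a DUAConfigProfile entry that uses
# sasl/GSSAPI with credentialLevel self.
# $1: 1 - interactive, 0 - no
#
# Interactive mode asks for confirmation and for the profile name (via
# get_profile_name, with LDAP_PROFILE_NAME temporarily swapped); the
# result is kept in LDAP_GSSAPI_PROFILE.  When DEL_OLD_PROFILE is 1 the
# existing profile entry is deleted first.
#
create_gssapi_profile() {


	if [ ${1} -eq 1 ]; then
		echo
		echo "You can create a sasl/GSSAPI enabled profile with default values now."
		get_confirm "Do you want to create a sasl/GSSAPI default profile ?" "n"

		if [ $? -eq 0 ]; then
			return
		fi
	fi

	# Add profile container if it does not exist
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > /dev/null 2>&1"
	if [ $? -ne 0 ]; then
		( cat << EOF
dn: ou=profile,${LDAP_BASEDN}
ou: profile
objectClass: top
objectClass: organizationalUnit
EOF
) > ${TMPDIR}/profile_people.ldif

		add_entry_by_DN "ou=profile,${LDAP_BASEDN}" "${TMPDIR}/profile_people.ldif"

	fi

	search_update_schema "objectclass" "DUAConfigProfile"

	_P_NAME="gssapi_${LDAP_KRB_REALM}"
	if [ ${1} -eq 1 ]; then
		_P_TMP=${LDAP_PROFILE_NAME}
		LDAP_PROFILE_NAME=${_P_NAME}
		get_profile_name
		LDAP_GSSAPI_PROFILE=${LDAP_PROFILE_NAME}
		LDAP_PROFILE_NAME=${_P_TMP}
	fi

	_P_DN="cn=${LDAP_GSSAPI_PROFILE},ou=profile,${LDAP_BASEDN}"
	if [ ${DEL_OLD_PROFILE} -eq 1 ]; then
		DEL_OLD_PROFILE=0
		${EVAL} "${LDAPDELETE} ${LDAP_ARGS} ${_P_DN} ${VERB}"
	fi

	# Resolve the server to its address; the port is appended only
	# when it is not the default 389.
	# NOTE(review): if getent prints more than one line, _SVR becomes
	# multi-line and the LDIF below is malformed — confirm.
	_SVR=`getent hosts ${IDS_SERVER} | ${NAWK} '{ print $1 }'`
	if [ ${IDS_PORT} -ne 389 ]; then
		_SVR="${_SVR}:${IDS_PORT}"
	fi

	(cat << EOF
dn: ${_P_DN}
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ${_SVR}
defaultSearchBase: ${LDAP_BASEDN}
authenticationMethod: sasl/GSSAPI
followReferrals: ${LDAP_FOLLOWREF}
defaultSearchScope: ${LDAP_SEARCH_SCOPE}
searchTimeLimit: ${LDAP_SEARCH_TIME_LIMIT}
profileTTL: ${LDAP_PROFILE_TTL}
cn: ${LDAP_GSSAPI_PROFILE}
credentialLevel: self
bindTimeLimit: ${LDAP_BIND_LIMIT}
EOF
) > ${TMPDIR}/gssapi_profile.ldif

	add_entry_by_DN "${_P_DN}" "${TMPDIR}/gssapi_profile.ldif"

}
#
# Set up GSSAPI if necessary (interactive).
#
# GSSAPI_AUTH_MAY_BE_USED is left at 1 when the root DSE advertises the
# GSSAPI SASL mechanism, 0 otherwise.  Offers to stop the script after
# the GSSAPI step; "yes" runs cleanup and exits 0.
#
gssapi_setup() {

	# assume sasl/GSSAPI is supported by the ldap server and may be used
	GSSAPI_AUTH_MAY_BE_USED=1
	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
	if [ $? -ne 0 ]; then
		GSSAPI_AUTH_MAY_BE_USED=0
		${ECHO} "  sasl/GSSAPI is not supported by this LDAP server"
		return
	fi

	get_confirm "GSSAPI is supported. Do you want to set up gssapi:(y/n)" "n"
	if [ $? -eq 0 ]; then
		${ECHO}
		${ECHO} "GSSAPI is not set up."
		${ECHO} "sasl/GSSAPI bind may not work if it's not set up first."
	else
		get_krb_realm
		add_id_mapping_rules
		modify_userpassword_acl_for_gssapi
		create_gssapi_profile 1
		${ECHO}
		${ECHO} "GSSAPI setup is done."
	fi

	cat << EOF

You can continue to create a profile and
configure the LDAP server.
Or you can stop now.

EOF
	get_confirm "Do you want to stop:(y/n)" "n"
	if [ $? -eq 1 ]; then
		cleanup
		exit
	fi

}
#
# gssapi_setup_auto(): Non-interactive GSSAPI setup driven by the input
# file.  Requires LDAP_KRB_REALM; LDAP_GSSAPI_PROFILE defaults to
# gssapi_${LDAP_KRB_REALM}.  Sets GSSAPI_AUTH_MAY_BE_USED to 1 only when
# the server advertises GSSAPI and a realm is configured.
#
gssapi_setup_auto() {
	GSSAPI_AUTH_MAY_BE_USED=0
	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" supportedSASLMechanisms | ${GREP} GSSAPI ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO}
		${ECHO} "sasl/GSSAPI is not supported by this LDAP server"
		${ECHO}
		return
	fi
	if [ -z "${LDAP_KRB_REALM}" ]; then
		${ECHO}
		${ECHO} "LDAP_KRB_REALM is not set. Skip gssapi setup."
		${ECHO} "sasl/GSSAPI bind won't work properly."
		${ECHO}
		return
	fi
	GSSAPI_AUTH_MAY_BE_USED=1
	if [ -z "${LDAP_GSSAPI_PROFILE}" ]; then
		${ECHO}
		${ECHO} "LDAP_GSSAPI_PROFILE is not set. Default is gssapi_${LDAP_KRB_REALM}"
		${ECHO}
		LDAP_GSSAPI_PROFILE="gssapi_${LDAP_KRB_REALM}"
	fi
	add_id_mapping_rules
	modify_userpassword_acl_for_gssapi
	create_gssapi_profile 0
}
# get_profile_name(): Enter the profile name.
#
# Loops until the name does not exist under ou=profile, or the user
# chooses to only enable shadow update on the existing profile
# (LDAP_ENABLE_SHADOW_UPDATE=TRUE, EXISTING_PROFILE=1) or to overwrite
# it (DEL_OLD_PROFILE=1).
# Globals written: LDAP_PROFILE_NAME, DEL_OLD_PROFILE, and the two above.
#
get_profile_name()
{
	# Reset Delete Old Profile since getting new profile name.
	DEL_OLD_PROFILE=0

	# Loop until valid profile name, or replace.
	while :
	do
		# Prompt for profile name.
		get_ans "Enter the profile name (h=help):" "$LDAP_PROFILE_NAME"

		# Check for Help.
		case "$ANS" in
			[Hh] | help | Help | \?) display_msg profile_help
						 continue ;;
			* ) ;;
		esac

		# Search to see if profile name already exists.
		eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${ANS},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
		if [ $? -eq 0 ]; then

			cat << EOF

Profile '${ANS}' already exists, it is possible to enable
shadow update now. idsconfig will exit after shadow update
is enabled. You can also continue to overwrite the profile
or create a new one and be given the chance to enable
shadow update later.

EOF

			MSG="Just enable shadow update (y/n/h)?"
			get_confirm "$MSG" "n" "enable_shadow_update_help"
			if [ $? -eq 1 ]; then
				[ $DEBUG -eq 1 ] && ${ECHO} "set up shadow update"
				LDAP_ENABLE_SHADOW_UPDATE=TRUE
				# display alternate messages
				EXISTING_PROFILE=1
				# Set Profile Name.
				LDAP_PROFILE_NAME=$ANS
				return 0	# set up credentials for shadow update.
			fi

			get_confirm_nodef "Are you sure you want to overwrite profile cn=${ANS}?"
			if [ $? -eq 1 ]; then
				DEL_OLD_PROFILE=1
				return 0	# Replace old profile name.
			else
				${ECHO} "Please re-enter a new profile name."
			fi
		else
			break	# Unique profile name.
		fi
	done

	# Set Profile Name.
	LDAP_PROFILE_NAME=$ANS
}


#
# get_srv_list(): Get the default server list.
#
# The default is the resolved address of IDS_SERVER, with ":port"
# appended when IDS_PORT is not 389, unless LDAP_SERVER_LIST is already
# set.  Globals written: LDAP_SERVER_LIST.
#
get_srv_list()
{
	# If LDAP_SERVER_LIST is NULL, then set, otherwise leave alone.
	if [ -z "${LDAP_SERVER_LIST}" ]; then
		LDAP_SERVER_LIST=`getent hosts ${IDS_SERVER} | awk '{print $1}'`
		if [ ${IDS_PORT} -ne 389 ]; then
			LDAP_SERVER_LIST="${LDAP_SERVER_LIST}:${IDS_PORT}"
		fi
	fi

	# Prompt for new LDAP_SERVER_LIST.
	while :
	do
		get_ans "Default server list (h=help):" $LDAP_SERVER_LIST

		# If help continue, otherwise break.
		case "$ANS" in
			[Hh] | help | Help | \?) display_msg def_srvlist_help ;;
			* ) break ;;
		esac
	done
	LDAP_SERVER_LIST=$ANS
}


#
# get_pref_srv(): The preferred server list (Overrides the server list)
#
# Globals written: LDAP_PREF_SRVLIST.
#
get_pref_srv()
{
	while :
	do
		get_ans "Preferred server list (h=help):" $LDAP_PREF_SRVLIST

		# If help continue, otherwise break.
		case "$ANS" in
			[Hh] | help | Help | \?) display_msg pref_srvlist_help ;;
			* ) break ;;
		esac
	done
	LDAP_PREF_SRVLIST=$ANS
}


#
# get_search_scope(): Get the search scope from the user.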
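#
# Accepts "one" or "sub"; the choice is stored in LDAP_SEARCH_SCOPE and
# also returned as status 1 (one) or 2 (sub).  Help is accepted in the
# same spellings as the other prompts in this script (h, H, help, Help, ?).
#
get_search_scope()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_search_scope()"

	_MENU_CHOICE=0
	while :
	do
		get_ans "Choose desired search scope (one, sub, h=help): " "one"
		_MENU_CHOICE=$ANS
		case "$_MENU_CHOICE" in
		    one) LDAP_SEARCH_SCOPE="one"
			 return 1 ;;
		    sub) LDAP_SEARCH_SCOPE="sub"
			 return 2 ;;
		    [Hh] | help | Help | \?) display_msg srch_scope_help ;;
		    *) ${ECHO} "Please enter \"one\", \"sub\", or \"h\"." ;;
		esac
	done

}


#
# get_cred_level(): Function to display menu to user and get the
#		    credential level.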
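#
# Shows the cred_level_menu and loops until a choice 1-6 is made.  The
# choice is stored in LDAP_CRED_LEVEL and returned as the exit status;
# choices 4-6 (the ones containing "self") also set SELF_GSSAPI=1.
# Help is accepted in the same spellings as the other prompts in this
# script (h, H, help, Help, ?).
#
get_cred_level()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_cred_level()"

	_MENU_CHOICE=0
	display_msg cred_level_menu
	while :
	do
		get_ans "Choose Credential level [h=help]:" "1"
		_MENU_CHOICE=$ANS
		case "$_MENU_CHOICE" in
		    1) LDAP_CRED_LEVEL="anonymous"
		       return 1 ;;
		    2) LDAP_CRED_LEVEL="proxy"
		       return 2 ;;
		    3) LDAP_CRED_LEVEL="proxy anonymous"
		       return 3 ;;
		    4) LDAP_CRED_LEVEL="self"
		       SELF_GSSAPI=1
		       return 4 ;;
		    5) LDAP_CRED_LEVEL="self proxy"
		       SELF_GSSAPI=1
		       return 5 ;;
		    6) LDAP_CRED_LEVEL="self proxy anonymous"
		       SELF_GSSAPI=1
		       return 6 ;;
		    [Hh] | help | Help | \?) display_msg cred_lvl_help ;;
		    *) ${ECHO} "Please enter 1, 2, 3, 4, 5 or 6." ;;
		esac
	done
}


#
# srvauth_menu_handler(): Enter the Service Authentication method.
#
# One iteration of the service-auth menu: stores the chosen method in
# _AUTHMETHOD.  Reads _FIRST to pick the prompt; choice 0 clears
# _AUTHMETHOD and sets _FIRST=1 so the caller restarts its list.
# Options 3 and 4 are the TLS-wrapped forms of options 1 and 2.
#
srvauth_menu_handler()
{
	# Display Auth menu
	display_msg srvauth_method_menu

	# Get a Valid choice.
	while :
	do
		# Display appropriate prompt and get answer.
		if [ $_FIRST -eq 1 ]; then
			get_ans "Choose Service Authentication Method:" "1"
		else
			get_ans "Choose Service Authentication Method (0=reset):"
		fi

		# Determine choice.
		_MENU_CHOICE=$ANS
		case "$_MENU_CHOICE" in
		    1) _AUTHMETHOD="simple"
		       break ;;
		    2) _AUTHMETHOD="sasl/DIGEST-MD5"
		       break ;;
		    3) _AUTHMETHOD="tls:simple"
		       break ;;
		    4) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
		       break ;;
		    5) _AUTHMETHOD="sasl/GSSAPI"
		       break ;;
		    0) _AUTHMETHOD=""
		       _FIRST=1
		       break ;;
		    *) ${ECHO} "Please enter 1-5 or 0 to reset." ;;
		esac
	done
}


#
# auth_menu_handler(): Enter the Authentication method.
#
# One iteration of the auth menu: stores the chosen method in
# _AUTHMETHOD.  Reads _FIRST to pick the prompt; choice 0 clears
# _AUTHMETHOD and sets _FIRST=1 so the caller restarts its list.
# Options 4 and 5 are the TLS-wrapped forms of options 2 and 3.
# Help is accepted in the same spellings as the other prompts in this
# script (h, H, help, Help, ?).
#
auth_menu_handler()
{
	# Display Auth menu
	display_msg auth_method_menu

	# Get a Valid choice.
	while :
	do
		# Display appropriate prompt and get answer.
		if [ $_FIRST -eq 1 ]; then
			get_ans "Choose Authentication Method (h=help):" "1"
		else
			get_ans "Choose Authentication Method (0=reset, h=help):"
		fi

		# Determine choice.
		_MENU_CHOICE=$ANS
		case "$_MENU_CHOICE" in
		    1) _AUTHMETHOD="none"
		       break ;;
		    2) _AUTHMETHOD="simple"
		       break ;;
		    3) _AUTHMETHOD="sasl/DIGEST-MD5"
		       break ;;
		    4) _AUTHMETHOD="tls:simple"
		       break ;;
		    5) _AUTHMETHOD="tls:sasl/DIGEST-MD5"
		       break ;;
		    6) _AUTHMETHOD="sasl/GSSAPI"
		       break ;;
		    0) _AUTHMETHOD=""
		       _FIRST=1
		       break ;;
		    [Hh] | help | Help | \?) display_msg auth_help ;;
		    *) ${ECHO} "Please enter 1-6, 0=reset, or h=help." ;;
		esac
	done
}


#
# get_auth(): Enter the Authentication method.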
#
get_auth()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_auth()"

    # Accumulates the user's choices into LDAP_AUTHMETHOD, one per loop
    # turn, separated by ';'.  auth_menu_handler() fills _AUTHMETHOD and,
    # on a reset ("0"), sets _FIRST back to 1 so the list starts over.
    _FIRST=1
    _MENU_CHOICE=0
    _AUTHMETHOD=""

    while :
    do
        auth_menu_handler

        case "$_FIRST" in
            1)  LDAP_AUTHMETHOD="${_AUTHMETHOD}"
                _FIRST=0 ;;
            *)  LDAP_AUTHMETHOD="${LDAP_AUTHMETHOD};${_AUTHMETHOD}" ;;
        esac

        ${ECHO} ""
        ${ECHO} "Current authenticationMethod: ${LDAP_AUTHMETHOD}"
        ${ECHO} ""

        # get_confirm_nodef exits 0 on "no": stop collecting methods.
        get_confirm_nodef "Do you want to add another Authentication Method?"
        [ $? -eq 0 ] && break
    done
}


#
# get_followref(): Whether or not to follow referrals.
#
get_followref()
{
    # get_confirm exits with status 1 on a "yes" answer; "n" is the
    # default and referrals_help the help tag shown on 'h'.
    get_confirm "Do you want the clients to follow referrals (y/n/h)?" "n" "referrals_help"
    case $? in
        1) LDAP_FOLLOWREF="TRUE" ;;
        *) LDAP_FOLLOWREF="FALSE" ;;
    esac
}


#
# get_timelimit(): Set the time limit.  -1 is max time.
#
# Reads nsslapd-timelimit from the server's cn=config entry so the
# current value can be shown in the prompt, then stores the answer in
# IDS_TIMELIMIT.  Exits the script if the server cannot be reached.
#
get_timelimit()
{
    _CHK_FILE=${TMPDIR}/chk_timeout
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-timelimit > ${_CHK_FILE} 2>&1"
    [ $? -eq 0 ] || {
        ${ECHO} " ERROR: Could not reach LDAP server to check current timeout!"
        cleanup
        exit 1
    }
    # Output is expected as attr=value, hence the split on '='.
    CURR_TIMELIMIT=`${GREP} timelimit ${_CHK_FILE} | cut -f2 -d=`

    get_negone_num "Enter the time limit for iDS (current=${CURR_TIMELIMIT}):" "-1"
    IDS_TIMELIMIT=$NUM
}


#
# get_sizelimit(): Set the size limit.  -1 is max size.
#
# Same pattern as get_timelimit(), for nsslapd-sizelimit / IDS_SIZELIMIT.
#
get_sizelimit()
{
    _CHK_FILE=${TMPDIR}/chk_sizelimit
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-sizelimit > ${_CHK_FILE} 2>&1"
    [ $? -eq 0 ] || {
        ${ECHO} " ERROR: Could not reach LDAP server to check current sizelimit!"
        cleanup
        exit 1
    }
    CURR_SIZELIMIT=`${GREP} sizelimit ${_CHK_FILE} | cut -f2 -d=`

    get_negone_num "Enter the size limit for iDS (current=${CURR_SIZELIMIT}):" "-1"
    IDS_SIZELIMIT=$NUM
}


#
# get_want_crypt(): Ask the user whether passwords are to be stored in
# crypt format.  Sets NEED_CRYPT to TRUE/FALSE.
#
get_want_crypt()
{
    get_confirm "Do you want to store passwords in \"crypt\" format (y/n/h)?" "n" "crypt_help"
    case $? in
        1) NEED_CRYPT="TRUE" ;;
        *) NEED_CRYPT="FALSE" ;;
    esac
}


#
# get_srv_authMethod_pam(): Get the Service Auth Method for pam_ldap from user.
#
# NOTE: This function is based on get_auth().
#
get_srv_authMethod_pam()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_pam()"

    # Builds LDAP_SRV_AUTHMETHOD_PAM as "pam_ldap:<m1>;<m2>;...".
    # srvauth_menu_handler() fills _AUTHMETHOD and, on reset ("0"),
    # blanks it and sets _FIRST=1 so the list starts over.
    _FIRST=1
    _MENU_CHOICE=0
    _AUTHMETHOD=""

    while :
    do
        srvauth_menu_handler

        case "$_FIRST" in
            1)  # First (or reset) entry: an empty choice means "no method".
                if [ "$_AUTHMETHOD" = "" ]; then
                    LDAP_SRV_AUTHMETHOD_PAM=""
                else
                    LDAP_SRV_AUTHMETHOD_PAM="pam_ldap:${_AUTHMETHOD}"
                fi
                _FIRST=0 ;;
            *)  LDAP_SRV_AUTHMETHOD_PAM="${LDAP_SRV_AUTHMETHOD_PAM};${_AUTHMETHOD}" ;;
        esac

        ${ECHO} ""
        ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_PAM}"
        ${ECHO} ""

        # get_confirm_nodef exits 0 on "no": stop collecting methods.
        get_confirm_nodef "Do you want to add another Authentication Method?"
        [ $? -eq 0 ] && break
    done

    # A reset followed by "no more" leaves the string empty: no service
    # authentication method is wanted for pam_ldap after all.
    if [ "$LDAP_SRV_AUTHMETHOD_PAM" = "" ]; then
        NEED_SRVAUTH_PAM=0
    fi
}


#
# get_srv_authMethod_key(): Get the Service Auth Method for keyserv from user.
#
# NOTE: This function is based on get_auth().
#
get_srv_authMethod_key()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_key()"

    # Builds LDAP_SRV_AUTHMETHOD_KEY as "keyserv:<m1>;<m2>;...".  See
    # get_srv_authMethod_pam() for the reset handling.
    _FIRST=1
    _MENU_CHOICE=0
    _AUTHMETHOD=""

    while :
    do
        srvauth_menu_handler

        case "$_FIRST" in
            1)  if [ "$_AUTHMETHOD" = "" ]; then
                    LDAP_SRV_AUTHMETHOD_KEY=""
                else
                    LDAP_SRV_AUTHMETHOD_KEY="keyserv:${_AUTHMETHOD}"
                fi
                _FIRST=0 ;;
            *)  LDAP_SRV_AUTHMETHOD_KEY="${LDAP_SRV_AUTHMETHOD_KEY};${_AUTHMETHOD}" ;;
        esac

        ${ECHO} ""
        ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_KEY}"
        ${ECHO} ""

        get_confirm_nodef "Do you want to add another Authentication Method?"
        [ $? -eq 0 ] && break
    done

    if [ "$LDAP_SRV_AUTHMETHOD_KEY" = "" ]; then
        NEED_SRVAUTH_KEY=0
    fi
}


#
# get_srv_authMethod_cmd(): Get the Service Auth Method for passwd-cmd from user.
#
# NOTE: This function is based on get_auth().
#
get_srv_authMethod_cmd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_srv_authMethod_cmd()"

    # Builds LDAP_SRV_AUTHMETHOD_CMD as "passwd-cmd:<m1>;<m2>;...".
    # srvauth_menu_handler() fills _AUTHMETHOD and, on reset ("0"),
    # blanks it and sets _FIRST=1 so the list starts over.
    _FIRST=1
    _MENU_CHOICE=0
    _AUTHMETHOD=""

    while :
    do
        srvauth_menu_handler

        case "$_FIRST" in
            1)  if [ "$_AUTHMETHOD" = "" ]; then
                    LDAP_SRV_AUTHMETHOD_CMD=""
                else
                    LDAP_SRV_AUTHMETHOD_CMD="passwd-cmd:${_AUTHMETHOD}"
                fi
                _FIRST=0 ;;
            *)  LDAP_SRV_AUTHMETHOD_CMD="${LDAP_SRV_AUTHMETHOD_CMD};${_AUTHMETHOD}" ;;
        esac

        ${ECHO} ""
        ${ECHO} "Current authenticationMethod: ${LDAP_SRV_AUTHMETHOD_CMD}"
        ${ECHO} ""

        # get_confirm_nodef exits 0 on "no": stop collecting methods.
        get_confirm_nodef "Do you want to add another Authentication Method?"
        [ $? -eq 0 ] && break
    done

    # Empty after the loop means the user reset and then stopped.
    if [ "$LDAP_SRV_AUTHMETHOD_CMD" = "" ]; then
        NEED_SRVAUTH_CMD=0
    fi
}


#
# get_srch_time(): Client search time limit, in seconds (-1 = no limit,
# as accepted by get_negone_num).  Updates LDAP_SEARCH_TIME_LIMIT.
#
get_srch_time()
{
    get_negone_num "Client search time limit in seconds (h=help):" \
        "$LDAP_SEARCH_TIME_LIMIT" "srchtime_help"
    LDAP_SEARCH_TIME_LIMIT=$NUM
}


#
# get_prof_ttl(): Profile time to live, in seconds.  Updates LDAP_PROFILE_TTL.
#
get_prof_ttl()
{
    get_negone_num "Profile Time To Live in seconds (h=help):" \
        "$LDAP_PROFILE_TTL" "profttl_help"
    LDAP_PROFILE_TTL=$NUM
}


#
# get_bind_limit(): Bind time limit, in seconds.  Updates LDAP_BIND_LIMIT.
#
get_bind_limit()
{
    get_negone_num "Bind time limit in seconds (h=help):" \
        "$LDAP_BIND_LIMIT" "bindlim_help"
    LDAP_BIND_LIMIT=$NUM
}


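######################################################################
# FUNCTIONS FOR Service Search Descriptor's START HERE.
######################################################################


#
# add_ssd(): Get an SSD from the user and append it to SSD_FILE.
#
# SSD_FILE holds one "<service id>:<base>?<scope>" per line.  The
# service id must not already be present (case-insensitive); the scope
# must be 'one' or 'sub' (any case) and is stored as typed.
#
# NOTE: the id the user types is used as a grep pattern (anchored at
# line start), so regex metacharacters in it are interpreted.
#
add_ssd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_ssd()"

    # Enter the service id.  Loop until it is unique.
    while :
    do
        get_ans "Enter the service id:"
        _SERV_ID=$ANS

        # Non-zero means "no such line" (1) or an unreadable/missing file
        # (2).  Either way there is nothing to collide with, so proceed;
        # looping on status 2 would never terminate.
        ${GREP} -i "^$ANS:" ${SSD_FILE} > /dev/null 2>&1
        if [ $? -ne 0 ]; then
            break
        fi

        ${ECHO} "ERROR: Service id ${ANS} already exists."
    done

    get_ans "Enter the base:"
    _BASE=$ANS

    # Get the scope and verify that it is one or sub.
    while :
    do
        get_ans "Enter the scope:"
        _SCOPE=$ANS
        case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
            one|sub) break ;;
            *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
        esac
    done

    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
    ${ECHO} "${_SSD}" >> ${SSD_FILE}
}


#
# delete_ssd(): Delete an SSD from the list by service id.
#
# The id is matched as "^<id>:" so that, e.g., deleting "passwd" does
# not also remove "passwd2" (an unanchored match removed every line
# containing the id as a substring).  The previous contents are kept
# in SSD_FILE.bak.
#
delete_ssd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In delete_ssd()"

    get_ans_req "Enter service id to delete:"
    _SERV_ID=$ANS

    # Make sure the service id exists (status 1 = not found).
    ${GREP} "^${_SERV_ID}:" ${SSD_FILE} > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        ${ECHO} "Invalid service id: ${_SERV_ID} not present in list."
        return
    fi

    # Create a temporary backup of the SSD file.  Any cp failure (not
    # only status 1) must abort, otherwise the grep below would read
    # an incomplete or missing backup and truncate SSD_FILE.
    cp ${SSD_FILE} ${SSD_FILE}.bak
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
        exit 1
    fi

    # Rewrite the original without the matching line.
    ${GREP} -v "^${_SERV_ID}:" ${SSD_FILE}.bak > ${SSD_FILE}
}


#
# modify_ssd(): Let the user change the base and scope of an existing SSD.
#
# The new values are collected BEFORE the old line is removed, so an
# interrupt at the prompts does not lose the entry.  The scope is
# validated the same way add_ssd() does.
#
modify_ssd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In modify_ssd()"

    get_ans_req "Enter service id to modify:"
    _SERV_ID=$ANS

    # Look the current line up, anchored at line start.
    _LINE=`${GREP} "^${_SERV_ID}:" ${SSD_FILE}`
    if [ "$_LINE" = "" ]; then
        ${ECHO} "Invalid service id: ${_SERV_ID}"
        return
    fi

    ${ECHO} ""
    ${ECHO} "Current SSD: $_LINE"
    ${ECHO} ""

    # Current values become the prompt defaults.
    _CURR_BASE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 1`
    _CURR_SCOPE=`${ECHO} $_LINE | cut -d: -f2 | cut -d'?' -f 2`

    get_ans_req "Enter the base:" "$_CURR_BASE"
    _BASE=$ANS
    while :
    do
        get_ans_req "Enter the scope:" "$_CURR_SCOPE"
        _SCOPE=$ANS
        case `${ECHO} ${_SCOPE} | tr '[A-Z]' '[a-z]'` in
            one|sub) break ;;
            *) ${ECHO} "${_SCOPE} is Not valid - Enter 'one' or 'sub'" ;;
        esac
    done

    # Create a temporary backup of the SSD file; abort on any cp failure.
    cp ${SSD_FILE} ${SSD_FILE}.bak
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: could not create file: ${SSD_FILE}.bak"
        cleanup
        exit 1
    fi

    # Replace the old line with the new SSD.
    ${GREP} -v "^${_SERV_ID}:" ${SSD_FILE}.bak > ${SSD_FILE} 2>&1
    _SSD="${_SERV_ID}:${_BASE}?${_SCOPE}"
    ${ECHO} "${_SSD}" >> ${SSD_FILE}
}


#
# display_ssd(): Print the current SSD list and wait for return.
#
display_ssd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In display_ssd()"

    ${ECHO} ""
    ${ECHO} "Current Service Search Descriptors:"
    ${ECHO} "=================================="
    cat ${SSD_FILE}
    ${ECHO} ""
    ${ECHO} "Hit return to continue."
    read __A
}


#
# prompt_ssd(): Interactive SSD menu (add/delete/modify/print/reset/help/quit).
#
# Returns immediately when the user declines to set up SSDs
# (get_confirm status 0).
#
prompt_ssd()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_ssd()"

    get_confirm "Do you wish to setup Service Search Descriptors (y/n/h)?" "n" "ssd_help"
    [ "$?" -eq 0 ] && return

    while :
    do
        display_msg prompt_ssd_menu
        get_ans "Enter menu choice:" "Quit"
        case "$ANS" in
            [Aa] | add) add_ssd ;;
            [Dd] | delete) delete_ssd ;;
            [Mm] | modify) modify_ssd ;;
            [Pp] | print | display) display_ssd ;;
            [Xx] | reset | clear) reset_ssd_file ;;
            [Hh] | Help | help) display_msg ssd_menu_help
                ${ECHO} " Press return to continue."
                read __A ;;
            [Qq] | Quit | quit) return ;;
            *) ${ECHO} "Invalid choice: $ANS please re-enter from menu." ;;
        esac
    done
}


#
# reset_ssd_file(): Blank out current SSD file.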
#
reset_ssd_file()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In reset_ssd_file()"

    # Replace SSD_FILE with an empty file.
    rm -f ${SSD_FILE}
    touch ${SSD_FILE}
}


#
# create_ssd_file(): Seed the temporary SSD file from INPUT_FILE.
#
# Every INPUT_FILE line containing "LDAP_SERV_SRCH_DES=" is copied with
# that prefix stripped, giving one "<id>:<base>?<scope>" per line.
# NOTE: the match is not anchored, so a commented-out line would be
# picked up too — presumably acceptable for this input format; verify.
#
create_ssd_file()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In create_ssd_file()"

    ${GREP} "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} \
        | sed 's/LDAP_SERV_SRCH_DES=//' > ${SSD_FILE}
}


#
# ssd_2_config(): Append the SSD file to OUTPUT_FILE in config format,
# i.e. each line prefixed with "LDAP_SERV_SRCH_DES=" (the inverse of
# create_ssd_file()).
#
ssd_2_config()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_config()"

    sed -e "s/^/LDAP_SERV_SRCH_DES=/" ${SSD_FILE} >> ${OUTPUT_FILE}
}


#
# ssd_2_profile(): Add SSD's to the GEN_CMD string.
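#
ssd_2_profile()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In ssd_2_profile()"

    # Each SSD becomes ' -a "serviceSearchDescriptor=<ssd>"' appended to
    # GEN_CMD.  The fragments are staged in a temp file because ${ECHO}
    # with a trailing \c (no newline) is used to join them.
    #
    # The staging file is truncated, not merely touched: a leftover from
    # an earlier call in the same TMPDIR would otherwise be appended to
    # and every SSD would appear twice in GEN_CMD.
    GEN_TMPFILE=${TMPDIR}/ssd_tmpfile
    : > ${GEN_TMPFILE}

    # NOTE(review): GEN_CMD is presumably eval'd/executed elsewhere (not
    # visible here).  An SSD base containing '"' or '$' would break or
    # alter that command line; SSDs come from the interactive user or
    # INPUT_FILE — confirm that is an acceptable trust boundary.
    while read SSD_LINE
    do
        ${ECHO} " -a \"serviceSearchDescriptor=${SSD_LINE}\"\c" >> ${GEN_TMPFILE}
    done <${SSD_FILE}

    GEN_CMD="${GEN_CMD} `cat ${GEN_TMPFILE}`"
    rm -f ${GEN_TMPFILE}
}


#
# get_adminDN(): Prompt for the administrator DN.
#
# Default is cn=admin,ou=profile,<LDAP_BASEDN>; the answer is stored in
# LDAP_ADMINDN.
#
get_adminDN()
{
    LDAP_ADMINDN="cn=admin,ou=profile,${LDAP_BASEDN}"
    get_ans "Enter DN for the administrator:" "$LDAP_ADMINDN"
    LDAP_ADMINDN=$ANS
    [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMINDN = $LDAP_ADMINDN"
}


#
# get_admin_pw(): Get the admin passwd.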
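#
get_admin_pw()
{
    get_passwd "Enter passwd for the administrator:"
    LDAP_ADMIN_CRED=$ANS
    # Do not echo the credential itself, even in debug mode: stdout may
    # be a terminal scrollback, a script(1) log or a ticket attachment.
    [ $DEBUG -eq 1 ] && ${ECHO} "LDAP_ADMIN_CRED = (set, not shown)"
}


#
# add_admin(): Add an admin entry for nameservice for updating shadow data.
#
# Creates LDAP_ADMINDN as a "person" entry whose userpassword is
# LDAP_ADMIN_CRED, unless the entry already exists.  The LDIF is staged
# in ${TMPDIR}/admin, which therefore briefly holds the cleartext
# credential: it is created mode 0600 and removed on both the success
# and the failure path.  Exits the script if ldapmodify fails.
#
add_admin()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_admin()"

    # Check if the admin entry already exists (search status 0).
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_ADMINDN}\" -s base \"objectclass=*\" ${VERB}"
    if [ $? -eq 0 ]; then
        MSG="Administrator ${LDAP_ADMINDN} already exists."
        if [ $EXISTING_PROFILE -eq 1 ]; then
            ${ECHO} " NOT ADDED: $MSG"
        else
            ${ECHO} " ${STEP}. $MSG"
            STEP=`expr $STEP + 1`
        fi
        return 0
    fi

    # cn and sn both come from the value of the first RDN of LDAP_ADMINDN.
    cn_tmp=`${ECHO} ${LDAP_ADMINDN} | cut -f1 -d, | cut -f2 -d=`

    # Stage the LDIF with the password readable by the owner only.  Any
    # stale file is removed first, since an existing file would keep its
    # old mode regardless of the umask.
    # NOTE(review): the value is written verbatim; a password beginning
    # with a space or ':' would need LDIF base64 ("userpassword::") —
    # confirm get_passwd rejects such input.
    _ADMIN_LDIF=${TMPDIR}/admin
    ${RM} -f ${_ADMIN_LDIF}
    ( umask 077; cat <<EOF > ${_ADMIN_LDIF}
dn: ${LDAP_ADMINDN}
cn: ${cn_tmp}
sn: ${cn_tmp}
objectclass: top
objectclass: person
userpassword: ${LDAP_ADMIN_CRED}
EOF
    )

    # Add the entry.
    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${_ADMIN_LDIF} ${VERB}"
    if [ $? -ne 0 ]; then
        ${RM} -f ${_ADMIN_LDIF}
        ${ECHO} " ERROR: Adding administrator identity failed!"
        cleanup
        exit 1
    fi

    ${RM} -f ${_ADMIN_LDIF}

    # Report that the administrator identity was added.
    MSG="Administrator identity ${LDAP_ADMINDN}"
    if [ $EXISTING_PROFILE -eq 1 ]; then
        ${ECHO} " ADDED: $MSG."
    else
        ${ECHO} " ${STEP}. $MSG added."
        STEP=`expr $STEP + 1`
    fi
}


#
# allow_admin_write_shadow(): Give Admin write permission for shadow data.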
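#
allow_admin_write_shadow()
{
    # Adds an ACI on ${LDAP_BASEDN} that lets the administrator identity
    # (${LDAP_ADMINDN}) write shadow/password related attributes.
    # Globals read:    DEBUG, ECHO, LDAPSEARCH, LDAPMODIFY, LDAP_ARGS,
    #                  LDAP_BASEDN, LDAP_ADMINDN, TMPDIR, GREP, RM, EVAL,
    #                  VERB, EXISTING_PROFILE
    # Globals written: ADMIN_ACI_NAME, MSG, STEP
    # Exits 1 (after cleanup) if the ldapmodify fails.
    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_admin_write_shadow()"

    # Set ACI Name
    ADMIN_ACI_NAME="LDAP_Naming_Services_admin_shadow_write"

    # Search for ACI_NAME. Plain eval (not ${EVAL}) so the probe itself
    # always runs; the existence test is a substring match on the raw
    # search output.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" \
        -s base objectclass=* aci > ${TMPDIR}/chk_adminwrite_aci 2>&1"
    ${GREP} "${ADMIN_ACI_NAME}" ${TMPDIR}/chk_adminwrite_aci > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        MSG="Admin ACI ${ADMIN_ACI_NAME} already exists for ${LDAP_BASEDN}."
        if [ $EXISTING_PROFILE -eq 1 ]; then
            ${ECHO} " NOT SET: $MSG"
        else
            ${ECHO} " ${STEP}. $MSG"
            STEP=`expr $STEP + 1`
        fi
        return 0
    fi

    # Create the tmp file to add.
    # Security note: this grants ${LDAP_ADMINDN} write access to
    # userPassword (and loginShell/homeDirectory/gecos) for every entry
    # under ${LDAP_BASEDN}; the admin credential therefore needs the same
    # protection as the Directory Manager password.
    ( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${ADMIN_ACI_NAME}; allow (write) userdn = "ldap:///${LDAP_ADMINDN}";)
EOF
) > ${TMPDIR}/admin_write

    # Add the entry.
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/admin_write ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Allow ${LDAP_ADMINDN} to write shadow data failed!"
        cleanup
        exit 1
    fi

    ${RM} -f ${TMPDIR}/admin_write
    # Display message that the administrator ACL is set.
    MSG="Give ${LDAP_ADMINDN} write permission for shadow."
    if [ $EXISTING_PROFILE -eq 1 ]; then
        ${ECHO} " ACI SET: $MSG"
    else
        ${ECHO} " ${STEP}. $MSG"
        STEP=`expr $STEP + 1`
    fi
}

#
# allow_host_write_shadow(): Give host principal write permission
#                            for shadow data.
#
allow_host_write_shadow()
{
    # Adds an ACI on ${LDAP_BASEDN} that lets any entry under
    # ou=Hosts,${LDAP_BASEDN} that authenticated with SASL GSSAPI read and
    # write shadow/password related attributes.
    # Globals read:    DEBUG, ECHO, LDAPSEARCH, LDAPMODIFY, LDAP_ARGS,
    #                  LDAP_BASEDN, TMPDIR, GREP, RM, EVAL, VERB,
    #                  EXISTING_PROFILE
    # Globals written: HOST_ACI_NAME, MSG, STEP
    # Exits 1 (after cleanup) if the ldapmodify fails.
    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_host_write_shadow()"

    # Set ACI Name
    HOST_ACI_NAME="LDAP_Naming_Services_host_shadow_write"

    # Search for ACI_NAME (same probe/substring-match approach as
    # allow_admin_write_shadow).
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_hostwrite_aci 2>&1"
    ${GREP} "${HOST_ACI_NAME}" ${TMPDIR}/chk_hostwrite_aci > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        MSG="Host ACI ${HOST_ACI_NAME} already exists for ${LDAP_BASEDN}."
        if [ $EXISTING_PROFILE -eq 1 ]; then
            ${ECHO} " NOT ADDED: $MSG"
        else
            ${ECHO} " ${STEP}. $MSG"
            STEP=`expr $STEP + 1`
        fi
        return 0
    fi

    # Create the tmp file to add.
    # Security note: the userdn wildcard matches every host principal
    # under ou=Hosts, so a compromised host keytab can change userPassword
    # for any entry under ${LDAP_BASEDN}. Review whether that trust
    # boundary is acceptable before enabling shadow update via hosts.
    ( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||userPassword||loginShell||homeDirectory||gecos")(version 3.0; acl ${HOST_ACI_NAME}; allow (read, write) authmethod="sasl GSSAPI" and userdn = "ldap:///cn=*+ipHostNumber=*,ou=Hosts,${LDAP_BASEDN}";)
EOF
) > ${TMPDIR}/host_write

    # Add the entry.
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/host_write ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Allow Host Principal to write shadow data failed!"
        cleanup
        exit 1
    fi

    ${RM} -f ${TMPDIR}/host_write
    MSG="Give host principal write permission for shadow."
    if [ $EXISTING_PROFILE -eq 1 ]; then
        ${ECHO} " ACI SET: $MSG"
    else
        ${ECHO} " ${STEP}. $MSG"
        STEP=`expr $STEP + 1`
    fi
}

#
# setup_shadow_update(): Enable shadow update for an existing profile.
#   Reads the profile cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN};
#   if it has GSSAPI authentication and 'self' credential level (and
#   GSSAPI_AUTH_MAY_BE_USED is set) offers the host-principal ACI,
#   otherwise offers to create an administrator identity plus ACI.
# Globals read:    DEBUG, ECHO, TMPDIR, EVAL, LDAPSEARCH, LDAP_ARGS,
#                  LDAP_PROFILE_NAME, LDAP_BASEDN, GREP, RM,
#                  GSSAPI_AUTH_MAY_BE_USED
# Globals written: PROFILE_OUT, NEED_HOSTACL, MSG
# Returns without doing anything if the profile does not exist.
#
setup_shadow_update() {
    [ $DEBUG -eq 1 ] && ${ECHO} "In setup_shadow_update()"

    # get content of the profile
    PROFILE_OUT=${TMPDIR}/prof_tmpfile
    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" > $PROFILE_OUT 2>&1"
    ${GREP} -i cn $PROFILE_OUT >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "Profile ${LDAP_PROFILE_NAME} does not exist"
        ${RM} ${PROFILE_OUT}
        return
    fi

    # Search to see if authenticationMethod has 'GSSAPI' and
    # credentialLevel has 'self'. If so, ask to use the
    # host principal for shadow update
    if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
        if ${GREP} authenticationMethod $PROFILE_OUT | ${GREP} GSSAPI >/dev/null 2>&1
        then
            if ${GREP} credentialLevel $PROFILE_OUT | ${GREP} self >/dev/null 2>&1
            then
                NEED_HOSTACL=1
            fi
        fi
    fi

    # The profile dump is no longer needed on any path from here on.
    # (It used to be removed only inside the GSSAPI branch, leaving the
    # file behind when GSSAPI_AUTH_MAY_BE_USED was not set.)
    ${RM} ${PROFILE_OUT}

    if [ $GSSAPI_AUTH_MAY_BE_USED -eq 1 ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"

        if [ $NEED_HOSTACL -eq 1 ]; then
            MSG="Use host principal for shadow data update (y/n/h)?"
            get_confirm "$MSG" "y" "use_host_principal_help"
            if [ $? -eq 1 ]; then
                allow_host_write_shadow
                modify_top_aci
                ${ECHO} ""
                ${ECHO} " Shadow update has been enabled."
            else
                ${ECHO} ""
                ${ECHO} " Shadow update may not work."
            fi
            return
        fi
    fi

    MSG="Add the administrator identity (y/n/h)?"
    get_confirm "$MSG" "y" "add_admin_cred_help"
    if [ $? -eq 1 ]; then
        get_adminDN
        get_admin_pw
        add_admin
        allow_admin_write_shadow
        modify_top_aci
        ${ECHO} ""
        ${ECHO} " Shadow update has been enabled."
        return
    fi

    ${ECHO} " No administrator identity specified, shadow update may not work."
}


#
# prompt_config_info(): This function prompts the user for the config
#                       info that is not specified in the input file.
#   Order matters: each get_* helper prompts interactively and sets the
#   corresponding LDAP_*/IDS_* global. When LDAP_ENABLE_SHADOW_UPDATE is
#   "TRUE" the script only runs setup_shadow_update and exits 0 without
#   asking for the remaining profile values.
# Globals read:    DEBUG, ECHO, LDAP_ENABLE_SHADOW_UPDATE, LDAP_CRED_LEVEL
# Globals written: NEED_TIME, NEED_SIZE, NEED_SRVAUTH_PAM,
#                  NEED_SRVAUTH_KEY, NEED_SRVAUTH_CMD (plus whatever the
#                  called helpers set)
#
prompt_config_info()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In prompt_config_info()"

    # Prompt for iDS server name.
    get_ids_server

    # Prompt for iDS port number.
    get_ids_port

    # Check iDS version for compatibility.
    chk_ids_version

    # Check if the server supports the VLV.
    chk_vlv_indexes

    # Get the Directory manager DN and passwd.
    get_dirmgr_dn
    get_dirmgr_pw

    #
    # LDAP CLIENT PROFILE SPECIFIC INFORMATION.
    # (i.e. The fields that show up in the profile.)
    #
    get_domain "domain_help"

    get_basedn

    gssapi_setup

    get_profile_name

    # Shadow-update-only run: configure it and stop here.
    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then
        setup_shadow_update
        exit 0
    fi

    get_srv_list
    get_pref_srv
    get_search_scope

    # If cred is "anonymous", make auth == "none"
    get_cred_level
    if [ "$LDAP_CRED_LEVEL" != "anonymous" ]; then
        get_auth
    fi

    get_followref

    # Query user about timelimt.
    get_confirm "Do you want to modify the server timelimit value (y/n/h)?" "n" "tlim_help"
    NEED_TIME=$?
    [ $NEED_TIME -eq 1 ] && get_timelimit

    # Query user about sizelimit.
    get_confirm "Do you want to modify the server sizelimit value (y/n/h)?" "n" "slim_help"
    NEED_SIZE=$?
    [ $NEED_SIZE -eq 1 ] && get_sizelimit

    # Does the user want to store passwords in crypt format?
    get_want_crypt

    # Prompt for any Service Authentication Methods?
    get_confirm "Do you want to setup a Service Authentication Methods (y/n/h)?" "n" "srvauth_help"
    if [ $? -eq 1 ]; then
        # Does the user want to set Service Authentication Method for pam_ldap?
        get_confirm "Do you want to setup a Service Auth. Method for \"pam_ldap\" (y/n/h)?" "n" "pam_ldap_help"
        NEED_SRVAUTH_PAM=$?
        [ $NEED_SRVAUTH_PAM -eq 1 ] && get_srv_authMethod_pam

        # Does the user want to set Service Authentication Method for keyserv?
        get_confirm "Do you want to setup a Service Auth. Method for \"keyserv\" (y/n/h)?" "n" "keyserv_help"
        NEED_SRVAUTH_KEY=$?
        [ $NEED_SRVAUTH_KEY -eq 1 ] && get_srv_authMethod_key

        # Does the user want to set Service Authentication Method for passwd-cmd?
        get_confirm "Do you want to setup a Service Auth. Method for \"passwd-cmd\" (y/n/h)?" "n" "passwd-cmd_help"
        NEED_SRVAUTH_CMD=$?
        [ $NEED_SRVAUTH_CMD -eq 1 ] && get_srv_authMethod_cmd
    fi


    # Get Timeouts
    get_srch_time
    get_prof_ttl
    get_bind_limit

    # Ask whether to enable shadow update
    get_want_shadow_update

    # Reset the sdd_file and prompt user for SSD. Will use menus
    # to build an SSD File.
    reset_ssd_file
    prompt_ssd

    # Display FULL debugging info.
    disp_full_debug

    # Extra blank line to separate prompt lines from steps.
    ${ECHO} " "
}


######################################################################
# FUNCTIONS FOR display_summary() START HERE.
######################################################################


#
# get_proxyagent(): Get the proxyagent DN.
#   Offers cn=proxyagent,ou=profile,${LDAP_BASEDN} as the default and
#   stores the answer (from get_ans's ANS) in LDAP_PROXYAGENT.
#
get_proxyagent()
{
    LDAP_PROXYAGENT="cn=proxyagent,ou=profile,${LDAP_BASEDN}" # default
    get_ans "Enter DN for proxy agent:" "$LDAP_PROXYAGENT"
    LDAP_PROXYAGENT=$ANS
}


#
# get_proxy_pw(): Get the proxyagent passwd.
#   Prompts via get_passwd and stores ANS in LDAP_PROXYAGENT_CRED.
#
get_proxy_pw()
{
    get_passwd "Enter passwd for proxyagent:"
    LDAP_PROXYAGENT_CRED=$ANS
}

#
# display_summary(): Display a summary of values entered and let the
#                    user modify values at will.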
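#
display_summary()
{
    # Shows the collected configuration (display_msg summary_menu) and
    # lets the user re-run any of the 20 get_* prompts by number until 0
    # is chosen. Then resolves the proxy-agent and administrator
    # credentials the chosen credential level / auth method require, and
    # asks for final confirmation before anything is committed.
    # Globals read:    DEBUG, ECHO, GREP, LDAP_CRED_LEVEL, LDAP_AUTHMETHOD,
    #                  LDAP_ENABLE_SHADOW_UPDATE, MN_CH
    # Globals written: TBL1..TBL9, FUNC_TBL, _MENU_PROMPT, _CH, NEED_PROXY,
    #                  NEED_ADMIN, NEED_HOSTACL, LDAP_CRED_LEVEL (may be
    #                  forced to "anonymous")
    # Exits 1 (after cleanup) if the user declines the final confirmation.
    [ $DEBUG -eq 1 ] && ${ECHO} "In display_summary()"

    # Create lookup table for function names. First entry is dummy for
    # shift. The table holds exactly 20 functions; the menu range below
    # (1-20) and the summary_menu text must be kept in step with it.
    TBL1="dummy"
    TBL2="get_domain get_basedn get_profile_name"
    TBL3="get_srv_list get_pref_srv get_search_scope get_cred_level"
    TBL4="get_auth get_followref"
    TBL5="get_timelimit get_sizelimit get_want_crypt"
    TBL6="get_srv_authMethod_pam get_srv_authMethod_key get_srv_authMethod_cmd"
    TBL7="get_srch_time get_prof_ttl get_bind_limit"
    TBL8="get_want_shadow_update"
    TBL9="prompt_ssd"
    FUNC_TBL="$TBL1 $TBL2 $TBL3 $TBL4 $TBL5 $TBL6 $TBL7 $TBL8 $TBL9"

    # Since menu prompt string is long, set here.
    _MENU_PROMPT="Enter config value to change: (1-20 0=commit changes)"

    # Infinite loop. Test for 0, and break in loop.
    while :
    do
        # Display menu and get value in range.
        display_msg summary_menu
        get_menu_choice "${_MENU_PROMPT}" "0" "20" "0"
        _CH=$MN_CH

        # Make sure where not exiting.
        if [ $_CH -eq 0 ]; then
            break # Break out of loop if 0 selected.
        fi

        # Call appropriate function from function table: load the table
        # into the positional parameters (local to this function call),
        # drop _CH entries so $1 is the selected function, and call it.
        set $FUNC_TBL
        shift $_CH
        $1 # Call the appropriate function.
    done

    # A proxy-based credential level needs a proxy agent DN and password,
    # unless the authentication method is 'none' - then the only
    # consistent choice is to fall back to anonymous.
    if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "proxy" > /dev/null 2>&1
    then
        if [ "$LDAP_AUTHMETHOD" != "none" ]; then
            NEED_PROXY=1 # I assume integer test is faster?
            get_proxyagent
            get_proxy_pw
        else
            ${ECHO} "WARNING: Since Authentication method is 'none'."
            ${ECHO} " Credential level will be set to 'anonymous'."
            LDAP_CRED_LEVEL="anonymous"
        fi
    fi

    # If shadow update is enabled, set up administrator credential.
    # With credential level 'self' and GSSAPI authentication the host
    # principal ACI is used instead and no admin identity is collected.
    if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ]; then
        NEED_ADMIN=1
        if ${ECHO} "$LDAP_CRED_LEVEL" | ${GREP} "self" > /dev/null 2>&1; then
            if ${ECHO} "$LDAP_AUTHMETHOD" | ${GREP} "GSSAPI" > /dev/null 2>&1; then
                NEED_HOSTACL=1
                NEED_ADMIN=0
            fi
        fi
        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_HOSTACL = $NEED_HOSTACL"
        [ $DEBUG -eq 1 ] && ${ECHO} "NEED_ADMIN = $NEED_ADMIN"
        if [ $NEED_ADMIN -eq 1 ]; then
            get_adminDN
            get_admin_pw
        fi
    fi

    # Display FULL debugging info.
    disp_full_debug

    # Final confirmation message. (ARE YOU SURE!)
    ${ECHO} " "
    get_confirm_nodef "WARNING: About to start committing changes. (y=continue, n=EXIT)"
    if [ $? -eq 0 ]; then
        ${ECHO} "Terminating setup without making changes at users request."
        cleanup
        exit 1
    fi

    # Print newline
    ${ECHO} " "
}


#
# create_config_file(): Write config data to config file specified.
#   Writes a shell-syntax file to ${OUTPUT_FILE} that idsconfig -i can
#   load back, then appends the service search descriptors
#   (ssd_2_config) and suffix preferences (print_suffix_config).
# Globals read:    DEBUG, ECHO, RM, OUTPUT_FILE and every LDAP_*/IDS_*/
#                  NEED_* variable named in the heredoc below
# Exits 1 (after cleanup) if the output file cannot be created.
#
create_config_file()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In create_config_file()"

    # If output file exists, delete it (unconditional -f also clears a
    # dangling symlink, which the previous -f test would have missed).
    ${RM} -f "$OUTPUT_FILE"

    # The file carries the Directory Manager, proxy agent and admin
    # credentials in clear text, so create it owner-read/write only
    # before any content is written. The subshell keeps the umask
    # change from affecting the rest of the script.
    ( umask 077; : > "$OUTPUT_FILE" ) || {
        ${ECHO} "ERROR: Unable to create $OUTPUT_FILE"
        cleanup
        exit 1
    }

    # Create output file.
    # NOTE(review): LDAP_ROOTPWD, LDAP_PROXYAGENT_CRED and LDAP_ADMIN_CRED
    # are emitted unquoted; a password containing whitespace or shell
    # metacharacters will not round-trip when this file is read back as
    # shell. Confirm how the -i loader parses it before changing the
    # format.
    cat >> "$OUTPUT_FILE" <<EOF
#!/bin/sh
# $OUTPUT_FILE - This file contains configuration information for
# Native LDAP. Use the idsconfig tool to load it.
#
# WARNING: This file was generated by idsconfig, and is intended to
# be loaded by idsconfig as is. DO NOT EDIT THIS FILE!
#
IDS_SERVER="$IDS_SERVER"
IDS_PORT=$IDS_PORT
IDS_TIMELIMIT=$IDS_TIMELIMIT
IDS_SIZELIMIT=$IDS_SIZELIMIT
LDAP_ROOTDN="$LDAP_ROOTDN"
LDAP_ROOTPWD=$LDAP_ROOTPWD
LDAP_DOMAIN="$LDAP_DOMAIN"
LDAP_SUFFIX="$LDAP_SUFFIX"
LDAP_KRB_REALM="$LDAP_KRB_REALM"
LDAP_GSSAPI_PROFILE="$LDAP_GSSAPI_PROFILE"

# Internal program variables that need to be set.
NEED_PROXY=$NEED_PROXY
NEED_TIME=$NEED_TIME
NEED_SIZE=$NEED_SIZE
NEED_CRYPT=$NEED_CRYPT
NEED_ADMIN=$NEED_ADMIN
NEED_HOSTACL=$NEED_HOSTACL
EXISTING_PROFILE=$EXISTING_PROFILE

# LDAP PROFILE related defaults
LDAP_PROFILE_NAME="$LDAP_PROFILE_NAME"
DEL_OLD_PROFILE=1
LDAP_BASEDN="$LDAP_BASEDN"
LDAP_SERVER_LIST="$LDAP_SERVER_LIST"
LDAP_AUTHMETHOD="$LDAP_AUTHMETHOD"
LDAP_FOLLOWREF=$LDAP_FOLLOWREF
LDAP_SEARCH_SCOPE="$LDAP_SEARCH_SCOPE"
NEED_SRVAUTH_PAM=$NEED_SRVAUTH_PAM
NEED_SRVAUTH_KEY=$NEED_SRVAUTH_KEY
NEED_SRVAUTH_CMD=$NEED_SRVAUTH_CMD
LDAP_SRV_AUTHMETHOD_PAM="$LDAP_SRV_AUTHMETHOD_PAM"
LDAP_SRV_AUTHMETHOD_KEY="$LDAP_SRV_AUTHMETHOD_KEY"
LDAP_SRV_AUTHMETHOD_CMD="$LDAP_SRV_AUTHMETHOD_CMD"
LDAP_SEARCH_TIME_LIMIT=$LDAP_SEARCH_TIME_LIMIT
LDAP_PREF_SRVLIST="$LDAP_PREF_SRVLIST"
LDAP_PROFILE_TTL=$LDAP_PROFILE_TTL
LDAP_CRED_LEVEL="$LDAP_CRED_LEVEL"
LDAP_BIND_LIMIT=$LDAP_BIND_LIMIT

# Proxy Agent
LDAP_PROXYAGENT="$LDAP_PROXYAGENT"
LDAP_PROXYAGENT_CRED=$LDAP_PROXYAGENT_CRED

# enableShadowUpdate flag and Administrator credential
LDAP_ENABLE_SHADOW_UPDATE=$LDAP_ENABLE_SHADOW_UPDATE
LDAP_ADMINDN="$LDAP_ADMINDN"
LDAP_ADMIN_CRED=$LDAP_ADMIN_CRED

# Export all the variables (just in case)
export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
export NEED_PROXY
export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
export LDAP_SERV_SRCH_DES SSD_FILE LDAP_KRB_REALM LDAP_GSSAPI_PROFILE

# Service Search Descriptors start here if present:
EOF
    # Add service search descriptors.
    ssd_2_config "${OUTPUT_FILE}"

    # Add LDAP suffix preferences
    print_suffix_config >> "${OUTPUT_FILE}"

    # Add the end of FILE tag.
    ${ECHO} "" >> ${OUTPUT_FILE}
    ${ECHO} "# End of $OUTPUT_FILE" >> ${OUTPUT_FILE}
}


#
# chk_vlv_indexes(): Do ldapsearch to see if server supports VLV.
#   Reads the root DSE with SERVER_ARGS only (no bind credentials) and
#   looks for the VLV request control OID 2.16.840.1.113730.3.4.9.
# Globals read: LDAPSEARCH, SERVER_ARGS, TMPDIR, GREP, VERB, DEBUG, ECHO
# Exits 1 (after cleanup) if the control is not advertised.
#
chk_vlv_indexes()
{
    # Do ldapsearch to see if server supports VLV.
    ${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkVLV 2>&1
    if ! eval "${GREP} 2.16.840.1.113730.3.4.9 ${TMPDIR}/checkVLV ${VERB}"; then
        ${ECHO} "ERROR: VLV is not supported on LDAP server!"
        cleanup
        exit 1
    fi
    [ $DEBUG -eq 1 ] && ${ECHO} " VLV controls found on LDAP server."
}

#
# get_backend(): this function gets the relevant backend
#                (database) for LDAP_BASEDN.
# Description: set IDS_DATABASE; exit on failure.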
# Prerequisite: LDAP_BASEDN and LDAP_SUFFIX are
#               valid.
#
# backend is retrieved from suffixes and subsuffixes
# defined under "cn=mapping tree,cn=config". The
# nsslapd-state attribute of these suffixes entries
# is filled with either Backend, Disabled or referrals
# related values. We only want those that have a true
# backend database to select the relevant backend.
#
# Globals read:    DEBUG, ECHO, LDAPSEARCH, LDAP_ARGS, LDAP_BASEDN,
#                  LDAP_SUFFIX, GREP, TMPDIR, PROG
# Globals written: cur_suffix, prev_suffix, IDS_DATABASE, NUM_DBS
# Exits 1 (after cleanup) if a suffix maps to more than one database or
# no backend is found for LDAP_BASEDN.
#
get_backend()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_backend()"

    # Start at LDAP_BASEDN and walk up one RDN at a time until a mapping
    # tree entry with nsslapd-state=Backend is found.
    cur_suffix=${LDAP_BASEDN}
    prev_suffix=
    IDS_DATABASE=
    while [ "${cur_suffix}" != "${prev_suffix}" ]
    do
        [ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP suffix: ${cur_suffix}"
        # The mapping tree entry DN is cn="<suffix>",cn=mapping tree,cn=config;
        # the double quotes around the suffix are part of the DN, hence the
        # layered escaping for eval.
        eval "${LDAPSEARCH} ${LDAP_ARGS} " \
            "-b \"cn=\\\"${cur_suffix}\\\",cn=mapping tree,cn=config\" " \
            "-s base nsslapd-state=Backend nsslapd-backend 2>&1 " \
            "| ${GREP} 'nsslapd-backend=' " \
            "> ${TMPDIR}/ids_database_name 2>&1"
        # One matching line per backend database attached to the suffix.
        NUM_DBS=`wc -l ${TMPDIR}/ids_database_name | awk '{print $1}'`
        case ${NUM_DBS} in
        0) # not a suffix, or suffix not activated; try next
           # Drop the first RDN. With no comma left, cut returns the string
           # unchanged, so cur_suffix == prev_suffix ends the loop.
           # NOTE(review): a DN value containing an escaped comma would be
           # split here - confirm that is out of scope for LDAP_BASEDN.
            prev_suffix=${cur_suffix}
            cur_suffix=`${ECHO} ${cur_suffix} | cut -f2- -d','`
            ;;
        1) # suffix found; get database name
            IDS_DATABASE=`cat ${TMPDIR}/ids_database_name | cut -d= -f2`
            ;;
        *) # can not handle more than one database per suffix
            ${ECHO} "ERROR: More than one database is configured "
            ${ECHO} " for $LDAP_SUFFIX!"
            ${ECHO} " $PROG can not configure suffixes where "
            ${ECHO} " more than one database is used for one suffix."
            cleanup
            exit 1
            ;;
        esac
        if [ -n "${IDS_DATABASE}" ]; then
            break
        fi
    done

    if [ -z "${IDS_DATABASE}" ]; then
        # should not happen, since LDAP_BASEDN is supposed to be valid
        ${ECHO} "Could not find a valid backend for ${LDAP_BASEDN}."
        ${ECHO} "Exiting."
        cleanup
        exit 1
    fi

    [ $DEBUG -eq 1 ] && ${ECHO} "IDS_DATABASE: ${IDS_DATABASE}"
}

#
# validate_suffix(): This function validates ${LDAP_SUFFIX}
#   THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
#
# Globals read : DEBUG, ECHO, EVAL, LDAPSEARCH, LDAP_ARGS, TMPDIR,
#                LDAP_BASEDN, LDAP_SUFFIX
# Globals set  : LOWER_BASEDN, LOWER_SUFFIX, NEED_CREATE_SUFFIX;
#                IDS_DATABASE when the suffix has to be created
# Exits the script (after cleanup) on any validation failure; if the
# suffix does not exist on the server it prepares its creation through
# prep_create_sfx_entry()/prep_create_sfx_backend() (add_suffix() does
# the actual creation later).
#
validate_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In validate_suffix()"

	# Check LDAP_SUFFIX is not null
	if [ -z "${LDAP_SUFFIX}" ]; then
		${ECHO} "Invalid suffix (null suffix)"
		cleanup
		exit 1
	fi

	# Check LDAP_SUFFIX and LDAP_BASEDN are consistent
	# Convert to lower case for basename.
	format_string "${LDAP_BASEDN}"
	LOWER_BASEDN="${FMT_STR}"
	format_string "${LDAP_SUFFIX}"
	LOWER_SUFFIX="${FMT_STR}"

	[ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
	[ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"

	# basename(1) strips its second argument from the end of the first;
	# if nothing was stripped, LOWER_SUFFIX is not a trailing part of
	# LOWER_BASEDN at all.
	# NOTE(review): this is a plain string-suffix test - it does not
	# require a ',' before the match (prep_create_sfx_entry() does).
	if [ "${LOWER_BASEDN}" != "${LOWER_SUFFIX}" ]; then
		sub_basedn=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
		if [ "$sub_basedn" = "${LOWER_BASEDN}" ]; then
			${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
			${ECHO} "for Base DN ${LOWER_BASEDN}"
			cleanup
			exit 1
		fi
	fi

	# Check LDAP_SUFFIX does exist
	# A base-scope search of the suffix entry itself succeeds only when
	# the entry is there; the server output is kept in checkSuffix.
	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_SUFFIX}\" -s base \"objectclass=*\" > ${TMPDIR}/checkSuffix 2>&1" && return 0

	# Well, suffix does not exist, try to prepare create it ...
	NEED_CREATE_SUFFIX=1
	prep_create_sfx_entry ||
	{
		cleanup
		exit 1
	}
	[ -n "${NEED_CREATE_BACKEND}" ] &&
	{
		# try to use id attr value of the suffix as a database name
		# (_VAL is the value part of the suffix RDN, set by
		# prep_create_sfx_entry())
		IDS_DATABASE=${_VAL}
		prep_create_sfx_backend
		case $? in
		1)	# cann't use the name we want, so we can either exit or use
			# some another available name - doing the last ...
			IDS_DATABASE=${IDS_DATABASE_AVAIL}
			;;
		2)	# unable to determine database name
			cleanup
			exit 1
			;;
		esac
	}

	# NOTE: this is the last command of the function, so with DEBUG != 1
	# the function's exit status is 1; validate_info() does not test it.
	[ $DEBUG -eq 1 ] && ${ECHO} "Suffix $LDAP_SUFFIX, Database $IDS_DATABASE"
}

#
# validate_info(): This function validates the basic info collected
# So that some problems are caught right away.
# THIS FUNCTION IS FOR THE LOAD CONFIG FILE OPTION.
#
# Globals read : DEBUG, ECHO, GREP, LDAPSEARCH, TMPDIR, VERB,
#                IDS_SERVER, IDS_PORT, LDAP_ROOTDN, LDAP_ROOTPWF
# Globals set  : SERVER_ARGS (exported), AUTH_ARGS, LDAP_ARGS
# Exits the script (after cleanup) when the Root DN bind fails.
#
validate_info()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In validate_info()"

	# Set SERVER_ARGS, AUTH_ARGS, and LDAP_ARGS for the config file.
	# SERVER_ARGS carries only host/port (anonymous); AUTH_ARGS binds as
	# the Root DN with the password read from the file named by
	# LDAP_ROOTPWF (-j), so the password itself is not placed on the
	# ldapsearch command line where ps(1) or trace output could show it.
	# NOTE(review): LDAP_ROOTDN is embedded in a string that is later
	# handed to eval; a DN containing shell metacharacters (", `, $)
	# would be re-parsed by the shell - presumably the config loader
	# constrains it, confirm.
	SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
	AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
	LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
	export SERVER_ARGS

	# Check the Root DN and Root DN passwd.
	# Use eval instead of $EVAL because not part of setup. (validate)
	# An authenticated base-scope search of the root DSE is used purely
	# as a bind test; its output goes to ${TMPDIR}/checkDN.
	eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"\" -s base \"objectclass=*\" > ${TMPDIR}/checkDN 2>&1"
	if [ $? -ne 0 ]; then
		# A bad password is told apart from a bad DN by looking for the
		# word "credential" in the client's error text, so this depends
		# on the wording of the ldapsearch diagnostics.
		eval "${GREP} credential ${TMPDIR}/checkDN ${VERB}"
		if [ $? -eq 0 ]; then
			${ECHO} "ERROR: Root DN passwd is invalid."
		else
			${ECHO} "ERROR2: Invalid Root DN <${LDAP_ROOTDN}>."
		fi
		cleanup
		exit 1
	fi
	[ $DEBUG -eq 1 ] && ${ECHO} " RootDN ... OK"
	[ $DEBUG -eq 1 ] && ${ECHO} " RootDN passwd ... OK"

	# Check if the server supports the VLV.
	# chk_vlv_indexes() is defined elsewhere in this script.
	chk_vlv_indexes
	[ $DEBUG -eq 1 ] && ${ECHO} " VLV indexes ... OK"

	# Check LDAP suffix
	# validate_suffix() exits on failure, so its status is not checked.
	validate_suffix
	[ $DEBUG -eq 1 ] && ${ECHO} " LDAP suffix ... OK"
}

#
# format_string(): take a string as argument and set FMT_STR
# to be the same string formatted as follow:
#	- only lower case characters
#	- no unnecessary spaces around , and =
#
# Arguments: $1 - the string (normally a DN) to normalise
# Output   : FMT_STR (global) - the normalised string
#
# Used to compare DNs case-insensitively and independently of the
# whitespace a user may have typed around RDN separators.
#
format_string()
{
	FMT_STR=`${ECHO} "$1" | tr '[A-Z]' '[a-z]' |
	    sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`
}

#
# prepare for the suffix entry creation
#
# input  : LDAP_BASEDN, LDAP_SUFFIX - base dn and suffix;
# in/out : LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - initially may come from config.
# output : NEED_CREATE_BACKEND - backend for this suffix needs to be created;
#          _RDN, _ATT, _VAL - suffix's RDN, id attribute name and its value.
# return : 0 - success, otherwise error.
#
# Does not contact the server for writes: it only works out what the new
# suffix entry will look like (objectclass, ACI) and whether an ldbm
# backend already serves it.  The actual creation is done by add_suffix().
# On error a message is printed through display_msg() and 1 is returned;
# the caller decides whether to exit or to ask again.
#
prep_create_sfx_entry()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_entry()"

	# check whether suffix corresponds to base dn
	# The leading ',' makes sure the suffix matches a whole RDN boundary
	# of the base DN, not just a trailing substring.
	# NOTE(review): LDAP_SUFFIX is used as a regular expression here;
	# a suffix containing characters such as '*' or '[' would be matched
	# loosely.
	format_string "${LDAP_BASEDN}"
	${ECHO} ",${FMT_STR}" | ${GREP} ",${LDAP_SUFFIX}$" >/dev/null 2>&1 ||
	{
		display_msg sfx_not_suitable
		return 1
	}

	# parse LDAP_SUFFIX
	# e.g. "dc=example,dc=com" -> _RDN="dc=example", _ATT="dc", _VAL="example"
	# (-f2- keeps everything after the first '=' in the RDN)
	_RDN=`${ECHO} "${LDAP_SUFFIX}" | cut -d, -f1`
	_ATT=`${ECHO} "${_RDN}" | cut -d= -f1`
	_VAL=`${ECHO} "${_RDN}" | cut -d= -f2-`

	# find out an objectclass for suffix entry if it is not defined yet
	# get_objectclass() (defined elsewhere) is expected to set _ATTR_NAME
	# to an objectclass that has ${_ATT} as an attribute.
	[ -z "${LDAP_SUFFIX_OBJ}" ] &&
	{
		get_objectclass ${_ATT}
		[ -z "${_ATTR_NAME}" ] &&
		{
			display_msg obj_not_found
			return 1
		}
		LDAP_SUFFIX_OBJ=${_ATTR_NAME}
	}
	[ $DEBUG -eq 1 ] && ${ECHO} "Suffix entry object is ${LDAP_SUFFIX_OBJ}"

	# find out an aci for suffix entry if it is not defined yet
	[ -z "${LDAP_SUFFIX_ACI}" ] &&
	{
		# set Directory Server default aci
		# What this default grants on the new suffix:
		#  - anyone (including unauthenticated binds): read, search and
		#    compare on every attribute except userPassword and the
		#    password-policy state attributes;
		#  - the entry itself (ldap:///self): write on its own entry,
		#    except aci, nsroledn, the resource-limit attributes and the
		#    password-policy state attributes;
		#  - uid=admin under o=NetscapeRoot and the "Configuration
		#    Administrators" group: all rights on all attributes.
		# Anonymous read of the whole suffix is the server default; set
		# LDAP_SUFFIX_ACI in the config file to install something tighter.
		LDAP_SUFFIX_ACI=`cat <<EOF
aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime
 || passwordExpWarned || passwordRetryCount || retryCountResetTime ||
 accountUnlockTime || passwordAllowChangeTime")
 (
 version 3.0;
 acl "Anonymous access";
 allow (read, search, compare) userdn = "ldap:///anyone";
 )
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
 nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
 retryCountResetTime || accountUnlockTime || passwordHistory ||
 passwordAllowChangeTime")
 (
 version 3.0;
 acl "Allow self entry modification except for some attributes";
 allow (write) userdn = "ldap:///self";
 )
aci: (targetattr = "*")
 (
 version 3.0;
 acl "Configuration Administrator";
 allow (all) userdn = "ldap:///uid=admin,ou=Administrators,
 ou=TopologyManagement,o=NetscapeRoot";
 )
aci: (targetattr ="*")
 (
 version 3.0;
 acl "Configuration Administrators Group";
 allow (all) groupdn = "ldap:///cn=Configuration Administrators,
 ou=Groups,ou=TopologyManagement,o=NetscapeRoot";
 )
EOF
`
	}
	[ $DEBUG -eq 1 ] && cat <<EOF
DEBUG: ACI for ${LDAP_SUFFIX} is
${LDAP_SUFFIX_ACI}
EOF

	NEED_CREATE_BACKEND=

	# check the suffix mapping tree ...
	# if mapping exists, suffix should work, otherwise DS inconsistent
	# NOTE: -b 'cn=mapping tree,cn=config' -s one 'cn=\"$1\"' won't work
	#       in case of 'cn' value in LDAP is not quoted by '"',
	#       -b 'cn=\"$1\",cn=mapping tree,cn=config' works in all cases
	${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
		-b 'cn=\"${LDAP_SUFFIX}\",cn=mapping tree,cn=config' \
		-s base 'objectclass=*' dn ${VERB}" &&
	{
		[ $DEBUG -eq 1 ] && ${ECHO} "Suffix mapping already exists"
		# get_backend() either gets IDS_DATABASE or exits
		get_backend
		return 0
	}

	# no suffix mapping, just in case check ldbm backends consistency -
	# there are must be NO any databases pointing to LDAP_SUFFIX
	# (a backend without a mapping-tree entry is a half-configured
	# suffix that this script refuses to build on)
	[ -n "`${EVAL} \"${LDAPSEARCH} ${LDAP_ARGS} \
		-b 'cn=ldbm database,cn=plugins,cn=config' \
		-s one 'nsslapd-suffix=${LDAP_SUFFIX}' dn\" 2>/dev/null`" ] &&
	{
		display_msg sfx_config_incons
		return 1
	}

	# ok, no suffix mapping, no ldbm database
	[ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: backend needs to be created ..."
	NEED_CREATE_BACKEND=1
	return 0
}

#
# prepare for the suffix backend creation
#
# input  : IDS_DATABASE - requested ldbm db name (must be not null)
# in/out : IDS_DATABASE_AVAIL - available ldbm db name
# return : 0 - ldbm db name ok
#          1 - IDS_DATABASE exists,
#              so IDS_DATABASE_AVAIL contains available name
#          2 - unable to find any available name
#
# Tries the requested name first, then name1 .. name9, and stops at the
# first one that is not already an ldbm backend on the server.
#
prep_create_sfx_backend()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In prep_create_sfx_backend()"

	# check if requested name available
	# (a previous call may already have found this exact name free)
	[ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0

	# get the list of database names start with a requested name
	# NOTE(review): the 2>/dev/null sits outside the backquotes, i.e. on
	# the assignment; whether it silences ldapsearch's stderr is shell
	# dependent - moving it inside the substitution would be unambiguous.
	_LDBM_DBS=`${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
		-b 'cn=ldbm database,cn=plugins,cn=config' \
		-s one 'cn=${IDS_DATABASE}*' cn"` 2>/dev/null

	# find available db name based on a requested name
	# _i is empty on the first pass (bare name), then 1..9; _i_MAX bounds
	# the loop so at most ten candidates are tried.
	_i=""; _i_MAX=10
	while [ ${_i:-0} -lt ${_i_MAX} ]
	do
		_name="${IDS_DATABASE}${_i}"
		${ECHO} "${_LDBM_DBS}" | ${GREP} -i "^cn=${_name}$" >/dev/null 2>&1 ||
		{
			IDS_DATABASE_AVAIL="${_name}"
			break
		}
		_i=`expr ${_i:-0} + 1`
	done

	[ "${IDS_DATABASE}" = "${IDS_DATABASE_AVAIL}" ] && return 0

	[ -n "${IDS_DATABASE_AVAIL}" ] &&
	{
		display_msg ldbm_db_exist
		return 1
	}

	display_msg unable_find_db_name
	return 2
}

#
# add suffix if needed,
# suffix entry and backend MUST be prepared by
# prep_create_sfx_entry and prep_create_sfx_backend correspondingly
#
# input  : NEED_CREATE_SUFFIX, LDAP_SUFFIX, LDAP_SUFFIX_OBJ, _ATT, _VAL
#          LDAP_SUFFIX_ACI, NEED_CREATE_BACKEND, IDS_DATABASE
# return : 0 - suffix successfully created, otherwise error occured
#
# Also reads LDAPADD, LDAP_ARGS, VERB, ECHO, DEBUG and advances STEP for
# each object created.  Writes to the server are done with the Root DN
# credentials carried in LDAP_ARGS.
#
add_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_suffix()"

	# Nothing to do unless check_basedn_suffix()/validate_suffix() found
	# that the suffix is missing.
	[ -n "${NEED_CREATE_SUFFIX}" ] || return 0

	# First the backend: a mapping-tree entry pointing at a new ldbm
	# database instance (two LDIF records in one ldapadd, separated by
	# the blank line).
	[ -n "${NEED_CREATE_BACKEND}" ] &&
	{
		${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
dn: cn="${LDAP_SUFFIX}",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: ${LDAP_SUFFIX}
nsslapd-state: backend
nsslapd-backend: ${IDS_DATABASE}

dn: cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: ${IDS_DATABASE}
nsslapd-suffix: ${LDAP_SUFFIX}
EOF
		[ $? -ne 0 ] &&
		{
			display_msg create_ldbm_db_error
			return 1
		}

		${ECHO} " ${STEP}. Database ${IDS_DATABASE} successfully created"
		STEP=`expr $STEP + 1`
	}

	# Then the suffix entry itself, carrying the ACI text prepared by
	# prep_create_sfx_entry() (or taken from the config file).
	${EVAL} "${LDAPADD} ${LDAP_ARGS} ${VERB}" <<EOF
dn: ${LDAP_SUFFIX}
objectclass: ${LDAP_SUFFIX_OBJ}
${_ATT}: ${_VAL}
${LDAP_SUFFIX_ACI}
EOF
	[ $? -ne 0 ] &&
	{
		display_msg create_suffix_entry_error
		return 1
	}

	${ECHO} " ${STEP}. Suffix ${LDAP_SUFFIX} successfully created"
	STEP=`expr $STEP + 1`
	return 0
}

#
# interactively get suffix and related info from a user
#
# input  : LDAP_BASEDN - Base DN
# output : LDAP_SUFFIX - Suffix, _ATT, _VAL - id attribute and its value;
#          LDAP_SUFFIX_OBJ, LDAP_SUFFIX_ACI - objectclass and aci;
#          NEED_CREATE_BACKEND - tells whether backend needs to be created;
#          IDS_DATABASE - prepared ldbm db name
# return : 0 - user gave a correct suffix
#          1 - suffix given by user cann't be created
#
# Prompts with get_ans() (defined elsewhere; answer arrives in ANS).  The
# outer loop re-asks for the suffix until prep_create_sfx_entry() accepts
# it; the inner loop re-asks for the database name until
# prep_create_sfx_backend() accepts it, or 'b' sends the user back to
# the suffix prompt.
#
get_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In get_suffix()"

	while :
	do
		# The Base DN is offered as the default suffix.
		get_ans "Enter suffix to be created (b=back/h=help):" ${LDAP_BASEDN}
		case "${ANS}" in
		[Hh] | Help | help | \? ) display_msg create_suffix_help ;;
		[Bb] | Back | back | \< ) return 1 ;;
		* )
			format_string "${ANS}"
			LDAP_SUFFIX=${FMT_STR}
			prep_create_sfx_entry || continue

			[ -n "${NEED_CREATE_BACKEND}" ] &&
			{
				IDS_DATABASE_AVAIL= # reset the available db name

				reenter_suffix=
				while :
				do
					# Default: the last free name found, else the
					# value of the suffix RDN (_VAL).
					get_ans "Enter ldbm database name (b=back/h=help):" \
						${IDS_DATABASE_AVAIL:-${_VAL}}
					case "${ANS}" in
					[Hh] | \? ) display_msg enter_ldbm_db_help ;;
					[Bb] | \< ) reenter_suffix=1; break ;;
					* )
						IDS_DATABASE="${ANS}"
						prep_create_sfx_backend && break
					esac
				done
				# 'continue' here restarts the outer (suffix) loop.
				[ -n "${reenter_suffix}" ] && continue

				[ $DEBUG -eq 1 ] && cat <<EOF
DEBUG: backend name for suffix ${LDAP_SUFFIX} will be ${IDS_DATABASE}
EOF
			}

			# eventually everything is prepared
			return 0
			;;
		esac
	done
}

#
# print out a script which sets LDAP suffix related preferences
#
# Emits shell assignments for IDS_DATABASE, LDAP_SUFFIX_OBJ and
# LDAP_SUFFIX_ACI on stdout (the caller appends this to the generated
# configuration file).  The outer here-doc (EOF2) expands the current
# values; the inner \`cat <<EOF ... EOF\` is emitted literally so the
# multi-line ACI survives a later load.
# NOTE(review): presumably the generated file is evaluated by the shell
# when it is loaded with -i, in which case '$' or backquotes inside the
# ACI text would be expanded at load time - confirm how input files are
# read.
#
print_suffix_config()
{
	cat <<EOF2
# LDAP suffix related preferences used only if needed
IDS_DATABASE="${IDS_DATABASE}"
LDAP_SUFFIX_OBJ="$LDAP_SUFFIX_OBJ"
LDAP_SUFFIX_ACI=\`cat <<EOF
${LDAP_SUFFIX_ACI}
EOF
\`
export IDS_DATABASE LDAP_SUFFIX_OBJ LDAP_SUFFIX_ACI
EOF2
}

#
# check_basedn_suffix(): check that there is an existing
# valid suffix to hold current base DN
# return:
#   0: valid suffix found or new one should be created,
#      NEED_CREATE_SUFFIX flag actually indicates that
#   1: some error occures
#
# Globals read : LDAP_BASEDN, LDAPSEARCH, SERVER_ARGS, ECHO, DEBUG;
#                LDAP_SUFFIX_LIST (via discover_serv_suffix())
# Globals set  : NEED_CREATE_SUFFIX, LDAP_SUFFIX, IDS_DATABASE (via
#                get_backend()), plus scratch vars cur_ldap_entry,
#                prev_ldap_entry, lower_entry, lower_suff, dcstmp, oIFS
#
check_basedn_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In check_basedn_suffix()"

	NEED_CREATE_SUFFIX=

	# find out existing suffixes
	discover_serv_suffix

	${ECHO} " Validating LDAP Base DN and Suffix ..."

	# check that LDAP Base DN might be added
	# Walk up the Base DN one RDN at a time until an entry answers a
	# one-level search.  cut(1) on a DN with no ',' returns it unchanged,
	# so cur == prev then terminates the loop with nothing found.
	# NOTE(review): this probes with SERVER_ARGS only, i.e. anonymously;
	# an ACI that hides entries from anonymous binds could make an
	# existing suffix look absent here - confirm against the server's
	# ACIs.
	cur_ldap_entry=${LDAP_BASEDN}
	prev_ldap_entry=
	while [ "${cur_ldap_entry}" != "${prev_ldap_entry}" ]
	do
		[ $DEBUG -eq 1 ] && ${ECHO} "testing LDAP entry: ${cur_ldap_entry}"
		${LDAPSEARCH} ${SERVER_ARGS} -b "${cur_ldap_entry}" \
			-s one "objectclass=*" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			break
		else
			prev_ldap_entry=${cur_ldap_entry}
			cur_ldap_entry=`${ECHO} ${cur_ldap_entry} | cut -f2- -d','`
		fi
	done

	if [ "${cur_ldap_entry}" = "${prev_ldap_entry}" ]; then
		${ECHO} " No valid suffixes were found for Base DN ${LDAP_BASEDN}"

		# Not an error: the caller is expected to create the suffix.
		NEED_CREATE_SUFFIX=1
		return 0

	else
		[ $DEBUG -eq 1 ] && ${ECHO} "found valid LDAP entry: ${cur_ldap_entry}"

		# Now looking for relevant suffix for this entry.
		# LDAP_SUFFIX will then be used to add necessary
		# base objects. See add_base_objects().
		format_string "${cur_ldap_entry}"
		lower_entry="${FMT_STR}"
		[ $DEBUG -eq 1 ] && ${ECHO} "final suffix list: ${LDAP_SUFFIX_LIST}"
		# LDAP_SUFFIX_LIST is newline separated and DNs contain spaces,
		# so IFS is narrowed to a newline for the loop and restored after.
		oIFS=$IFS
		[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to new line"
		IFS='
'
		for suff in ${LDAP_SUFFIX_LIST}
		do
			[ $DEBUG -eq 1 ] && ${ECHO} "testing suffix: ${suff}"
			format_string "${suff}"
			lower_suff="${FMT_STR}"
			if [ "${lower_entry}" = "${lower_suff}" ]; then
				LDAP_SUFFIX="${suff}"
				break
			else
				# basename(1) strips lower_suff from the end of
				# lower_entry; unchanged output means no match.
				dcstmp=`basename "${lower_entry}" "${lower_suff}"`
				if [ "${dcstmp}" = "${lower_entry}" ]; then
					# invalid suffix, try next one
					continue
				else
					# valid suffix found
					LDAP_SUFFIX="${suff}"
					break
				fi
			fi
		done
		[ $DEBUG -eq 1 ] && ${ECHO} "setting IFS to original value"
		IFS=$oIFS

		[ $DEBUG -eq 1 ] && ${ECHO} "LDAP_SUFFIX: ${LDAP_SUFFIX}"

		if [ -z "${LDAP_SUFFIX}" ]; then
			# should not happen, since we found the entry
			${ECHO} "Could not find a valid suffix for ${LDAP_BASEDN}."
			${ECHO} "Exiting."
			return 1
		fi

		# Getting relevant database (backend)
		# IDS_DATABASE will then be used to create indexes.
		get_backend

		return 0
	fi
}

#
# discover_serv_suffix(): This function queries the server to find
# suffixes available
# return: 0: OK, suffix found
#         1: suffix not determined
#
# Globals read : LDAPSEARCH, SERVER_ARGS, GREP, TMPDIR, ECHO, DEBUG
# Globals set  : LDAP_SUFFIX_LIST (newline separated), NUM_TOP;
#                scratch files ${TMPDIR}/checkTOP and ${TMPDIR}/treeTOP
#
discover_serv_suffix()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In discover_serv_suffix()"

	# Search the server for the TOP of the TREE.
	# Anonymous read of the root DSE; the namingContexts lines are kept,
	# minus the server's own o=NetscapeRoot configuration suffix.
	${LDAPSEARCH} ${SERVER_ARGS} -b "" -s base "objectclass=*" > ${TMPDIR}/checkTOP 2>&1
	${GREP} -i namingcontexts ${TMPDIR}/checkTOP | \
		${GREP} -i -v NetscapeRoot > ${TMPDIR}/treeTOP
	NUM_TOP=`wc -l ${TMPDIR}/treeTOP | awk '{print $1}'`
	case $NUM_TOP in
	0)
		[ $DEBUG -eq 1 ] && ${ECHO} "DEBUG: No suffix found in LDAP tree"
		return 1
		;;
	*)	# build the list of suffixes; take out 'namingContexts=' in
		# each line of ${TMPDIR}/treeTOP
		# (substr from column 16 assumes the fixed 15-character
		# "namingContexts=" prefix on every line)
		LDAP_SUFFIX_LIST=`cat ${TMPDIR}/treeTOP |
			awk '{ printf("%s\n",substr($0,16,length-15)) }'`
		;;
	esac

	[ $DEBUG -eq 1 ] && ${ECHO} " LDAP_SUFFIX_LIST = $LDAP_SUFFIX_LIST"
	return 0
}


#
# modify_cn(): Change the cn from MUST to MAY in ipNetwork.
#
# Adds a replacement ipNetwork objectclass definition (OID 1.3.6.1.1.1.2.7)
# to cn=schema in which cn is in the MAY list.  Exits the script (after
# cleanup) if the schema modification fails.
# Globals read : DEBUG, ECHO, EVAL, LDAPMODIFY, LDAP_ARGS, TMPDIR, VERB
#
modify_cn()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_cn()"

	# The LDIF is written to a temp file and fed to ldapmodify with -f.
	( cat <<EOF
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( ipNetworkNumber ) MAY ( ipNetmaskNumber $ manager $ cn $ l $ description ) X-ORIGIN 'RFC 2307' ))
EOF
	) > ${TMPDIR}/ipNetwork_cn

	# Modify the cn for ipNetwork.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ipNetwork_cn ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of cn for ipNetwork failed!"
		cleanup
		exit 1
	fi
}


# modify_timelimit(): Modify timelimit to user value.
# Replaces nsslapd-timelimit on cn=config with ${IDS_TIMELIMIT}; exits the
# script (after cleanup) on failure and advances STEP on success.
modify_timelimit()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_timelimit()"

	# Here doc to modify timelimit.
	( cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-timelimit
nsslapd-timelimit: ${IDS_TIMELIMIT}
EOF
	) > ${TMPDIR}/ids_timelimit

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_timelimit ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of nsslapd-timelimit failed!"
		cleanup
		exit 1
	fi

	# Display messages for modifications made in patch.
	${ECHO} " ${STEP}. Changed timelimit to ${IDS_TIMELIMIT} in cn=config."
	STEP=`expr $STEP + 1`
}


# modify_sizelimit(): Modify sizelimit to user value.
# Replaces nsslapd-sizelimit on cn=config with ${IDS_SIZELIMIT}; exits the
# script (after cleanup) on failure and advances STEP on success.
modify_sizelimit()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_sizelimit()"

	# Here doc to modify sizelimit.
	( cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: ${IDS_SIZELIMIT}
EOF
	) > ${TMPDIR}/ids_sizelimit

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_sizelimit ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of nsslapd-sizelimit failed!"
		cleanup
		exit 1
	fi

	# Display messages for modifications made in patch.
	${ECHO} " ${STEP}. Changed sizelimit to ${IDS_SIZELIMIT} in cn=config."
	STEP=`expr $STEP + 1`
}


# modify_pwd_crypt(): Modify the passwd storage scheme to support CRYPT.
# Sets passwordstoragescheme to "crypt" server-wide, choosing the entry
# that holds the attribute by server version (IDS_MAJVER/IDS_MINVER).
# NOTE: "crypt" is the legacy Unix crypt(3) hash, which is weak by
# today's standards; presumably it is required so that clients which
# read userPassword and compare hashes themselves (rather than binding)
# keep working - confirm before relying on it for a new deployment.
# Exits the script (after cleanup) on failure; advances STEP on success.
modify_pwd_crypt()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In modify_pwd_crypt()"

	# Here doc to modify passwordstoragescheme.
	# IDS 5.2 moved passwordchangesceme off to a new data structure.
	# 5.0/5.1 keep it on cn=config, later versions on
	# cn=Password Policy,cn=config.
	# NOTE(review): a major version below 5 with minor > 1 would take
	# the else branch; the script header says only 5.x/6.x are supported.
	if [ $IDS_MAJVER -le 5 ] && [ $IDS_MINVER -le 1 ]; then
		( cat <<EOF
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: crypt
EOF
		) > ${TMPDIR}/ids_crypt
	else
		( cat <<EOF
dn: cn=Password Policy,cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: crypt
EOF
		) > ${TMPDIR}/ids_crypt
	fi

	# Add the entry.
	${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/ids_crypt ${VERB}"
	if [ $? -ne 0 ]; then
		${ECHO} " ERROR: update of passwordstoragescheme failed!"
		cleanup
		exit 1
	fi

	# Display messages for modifications made in patch.
	${ECHO} " ${STEP}. Changed passwordstoragescheme to \"crypt\" in cn=config."
	STEP=`expr $STEP + 1`
}


#
# add_eq_indexes(): Add indexes to improve search performance.
#
# For each attribute in _INDEXES: skip it if an index entry already
# exists, otherwise add an eq+pres nsIndex entry under the backend's
# cn=index container and then queue an index-rebuild task under
# cn=tasks,cn=config, polling its nstaskstatus until it is done.
# Globals read : DEBUG, ECHO, EVAL, GREP, LDAPSEARCH, LDAPMODIFY,
#                LDAP_ARGS, TMPDIR, VERB, IDS_DATABASE, STEP
# Globals set  : _INDEXES, _EXT, TASKNAME, TASK_STATUS, STEP, the _YR.._S
#                date parts; IDS_DATABASE via get_backend() if unset
# Exits the script (after cleanup) if an index or task cannot be added.
#
add_eq_indexes()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_eq_indexes()"

	# Set eq indexes to add.
	_INDEXES="uidNumber ipNetworkNumber gidnumber oncrpcnumber automountKey"

	# get_backend() (defined elsewhere) fills in IDS_DATABASE or exits.
	if [ -z "${IDS_DATABASE}" ]; then
		get_backend
	fi

	# Set _EXT to use as shortcut.
	_EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"

	# Display message to id current step.
	${ECHO} " ${STEP}. Processing eq,pres indexes:"
	STEP=`expr $STEP + 1`

	# For loop to create indexes.
	for i in ${_INDEXES}; do
		[ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}"

		# Check if entry exists first, if so, skip to next.
		${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" -s base \
			\"objectclass=*\" > /dev/null 2>&1"
		if [ $? -eq 0 ]; then
			# Display index skipped.
			${ECHO} " ${i} (eq,pres) skipped already exists"
			continue
		fi

		# Here doc to create LDIF.
		( cat <<EOF
dn: cn=${i},${_EXT}
objectClass: top
objectClass: nsIndex
cn: ${i}
nsSystemIndex: false
nsIndexType: pres
nsIndexType: eq
EOF
		) > ${TMPDIR}/index_${i}

		# Add the index.
		${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}"
		if [ $? -ne 0 ]; then
			${ECHO} " ERROR: Adding EQ,PRES index for ${i} failed!"
			cleanup
			exit 1
		fi

		# Build date for task name.
		# Six separate date(1) calls: if a clock boundary falls between
		# them the parts are inconsistent, but the name only has to be
		# unique within the task container.
		_YR=`date '+%y'`
		_MN=`date '+%m'`
		_DY=`date '+%d'`
		_H=`date '+%H'`
		_M=`date '+%M'`
		_S=`date '+%S'`

		# Build task name
		TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}"

		# Build the task entry to add.
		( cat <<EOF
dn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: ${TASKNAME}
nsInstance: ${IDS_DATABASE}
nsIndexAttribute: ${i}
EOF
		) > ${TMPDIR}/task_${i}

		# Add the task.
		${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}"
		if [ $? -ne 0 ]; then
			${ECHO} " ERROR: Adding task for ${i} failed!"
			cleanup
			exit 1
		fi

		# Wait for task to finish, display current status.
		# Leaves the loop when the task entry is gone (the server removes
		# finished tasks) or when its status contains "Finished";
		# otherwise it re-polls every 2 seconds with no upper bound.
		while :
		do
			${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \
				-b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \
				\"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1"
			${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1
			if [ $? -ne 0 ]; then
				break
			fi
			TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" |
				head -1 | cut -d: -f2`
			# Relies on ${ECHO} interpreting \r and \c (no newline) so
			# the status line is overwritten in place.
			${ECHO} " ${i} (eq,pres) $TASK_STATUS \r\c"
			${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1
			if [ $? -eq 0 ]; then
				break
			fi
			sleep 2
		done

		# Print newline because of \c.
		${ECHO} " "
	done
}


#
# add_sub_indexes(): Add indexes to improve search performance.
#
add_sub_indexes()
{
	[ $DEBUG -eq 1 ] && ${ECHO} "In add_sub_indexes()"

	# Set eq indexes to add.
	_INDEXES="ipHostNumber membernisnetgroup nisnetgrouptriple"

	# Set _EXT to use as shortcut.
	_EXT="cn=index,cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config"


	# Display message to id current step.
	${ECHO} " ${STEP}. Processing eq,pres,sub indexes:"
	STEP=`expr $STEP + 1`

	# For loop to create indexes.
	for i in ${_INDEXES}; do
		[ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}"

		# Check if entry exists first, if so, skip to next.
		${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${i},${_EXT}\" \
			-s base \"objectclass=*\" > /dev/null 2>&1"
		if [ $? -eq 0 ]; then
			# Display index skipped.
39597c478bd9Sstevel@tonic-gate ${ECHO} " ${i} (eq,pres,sub) skipped already exists" 39607c478bd9Sstevel@tonic-gate continue 39617c478bd9Sstevel@tonic-gate fi 39627c478bd9Sstevel@tonic-gate 39637c478bd9Sstevel@tonic-gate # Here doc to create LDIF. 39647c478bd9Sstevel@tonic-gate ( cat <<EOF 39657c478bd9Sstevel@tonic-gatedn: cn=${i},${_EXT} 39667c478bd9Sstevel@tonic-gateobjectClass: top 39677c478bd9Sstevel@tonic-gateobjectClass: nsIndex 39687c478bd9Sstevel@tonic-gatecn: ${i} 39697c478bd9Sstevel@tonic-gatensSystemIndex: false 39707c478bd9Sstevel@tonic-gatensIndexType: pres 39717c478bd9Sstevel@tonic-gatensIndexType: eq 39727c478bd9Sstevel@tonic-gatensIndexType: sub 39737c478bd9Sstevel@tonic-gateEOF 39747c478bd9Sstevel@tonic-gate) > ${TMPDIR}/index_${i} 39757c478bd9Sstevel@tonic-gate 39767c478bd9Sstevel@tonic-gate # Add the index. 39777c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/index_${i} ${VERB}" 39787c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 39797c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Adding EQ,PRES,SUB index for ${i} failed!" 39807c478bd9Sstevel@tonic-gate cleanup 39817c478bd9Sstevel@tonic-gate exit 1 39827c478bd9Sstevel@tonic-gate fi 39837c478bd9Sstevel@tonic-gate 39847c478bd9Sstevel@tonic-gate # Build date for task name. 39857c478bd9Sstevel@tonic-gate _YR=`date '+%y'` 39867c478bd9Sstevel@tonic-gate _MN=`date '+%m'` 39877c478bd9Sstevel@tonic-gate _DY=`date '+%d'` 39887c478bd9Sstevel@tonic-gate _H=`date '+%H'` 39897c478bd9Sstevel@tonic-gate _M=`date '+%M'` 39907c478bd9Sstevel@tonic-gate _S=`date '+%S'` 39917c478bd9Sstevel@tonic-gate 39927c478bd9Sstevel@tonic-gate # Build task name 39937c478bd9Sstevel@tonic-gate TASKNAME="${i}_${_YR}_${_MN}_${_DY}_${_H}_${_M}_${_S}" 39947c478bd9Sstevel@tonic-gate 39957c478bd9Sstevel@tonic-gate # Build the task entry to add. 
39967c478bd9Sstevel@tonic-gate ( cat <<EOF 39977c478bd9Sstevel@tonic-gatedn: cn=${TASKNAME}, cn=index, cn=tasks, cn=config 39987c478bd9Sstevel@tonic-gatechangetype: add 39997c478bd9Sstevel@tonic-gateobjectclass: top 40007c478bd9Sstevel@tonic-gateobjectclass: extensibleObject 40017c478bd9Sstevel@tonic-gatecn: ${TASKNAME} 40027c478bd9Sstevel@tonic-gatensInstance: ${IDS_DATABASE} 40037c478bd9Sstevel@tonic-gatensIndexAttribute: ${i} 40047c478bd9Sstevel@tonic-gateEOF 40057c478bd9Sstevel@tonic-gate) > ${TMPDIR}/task_${i} 40067c478bd9Sstevel@tonic-gate 40077c478bd9Sstevel@tonic-gate # Add the task. 40087c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/task_${i} ${VERB}" 40097c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 40107c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Adding task for ${i} failed!" 40117c478bd9Sstevel@tonic-gate cleanup 40127c478bd9Sstevel@tonic-gate exit 1 40137c478bd9Sstevel@tonic-gate fi 40147c478bd9Sstevel@tonic-gate 40157c478bd9Sstevel@tonic-gate # Wait for task to finish, display current status. 40167c478bd9Sstevel@tonic-gate while : 40177c478bd9Sstevel@tonic-gate do 4018a58015d1Svl ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} \ 4019a58015d1Svl -b \"cn=${TASKNAME}, cn=index, cn=tasks, cn=config\" -s base \ 4020a58015d1Svl \"objectclass=*\" nstaskstatus > \"${TMPDIR}/istask_${i}\" 2>&1" 4021a58015d1Svl ${GREP} "${TASKNAME}" "${TMPDIR}/istask_${i}" > /dev/null 2>&1 40227c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 40237c478bd9Sstevel@tonic-gate break 40247c478bd9Sstevel@tonic-gate fi 4025a58015d1Svl TASK_STATUS=`${GREP} -i nstaskstatus "${TMPDIR}/istask_${i}" | 4026a58015d1Svl head -1 | cut -d: -f2` 40277c478bd9Sstevel@tonic-gate ${ECHO} " ${i} (eq,pres,sub) $TASK_STATUS \r\c" 40287c478bd9Sstevel@tonic-gate ${ECHO} "$TASK_STATUS" | ${GREP} "Finished" > /dev/null 2>&1 40297c478bd9Sstevel@tonic-gate if [ $? 
-eq 0 ]; then 40307c478bd9Sstevel@tonic-gate break 40317c478bd9Sstevel@tonic-gate fi 40327c478bd9Sstevel@tonic-gate sleep 2 40337c478bd9Sstevel@tonic-gate done 40347c478bd9Sstevel@tonic-gate 40357c478bd9Sstevel@tonic-gate # Print newline because of \c. 40367c478bd9Sstevel@tonic-gate ${ECHO} " " 40377c478bd9Sstevel@tonic-gate done 40387c478bd9Sstevel@tonic-gate} 40397c478bd9Sstevel@tonic-gate 40407c478bd9Sstevel@tonic-gate 40417c478bd9Sstevel@tonic-gate# 40427c478bd9Sstevel@tonic-gate# add_vlv_indexes(): Add VLV indexes to improve search performance. 40437c478bd9Sstevel@tonic-gate# 40447c478bd9Sstevel@tonic-gateadd_vlv_indexes() 40457c478bd9Sstevel@tonic-gate{ 40467c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_indexes()" 40477c478bd9Sstevel@tonic-gate 40487c478bd9Sstevel@tonic-gate # Set eq indexes to add. 40497c478bd9Sstevel@tonic-gate # Note semi colon separators because some filters contain colons 40507c478bd9Sstevel@tonic-gate _INDEX1="${LDAP_DOMAIN}.getgrent;${LDAP_DOMAIN}_group_vlv_index;ou=group;objectClass=posixGroup" 40517c478bd9Sstevel@tonic-gate _INDEX2="${LDAP_DOMAIN}.gethostent;${LDAP_DOMAIN}_hosts_vlv_index;ou=hosts;objectClass=ipHost" 40527c478bd9Sstevel@tonic-gate _INDEX3="${LDAP_DOMAIN}.getnetent;${LDAP_DOMAIN}_networks_vlv_index;ou=networks;objectClass=ipNetwork" 40537c478bd9Sstevel@tonic-gate _INDEX4="${LDAP_DOMAIN}.getpwent;${LDAP_DOMAIN}_passwd_vlv_index;ou=people;objectClass=posixAccount" 40547c478bd9Sstevel@tonic-gate _INDEX5="${LDAP_DOMAIN}.getrpcent;${LDAP_DOMAIN}_rpc_vlv_index;ou=rpc;objectClass=oncRpc" 40557c478bd9Sstevel@tonic-gate _INDEX6="${LDAP_DOMAIN}.getspent;${LDAP_DOMAIN}_shadow_vlv_index;ou=people;objectClass=shadowAccount" 40567c478bd9Sstevel@tonic-gate 40577c478bd9Sstevel@tonic-gate # Indexes added during NIS to LDAP transition 40587c478bd9Sstevel@tonic-gate _INDEX7="${LDAP_DOMAIN}.getauhoent;${LDAP_DOMAIN}_auho_vlv_index;automountmapname=auto_home;objectClass=automount" 40597c478bd9Sstevel@tonic-gate 
_INDEX8="${LDAP_DOMAIN}.getsoluent;${LDAP_DOMAIN}_solu_vlv_index;ou=people;objectClass=SolarisUserAttr" 40607c478bd9Sstevel@tonic-gate _INDEX9="${LDAP_DOMAIN}.getauduent;${LDAP_DOMAIN}_audu_vlv_index;ou=people;objectClass=SolarisAuditUser" 40617c478bd9Sstevel@tonic-gate _INDEX10="${LDAP_DOMAIN}.getauthent;${LDAP_DOMAIN}_auth_vlv_index;ou=SolarisAuthAttr;objectClass=SolarisAuthAttr" 40627c478bd9Sstevel@tonic-gate _INDEX11="${LDAP_DOMAIN}.getexecent;${LDAP_DOMAIN}_exec_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisExecAttr)(SolarisKernelSecurityPolicy=*)" 40637c478bd9Sstevel@tonic-gate _INDEX12="${LDAP_DOMAIN}.getprofent;${LDAP_DOMAIN}_prof_vlv_index;ou=SolarisProfAttr;&(objectClass=SolarisProfAttr)(SolarisAttrLongDesc=*)" 40647c478bd9Sstevel@tonic-gate _INDEX13="${LDAP_DOMAIN}.getmailent;${LDAP_DOMAIN}_mail_vlv_index;ou=aliases;objectClass=mailGroup" 40657c478bd9Sstevel@tonic-gate _INDEX14="${LDAP_DOMAIN}.getbootent;${LDAP_DOMAIN}__boot_vlv_index;ou=ethers;&(objectClass=bootableDevice)(bootParameter=*)" 40667c478bd9Sstevel@tonic-gate _INDEX15="${LDAP_DOMAIN}.getethent;${LDAP_DOMAIN}_ethers_vlv_index;ou=ethers;&(objectClass=ieee802Device)(macAddress=*)" 40677c478bd9Sstevel@tonic-gate _INDEX16="${LDAP_DOMAIN}.getngrpent;${LDAP_DOMAIN}_netgroup_vlv_index;ou=netgroup;objectClass=nisNetgroup" 40687c478bd9Sstevel@tonic-gate _INDEX17="${LDAP_DOMAIN}.getipnent;${LDAP_DOMAIN}_ipn_vlv_index;ou=networks;&(objectClass=ipNetwork)(cn=*)" 40697c478bd9Sstevel@tonic-gate _INDEX18="${LDAP_DOMAIN}.getmaskent;${LDAP_DOMAIN}_mask_vlv_index;ou=networks;&(objectClass=ipNetwork)(ipNetmaskNumber=*)" 40707c478bd9Sstevel@tonic-gate _INDEX19="${LDAP_DOMAIN}.getprent;${LDAP_DOMAIN}_pr_vlv_index;ou=printers;objectClass=printerService" 40717c478bd9Sstevel@tonic-gate _INDEX20="${LDAP_DOMAIN}.getip4ent;${LDAP_DOMAIN}_ip4_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*.*)" 40727c478bd9Sstevel@tonic-gate 
_INDEX21="${LDAP_DOMAIN}.getip6ent;${LDAP_DOMAIN}_ip6_vlv_index;ou=hosts;&(objectClass=ipHost)(ipHostNumber=*:*)" 40737c478bd9Sstevel@tonic-gate 40747c478bd9Sstevel@tonic-gate _INDEXES="$_INDEX1 $_INDEX2 $_INDEX3 $_INDEX4 $_INDEX5 $_INDEX6 $_INDEX7 $_INDEX8 $_INDEX9 $_INDEX10 $_INDEX11 $_INDEX12 $_INDEX13 $_INDEX14 $_INDEX15 $_INDEX16 $_INDEX17 $_INDEX18 $_INDEX19 $_INDEX20 $_INDEX21 " 40757c478bd9Sstevel@tonic-gate 40767c478bd9Sstevel@tonic-gate 40777c478bd9Sstevel@tonic-gate # Set _EXT to use as shortcut. 40787c478bd9Sstevel@tonic-gate _EXT="cn=${IDS_DATABASE},cn=ldbm database,cn=plugins,cn=config" 40797c478bd9Sstevel@tonic-gate 40807c478bd9Sstevel@tonic-gate 40817c478bd9Sstevel@tonic-gate # Display message to id current step. 40827c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Processing VLV indexes:" 40837c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 40847c478bd9Sstevel@tonic-gate 40857c478bd9Sstevel@tonic-gate # Reset temp file for vlvindex commands. 4086e1dd0a2fSth [ -f ${TMPDIR}/ds5_vlvindex_list ] && rm ${TMPDIR}/ds5_vlvindex_list 4087e1dd0a2fSth touch ${TMPDIR}/ds5_vlvindex_list 4088e1dd0a2fSth [ -f ${TMPDIR}/ds6_vlvindex_list ] && rm ${TMPDIR}/ds6_vlvindex_list 4089e1dd0a2fSth touch ${TMPDIR}/ds6_vlvindex_list 40907c478bd9Sstevel@tonic-gate 40917c478bd9Sstevel@tonic-gate # Get the instance name from iDS server. 40927c478bd9Sstevel@tonic-gate _INSTANCE="<server-instance>" # Default to old output. 40937c478bd9Sstevel@tonic-gate 40947c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} -v ${LDAP_ARGS} -b \"cn=config\" -s base \"objectclass=*\" nsslapd-instancedir | ${GREP} 'nsslapd-instancedir=' | cut -d'=' -f2- > ${TMPDIR}/instance_name 2>&1" 40957c478bd9Sstevel@tonic-gate 40967c478bd9Sstevel@tonic-gate ${GREP} "slapd-" ${TMPDIR}/instance_name > /dev/null 2>&1 # Check if seems right? 40977c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then # If success, grab name after "slapd-". 
40987c478bd9Sstevel@tonic-gate _INST_DIR=`cat ${TMPDIR}/instance_name` 40997c478bd9Sstevel@tonic-gate _INSTANCE=`basename "${_INST_DIR}" | cut -d'-' -f2-` 41007c478bd9Sstevel@tonic-gate fi 41017c478bd9Sstevel@tonic-gate 41027c478bd9Sstevel@tonic-gate # For loop to create indexes. 41037c478bd9Sstevel@tonic-gate for p in ${_INDEXES}; do 41047c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} " Adding index for ${i}" 41057c478bd9Sstevel@tonic-gate 41067c478bd9Sstevel@tonic-gate # Break p (pair) into i and j parts. 41077c478bd9Sstevel@tonic-gate i=`${ECHO} $p | cut -d';' -f1` 41087c478bd9Sstevel@tonic-gate j=`${ECHO} $p | cut -d';' -f2` 41097c478bd9Sstevel@tonic-gate k=`${ECHO} $p | cut -d';' -f3` 41107c478bd9Sstevel@tonic-gate m=`${ECHO} $p | cut -d';' -f4` 41117c478bd9Sstevel@tonic-gate 41127c478bd9Sstevel@tonic-gate # Set _jEXT to use as shortcut. 41137c478bd9Sstevel@tonic-gate _jEXT="cn=${j},${_EXT}" 41147c478bd9Sstevel@tonic-gate 41157c478bd9Sstevel@tonic-gate # Check if entry exists first, if so, skip to next. 41167c478bd9Sstevel@tonic-gate ${LDAPSEARCH} ${SERVER_ARGS} -b "cn=${i},${_jEXT}" -s base "objectclass=*" > /dev/null 2>&1 41177c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 41187c478bd9Sstevel@tonic-gate # Display index skipped. 41197c478bd9Sstevel@tonic-gate ${ECHO} " ${i} vlv_index skipped already exists" 41207c478bd9Sstevel@tonic-gate continue 41217c478bd9Sstevel@tonic-gate fi 41227c478bd9Sstevel@tonic-gate 41237c478bd9Sstevel@tonic-gate # Compute the VLV Scope from the LDAP_SEARCH_SCOPE. 41247c478bd9Sstevel@tonic-gate # NOTE: A value of "base (0)" does not make sense. 41257c478bd9Sstevel@tonic-gate case "$LDAP_SEARCH_SCOPE" in 41267c478bd9Sstevel@tonic-gate sub) VLV_SCOPE="2" ;; 41277c478bd9Sstevel@tonic-gate *) VLV_SCOPE="1" ;; 41287c478bd9Sstevel@tonic-gate esac 41297c478bd9Sstevel@tonic-gate 41307c478bd9Sstevel@tonic-gate # Here doc to create LDIF. 
41317c478bd9Sstevel@tonic-gate ( cat <<EOF 41327c478bd9Sstevel@tonic-gatedn: ${_jEXT} 41337c478bd9Sstevel@tonic-gateobjectClass: top 41347c478bd9Sstevel@tonic-gateobjectClass: vlvSearch 41357c478bd9Sstevel@tonic-gatecn: ${j} 41367c478bd9Sstevel@tonic-gatevlvbase: ${k},${LDAP_BASEDN} 41377c478bd9Sstevel@tonic-gatevlvscope: ${VLV_SCOPE} 41387c478bd9Sstevel@tonic-gatevlvfilter: (${m}) 41397c478bd9Sstevel@tonic-gateaci: (target="ldap:///${_jEXT}")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";) 41407c478bd9Sstevel@tonic-gate 41417c478bd9Sstevel@tonic-gatedn: cn=${i},${_jEXT} 41427c478bd9Sstevel@tonic-gatecn: ${i} 41437c478bd9Sstevel@tonic-gatevlvSort: cn uid 41447c478bd9Sstevel@tonic-gateobjectclass: top 41457c478bd9Sstevel@tonic-gateobjectclass: vlvIndex 41467c478bd9Sstevel@tonic-gateEOF 41477c478bd9Sstevel@tonic-gate) > ${TMPDIR}/vlv_index_${i} 41487c478bd9Sstevel@tonic-gate 41497c478bd9Sstevel@tonic-gate # Add the index. 41507c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}" 41517c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 41527c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Adding VLV index for ${i} failed!" 41537c478bd9Sstevel@tonic-gate cleanup 41547c478bd9Sstevel@tonic-gate exit 1 41557c478bd9Sstevel@tonic-gate fi 41567c478bd9Sstevel@tonic-gate 41577c478bd9Sstevel@tonic-gate # Print message that index was created. 41587c478bd9Sstevel@tonic-gate ${ECHO} " ${i} vlv_index Entry created" 41597c478bd9Sstevel@tonic-gate 41607c478bd9Sstevel@tonic-gate # Add command to list of vlvindex commands to run. 
4161e1dd0a2fSth ${ECHO} " directoryserver -s ${_INSTANCE} vlvindex -n ${IDS_DATABASE} -T ${i}" >> ${TMPDIR}/ds5_vlvindex_list 4162e1dd0a2fSth ${ECHO} " <install-path>/bin/dsadm reindex -l -t ${i} <directory-instance-path> ${LDAP_SUFFIX}" >> ${TMPDIR}/ds6_vlvindex_list 41637c478bd9Sstevel@tonic-gate done 41647c478bd9Sstevel@tonic-gate} 41657c478bd9Sstevel@tonic-gate 41667c478bd9Sstevel@tonic-gate 41677c478bd9Sstevel@tonic-gate# 41687c478bd9Sstevel@tonic-gate# display_vlv_cmds(): Display VLV index commands to run on server. 41697c478bd9Sstevel@tonic-gate# 41707c478bd9Sstevel@tonic-gatedisplay_vlv_cmds() 41717c478bd9Sstevel@tonic-gate{ 4172e1dd0a2fSth if [ -s "${TMPDIR}/ds5_vlvindex_list" -o \ 4173e1dd0a2fSth -s "${TMPDIR}/ds6_vlvindex_list" ]; then 41747c478bd9Sstevel@tonic-gate display_msg display_vlv_list 4175e1dd0a2fSth fi 4176e1dd0a2fSth 4177e1dd0a2fSth if [ -s "${TMPDIR}/ds5_vlvindex_list" ]; then 4178e1dd0a2fSth cat ${TMPDIR}/ds5_vlvindex_list 4179e1dd0a2fSth fi 4180e1dd0a2fSth 4181e1dd0a2fSth cat << EOF 4182e1dd0a2fSth 4183e1dd0a2fSth 4184e1dd0a2fSthEOF 4185e1dd0a2fSth 4186e1dd0a2fSth if [ -s "${TMPDIR}/ds6_vlvindex_list" ]; then 4187e1dd0a2fSth cat ${TMPDIR}/ds6_vlvindex_list 41887c478bd9Sstevel@tonic-gate fi 41897c478bd9Sstevel@tonic-gate} 41907c478bd9Sstevel@tonic-gate 41917c478bd9Sstevel@tonic-gate 41927c478bd9Sstevel@tonic-gate# 41937c478bd9Sstevel@tonic-gate# update_schema_attr(): Update Schema to support Naming. 
41947c478bd9Sstevel@tonic-gate# 41957c478bd9Sstevel@tonic-gateupdate_schema_attr() 41967c478bd9Sstevel@tonic-gate{ 41977c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_attr()" 41987c478bd9Sstevel@tonic-gate 41997c478bd9Sstevel@tonic-gate ( cat <<EOF 42007c478bd9Sstevel@tonic-gatedn: cn=schema 42017c478bd9Sstevel@tonic-gatechangetype: modify 42027c478bd9Sstevel@tonic-gateadd: attributetypes 42037c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'NIS public key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42047c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'NIS secret key' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42057c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42067c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42077c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'automount Key Value' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42087c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'automount information' EQUALITY caseExactIA5Match SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42097c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 42107c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 42117c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 42127c478bd9Sstevel@tonic-gateattributetypes: ( rfc822mailMember-oid NAME 'rfc822mailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 
42137c478bd9Sstevel@tonic-gateattributetypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42147c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42157c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE ) 42167c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42177c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE ) 42187c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42197c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 42207c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 42217c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42227c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42237c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 42247c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42257c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 
42267c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15') 42277c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42287c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42297c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42307c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.5 NAME 'SolarisAuditAlways' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42317c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.6 NAME 'SolarisAuditNever' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42327c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42337c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42347c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42357c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42367c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42377c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42387c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' SYNTAX 
'1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42397c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42407c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 42417c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' SINGLE-VALUE ) 42427c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 42437c478bd9Sstevel@tonic-gateattributetypes: ( memberGid-oid NAME 'memberGid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 42447c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42457c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE ) 42467c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42477c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 42487c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 42497c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned 
by a DSA search result' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42507c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42517c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live before a client DUA should re-read this configuration profile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) 42527c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' ) 42537c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42547c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42557c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a Naming-DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42567c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42577c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Search scope used by a service of the DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 42587c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication Method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 ) 42597c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported by this printer. This URI SHOULD be used as a relative distinguished name (RDN). If printer-xri-supported is implemented, then this URI value MUST be listed in a member value of printer-xri-supported.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42607c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1107 NAME 'printer-xri-supported' DESC 'The unordered list of XRI (extended resource identifiers) supported by this printer. Each member of the list consists of a URI (uniform resource identifier) followed by optional authentication and security metaparameters.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 42617c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specific administrative name of this printer, more end-user friendly than a URI.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42627c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured language in which error and status messages will be generated (by default) by this printer. Also, a possible language for printer string attributes set by operator, system administrator, or manufacturer. Also, the (declared) language of the "printer-name", "printer-location", "printer-info", and "printer-make-and-model" attributes of this printer. For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of language tags conform to [RFC3066] "Tags for the Identification of Languages".' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42637c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'Identifies the location of the printer. This could include things like: "in Room 123A", "second floor of building XYZ".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42647c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Identifies the descriptive information about this printer. This could include things like: "This printer can be used for printing color transparencies for HR presentations", or "Out of courtesy for others, please print only small (1-5 page) jobs at this printer", or even "This printer is going away on July 1, 1997, please find a new printer".' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42657c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI used to obtain more information about this specific printer. For example, this could be an HTTP type URI referencing an HTML page accessible to a Web Browser. The information obtained from this URI is intended for end user consumption.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 42667c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1138 NAME 'printer-make-and-model' DESC 'Identifies the make and model of the device. The device manufacturer MAY initially populate this attribute.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42677c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'Identifies the IPP protocol version(s) that this printer supports, including major and minor versions, i.e., the version numbers for which this Printer implementation meets the conformance requirements.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42687c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1132 NAME 'printer-multiple-document-jobs-supported' DESC 'Indicates whether or not the printer supports more than one document per job, i.e., more than one Send-Document or Send-Data operation with document data.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 42697c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer. Also, a possible charset for printer string attributes set by operator, system administrator, or manufacturer. For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the "(preferred MIME name)" SHALL be used as the tag. For coherence with IPP Model, charset tags in this attribute SHALL be lowercase normalized. This attribute SHOULD be static (time of registration) and SHOULD NOT be dynamically refreshed attributetypes: (subsequently).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE ) 42707c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Identifies the set of charsets supported for attribute type values of type Directory String for this directory entry. 
For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1). Legal values are defined by the IANA Registry of Coded Character Sets and the preferred MIME name.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 42717c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-supported' DESC 'Identifies the natural language(s) supported for this directory entry. For example: "en-us" (US English) or "fr-fr" (French in France). Legal values conform to [RFC3066], Tags for the Identification of Languages.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} ) 42727c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1130 NAME 'printer-document-format-supported' DESC 'The possible document formats in which data may be interpreted and printed by this printer. Legal values are MIME types come from the IANA Registry of Internet Media Types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42737c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1129 NAME 'printer-color-supported' DESC 'Indicates whether this printer is capable of any type of color printing at all, including highlight color.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 42747c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer. For example: "deflate, gzip". Legal values include; "none", "deflate" attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42757c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1127 NAME 'printer-pages-per-minute' DESC 'The nominal number of pages per minute which may be output by this printer (e.g., a simplex or black-and-white printer). This attribute is informative, NOT a service guarantee. 
Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42767c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer (e.g., a simplex or color printer). This attribute is informative, NOT a service guarantee. Typically, it is the value used in marketing literature to describe this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42777c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC 'The possible finishing operations supported by this printer. Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch", "edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right", "staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right", "edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right", "staple-dual-bottom".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42787c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'The possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium. Legal values include; 1, 2, and 4. Implementations may support other values.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 42797c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The number of impression sides (one or two) and the two-sided impression rotations supported by this printer. Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".' 
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42807c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The standard names/types/sizes (and optional color suffixes) of the media supported by this printer. For example: "iso-a4", "envelope", or "na-letter-white". Legal values conform to ISO 10175, Document Printing Application (DPA), and any IANA registered extensions.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42817c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer, in the language in "printer-natural-language-configured". For example: "purchasing-form" (site-specific name) as opposed to (in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42827c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1121 NAME 'printer-resolution-supported' DESC 'List of resolutions supported for printing documents by this printer. Each resolution value is a string with 3 fields: 1) Cross feed direction resolution (positive integer), 2) Feed direction resolution (positive integer), 3) Resolution unit. Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter). Each resolution field is delimited by ">". For example: "300> 300> dpi>".' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} ) 42837c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DESC 'List of print qualities supported for printing documents on this printer. For example: "draft, normal". Legal values include; "unknown", "draft", "normal", "high".' 
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42847c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1110 NAME 'printer-job-priority-supported' DESC 'Indicates the number of job priority levels supported. An IPP conformant printer which supports job priority must always support a full range of priorities from "1" to "100" (to ensure consistent behavior), therefore this attribute describes the "granularity". Legal values of this attribute are from "1" to "100".' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42857c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1118 NAME 'printer-copies-supported' DESC 'The maximum number of copies of a document that may be printed as a single job. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42867c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept. A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 42877c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The name of the current human operator responsible for operating this printer. It is suggested that this string include information that would enable other humans to reach the operator, such as a phone number.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42887c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The name of the current human service person responsible for servicing this printer. It is suggested that this string include information that would enable other humans to reach the service person, such as a phone number.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE ) 42897c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer. Legal values include; "unknown", "face-up", and "face-down".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42907c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DESC 'The possible stacking order of pages as they are printed and ejected from this printer. Legal values include; "unknown", "first-to-last", "last-to-first".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42917c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1116 NAME 'printer-output-features-supported' DESC 'The possible output features supported by this printer. Legal values include; "unknown", "bursting", "decollating", "page-collating", "offset-stacking".' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42927c478bd9Sstevel@tonic-gateattributetypes:( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific administrative names of this printer in addition the printer name specified for printer-name.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} ) 42937c478bd9Sstevel@tonic-gateattributetypes:( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) 42947c478bd9Sstevel@tonic-gateattributetypes:( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) 42957c478bd9Sstevel@tonic-gateattributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 429645916cd2Sjpkattributetypes:( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 429745916cd2Sjpkattributetypes:( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 42987c478bd9Sstevel@tonic-gateEOF 42997c478bd9Sstevel@tonic-gate) > ${TMPDIR}/schema_attr 43007c478bd9Sstevel@tonic-gate 43017c478bd9Sstevel@tonic-gate # Add the entry. 43027c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_attr ${VERB}" 43037c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 43047c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: update of schema attributes failed!" 
43057c478bd9Sstevel@tonic-gate cleanup 43067c478bd9Sstevel@tonic-gate exit 1 43077c478bd9Sstevel@tonic-gate fi 43087c478bd9Sstevel@tonic-gate 43097c478bd9Sstevel@tonic-gate # Display message that schema is updated. 43107c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Schema attributes have been updated." 43117c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 43127c478bd9Sstevel@tonic-gate} 43137c478bd9Sstevel@tonic-gate 43147c478bd9Sstevel@tonic-gate 43157c478bd9Sstevel@tonic-gate# 43167c478bd9Sstevel@tonic-gate# update_schema_obj(): Update the schema objectclass definitions. 43177c478bd9Sstevel@tonic-gate# 43187c478bd9Sstevel@tonic-gateupdate_schema_obj() 43197c478bd9Sstevel@tonic-gate{ 43207c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In update_schema_obj()" 43217c478bd9Sstevel@tonic-gate 43227c478bd9Sstevel@tonic-gate # Add the objectclass definitions. 43237c478bd9Sstevel@tonic-gate ( cat <<EOF 43247c478bd9Sstevel@tonic-gatedn: cn=schema 43257c478bd9Sstevel@tonic-gatechangetype: modify 43267c478bd9Sstevel@tonic-gateadd: objectclasses 43277c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' SUP 'top' MUST (objectclass $ cn $ nisPublickey $ nisSecretkey) MAY (uidNumber $ description)) 43287c478bd9Sstevel@tonic-gate 43297c478bd9Sstevel@tonic-gatedn: cn=schema 43307c478bd9Sstevel@tonic-gatechangetype: modify 43317c478bd9Sstevel@tonic-gateadd: objectclasses 43327c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP 'top' MUST (objectclass $ nisDomain) MAY ()) 43337c478bd9Sstevel@tonic-gate 43347c478bd9Sstevel@tonic-gatedn: cn=schema 43357c478bd9Sstevel@tonic-gatechangetype: modify 43367c478bd9Sstevel@tonic-gateadd: objectclasses 43377c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP 'top' MUST (objectclass $ automountMapName) MAY (description)) 43387c478bd9Sstevel@tonic-gate 43397c478bd9Sstevel@tonic-gatedn: cn=schema 43407c478bd9Sstevel@tonic-gatechangetype: modify 
43417c478bd9Sstevel@tonic-gateadd: objectclasses 43427c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP 'top' MUST (objectclass $ automountKey $ automountInformation ) MAY (description)) 43437c478bd9Sstevel@tonic-gate 43447c478bd9Sstevel@tonic-gatedn: cn=schema 43457c478bd9Sstevel@tonic-gatechangetype: modify 43467c478bd9Sstevel@tonic-gateadd: objectclasses 43477c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP 'top' MUST (objectclass $ cn $ SolarisLDAPservers $ SolarisSearchBaseDN) MAY (SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral)) 43487c478bd9Sstevel@tonic-gate 43497c478bd9Sstevel@tonic-gatedn: cn=schema 43507c478bd9Sstevel@tonic-gatechangetype: modify 43517c478bd9Sstevel@tonic-gateadd: objectclasses 43527c478bd9Sstevel@tonic-gateobjectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP 'top' MUST (objectclass $ mail) MAY (cn $ mgrpRFC822MailMember)) 43537c478bd9Sstevel@tonic-gate 43547c478bd9Sstevel@tonic-gatedn: cn=schema 43557c478bd9Sstevel@tonic-gatechangetype: modify 43567c478bd9Sstevel@tonic-gateadd: objectclasses 43577c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' SUP 'top' MUST (objectclass $ cn) MAY (rfc822mailMember)) 43587c478bd9Sstevel@tonic-gate 43597c478bd9Sstevel@tonic-gatedn: cn=schema 43607c478bd9Sstevel@tonic-gatechangetype: modify 43617c478bd9Sstevel@tonic-gateadd: objectclasses 43627c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' SUP 'top' MUST (objectclass $ cn) MAY (nisNetIdUser $ nisNetIdGroup $ nisNetIdHost)) 43637c478bd9Sstevel@tonic-gate 43647c478bd9Sstevel@tonic-gatedn: cn=schema 43657c478bd9Sstevel@tonic-gatechangetype: 
modify 43667c478bd9Sstevel@tonic-gateadd: objectclasses 43677c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.2 NAME 'SolarisAuditUser' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisAuditAlways $ SolarisAuditNever)) 43687c478bd9Sstevel@tonic-gate 43697c478bd9Sstevel@tonic-gatedn: cn=schema 43707c478bd9Sstevel@tonic-gatechangetype: modify 43717c478bd9Sstevel@tonic-gateadd: objectclasses 43727c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue)) 43737c478bd9Sstevel@tonic-gate 43747c478bd9Sstevel@tonic-gatedn: cn=schema 43757c478bd9Sstevel@tonic-gatechangetype: modify 43767c478bd9Sstevel@tonic-gateadd: objectclasses 43777c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrShortDesc $ SolarisAttrLongDesc $ SolarisAttrKeyValue)) 43787c478bd9Sstevel@tonic-gate 43797c478bd9Sstevel@tonic-gatedn: cn=schema 43807c478bd9Sstevel@tonic-gatechangetype: modify 43817c478bd9Sstevel@tonic-gateadd: objectclasses 43827c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP 'top' MUST (objectclass $ cn) MAY (SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrLongDesc $ SolarisAttrKeyValue)) 43837c478bd9Sstevel@tonic-gate 43847c478bd9Sstevel@tonic-gatedn: cn=schema 43857c478bd9Sstevel@tonic-gatechangetype: modify 43867c478bd9Sstevel@tonic-gateadd: objectclasses 43877c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP 'top' AUXILIARY MUST (objectclass) MAY (SolarisKernelSecurityPolicy $ SolarisProfileType $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisProfileID $ SolarisAttrKeyValue)) 43887c478bd9Sstevel@tonic-gate 43897c478bd9Sstevel@tonic-gatedn: cn=schema 
43907c478bd9Sstevel@tonic-gatechangetype: modify 43917c478bd9Sstevel@tonic-gateadd: objectclasses 43927c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP 'top' MUST (objectclass $ SolarisProjectID $ SolarisProjectName) MAY (memberUid $ memberGid $ description $ SolarisProjectAttr)) 43937c478bd9Sstevel@tonic-gate 43947c478bd9Sstevel@tonic-gatedn: cn=schema 43957c478bd9Sstevel@tonic-gatechangetype: modify 43967c478bd9Sstevel@tonic-gateadd: objectclasses 43977c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP 'top' DESC 'Abstraction of a base configuration for a DUA' MUST (cn) MAY (defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL)) 43987c478bd9Sstevel@tonic-gate 43997c478bd9Sstevel@tonic-gatedn: cn=schema 44007c478bd9Sstevel@tonic-gatechangetype: modify 44017c478bd9Sstevel@tonic-gateadd: objectclasses 44027c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.2549 NAME 'slpService' DESC 'DUMMY definition' SUP 'top' MUST (objectclass) MAY ()) 44037c478bd9Sstevel@tonic-gate 44047c478bd9Sstevel@tonic-gatedn: cn=schema 44057c478bd9Sstevel@tonic-gatechangetype: modify 44067c478bd9Sstevel@tonic-gateadd: objectclasses 44077c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.254 NAME 'slpServicePrinter' DESC 'Service Location Protocol (SLP) information.' AUXILIARY SUP 'slpService') 44087c478bd9Sstevel@tonic-gate 44097c478bd9Sstevel@tonic-gatedn: cn=schema 44107c478bd9Sstevel@tonic-gatechangetype: modify 44117c478bd9Sstevel@tonic-gateadd: objectclasses 44127c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' 
ABSTRACT SUP 'top' MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported )) 44137c478bd9Sstevel@tonic-gate 44147c478bd9Sstevel@tonic-gatedn: cn=schema 44157c478bd9Sstevel@tonic-gatechangetype: modify 44167c478bd9Sstevel@tonic-gateadd: objectclasses 44177c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' STRUCTURAL SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported )) 44187c478bd9Sstevel@tonic-gate 44197c478bd9Sstevel@tonic-gatedn: cn=schema 44207c478bd9Sstevel@tonic-gatechangetype: modify 44217c478bd9Sstevel@tonic-gateadd: objectclasses 44227c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' AUXILIARY SUP 'printerAbstract' MAY ( printer-uri $ printer-xri-supported )) 44237c478bd9Sstevel@tonic-gate 44247c478bd9Sstevel@tonic-gatedn: cn=schema 44257c478bd9Sstevel@tonic-gatechangetype: modify 44267c478bd9Sstevel@tonic-gateadd: objectclasses 44277c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' 
AUXILIARY SUP 'top' MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported )) 44287c478bd9Sstevel@tonic-gate 44297c478bd9Sstevel@tonic-gatedn: cn=schema 44307c478bd9Sstevel@tonic-gatechangetype: modify 44317c478bd9Sstevel@tonic-gateadd: objectclasses 44327c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' AUXILIARY SUP 'top' MUST ( printer-name ) MAY ( printer-aliases)) 44337c478bd9Sstevel@tonic-gate 44347c478bd9Sstevel@tonic-gatedn: cn=schema 44357c478bd9Sstevel@tonic-gatechangetype: modify 44367c478bd9Sstevel@tonic-gateadd: objectclasses 44377c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14 NAME 'sunPrinter' DESC 'Sun printer information' SUP 'top' AUXILIARY MUST (objectclass $ printer-name) MAY (sun-printer-bsdaddr $ sun-printer-kvp)) 44387c478bd9Sstevel@tonic-gate 44397c478bd9Sstevel@tonic-gatedn: cn=schema 44407c478bd9Sstevel@tonic-gatechangetype: modify 44417c478bd9Sstevel@tonic-gateadd: objectclasses 44427c478bd9Sstevel@tonic-gateobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST ( cn ) MAY ( nisplusTimeZone $ description ) ) 444345916cd2Sjpk 444445916cd2Sjpkdn: cn=schema 444545916cd2Sjpkchangetype: modify 444645916cd2Sjpkadd: objectclasses 444745916cd2Sjpkobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP 'top' MUST ( objectclass $ ipTnetTemplateName ) MAY ( SolarisAttrKeyValue ) ) 444845916cd2Sjpk 444945916cd2Sjpkdn: cn=schema 445045916cd2Sjpkchangetype: modify 445145916cd2Sjpkadd: objectclasses 445245916cd2Sjpkobjectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP 'top' AUXILIARY MUST ( objectclass $ ipTnetNumber ) ) 44537c478bd9Sstevel@tonic-gateEOF 44547c478bd9Sstevel@tonic-gate) > ${TMPDIR}/schema_obj 44557c478bd9Sstevel@tonic-gate 
44567c478bd9Sstevel@tonic-gate # Add the entry. 44577c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/schema_obj ${VERB}" 44587c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 44597c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: update of schema objectclass definitions failed!" 44607c478bd9Sstevel@tonic-gate cleanup 44617c478bd9Sstevel@tonic-gate exit 1 44627c478bd9Sstevel@tonic-gate fi 44637c478bd9Sstevel@tonic-gate 44647c478bd9Sstevel@tonic-gate # Display message that schema is updated. 44657c478bd9Sstevel@tonic-gate ${ECHO} " ${STEP}. Schema objectclass definitions have been added." 44667c478bd9Sstevel@tonic-gate STEP=`expr $STEP + 1` 44677c478bd9Sstevel@tonic-gate} 44687c478bd9Sstevel@tonic-gate 44697c478bd9Sstevel@tonic-gate 44707c478bd9Sstevel@tonic-gate# 44717c478bd9Sstevel@tonic-gate# modify_top_aci(): Modify the ACI for the top entry to disable self modify 44727c478bd9Sstevel@tonic-gate# of user attributes. 44737c478bd9Sstevel@tonic-gate# 44747c478bd9Sstevel@tonic-gatemodify_top_aci() 44757c478bd9Sstevel@tonic-gate{ 44767c478bd9Sstevel@tonic-gate [ $DEBUG -eq 1 ] && ${ECHO} "In modify_top_aci()" 44777c478bd9Sstevel@tonic-gate 44787c478bd9Sstevel@tonic-gate # Set ACI Name 44797c478bd9Sstevel@tonic-gate ACI_NAME="LDAP_Naming_Services_deny_write_access" 44807c478bd9Sstevel@tonic-gate 44817c478bd9Sstevel@tonic-gate # Search for ACI_NAME 44827c478bd9Sstevel@tonic-gate eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_top_aci 2>&1" 44837c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 44847c478bd9Sstevel@tonic-gate ${ECHO} "Error searching aci for ${LDAP_BASEDN}" 44857c478bd9Sstevel@tonic-gate cat ${TMPDIR}/chk_top_aci 44867c478bd9Sstevel@tonic-gate cleanup 44877c478bd9Sstevel@tonic-gate exit 1 44887c478bd9Sstevel@tonic-gate fi 4489*dd1104fbSMichen Chang 4490*dd1104fbSMichen Chang # Display "already exists" message if necessary. 
For shadow update, 4491*dd1104fbSMichen Chang # check also if the deny self-write to userPassword has been done. 4492*dd1104fbSMichen Chang # If not, more to do, don't display the message. 4493*dd1104fbSMichen Chang MSG="Top level ACI ${ACI_NAME} already exists for ${LDAP_BASEDN}." 44947c478bd9Sstevel@tonic-gate ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci > /dev/null 2>&1 44957c478bd9Sstevel@tonic-gate if [ $? -eq 0 ]; then 4496*dd1104fbSMichen Chang if [ "$LDAP_ENABLE_SHADOW_UPDATE" != "TRUE" ];then 4497*dd1104fbSMichen Chang ${ECHO} " ${STEP}. $MSG" 4498*dd1104fbSMichen Chang STEP=`expr $STEP + 1` 4499*dd1104fbSMichen Chang return 0 4500*dd1104fbSMichen Chang else 4501*dd1104fbSMichen Chang ${GREP} "${ACI_NAME}" ${TMPDIR}/chk_top_aci | ${GREP} -i \ 4502*dd1104fbSMichen Chang userPassword > /dev/null 2>&1 4503*dd1104fbSMichen Chang if [ $? -eq 0 ]; then 4504*dd1104fbSMichen Chang # userPassword is already on the deny list, no more to do 4505*dd1104fbSMichen Chang if [ $EXISTING_PROFILE -eq 1 ];then 4506*dd1104fbSMichen Chang ${ECHO} " NOT SET: $MSG" 4507*dd1104fbSMichen Chang else 4508*dd1104fbSMichen Chang ${ECHO} " ${STEP}. $MSG" 4509*dd1104fbSMichen Chang STEP=`expr $STEP + 1` 4510*dd1104fbSMichen Chang fi 4511*dd1104fbSMichen Chang return 0 4512*dd1104fbSMichen Chang fi 4513*dd1104fbSMichen Chang fi 4514*dd1104fbSMichen Chang fi 4515*dd1104fbSMichen Chang 4516*dd1104fbSMichen Chang # if shadow update is enabled, also deny self-write to userPassword 4517*dd1104fbSMichen Chang if [ "$LDAP_ENABLE_SHADOW_UPDATE" = "TRUE" ];then 4518*dd1104fbSMichen Chang PWD_SELF_CHANGE="userPassword||" 4519*dd1104fbSMichen Chang else 4520*dd1104fbSMichen Chang PWD_SELF_CHANGE="" 45217c478bd9Sstevel@tonic-gate fi 45227c478bd9Sstevel@tonic-gate 45237c478bd9Sstevel@tonic-gate # Crate LDIF for top level ACI. 
45247c478bd9Sstevel@tonic-gate ( cat <<EOF 45257c478bd9Sstevel@tonic-gatedn: ${LDAP_BASEDN} 45267c478bd9Sstevel@tonic-gatechangetype: modify 45277c478bd9Sstevel@tonic-gateadd: aci 4528*dd1104fbSMichen Changaci: (targetattr = "${PWD_SELF_CHANGE}cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid||SolarisAuditAlways||SolarisAuditNever||SolarisAttrKeyValue||SolarisAttrReserved1||SolarisAttrReserved2||SolarisUserQualifier")(version 3.0; acl ${ACI_NAME}; deny (write) userdn = "ldap:///self";) 45297c478bd9Sstevel@tonic-gate- 45307c478bd9Sstevel@tonic-gateEOF 45317c478bd9Sstevel@tonic-gate) > ${TMPDIR}/top_aci 45327c478bd9Sstevel@tonic-gate 45337c478bd9Sstevel@tonic-gate # Add the entry. 45347c478bd9Sstevel@tonic-gate ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/top_aci ${VERB}" 45357c478bd9Sstevel@tonic-gate if [ $? -ne 0 ]; then 45367c478bd9Sstevel@tonic-gate ${ECHO} " ERROR: Modify of top level ACI failed! (restricts self modify)" 45377c478bd9Sstevel@tonic-gate cleanup 45387c478bd9Sstevel@tonic-gate exit 1 45397c478bd9Sstevel@tonic-gate fi 45407c478bd9Sstevel@tonic-gate 45417c478bd9Sstevel@tonic-gate # Display message that schema is updated. 4542*dd1104fbSMichen Chang MSG="ACI for ${LDAP_BASEDN} modified to disable self modify." 4543*dd1104fbSMichen Chang if [ $EXISTING_PROFILE -eq 1 ];then 4544*dd1104fbSMichen Chang ${ECHO} " ACI SET: $MSG" 4545*dd1104fbSMichen Chang else 4546*dd1104fbSMichen Chang ${ECHO} " ${STEP}. $MSG" 4547*dd1104fbSMichen Chang STEP=`expr $STEP + 1` 4548*dd1104fbSMichen Chang fi 45497c478bd9Sstevel@tonic-gate} 45507c478bd9Sstevel@tonic-gate 45517c478bd9Sstevel@tonic-gate# 45527c478bd9Sstevel@tonic-gate# add_vlv_aci(): Add access control information (aci) for VLV. 
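#
add_vlv_aci()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_vlv_aci()"

    # LDIF that replaces the aci on the VLV Request Control feature entry.
    # NOTE(review): userdn "ldap:///anyone" grants read/search/compare on
    # this control to anonymous binds as well as authenticated ones, which is
    # what lets unauthenticated naming-service clients issue VLV searches.
    # If the deployment only ever serves proxy/authenticated clients, a
    # narrower userdn would be preferable.
    ( cat <<EOF
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
replace: aci
aci: (targetattr != "aci") (version 3.0; acl "VLV Request Control"; allow(read,search,compare) userdn = "ldap:///anyone";)
EOF
) > ${TMPDIR}/vlv_aci

    # Push the LDIF to the server; a failure aborts the whole setup.
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/vlv_aci ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Add of VLV ACI failed!"
        cleanup
        exit 1
    fi

    # Report the completed step and advance the step counter.
    ${ECHO} " ${STEP}. Add of VLV Access Control Information (ACI)."
    STEP=`expr $STEP + 1`
}


#
# set_nisdomain(): Add the NisDomainObject to the Base DN.
#
set_nisdomain()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In set_nisdomain()"

    # Read the base entry so we can tell whether nisDomain is already set.
    # A failed search (bad bind, unreachable server, missing base entry)
    # is reported and aborts here, mirroring modify_top_aci(); previously
    # it was indistinguishable from "not set" and was followed by a blind
    # modify of the base entry.
    ${EVAL} "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base \
        \"objectclass=*\"" > ${TMPDIR}/chk_nisdomain 2>&1
    if [ $? -ne 0 ]; then
        ${ECHO} "Error searching nisDomain for ${LDAP_BASEDN}"
        cat ${TMPDIR}/chk_nisdomain
        cleanup
        exit 1
    fi

    # Either a "nisdomain:" attribute or the nisDomainObject objectclass
    # in the entry means the work has already been done.
    ${EVAL} "${GREP} -i nisDomain ${TMPDIR}/chk_nisdomain ${VERB}"
    if [ $? -eq 0 ]; then
        ${ECHO} " ${STEP}. NisDomainObject for ${LDAP_BASEDN} was already set."
        STEP=`expr $STEP + 1`
        return 0
    fi

    # LDIF that adds the auxiliary class and the domain name to the base
    # entry.  NOTE(review): there is no "add: objectclass" mod-spec after
    # "changetype: modify"; this relies on the shipped ldapmodify treating
    # the bare attribute lines as an add (OpenLDAP's ldapmodify rejects such
    # LDIF) -- confirm against the ldapmodify actually in use.
    ( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
objectclass: nisDomainObject
nisdomain: ${LDAP_DOMAIN}
EOF
) > ${TMPDIR}/nis_domain

    # Apply the modification; a failure aborts the whole setup.
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/nis_domain ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: update of NisDomainObject in ${LDAP_BASEDN} failed."
        cleanup
        exit 1
    fi

    # Report the completed step and advance the step counter.
    ${ECHO} " ${STEP}. NisDomainObject added to ${LDAP_BASEDN}."
    STEP=`expr $STEP + 1`
}


#
# check_attrName(): Check that the attribute name is valid.
# $1 Key to check.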
#   Returns 0 : valid name  1 : invalid name
#
# The name is looked up in the server's cn=schema entry (attributeTypes).
# If $1 looks like a numeric OID it is matched against the "( <oid> "
# prefix of each definition; otherwise it is matched as a quoted 'NAME'.
#
# Globals read: DEBUG, ECHO, EGREP, EVAL, LDAPSEARCH, SERVER_ARGS, VERB
#
# NOTE(review): $1 is spliced unquoted into an eval'd command string and
# into an egrep pattern.  It originates from operator input, so shell
# metacharacters or regex specials in it would alter the command rather
# than be looked up; callers should pass only plain attribute names/OIDs.
# In the OID branch the dots are unescaped, so "." also matches any
# single character -- a looser test than an exact OID comparison.
#
check_attrName()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In check_attrName()"
    [ $DEBUG -eq 1 ] && ${ECHO} "check_attrName: Input Param = $1"

    # Numeric OID form: digits separated by dots.
    ${ECHO} $1 | ${EGREP} '^[0-9]+(\.[0-9]+)*$' > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
            attributeTypes | ${EGREP} -i '^attributetypes[ ]*=[ ]*\([ ]*$1 ' ${VERB}"
    else
        ${EVAL} "${LDAPSEARCH} ${SERVER_ARGS} -b cn=schema -s base \"objectclass=*\" \
            attributeTypes | ${EGREP} -i \"'$1'\" ${VERB}"
    fi

    # $? here is the status of the ${EVAL} line above -- presumably the
    # egrep at the end of the pipeline, assuming ${EVAL} expands to eval.
    if [ $? -ne 0 ]; then
        return 1
    else
        return 0
    fi
}


#
# get_objectclass(): Determine the objectclass for the given attribute name
#   $1          Attribute name to check.
#   _ATTR_NAME  Return value, Object Name or NULL if unknown to idsconfig.
#
# NOTE: An attribute name can be valid but still we might not be able
#       to determine the objectclass from the table.
#       In such cases, the user needs to create the necessary object(s).
#
# Only the four naming attributes below are recognised (by short name,
# long name or OID); everything else yields an empty _ATTR_NAME.
#
get_objectclass()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_objectclass()"
    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: Input Param = $1"

    # Set return value to NULL string.
    _ATTR_NAME=""

    # Test key for type (lower-cased first so the match is case-insensitive):
    case `${ECHO} ${1} | tr '[A-Z]' '[a-z]'` in
        ou | organizationalunitname | 2.5.4.11) _ATTR_NAME="organizationalUnit" ;;
        dc | domaincomponent | 0.9.2342.19200300.100.1.25) _ATTR_NAME="domain" ;;
        o | organizationname | 2.5.4.10) _ATTR_NAME="organization" ;;
        c | countryname | 2.5.4.6) _ATTR_NAME="country" ;;
        *) _ATTR_NAME="" ;;
    esac

    [ $DEBUG -eq 1 ] && ${ECHO} "get_objectclass: _ATTR_NAME = $_ATTR_NAME"
}


#
# add_base_objects(): Add any necessary base objects.
#
# Creates, one RDN at a time, every DN component that lies between
# LDAP_SUFFIX and LDAP_BASEDN and does not yet exist on the server.
#
# Globals read:    DEBUG, ECHO, EVAL, LDAPSEARCH, LDAPMODIFY, SERVER_ARGS,
#                  LDAP_ARGS, LDAP_BASEDN, LDAP_SUFFIX, VERB, TMPDIR, STEP,
#                  FMT_STR (set by format_string), _ATTR_NAME (set by
#                  get_objectclass)
# Globals written: STEP, LOWER_BASEDN, LOWER_SUFFIX, OBJ_Name, dcs, dcstmp,
#                  dcstmp2, lastdc, dc, dc2, dk, dk2, i2 (none are local),
#                  ${TMPDIR}/base_objects
# Exits:           1 on an invalid suffix, an unknown objectclass, or a
#                  failed ldapmodify.
#
add_base_objects()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_base_objects()"

    # Convert to lower case for basename.
    # format_string() is defined outside this view; from its use here it
    # appears to leave a normalised copy of its argument in FMT_STR.
    format_string "${LDAP_BASEDN}"
    LOWER_BASEDN="${FMT_STR}"
    format_string "${LDAP_SUFFIX}"
    LOWER_SUFFIX="${FMT_STR}"

    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_BASEDN: ${LOWER_BASEDN}"
    [ $DEBUG -eq 1 ] && ${ECHO} "LOWER_SUFFIX: ${LOWER_SUFFIX}"

    # Create additional components.
    if [ "${LOWER_BASEDN}" = "${LOWER_SUFFIX}" ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "Base DN and Suffix equivalent"
    else
        # first, test that the suffix is valid
        # basename(1)'s suffix-stripping is (ab)used here: if the suffix
        # is a trailing part of the base DN it is removed, otherwise the
        # result is the unchanged base DN.
        dcstmp=`basename "${LOWER_BASEDN}" "${LOWER_SUFFIX}"`
        if [ "$dcstmp" = "${LOWER_BASEDN}" ]; then
            # should not happen since check_basedn_suffix() succeeded
            ${ECHO} "Invalid suffix ${LOWER_SUFFIX}"
            ${ECHO} "for Base DN ${LOWER_BASEDN}"
            cleanup
            exit 1
        fi
        # OK, suffix is valid, start working with LDAP_BASEDN
        # field separator is ',' (i.e., space is a valid character)
        # The sed strips blanks around ',' and '=' so the RDNs split
        # cleanly below.  ${LDAP_BASEDN} is unquoted, so runs of blanks
        # are also collapsed by word-splitting before sed sees them.
        dcstmp2="`${ECHO} ${LDAP_BASEDN} |
            sed -e 's/[ ]*,[ ]*/,/g' -e 's/[ ]*=[ ]*/=/g'`"
        dcs=""
        # use dcstmp to count the loop, and dcstmp2 to get the correct
        # string case
        # dcs should be in reverse order, only for these components
        # that need to be added
        while [ -n "${dcstmp}" ]
        do
            i2=`${ECHO} "$dcstmp2" | cut -f1 -d','`
            dk=`${ECHO} $i2 | awk -F= '{print $1}'`
            dc=`${ECHO} $i2 | awk -F= '{print $2}'`
            # Prepending reverses the order: parent components first.
            dcs="$dk=$dc,$dcs";
            dcstmp2=`${ECHO} "$dcstmp2" | cut -f2- -d','`
            dcstmp=`${ECHO} "$dcstmp" | cut -f2- -d','`
            [ $DEBUG -eq 1 ] && \
                ${ECHO} "dcs: ${dcs}\ndcstmp: ${dcstmp}\ndcstmp2: ${dcstmp2}\n"
        done



        # Walk from the suffix downwards, creating each missing RDN under
        # the last one that exists ($lastdc).
        lastdc=${LDAP_SUFFIX}
        dc=`${ECHO} "${dcs}" | cut -f1 -d','`
        dcstmp=`${ECHO} "${dcs}" | cut -f2- -d','`
        while [ -n "${dc}" ]; do
            # Get Key and component from $dc.
            dk2=`${ECHO} $dc | awk -F= '{print $1}'`
            dc2=`${ECHO} $dc | awk -F= '{print $2}'`

            # At this point, ${dk2} is a valid attribute name

            # Check if entry exists first, if so, skip to next.
            ${LDAPSEARCH} ${SERVER_ARGS} -b "${dk2}=${dc2},$lastdc" -s base "objectclass=*" > /dev/null 2>&1
            if [ $? -eq 0 ]; then
                # Set the $lastdc to new dc.
                lastdc="${dk2}=${dc2},$lastdc"

                # Process next component.
                dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
                dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
                continue

            fi

            # Determine the objectclass for the entry.
            get_objectclass $dk2
            OBJ_Name=${_ATTR_NAME}
            if [ "${OBJ_Name}" = "" ]; then
                ${ECHO} "Cannot determine objectclass for $dk2"
                ${ECHO} "Please create ${dk2}=${dc2},$lastdc entry and rerun idsconfig"
                # NOTE(review): unlike the other error paths in this
                # function, this exit does not call cleanup(), so TMPDIR
                # and its scratch files are left behind.
                exit 1
            fi

            # Add the new container.
            ( cat <<EOF
dn: ${dk2}=${dc2},$lastdc
${dk2}: $dc2
objectClass: top
objectClass: ${OBJ_Name}
EOF
) > ${TMPDIR}/base_objects


            # Set the $lastdc to new dc.
            lastdc="${dk2}=${dc2},$lastdc"

            # Add the entry.
            ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/base_objects ${VERB}"
            if [ $? -ne 0 ]; then
                ${ECHO} " ERROR: update of base objects ${dc} failed."
                cleanup
                exit 1
            fi

            # Display message that schema is updated.
            ${ECHO} " ${STEP}. Created DN component ${dc}."
            STEP=`expr $STEP + 1`

            # Process next component.
            dc=`${ECHO} "${dcstmp}" | cut -f1 -d','`
            dcstmp=`${ECHO} "${dcstmp}" | cut -f2- -d','`
        done
    fi
}


#
# add_new_containers(): Add the top level classes.
#
#   $1 = Base DN
#
# NOTE(review): despite the header above, $1 is never read; the
# container DNs are built from the global LDAP_BASEDN.
#
# Globals read:    DEBUG, ECHO, EVAL, LDAPSEARCH, LDAPMODIFY, LDAP_ARGS,
#                  LDAP_BASEDN, VERB, TMPDIR, STEP
# Globals written: STEP, ou (loop variable, not local),
#                  ${TMPDIR}/toplevel.<ou> per container
# Exits:           1 (after cleanup) if any ldapmodify fails.
#
add_new_containers()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_new_containers()"

    for ou in people group rpc protocols networks netgroup \
        aliases hosts services ethers profile printers projects \
        SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do

        # Check if nismaps already exist.
        # Note the bare eval here versus ${EVAL} for the modify below;
        # the existence check therefore always runs, whatever ${EVAL} is.
        eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
        if [ $? -eq 0 ]; then
            continue
        fi

        # Create TMP file to add.
        ( cat <<EOF
dn: ou=${ou},${LDAP_BASEDN}
ou: ${ou}
objectClass: top
objectClass: organizationalUnit
EOF
) > ${TMPDIR}/toplevel.${ou}

        # Add the entry.
        ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/toplevel.${ou} ${VERB}"
        if [ $? -ne 0 ]; then
            ${ECHO} " ERROR: Add of ou=${ou} container failed!"
            cleanup
            exit 1
        fi
    done

    # Display message that top level OU containers complete.
    ${ECHO} " ${STEP}. Top level \"ou\" containers complete."
    STEP=`expr $STEP + 1`
}


#
# add_auto_maps(): Add the automount map entries.
#
#   auto_home, auto_direct, auto_master, auto_shared
#
# Globals read:    DEBUG, ECHO, EVAL, LDAPSEARCH, LDAPMODIFY, LDAP_ARGS,
#                  LDAP_BASEDN, VERB, TMPDIR, STEP
# Globals written: STEP, AUTO_MAPS, automap (loop variable),
#                  ${TMPDIR}/automap.<map> per map
# Exits:           1 (after cleanup) if any ldapmodify fails.
#
add_auto_maps()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_auto_maps()"

    # Set AUTO_MAPS for maps to create.
    AUTO_MAPS="auto_home auto_direct auto_master auto_shared"

    for automap in $AUTO_MAPS; do
        # Check if automaps already exist.
        eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"automountMapName=${automap},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
        if [ $? -eq 0 ]; then
            continue
        fi

        # Create the tmp file to add.
        ( cat <<EOF
dn: automountMapName=${automap},${LDAP_BASEDN}
automountMapName: ${automap}
objectClass: top
objectClass: automountMap
EOF
) > ${TMPDIR}/automap.${automap}

        # Add the entry.
        ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/automap.${automap} ${VERB}"
        if [ $? -ne 0 ]; then
            ${ECHO} " ERROR: Add of automap ${automap} failed!"
            cleanup
            exit 1
        fi
    done

    # Display message that automount entries are updated.
    ${ECHO} " ${STEP}. automount maps: $AUTO_MAPS processed."
    STEP=`expr $STEP + 1`
}


#
# add_proxyagent(): Add entry for nameservice to use to access server.
#
# Creates the proxy agent as a "person" entry at DN LDAP_PROXYAGENT with
# cn/sn taken from the first RDN value and userpassword set to
# LDAP_PROXYAGENT_CRED.
#
# Globals read:    DEBUG, ECHO, EVAL, LDAPSEARCH, LDAPMODIFY, LDAP_ARGS,
#                  LDAP_PROXYAGENT, LDAP_PROXYAGENT_CRED, VERB, TMPDIR, STEP
# Globals written: STEP, cn_tmp, ${TMPDIR}/proxyagent
# Returns:         0 without changes if the entry already exists.
# Exits:           1 (after cleanup) if the ldapmodify fails.
#
# NOTE(review): the proxy agent credential is written in clear text to
# ${TMPDIR}/proxyagent and stays there until cleanup() runs.  TMPDIR's
# creation mode is not visible here -- confirm it is created with
# restrictive permissions (mktemp -d style) so the file is not readable
# by other local users while the script runs.
#
add_proxyagent()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_proxyagent()"

    # Check if the proxy agent entry already exists.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_PROXYAGENT}\" -s base \"objectclass=*\" ${VERB}"
    if [ $? -eq 0 ]; then
        ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} already exists."
        STEP=`expr $STEP + 1`
        return 0
    fi

    # Get cn and sn names from LDAP_PROXYAGENT.
    # First RDN of the DN, value part after '=' (e.g. "cn=proxyagent,..."
    # gives "proxyagent").
    cn_tmp=`${ECHO} ${LDAP_PROXYAGENT} | cut -f1 -d, | cut -f2 -d=`

    # Create the tmp file to add.
    # Passing the credential via -f file (below) rather than on the
    # command line keeps it out of the process argument list.
    ( cat <<EOF
dn: ${LDAP_PROXYAGENT}
cn: ${cn_tmp}
sn: ${cn_tmp}
objectclass: top
objectclass: person
userpassword: ${LDAP_PROXYAGENT_CRED}
EOF
) > ${TMPDIR}/proxyagent

    # Add the entry.
    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/proxyagent ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Adding proxyagent failed!"
        cleanup
        exit 1
    fi

    # Display message that schema is updated.
    ${ECHO} " ${STEP}. Proxy Agent ${LDAP_PROXYAGENT} added."
    STEP=`expr $STEP + 1`
}

#
# allow_proxy_read_pw(): Give Proxy Agent read permission for password.
#
# Adds an ACI on LDAP_BASEDN that lets the proxy agent compare/read/search
# the userPassword attribute of every entry under the base DN.  This is
# what allows the proxy identity to perform password lookups on behalf of
# clients; the ACI is deliberately limited to that one attribute and that
# one bind DN.
#
# Globals read:    DEBUG, ECHO, EVAL, GREP, LDAPSEARCH, LDAPMODIFY,
#                  LDAP_ARGS, LDAP_BASEDN, LDAP_PROXYAGENT, VERB, TMPDIR, STEP
# Globals written: STEP, PROXY_ACI_NAME, ${TMPDIR}/chk_proxyread_aci,
#                  ${TMPDIR}/proxy_read
# Returns:         0 without changes if an ACI with this name is present.
# Exits:           1 (after cleanup) if the ldapmodify fails.
#
allow_proxy_read_pw()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In allow_proxy_read_pw()"

    # Set ACI Name
    PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"

    # Search for ACI_NAME
    # Only the aci attribute of the base entry is fetched; presence is
    # decided by a plain substring grep for the ACI name.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"${LDAP_BASEDN}\" -s base objectclass=* aci > ${TMPDIR}/chk_proxyread_aci 2>&1"
    ${GREP} "${PROXY_ACI_NAME}" ${TMPDIR}/chk_proxyread_aci > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        # NOTE(review): "${PROXY_ACI_NAME=}" is the assign-default
        # expansion with an empty default, almost certainly a typo for
        # "${PROXY_ACI_NAME}".  It is harmless because the variable was
        # just set above, so the message still prints the name.
        ${ECHO} " ${STEP}. Proxy ACI ${PROXY_ACI_NAME=} already exists for ${LDAP_BASEDN}."
        STEP=`expr $STEP + 1`
        return 0
    fi

    # Create the tmp file to add.
    # "add: aci" appends to the existing ACIs on the base entry (contrast
    # the "replace: aci" used for the VLV feature entry).
    ( cat <<EOF
dn: ${LDAP_BASEDN}
changetype: modify
add: aci
aci: (target="ldap:///${LDAP_BASEDN}")(targetattr="userPassword")(version 3.0; acl ${PROXY_ACI_NAME}; allow (compare,read,search) userdn = "ldap:///${LDAP_PROXYAGENT}";)
EOF
) > ${TMPDIR}/proxy_read

    # Add the entry.
    ${EVAL} "${LDAPMODIFY} ${LDAP_ARGS} -f ${TMPDIR}/proxy_read ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Allow ${LDAP_PROXYAGENT} to read password failed!"
        cleanup
        exit 1
    fi

    # Display message that schema is updated.
    ${ECHO} " ${STEP}. Give ${LDAP_PROXYAGENT} read permission for password."
    STEP=`expr $STEP + 1`
}

#
# add_profile(): Add client profile to server.
#
# Builds an "ldapclient genprofile" command line from the LDAP_* settings,
# runs it, and loads the generated LDIF into
# cn=LDAP_PROFILE_NAME,ou=profile,LDAP_BASEDN (deleting an existing
# profile of that name first when DEL_OLD_PROFILE is non-zero).
#
# Globals read:    DEBUG, ECHO, EVAL, LDAPSEARCH, LDAPDELETE, LDAPMODIFY,
#                  LDAP_ARGS, LDAP_BASEDN, LDAP_PROFILE_NAME, DEL_OLD_PROFILE,
#                  SSD_FILE, VERB, TMPDIR, STEP, and the optional
#                  LDAP_SERVER_LIST ... LDAP_SRV_AUTHMETHOD_CMD settings
# Globals written: STEP, GEN_CMD, ${TMPDIR}/del_profile,
#                  ${TMPDIR}/gen_profile, ${TMPDIR}/gen_profile_ERR
# Exits:           1 if the profile exists and may not be deleted (no
#                  cleanup), or (after cleanup) on any failed command.
#
# NOTE(review): GEN_CMD is executed with eval, so every LDAP_* value
# spliced into it is re-parsed by the shell.  When the values come from
# an input file (-i), a value containing quotes, backticks or "$(" would
# be executed as shell code rather than passed to ldapclient; values
# should be validated before reaching here (validate_info is outside
# this view -- confirm what it checks).
#
add_profile()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In add_profile()"

    # If profile name already exists, DELETE it, and add new one.
    eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
    if [ $? -eq 0 ]; then
        # Create Delete file.
        ( cat <<EOF
cn=${LDAP_PROFILE_NAME},ou=profile,${LDAP_BASEDN}
EOF
) > ${TMPDIR}/del_profile

        # Check if DEL_OLD_PROFILE is set. (If not ERROR)
        if [ $DEL_OLD_PROFILE -eq 0 ]; then
            ${ECHO} "ERROR: Profile name ${LDAP_PROFILE_NAME} exists! Add failed!"
            # NOTE(review): this exit skips cleanup(), leaving TMPDIR
            # (which may already hold the proxy agent credential file).
            exit 1
        fi

        # Delete the OLD profile.
        ${EVAL} "${LDAPDELETE} ${LDAP_ARGS} -f ${TMPDIR}/del_profile ${VERB}"
        if [ $? -ne 0 ]; then
            ${ECHO} " ERROR: Attempt to DELETE profile failed!"
            cleanup
            exit 1
        fi
    fi

    # Build the "ldapclient genprofile" command string to execute.
    GEN_CMD="ldapclient genprofile -a \"profileName=${LDAP_PROFILE_NAME}\""

    # Add required argument defaultSearchBase.
    GEN_CMD="${GEN_CMD} -a \"defaultSearchBase=${LDAP_BASEDN}\""

    # Add optional parameters (each only when its variable is non-empty).
    [ -n "$LDAP_SERVER_LIST" ] && \
        GEN_CMD="${GEN_CMD} -a \"defaultServerList=${LDAP_SERVER_LIST}\""
    [ -n "$LDAP_SEARCH_SCOPE" ] && \
        GEN_CMD="${GEN_CMD} -a \"defaultSearchScope=${LDAP_SEARCH_SCOPE}\""
    [ -n "$LDAP_CRED_LEVEL" ] && \
        GEN_CMD="${GEN_CMD} -a \"credentialLevel=${LDAP_CRED_LEVEL}\""
    [ -n "$LDAP_AUTHMETHOD" ] && \
        GEN_CMD="${GEN_CMD} -a \"authenticationMethod=${LDAP_AUTHMETHOD}\""
    [ -n "$LDAP_FOLLOWREF" ] && \
        GEN_CMD="${GEN_CMD} -a \"followReferrals=${LDAP_FOLLOWREF}\""
    [ -n "$LDAP_SEARCH_TIME_LIMIT" ] && \
        GEN_CMD="${GEN_CMD} -a \"searchTimeLimit=${LDAP_SEARCH_TIME_LIMIT}\""
    [ -n "$LDAP_PROFILE_TTL" ] && \
        GEN_CMD="${GEN_CMD} -a \"profileTTL=${LDAP_PROFILE_TTL}\""
    [ -n "$LDAP_BIND_LIMIT" ] && \
        GEN_CMD="${GEN_CMD} -a \"bindTimeLimit=${LDAP_BIND_LIMIT}\""
    [ -n "$LDAP_PREF_SRVLIST" ] && \
        GEN_CMD="${GEN_CMD} -a \"preferredServerList=${LDAP_PREF_SRVLIST}\""
    # serviceAuthenticationMethod may be given up to three times (pam,
    # keyserv, passwd-cmd); ldapclient accepts the repeated -a.
    [ -n "$LDAP_SRV_AUTHMETHOD_PAM" ] && \
        GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_PAM}\""
    [ -n "$LDAP_SRV_AUTHMETHOD_KEY" ] && \
        GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_KEY}\""
    [ -n "$LDAP_SRV_AUTHMETHOD_CMD" ] && \
        GEN_CMD="${GEN_CMD} -a \"serviceAuthenticationMethod=${LDAP_SRV_AUTHMETHOD_CMD}\""

    # Check if there are any service search descriptors to add.
    # ssd_2_profile is defined outside this view; presumably it extends
    # GEN_CMD from SSD_FILE -- verify.
    if [ -s "${SSD_FILE}" ]; then
        ssd_2_profile
    fi

    # Execute "ldapclient genprofile" to create profile.
    eval ${GEN_CMD} > ${TMPDIR}/gen_profile 2> ${TMPDIR}/gen_profile_ERR
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: ldapclient genprofile failed!"
        cleanup
        exit 1
    fi

    # Add the generated profile.
    ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/gen_profile ${VERB}"
    if [ $? -ne 0 ]; then
        ${ECHO} " ERROR: Attempt to add profile failed!"
        cleanup
        exit 1
    fi

    # Display message that schema is updated.
    ${ECHO} " ${STEP}. Generated client profile and loaded on server."
    STEP=`expr $STEP + 1`
}


#
# cleanup(): Remove the TMPDIR and all files in it.
#
# Globals read: DEBUG, ECHO, TMPDIR
#
# NOTE(review): TMPDIR is expanded unquoted and without an empty-value
# guard; with TMPDIR unset or empty this runs "rm -fr" with no operand,
# and a value containing blanks would be split into several operands.
# TMPDIR is presumably assigned by init() (outside this view) -- confirm
# it is always set to a dedicated, freshly created directory before any
# function that can call cleanup() runs.
#
cleanup()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In cleanup()"

    rm -fr ${TMPDIR}
}


#
# * * * MAIN * * *
#
# Description:
#    This script assumes that the iPlanet Directory Server (iDS) is
#    installed and that setup has been run.  This script takes the
#    iDS server from that point and sets up the infrastructure for
#    LDAP Naming Services.  After running this script, ldapaddent(1M)
#    or some other tools can be used to populate data.
#
# Order matters below: the suffix and base objects must exist before the
# nisDomain, containers, ACIs and profile are added under them, and the
# schema must be updated before entries using the new objectclasses are
# written.  Every helper exits the script on error, so no status checks
# appear here except for add_suffix.

# Initialize the variables that need to be set to NULL, or some
# other initial value before the rest of the functions can be called.
init

# Parse command line arguments.
# parse_arg's return status is used as the number of processed arguments
# to shift away (its definition is outside this view).  $* is unquoted,
# so arguments containing blanks are re-split before parse_arg sees them.
parse_arg $*
shift $?

# Print extra line to separate from prompt.
${ECHO} " "

# Either Load the user specified config file
# or prompt user for config info.
if [ -n "$INPUT_FILE" ]
then
    load_config_file
    INTERACTIVE=0         # Turns off prompts that occur later.
    validate_info         # Validate basic info in file.
    chk_ids_version       # Check iDS version for compatibility.
    gssapi_setup_auto
else
    # Display BACKUP warning to user.
    display_msg backup_server
    get_confirm "Do you wish to continue with server setup (y/n/h)?" "n" "backup_help"
    if [ $? -eq 0 ]; then    # if No, cleanup and exit.
        cleanup ; exit 1
    fi

    # Prompt for values.
    prompt_config_info
    display_summary     # Allow user to modify results.
    INTERACTIVE=1       # Ensures future prompting.
fi

# Modify slapd.oc.conf to ALLOW cn instead of REQUIRE.
modify_cn

# Modify timelimit to user value.
[ $NEED_TIME -eq 1 ] && modify_timelimit

# Modify sizelimit to user value.
[ $NEED_SIZE -eq 1 ] && modify_sizelimit

# Modify the password storage scheme to support CRYPT.
if [ "$NEED_CRYPT" = "TRUE" ]; then
    modify_pwd_crypt
fi

# Update the schema (Attributes, Objectclass Definitions)
if [ ${SCHEMA_UPDATED} -eq 0 ]; then
    update_schema_attr
    update_schema_obj
fi

# Add suffix together with its root entry (if needed)
# add_suffix reports failure through its return status rather than
# exiting itself, hence the explicit cleanup here.
add_suffix ||
{
    cleanup
    exit 1
}

# Add base objects (if needed)
add_base_objects

# Update the NisDomainObject.
# The Base DN might have just been created, so this MUST happen after
# the base objects have been added!
set_nisdomain

# Add top level classes (new containers)
add_new_containers

# Add common nismaps.
add_auto_maps

# Modify top ACI.
modify_top_aci

# Add Access Control Information for VLV.
add_vlv_aci

# if Proxy needed, Add Proxy Agent and give read permission for password.
if [ $NEED_PROXY -eq 1 ]; then
    add_proxyagent
    allow_proxy_read_pw
fi

# If admin needed for shadow update, Add the administrator identity and
# give write permission for shadow.
if [ $NEED_ADMIN -eq 1 ]; then
    add_admin
    allow_admin_write_shadow
fi

# if use host principal for shadow update, give write permission for shadow.
if [ $NEED_HOSTACL -eq 1 ]; then
    allow_host_write_shadow
fi

# Generate client profile and add it to the server.
add_profile

# Add Indexes to improve Search Performance.
add_eq_indexes
add_sub_indexes
add_vlv_indexes

# Display setup complete message
display_msg setup_complete

# Display VLV index commands to be executed on server.
display_vlv_cmds

# Create config file if requested.
[ -n "$OUTPUT_FILE" ] && create_config_file

# Remove the TMPDIR and all files in it (including the credential
# scratch files written by add_proxyagent and friends).
cleanup

exit 0
# end of MAIN.