17c478bd9Sstevel@tonic-gate#!/bin/sh
27c478bd9Sstevel@tonic-gate#
37c478bd9Sstevel@tonic-gate# CDDL HEADER START
47c478bd9Sstevel@tonic-gate#
57c478bd9Sstevel@tonic-gate# The contents of this file are subject to the terms of the
645916cd2Sjpk# Common Development and Distribution License (the "License").
745916cd2Sjpk# You may not use this file except in compliance with the License.
87c478bd9Sstevel@tonic-gate#
97c478bd9Sstevel@tonic-gate# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
107c478bd9Sstevel@tonic-gate# or http://www.opensolaris.org/os/licensing.
117c478bd9Sstevel@tonic-gate# See the License for the specific language governing permissions
127c478bd9Sstevel@tonic-gate# and limitations under the License.
137c478bd9Sstevel@tonic-gate#
147c478bd9Sstevel@tonic-gate# When distributing Covered Code, include this CDDL HEADER in each
157c478bd9Sstevel@tonic-gate# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
167c478bd9Sstevel@tonic-gate# If applicable, add the following below this CDDL HEADER, with the
177c478bd9Sstevel@tonic-gate# fields enclosed by brackets "[]" replaced with your own identifying
187c478bd9Sstevel@tonic-gate# information: Portions Copyright [yyyy] [name of copyright owner]
197c478bd9Sstevel@tonic-gate#
207c478bd9Sstevel@tonic-gate# CDDL HEADER END
217c478bd9Sstevel@tonic-gate#
227c478bd9Sstevel@tonic-gate#
234f4e8bf0SMilan Jurik# idsconfig -- script to setup iDS 5.x/6.x/7.x for Native LDAP II.
247c478bd9Sstevel@tonic-gate#
2507925104Sgww# Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
267c478bd9Sstevel@tonic-gate#
277c478bd9Sstevel@tonic-gate
287c478bd9Sstevel@tonic-gate#
297c478bd9Sstevel@tonic-gate# display_msg(): Displays message corresponding to the tag passed in.
307c478bd9Sstevel@tonic-gate#
display_msg()
{
    # $1 is a message tag.  Every arm prints a fixed text to stdout and
    # nothing else.  The here-documents are unquoted, so ${PROG},
    # ${IDS_SERVER}, ${LDAP_*} and friends are expanded from the caller's
    # globals at the moment the message is printed.  A tag that matches no
    # arm prints nothing: there is no default case.
    case "$1" in
    usage) cat <<EOF
 $PROG: [ -v ] [ -i input file ] [ -o output file ]
   i <input file>     Get setup info from input file.
   o <output file>    Generate a server configuration output file.
   v                  Verbose mode
EOF
    ;;
    backup_server) cat <<EOF
It is strongly recommended that you BACKUP the directory server
before running $PROG.

Hit Ctrl-C at any time before the final confirmation to exit.

EOF
    ;;
    setup_complete) cat <<EOF

$PROG: Setup of iDS server ${IDS_SERVER} is complete.

EOF
    ;;
    display_vlv_list) cat <<EOF

Note: idsconfig has created entries for VLV indexes. 

      For DS5.x, use the directoryserver(8) script on ${IDS_SERVER}
      to stop the server.  Then, using directoryserver, follow the
      directoryserver examples below to create the actual VLV indexes.

      For DS6.x or later, use dsadm command delivered with DS on ${IDS_SERVER}
      to stop the server.  Then, using dsadm, follow the
      dsadm examples below to create the actual VLV indexes.

EOF
    ;;
    # Numbered menus.  The numbers shown here are what the user types back,
    # so any reordering must be mirrored wherever the chosen number is
    # interpreted.
    cred_level_menu) cat <<EOF
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
  4  self
EOF
    ;;
    # Security note: as the auth_help and crypt_help texts further down
    # spell out, the sasl/DIGEST-MD5 choices (3 and 5 here, 2 and 4 in the
    # service menu) only work when the server keeps userPassword in the
    # clear, i.e. not crypt-hashed.
    # NOTE(review): nothing here steers users towards the tls: variants;
    # consider saying so in auth_help.
    auth_method_menu) cat <<EOF
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
  6  sasl/GSSAPI
EOF
    ;;
    srvauth_method_menu) cat <<EOF
The following are the supported Authentication Methods:
  1  simple
  2  sasl/DIGEST-MD5
  3  tls:simple
  4  tls:sasl/DIGEST-MD5
  5  sasl/GSSAPI
EOF
    ;;
    prompt_ssd_menu) cat <<EOF
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
EOF
    ;;
    summary_menu)

	SUFFIX_INFO=
	DB_INFO=

	# Only mention the suffix / backend when they still have to be
	# created; the extra lines are glued onto item 2 of the summary
	# printed below.
	[ -n "${NEED_CREATE_SUFFIX}" ] &&
	{
		SUFFIX_INFO=`cat <<EOF

         Suffix to create          : $LDAP_SUFFIX
EOF
`
		[ -n "${NEED_CREATE_BACKEND}" ] &&
			DB_INFO=`cat <<EOF

         Database to create        : $IDS_DATABASE
EOF
`
	}

	cat <<EOF
              Summary of Configuration

  1  Domain to serve               : $LDAP_DOMAIN
  2  Base DN to setup              : $LDAP_BASEDN$SUFFIX_INFO$DB_INFO
  3  Profile name to create        : $LDAP_PROFILE_NAME
  4  Default Server List           : $LDAP_SERVER_LIST
  5  Preferred Server List         : $LDAP_PREF_SRVLIST
  6  Default Search Scope          : $LDAP_SEARCH_SCOPE
  7  Credential Level              : $LDAP_CRED_LEVEL
  8  Authentication Method         : $LDAP_AUTHMETHOD
  9  Enable Follow Referrals       : $LDAP_FOLLOWREF
 10  iDS Time Limit                : $IDS_TIMELIMIT
 11  iDS Size Limit                : $IDS_SIZELIMIT
 12  Enable crypt password storage : $NEED_CRYPT
 13  Service Auth Method pam_ldap  : $LDAP_SRV_AUTHMETHOD_PAM
 14  Service Auth Method keyserv   : $LDAP_SRV_AUTHMETHOD_KEY
 15  Service Auth Method passwd-cmd: $LDAP_SRV_AUTHMETHOD_CMD
 16  Search Time Limit             : $LDAP_SEARCH_TIME_LIMIT
 17  Profile Time to Live          : $LDAP_PROFILE_TTL
 18  Bind Limit                    : $LDAP_BIND_LIMIT
 19  Enable shadow update          : $LDAP_ENABLE_SHADOW_UPDATE
 20  Service Search Descriptors Menu

EOF
    ;;
    sfx_not_suitable) cat <<EOF

Sorry, suffix ${LDAP_SUFFIX} is not suitable for Base DN ${LDAP_BASEDN}

EOF
    ;;
    # Relies on $_ATT, which is not set in this function; the caller is
    # expected to have set it to the attribute name being looked up.
    obj_not_found) cat <<EOF

Sorry, ${PROG} can't find an objectclass for "$_ATT" attribute

EOF
    ;;
    sfx_config_incons) cat <<EOF

Sorry, there is no suffix mapping for ${LDAP_SUFFIX},
while ldbm database exists, server configuration needs to be fixed manually,
look at cn=mapping tree,cn=config and cn=ldbm database,cn=plugins,cn=config

EOF
    ;;
    ldbm_db_exist) cat <<EOF

Database "${IDS_DATABASE}" already exists,
however "${IDS_DATABASE_AVAIL}" name is available

EOF
    ;;
    unable_find_db_name) cat <<EOF
    
Unable to find any available database name close to "${IDS_DATABASE}"

EOF
    ;;
    create_ldbm_db_error) cat <<EOF

ERROR: unable to create suffix ${LDAP_SUFFIX}
       due to server error that occurred during creation of ldbm database

EOF
    ;;
    create_suffix_entry_error) cat <<EOF

ERROR: unable to create entry ${LDAP_SUFFIX} of ${LDAP_SUFFIX_OBJ} class

EOF
    ;;
    ldap_suffix_list) cat <<EOF

No valid suffixes (naming contexts) were found for LDAP base DN:
${LDAP_BASEDN}

Available suffixes are:
${LDAP_SUFFIX_LIST}

EOF
    ;;
    # Generic fallback: get_number() passes "${3:-sorry}", so a prompt with
    # no help tag of its own lands here.
    sorry) cat <<EOF

HELP - No help is available for this topic.

EOF
    ;;
    create_suffix_help) cat <<EOF

HELP - Our Base DN is ${LDAP_BASEDN}
       and we need to create a Directory Suffix,
       which can be equal to Base DN itself or be any of Base DN parents.
       All intermediate entries up to suffix will be created on demand.

EOF
    ;;
    enter_ldbm_db_help) cat <<EOF

HELP - ldbm database is an internal database for storage of our suffix data.
       Database name must be alphanumeric due to Directory Server restriction.

EOF
    ;;
    backup_help) cat <<EOF

HELP - Since idsconfig modifies the directory server configuration,
       it is strongly recommended that you backup the server prior
       to running this utility.  This is especially true if the server
       being configured is a production server.

EOF
    ;;
    port_help) cat <<EOF

HELP - Enter the port number the directory server is configured to
       use for LDAP.

EOF
    ;;
    domain_help) cat <<EOF

HELP - This is the DNS domain name this server will be serving.  You
       must provide this name even if the server is not going to be populated
       with hostnames.  Any unqualified hostname stored in the directory
       will be fully qualified using this DNS domain name.

EOF
    ;;
    basedn_help) cat <<EOF

HELP - This parameter defines the default location in the directory tree for
       the naming services entries.  You can override this default by using 
       serviceSearchDescriptors (SSD). You will be given the option to set up 
       an SSD later on in the setup.

EOF
    ;;
    profile_help) cat <<EOF

HELP - Name of the configuration profile with which the clients will be
       configured. A directory server can store various profiles for multiple 
       groups of clients.  The initialization tool, (ldapclient(8)), assumes 
       "default" unless another is specified.

EOF
    ;;
    def_srvlist_help) cat <<EOF

HELP - Provide a list of directory servers to serve clients using this profile.
       All these servers should contain consistent data and provide similar 
       functionality.  This list is not ordered, and clients might change the 
       order given in this list. Note that this is a space separated list of 
       *IP addresses* (not host names).  Providing port numbers is optional.

EOF
    ;;
    pref_srvlist_help) cat <<EOF

HELP - Provide a list of directory servers to serve this client profile. 
       Unlike the default server list, which is not ordered, the preferred 
       servers must be entered IN THE ORDER you wish to have them contacted. 
       If you do specify a preferred server list, clients will always contact 
       them before attempting to contact any of the servers on the default 
       server list. Note that you must enter the preferred server list as a 
       space-separated list of *IP addresses* (not host names).  Providing port 
       numbers is optional.

EOF
    ;;
    srch_scope_help) cat <<EOF

HELP - Default search scope to be used for all searches unless they are
       overwritten using serviceSearchDescriptors.  The valid options
       are "one", which would specify the search will only be performed 
       at the base DN for the given service, or "sub", which would specify 
       the search will be performed through *all* levels below the base DN 
       for the given service.

EOF
    ;;
    cred_lvl_help) cat <<EOF

HELP - This parameter defines what credentials the clients use to
       authenticate to the directory server.  This list might contain
       multiple credential levels and is ordered.  If a proxy level
       is configured, you will also be prompted to enter a bind DN
       for the proxy agent along with a password.  This proxy agent
       will be created if it does not exist.

EOF
    ;;
    auth_help) cat <<EOF

HELP - The default authentication method(s) to be used by all services
       in the client using this profile.  This is a ordered list of
       authentication methods separated by a ';'.  The supported methods
       are provided in a menu.  Note that sasl/DIGEST-MD5 binds require
       passwords to be stored un-encrypted on the server.

EOF
    ;;
    srvauth_help) cat <<EOF

HELP - The authentication methods to be used by a given service.  Currently
       3 services support this feature: pam_ldap, keyserv, and passwd-cmd.
       The authentication method specified in this attribute overrides
       the default authentication method defined in the profile.  This
       feature can be used to select stronger authentication methods for
       services which require increased security.

EOF
    ;;
    pam_ldap_help) cat <<EOF

HELP - The authentication method(s) to be used by pam_ldap when contacting
       the directory server.  This is a ordered list, and, if provided, will
       override the default authentication method parameter.

EOF
    ;;
    keyserv_help) cat <<EOF

HELP - The authentication method(s) to be used by newkey(8) and chkey(1)
       when contacting the directory server.  This is a ordered list and
       if provided will override the default authentication method
       parameter.

EOF
    ;;
    passwd-cmd_help) cat <<EOF

HELP - The authentication method(s) to be used by passwd(1) command when
       contacting the directory server.  This is a ordered list and if
       provided will override the default authentication method parameter.

EOF
    ;;
    referrals_help) cat <<EOF

HELP - This parameter indicates whether the client should follow
       ldap referrals if it encounters one during naming lookups.

EOF
    ;;
    # For the two server limits below, -1 is the "unlimited" sentinel that
    # get_negone_num() accepts alongside non-negative values.
    tlim_help) cat <<EOF

HELP - The server time limit value indicates the maximum amount of time the
       server would spend on a query from the client before abandoning it.
       A value of '-1' indicates no limit.

EOF
    ;;
    slim_help) cat <<EOF

HELP - The server sizelimit value indicates the maximum number of entries
       the server would return in respond to a query from the client.  A
       value of '-1' indicates no limit.

EOF
    ;;
    crypt_help) cat <<EOF

HELP - By default iDS does not store userPassword attribute values using
       unix "crypt" format.  If you need to keep your passwords in the crypt
       format for NIS/NIS+ and pam_unix compatibility, choose 'yes'.  If
       passwords are stored using any other format than crypt, pam_ldap
       MUST be used by clients to authenticate users to the system. Note 
       that if you wish to use sasl/DIGEST-MD5 in conjunction with pam_ldap,
       user passwords must be stored in the clear format.

EOF
    ;;
    srchtime_help) cat <<EOF

HELP - The search time limit the client will enforce for directory
       lookups.

EOF
    ;;
    profttl_help) cat <<EOF

HELP - The time to live value for profile.  The client will refresh its
       cached version of the configuration profile at this TTL interval.

EOF
    ;;
    bindlim_help) cat <<EOF

HELP - The time limit for the bind operation to the directory.  This
       value controls the responsiveness of the client in case a server
       becomes unavailable.  The smallest timeout value for a given
       network architecture/conditions would work best.  This is very
       similar to setting TCP timeout, but only for LDAP bind operation.

EOF
    ;;
    ssd_help) cat <<EOF

HELP - Using Service Search Descriptors (SSD), you can override the
       default configuration for a given service.  The SSD can be
       used to override the default search base DN, the default search
       scope, and the default search filter to be used for directory
       lookups.  SSD are supported for all services (databases)
       defined in nsswitch.conf(5).  The default base DN is defined
       in ldap(1).

       Note: SSD are powerful tools in defining configuration profiles
             and provide a great deal of flexibility.  However, care
             must be taken in creating them.  If you decide to make use
             of SSDs, consult the documentation first.

EOF
    ;;
    ssd_menu_help) cat <<EOF

HELP - Using this menu SSD can be added, updated, or deleted from
       the profile.

       A - This option creates a new SSD by prompting for the
           service name, base DN, and scope.  Service name is
           any valid service as defined in ldap(1).  base is
           either the distinguished name to the container where
           this service will use, or a relative DN followed
           by a ','.
       D - Delete a previously created SSD.
       M - Modify a previously created SSD.
       P - Display a list of all the previously created SSD.
       X - Delete all of the previously created SSD.

       Q - Exit the menu and continue with the server configuration.

EOF
    ;;
    ldap_suffix_list_help) cat <<EOF

HELP - No valid suffixes (naming contexts) are available on server 
       ${IDS_SERVER}:${IDS_PORT}.
       You must set an LDAP Base DN that can be contained in 
       an existing suffix.

EOF
    ;;
    # The three shadow-update help texts describe a privileged setup: an
    # administrator credential is added and access controls are relaxed so
    # clients can write shadow(5) data.  That is a deliberate widening of
    # who may modify account state on the server, which is why each prompt
    # asks for an explicit 'y'.
    enable_shadow_update_help) cat <<EOF

HELP - Enter 'y' to set up the LDAP server for shadow update.
       The setup will add an administrator identity/credential
       and modify the necessary access controls for the client
       to update shadow(5) data on the LDAP server. If sasl/GSSAPI
       is in use, the Kerberos host principal will be used as the
       administrator identity.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(5) manual page for details.

EOF
    ;;
    add_admin_cred_help) cat <<EOF

HELP - Start the setup to add an administrator identity/credential
       and to modify access controls for the client to update
       shadow(5) data on the LDAP server.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(5) manual page for details.

EOF
    ;;
    use_host_principal_help) cat <<EOF

HELP - A profile with a 'sasl/GSSAPI' authentication method and a 'self'
       credential level is detected, enter 'y' to modify the necessary
       access controls for allowing the client to update shadow(5) data
       on the LDAP server.

       Shadow data is used for password aging and account locking.
       Please refer to the shadow(5) manual page for details.

EOF
    ;;
    esac
}
5097c478bd9Sstevel@tonic-gate
5107c478bd9Sstevel@tonic-gate
5117c478bd9Sstevel@tonic-gate#
5127c478bd9Sstevel@tonic-gate# get_ans(): gets an answer from the user.
5137c478bd9Sstevel@tonic-gate#		$1  instruction/comment/description/question
5147c478bd9Sstevel@tonic-gate#		$2  default value
5157c478bd9Sstevel@tonic-gate#
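get_ans()
{
    # Show the prompt; the default (if any) is appended in brackets.  "\c"
    # suppresses the trailing newline on the System V style echo this
    # script selects via ${ECHO}.
    if [ -z "$2" ]
    then
	${ECHO} "$1 \c"
    else
	${ECHO} "$1 [$2] \c"
    fi

    # -r keeps backslashes literal.  Answers read through here include LDAP
    # DNs and passwords, which may legitimately contain "\" (e.g. an
    # escaped comma in an RDN); a plain "read" would silently strip or
    # reinterpret it and the value written to the server would differ
    # from what the operator typed.
    read -r ANS

    # Empty answer (just Enter) means "take the default".
    if [ -z "$ANS" ]
    then
	ANS=$2
    fi
}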
5317c478bd9Sstevel@tonic-gate
5327c478bd9Sstevel@tonic-gate
5337c478bd9Sstevel@tonic-gate#
5347c478bd9Sstevel@tonic-gate# get_ans_req(): gets an answer (required) from the user, NULL value not allowed.
5357c478bd9Sstevel@tonic-gate#		$@  instruction/comment/description/question
5367c478bd9Sstevel@tonic-gate#
get_ans_req()
{
    # Same as get_ans(), but refuses an empty answer: keep prompting until
    # the user types something.  All arguments are passed straight through
    # to get_ans(); the result is left in ANS.
    ANS=""
    until [ -n "$ANS" ]
    do
	get_ans "$@"
	if [ -z "$ANS" ]
	then
	    ${ECHO} "NULL value not allowed!"
	fi
    done
}
5467c478bd9Sstevel@tonic-gate
5477c478bd9Sstevel@tonic-gate
5487c478bd9Sstevel@tonic-gate#
# get_number(): Queries the user and verifies that the value entered is numeric.
#               The function re-prompts until a numeric value is given.
5517c478bd9Sstevel@tonic-gate#               $1  Message text.
5527c478bd9Sstevel@tonic-gate#		$2  default value.
5537c478bd9Sstevel@tonic-gate#               $3  Help argument.
5547c478bd9Sstevel@tonic-gate#
get_number()
{
    # Ask for a number and keep re-asking until not_numeric() accepts the
    # answer.  "h", "help" or "?" shows the help text for tag $3 (falling
    # back to the generic "sorry" text); anything else non-numeric is
    # reported as invalid.  Result is left in both ANS and NUM.
    ANS=""
    NUM=""

    get_ans "$1" "$2"

    while not_numeric $ANS
    do
	case "$ANS" in
	[Hh] | help | Help | \?)
	    display_msg ${3:-sorry}
	    ;;
	*)
	    ${ECHO} "Invalid value: \"${ANS}\". \c"
	    ;;
	esac
	# Re-prompt, offering the same default as the first time.
	get_ans "Enter a numeric value:" "$2"
    done

    NUM=$ANS
}
5757c478bd9Sstevel@tonic-gate
5767c478bd9Sstevel@tonic-gate
5777c478bd9Sstevel@tonic-gate#
5787c478bd9Sstevel@tonic-gate# get_negone_num(): Only allows a -1 or positive integer.
5797c478bd9Sstevel@tonic-gate#                   Used for values where -1 has special meaning.
5807c478bd9Sstevel@tonic-gate#
5817c478bd9Sstevel@tonic-gate#                   $1 - Prompt message.
#                   $2 - Default value (required).
5837c478bd9Sstevel@tonic-gate#                   $3 - Optional help argument.
get_negone_num()
{
    # Keep asking until get_number() yields either -1 or a value that is
    # not negative.  The accepted value is left in ANS (and NUM).
    while :
    do
        get_number "$1" "$2" "$3"
        is_negative $ANS
        case $? in
            0)  # Negative: -1 is the only acceptable negative value.
                if [ "$ANS" = "-1" ]; then
                    break
                fi
                ${ECHO} "Invalid number: please enter -1 or positive number."
                ;;
            *)  break ;;    # zero or positive
        esac
    done
}
6017c478bd9Sstevel@tonic-gate
6027c478bd9Sstevel@tonic-gate
6037c478bd9Sstevel@tonic-gate#
6047c478bd9Sstevel@tonic-gate# get_passwd(): Reads a password from the user and verify with second.
6057c478bd9Sstevel@tonic-gate#		$@  instruction/comment/description/question
6067c478bd9Sstevel@tonic-gate#
get_passwd()
{
    # Read a password twice with terminal echo disabled and loop until both
    # entries agree.  $@ is the prompt.  The accepted password is left in
    # ANS (and also remains in the temporaries _PASS1/_PASS2).
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd()"

    _PASS1=""
    _PASS2=""

    /usr/bin/stty -echo     # no terminal echo while the secret is typed

    while :
    do
        # First entry: insist on a non-empty value.
        ANS=""
        until [ "$ANS" != "" ]
        do
            get_ans "$@"
            [ "$ANS" = "" ] && ${ECHO} "" && ${ECHO} "NULL passwd not allowed!"
        done
        _PASS1=$ANS

        # Second entry for confirmation.
        ${ECHO} ""
        get_ans "Re-enter passwd:"
        _PASS2=$ANS

        [ "$_PASS1" = "$_PASS2" ] && break

        # Mismatch: newline (echo is off, so the cursor is still on the
        # prompt line) and an error, then start over.
        ${ECHO} ""
        ${ECHO} "ERROR: passwords don't match; try again."
    done

    /usr/bin/stty echo      # restore terminal echo

    ${ECHO} ""
}
6507c478bd9Sstevel@tonic-gate
6517c478bd9Sstevel@tonic-gate
6527c478bd9Sstevel@tonic-gate#
6537c478bd9Sstevel@tonic-gate# get_passwd_nochk(): Reads a password from the user w/o check.
6547c478bd9Sstevel@tonic-gate#		$@  instruction/comment/description/question
6557c478bd9Sstevel@tonic-gate#
get_passwd_nochk()
{
    # Single password prompt ($@ is the prompt) with terminal echo turned
    # off; no confirmation pass.  The value is left in ANS.
    [ $DEBUG -eq 1 ] && ${ECHO} "In get_passwd_nochk()"

    /usr/bin/stty -echo     # no terminal echo while the secret is typed
    get_ans "$@"
    /usr/bin/stty echo      # restore terminal echo

    # Echo was off, so move to a fresh line.
    ${ECHO} ""
}
6687c478bd9Sstevel@tonic-gate
6697c478bd9Sstevel@tonic-gate
6707c478bd9Sstevel@tonic-gate#
6717c478bd9Sstevel@tonic-gate# get_menu_choice(): Get a menu choice from user.  Continue prompting
6727c478bd9Sstevel@tonic-gate#                    till the choice is in required range.
6737c478bd9Sstevel@tonic-gate#   $1 .. Message text.
6747c478bd9Sstevel@tonic-gate#   $2 .. min value
6757c478bd9Sstevel@tonic-gate#   $3 .. max value
6767c478bd9Sstevel@tonic-gate#   $4 .. OPTIONAL: default value
6777c478bd9Sstevel@tonic-gate#
6787c478bd9Sstevel@tonic-gate#   Return value:
6797c478bd9Sstevel@tonic-gate#     MN_CH will contain the value selected.
6807c478bd9Sstevel@tonic-gate#
get_menu_choice()
{
    # Prompt ($1, optional default $4) until the reply is an integer in
    # the inclusive range $2..$3.  Result is left in MN_CH.
    # Returns 1 without prompting if fewer than three arguments were given.
    if [ $# -lt 3 ]; then
        ${ECHO} "get_menu_choice(): Did not get required parameters."
        return 1
    fi

    while :
    do
        get_ans "$1" "$4"
        MN_CH=$ANS

        # is_negative returns 1 for a non-negative integer; a negative,
        # non-numeric or empty reply never reaches the range test.
        is_negative $MN_CH
        if [ $? -eq 1 ] && [ $MN_CH -ge $2 ] && [ $MN_CH -le $3 ]; then
            return
        fi

        ${ECHO} "Invalid choice: $MN_CH"
    done
}
7047c478bd9Sstevel@tonic-gate
7057c478bd9Sstevel@tonic-gate
7067c478bd9Sstevel@tonic-gate#
7077c478bd9Sstevel@tonic-gate# get_confirm(): Get confirmation from the user. (Y/Yes or N/No)
7087c478bd9Sstevel@tonic-gate#                $1 - Message
7097c478bd9Sstevel@tonic-gate#                $2 - default value.
7107c478bd9Sstevel@tonic-gate#
get_confirm()
{
    # Yes/no question.  $1 prompt, $2 default (mandatory), $3 optional help
    # tag for display_msg.  Returns 1 for yes and 0 for no (note the
    # inverted convention); exits with status 2 if no default was supplied.
    _ANSWER=

    # The default does not change while looping, so validate it once.
    if [ -z "$2" ]
    then
        ${ECHO} "INTERNAL ERROR: get_confirm requires 2 args, 3rd is optional."
        exit 2
    fi

    while :
    do
        ${ECHO} "$1 [$2] \c"
        read _ANSWER
        # An empty reply takes the default.
        _ANSWER=${_ANSWER:-$2}
        case "$_ANSWER" in
            [Yy] | yes | Yes | YES) return 1 ;;
            [Nn] | no  | No  | NO)  return 0 ;;
            [Hh] | help | Help | \?) display_msg ${3:-sorry} ;;
            * ) ${ECHO} "Please enter y or n." ;;
        esac
    done
}
7407c478bd9Sstevel@tonic-gate
7417c478bd9Sstevel@tonic-gate
7427c478bd9Sstevel@tonic-gate#
7437c478bd9Sstevel@tonic-gate# get_confirm_nodef(): Get confirmation from the user. (Y/Yes or N/No)
7447c478bd9Sstevel@tonic-gate#                      No default value supported.
7457c478bd9Sstevel@tonic-gate#
get_confirm_nodef()
{
    # Yes/no question with no default; all arguments form the prompt.
    # Returns 1 for yes and 0 for no (inverted convention, as get_confirm).
    # NOTE(review): if read hits EOF (stdin not a terminal) the loop keeps
    # printing the reminder and never terminates -- confirm callers only
    # use this interactively.
    _ANSWER=

    while :
    do
        ${ECHO} "$@ \c"
        read _ANSWER
        case "$_ANSWER" in
            [Yy] | yes | Yes | YES) return 1 ;;
            [Nn] | no  | No  | NO)  return 0 ;;
        esac
        ${ECHO} "Please enter y or n."
    done
}
7617c478bd9Sstevel@tonic-gate
7627c478bd9Sstevel@tonic-gate
7637c478bd9Sstevel@tonic-gate#
# is_numeric(): Tells if a string is numeric.
7657c478bd9Sstevel@tonic-gate#    0 = Numeric
7667c478bd9Sstevel@tonic-gate#    1 = NOT Numeric
7677c478bd9Sstevel@tonic-gate#
is_numeric()
{
    # Returns 0 if the single argument is an integer, 1 otherwise
    # (including when the argument count is not exactly one).
    [ $# -eq 1 ] || return 1

    # expr exits 0 or 1 when the addition succeeds (1 means the result was
    # zero, e.g. for "-1"); a status of 2 or more means "$1" is not an integer.
    expr "$1" + 1 > /dev/null 2>&1
    case $? in
        0 | 1) return 0 ;;
        *)     return 1 ;;
    esac
}
7847c478bd9Sstevel@tonic-gate
7857c478bd9Sstevel@tonic-gate
7867c478bd9Sstevel@tonic-gate#
7877c478bd9Sstevel@tonic-gate# not_numeric(): Reverses the return values of is_numeric.  Useful
7887c478bd9Sstevel@tonic-gate#                 for if and while statements that want to test for
7897c478bd9Sstevel@tonic-gate#                 non-numeric data.
7907c478bd9Sstevel@tonic-gate#    0 = NOT Numeric
7917c478bd9Sstevel@tonic-gate#    1 = Numeric
7927c478bd9Sstevel@tonic-gate#
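not_numeric()
{
    # Inverse of is_numeric: returns 0 when $1 is NOT an integer, 1 when it is.
    # "$1" is quoted so a value such as "*" or "" reaches is_numeric as one
    # literal argument instead of being glob-expanded or dropped; an empty or
    # missing argument is still reported as not numeric.
    if is_numeric "$1"; then
        return 1
    fi
    return 0
}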
8027c478bd9Sstevel@tonic-gate
8037c478bd9Sstevel@tonic-gate
8047c478bd9Sstevel@tonic-gate#
# is_negative(): Tells if a numeric value is less than zero.
8067c478bd9Sstevel@tonic-gate#    0 = Negative Numeric
8077c478bd9Sstevel@tonic-gate#    1 = Positive Numeric
8087c478bd9Sstevel@tonic-gate#    2 = NOT Numeric
8097c478bd9Sstevel@tonic-gate#
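is_negative()
{
    # Classify $1: 0 = negative integer, 1 = zero/positive integer,
    # 2 = not numeric.  An argument count other than one also yields 1.
    if [ $# -ne 1 ]; then
        return 1
    fi

    # The sign is taken from a leading '-' rather than from expr, which
    # (per the original author) treats -0 as positive.  "$1" is quoted so
    # a user-supplied value is never glob-expanded or word-split before the
    # numeric test.
    if is_numeric "$1"; then
        case "$1" in
            -*)  return 0 ;;   # Negative numeric
            *)   return 1 ;;   # Zero or positive numeric
        esac
    else
        return 2
    fi
}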
8287c478bd9Sstevel@tonic-gate
8297c478bd9Sstevel@tonic-gate
8307c478bd9Sstevel@tonic-gate#
8317c478bd9Sstevel@tonic-gate# check_domainname(): check validity of a domain name.  Currently we check
8327c478bd9Sstevel@tonic-gate#                     that it has at least two components.
8337c478bd9Sstevel@tonic-gate#		$1  the domain name to be checked
8347c478bd9Sstevel@tonic-gate#
check_domainname()
{
    # Returns 1 if a non-empty $1 does not start with two dot-separated
    # components ("a.b"); returns 0 otherwise, including for an empty $1.
    # expr prints the length of the anchored match (0 when nothing matches).
    if [ -n "$1" ]
    then
        t=`expr "$1" : '[^.]\{1,\}[.][^.]\{1,\}'`
        case "$t" in
            0) return 1 ;;
        esac
    fi
    return 0
}
8477c478bd9Sstevel@tonic-gate
8487c478bd9Sstevel@tonic-gate
8497c478bd9Sstevel@tonic-gate#
8507c478bd9Sstevel@tonic-gate# check_baseDN(): check validity of the baseDN name.
8517c478bd9Sstevel@tonic-gate#		$1  the baseDN name to be checked
8527c478bd9Sstevel@tonic-gate#
8537c478bd9Sstevel@tonic-gate#     NOTE: The check_baseDN function does not catch all invalid DN's.
8547c478bd9Sstevel@tonic-gate#           Its purpose is to reduce the number of invalid DN's to
8557c478bd9Sstevel@tonic-gate#           get past the input routine.  The invalid DN's will be
8567c478bd9Sstevel@tonic-gate#           caught by the LDAP server when they are attempted to be
8577c478bd9Sstevel@tonic-gate#           created.
8587c478bd9Sstevel@tonic-gate#
check_baseDN()
{
    # Returns 1 if $1 contains no '=' or if any RDN's attribute type (the
    # text left of its '=') fails check_attrName; returns 0 otherwise,
    # including for an empty $1.  RDN values are never inspected here.
    ck_DN=$1
    ${ECHO} "  Checking LDAP Base DN ..."
    if [ ! -z "$ck_DN" ]; then
        [ $DEBUG -eq 1 ] && ${ECHO} "Checking baseDN: $ck_DN"
        # Check for = (assignment operator)
        ${ECHO} "$ck_DN" | ${GREP} "=" > /dev/null 2>&1
        if [ $? -ne 0 ]; then
            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: No '=' in baseDN."
            return 1
        fi

        # Check all keys.
        while :
        do
            # Get first key.
            # $ck_DN is unquoted here and below: word splitting trims the
            # blank after each ',' ("dc=example, dc=com"), but the same
            # expansion also glob-expands a DN containing '*' or '?'.
            dkey=`${ECHO} $ck_DN | cut -d'=' -f1`

            # Check that the key string is valid
            # (check_attrName is defined elsewhere in this file.)
	    check_attrName $dkey
	    if [ $? -ne 0 ]; then
                [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: invalid key=${dkey}"
                return 1
            fi

            [ $DEBUG -eq 1 ] && ${ECHO} "check_baseDN: valid key=${dkey}"

            # Remove first key from DN
            # cut -s yields nothing when no ',' is left, ending the loop.
            ck_DN=`${ECHO} $ck_DN | cut -s -d',' -f2-`

            # Break loop if nothing left.
            if [ "$ck_DN" = "" ]; then
                break
            fi
        done
    fi
    return 0
}
8987c478bd9Sstevel@tonic-gate
8997c478bd9Sstevel@tonic-gate
9007c478bd9Sstevel@tonic-gate#
9017c478bd9Sstevel@tonic-gate# domain_2_dc(): Convert a domain name into dc string.
9027c478bd9Sstevel@tonic-gate#    $1  .. Domain name.
9037c478bd9Sstevel@tonic-gate#
domain_2_dc()
{
    # Turn "a.b.c" into "dc=a,dc=b,dc=c"; the result is exported in
    # _DOM_2_DC (empty for an empty domain).
    _DOM=$1
    _DOM_2_DC=""
    _FIRST=1

    export _DOM_2_DC

    # Dots become blanks so the for loop iterates over the labels.
    domtmp="`${ECHO} ${_DOM} | tr '.' ' '`"
    for i in $domtmp; do
        case $_FIRST in
            1)  _DOM_2_DC="dc=${i}"
                _FIRST=0 ;;
            *)  _DOM_2_DC="${_DOM_2_DC},dc=${i}" ;;
        esac
    done
}
9237c478bd9Sstevel@tonic-gate
9247c478bd9Sstevel@tonic-gate
9257c478bd9Sstevel@tonic-gate#
9267c478bd9Sstevel@tonic-gate# is_root_user(): Check to see if logged in as root user.
9277c478bd9Sstevel@tonic-gate#
is_root_user()
{
    # Returns 0 when id(1) reports "uid=0(root) ...", 1 otherwise.  This is
    # a textual match, so a uid-0 account under another name is not "root".
    case `id` in
        uid=0\(root\)*) ;;
        * )             return 1 ;;
    esac
    return 0
}
9357c478bd9Sstevel@tonic-gate
9367c478bd9Sstevel@tonic-gate
9377c478bd9Sstevel@tonic-gate#
9387c478bd9Sstevel@tonic-gate# parse_arg(): Parses the command line arguments and sets the
9397c478bd9Sstevel@tonic-gate#              appropriate variables.
9407c478bd9Sstevel@tonic-gate#
parse_arg()
{
    # Options: -d debug, -v verbose (clears VERB), -i input file,
    # -o output file.  Unknown options print usage and exit 1.
    # Returns the number of arguments consumed, so the caller can shift.
    while getopts "dvhi:o:" ARG
    do
        case "$ARG" in
            d)  DEBUG=1 ;;
            v)  VERB="" ;;
            i)  INPUT_FILE=$OPTARG ;;
            o)  OUTPUT_FILE=$OPTARG ;;
            \?) display_msg usage
                exit 1 ;;
            *)  # -h is accepted by getopts but has no arm of its own,
                # so it lands here.
                ${ECHO} "**ERROR: Supported option missing handler!"
                display_msg usage
                exit 1 ;;
        esac
    done
    return `expr $OPTIND - 1`
}
9597c478bd9Sstevel@tonic-gate
9607c478bd9Sstevel@tonic-gate
9617c478bd9Sstevel@tonic-gate#
9627c478bd9Sstevel@tonic-gate# init(): initializes variables and options
9637c478bd9Sstevel@tonic-gate#
init()
{
    # Sets every global the rest of the script reads, derives a default
    # domain, restricts the umask, creates the private TMPDIR and installs
    # the signal cleanup trap.  Exits 1 if TMPDIR cannot be created.

    # General variables.
    PROG=`basename $0`	# Program name
    PID=$$              # Program ID
    VERB='> /dev/null 2>&1'	# NULL or "> /dev/null"
    ECHO="/bin/echo"	# print message on screen
    EVAL="eval"		# eval or echo
    EGREP="/usr/bin/egrep"
    GREP="/usr/bin/grep"
    DEBUG=0             # Set Debug OFF
    BACKUP=no_ldap	# backup suffix
    HOST=""		# NULL or <hostname>
    NAWK="/usr/bin/nawk"
    RM="/usr/bin/rm"
    WC="/usr/bin/wc"
    CAT="/usr/bin/cat"
    SED="/usr/bin/sed"
    MV="/usr/bin/mv"

    DOM=""              # Set to NULL
    # If DNS domain (resolv.conf) exists use that, otherwise use domainname.
    # Second field of the last "domain"/"search" line (case-insensitive).
    if [ -f /etc/resolv.conf ]; then
        DOM=`/usr/bin/grep -i -E '^domain|^search' /etc/resolv.conf \
	    | awk '{ print $2 }' | tail -1`
    fi

    # If for any reason the DOM did not get set (error'd resolv.conf) set
    # DOM to the domainname command's output.
    if [ "$DOM" = "" ]; then
        DOM=`domainname`	# domain from domainname command.
    fi

    STEP=1
    INTERACTIVE=1       # 0 = on, 1 = off (For input file mode)
    DEL_OLD_PROFILE=0   # 0 (default), 1 = delete old profile.

    # idsconfig specific variables.
    INPUT_FILE=""
    OUTPUT_FILE=""
    LDAP_ENABLE_SHADOW_UPDATE="FALSE"
    NEED_PROXY=0        # 0 = No Proxy,    1 = Create Proxy.
    NEED_ADMIN=0        # 0 = No Admin,    1 = Create Admin.
    NEED_HOSTACL=0      # 0 = No Host ACL, 1 = Create Host ACL.
    EXISTING_PROFILE=0
    LDAP_PROXYAGENT=""
    LDAP_ADMINDN=""
    LDAP_SUFFIX=""
    LDAP_DOMAIN=$DOM	# domainname on Server (default value)
    GEN_CMD=""
    PROXY_ACI_NAME="LDAP_Naming_Services_proxy_password_read"

    # LDAP COMMANDS
    LDAPSEARCH="/bin/ldapsearch -r"
    LDAPMODIFY=/bin/ldapmodify
    LDAPADD=/bin/ldapadd
    LDAPDELETE=/bin/ldapdelete
    LDAP_GEN_PROFILE=/usr/sbin/ldap_gen_profile

    # iDS specific information
    IDS_SERVER=""
    IDS_PORT=389
    NEED_TIME=0
    NEED_SIZE=0
    NEED_SRVAUTH_PAM=0
    NEED_SRVAUTH_KEY=0
    NEED_SRVAUTH_CMD=0
    IDS_TIMELIMIT=""
    IDS_SIZELIMIT=""

    # LDAP PROFILE related defaults
    LDAP_ROOTDN="cn=Directory Manager"   # Provide common default.
    LDAP_ROOTPWD=""                      # NULL passwd as default (i.e. invalid)
    LDAP_PROFILE_NAME="default"
    LDAP_BASEDN=""
    LDAP_SERVER_LIST=""
    LDAP_AUTHMETHOD=""
    LDAP_FOLLOWREF="FALSE"
    NEED_CRYPT=""
    LDAP_SEARCH_SCOPE="one"
    LDAP_SRV_AUTHMETHOD_PAM=""
    LDAP_SRV_AUTHMETHOD_KEY=""
    LDAP_SRV_AUTHMETHOD_CMD=""
    LDAP_SEARCH_TIME_LIMIT=30
    LDAP_PREF_SRVLIST=""
    LDAP_PROFILE_TTL=43200
    LDAP_CRED_LEVEL="proxy"
    LDAP_BIND_LIMIT=10

    # Prevent new files from being read by group or others.
    # The files created below (TMPDIR, the root password file, the SSD
    # file) get their permissions from this umask.
    umask 077

    # Service Search Descriptors
    LDAP_SERV_SRCH_DES=""

    # Set and create TMPDIR.
    # The name is predictable (PID based); safety comes from mkdir failing
    # when the path already exists, in which case the script exits below
    # instead of reusing a directory it did not create.
    TMPDIR="/tmp/idsconfig.${PID}"
    if mkdir -m 700 ${TMPDIR}
    then
	# Cleanup on exit.
	# NOTE(review): only signals 1 2 3 6 15 are trapped, not normal exit
	# (0); removal of TMPDIR (and the password file in it) on a normal
	# exit presumably happens elsewhere -- confirm.
	trap 'rm -rf ${TMPDIR}; /usr/bin/stty echo; exit' 1 2 3 6 15
    else
	echo "ERROR: unable to create a safe temporary directory."
	exit 1
    fi
    # File that save_password() writes the root password into.
    LDAP_ROOTPWF=${TMPDIR}/rootPWD

    # Set the SSD file name after setting TMPDIR.
    SSD_FILE=${TMPDIR}/ssd_list

    # GSSAPI setup
    GSSAPI_ENABLE=0
    LDAP_KRB_REALM=""
    SCHEMA_UPDATED=0

    # NOTE(review): LDAP_ROOTPWD, LDAP_PROXYAGENT_CRED and LDAP_ADMIN_CRED
    # are exported, so every child process started by this script receives
    # these credentials in its environment.
    export DEBUG VERB ECHO EVAL EGREP GREP STEP TMPDIR
    export IDS_SERVER IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST
    export LDAP_BASEDN LDAP_ROOTPWF
    export LDAP_DOMAIN LDAP_SUFFIX LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
    export NEED_PROXY
    export LDAP_ENABLE_SHADOW_UPDATE LDAP_ADMINDN LDAP_ADMIN_CRED
    export NEED_ADMIN NEED_HOSTACL EXISTING_PROFILE
    export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
    export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
    export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
    export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
    export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
    export LDAP_SERV_SRCH_DES SSD_FILE
    export GEN_CMD GSSAPI_ENABLE LDAP_KRB_REALM SCHEMA_UPDATED
}
10947c478bd9Sstevel@tonic-gate
10957c478bd9Sstevel@tonic-gate
10967c478bd9Sstevel@tonic-gate#
10977c478bd9Sstevel@tonic-gate# disp_full_debug(): List of all debug variables usually interested in.
10987c478bd9Sstevel@tonic-gate#                    Grouped to avoid MASSIVE code duplication.
10997c478bd9Sstevel@tonic-gate#
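disp_full_debug()
{
    # Dump the configuration variables when DEBUG=1; a no-op otherwise.
    # Returns 1 when debugging is off (same status the per-line
    # "[ $DEBUG -eq 1 ] && ..." form produced), 0 after printing.
    #
    # The dump includes LDAP_ROOTPWD and the proxy/admin credentials in
    # clear text, so -d output must not be captured into logs or shared
    # without redaction.
    [ $DEBUG -eq 1 ] || return 1

    ${ECHO} "  IDS_SERVER = $IDS_SERVER"
    ${ECHO} "  IDS_PORT = $IDS_PORT"
    ${ECHO} "  LDAP_ROOTDN = $LDAP_ROOTDN"
    ${ECHO} "  LDAP_ROOTPWD = $LDAP_ROOTPWD"
    ${ECHO} "  LDAP_DOMAIN = $LDAP_DOMAIN"
    ${ECHO} "  LDAP_SUFFIX = $LDAP_SUFFIX"
    ${ECHO} "  LDAP_BASEDN = $LDAP_BASEDN"
    ${ECHO} "  LDAP_PROFILE_NAME = $LDAP_PROFILE_NAME"
    ${ECHO} "  LDAP_SERVER_LIST = $LDAP_SERVER_LIST"
    ${ECHO} "  LDAP_PREF_SRVLIST = $LDAP_PREF_SRVLIST"
    ${ECHO} "  LDAP_SEARCH_SCOPE = $LDAP_SEARCH_SCOPE"
    ${ECHO} "  LDAP_CRED_LEVEL = $LDAP_CRED_LEVEL"
    ${ECHO} "  LDAP_AUTHMETHOD = $LDAP_AUTHMETHOD"
    ${ECHO} "  LDAP_FOLLOWREF = $LDAP_FOLLOWREF"
    ${ECHO} "  IDS_TIMELIMIT = $IDS_TIMELIMIT"
    ${ECHO} "  IDS_SIZELIMIT = $IDS_SIZELIMIT"
    ${ECHO} "  NEED_CRYPT = $NEED_CRYPT"
    ${ECHO} "  NEED_SRVAUTH_PAM = $NEED_SRVAUTH_PAM"
    ${ECHO} "  NEED_SRVAUTH_KEY = $NEED_SRVAUTH_KEY"
    ${ECHO} "  NEED_SRVAUTH_CMD = $NEED_SRVAUTH_CMD"
    ${ECHO} "  LDAP_SRV_AUTHMETHOD_PAM = $LDAP_SRV_AUTHMETHOD_PAM"
    ${ECHO} "  LDAP_SRV_AUTHMETHOD_KEY = $LDAP_SRV_AUTHMETHOD_KEY"
    ${ECHO} "  LDAP_SRV_AUTHMETHOD_CMD = $LDAP_SRV_AUTHMETHOD_CMD"
    ${ECHO} "  LDAP_SEARCH_TIME_LIMIT = $LDAP_SEARCH_TIME_LIMIT"
    ${ECHO} "  LDAP_PROFILE_TTL = $LDAP_PROFILE_TTL"
    ${ECHO} "  LDAP_BIND_LIMIT = $LDAP_BIND_LIMIT"
    ${ECHO} "  LDAP_ENABLE_SHADOW_UPDATE = $LDAP_ENABLE_SHADOW_UPDATE"

    # Only display proxy stuff if needed.
    ${ECHO} "  NEED_PROXY = $NEED_PROXY"
    if [ $NEED_PROXY -eq 1 ]; then
        ${ECHO} "  LDAP_PROXYAGENT = $LDAP_PROXYAGENT"
        ${ECHO} "  LDAP_PROXYAGENT_CRED = $LDAP_PROXYAGENT_CRED"
    fi

    # Only display admin credential if needed.
    ${ECHO} "  NEED_ADMIN = $NEED_ADMIN"
    ${ECHO} "  NEED_HOSTACL = $NEED_HOSTACL"
    if [ $NEED_ADMIN -eq 1 ]; then
        ${ECHO} "  LDAP_ADMINDN = $LDAP_ADMINDN"
        ${ECHO} "  LDAP_ADMIN_CRED = $LDAP_ADMIN_CRED"
    fi

    # Service Search Descriptors are a special case.
    ${ECHO} "  LDAP_SERV_SRCH_DES = $LDAP_SERV_SRCH_DES"
}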
11487c478bd9Sstevel@tonic-gate
11497c478bd9Sstevel@tonic-gate
11507c478bd9Sstevel@tonic-gate#
11517c478bd9Sstevel@tonic-gate# load_config_file(): Loads the config file.
11527c478bd9Sstevel@tonic-gate#
load_config_file()
{
    # Load settings from INPUT_FILE by sourcing a filtered copy of it,
    # then write the root password file, build the SSD file and dump the
    # resulting configuration when DEBUG=1.
    [ $DEBUG -eq 1 ] && ${ECHO} "In load_config_file()"

    # Remove SSD lines from input file before sourcing.
    # The SSD lines must be removed because some forms of the
    # data could cause SHELL errors.
    # Only lines containing "LDAP_SERV_SRCH_DES=" are dropped; grep's
    # status is not checked, so an unreadable INPUT_FILE leaves an empty
    # copy that is then sourced, silently keeping the init() defaults.
    ${GREP} -v "LDAP_SERV_SRCH_DES=" ${INPUT_FILE} > ${TMPDIR}/inputfile.noSSD

    # Source the input file.
    # This runs the file as shell code with this script's privileges, so
    # anything in INPUT_FILE executes -- it must come from a trusted party.
    . ${TMPDIR}/inputfile.noSSD

    # If LDAP_SUFFIX is no set, try to utilize LDAP_TREETOP since older
    # config files use LDAP_TREETOP
    LDAP_SUFFIX="${LDAP_SUFFIX:-$LDAP_TREETOP}"

    # Save password to temporary file.
    save_password

    # Create the SSD file.
    create_ssd_file

    # Display FULL debugging info.
    disp_full_debug
}
11787c478bd9Sstevel@tonic-gate
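#
# save_password(): Save the directory manager password to the temporary
# password file LDAP_ROOTPWF (handed to the ldap tools with -j).
#
# The file is written under umask 077 in a subshell and then chmod'ed
# to 0600 (covers the case where the file already existed with wider
# permissions), so the credential is not exposed through the caller's
# default umask.  printf '%s' is used instead of an unquoted here-document
# so that '$', backquotes and backslashes in the password are written
# literally rather than expanded by the shell.
#
# Globals read: LDAP_ROOTPWF, LDAP_ROOTPWD
#
save_password()
{
    (
	umask 077
	printf '%s\n' "${LDAP_ROOTPWD}" > "${LDAP_ROOTPWF}"
    )
    chmod 600 "${LDAP_ROOTPWF}"
}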
11887c478bd9Sstevel@tonic-gate
11897c478bd9Sstevel@tonic-gate######################################################################
11907c478bd9Sstevel@tonic-gate# FUNCTIONS  FOR prompt_config_info() START HERE.
11917c478bd9Sstevel@tonic-gate######################################################################
11927c478bd9Sstevel@tonic-gate
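#
# get_ids_server(): Prompt for the iDS server hostname.
#
# Loops until the entered host answers ping; a host that filters ICMP
# can never pass this check and is reported as invalid or unreachable.
# The hostname is passed to ping as one quoted argument so that spaces
# or shell wildcards in the answer cannot become extra words/options.
# The real host:port check is the LDAP search in get_ids_port().
#
# Globals read:    IDS_SERVER (default answer), IDS_PORT, AUTH_ARGS,
#                  ANS (set by get_ans), ECHO
# Globals written: IDS_SERVER, SERVER_ARGS (exported), LDAP_ARGS
#
get_ids_server()
{
    while :
    do
	# Prompt for server name; get_ans leaves the answer in ANS.
	get_ans "Enter the JES Directory Server's  hostname to setup:" "$IDS_SERVER"
	IDS_SERVER="$ANS"

	# Ping server to see if live.  If valid break out of loop.
	if ping "${IDS_SERVER}" > /dev/null 2>&1; then
	    break
	fi

	# Invalid server, enter a new name.
	${ECHO} "ERROR: Server '${IDS_SERVER}' is invalid or unreachable."
	IDS_SERVER=""
    done

    # Set SERVER_ARGS and LDAP_ARGS since values might have changed.
    # SERVER_ARGS is deliberately a flat string: callers expand it
    # unquoted to get "-h host -p port" as separate words.
    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
    export SERVER_ARGS
}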
12217c478bd9Sstevel@tonic-gate
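#
# get_ids_port(): Prompt for the iDS port number.
#
# Loops until an anonymous base-level search of the root DSE on
# IDS_SERVER:IDS_PORT succeeds; on failure the server name is asked for
# again (get_ids_server) and then the port.  Host and port are passed to
# ldapsearch as single quoted arguments so that unexpected characters in
# the answers cannot become extra words/options.
#
# Globals read:    IDS_SERVER, IDS_PORT (default answer), AUTH_ARGS,
#                  ANS (set by get_number), LDAPSEARCH, ECHO
# Globals written: IDS_PORT, SERVER_ARGS (exported), LDAP_ARGS
#
get_ids_port()
{
    # Get a valid iDS port number.
    while :
    do
	# Enter port number; get_number leaves the answer in ANS.
	get_number "Enter the port number for iDS (h=help):" "$IDS_PORT" "port_help"
	IDS_PORT=$ANS
	# Do a simple search to check hostname and port number.
	# If search returns SUCCESS, break out, host and port must
	# be valid.
	if ${LDAPSEARCH} -h "${IDS_SERVER}" -p "${IDS_PORT}" -b "" -s base "objectclass=*" > /dev/null 2>&1; then
	    break
	fi

	# Invalid host/port pair, Re-enter.
	${ECHO} "ERROR: Invalid host or port: ${IDS_SERVER}:${IDS_PORT}, Please re-enter!"
	get_ids_server
    done

    # Set SERVER_ARGS and LDAP_ARGS since values might have changed.
    # SERVER_ARGS is deliberately a flat string: callers expand it
    # unquoted to get "-h host -p port" as separate words.
    SERVER_ARGS="-h ${IDS_SERVER} -p ${IDS_PORT}"
    LDAP_ARGS="${SERVER_ARGS} ${AUTH_ARGS}"
    export SERVER_ARGS
}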
12517c478bd9Sstevel@tonic-gate
12527c478bd9Sstevel@tonic-gate
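#
# chk_ids_version(): Read the server's version from cn=monitor and set
# IDS_VER, IDS_MAJVER and IDS_MINVER.  Exits 1 if the search fails, no
# version string can be extracted, or the major version is not 5, 6 or 7.
#
# The search is run directly rather than through eval so that the exit
# status tested is ldapsearch's own (in the eval'ed pipeline $? was the
# status of the final cut, which masked search failures and made the
# error branch unreachable) and so that SERVER_ARGS is never re-parsed
# by the shell as code.
#
# Globals read:    LDAPSEARCH, SERVER_ARGS (expanded unquoted on purpose:
#                  it holds "-h host -p port" as a flat string), GREP,
#                  TMPDIR, ECHO, PROG, DEBUG
# Globals written: IDS_VER, IDS_MAJVER, IDS_MINVER
# Files written:   ${TMPDIR}/checkDSver.out (raw search output),
#                  ${TMPDIR}/checkDSver (extracted version string)
#
chk_ids_version()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"

    # check iDS version number.  ldapsearch's stderr is left on the
    # terminal so a connection error is visible to the user.
    ${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base "objectclass=*" version > "${TMPDIR}/checkDSver.out"
    if [ $? -ne 0 ]; then
	${ECHO} "ERROR: Can not determine the version number of iDS!"
	exit 1
    fi

    # The "version=" line is split on '/' and then on ' ' to isolate
    # the x.y number.
    ${GREP} "^version=" "${TMPDIR}/checkDSver.out" | cut -f2 -d'/' | cut -f1 -d' ' > "${TMPDIR}/checkDSver"
    IDS_VER=`cat "${TMPDIR}/checkDSver"`
    if [ -z "${IDS_VER}" ]; then
	${ECHO} "ERROR: Can not determine the version number of iDS!"
	exit 1
    fi
    IDS_MAJVER=`${ECHO} "${IDS_VER}" | cut -f1 -d.`
    IDS_MINVER=`${ECHO} "${IDS_VER}" | cut -f2 -d.`
    case "${IDS_MAJVER}" in
        5|6|7)  : ;;
        *)   ${ECHO} "ERROR: $PROG only works with JES DS version 5.x, 6.x or 7.x, not ${IDS_VER}."; exit 1;;
    esac

    if [ $DEBUG -eq 1 ]; then
	${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
	${ECHO} "  IDS_MINVER = $IDS_MINVER"
    fi
}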
12797c478bd9Sstevel@tonic-gate
12807c478bd9Sstevel@tonic-gate
12817c478bd9Sstevel@tonic-gate#
12827c478bd9Sstevel@tonic-gate# get_dirmgr_dn(): Get the directory manger DN.
12837c478bd9Sstevel@tonic-gate#
12847c478bd9Sstevel@tonic-gateget_dirmgr_dn()
12857c478bd9Sstevel@tonic-gate{
12867c478bd9Sstevel@tonic-gate    get_ans "Enter the directory manager DN:" "$LDAP_ROOTDN"
12877c478bd9Sstevel@tonic-gate    LDAP_ROOTDN=$ANS
12887c478bd9Sstevel@tonic-gate
12897c478bd9Sstevel@tonic-gate    # Update ENV variables using DN.
12907c478bd9Sstevel@tonic-gate    AUTH_ARGS="-D \"${LDAP_ROOTDN}\" -j ${LDAP_ROOTPWF}"
12917c478bd9