#!/bin/sh
#
# ldictl - show/change LDI auth parameters
#
# Usage: ldiauth 
# Usage: ldiauth unitAdmin
# Usage: ldiauth AdminAccess UWCA-cn ...
# Usage: ldiauth BasicAccess UWCA-cn ...
#
# This script allows one to view and change LDI auth parameters.
# You *must* change the value of $UNIT below to match your LDI unit name.
#
# If you set $UNIT_ADMIN_{CERT,KEY} to the location of your AdminAccess
# cert and key files, ldictl will attempt to connect using that cert.
# Otherwise it will try to connect using the unitAdmin dn, and will
# prompt for the password.
#
# Running ldiauth with no arguments will display the current LDI auth
# values.
#
# Running ldiauth with the argument 'unitAdmin' will prompt for and
# set the unitAdmin password.
#
# Running ldiauth with a first argument of BasicAccess or AdminAccess will
# set the UWCA certificate cn values that allow basic or admin access.  Eg,
#
#   ldiauth BasicAccess cn=ldi.phys.washington.edu
#
# - WRSomsky 2017-04

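UNIT=phys				## set this to your unit name
UNIT_ADMIN_CERT=Certs/ldi-admin.crt	## AdminAccess cert file
UNIT_ADMIN_KEY=Certs/ldi-admin.key	## AdminAccess key file

LDI_SERVER=ldap://ldi.s.uw.edu

## Option handed to 'openssl passwd' when hashing a new unitAdmin password.
## -1 is MD5-crypt ($1$), kept as the default for compatibility with the
## existing directory; prefer -6 (SHA-512 crypt) where both your openssl
## and the directory's crypt(3) support it.
PW_HASH_OPT=-1

## Every object this script reads or modifies lives under this base.
AUTH_BASE="ou=auth,ou=$UNIT,dc=ldi,dc=uw,dc=edu"
UNIT_ADMIN_DN="cn=unitAdmin,$AUTH_BASE"

## A literal newline, used to reject values that would inject LDIF lines.
NL='
'

set -u

## Print a diagnostic to stderr and exit non-zero.
die() { printf 'ldictl: %s\n' "$*" >&2; exit 1; }

## Pick the authentication mechanism once, up front.
## Cert auth: both AdminAccess files exist -> SASL EXTERNAL over TLS.
## Password auth: simple bind as unitAdmin; -W prompts on the tty so the
## password never appears on the command line (argv is visible in ps).
if [ -f "$UNIT_ADMIN_CERT" ] && [ -f "$UNIT_ADMIN_KEY" ] ; then # auth by cert
  export LDAPTLS_CERT="$UNIT_ADMIN_CERT"
  export LDAPTLS_KEY="$UNIT_ADMIN_KEY"
  USE_CERT=1
else # auth by passwd
  USE_CERT=
fi

#######################################
# Run an OpenLDAP client command with the chosen auth options appended.
# -ZZ (rather than -Z) makes StartTLS mandatory: with -Z a failed StartTLS
# silently falls back to cleartext, which would expose the simple-bind
# password and the LDIF contents on the wire.
# Arguments: the ldap command and its non-auth options
# Returns:   the exit status of the ldap command
#######################################
ldi_cmd() {
  if [ -n "$USE_CERT" ]; then
    "$@" -ZZ -H "$LDI_SERVER" -Q -Y EXTERNAL
  else
    "$@" -ZZ -H "$LDI_SERVER" -x -W -D "$UNIT_ADMIN_DN"
  fi
}

if [ $# -eq 0 ] ; then # show current LDI control values
  rc=0
  for cn in unitAdmin AdminAccess BasicAccess ; do
    ldi_cmd ldapsearch -LLL -s base -b "cn=$cn,$AUTH_BASE" || rc=$?
  done
  exit "$rc"
fi

ITEM=$1 ; shift

## The LDIF may carry a password hash, so it must be created unpredictably
## and mode 0600 (mktemp does both); a fixed /tmp/name.$$ is guessable and
## open to symlink races.  The trap removes it on every exit path.
LDIF=$(mktemp "${TMPDIR:-/tmp}/ldictl.XXXXXX") || die "cannot create temp file"
trap 'rm -f -- "$LDIF"; exit' 0 1 2 3 15

case $ITEM in

  AdminAccess|BasicAccess)
    ## 'replace: member' with no values deletes the attribute outright,
    ## which for AdminAccess removes all admin access; insist on >= 1 value.
    [ $# -ge 1 ] || die "refusing to replace the $ITEM member list with nothing; give at least one cn"
    {
      printf 'dn: cn=%s,%s\n' "$ITEM" "$AUTH_BASE"
      printf 'changetype: modify\n'
      printf 'replace: member\n'
      for val in "$@" ; do
        case $val in
          *"$NL"*) die "member value must not contain a newline: $val" ;;
        esac
        printf 'member: %s\n' "$val"
      done
    } > "$LDIF"
    ldi_cmd ldapmodify -f "$LDIF"
    ;;

  unitAdmin)
    ## openssl prompts (with verification) for the new password on the tty;
    ## only the resulting hash is written to $LDIF.  If hashing fails we
    ## must not proceed, or the entry would be set to a bare "{CRYPT}".
    ## In password-auth mode ldapmodify -W then asks for the *current*
    ## unitAdmin password.
    HASH=$(openssl passwd "$PW_HASH_OPT") || die "password hashing failed"
    [ -n "$HASH" ] || die "password hashing produced no output"
    {
      printf 'dn: %s\n' "$UNIT_ADMIN_DN"
      printf 'changetype: modify\n'
      printf 'replace: userPassword\n'
      printf 'userPassword: {CRYPT}%s\n' "$HASH"
    } > "$LDIF"
    ldi_cmd ldapmodify -f "$LDIF"
    ;;

  *)
    die "Unknown LDI auth parameter: $ITEM"
    ;;

esac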
