#!/bin/bash
# This script serves one purpose, to add a possibly missing attribute
# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
# attribute was introduced in openldap-2.4.43 and slapd will not
# start without it later on.
#
# The script tries to update in a directory given as first parameter,
# or in /etc/openldap/slapd.d implicitly.
#
# Author: Matus Honek <mhonek@redhat.com>
# Bugzilla: #1487857

function log {
    echo "Update dynamic configuration: " $@
    true
}

function iferr {
    if [ $? -ne 0 ]; then
	log "ERROR: " $@
	true
    else
	false
    fi
}

function update {
    set -u
    shopt -s extglob

    ORIGINAL="${1:-/etc/openldap/slapd.d}"
    ORIGINAL="${ORIGINAL%*(/)}"

    ### check if necessary
    grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
    [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0

    ### prep
    log "Prepare environment."

    TEMPDIR=$(mktemp -d)
    iferr "Could not create a temporary directory. Quitting." && return 1
    DBDIR="${TEMPDIR}/db"
    SUBDBDIR="${DBDIR}/cn=temporary"

    mkdir "${DBDIR}"
    iferr "Could not create temporary configuration directory. Quitting." && return 1
    cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
    iferr "Could not copy configuration. Quitting." && return 1

    pushd "$TEMPDIR" >/dev/null

    cat > temp.conf <<EOF
database ldif
suffix cn=temporary
directory db
access to * by * manage
EOF

    SOCKET="$(pwd)/socket"
    LISTENER="ldapi://${SOCKET//\//%2F}"
    CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")

    slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
    SLAPDPID="$!"
    sleep 2

    ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
dn: cn=temporary
objectClass: olcGlobal
cn: temporary
EOF
    iferr "Could not populate the temporary database. Quitting." && return 1

    ### update
    log "Update with new pwdMaxRecordedFailure attribute."
    FILTER="(&"
    FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
    FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
    FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
    FILTER+=")"
    RES=$(ldapsearch ${CONN_PARAMS[@]} \
		     -b cn=schema,cn=config,cn=temporary \
		     -LLL \
		     -o ldif-wrap=no \
		     "$FILTER" \
		     dn olcObjectClasses \
		     2>/dev/null \
	      | sed '/^$/d')
    DN=$(printf "$RES" | grep '^dn:')
    OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
    NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"

    test $(echo "$DN" | wc -l) = 1
    iferr "Received more than one DN. Cannot continue. Quitting." && return 1
    test "$NEWOC" != "$OC"
    iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1

    ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
$DN
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
 e' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
-
delete: olcObjectClasses
$OC
-
add: olcObjectClasses
$NEWOC
EOF
    iferr "Updating with new attribute failed. Quitting." && return 1

    popd >/dev/null

    ### apply
    log "Apply changes."
    cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
    iferr "Backing up old configuration failed. Quitting." && return 1
    cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
    iferr "Applying new configuration failed. Quitting." && return 1

    ### clean up
    log "Clean up."
    kill "$SLAPDPID"
    SLAPDPID=
    rm -rf "$TEMPDIR"
    TEMPDIR=
}

SLAPDPID=
TEMPDIR=
update "$1"
if [ $? -ne 0 ]; then
    log "Clean up."
    echo "$SLAPDPID"
    echo "$TEMPDIR"
    kill "$SLAPDPID"
    rm -rf "$TEMPDIR"
fi
log "Finished."