#!/bin/bash

readonly toolName="ldap"
readonly toolDaemon="slapd"
readonly toolDeps="$toolDaemon ldap-utils"
readonly toolUser="openldap"

sq_aptOpt=

seq_config() {
  if ! initSeqConfig "${seq_configName:?}" "${seq_configTemplate:?}" ; then
    # End if no configuration file exists
    dry || return 1
  fi
  
  ## Apt cmdline option to suppress user interaction
  interactive || sq_aptOpt="-y"

  return 0
}

step_1_info() { echo "$toolName installation"; }
step_1_alias() { echo "install"; }
step_1() {
  exe apt update
  exe apt install $toolDeps ${sq_aptOpt}
}

step_2_info() { echo "Configuration of $toolName"; }
step_2() {
  exe dpkg-reconfigure $toolDaemon
}

step_3_info() { echo "Load memberof module"; }
step_3() {
  local tempLdif=`eval "echo \"$loadMemberof\""`
  exep "echo \"$tempLdif\" | ldapmodify -Q -Y EXTERNAL -H ldapi:///"
}
loadMemberof="dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
"

step_4_info() { echo "Configure memberof module"; }
step_4() {
  local tempLdif=`eval "echo \"$configMemberof\""`
  exep "echo \"$tempLdif\" | ldapadd -Q -Y EXTERNAL -H ldapi:///"
}
configMemberof="dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE
-
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: memberOf eq
"

step_5_info() { echo "Load refint module"; }
step_5() {
  local tempLdif=`eval "echo \"$loadRefint\""`
  exep "echo \"$tempLdif\" | ldapmodify -Q -Y EXTERNAL -H ldapi:///"
}
loadRefint="dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la
"

step_6_info() { echo "Configure refint module"; }
step_6() {
  local tempLdif=`eval "echo \"$configRefint\""`
  exep "echo \"$tempLdif\" | ldapadd -Q -Y EXTERNAL -H ldapi:///"
}
configRefint="dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
"

step_7_info() { echo "Create base DNs for users (${LDAP_OU_USERS:-}) and groups (${LDAP_OU_GROUPS:-})"; }
step_7() {
  variable2Ldif add "$ldapBase"
}
ldapBase="dn: \$LDAP_OU_USERS,\$LDAP_DC
objectClass: organizationalUnit
\${LDAP_OU_USERS/ou=/ou: }

dn: \$LDAP_OU_GROUPS,\$LDAP_DC
objectClass: organizationalUnit
\${LDAP_OU_GROUPS/ou=/ou: }
"

step_8_info() { echo "Setup SSL secured ldaps:// access"; }
step_8() {
  sudo -u $toolUser test -r "$LDAP_CERT_KEY" >>/dev/null 2>&1
  endReturn -o $? "$toolUser cannot access certificate key file: $LDAP_CERT_KEY"
  sudo -u $toolUser test -r "$LDAP_CERT" >>/dev/null 2>&1
  endReturn -o $? "$toolUser cannot access certificate file: $LDAP_CERT"
  sudo -u $toolUser test -r "$LDAP_CERT_CA" >>/dev/null 2>&1
  endReturn -o $? "$toolUser cannot access CA certificate file: $LDAP_CERT_CA"

  local tempLdif=`eval "echo \"$sslSetup\""`
  exep "echo \"$tempLdif\" | ldapmodify -Y EXTERNAL -H ldapi:///"

  exe service $toolDaemon restart
}
sslSetup="dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: \$LDAP_CERT_KEY
-
replace: olcTLSCertificateFile
olcTLSCertificateFile:  \$LDAP_CERT
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: \$LDAP_CERT_CA
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: never
"
step_9_info() { echo "Finalize SSL configuration (manually)"; }
step_9() {
  echo "/etc/default/$toolDaemon"
  echo "  Add \"ldaps:///\" to line:"
  echo "  SLAPD_SERVICES=\"ldap:/// ldaps:/// ldapi:///\""
  echo
}

step_20_info() { echo "Test plain ldap connection with anonymous access"; }
step_20() {
  exe ldapwhoami -H ldapi:/// -x
}

step_80_info() { echo -e "Some ldap command notes\n"; }
step_80_alias() { echo "notes"; }
step_80() {
  color green
  cat <<NOTES_EOF
# You can also check LDAP Base DN using the ldapsearch command as shown below
ldapsearch -H ldapi:/// -x -LLL -s base -b "" namingContexts

# To view the RootDN, run the command below
ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)"

# Reset root password
## Create a password hash {SSHA}....
slappasswd

## Modify olcRootPW
ldapmodify -Q -Y EXTERNAL -H ldapi:/// << E0F
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}thehashyoucreatedabove
E0F
NOTES_EOF
}

step_100_info() { echo "Add group"; }
step_100_options() { echo "<GROUP NAME> <USER ID>"; }
step_100_alias() { echo "addgroup"; }
step_100() {
  shift
  local groupName=$1
  local memberDn="uid=$2,${LDAP_OU_USERS},${LDAP_DC}"

  variable2Ldif add "$addGroup"
}
addGroup="dn: cn=\${groupName},\${LDAP_OU_GROUPS},\${LDAP_DC}
objectClass: groupofnames
cn: \${groupName}
description: Created by $0
member: \${memberDn}
"

step_102_info() { echo "Add user"; }
step_102_options() { echo "<USER ID> <USER NAME> <USER LASTNAME> <UIDNUMBER> <USER EMAIL> [USER GID]"; }
step_102_alias() { echo "adduser"; }
step_102() {
  shift
  userId="$1"
  local userCn="$2 $3"
  local givenName="$2"
  local userSn="$3"
  local uidNumber="$4"
  local userMail="$5"
  local userGid=10000
  if [ ! -z $6 ] ; then
    userGid="$6"
  fi

  variable2Ldif add "$addUser"
  endReturn -o $? "Adding user failed"
}
userId=
addUser="dn: uid=\$userId,\$LDAP_OU_USERS,\$LDAP_DC 
cn: \$userCn
givenName: \$givenName
sn: \$userSn
uid: \$userId
uidNumber: \$uidNumber
gidNumber: \$userGid
homeDirectory: /home/\$userId
mail: \$userMail
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
"

step_103_info() { echo "(re)Set passwort for user"; }
step_103_options() { echo "<USER>"; }
step_103_alias() { echo "passwd"; }
step_103() {
  shift
  if [ -n "${1:-}" ] ; then
    echo " [I] Password operation for $1" 
    userId="$1"
  elif [ ! -z $userId ] ; then
    echo " [I] Password operation for $userId" 
  else
    error -e "No user id provided"
    return 1
  fi
  exe ldappasswd -H ldapi:/// -x -D "cn=admin,$LDAP_DC" -W -S "uid=$userId,$LDAP_OU_USERS,$LDAP_DC"
}

step_105_info() { echo "Adding user to existing group"; }
step_105_options() { echo "<USER ID> <GROUP NAME>"; }
step_105_alias() { echo "user2group"; }
step_105() {
  shift
  if [ -n "${1:-}" ] ; then
    userId="$1"
    echo " [I] User operation for $userId" 
  elif [ ! -z $userId ] ; then
    echo " [I] User operation for $userId" 
  else
    error -e "No user id provided"
    return 1
  fi
  if [ -z $2 ] ; then
    error -e "No group name provided"
    return 2
  fi
  local groupName="$2"

  variable2Ldif modify "$removeFromgroup"
  variable2Ldif modify "$add2group"
  endReturn -o $? "Adding user to group failed"
}
#remove empty member
add2group="dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
add: member
member: uid=\$userId,\$LDAP_OU_USERS,\$LDAP_DC

dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
delete: member
member:
"

step_107_info() { echo "Removing user from existing group"; }
step_107_options() { echo "<USER ID> <GROUP NAME>"; }
step_107_alias() { echo "rmusergroup"; }
step_107() {
  shift
  if [ -n "${1:-}" ] ; then
    userId="$1"
    echo " [I] User operation for $userId" 
  elif [ ! -z $userId ] ; then
    echo " [I] User operation for $userId" 
  else
    error -e "No user id provided"
    return 1
  fi
  if [ -z $2 ] ; then
    error -e "No group name provided"
    return 2
  fi
  local groupName="$2"

  variable2Ldif modify "$removeFromgroup"
}
# try to delete user entry first to ensure correct memberof status
# make sure an empty member entry exists
removeFromgroup="dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
add: member
member:

dn: cn=\$groupName,\$LDAP_OU_GROUPS,\$LDAP_DC
changetype: modify
delete: member
member: uid=\$userId,\$LDAP_OU_USERS,\$LDAP_DC
"

step_110_info() { echo "Remove group"; }
step_110_options() { echo "<GROUP NAME>"; }
step_110_alias() { echo "rmgroup"; }
step_110() {
  shift
  if [ -z $1 ] ; then
    error -e "No group name provided"
    return 1
  fi
  local groupName=$1
  variable2Ldif modify "$rmGroup"
}
rmGroup="dn: cn=\${groupName},\${LDAP_OU_GROUPS},\${LDAP_DC}
changetype: delete
"

step_112_info() { echo "Remove user"; }
step_112_options() { echo "<USER ID>"; }
step_112_alias() { echo "rmuser"; }
step_112() {
  shift
  if [ -z $1 ] ; then
    error -e "No user id provided"
    return 1
  fi
  local userName=$1
  variable2Ldif modify "$rmUser"
}
rmUser="dn: uid=\${userName},\${LDAP_OU_USERS},\${LDAP_DC}
changetype: delete
"

step_200_info() { echo "List available groups"; }
step_200_options() { echo "<ADDITONAL ATTRIBUTES...>"; }
step_200_alias() { echo "listgroups"; }
step_200() {
  shift
  echo " [I] Available groups:"
  exe ldapsearch -x -LLL -H ldap:/// -b ${LDAP_OU_GROUPS},${LDAP_DC} dn gidNumber $*
}

step_202_info() { echo "List available users"; }
step_200_options() { echo "<ADDITONAL ATTRIBUTES...>"; }
step_202_alias() { echo "listusers"; }
step_202() {
  shift
  echo " [I] Available user:"
  exe ldapsearch -x -LLL -H ldap:/// -b ${LDAP_OU_USERS},${LDAP_DC} dn uidNumber gidNumber $*
}


variable2Ldif() {
  local cmd="ldapmodify"
  local tempLdif=`eval "echo \"$2\""`
  case $1 in
    add)
      cmd="ldapadd"
      ;;
    delete)
      cmd="ldapdelete"
      ;;
  esac
  exep "echo \"$tempLdif\" | $cmd -x -D cn=admin,${LDAP_DC} -W"
}
variable2LdifEcho() {
  local tempLdif=`eval "echo \"$2\""`
  echo "$tempLdif"
}

# shellcheck disable=SC2034 # Appears unused
readonly sqr_minVersion=16
# shellcheck disable=SC1091 # Don't follow this source
. /usr/local/bin/sequencer.sh