#!/bin/bash

#

# slapd	This shell script takes care of starting and stopping

#	ldap servers (slapd).

#

# chkconfig: - 27 73

# description: LDAP stands for Lightweight Directory Access Protocol, used \

#              for implementing the industry standard directory services.

# processname: slapd

# config: /etc/openldap/slapd.conf

# pidfile: /var/run/slapd.pid

### BEGIN INIT INFO

# Provides: slapd

# Required-Start: $network $local_fs

# Required-Stop: $network $local_fs 

# Should-Start: 

# Should-Stop: 

# Default-Start: 

# Default-Stop: 

# Short-Description: starts and stopd OpenLDAP server daemon

# Description: LDAP stands for Lightweight Directory Access Protocol, used

#              for implementing the industry standard directory services.

### END INIT INFO

# Source function library.

. /etc/init.d/functions

# Define default values of options allowed in /etc/sysconfig/ldap

SLAPD_LDAP="yes"

SLAPD_LDAPI="no"

SLAPD_LDAPS="no"

SLAPD_URLS=""

SLAPD_SHUTDOWN_TIMEOUT=3

# OPTIONS, SLAPD_OPTIONS and KTB5_KTNAME are not defined

# Source an auxiliary options file if we have one

if [ -r /etc/sysconfig/ldap ] ; then

	. /etc/sysconfig/ldap

fi

slapd=/usr/sbin/slapd

slaptest=/usr/sbin/slaptest

lockfile=/var/lock/subsys/slapd

configdir=/etc/openldap/slapd.d/

configfile=/etc/openldap/slapd.conf

pidfile=/var/run/slapd.pid

slapd_pidfile=/var/run/openldap/slapd.pid

RETVAL=0

#

# Pass commands given in $2 and later to "test" run as user given in $1.

#

function testasuser() {

    local user= cmd=

    user="$1"

    shift

    cmd="$@"

    if test x"$user" != x ; then

	if test x"$cmd" != x ; then

	    /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"

	else

	    false

	fi

    else

	false

    fi

}

#

# Check for read-access errors for the user given in $1 for a service named $2.

# If $3 is specified, the command is run if "klist" can't be found.

#

function checkkeytab() {

    local user= service= klist= default=

    user="$1"

    service="$2"

    default="${3:-false}"

    if test -x /usr/kerberos/bin/klist ; then

	klist=/usr/kerberos/bin/klist

    elif test -x /usr/bin/klist ; then

	klist=/usr/bin/klist

    fi

    KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"

    export KRB5_KTNAME

    if test -s "$KRB5_KTNAME" ; then

	if test x"$klist" != x ; then

	    if LANG=C $klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then

		if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then

		    true

		else

		    false

		fi

	    else

		false

	    fi

	else

	    $default

	fi

    else

	false

    fi

}

function configtest() {

	local user= ldapuid= dbdir= file=

	# Check for simple-but-common errors.

	user=ldap

	prog=`basename ${slapd}`

	ldapuid=`id -u $user`

	# Unaccessible database files.

	slaptestflags=""

	dbdirs=""

    if [ -d $configdir ]; then

	    for configfile in `ls -1 $configdir/cn\=config/olcDatabase*.ldif`; do

		    dbdirs=$dbdirs"

		    "`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`

	    done

    elif [ -f $configfile ]; then

		    dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,'`

    else

        exit 6

    fi

	for dbdir in $dbdirs; do

		if [ ! -d $dbdir ]; then

			exit 6

		fi

		for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do

			echo -n $"$file is not owned by \"$user\"" ; warning ; echo

		done

		if ! test -s ${dbdir}/id2entry.dbb ; then

			if ! test -s ${dbdir}/id2entry.gdbm ; then

				if ! test -s ${dbdir}/id2entry.bdb ; then

					slaptestflags="-u"

				fi

			fi

		fi

	done

	# Unaccessible keytab with an "ldap" key.

	if checkkeytab $user ldap ; then

		file=${KRB5_KTNAME:-/etc/krb5.keytab}

		echo -n $"$file is not readable by \"$user\"" ; warning ; echo

	fi

	# Unaccessible TLS configuration files.

    if [ -d $configdir ]; then

		tlsconfigs=`LANG=C awk '/^olcTLS/ {

				while (/^olcTLS/) {

					if (/^olc(TLSCertificateKeyFile|TLSCertificateFile|TLSCACertificateFile)[ \t]*:[\t]*/) {

						do { printf gensub(/^ /,"",1); getline } while (/^ /)

						printf "\n" ;

					}

					else break; 

				}

			}' $configdir/cn\=config.ldif | awk '{print $2}'`

    elif [ -f $configfile ]; then

	    tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]+' $configfile | awk '{print $2}'`

    fi

	for file in $tlsconfigs ; do

		if ! testasuser $user -r $file ; then

			echo -n $"$file is not readable by \"$user\"" ; warning ; echo

		fi

	done

	# Check the configuration file.

	slaptestout=`/sbin/runuser -m -s "$slaptest" -- "$user" $slaptestflags 2>&1`

	slaptestexit=$?

#	slaptestout=`echo $slaptestout 2>/dev/null | grep -v "config file testing succeeded"`

	# print warning if slaptest passed but reports some problems

	if test $slaptestexit == 0 ; then

		if echo "$slaptestout" | grep -v "config file testing succeeded" >/dev/null ; then

			echo -n $"Checking configuration files for $prog: " ; warning ; echo

			echo "$slaptestout"

		fi

	fi

	# report error if configuration file is wrong

	if test $slaptestexit != 0 ; then

		echo -n $"Checking configuration files for $prog: " ; failure ; echo

		echo "$slaptestout"

		if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then

			#dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`

			for directory in $dbdirs ; do

				if test -r $directory/__db.001 ; then

					echo -n $"stale lock files may be present in $directory" ; warning ; echo

				fi

			done

		fi

		exit 6

	fi

}

function start() {

	[ -x $slapd ] || exit 5

	[ `id -u` -eq 0 ] || exit 4

	configtest

	# Define a couple of local variables which we'll need. Maybe.

	user=ldap

	prog=`basename ${slapd}`

	harg="$SLAPD_URLS"

	if test x$SLAPD_LDAP = xyes ; then

	    harg="$harg ldap:///"

	fi

	if test x$SLAPD_LDAPS = xyes ; then

	    harg="$harg ldaps:///"

	fi

	if test x$SLAPD_LDAPI = xyes ; then

	    harg="$harg ldapi:///"

	fi

	# Start daemons.

	echo -n $"Starting $prog: "

	daemon --pidfile=$pidfile --check=$prog ${slapd} -h "\"$harg\"" -u ${user} $OPTIONS $SLAPD_OPTIONS 

	RETVAL=$?

	if [ $RETVAL -eq 0 ]; then

		touch $lockfile

		ln $slapd_pidfile $pidfile

	fi

	echo

	return $RETVAL

}

function stop() {

	# Stop daemons.

	prog=`basename ${slapd}`

	[ `id -u` -eq 0 ] || exit 4

	echo -n $"Stopping $prog: "

	# This will remove pid and args files from /var/run/openldap

	killproc -p $slapd_pidfile -d $SLAPD_SHUTDOWN_TIMEOUT ${slapd}

	RETVAL=$?

	# Now we want to remove lock file and hardlink of pid file

	[ $RETVAL -eq 0 ] && rm -f $pidfile $lockfile

	echo

	return $RETVAL

}

# See how we were called.

case "$1" in

    configtest)

	configtest

	;;

    start)

	start

	RETVAL=$?

	;;

    stop)

	stop

	RETVAL=$?

	;;

    status)

	status -p $pidfile ${slapd}

	RETVAL=$?

	;;

    restart|force-reload)

	stop

	start

	RETVAL=$?

	;;

    condrestart|try-restart)

	status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0

	stop

	start

	;;

    usage)

	echo $"Usage: $0 {start|stop|restart|status|condrestart|configtest|usage}"

	RETVAL=0

	;;

    *)

	echo $"Usage: $0 {start|stop|restart|status|condrestart|configtest|usage}"

	RETVAL=3

esac

exit $RETVAL