#!/bin/bash
#
# A simple script to add users and their group to ldap, as well as a kerberos principal.
#

set -eu

usage(){
    cat <<EOF
Usage:
         $(basename $0)  adduser  <uid>  <password>  [<cn>] [<sn>]
         $(basename $0)  deluser  <uid>
         $(basename $0)  delhost  <hostname>
         $(basename $0)  ldapvi

     <uid>:        User ID (login name)
     <password>:   Password
     <cn>, <sn>:   LDAP attributes, if omitted, <uid> is used.

EOF
}

#sss_cache -U -G  ## should not be necessary

BASEDN="{{ basedn }}"
LDAPADMIN="cn=admin,$BASEDN"
ADPASSWD="$(cat {{ ldap_admin_pwd_file }})"

if [ $# -lt 2 ] ; then
    if [ "$1" = ldapvi ] ; then
        exec ldapvi -h ldapi:/// -D "$LDAPADMIN"  -b "$BASEDN" -w "$ADPASSWD"
    else
        usage
        exit 1
    fi
elif [ $1 = adduser -a $# -lt 3 ] ; then
    echo "Error: Password missing."
    usage
    exit 1
fi

MINID=10000
MAXID=20000
HOMES="{{ lan_homes }}"

COMMAND="$1"
id="$2"
pw="${3:-""}"
cn="${4:-$2}"
sn="${5:-$2}"
domain="$(hostname -d)"

if [ -x /usr/sbin/kadmin.local ] ; then
    KRB5=true
    pwEntry=""
else
    KRB5=false
    pwEntry="userPassword: $pw"
fi

#############


nextnum(){
    local num
    num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \
                        |  tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))"
    if [ $num -lt $MINID ] ; then
        echo $MINID
    else
        echo "$num"
    fi
}

add-user(){
    uidNumber=$(nextnum uidNumber)
    gidNumber=$(nextnum gidNumber)

    if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
        echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
        exit 1
    fi

    cat <<EOF | ldapadd -H ldapi:/// -D "$LDAPADMIN"  -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ##############
dn: uid=${id},ou=people,$BASEDN
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: ${uidNumber}
gidNumber: ${gidNumber}
homeDirectory: ${HOMES}/${id}
loginShell: /bin/bash
cn: ${cn}
sn: ${sn}
${pwEntry}

dn: cn=${id},ou=groups,$BASEDN
objectClass: posixGroup
gidNumber: ${gidNumber}
##################################
EOF

    echo "uidNumber: ${uidNumber}  gidNumber: ${gidNumber}"

    if [ $KRB5 ] ; then
        kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \
            | sed '/Authenticating as principal/d'
        cp -r /etc/skel ${HOMES}/${id}
        chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id}
        ls -nld ${HOMES}/${id}
    fi
}


del-user(){
    local KEEPDIR
    if [ $KRB5 ] ; then
        ## Remove all kerberos attributes from LDAP, then the whole DN below.  The latter should be sufficient.
        kadmin.local -q "delete_principal -force ${id}"  \
            |  sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
    fi

    ldapdelete -v -H ldapi:/// -D "$LDAPADMIN"  -w "$ADPASSWD" "uid=${id},ou=people,$BASEDN"  "cn=${id},ou=groups,$BASEDN" 2>&1 \
        | sed '/ldap_initialize/d'

    if [ -d ${HOMES}/${id} ] ; then
        KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${id}"
        mv ${HOMES}/${id} "${KEEPDIR}"
        chown -R root:root  "${KEEPDIR}"
        ls -ld "$KEEPDIR"
    fi
}


del-host(){
    if [ $KRB5 ] ; then
        ## Remove kerberos principals from LDAP.
        kadmin.local -q "delete_principal -force host/${id}.${domain}"  \
            |  sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
        kadmin.local -q "delete_principal -force nfs/${id}.${domain}"  \
            |  sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
    fi
}

##############################
########### main #############
##############################

case $COMMAND in
    adduser)
        add-user
        ;;
    deluser)
        del-user
        ;;
    delhost)
        del-host
        ;;
    *)
        usage
        ;;
esac