#!/bin/bash
#
# A simple script to add users and their group to ldap, as well as a kerberos principal.
#

set -eu

usage(){
    cat <<EOF
Usage:
         $(basename $0)  adduser  <uid>  <password>  [<given name>]  [<family name>]  [<group>]
         $(basename $0)  deluser  <uid>
         $(basename $0)  delhost  <hostname>
         $(basename $0)  ldapvi
         $(basename $0)  <file>

     <uid>:  User ID (login name)
     <password>:  Password
     <given name>, <family name>:  LDAP attributes 'givenName' and 'sn'.  If omitted, <uid> is used.
     <group>:  If given, the user is added to this posix group, which must already exist.
     <file>:  File containing lines of the form:

                   adduser <uid 1>  <password 1>  [<given name 1>]  [<family name 1>]
                   adduser <uid 2>  <password 2>  [<given name 2>]  [<family name 2>]
                   …
                   deluser <uid n>
                   deluser <uid n+1>
                   …
                           Every line is processed like a single call to the $(basename $0) program.
EOF
}

BASEDN="{{ basedn }}"
LDAPADMIN="cn=admin,$BASEDN"
ADPASSWD="$(cat {{ ldap_admin_pwd_file }})"

if [ $# -lt 2 ] ; then
    if [ $# = 0 ] ; then
        usage
        exit 1
    elif [ "$1" = ldapvi ] ; then
        exec ldapvi -m -h ldapi:/// -D "$LDAPADMIN"  -b "$BASEDN" -w "$ADPASSWD"
    elif [ -r "$1" ]; then
        ## recursively call this program:
        while read -r LINE ; do
            $0 $LINE
        done < "$1"
        ## reset cache after mass import/deletion:
        sss_cache -U -G
        exit 0
    else
        usage
        exit 1
    fi
elif [ $1 = adduser -a $# -lt 3 ] ; then
    echo "Error: Password missing."
    usage
    exit 1
fi

MINID={{ min_id }}
MAXID={{ max_id }}
HOMES="{{ lan_homes }}"

COMMAND="$1"
id="$2"
pw="${3:-""}"
gn="${4:-$2}"
sn="${5:-$2}"
grp="${6:-""}"

domain="$(hostname -d)"

if [ -x /usr/sbin/kadmin.local ] ; then
    KRB5=true
    pwEntry=""
else
    KRB5=false
    pwEntry="userPassword: $pw"
fi

#############


nextnum(){
    local num
    num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \
                        |  tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))"
    if [ $num -lt $MINID ] ; then
        echo $MINID
    else
        echo "$num"
    fi
}

add-user(){
    local id="$1"
    local pwEntry="$2"
    local gn="$3"
    local sn="$4"
    local uidNumber=$(nextnum uidNumber)
    local gidNumber=$(nextnum gidNumber)

    if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then
        echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}."
        exit 1
    fi

    cat <<EOF | ldapadd -H ldapi:/// -D "$LDAPADMIN"  -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ##############
dn: uid=${id},ou=people,$BASEDN
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: ${uidNumber}
gidNumber: ${gidNumber}
homeDirectory: ${HOMES}/${id:0:1}/${id}
loginShell: /bin/bash
cn: ${gn} ${sn}
givenName: ${gn}
sn: ${sn}
gecos: ${gn} ${sn}
${pwEntry}

dn: cn=${id},ou=groups,$BASEDN
objectClass: posixGroup
gidNumber: ${gidNumber}
##################################
EOF

    if [ -n "$grp" ] ; then
        cat <<EOF | ldapmodify -H ldapi:/// -D "$LDAPADMIN"  -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ##############
dn: cn=${grp},ou=groups,$BASEDN
add: memberUid
memberUid: ${id}
##################################
EOF
    fi

    if [ $KRB5 ] ; then
        kadmin.local -q "add_principal -policy default -pw \"$pw\" -x dn=\"uid=${id},ou=people,$BASEDN\" ${id}" \
            | sed '/Authenticating as principal/d'
        if [ ! -e "${HOMES}/${id:0:1}/${id}" ] ; then
            echo "uidNumber: ${uidNumber}  gidNumber: ${gidNumber}"
            mkdir -p ${HOMES}/${id:0:1}/
            cp -r /etc/skel ${HOMES}/${id:0:1}/${id}
            chown -R ${uidNumber}:${gidNumber} ${HOMES}/${id:0:1}/${id}
            #chmod -R o= ${HOMES}/${id:0:1}/${id}
            ls -nld ${HOMES}/${id:0:1}/${id}
        fi
    fi
}


del-user(){
    local id="$1"
    local KEEPDIR
    if [ $KRB5 ] ; then
        ## Remove all kerberos attributes from LDAP, then the whole DN below.  The latter should be sufficient.
        kadmin.local -q "delete_principal -force ${id}"  \
            |  sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
    fi

    ldapdelete -v -H ldapi:/// -D "$LDAPADMIN"  -w "$ADPASSWD" "uid=${id},ou=people,$BASEDN"  "cn=${id},ou=groups,$BASEDN" 2>&1 \
        | sed '/ldap_initialize/d'

    for grp in $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=groups,$BASEDN" "(&(objectClass=posixGroup)(memberUid=${id}))" cn 2>/dev/null \
                     | grep cn: | cut -d ' ' -f2) ; do
        cat <<EOF | ldapmodify -H ldapi:/// -D "$LDAPADMIN"  -w "$ADPASSWD" | sed '/^$/d'
############## LDIF ##############
dn: cn=${grp},ou=groups,$BASEDN
delete: memberUid
memberUid: ${id}
##################################
EOF
    done

    if [ -d ${HOMES}/${id:0:1}/${id} ] ; then
        KEEPDIR="${HOMES}/${id:0:1}/rm_$(date '+%Y%m%d')_${id}"
        mv ${HOMES}/${id:0:1}/${id} "${KEEPDIR}"
        chown -R root:root  "${KEEPDIR}"
        ls -ld "$KEEPDIR"
    fi
}


del-host(){
    local id="$1"
    if [ $KRB5 ] ; then
        ## Remove kerberos principals from LDAP.
        kadmin.local -q "delete_principal -force host/${id}.${domain}"  \
            |  sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
        kadmin.local -q "delete_principal -force nfs/${id}.${domain}"  \
            |  sed -e '/Authenticating as principal/d' -e '/Make sure that you have removed/d'
    fi
}

##############################
########### main #############
##############################

sss_cache -U -G  ## clear cache
case $COMMAND in
    adduser)
        add-user "${id}" "${pwEntry}" "${gn}" "${sn}"
        ;;
    deluser)
        del-user "${id}"
        ;;
    delhost)
        del-host "${id}"
        ;;
    *)
        usage
        ;;
esac