#!/bin/sh

set -e

CONFFILE="/etc/nslcd.conf"

# set an option in the configuration file to the specified value
cfg_set()
{
  parameter="$1"
  value="$2"
  # check if the parameter is defined
  line=`sed -n '/^'"$parameter"'[[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)[[:space:]]/d;/^'"$parameter"'[[:space:]]/p' "$CONFFILE" | head -n 1`
  if [ -z "$line" ]
  then
    # check if the parameter is commented out
    line=`sed -n '/^#'"$parameter"'[[:space:]]*[aeghnprs][acedgihklopsrutwv]*[[:space:]]/d;/^#'"$parameter"'[[:space:]]/p' "$CONFFILE" | head -n 1`
  fi
  # decide what to do
  if [ -z "$line" ]
  then
    # just append a new line
    echo "$parameter $value" >> $CONFFILE
  else
    # escape line to replace
    replace=`echo "$line" | sed 's#\\\#\\\\\\\#g;s#\([.*+?^$|]\)#\\\\\1#g'`
    # escape value (parameter doesn't have any special stuff)
    value=`echo "$value" | sed 's#\\\#\\\\\\\#g;s#|#\\\|#g;s#&#\\\&#g'`
    # replace the first occurrence of the line
    sed -i '1,\|^'"$replace"'$| s|^'"$replace"'$|'"$parameter"' '"$value"'|i' "$CONFFILE"
  fi
  # we're done
  return 0
}

# disable options in the configuration file by commenting them out
cfg_disable()
{
  for parameter in $@
  do
    # handle bindpw option specially by removing value from config first
    if [ "$parameter" = "bindpw" ] && grep -i -q "^bindpw " $CONFFILE
    then
      cfg_set bindpw "*removed*"
    fi
    # make matching of spaces better in parameter
    param_re=`echo "$parameter" | sed 's#^#[[:space:]]*#;s#[[:space:]][[:space:]]*#[[:space:]][[:space:]]*#g'`
    # lines to not match
    nomatch_re="^$param_re[[:space:]][[:space:]]*\(aliases\|ethers\|group\|hosts\|netgroup\|networks\|passwd\|protocols\|rpc\|services\|shadow\)"
    # comment out the option
    sed -i '/'"$nomatch_re"'/!s/^'"$param_re"'[[:space:]].*$/#&/i' "$CONFFILE"
    # we're done
  done
  return 0
}

# set the list of uris
cfg_uris()
{
  uris="$1"
  # escape all uri directives
  sed -i 's/^uri /_uri_ /i' $CONFFILE
  # set the uri options
  echo "$uris" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]][[:space:]]*/\n/g' | while read uri
  do
    if grep -qi '^_uri_ ' $CONFFILE
    then
      # escape uri for use in regexp replacement
      uri=`echo "$uri" | sed 's#\\\#\\\\\\\#g;s#|#\\\|#g;s#&#\\\&#g'`
      # replace the first occurrence of _uri_
      sed -i '1,/^_uri_ / s|^_uri_ .*$|uri '"$uri"'|i' "$CONFFILE"
    else
      # append new uri
      echo "uri $uri" >> $CONFFILE
    fi
  done
  # comment out the remaining escaped uris
  sed -i 's/^_uri_ /#uri /' $CONFFILE
}

# create a default configuration file if nothing exists yet
create_config()
{
  if [ ! -e "$CONFFILE" ]
  then
    # create a simple configuration file from this template
    cat > "$CONFFILE" << EOM
# $CONFFILE
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost/

# The search base that will be used for all queries.
base dc=example,dc=net

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub

EOM
    # fix permissions
    chmod 640 "$CONFFILE"
    chown root:nslcd "$CONFFILE"
  fi
  # we're done
  return 0
}

# update a configuration parameter, based on the debconf key
update_config()
{
  debconf_param="$1"
  cfg_param="$2"
  # update configuration option based on debconf value
  db_get "$debconf_param"
  if [ -n "$RET" ]
  then
    cfg_set "$cfg_param" "$RET"
  else
    cfg_disable "$cfg_param"
  fi
}

# real functions begin here
if [ "$1" = "configure" ]
then
  # get configuration data from debconf
  . /usr/share/debconf/confmodule
  # check if the nslcd user exists
  if getent passwd nslcd >/dev/null
  then
    :
  else
    # create nslcd user and group
    adduser --system --group --home /var/run/nslcd/ \
            --gecos "nslcd name service LDAP connection daemon" \
            --no-create-home \
            nslcd
    # add uid/gid options to the config file if it exists
    # (this is when we're upgrading)
    if [ -f "$CONFFILE" ]
    then
      echo "Adding uid and gid options to $CONFFILE..." >&2
      echo "# automatically added on upgrade of nslcd package" >> "$CONFFILE"
      cfg_set uid nslcd
      cfg_set gid nslcd
    fi
  fi
  # create a default configuration
  create_config
  # rename tls_checkpeer to tls_reqcert
  if grep -qi '^tls_checkpeer[[:space:]]' $CONFFILE
  then
    echo "Renaming tls_checkpeer to tls_reqcert in $CONFFILE..." >&2
    sed -i 's/^tls_checkpeer[[:space:]]/tls_reqcert /' "$CONFFILE"
  fi
  # rename reconnect_maxsleeptime to reconnect_retrytime
  if grep -qi '^reconnect_maxsleeptime[[:space:]]' $CONFFILE
  then
    echo "Renaming reconnect_maxsleeptime to reconnect_retrytime in $CONFFILE..." >&2
    sed -i 's/^reconnect_maxsleeptime[[:space:]]/reconnect_retrytime /' "$CONFFILE"
  fi
  # comment out mapping of uniqueMember to member which is now used by default
  if grep -qi '^map[[:space:]]*group[[:space:]]*uniqueMember[[:space:]]*member[[:space:]]*$' $CONFFILE
  then
    echo "Commenting out uniqueMember mapping due to rename in $CONFFILE..." >&2
    sed -i '/^map[[:space:]]*group[[:space:]]*uniqueMember[[:space:]]*member[[:space:]]*$/i \
#off# automatically commented out next line because this is now the default
s/^map[[:space:]]*group[[:space:]]*uniqueMember[[:space:]]*member[[:space:]]*$/#off# &/' "$CONFFILE"
  fi
  # set server uri
  db_get nslcd/ldap-uris
  cfg_uris "$RET"
  # update some options
  update_config nslcd/ldap-base base
  db_get nslcd/ldap-auth-type
  authtype="$RET"
  case "$authtype" in
  simple)
    update_config nslcd/ldap-binddn binddn
    update_config nslcd/ldap-bindpw bindpw
    cfg_disable sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
    ;;
  SASL)
    update_config nslcd/ldap-sasl-mech sasl_mech
    update_config nslcd/ldap-sasl-realm sasl_realm
    # RFC4313 if SASL, binddn should be disabled
    cfg_disable binddn
    db_get nslcd/ldap-sasl-mech
    saslmech="$RET"
    case "$saslmech" in
    GSSAPI)
      update_config nslcd/ldap-sasl-krb5-ccname krb5_ccname
      cfg_disable sasl_authcid
      ;;
    *)
      update_config nslcd/ldap-sasl-authcid sasl_authcid
      update_config nslcd/ldap-bindpw bindpw
      cfg_disable krb5_ccname
      ;;
    esac
    update_config nslcd/ldap-sasl-authzid sasl_authzid
    update_config nslcd/ldap-sasl-secprops sasl_secprops
    ;;
  none)
    cfg_disable binddn bindpw
    cfg_disable sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname
  esac
  update_config nslcd/ldap-reqcert tls_reqcert
  # remove password from database
  db_set nslcd/ldap-bindpw ""
  # set ssl option
  db_get nslcd/ldap-starttls
  if [ "$RET" = "true" ]
  then
    cfg_set ssl "start_tls"
  elif grep -qi '^ssl[[:space:]]*start_*tls' $CONFFILE
  then
    cfg_disable ssl
  fi
  # we're done
  db_stop
fi

#DEBHELPER#

exit 0