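#!/bin/bash
# Point the PARSEC mandatory-access-control subsystem at a FreeIPA server.
#
# Rewrites /etc/parsec/mldap.conf and /etc/parsec/mswitch.conf (keeping a
# "beforeipa_<name>" copy of any existing file), appends the sssd and
# custodia services to privsock.conf when they are not listed yet, and
# makes all three files world-readable.
#
# Usage: <script> <ipa-server-fqdn>
#   The Kerberos realm is the FQDN minus its first label
#   (ipa.example.com -> example.com) and the LDAP suffix is derived from
#   the realm (example.com -> dc=example,dc=com).
set -euo pipefail

readonly P_DIR="/etc/parsec"

die() { printf '%s\n' "$*" >&2; exit 1; }

SERVER=${1:-}
# The server name is interpolated into the generated config files, so accept
# only hostname characters: this rejects an empty argument as well as
# whitespace and newlines (which would otherwise become extra config lines),
# and requires a dotted name so the realm derivation has something to strip.
[[ -n "$SERVER" ]] || die "usage: ${0##*/} <ipa-server-fqdn>"
[[ "$SERVER" =~ ^[A-Za-z0-9.-]+$ && "$SERVER" == *.* ]] \
  || die "invalid server name: $SERVER (expected a fully qualified hostname)"
REALM=${SERVER#*.}              # drop the first label
SUFFIX="dc=${REALM//./,dc=}"    # each remaining label becomes a dc= RDN
readonly SERVER REALM SUFFIX

#######################################
# Keep a copy of an existing config file as beforeipa_<name>.
# A previous backup of the same name is overwritten.
# Arguments: $1 - file name relative to P_DIR
#######################################
backup() {
  local name=$1
  if [[ -f "$P_DIR/$name" ]]; then
    cp -- "$P_DIR/$name" "$P_DIR/beforeipa_$name"
  fi
}

backup mldap.conf
cat << EOT > "$P_DIR/mldap.conf"
#
# $P_DIR/mldap.conf
#
# This is the configuration file for the LDAP
#

# Specify your LDAP server
host $SERVER
port 389

# LDAP connection timeout (in seconds)
timeout 10

# Kerberos realm
krb_realm $REALM

# Authentification type (for user MAC attrs). Possible values:
#	simple	- for anonymous bind to LDAP (only for debug)
#	krb	- for Kerberos authentication.
# Bind to MAC level and MAC categoriy databases is always anonymous.
# Examples:
# auth_type simple
# auth_type krb
auth_type krb

# Base for mandate information services
nss_base_mac		cn=users,cn=accounts,$SUFFIX
nss_base_mic		cn=users,cn=accounts,$SUFFIX
nss_base_capabilities	cn=users,cn=accounts,$SUFFIX
nss_base_audit		cn=audit-policies,cn=parsec-configs,cn=etc,$SUFFIX
nss_base_mac_levels	cn=mac-levels,cn=mac-services,cn=parsec-configs,cn=etc,$SUFFIX
nss_base_mac_categories	cn=mac-categories,cn=mac-services,cn=parsec-configs,cn=etc,$SUFFIX
EOT

backup mswitch.conf
cat << EOT > "$P_DIR/mswitch.conf"
# $P_DIR/mswitch.conf 2019-08-01 FreeIPA version
#
# Config file to set sources of user mandate information.
# It has format like glibc's /etc/nsswitch.conf file.
#
# Legal entries:
#       sssd    - use SSSD service;
#       files   - use local files;
#       ald     - use ALD backend;
#

# The range of mandate rights allowed to user.
mac: sssd
mac_charset: utf-8

# The linux and mandate capabilities allowed to user.
capabilities: sssd
capabilities_charset: utf-8

# The audit settings for user.
audit: sssd
audit_charset: utf-8

# The text names of mandate levels (like "not secret", "secret", "top secret" etc.).
mac_levels: sssd
mac_levels_charset: utf-8

# The text names of mandate categories (like "tanks", "planes", "submarines" etc.).
mac_categories: sssd
mac_categories_charset: utf-8

# The mandate integrity level allowed to user.
mic: sssd
mic_charset: utf-8

# Return zero data instead of ENOENT/ENODATA in the absence of record
zero_if_notfound: no
EOT

# privsock.conf is never overwritten, only appended to.
# grep flags: -F matches the path literally, -x requires a whole-line match
# (so a commented-out or longer entry does not count as "already present"),
# -s treats a missing file as "not present" instead of printing an error.
backup privsock.conf
for srv in /usr/sbin/sssd /usr/sbin/custodia; do
  if ! grep -qsFx -- "$srv" "$P_DIR/privsock.conf"; then
    printf '#ipa\n%s\n' "$srv" >> "$P_DIR/privsock.conf"
  fi
done

# The files carry no secrets; they must be readable by every NSS client.
chmod 644 "$P_DIR/mldap.conf" "$P_DIR/mswitch.conf" "$P_DIR/privsock.conf"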
