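#!/bin/bash
#
# ldap          This shell script takes care of starting and stopping
#               ldap servers (slapd and slurpd).
#
# chkconfig: - 27 73
# description: LDAP stands for Lightweight Directory Access Protocol, used \
#              for implementing the industry standard directory services.
# processname: slapd
# config: /etc/openldap/slapd.conf
# pidfile: /var/run/slapd.pid

# Source function library (provides daemon, killproc, status, action, warning).
. /etc/init.d/functions

# Source networking configuration and check that networking is up.
if [ -r /etc/sysconfig/network ] ; then
  . /etc/sysconfig/network
  # Quoted so that an unset NETWORKING is a false test, not a syntax error.
  [ "${NETWORKING}" = "no" ] && exit 0
fi

# Source an auxiliary options file if we have one, and pick up OPTIONS,
# SLAPD_OPTIONS, SLURPD_OPTIONS, and maybe KRB5_KTNAME.
if [ -r /etc/sysconfig/ldap ] ; then
  . /etc/sysconfig/ldap
fi

slapd=/usr/sbin/slapd
slurpd=/usr/sbin/slurpd
slaptest=/usr/sbin/slaptest
# Paths used in several places below; kept in one spot so they stay in sync.
slapd_conf=/etc/openldap/slapd.conf
lockfile=/var/lock/subsys/ldap
# Nothing to manage when the binaries are missing; exit 0 is what chkconfig
# expects in that case.  NOTE(review): a missing slurpd disables the whole
# script even if no replication is configured -- confirm this is intended.
[ -x "${slapd}" ] || exit 0
[ -x "${slurpd}" ] || exit 0

RETVAL=0

#
# Pass commands given in $2 and later to "test" run as user given in $1.
# Returns the status of "test", or 1 when no user or no arguments were given.
#
function testasuser() {
  local user= cmd=
  user="$1"
  shift
  [ -n "$user" ] || return 1
  [ $# -gt 0 ] || return 1
  # Each argument is re-quoted with printf %q so that a file name containing
  # whitespace or shell metacharacters reaches the inner "test" as a single
  # word instead of being re-parsed (and possibly executed) by that shell.
  # %q emits bash syntax; names with control characters become $'...', which
  # a non-bash /bin/sh may not accept.
  cmd=$(printf '%q ' "$@")
  /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
}

#
# Check for read-access errors for the user given in $1 for a service named $2.
# Returns 0 ("there is a problem") when the keytab named by KRB5_KTNAME
# (default /etc/krb5.keytab) is non-empty, contains a "$2/..." key, and is not
# readable by $1.  If $3 is specified, that command is run in place of the
# klist check when "klist" can't be found; otherwise a missing klist means
# "no problem".
#
function checkkeytab() {
  local user= service= klist= default=
  user="$1"
  service="$2"
  default="${3:-false}"
  if test -x /usr/kerberos/bin/klist ; then
    klist=/usr/kerberos/bin/klist
  elif test -x /usr/bin/klist ; then
    klist=/usr/bin/klist
  fi
  KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
  # An empty or missing keytab cannot be the cause of a read-access problem.
  test -s "$KRB5_KTNAME" || return 1
  if test -z "$klist" ; then
    # No klist available: the caller-supplied fallback decides.
    $default
    return
  fi
  # Run the klist we located rather than whatever happens to be first in PATH.
  # $service is used as a grep pattern; callers pass a literal service name.
  # NOTE(review): only the last four keytab entries are inspected, as in the
  # original script -- confirm this is intended.
  if ! LANG=C "$klist" -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' \
      | grep -q -- "^$service/" ; then
    return 1
  fi
  # The keytab has a key for this service: it is a problem only if the
  # service user cannot read it.
  ! testasuser "$user" -r "$KRB5_KTNAME"
}

#
# Report simple-but-common configuration errors (files slapd must read that
# the "ldap" user cannot), then run slaptest.  Exits 1 when slaptest fails.
#
function configtest() {
  local user= ldapuid= dbdir= file= tlsconfigs= prog=
  # Check for simple-but-common errors.
  user=ldap
  ldapuid=$(id -u "$user")
  # configtest may be invoked on its own ("service ldap configtest"), so
  # $prog is set here instead of relying on start() having set it.
  prog=${slapd##*/}
  # Unaccessible database files.  Paths are read line by line so that a
  # directory or file name containing whitespace is kept intact.
  while IFS= read -r dbdir ; do
    [ -n "$dbdir" ] || continue
    while IFS= read -r file ; do
      echo -n $"$file is not owned by \"$user\"" ; warning ; echo
    done < <(find "${dbdir}/" -not -uid "$ldapuid" -and \
               \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" \))
  done < <(sed -n 's/^directory[[:space:]]*//p' "$slapd_conf")
  # Unaccessible keytab with an "ldap" key.
  if checkkeytab "$user" ldap ; then
    file=${KRB5_KTNAME:-/etc/krb5.keytab}
    echo -n $"$file is not readable by \"$user\"" ; warning ; echo
  fi
  # Unaccessible TLS configuration files.
  tlsconfigs=$(LANG=C grep -E \
    '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' \
    "$slapd_conf" | awk '{print $2}')
  while IFS= read -r file ; do
    [ -n "$file" ] || continue
    if ! testasuser "$user" -r "$file" ; then
      echo -n $"$file is not readable by \"$user\"" ; warning ; echo
    fi
  done <<<"$tlsconfigs"
  # Check the configuration file.
  action "Checking configuration files for $prog: " "$slaptest" || exit 1
}

#
# Start slapd, and slurpd when "replogfile" is configured.  Sets RETVAL and
# creates the subsys lock file on success.
#
function start() {
  local urls=
  configtest
  # Start daemons.
  user=ldap
  prog=${slapd##*/}
  echo -n $"Starting $prog: "
  # Also listen on ldaps:// when any TLS directive is present in slapd.conf.
  if grep -q ^TLS "$slapd_conf" ; then
    urls="ldap:/// ldaps:///"
  else
    urls="ldap:///"
  fi
  # $OPTIONS and $SLAPD_OPTIONS are deliberately unquoted: they come from
  # /etc/sysconfig/ldap as whitespace-separated option lists.
  # shellcheck disable=SC2086
  daemon "${slapd}" -u "${user}" -h "$urls" $OPTIONS $SLAPD_OPTIONS
  RETVAL=$?
  echo
  if [ $RETVAL -eq 0 ]; then
    if grep -q "^replogfile" "$slapd_conf"; then
      prog=${slurpd##*/}
      echo -n $"Starting $prog: "
      # shellcheck disable=SC2086
      daemon "${slurpd}" $OPTIONS $SLURPD_OPTIONS
      RETVAL=$?
      echo
    fi
  fi
  [ $RETVAL -eq 0 ] && touch "$lockfile"
  return $RETVAL
}

#
# Stop slapd, and slurpd when "replogfile" is configured.  Sets RETVAL and
# removes the subsys lock file and slapd.args on success.
#
function stop() {
  # Stop daemons.
  prog=${slapd##*/}
  echo -n $"Stopping $prog: "
  killproc "${slapd}"
  RETVAL=$?
  echo
  if [ $RETVAL -eq 0 ]; then
    if grep -q "^replogfile" "$slapd_conf"; then
      prog=${slurpd##*/}
      echo -n $"Stopping $prog: "
      killproc "${slurpd}"
      RETVAL=$?
      echo
    fi
  fi
  [ $RETVAL -eq 0 ] && rm -f "$lockfile" /var/run/slapd.args
  return $RETVAL
}

# See how we were called.
case "$1" in
  configtest)
    configtest
    ;;
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    # Propagate the slapd status so "service ldap status" exits non-zero
    # when the daemon is not running, instead of always exiting 0.
    status "${slapd}"
    RETVAL=$?
    if grep -q "^replogfile" "$slapd_conf" ; then
      status "${slurpd}"
    fi
    ;;
  restart)
    stop
    start
    ;;
  condrestart)
    if [ -f "$lockfile" ] ; then
      stop
      start
    fi
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|status|condrestart}"
    RETVAL=1
    ;;
esac
exit $RETVAL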