#!/bin/sh
# -*- coding: cyrillic-alternativnyj; -*-

# LDAP with PAM and NSS clients — set up on FreeBSD (the original comment was
# cp866 Russian that got mis-decoded; wording reconstructed from context).
# http://www.freebsd.org/cgi/url.cgi?ports/sysutils/cpu/pkg-descr
# (the create-root / start-root / stop-root commands used below are not
# defined in this file; presumably they come from the sysutils/cpu port above)

## Generate and self-sign the server certificate
openssl genrsa -out cert.key 1024
openssl req -batch -new -config openssl.cnf -key cert.key -out cert.csr
# :
openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt

## Server side (the slapd jail)
export SETSDIR=${HOME}/libdata/sets/freebsd
create-server () {
JAIL="$1"
su root -c "create-root ${JAIL}"
su root -c "start-root ${JAIL}"
su root -c "cp /etc/resolv.conf ${JAIL}/etc"
su root -c "chroot ${JAIL} /bin/sh -c 'ASSUME_ALWAYS_YES=1 pkg bootstrap'"
su root -c "chroot ${JAIL} /bin/sh -c 'pkg install -y openldap-server'"

su root -c "mkdir -p ${JAIL}/usr/local/etc/sslcert"
su root -c "cp -v cert.key cert.crt ${JAIL}/usr/local/etc/sslcert/"

# su root -c "cat ${JAIL}/usr/local/etc/openldap/slapd.conf" > slapd.conf
# ࠢ
su root -c "cat > ${JAIL}/usr/local/etc/openldap/slapd.conf" < slapd.conf

su root -c "echo slapd_enable=YES >> ${JAIL}/etc/rc.conf"
su root -c "chroot ${JAIL} /usr/local/etc/rc.d/slapd start"
su root -c "chroot ${JAIL} /usr/local/etc/rc.d/slapd stop"
su root -c "stop-root ${JAIL}"
}

start-server () {
JAIL="$1"
su root -c "start-root ${JAIL}"
su root -c "cp /etc/resolv.conf ${JAIL}/etc"
su root -c "chroot ${JAIL} /usr/local/etc/rc.d/slapd start"
}

stop-server () {
JAIL="$1"
su root -c "cp /etc/resolv.conf ${JAIL}/etc"
su root -c "chroot ${JAIL} /usr/local/etc/rc.d/slapd stop"
su root -c "stop-root ${JAIL}"
}

## Client side (the user jail: openldap-client, NSS and PAM)
###
create-client () {
JAIL="$1"
su root -c "create-root ${JAIL}"
su root -c "start-root ${JAIL}"
su root -c "cp /etc/resolv.conf ${JAIL}/etc"
su root -c "chroot ${JAIL} /bin/sh -c 'ASSUME_ALWAYS_YES=1 pkg bootstrap'"
su root -c "chroot ${JAIL} /bin/sh -c 'pkg install -y openldap-client'"

su root -c "mkdir -p ${JAIL}/usr/local/etc/sslcert"
su root -c "cp -v cert.crt ${JAIL}/usr/local/etc/sslcert/"

# ன  LDAP:
su root -c "cat > ${JAIL}/usr/local/etc/openldap/ldap.conf" <<EOF
BASE	dc=localhost
URI	ldap://localhost./
SSL	start_tls
tls_cacert	/usr/local/etc/sslcert/cert.crt

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
EOF

# ஢ઠ ன, ⪠ ᮥ:
su root -c "chroot ${JAIL} /usr/local/bin/ldapsearch -Z"

## :
su root -c "chroot ${JAIL} /usr/local/bin/ldapadd -vvvvv -D cn=Manager,dc=localhost -w secret -Z -f /dev/stdin" <<EOF
dn: dc=localhost
objectclass: dcObject
objectclass: organization
o: Total Organization
dc: localhost

dn: cn=Manager,dc=localhost
objectclass: organizationalRole
cn: Manager
EOF

su root -c "chroot ${JAIL} /usr/local/bin/ldapadd -vvvvv -D cn=Manager,dc=localhost -w secret -Z -f /dev/stdin" <<EOF
dn: ou=people,dc=localhost
objectClass: top
objectClass: organizationalUnit
ou: people
EOF

### ஢ઠ
su root -c "chroot ${JAIL} /usr/local/bin/ldapsearch -D cn=Manager,dc=localhost -w secret -Z -b dc=localhost '(objectClass=*)'"
###
# 㯯:
su root -c "chroot ${JAIL} /usr/local/bin/ldapadd -vvvvv -D cn=Manager,dc=localhost -w secret -Z -f /dev/stdin" <<EOF
dn: ou=groups,dc=localhost
objectClass: top
objectClass: organizationalUnit
ou: groups
EOF

# su root -c "chroot ${JAIL} /usr/local/bin/ldapdelete -vvvvv -D cn=Manager,dc=localhost -w secret -Z cn=testgroup,ou=groups,dc=localhost"

#  㯯  ஢ન:
su root -c "chroot ${JAIL} /usr/local/bin/ldapadd -vvvvv -D cn=Manager,dc=localhost -w secret -Z -f /dev/stdin" <<EOF
dn: cn=testgroup,ou=groups,dc=localhost
objectClass: posixGroup
objectclass: top
gidNumber: 10000
cn: testgroup
EOF

#  짮⥫  ஢ન:
su root -c "chroot ${JAIL} /usr/local/bin/ldapadd -vvvvv -D cn=Manager,dc=localhost -w secret -Z -f /dev/stdin" <<EOF
dn: uid=testuser,ou=people,dc=localhost
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
sn: required but unclear
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/test
loginShell: /bin/sh
uid: testuser
cn: testuser
EOF

### NSS
su root -c "chroot ${JAIL} /bin/sh -c 'pkg install -y nss_ldap'"

# su root -c "cat ${JAIL}/usr/local/etc/nss_ldap.conf" > nss_ldap.conf
# ࠢ
su root -c "cat > ${JAIL}/usr/local/etc/nss_ldap.conf" < nss_ldap.conf
su root -c "echo secret > ${JAIL}/usr/local/etc/nss_ldap.secret"

# su root -c "cat ${JAIL}/etc/nsswitch.conf" > nsswitch.conf
# ...
su root -c "cat > ${JAIL}/etc/nsswitch.conf" < nsswitch.conf

su root -c "chroot ${JAIL} /bin/sh -c 'id testuser'"
### PAM
su root -c "chroot ${JAIL} /bin/sh -c 'pkg install -y pam_ldap'"

# mkdir -p pam.d

# cat ${JAIL}/etc/pam.d/system > pam.d/system
# ࠢ
su root -c "cat > ${JAIL}/etc/pam.d/system" < pam.d/system

# cat ${JAIL}/etc/pam.d/sshd > pam.d/sshd
# ࠢ
su root -c "cat > ${JAIL}/etc/pam.d/sshd" < pam.d/sshd

# cat ${JAIL}/usr/local/etc/ldap.conf.dist > ldap.conf
# ࠢ
su root -c "cat > ${JAIL}/usr/local/etc/ldap.conf" < pam--ldap.conf
su root -c "echo secret > ${JAIL}/usr/local/etc/ldap.secret"

# set password:
su root -c "chroot ${JAIL} /usr/local/bin/ldapdelete -vvvvv -D cn=Manager,dc=localhost -w secret -Z uid=testuser,ou=people,dc=localhost"
su root -c "chroot ${JAIL} /usr/local/bin/ldapadd -vvvvv -D cn=Manager,dc=localhost -w secret -Z -f /dev/stdin" < user+pass.ldif

su root -c "stop-root ${JAIL}"
}

start-client () {
JAIL="$1"
su root -c "start-root ${JAIL}"
su root -c "cp /etc/resolv.conf ${JAIL}/etc"
}

stop-client () {
JAIL="$1"
su root -c "stop-root ${JAIL}"
}

server=/usr/jail/ldap-serv
client=/usr/jail/ldap-clnt

create-server ${server}
start-server ${server}

create-client ${client}
start-client ${client}

su root -c "chroot ${client} /usr/bin/login testuser"

stop-client ${client}
stop-server ${server}
