#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc tries to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09
#
# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
# Date:   2022-01-06

###
### FIXME: Legacy init script for Debian Edu clients.
###
###        --- Remove for Debian Edu bookworm+1 ---
###
###        Warning: Removing this script will drop support for clients running
###        against Debian Edu main servers based on Debian Edu stretch and
###        earlier.
###

# Abort on the first unhandled failing command; steps that may legitimately
# fail are handled explicitly inside do_start.
set -e

# LSB helpers (log_action_begin_msg / log_action_end_msg) used by do_start.
. /lib/lsb/init-functions

# Where the LDAP server's certificate is installed; the same path is what
# /etc/nslcd.conf is checked for before anything is fetched.
CERTFILE=/etc/ssl/certs/debian-edu-server.crt

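#######################################
# Fetch the LDAP server's TLS certificate into CERTFILE (phase 1) and copy
# it into any LTSP chroot under /opt/ltsp whose nslcd.conf references it
# (phase 2).
#
# The certificate is taken as presented by the server at fetch time and
# installed as the trust anchor nslcd will use; this script performs no
# verification of its own (trust on first use), so any check would have to
# live in ldap-server-getcert.
#
# Globals:
#   CERTFILE   (read)  destination path of the server certificate
#   ROOTCACRT  (read)  not set anywhere in this script; honoured only if the
#                      environment provides it -- TODO confirm it is still used
#   VERBOSE    (read)  "no" suppresses progress messages on the console
#   ERROR      (written) "true" once any step has failed
# Outputs:
#   Progress via log_action_*_msg; a summary line to syslog via logger.
# Returns:
#   0 on success; 1 if the LDAP server could not be located, the certificate
#   could not be fetched, or a copy into a chroot failed.
#######################################
do_start() {

	# Locate the LDAP server.  A non-zero exit from debian-edu-ldapserver is
	# treated like an empty answer so that 'set -e' does not abort before the
	# failure is logged below.
	LDAPSERVER=$(debian-edu-ldapserver) || LDAPSERVER=
	ERROR=false
	need_fetch=false

	###
	### PHASE 1: LDAP server cert retrieval
	###

	# A fetch is needed when the server cert is missing, or when a root CA
	# path is configured and that file is missing.  ROOTCACRT used to be
	# tested unquoted while unset, which made that test a no-op; it is now
	# only consulted when non-empty, which keeps the previous behaviour.
	if [ ! -f "$CERTFILE" ]; then
		need_fetch=true
	elif [ -n "$ROOTCACRT" ] && [ ! -f "$ROOTCACRT" ]; then
		need_fetch=true
	fi

	if [ "$need_fetch" = true ] && [ -f /etc/nslcd.conf ] &&
	    grep -q -F -- "$CERTFILE" /etc/nslcd.conf ; then

		# LDAP server host not known/found, bailing out...
		if [ -z "$LDAPSERVER" ] ; then
			msg="Failed to locate LDAP server"
			log_action_begin_msg "$msg"
			log_action_end_msg 1
			logger -t fetch-ldap-cert "$msg."
			return 1
		fi

		if [ "$VERBOSE" != no ]; then
			log_action_begin_msg "Fetching LDAP SSL certificate."
		fi

		# Fetch the certificate from the Debian Edu main server (the LDAP
		# server) into a staging file, so a failed or partial download never
		# replaces an existing CERTFILE.  The tool's exit status is recorded
		# instead of aborting under 'set -e', so the staging file is always
		# cleaned up on failure.
		fetch_rc=0
		/usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" \
		    > "$CERTFILE.new" || fetch_rc=$?

		if [ "$fetch_rc" -eq 0 ] && [ -s "$CERTFILE.new" ]; then
			# The certificate is public; make it world-readable before
			# moving it into place.
			chmod 644 "$CERTFILE.new"
			mv -- "$CERTFILE.new" "$CERTFILE"
			if [ "$VERBOSE" != no ]; then
				log_action_end_msg 0
			fi
			logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
		else
			# A failed tool run or an empty (zero size) staging file means no
			# usable certificate was obtained.
			rm -f -- "$CERTFILE.new"
			log_action_end_msg 1
			logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
			ERROR=true
		fi

	fi

	###
	### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
	###

	if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then

		# Loop over the LTSP chroots.  A glob avoids word-splitting the output
		# of find; an unmatched pattern or a non-directory entry fails the
		# -d test below and is skipped.
		for ltsp_chroot in /opt/ltsp/*; do

			if [ ! -d "$ltsp_chroot/etc/ssl/certs/" ]; then
				# likely not a chroot dir, skipping...
				continue
			fi

			# Only install the CERTFILE into this chroot, if not already present...
			if [ ! -f "$ltsp_chroot$CERTFILE" ] && [ -f "$ltsp_chroot/etc/nslcd.conf" ] &&
			    grep -q -F -- "$CERTFILE" "$ltsp_chroot/etc/nslcd.conf" ; then

				# Copy the obtained CERTFILE (the LDAP server's certificate) into
				# the LTSP chroot.  The begin message follows the VERBOSE
				# convention used in phase 1; a stray '[ "$VERBOSE" != no ] &&'
				# in front of the copy used to skip it entirely when VERBOSE=no.
				if [ "$VERBOSE" != no ]; then
					log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
				fi
				if [ -s "$CERTFILE" ] && cp -- "$CERTFILE" "$ltsp_chroot$CERTFILE"; then
					if [ "$VERBOSE" != no ]; then
						log_action_end_msg 0
					fi
				else
					# CERTFILE is missing/empty or the copy failed.
					log_action_end_msg 1
					ERROR=true
				fi
			fi

		done
	fi

	if [ "$ERROR" = "true" ]; then
		return 1
	fi
	return 0
}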

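# Init script entry point.  Only "start" does any work; stop/restart are
# no-ops because there is nothing to tear down.  Under 'set -e' a failing
# do_start terminates the script with its non-zero status before the final
# 'exit 0' is reached.
case "$1" in
	start)
		do_start
		;;
	stop)
		;;
	restart|force-reload)
		;;
	*)
		# Usage is a diagnostic, so it goes to stderr, not stdout.
		printf 'Usage: %s {start|stop|restart|force-reload}\n' "$0" >&2
		exit 2
		;;
esac

exit 0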
