# Copyright (c) 2010 - OpenSLX GmbH
#
# This program/file is free software distributed under the GPL version 2.
# See http://openslx.org/COPYING
#
# If you have any feedback please consult http://openslx.org/feedback and
# send your feedback to feedback@openslx.org
#
# General information about OpenSLX can be found at http://openslx.org
#
# script is included from init via the "." load function - thus it has all
# variables and functions available

# check if the configuration file is available
if [ -e /initramfs/plugin-conf/auth.conf ]; then

  . /etc/openslx.conf
  ETCDIR=/mnt/${OPENSLX_DEFAULT_CONFDIR}
  PLUGINCONFDIR=${ETCDIR}/plugins/auth
  BINDIR=/mnt/${OPENSLX_DEFAULT_BINDIR}
  PLUGINDIR=/mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth
  VIRTDIR=/mnt/${OPENSLX_DEFAULT_VIRTDIR}

  # load needed variables
  . /initramfs/plugin-conf/auth.conf

  # get distribution info; has also version if needed...
  . /etc/slxsystem.conf
  distro=$slxconf_distro_name
  distro_version=$slxconf_distro_ver

  # Test if this plugin is activated... more or less useless with the
  # new plugin system
  if [ $auth_active -ne 0 ]; then
    [ $DEBUGLEVEL -gt 0 ] && echo "executing the 'auth' os-plugin ...";
    # load general configuration
    . /initramfs/machine-setup

    # Passwd: todo: move somewhere else
    chown root:shadow /mnt/etc/shadow
    chmod 0640 /mnt/etc/shadow
    chown root:root /mnt/etc/paswd
    chmod 0644 /mnt/etc/passwd
    #sed -i 's/auth_rootpwd.*/auth_rootpwd=*********/' $PLUGINCONFDIR/auth.conf

    # set authentication to passwd and group which is default
    sed -i  's/^passwd:.*/passwd: files/' /mnt/etc/nsswitch.conf
    sed -i  's/^group:.*/group: files/' /mnt/etc/nsswitch.conf

    # general requirement
    rllinker "nscd" 16 8

    ######
    # LDAP
    ######
    if [ $auth_ldap -eq 1 ]; then
      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap.conf
      ln -sf /etc/ldap.conf /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
      # even if their syntax can differ, we copy them
      #   (and hope no nss_* attributes where used)
      echo "# Created by XX_auth.sh (auth-plugin) for compatibility reasons" \
        > /mnt/etc/nslcd.conf
      cat ${PLUGINDIR}/ldap.conf.slx >> /mnt/etc/nslcd.conf # required for openSUSE 11.4
      ln -sf /etc/ldap.conf /mnt/etc/ldap/ldap.conf

      # PAM: add ldap conf before pam_unix(2).so; SuSE: ...-pc
      sed -i \
        '/^account.*req.*pam_unix/ s/^/account sufficient pam_ldap.so\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
      sed -i \
        '/^auth.*req.*pam_unix/ s/^/auth sufficient pam_ldap.so\n/' \
        /mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc

      sed -i  's/^\(passwd:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
      sed -i  's/^\(group:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf

      case "$distro" in
        suse)
          rllinker "nslcd" 20 8  # req. with OpenSuSE 11.4
          ;;
      esac

      # just to be on the save side... usually nslcd isn't used.
      sed -i "s/^\(nss_.*\)/#XX_auth.sh#\1/" /mnt/etc/nslcd.conf
        
      # hack. if we want to have totally custom ldap.conf files...
      if [ -f ${PLUGINDIR}/ldap.conf ]; then
        echo "# copied from auth::files (default: /root/auth-plugin)" \
          > /mnt/etc/ldap.conf
        cat ${PLUGINDIR}/ldap.conf >> /mnt/etc/ldap.conf
      fi
      # similiar to ldap.conf, but just similiar
      if [ -f ${PLUGINDIR}/nslcd.conf ]; then
        echo "# copied from auth::files (default: /root/auth-plugin)" \
          > /mnt/etc/nslcd.conf
        cat ${PLUGINDIR}/nslcd.conf >> /mnt/etc/nslcd.conf # openSUSE 11.4
      fi

    fi

    ########################
    # AUTOMOUNT, NFS partial
    ########################
    if [ $auth_automount -eq 1 ]; then
      cp ${PLUGINDIR}/auto.master /mnt/etc
      cp ${PLUGINDIR}/auto.slx /mnt/etc
      if [! -d /mnt/$auth_automnt_dir ]; then
        mkdir -p /mnt/$auth_automnt_dir
      fi

#      config_portmap # distro specific configuration :(
#      config_automount # distro specific configuration :(
#      config_nfs # distro specific config... activates gssd and idmapd

      # ubuntu
      case $distro in
        ubuntu)
          sed -e 's,start on ,start on filesystem #,' \
            -i /mnt/etc/init/statd.conf
          echo -e "alias autofs autofs4" >>/mnt/etc/modprobe.d/aliases.conf
          # no nfs-common initscirpt  at 10.04, but other ones
          # statd not required for NFSv4..
          sed -i 's/^NEED_STATD=.*/NEED_STATD=yes/' /mnt/etc/default/nfs-common
          # optional, but helps in the future to move stuff out of OpenSLX to distri-tools
          rllinker "portmap" 12 8 # required 10.04+11.04 with nfs to start rpc.statd
          rllinker "portmap-wait" 12 8 # required 10.04+11.04 with nfs to start rpc.statd
          rllinker "rpc_pipefs" 14 8
          rllinker "statd" 13 8 #fails
          rllinker "autofs" 14 8
          # workaround for not starting statd. 10.04 affected, 11.04 not affected!?!
          echo "                  # auth-plugin: workaround for statd
                 #mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
                 rpc.statd -L" \
               >> /mnt/etc/init.d/boot.slx
          rllinker "boot.slx" 2 20
          ;;
        suse)
          # enable generall nfs support
          sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
          rllinker "rpcbind" 4 21
          rllinker "nfs" 14 20
          rllinker "autofs" 18 4
          ;;
      esac
    fi

    #######
    # NFSv4
    #######
    if [ $auth_nfs4 -eq 1 ]; then

      # /etc/init-hell
      case "$distro" in
        suse)
          # for idmap 
          sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
          # optional, but may help in the future to move stuff out of OpenSLX to distri-tools
          rllinker "rpcbind" 4 21
          rllinker "nfs" 14 8  # handles idmap & gssd
          ;;
        ubuntu)
          # nfs-common: somewhere before 10.04, not available with 10.04ff
          rllinker "nfs-common" 16 8
          # enable idmapd
          sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /mnt/etc/default/nfs-common
          # rpc_pipefs, portmap and idmap rllinker are optional
          # but may help in the future to move stuff out of OpenSLX to distri-tools
          rllinker "rpc_pipefs" 13 8  #doenst work somehow. could be mount/not mounted quirks
          rllinker "portmap" 14 8
          # optional, but helps in the future to move stuff out of OpenSLX to distri-tools
          rllinker "idmapd" 17 8
          # somehow idmapd doesnt want to start, because rpc_pipefs, even if enabled, doesn't
          # mount the required path. happend with a cloned ubuntu 10.04. therefore a workaround
          echo "                  # auth-plugin: workaround for idmapd
                  mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
                  # doesn't matter if already running
                  echo \"start idmapd (again)\"
                  service idmapd start" \
              >> /mnt/etc/init.d/boot.slx
          rllinker "boot.slx" 2 20
          ;;
      esac

      sed -i \
        "s/^Domain.*/Domain = ${auth_idmap_domain}/" \
        /mnt/etc/idmapd.conf
    fi

    # configure automnt_script
    if [ $auth_automnt_script ]; then
      chmod 700 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_automnt_script
      sed -i -e '/^\/home.*$/d' /mnt/etc/auto.master
      echo "/home program:${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_automnt_script" \
         >> /mnt/etc/auto.master
    fi
   
    # configure KerberOS
    if [ $auth_krb -eq 1 ]; then
      echo "# copied from auth::files (default: /root/auth-plugin)" \
        > /mnt/etc/krb5.conf
      cat ${PLUGINDIR}/krb5.conf >> /mnt/etc/krb5.conf
      
      # PAM: add krb conf after pam_unix(2).so; SuSE: ...-pc
      sed -i \
        '/^account.*req.*pam_unix/ s/^/account [success=ok new_authtok_reqd=ok ignore=ignore default=bad user_unknown=ignore]  pam_krb5.so     use_first_pass\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
      sed -i \
        '/^account.*req.*pam_unix/ s/^/auth    sufficient      pam_krb5.so     use_first_pass\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-auth-pc
      echo "session optional        pam_krb5.so" >>  /mnt/etc/pam.d/common-session
      echo "session optional        pam_krb5.so" >>  /mnt/etc/pam.d/common-session-pc

      # script to get keytab or do other magic things
      if [ -n $auth_krbscript ]; then
        echo "# auth-plugin: start custom kerberOS script
          echo "Start krbscript"
          /${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
          chmod 600 /etc/krb5.keytab # if a user forget to change it the $auth_krbscript" \
          >>  /mnt/etc/init.d/boot.slx
        chmod 700 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
        # just krb5.conf perm
        rllinker "boot.slx" 2 20
      fi

      # maybe not needed in every case. depends how $HOME gets mounted... but required for nfs & automount at least with nfsv4
      case "$distro" in
          ubuntu)
            sed -i 's/^NEED_GSSD.*/NEED_GSSD=yes/' /mnt/etc/default/nfs-common
            # optional, but wont hurt if the previous fails
            rllinker "gssd" 16 8
            ;;
          suse)
            # for idmap and gss
            sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
            sed -i 's/^NFS_SECURITY_GSS.*/NFS_SECURITY_GSS="yes"/' /mnt/etc/sysconfig/nfs
            ;;
      esac

    fi

  fi
  
  # hack. if we want to have totally custom pam-files...
  if [ -d ${PLUGINDIR}/pam.d/ ]; then
    cp ${PLUGINDIR}/pam.d/* /mnt/etc/pam.d/
  fi
  
  # hack. if we want to have totally custom nsswitch.conf file...
  if [ -f ${PLUGINDIR}/nsswitch.conf ]; then
    echo "# copied from auth::files (default: /root/auth-plugin)" \
      > /mnt/etc/nsswitch.conf
    cat ${PLUGINDIR}/nsswitch.conf >> /mnt/etc/nsswitch.conf
  fi

else
  [ $DEBUGLEVEL -gt 0 ] && echo "  * Configuration of auth plugin failed"
fi