#!/bin/bash

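#######################################
# Restarts slapd until success or 30 retries are reached.
#
# Each attempt restarts the service and then checks, with an anonymous
# StartTLS bind against the host's first IP address, that slapd answers.
# -ZZ makes the check fail unless the TLS handshake succeeds, and
# LDAPTLS_CACERT pins the CA, so a server presenting an untrusted
# certificate also counts as a failed attempt.
#
# Globals:   none
# Arguments: none
# Outputs:   service / ldapwhoami diagnostics on stdout and stderr
# Returns:   0 once ldapwhoami succeeds, 1 after 30 failed attempts
#######################################
restartSlapd() {
	local -r maxRetries=30
	local stopCounter=0
	local ipAddr=
	local status=1

	# hostname -i may print several addresses separated by spaces; only the
	# first one is used so the URI stays well-formed (an unquoted expansion
	# would turn the remaining addresses into stray positional arguments).
	read -r ipAddr _ < <(hostname -i)

	while [ "$stopCounter" -lt "$maxRetries" ]; do
		sleep 1
		stopCounter=$(( stopCounter + 1 ))
		service slapd restart
		# Give slapd a moment to come up before probing it.
		sleep 1
		if LDAPTLS_CACERT=/etc/apache/m23/ca.crt ldapwhoami -v -H "ldap://${ipAddr}" -ZZ -x; then
			status=0
			break
		fi
	done

	return "$status"
}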

# Progress marker 1: the script has started.
# NOTE(review): the log is appended as root to a fixed path under /tmp; a
# pre-existing file or symlink at that path is followed.
printf '%s\n' 1 >> /tmp/enable-LDAP-TLS.log

# Record presence, owner and mode of the certificate files for debugging.
ls -l /etc/apache/m23/ca.crt /etc/apache/m23/server.crt /etc/apache/m23/server.key >> /tmp/enable-LDAP-TLS.log


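# Only proceed when the CA certificate, server certificate and server key
# are all present. (Whether LDAPS is already enabled is checked further
# down against /etc/default/slapd, not here.)
caCert=/etc/apache/m23/ca.crt
serverCert=/etc/apache/m23/server.crt
serverKey=/etc/apache/m23/server.key
if [ -f "$caCert" ] && [ -f "$serverCert" ] && [ -f "$serverKey" ]
then
	# Make the SSL server key readable by the openldap group (used by slapd).
	# Mode 640 keeps the private key unreadable for other users.
	chgrp openldap "$serverKey"
	chmod 640 "$serverKey"

	echo 2 >> /tmp/enable-LDAP-TLS.log

	restartSlapd

	# Enable TLS in the config space of LDAP.
	# The LDIF goes into an unpredictable temporary file (mktemp) instead of
	# a fixed name in /tmp, so another local user cannot pre-create or swap
	# the file that ldapmodify reads with root privileges. The EXIT trap
	# removes it on every exit path.
	ldif=$(mktemp /tmp/ldap_tls.XXXXXX) || exit 1
	trap 'rm -f -- "$ldif"' EXIT
	# olcTLSVerifyClient "try": client certificates are requested but a
	# missing one does not reject the connection.
	cat > "$ldif" <<'EOF'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/apache/m23/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/apache/m23/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/apache/m23/server.key
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
EOF
	# SASL EXTERNAL over ldapi:/// authenticates by the calling uid, so this
	# presumably relies on the script running as root — confirm.
	# The modify is applied twice, as in the original script; presumably a
	# retry in case the first run is rejected — TODO confirm why.
	ldapmodify -Y EXTERNAL -H ldapi:/// -f "$ldif"
	ldapmodify -Y EXTERNAL -H ldapi:/// -f "$ldif"
	rm -f -- "$ldif"
	echo 3 >> /tmp/enable-LDAP-TLS.log

	# Activate LDAPS in the slapd defaults file if it is not listed yet.
	if ! grep '^SLAPD_SERVICES' /etc/default/slapd | grep -q ldaps
	then
		sed -i 's#^SLAPD_SERVICES.*#SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"#' /etc/default/slapd
		echo 4 >> /tmp/enable-LDAP-TLS.log
	fi

	# Restart slapd so the TLS settings and the ldaps:/// listener take
	# effect at once.
	restartSlapd
fi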