#!/bin/sh

# Create host object.
ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
objectClass: device
objectClass: domainRelatedObject
objectClass: ldapPublicKey
cn: ${BOXCONF_HOSTNAME}
associatedDomain: ${fqdn}
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF

# Update attributes that may have changed.
ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
replace: sshPublicKey
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
-
replace: description
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF

# Create A record.
ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${BOXCONF_HOSTNAME}
aRecord: ${BOXCONF_DEFAULT_IPV4}
associatedDomain: ${fqdn}
EOF

# Create PTR record.
rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: ${rdns%%.*}
pTRRecord: ${fqdn}
associatedDomain: ${rdns}
EOF

# Create host principal.
kadmin.local get_principal "host/${fqdn}" \
  || kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"

# Create ldap service principal.
kadmin.local get_principal "ldap/${fqdn}" \
  || kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}"

# Create state dataset to persist keytabs across OS rebuilds.
create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"

# Export host keytab.
[ -f "${keytab_dir}/host.keytab" ] || kadmin.local ktadd -k "${keytab_dir}/host.keytab" -q "host/${fqdn}"
ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab

# Export slapd keytab.
[ -f "$slapd_keytab" ] || kadmin.local ktadd -k "$slapd_keytab" -q "ldap/${fqdn}"
chown "$slapd_user" "$slapd_keytab"

# Install PAM/NSS integration packages.
pkg install -y \
  nss-pam-ldapd-sasl \
  pam_krb5 \
  perl5 \
  p5-perl-ldap \
  p5-Authen-SASL \
  pam_mkhomedir

# Configure PAM/NSS integration.
install_template -m 0644 \
  /etc/pam.d/login \
  /etc/pam.d/sshd
install_file -m 0644 \
  /etc/nsswitch.conf \
  /etc/pam.d/system \
  /etc/pam.d/sudo \
  /etc/pam.d/su \
  /etc/pam.d/other

install_template -m 0644 /etc/login.access

install_template -m 0644 \
  /usr/local/etc/nslcd.conf \
  /etc/nscd.conf

# Ensure /home exists and configure skel files.
install_directory -m 0755 /home
install_file -m 0644 \
  /usr/share/skel/dot.login \
  /usr/share/skel/dot.profile \
  /usr/share/skel/dot.shrc

sysrc -v \
  nslcd_enable=YES \
  nscd_enable=YES

service nslcd restart
service nscd restart

# Create ldap.conf symlink.
ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf

# Copy IDM helper scripts for SSH.
install_file -m 0555 \
  /usr/local/libexec/idm-ssh-known-hosts \
  /usr/local/libexec/idm-ssh-authorized-keys

# Create the boxconf administrative user.
if is_primary_server && ! ldap_dn_exists "$boxconf_dn"; then
  ldap_add "$boxconf_dn" <<EOF
objectClass: account
objectClass: simpleSecurityObject
uid: ${boxconf_username}
userPassword: {SASL}${boxconf_username}@${realm}
EOF

  kadmin.local add_principal -x "dn=${boxconf_dn}" -pw "$boxconf_password" "$boxconf_username"
fi