WebSVN – ALCASAR – Diff – /scripts/alcasar-ldap.sh


#!/bin/bash
 
# $Id: alcasar-ldap.sh 2714 2019-03-10 23:43:22Z tom.houdayer $
 
# alcasar-ldap.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
# enable / disable authentication of users via an extern LDAP server
 
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
OPENLDAP_CONF='/etc/openldap/ldap.conf'
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2)                # hostname/IP address of the LDAP server
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-)                   # LDAP username used by ALCASAR to read the remote directory
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-)           # its password
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-)                   # Where to find the users (cn=**,dc=**,dc=**)
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2)                      # 'samaccountname' for A.D. - 'UID' for LDAP
LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE | cut -d"=" -f2-)               # LDAP filter
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-)                     # LDAP SSL status
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]; then
	nb_args=1
	args="-h"
fi
 
case $args in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	--on | -on)
		$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
		if [ "$LDAP_SSL" == 'on' ]; then
			$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
			$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
			[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
			$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
			echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
		else
			$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
			$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
			echo  '' > $OPENLDAP_CONF
		fi
		$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
		$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})($filter))\"/g" $LDAP_MODULE
		if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
			ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
		fi
		[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
		ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
		/usr/bin/systemctl restart radiusd.service
		;;
	--off | -off)
		$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
		rm -f /etc/raddb/mods-enabled/ldap
		[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
		ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
		/usr/bin/systemctl restart radiusd.service
		;;
	--import-cert)
		cert=$2
		[ -z "$cert" ] && echo "$usage" && exit 1
 
		if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
			domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed  's@\.\+$@@')
			if [ "$domainName" != "$LDAP_SERVER" ]; then
				echo 'WARN: the common name of the certificate is different from the server domain name'
			fi
		fi
		# TODO : convert DER format to PEM ?
		cp -f "$cert" $LDAPS_CERT_LOC
		chown root:radius $LDAPS_CERT_LOC
		chmod 644 $LDAPS_CERT_LOC
 
		$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
		$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
		$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
		[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
		$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
		echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
		/usr/bin/systemctl restart radiusd.service
		;;
	--delete-cert)
		[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
		;;
	--test)
		[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
		command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
		if [ "$LDAP_SSL" == 'on' ]; then
			protocol='ldaps'
			[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
			export LDAPTLS_REQCERT="$require_cert"
			[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
		else
			protocol='ldap'
		fi
		[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
		/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1
		;;
	*)
		echo "Argument inconnu : $1";
		echo "$usage"
		exit 1
		;;
esac
 

Subversion Repositories ALCASAR

(root)/scripts/alcasar-ldap.sh – Rev 2705 → 2714

Rev 2705		Rev 2714
1	`#!/bin/bash`	1	`#!/bin/bash`
2		2
3	`# $Id: alcasar-ldap.sh 2705 2019-03-05 22:30:50Z tom.houdayer $`	3	`# $Id: alcasar-ldap.sh 2714 2019-03-10 23:43:22Z tom.houdayer $`
4		4
5	`# alcasar-ldap.sh`	5	`# alcasar-ldap.sh`
6	`# by Rexy`	6	`# by Rexy`
7	`# This script is distributed under the Gnu General Public License (GPL)`	7	`# This script is distributed under the Gnu General Public License (GPL)`
8		8
9	`# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe`	9	`# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe`
10	`# enable / disable authentication of users via an extern LDAP server`	10	`# enable / disable authentication of users via an extern LDAP server`
11		11
12	`usage="Usage: alcasar-ldap.sh {--on or -on } \| {--off or -off} \| --import-cert {certificatePath} \| --test [-d]"`	12	`usage="Usage: alcasar-ldap.sh {--on or -on } \| {--off or -off} \| --import-cert {certificatePath} \| --test [-d]"`
13	`SED="/bin/sed -i"`	13	`SED="/bin/sed -i"`
14	`CONF_FILE="/usr/local/etc/alcasar.conf"`	14	`CONF_FILE="/usr/local/etc/alcasar.conf"`
15	`LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"`	15	`LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"`
16	`OPENLDAP_CONF='/etc/openldap/ldap.conf'`	16	`OPENLDAP_CONF='/etc/openldap/ldap.conf'`
17	`LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'`	17	`LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'`
18	`LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE \| cut -d"=" -f2) # hostname/IP address of the LDAP server`	18	`LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE \| cut -d"=" -f2) # hostname/IP address of the LDAP server`
19	`LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory`	19	`LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory`
20	`LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE \| cut -d"=" -f2-) # its password`	20	`LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE \| cut -d"=" -f2-) # its password`
21	`LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE \| cut -d"=" -f2-) # Where to find the users (cn=,dc=,dc=**)`	21	`LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE \| cut -d"=" -f2-) # Where to find the users (cn=,dc=,dc=**)`
22	`LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE \| cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP`	22	`LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE \| cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP`
-		23	`LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP filter`
23	`LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL status`	24	`LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL status`
24	`LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL certificate verifying`	25	`LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL certificate verifying`
25		26
26	`nb_args=$#`	27	`nb_args=$#`
27	`args=$1`	28	`args=$1`
28	`if [ $nb_args -eq 0 ]; then`	29	`if [ $nb_args -eq 0 ]; then`
29	`nb_args=1`	30	`nb_args=1`
30	`args="-h"`	31	`args="-h"`
31	`fi`	32	`fi`
32		33
33	`case $args in`	34	`case $args in`
34	`-\? \| -h* \| --h*)`	35	`-\? \| -h* \| --h*)`
35	`echo "$usage"`	36	`echo "$usage"`
36	`exit 0`	37	`exit 0`
37	`;;`	38	`;;`
38	`--on \| -on)`	39	`--on \| -on)`
39	`$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE`	40	`$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE`
40	`if [ "$LDAP_SSL" == 'on' ]; then`	41	`if [ "$LDAP_SSL" == 'on' ]; then`
41	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	42	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
42	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`	43	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`
43	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`	44	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`
44	`$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`	45	`$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`
45	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`	46	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`
46	`else`	47	`else`
47	`$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	48	`$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
48	`$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE`	49	`$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE`
49	`echo '' > $OPENLDAP_CONF`	50	`echo '' > $OPENLDAP_CONF`
50	`fi`	51	`fi`
51	`$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	52	`$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
52	`$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	53	`$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
53	`$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	54	`$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
-		55	`[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" \|\| filter='&'`
54	`$SED "s/^\t\tfilter =.*/\t\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE`	56	`$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})($filter))\"/g" $LDAP_MODULE`
55	`if [ ! -e /etc/raddb/mods-enabled/ldap ]; then`	57	`if [ ! -e /etc/raddb/mods-enabled/ldap ]; then`
56	`ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap`	58	`ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap`
57	`fi`	59	`fi`
58	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`	60	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`
59	`ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar`	61	`ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar`
60	`/usr/bin/systemctl restart radiusd.service`	62	`/usr/bin/systemctl restart radiusd.service`
61	`;;`	63	`;;`
62	`--off \| -off)`	64	`--off \| -off)`
63	`$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE`	65	`$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE`
64	`rm -f /etc/raddb/mods-enabled/ldap`	66	`rm -f /etc/raddb/mods-enabled/ldap`
65	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`	67	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`
66	`ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar`	68	`ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar`
67	`/usr/bin/systemctl restart radiusd.service`	69	`/usr/bin/systemctl restart radiusd.service`
68	`;;`	70	`;;`
69	`--import-cert)`	71	`--import-cert)`
70	`cert=$2`	72	`cert=$2`
71	`[ -z "$cert" ] && echo "$usage" && exit 1`	73	`[ -z "$cert" ] && echo "$usage" && exit 1`
72		74
73	`if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then`	75	`if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then`
74	`domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC \| cut -d' ' -f2- \| sed 's@/[A-Za-z]\+=@\n@g' \| tac \| tr '\n' '.' \| sed 's@\.\+$@@')`	76	`domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC \| cut -d' ' -f2- \| sed 's@/[A-Za-z]\+=@\n@g' \| tac \| tr '\n' '.' \| sed 's@\.\+$@@')`
75	`if [ "$domainName" != "$LDAP_SERVER" ]; then`	77	`if [ "$domainName" != "$LDAP_SERVER" ]; then`
76	`echo 'WARN: the common name of the certificate is different from the server domain name'`	78	`echo 'WARN: the common name of the certificate is different from the server domain name'`
77	`fi`	79	`fi`
78	`fi`	80	`fi`
79	`# TODO : convert DER format to PEM ?`	81	`# TODO : convert DER format to PEM ?`
80	`cp -f "$cert" $LDAPS_CERT_LOC`	82	`cp -f "$cert" $LDAPS_CERT_LOC`
81	`chown root:radius $LDAPS_CERT_LOC`	83	`chown root:radius $LDAPS_CERT_LOC`
82	`chmod 644 $LDAPS_CERT_LOC`	84	`chmod 644 $LDAPS_CERT_LOC`
83		85
84	`$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE`	86	`$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE`
85	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	87	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
86	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`	88	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`
87	`$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE`	89	`$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE`
88	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`	90	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`
89	`$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`	91	`$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`
90	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`	92	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`
91	`/usr/bin/systemctl restart radiusd.service`	93	`/usr/bin/systemctl restart radiusd.service`
92	`;;`	94	`;;`
93	`--delete-cert)`	95	`--delete-cert)`
94	`[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC`	96	`[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC`
95	`;;`	97	`;;`
96	`--test)`	98	`--test)`
97	`[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'`	99	`[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'`
98	`command -v ldapsearch &>/dev/null \|\| { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }`	100	`command -v ldapsearch &>/dev/null \|\| { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }`
99	`if [ "$LDAP_SSL" == 'on' ]; then`	101	`if [ "$LDAP_SSL" == 'on' ]; then`
100	`protocol='ldaps'`	102	`protocol='ldaps'`
101	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`	103	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`
102	`export LDAPTLS_REQCERT="$require_cert"`	104	`export LDAPTLS_REQCERT="$require_cert"`
103	`[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"`	105	`[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"`
104	`else`	106	`else`
105	`protocol='ldap'`	107	`protocol='ldap'`
106	`fi`	108	`fi`
-		109	`[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" \|\| filter='&'`
107	`/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "($LDAP_UID=*)" 1.1`	110	`/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1`
108	`;;`	111	`;;`
109	`*)`	112	`*)`
110	`echo "Argument inconnu : $1";`	113	`echo "Argument inconnu : $1";`
111	`echo "$usage"`	114	`echo "$usage"`
112	`exit 1`	115	`exit 1`
113	`;;`	116	`;;`
114	`esac`	117	`esac`
115		118