WebSVN – ALCASAR – Diff – /scripts/alcasar-ldap.sh


#!/bin/bash
 
# $Id: alcasar-ldap.sh 2731 2019-05-26 21:09:18Z tom.houdayer $
 
# alcasar-ldap.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
# enable / disable authentication of users via an extern LDAP server
 
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
OPENLDAP_CONF='/etc/openldap/ldap.conf'
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2)                # hostname/IP address of the LDAP server
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-)                   # LDAP username used by ALCASAR to read the remote directory
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-)           # its password
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-)                   # Where to find the users (cn=**,dc=**,dc=**)
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2)                      # 'samaccountname' for A.D. - 'UID' for LDAP
LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE | cut -d"=" -f2-)               # LDAP filter
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-)                     # LDAP SSL status
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
 
add_ldap_server_to_static_dhcp() {
	if [[ "$LDAP_SERVER" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
		ldap_server_ip="$LDAP_SERVER"
	else
		ldap_server_ip=$(dig +short $LDAP_SERVER)
		[ -z "$ldap_server_ip" ] && return 1
	fi
 
	if [ -z "$(cat /usr/local/etc/alcasar-ethers | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip)')" ]; then
		ldap_server_mac=$(chilli_query list | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip) {print $1}')
		[ -z "$ldap_server_mac" ] && return 1
 
		echo "$ldap_server_mac $ldap_server_ip" >> /usr/local/etc/alcasar-ethers
		echo "$ldap_server_mac $ldap_server_ip #LDAP Server" >> /usr/local/etc/alcasar-ethers-info
	fi
}
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]; then
	nb_args=1
	args="-h"
fi
 
case $args in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	--on | -on)
		$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
		if [ "$LDAP_SSL" == 'on' ]; then
			$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
			$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
			[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
			$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
			echo "TLS_REQCERT $require_cert" > $OPENLDAP_CONF
			[ -f "$LDAPS_CERT_LOC" ] && echo "TLS_CACERT $LDAPS_CERT_LOC" >> $OPENLDAP_CONF
		else
			$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
			$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
			echo  '' > $OPENLDAP_CONF
		fi
		$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
		$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})(${filter//&/\\&}))\"/g" $LDAP_MODULE
		if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
			ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
		fi
		[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
		ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
		add_ldap_server_to_static_dhcp
		/usr/bin/systemctl restart radiusd.service
		;;
	--off | -off)
		$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
		rm -f /etc/raddb/mods-enabled/ldap
		[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
		ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
		/usr/bin/systemctl restart radiusd.service
		;;
	--import-cert)
		cert=$2
		[ -z "$cert" ] && echo "$usage" && exit 1
 
		[ ! -f "$cert" ] && { echo >&2 "ERR: certificate file \"$cert\" not found" ; exit 1; }
 
		# TODO : convert DER format to PEM ?
		cp -f "$cert" $LDAPS_CERT_LOC
		chown root:radius $LDAPS_CERT_LOC
		chmod 644 $LDAPS_CERT_LOC
 
		if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
			domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed  's@\.\+$@@')
			if [ "$domainName" != "$LDAP_SERVER" ]; then
				echo 'WARN: the common name of the certificate is different from the server domain name'
			fi
		fi
 
 
 
 
 
		$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
		$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
		$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
		$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
		[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
		$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
		echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
		/usr/bin/systemctl restart radiusd.service
		;;
	--delete-cert)
		[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
		;;
	--test)
		[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
		command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
		if [ "$LDAP_SSL" == 'on' ]; then
			protocol='ldaps'
			[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
			export LDAPTLS_REQCERT="$require_cert"
			[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
		else
			protocol='ldap'
		fi
		[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
		/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1
		;;
	*)
		echo "Argument inconnu : $1";
		echo "$usage"
		exit 1
		;;
esac
 

Subversion Repositories ALCASAR

(root)/scripts/alcasar-ldap.sh – Rev 2715 → 2731

Rev 2715		Rev 2731
1	`#!/bin/bash`	1	`#!/bin/bash`
2		2
3	`# $Id: alcasar-ldap.sh 2715 2019-03-10 23:53:44Z tom.houdayer $`	3	`# $Id: alcasar-ldap.sh 2731 2019-05-26 21:09:18Z tom.houdayer $`
4		4
5	`# alcasar-ldap.sh`	5	`# alcasar-ldap.sh`
6	`# by Rexy`	6	`# by Rexy`
7	`# This script is distributed under the Gnu General Public License (GPL)`	7	`# This script is distributed under the Gnu General Public License (GPL)`
8		8
9	`# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe`	9	`# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe`
10	`# enable / disable authentication of users via an extern LDAP server`	10	`# enable / disable authentication of users via an extern LDAP server`
11		11
12	`usage="Usage: alcasar-ldap.sh {--on or -on } \| {--off or -off} \| --import-cert {certificatePath} \| --test [-d]"`	12	`usage="Usage: alcasar-ldap.sh {--on or -on } \| {--off or -off} \| --import-cert {certificatePath} \| --test [-d]"`
13	`SED="/bin/sed -i"`	13	`SED="/bin/sed -i"`
14	`CONF_FILE="/usr/local/etc/alcasar.conf"`	14	`CONF_FILE="/usr/local/etc/alcasar.conf"`
15	`LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"`	15	`LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"`
16	`OPENLDAP_CONF='/etc/openldap/ldap.conf'`	16	`OPENLDAP_CONF='/etc/openldap/ldap.conf'`
17	`LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'`	17	`LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'`
18	`LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE \| cut -d"=" -f2) # hostname/IP address of the LDAP server`	18	`LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE \| cut -d"=" -f2) # hostname/IP address of the LDAP server`
19	`LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory`	19	`LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory`
20	`LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE \| cut -d"=" -f2-) # its password`	20	`LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE \| cut -d"=" -f2-) # its password`
21	`LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE \| cut -d"=" -f2-) # Where to find the users (cn=,dc=,dc=**)`	21	`LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE \| cut -d"=" -f2-) # Where to find the users (cn=,dc=,dc=**)`
22	`LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE \| cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP`	22	`LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE \| cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP`
23	`LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP filter`	23	`LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE \| cut -d"=" -f2-) # LDAP filter`
24	`LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL status`	24	`LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL status`
25	`LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL certificate verifying`	25	`LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE \| cut -d"=" -f2-) # LDAP SSL certificate verifying`
26		26
27	`add_ldap_server_to_static_dhcp() {`	27	`add_ldap_server_to_static_dhcp() {`
28	`if [[ "$LDAP_SERVER" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then`	28	`if [[ "$LDAP_SERVER" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then`
29	`ldap_server_ip="$LDAP_SERVER"`	29	`ldap_server_ip="$LDAP_SERVER"`
30	`else`	30	`else`
31	`ldap_server_ip=$(dig +short $LDAP_SERVER)`	31	`ldap_server_ip=$(dig +short $LDAP_SERVER)`
32	`[ -z "$ldap_server_ip" ] && return 1`	32	`[ -z "$ldap_server_ip" ] && return 1`
33	`fi`	33	`fi`
34		34
35	`if [ -z "$(cat /usr/local/etc/alcasar-ethers \| awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip)')" ]; then`	35	`if [ -z "$(cat /usr/local/etc/alcasar-ethers \| awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip)')" ]; then`
36	`ldap_server_mac=$(chilli_query list \| awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip) {print $1}')`	36	`ldap_server_mac=$(chilli_query list \| awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip) {print $1}')`
37	`[ -z "$ldap_server_mac" ] && return 1`	37	`[ -z "$ldap_server_mac" ] && return 1`
38		38
39	`echo "$ldap_server_mac $ldap_server_ip" >> /usr/local/etc/alcasar-ethers`	39	`echo "$ldap_server_mac $ldap_server_ip" >> /usr/local/etc/alcasar-ethers`
40	`echo "$ldap_server_mac $ldap_server_ip #LDAP Server" >> /usr/local/etc/alcasar-ethers-info`	40	`echo "$ldap_server_mac $ldap_server_ip #LDAP Server" >> /usr/local/etc/alcasar-ethers-info`
41	`fi`	41	`fi`
42	`}`	42	`}`
43		43
44	`nb_args=$#`	44	`nb_args=$#`
45	`args=$1`	45	`args=$1`
46	`if [ $nb_args -eq 0 ]; then`	46	`if [ $nb_args -eq 0 ]; then`
47	`nb_args=1`	47	`nb_args=1`
48	`args="-h"`	48	`args="-h"`
49	`fi`	49	`fi`
50		50
51	`case $args in`	51	`case $args in`
52	`-\? \| -h* \| --h*)`	52	`-\? \| -h* \| --h*)`
53	`echo "$usage"`	53	`echo "$usage"`
54	`exit 0`	54	`exit 0`
55	`;;`	55	`;;`
56	`--on \| -on)`	56	`--on \| -on)`
57	`$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE`	57	`$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE`
58	`if [ "$LDAP_SSL" == 'on' ]; then`	58	`if [ "$LDAP_SSL" == 'on' ]; then`
59	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	59	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
60	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`	60	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`
61	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`	61	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`
62	`$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`	62	`$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`
63	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`	63	`echo "TLS_REQCERT $require_cert" > $OPENLDAP_CONF`
-		64	`[ -f "$LDAPS_CERT_LOC" ] && echo "TLS_CACERT $LDAPS_CERT_LOC" >> $OPENLDAP_CONF`
64	`else`	65	`else`
65	`$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	66	`$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
66	`$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE`	67	`$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE`
67	`echo '' > $OPENLDAP_CONF`	68	`echo '' > $OPENLDAP_CONF`
68	`fi`	69	`fi`
69	`$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	70	`$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
70	`$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	71	`$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
71	`$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	72	`$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
72	`[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" \|\| filter='&'`	73	`[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" \|\| filter='&'`
73	`$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})($filter))\"/g" $LDAP_MODULE`	74	`$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})(${filter//&/\\&}))\"/g" $LDAP_MODULE`
74	`if [ ! -e /etc/raddb/mods-enabled/ldap ]; then`	75	`if [ ! -e /etc/raddb/mods-enabled/ldap ]; then`
75	`ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap`	76	`ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap`
76	`fi`	77	`fi`
77	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`	78	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`
78	`ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar`	79	`ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar`
79	`add_ldap_server_to_static_dhcp`	80	`add_ldap_server_to_static_dhcp`
80	`/usr/bin/systemctl restart radiusd.service`	81	`/usr/bin/systemctl restart radiusd.service`
81	`;;`	82	`;;`
82	`--off \| -off)`	83	`--off \| -off)`
83	`$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE`	84	`$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE`
84	`rm -f /etc/raddb/mods-enabled/ldap`	85	`rm -f /etc/raddb/mods-enabled/ldap`
85	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`	86	`[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar`
86	`ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar`	87	`ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar`
87	`/usr/bin/systemctl restart radiusd.service`	88	`/usr/bin/systemctl restart radiusd.service`
88	`;;`	89	`;;`
89	`--import-cert)`	90	`--import-cert)`
90	`cert=$2`	91	`cert=$2`
91	`[ -z "$cert" ] && echo "$usage" && exit 1`	92	`[ -z "$cert" ] && echo "$usage" && exit 1`
92		93
-		94	`[ ! -f "$cert" ] && { echo >&2 "ERR: certificate file \"$cert\" not found" ; exit 1; }`
-		95
-		96	`# TODO : convert DER format to PEM ?`
-		97	`cp -f "$cert" $LDAPS_CERT_LOC`
-		98	`chown root:radius $LDAPS_CERT_LOC`
-		99	`chmod 644 $LDAPS_CERT_LOC`
-		100
93	`if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then`	101	`if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then`
94	`domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC \| cut -d' ' -f2- \| sed 's@/[A-Za-z]\+=@\n@g' \| tac \| tr '\n' '.' \| sed 's@\.\+$@@')`	102	`domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC \| cut -d' ' -f2- \| sed 's@/[A-Za-z]\+=@\n@g' \| tac \| tr '\n' '.' \| sed 's@\.\+$@@')`
95	`if [ "$domainName" != "$LDAP_SERVER" ]; then`	103	`if [ "$domainName" != "$LDAP_SERVER" ]; then`
96	`echo 'WARN: the common name of the certificate is different from the server domain name'`	104	`echo 'WARN: the common name of the certificate is different from the server domain name'`
97	`fi`	105	`fi`
98	`fi`	106	`fi`
99	`# TODO : convert DER format to PEM ?`	-
100	`cp -f "$cert" $LDAPS_CERT_LOC`	-
101	`chown root:radius $LDAPS_CERT_LOC`	-
102	`chmod 644 $LDAPS_CERT_LOC`	-
103		107
104	`$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE`	108	`$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE`
105	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`	109	`$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE`
106	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`	110	`$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE`
107	`$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE`	111	`$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE`
108	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`	112	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`
109	`$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`	113	`$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE`
110	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`	114	`echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF`
111	`/usr/bin/systemctl restart radiusd.service`	115	`/usr/bin/systemctl restart radiusd.service`
112	`;;`	116	`;;`
113	`--delete-cert)`	117	`--delete-cert)`
114	`[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC`	118	`[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC`
115	`;;`	119	`;;`
116	`--test)`	120	`--test)`
117	`[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'`	121	`[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'`
118	`command -v ldapsearch &>/dev/null \|\| { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }`	122	`command -v ldapsearch &>/dev/null \|\| { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }`
119	`if [ "$LDAP_SSL" == 'on' ]; then`	123	`if [ "$LDAP_SSL" == 'on' ]; then`
120	`protocol='ldaps'`	124	`protocol='ldaps'`
121	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`	125	`[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' \|\| require_cert='never'`
122	`export LDAPTLS_REQCERT="$require_cert"`	126	`export LDAPTLS_REQCERT="$require_cert"`
123	`[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"`	127	`[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"`
124	`else`	128	`else`
125	`protocol='ldap'`	129	`protocol='ldap'`
126	`fi`	130	`fi`
127	`[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" \|\| filter='&'`	131	`[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" \|\| filter='&'`
128	`/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1`	132	`/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1`
129	`;;`	133	`;;`
130	`*)`	134	`*)`
131	`echo "Argument inconnu : $1";`	135	`echo "Argument inconnu : $1";`
132	`echo "$usage"`	136	`echo "$usage"`
133	`exit 1`	137	`exit 1`
134	`;;`	138	`;;`
135	`esac`	139	`esac`
136		140