Attachment #2585 for bug #19430




#!/bin/bash
#
# Univention Join
#  joins a server to an univention domain


export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"

declare -a ADMINOPTIONS
LOGFILE="/var/log/univention/server-join.log"
if [ "$USER" != "root" ]; then
	if [ "$HOME" ]; then
		LOGFILE="$HOME/.univention-server-join.log"
	else
		USERTMP="$(mktemp -d)"
		LOGFILE="$USERTMP/.univention-server-join.log"
	fi
	ADMINOPTIONS+=(--logfile "$LOGFILE")
fi

display_help() {



log() {
	if [ "$1" = 1 ]; then
		shift
		echo "$@"				>>"$LOGFILE"
		echo "$@"

do
	case "$1" in
		"-role")
			ROLE="${2:?missing role}"
			shift 2
			shift
			;;
		"-hostname")
			HOSTNAME="${2:?missing host name}"
			shift 2
			shift
			;;
		"-domainname")
			DOMAINNAME="${2:?missing domain name}"
			shift 2
			shift
			;;
		"-ip")
			IP="${2:?missing IP address}"
			shift 2
			shift
			;;
		"-certs")
			CERTS="${2:?missing certificate}"
			shift 2
			shift
			;;
		"-mac")
			MAC="${2:?missing ethernec MAC address}"
			shift 2
			shift
			;;
		"-bindaccount")
			BINDACCOUNT="${2:?missing account name for bind}"
			shift 2
			shift
			;;
		"-bindpwfile")
			BINDPWFILE="${2:?missing password file for bind}"
			shift 2
			shift
			;;
		"-position")
			POSITION="${2:?missing LDAP position}"
			shift 2
			shift
			;;
		"--version")
			display_version


# extend options for univention-admin
if [ "$BINDACCOUNT" ]; then
	BINDDN="$(ldapsearch -x "(&(uid=$BINDACCOUNT)(objectclass=posixAccount))" dn | ldapsearch-wrapper | sed -ne '^s|dn: ||p')"
	log 0 "found BINDDN: $BINDDN" >>$LOGFILE
	if [ -z "$BINDDN" ]; then
		log 1 "failed to get binddn for $BINDACCOUNT"
		exit 1
	fi
fi

if [ "$BINDDN" ]; then
	ADMINOPTIONS+=(--binddn "$BINDDN")
fi
if [ "$BINDPWFILE" ]; then
	ADMINOPTIONS+=(--bindpw "$(<"$BINDPWFILE")")
fi


eval "$(univention-config-registry shell)"
if [ -z "$ROLE" ]; then
	log 1 "E: 	-role is missing"
	display_help


display_header
create_entry () {
	local desc="${1?:missing description}"
	local module="${2?:missing computer module}"
	local position="${3?:missing LDAP position}"
	local primaryGroup="$4"
	local group="$5"
	log 0 "Join $desc"

	old_dn="$(univention-admin "$module" list --filter name="$HOSTNAME" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne "s|.*DN: ||p")"
	if [ $? = 1 ]; then
		log 1 "E: failed search $desc [$old_dn]"
		exit 1
	fi

	declare -a args
	if [ -z "$old_dn" ]; then
		log 0 "	Create new $desc "

		if [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/managedclient" ]; then
			args+=(--set mac="$MAC" --set dhcpEntryZone="$dhcpEntry")
		elif [ -n "$MAC" -a -n "$dhcpEntry" -a "$module" = "computers/mobileclient" ]; then
			args+=(--set mac="$MAC" --set dhcpEntryZone="$dhcpEntry")
		elif [ -n "$MAC" ]; then
			args+=(--set mac="$MAC")
		fi

		if [ -n "$IP" ]; then
			args+=(--set ip="$IP")
			if [ -n "$forwardZone" ]; then
				args+=(--set dnsEntryZoneForward="$forwardZone")
				if [ -n "$reverseZone" ]; then
					args+=(--set dnsEntryZoneReverse="$reverseZone")
				fi
			fi
		fi

		rc="$(univention-admin "$module" create --position "$position"\
			--set name="$HOSTNAME" \
			--set domain="$DOMAINNAME" \
			--set password="$computerPassword" --set unixhome=/dev/null --set shell=/bin/sh --set primaryGroup="$primaryGroup" "${args[@]}" "${ADMINOPTIONS[@]}")"
		if [ $? -ne 0 ]; then
			log 1 "E: failed to create $desc (1) [$rc]"
			exit 1
		fi

		if [ -z "$rc" ]; then
			log 1 "E: failed to create $desc: no result"
			exit 1
		fi

		ldap_dn="$(echo $rc | sed -ne 's|Object created: ||p')"
		if [ -z "$ldap_dn" ]; then
			log 1 "E: failed to create $desc (2) [$rc]"
			exit 1
		fi

		echo "ldap_dn=\"$ldap_dn\""

		if [ -n "$group" ]; then
			rc="$(univention-admin groups/group modify --dn="$group" --append users="$ldap_dn" "${ADMINOPTIONS[@]}")"
		fi
	else
		log 0 "Modify $desc [$old_dn]"

		if [ -n "$MAC" ]; then
			args+=(--set mac="$MAC")
		fi
		if [ -n "$IP" ]; then
			args+=(--set ip="$IP")
		fi
		rc="$(univention-admin "$module" modify --dn "$old_dn" --set password="$computerPassword" --set domain="$DOMAINNAME" "${args[@]}" "${ADMINOPTIONS[@]}")"

		if [ $? -ne 0 ]; then
			log 1 "E: failed to modify $desc $old_dn [$rc]"
		fi

		echo "ldap_dn=\"$old_dn\" "

	fi


}

if [ -n "$IP" ]; then
	subnet="$(univention-ipcalc --ip "$IP" --netmask "$interfaces_eth0_netmask" --output network --calcdns)"
	log 0 "	Calculated subnet = $subnet"

	forwardZone="$(univention-admin dns/forward_zone list --filter zone="$DOMAINNAME" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne 's/DN: //gp')"
	reverseZone="$(univention-admin dns/reverse_zone list --filter subnet="$subnet" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne 's/DN: //gp')"
	dhcpEntry="$(univention-admin dhcp/service list --filter name="$DOMAINNAME" "${ADMINOPTIONS[@]}" | ldapsearch-wrapper | sed -ne 's/DN: //gp')"

	log 0 "	forwardZone $forwardZone "
	log 0 "	reverseZone $reverseZone "
fi

computerPassword="$(makepasswd --chars=8)"

if [ "$ROLE" = "domaincontroller_master" ]; then
	if [ -n "$POSITION" ]; then

	else
		create_entry "DC Backup" "computers/domaincontroller_backup" "cn=dc,cn=computers,$ldap_base" "cn=DC Backup Hosts,cn=groups,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"
	fi
	kadmin -l add --random-key --use-defaults "ldap/$HOSTNAME.$DOMAINNAME"
elif [ "$ROLE" = "domaincontroller_slave" ]; then
	if [ -n "$POSITION" ]; then
		create_entry "DC Slave" "computers/domaincontroller_slave" "$POSITION" "cn=DC Slave Hosts,cn=groups,$ldap_base"
	else
		create_entry "DC Slave" "computers/domaincontroller_slave" "cn=dc,cn=computers,$ldap_base" "cn=DC Slave Hosts,cn=groups,$ldap_base"
	fi
	kadmin -l add --random-key --use-defaults "ldap/$HOSTNAME.$DOMAINNAME"
elif [ "$ROLE" = "memberserver" ]; then
	if [ -n "$POSITION" ]; then
		create_entry "Member Server" "computers/memberserver" "$POSITION" "cn=Computers,cn=groups,$ldap_base"

(-)debian/control (-1 / +4 lines)

Lines 7-13	Link Here

Package: univention-join

Package: univention-join

Architecture: all

Architecture: all

Depends: univention-config-registry, univention-ssh, ldap-utils, sysutils

Depends: univention-config-registry,

 univention-ssh (>= 2.0.1),

 ldap-utils,

 sysutils

Description: UCS - join domains

Description: UCS - join domains

 This packages allows for the joining of UCS computers to a

 This packages allows for the joining of UCS computers to a

 UCS domain.

 UCS domain.




univention-join (3.0.3-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix spelling (Bug #9861)
  * Fix error test (Bug #16214)
  * Improve check for join status (Bug #19361,#13495,#13497,#18120)

 -- Philipp Hahn <hahn@univention.de>  Thu, 12 Aug 2010 19:38:02 +0200

univention-join (3.0.3-1) unstable; urgency=low

  * For join scripts is an admin account required on DC Backups





export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"

eval "$(univention-config-registry shell)"

display_help() {
	display_header

	echo "**************************************************************************"
	echo "* Message:  $@"
	echo "**************************************************************************"
	if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
		rm -f $DCPWD
	fi
	exit 1
}

USERTMP="$(mktemp -d)"
DCPWD="$USERTMP/dcpwd"
trap "rm -rf '$USERTMP'" EXIT

while [ $# -gt 0 ]
do
	case "$1" in
		"-dcaccount")
			DCACCOUNT="${2:?missing DC master account}"
			shift 2
			shift
			;;
		"-dcpwd")
			dcpwd="${2:?missing DC password file}"
			cp "$dcpwd" "$DCPWD"
			shift 2
			;;
		"--version")
			display_version

		echo -n "Enter DC Master Account : "
		read DCACCOUNT
	fi
	if [ ! -f "$DCPWD" ]; then
		echo -n "Enter DC Master Password: "
		read -s password
		echo -n "$password" >>"$DCPWD"
		echo "$password" >>$DCPWD
		REMOVE_PWD_FILE="1"
		echo ""
		echo ""
	fi

	echo -n "Search LDAP binddn "
	binddn=""
	for i in $(ldapsearch -x -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | sed -ne 's|dn: ||p'); do
		if [ -n "$binddn" ]; then
			failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
		fi

	if [ -z "$binddn" ]; then
		failed_message "binddn for user $DCACCOUNT not found"
	else
		if ! ldapsearch -x -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
		then
			failed_message "Invalid credentials"
		fi
	fi

echo "univention-run-join-scripts started"  >>/var/log/univention/join.log 2>&1
date >>/var/log/univention/join.log 2>&1
echo >>/var/log/univention/join.log 2>&1
if test -d "/usr/lib/univention-install"
then
	for i in /usr/lib/univention-install/*.inst; do
		echo -n "Running ${i##*/}"
		echo "RUNNING ${i##*/} " >>/var/log/univention/join.log

		if ! joinscript_extern_init "$i"; then
			echo -e "\033[60Gskipped (invalid joinscript)"

		fi

		if [ ! "$server_role" = "domaincontroller_master" ] ; then
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
		else
			"$i" >>/var/log/univention/join.log 2>&1
		fi
		RET=$?
		echo "EXITCODE=$RET" >>/var/log/univention/join.log 2>&1

	done
fi

if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
	rm -f $DCPWD
fi

echo >>/var/log/univention/join.log 2>&1
date >>/var/log/univention/join.log 2>&1
echo "univention-run-join-scripts finished"  >>/var/log/univention/join.log 2>&1




#!/bin/bash
#
# Univention Join
#  helper script: checks the join status of the local system


log_error ()
{
	local message="Error: $@"
	echo $message
	echo $message >>"$LOG_FILE"
	exit 1
}
log_warn ()
{
	local message="Warning: $@"
	echo $message
	echo $message >>"$LOG_FILE"
}

echo "Start $0 at $(date)" >>"$LOG_FILE"
eval "$(univention-config-registry shell)"

if [ ! -e /etc/machine.secret ]; then
	log_error "/etc/machine.secret not found"
fi

if ! ldapsearch -x -h "$ldap_master" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
	log_error "ldapsearch -x failed"
fi


if ! ldapsearch -x -ZZ -h "$ldap_master" -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
	log_error "ldapsearch -x -ZZ failed"
fi


	log_error "The system isn't joined yet"
fi

if ! ldapsearch -x -ZZ -D "$ldap_hostdn" -w "$(</etc/machine.secret)" -b "$ldap_base" -s base >>"$LOG_FILE" 2>&1
then
	log_error "localhost ldapsearch failed"
fi

for i in /usr/lib/univention-install/*.inst
do
	unset VERSION
	eval "$(grep -h ^VERSION= "$i")"
	n="${i##*/[0-9][0-9]}"
	n="${n%.inst}"
	if ! grep -Fxq "$n v${VERSION} successful" /usr/lib/univention-install/.index.txt
	then
		log_warn "'$n' is not configured."
		MISSING=1
	fi
done

if [ -n "$MISSING" ]
then
	log_error "Not all install files configured"
fi

echo "Joined successful"
echo "Joined successfully" >>"$LOG_FILE"

exit 0




#!/bin/bash
#
# Univention Join
#  joins a system into a UCS domain


export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin"

eval "$(univention-config-registry shell)"

TYPE=
REMOVE_PWD_FILE=""

USERTMP="$(mktemp -d)"
DCPWD="$USERTMP/dcpwd"
trap "rm -rf '$USERTMP'" EXIT

display_help() {
	display_header
	cat <<-EOL

	echo "univention-join @%@package_version@%@"
}


failed_message () {
	echo ""
	echo ""

	echo "**************************************************************************"
	echo "* Message:  $@"
	echo "**************************************************************************"
	if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
		rm -f $DCPWD
	fi
	exit 1
}

download_host_certificate () {
	echo -n "Download host certificate "
	local HOSTPWD="/etc/machine.secret"
	local HOSTACCOUNT="$hostname\$"
	univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
	univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1
	while [ ! -d "/etc/univention/ssl/$hostname" ] &&  [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; do
		echo -n "."
		sleep 20
		univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
		univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1
	done

	echo -e "\033[60Gdone"

check_ldap_tls_connection () {
	echo -n "Check TLS connection "

	if ! ldapsearch -x -ZZ -s base -h "$DCNAME" dn >/dev/null
	if  [ $? != 0 ]; then
 		failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN."
	fi


do
	case "$1" in
		"-dcname")
			DCNAME="${2:?missing DC master FQDN}"
			shift 2
			shift
			;;
		"-dcaccount")
			DCACCOUNT="${2:?missing DC master account}"
			shift 2
			shift
			;;
		"-dcpwd")
			dcpwd="${2:?missing DC password file}"
			cp "$dcpwd" "$DCPWD"
			shift 2
			;;
		"-ldapbase")
			LDAPBASE="${2:?missing LDAP base}"
			shift 2
			shift
			;;
		"-realm")
			REALM="${2:?missing Kerberos real}"
			shift 2
			shift
			;;
		"-type")
			TYPE="${2:?missing computer role}"
			shift 2
			shift
			;;
		"--version")
			display_version

fi

if [ -z "$DCACCOUNT" ]; then
	echo -n "Enter DC Master Account : "
	read DCACCOUNT
fi
if [ ! -f "$DCPWD" ]; then
	echo -n "Enter DC Master Password: "
	read -s password
	echo -n "$password" >"$DCPWD"
	echo "$password" >>$DCPWD
	REMOVE_PWD_FILE="1"
	echo ""
	echo ""
fi

declare -a args

if [ "$DCACCOUNT" != "root" ]; then
	args+=(-bindaccount "$DCACCOUNT" -bindpwfile "/dev/stdin")
fi

if [ -z "$server_role" ]; then

		echo "try: -type"
		display_help
	else
		server_role="$TYPE"
	fi
fi


	server_role="client"
fi

mac_addr="$(LC_ALL=C /sbin/ifconfig eth0 | sed -ne "s|.*HWaddr ||p")"
if [ -n "$mac_addr" ]; then
	args+=(-mac "$mac_addr")
fi


if [ -z "$DCNAME" ]; then
	echo -n "Search DC Master: "
	if [ "$interfaces_eth0_type" = "dhcp" ]; then
		DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
		if [ -n "$DCNAME" ]; then
			echo -e "\033[60Gdone"
		fi
	else
		for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do
			if [ -z "$i" ]; then continue; fi
			DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')"
			if [ -n "$DCNAME" ]; then
				echo -e "\033[60Gdone"
				echo "domain $domainname" >/etc/resolv.conf


echo -n "Check DC Master: "

if ! ping -c 1 "$DCNAME" >/dev/null 2>&1
then
if [ $? != 0 ]; then
	failed_message "ping to $DCNAME failed"
fi

if ! univention-ssh "$DCPWD" "$DCACCOUNT"@"$DCNAME" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check
then
	failed_message "ssh-login for $DCACCOUNT@$DCNAME failed. Maybe you entered a wrong password."
fi



if [ -z "$LDAPBASE" ]; then
	echo -n "Search ldap/base"
	ldap_base=$(ldapsearch -x -h "$DCNAME" -b "" -s base 'objectclass=*' NamingContexts -LLL | ldapsearch-wrapper | sed -ne 's|namingContexts: ||p')
else
	ldap_base="$LDAPBASE"
fi


echo -n "Search LDAP binddn "
binddn=""
for i in $(ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | sed -ne 's|^dn: ||p'); do
	if [ -n "$binddn" ]; then
		failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn"
	fi

if [ -z "$binddn" ]; then
	failed_message "binddn for user $DCACCOUNT not found"
else
	if ! ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1
	if [ $? != 0 ]; then
		failed_message "Invalid credentials"
	fi
fi

if [ "$server_role" != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then
	failed_message "binddn for user $DCACCOUNT not found"
fi

if [ -x /usr/bin/rdate ]; then
	echo -n "Sync time "
	/usr/bin/rdate "$DCNAME" >/dev/null 2>&1
	echo -e "\033[60Gdone"
fi

if [ -n "$ldap_position" ]; then
	args+=(-position "$ldap_position")
fi

if [ -n "$server_role" ]; then
	if [ -n "$interfaces_eth0_address" ]; then
		args+=(-ip "$interfaces_eth0_address")
	fi
	echo -n "Join Computer Account: "
	univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/share/univention-join/univention-server-join -role "$server_role" -hostname "$hostname" -domainname "$domainname" "${args[@]}" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>/var/log/univention/join.log
	res_message="$(grep uexception "$USERTMP/log" | sed -e 's|.*univention.admin.uexceptions.||'g)"
	univention-ssh $DCPWD $DCACCOUNT@$DCNAME "rm $DCPWD" >>/var/log/univention/join.log 2>&1
	res_message=`echo $res | grep uexception | sed -e 's|.*univention.admin.uexceptions.||'g`
	if [ -z "$res_message" ]; then
		echo -e "\033[60Gdone"
	fi

	failed_message "No server role defined"
fi

if [ -s "$USERTMP/log" ]; then
	echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log

	#try to get password
	pwd="$(sed -ne 's|.*KerberosPasswd="||;s|".*||gp' <"$USERTMP/log")"


	if [ -n "$pwd" ]; then

		if [ -e /etc/machine.secret ]; then
			cat /etc/machine.secret >>/etc/machine.secret.SAVE
		fi

		fromdos /etc/machine.secret
		chmod 600 /etc/machine.secret
		if [ -e /etc/machine.secret.SAVE ]; then
			chmod 600 /etc/machine.secret.SAVE
		fi
	else
		if [ -n "$res_message" ]; then
			failed_message "$res_message"
		else
			failed_message "$(<"$USERTMP/log")"
		fi
	fi

	ldap_dn="$(sed -ne 's|.*ldap_dn="||;s|".*||p' <"$USERTMP/log")"
	if [ -n "$ldap_dn" ]; then
		univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1
	else

fi

if [ -e "/usr/lib/univention-install/.index.txt" ]; then
	mkdir -p /var/univention-join/
	rm -rf /var/univention-join/status
	rm /usr/lib/univention-install/.index.txt
	touch /var/univention-join/status
fi

if [ ! -e "/usr/lib/univention-install/.index.txt" ]; then
	mkdir -p /var/univention-join/
	touch /var/univention-join/status
	ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt
fi


if [ -e "/etc/univention/ssl" ]; then
	mv /etc/univention/ssl "/etc/univention/ssl_$(date +"%y%m%d%H%M")"
	mkdir /etc/univention/ssl
fi

# Stop Notifier
notifier_pid="$(pidof univention-directory-notifier)"
if [ -n "$notifier_pid" -a -e /etc/runit/univention/univention-directory-notifier ]; then
	echo -n "Stopping univention-directory-notifier daemon: "
	/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1
	while ! sv status univention-directory-notifier | grep -q "^down"
	do
		sleep 1
		/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1
		echo -n "."
	done
	echo " done"
fi

# Stop Listener
listener_pid="$(pidof univention-directory-listener)"
if [ -e /etc/runit/univention/univention-directory-listener ]; then
	echo -n "Stopping univention-directory-listener daemon: "
	/etc/init.d/univention-directory-listener stop >/dev/null 2>&1
	while ! sv status univention-directory-listener | grep -q "^down"
	do
		sleep 1
		/etc/init.d/univention-directory-listener stop >/dev/null 2>&1
		echo -n "."
	done
	echo " done"
fi
rm -Rf /var/lib/univention-directory-listener/*

set_kerberos_realm () {
	local DCPWD="${1:?missing DC password file}"
	local DCACCOUNT="${2:?missing DC master account}"
	local DCNAME="${3:?missing DC master FQDN}"
	local realm="$4"
	realm="$4"
	if [ -z "$realm" ]; then
		realm=$(univention-ssh "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/sbin/univention-config-registry get kerberos/realm) >>/var/log/univention/join.log 2>&1
		if [ $? != 0 -o -z "$realm" ]; then
			echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>"
			exit 1

	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi

	echo -n "Sync ldap.secret: "
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap.secret" ]; then
		failed_message "/etc/ldap.secret not found"
	fi
	echo -e "\033[60Gdone"

	echo -n "Sync ldap-backup.secret: "
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1
	if [ ! -e "/etc/ldap-backup.secret" ]; then
		failed_message "/etc/ldap-backup.secret not found"
	fi
	echo -e "\033[60Gdone"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \
		ldap/server/ip="$interfaces_eth0_address" \
		ldap/master="$DCNAME" \
		ldap/server/type=slave \
		>>/var/log/univention/join.log 2>&1


	echo -n "Sync SSL directory: "
	univention-ssh-rsync "$DCPWD" -az "$DCACCOUNT@$DCNAME:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"

	check_ldap_tls_connection

	download_host_certificate

	if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then
		echo "failed to get host certificate"
		failed_message "failed to get host certificate"
	fi

	echo -n "Sync SSL settings: "
	univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" univention-config-registry search --key --non-empty --brief ^ssl/ | sed -e 's/: /=/' | xargs -d '\n' univention-config-registry set


	echo -e "\033[60Gdone"

	echo -n "Restart LDAP Server: "


	#TODO: implement a real sync
	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"


	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	eval "$(univention-config-registry shell)"

	mkdir -p /var/lib/univention-ldap/notify/


	echo -n "0" >/var/lib/univention-ldap/schema/id/id
	chown listener /var/lib/univention-ldap/schema/id/id

	if test -d "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi

			if [ "${i##*/}" = "03univention-directory-listener.inst" ]; then
				if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then
					failed_message "FAILED: failed.ldif exists."
				fi
				univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1
				if [ ! -e /tmp/transaction ]; then
					failed_message " FAILED: failed to copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again."
				fi

				read id < /var/lib/univention-directory-listener/notifier_id
				awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction
				rm /tmp/transaction
				echo "">/var/lib/univention-ldap/replog/replog
			fi


	if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi

	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >/var/log/univention/join.log 2>&1

	echo -e "\033[60Gdone"

	univention-config-registry set \
		ldap/server/name="$hostname.$domainname" \
		ldap/server/ip="$interfaces_eth0_address" \
		ldap/master="$DCNAME" \
		ldap/server/type=slave \
		>>/var/log/univention/join.log 2>&1

	mkdir -p /etc/univention/ssl/ucsCA
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	check_ldap_tls_connection

	download_host_certificate

	if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then
		failed_message "failed to get host certificate"
	fi


	echo -e "\033[60Gdone"

	echo -n "Sync Kerberos settings: "
	univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1
	echo -e "\033[60Gdone"

	mkdir -p /var/lib/univention-ldap/notify/

	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	echo -n "0" >/var/lib/univention-ldap/schema/id/id


	if test -e "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi
			if [ "${i##*/}" = "03univention-directory-listener.inst" ]; then
				if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then
					failed_message "FAILED: failed.ldif exists."
				fi
				if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then
					univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1
					read id < /var/lib/univention-directory-listener/notifier_id
					awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction
					rm /tmp/transaction
					echo "">/var/lib/univention-ldap/replog/replog
				fi


elif [ "$server_role" = "memberserver" ]; then
	mkdir -p /etc/univention/ssl/ucsCA
	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	check_ldap_tls_connection

	download_host_certificate

	univention-config-registry set ldap/master="$DCNAME" >>/var/log/univention/join.log 2>&1
	grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name?"$DCNAME" \
		ldap/master?"$DCNAME" \
		kerberos/adminserver?"$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"

	touch /var/univention-join/joined


	if test -e "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				echo "FAILED: ${i##*/}"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi


	mkdir -p /etc/univention/ssl/ucsCA

	univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then
		univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1
	fi

	check_ldap_tls_connection

	# invalidate the nscd hosts cache
	nscd -i hosts

	univention-config-registry set \
		ldap/server/name="$DCNAME" \
		ldap/master="$DCNAME" \
		kerberos/adminserver="$DCNAME" \
		>>/var/log/univention/join.log 2>&1
	set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM"
	grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf

	touch /var/univention-join/joined
	ln -sf /var/univention-join/joined /usr/share/univention-join/.joined

	univention-config-registry set nsswitch/ldap=yes >>/var/log/univention/join.log 2>&1
	eval "$(univention-config-registry shell)"

	if test -e "/usr/lib/univention-install/"; then
		for i in /usr/lib/univention-install/*.inst; do
			echo -n "Configure ${i##*/} "
			echo "Configure ${i##*/} " >>/var/log/univention/join.log
			"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1
			if [ $? != 0 ]; then
				echo -e "\033[60Gfailed"
				echo "FAILED: ${i##*/}"
				failed_message "FAILED: ${i##*/}"
			else
				echo -e "\033[60Gdone"
			fi

	/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1
fi

if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then
	rm -f $DCPWD
fi

if [ "$interfaces_eth0_type" != "dhcp" ]; then
	univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1
fi

Return to bug 19430