|
1 |
#!/bin/sh |
1 |
#!/bin/bash |
2 |
# |
2 |
# |
3 |
# Univention Join |
3 |
# Univention Join |
4 |
# joins a system into a UCS domain |
4 |
# joins a system into a UCS domain |
|
34 |
|
34 |
|
35 |
export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin" |
35 |
export PATH="$PATH:/sbin:/usr/sbin:/bin:/usr/bin" |
36 |
|
36 |
|
37 |
eval `univention-config-registry shell` |
37 |
eval "$(univention-config-registry shell)" |
38 |
|
38 |
|
39 |
TYPE=0 |
39 |
TYPE= |
40 |
REMOVE_PWD_FILE="" |
|
|
41 |
|
40 |
|
|
|
41 |
USERTMP="$(mktemp -d)" |
42 |
DCPWD="$USERTMP/dcpwd" |
43 |
trap "rm -rf '$USERTMP'" EXIT |
44 |
|
42 |
display_help() { |
45 |
display_help() { |
43 |
display_header |
46 |
display_header |
44 |
cat <<-EOL |
47 |
cat <<-EOL |
|
76 |
echo "univention-join @%@package_version@%@" |
79 |
echo "univention-join @%@package_version@%@" |
77 |
} |
80 |
} |
78 |
|
81 |
|
79 |
|
|
|
80 |
failed_message () { |
82 |
failed_message () { |
81 |
echo "" |
83 |
echo "" |
82 |
echo "" |
84 |
echo "" |
|
86 |
echo "**************************************************************************" |
88 |
echo "**************************************************************************" |
87 |
echo "* Message: $@" |
89 |
echo "* Message: $@" |
88 |
echo "**************************************************************************" |
90 |
echo "**************************************************************************" |
89 |
if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then |
|
|
90 |
rm -f $DCPWD |
91 |
fi |
92 |
exit 1 |
91 |
exit 1 |
93 |
} |
92 |
} |
94 |
|
93 |
|
95 |
download_host_certificate () { |
94 |
download_host_certificate () { |
96 |
echo -n "Download host certificate " |
95 |
echo -n "Download host certificate " |
97 |
HOSTPWD="/etc/machine.secret" |
96 |
local HOSTPWD="/etc/machine.secret" |
98 |
HOSTACCOUNT="$hostname\$" |
97 |
local HOSTACCOUNT="$hostname\$" |
99 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
98 |
univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
100 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
|
|
101 |
while [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; do |
99 |
while [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; do |
102 |
echo -n "." |
100 |
echo -n "." |
103 |
sleep 20 |
101 |
sleep 20 |
104 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
102 |
univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
105 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
|
|
106 |
done |
103 |
done |
107 |
|
104 |
|
108 |
echo -e "\033[60Gdone" |
105 |
echo -e "\033[60Gdone" |
|
111 |
check_ldap_tls_connection () { |
108 |
check_ldap_tls_connection () { |
112 |
echo -n "Check TLS connection " |
109 |
echo -n "Check TLS connection " |
113 |
|
110 |
|
114 |
ldapsearch -x -ZZ -s base -h "$DCNAME" dn >/dev/null |
111 |
if ! ldapsearch -x -ZZ -s base -h "$DCNAME" dn >/dev/null |
115 |
if [ $? != 0 ]; then |
|
|
116 |
failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." |
112 |
failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." |
117 |
fi |
113 |
fi |
118 |
|
114 |
|
|
123 |
do |
119 |
do |
124 |
case "$1" in |
120 |
case "$1" in |
125 |
"-dcname") |
121 |
"-dcname") |
126 |
shift |
122 |
DCNAME="${2:?missing DC master FQDN}" |
127 |
DCNAME=$1 |
123 |
shift 2 |
128 |
shift |
|
|
129 |
;; |
124 |
;; |
130 |
"-dcaccount") |
125 |
"-dcaccount") |
131 |
shift |
126 |
DCACCOUNT="${2:?missing DC master account}" |
132 |
DCACCOUNT=$1 |
127 |
shift 2 |
133 |
shift |
|
|
134 |
;; |
128 |
;; |
135 |
"-dcpwd") |
129 |
"-dcpwd") |
136 |
shift |
130 |
dcpwd="${2:?missing DC password file}" |
137 |
DCPWD=$1 |
131 |
cp "$dcpwd" "$DCPWD" |
138 |
shift |
132 |
shift 2 |
139 |
;; |
133 |
;; |
140 |
"-ldapbase") |
134 |
"-ldapbase") |
141 |
shift |
135 |
LDAPBASE="${2:?missing LDAP base}" |
142 |
LDAPBASE="$1" |
136 |
shift 2 |
143 |
shift |
|
|
144 |
;; |
137 |
;; |
145 |
"-realm") |
138 |
"-realm") |
146 |
shift |
139 |
REALM="${2:?missing Kerberos real}" |
147 |
REALM="$1" |
140 |
shift 2 |
148 |
shift |
|
|
149 |
;; |
141 |
;; |
150 |
"-type") |
142 |
"-type") |
151 |
shift |
143 |
TYPE="${2:?missing computer role}" |
152 |
TYPE=$1 |
144 |
shift 2 |
153 |
shift |
|
|
154 |
;; |
145 |
;; |
155 |
"--version") |
146 |
"--version") |
156 |
display_version |
147 |
display_version |
|
171 |
fi |
162 |
fi |
172 |
|
163 |
|
173 |
if [ -z "$DCACCOUNT" ]; then |
164 |
if [ -z "$DCACCOUNT" ]; then |
174 |
echo -n "Insert DC Master Account : " |
165 |
echo -n "Enter DC Master Account : " |
175 |
read DCACCOUNT |
166 |
read DCACCOUNT |
176 |
fi |
167 |
fi |
177 |
if [ -z "$DCPWD" ]; then |
168 |
if [ ! -f "$DCPWD" ]; then |
178 |
echo -n "Insert DC Master Password: " |
169 |
echo -n "Enter DC Master Password: " |
179 |
read -s password |
170 |
read -s password |
180 |
DCPWD=`mktemp` |
171 |
echo -n "$password" >"$DCPWD" |
181 |
echo "$password" >>$DCPWD |
|
|
182 |
REMOVE_PWD_FILE="1" |
183 |
echo "" |
172 |
echo "" |
184 |
echo "" |
173 |
echo "" |
185 |
fi |
174 |
fi |
186 |
|
175 |
|
|
|
176 |
declare -a args |
177 |
|
187 |
if [ "$DCACCOUNT" != "root" ]; then |
178 |
if [ "$DCACCOUNT" != "root" ]; then |
188 |
auth_cmd="-bindaccount \"$DCACCOUNT\" -bindpwfile \"$DCPWD\"" |
179 |
args+=(-bindaccount "$DCACCOUNT" -bindpwfile "/dev/stdin") |
189 |
fi |
180 |
fi |
190 |
|
181 |
|
191 |
if [ -z "$server_role" ]; then |
182 |
if [ -z "$server_role" ]; then |
|
193 |
echo "try: -type" |
184 |
echo "try: -type" |
194 |
display_help |
185 |
display_help |
195 |
else |
186 |
else |
196 |
server_role=$TYPE |
187 |
server_role="$TYPE" |
197 |
fi |
188 |
fi |
198 |
fi |
189 |
fi |
199 |
|
190 |
|
|
201 |
server_role="client" |
192 |
server_role="client" |
202 |
fi |
193 |
fi |
203 |
|
194 |
|
204 |
mac_addr=`/sbin/ifconfig eth0 | grep HWaddr | sed -e "s|.*HWaddr ||"` |
195 |
mac_addr="$(LC_ALL=C /sbin/ifconfig eth0 | sed -ne "s|.*HWaddr ||p")" |
205 |
if [ -n "$mac_addr" ]; then |
196 |
if [ -n "$mac_addr" ]; then |
206 |
mac_cmd="-mac $mac_addr" |
197 |
args+=(-mac "$mac_addr") |
207 |
fi |
198 |
fi |
208 |
|
199 |
|
209 |
|
200 |
|
210 |
if [ -z "$DCNAME" ]; then |
201 |
if [ -z "$DCNAME" ]; then |
211 |
echo -n "Search DC Master: " |
202 |
echo -n "Search DC Master: " |
212 |
if [ "$interfaces_eth0_type" = "dhcp" ]; then |
203 |
if [ "$interfaces_eth0_type" = "dhcp" ]; then |
213 |
DCNAME=`host -t SRV _domaincontroller_master._tcp.$domainname | grep -v "not found" | grep -v "reached" | tail -1 | sed -e 's|.* ||g' | sed -e 's|\.$||'` |
204 |
DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" |
214 |
if [ -n "$DCNAME" ]; then |
205 |
if [ -n "$DCNAME" ]; then |
215 |
echo -e "\033[60Gdone" |
206 |
echo -e "\033[60Gdone" |
216 |
fi |
207 |
fi |
217 |
else |
208 |
else |
218 |
for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do |
209 |
for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do |
219 |
if [ -z "$i" ]; then continue; fi |
210 |
if [ -z "$i" ]; then continue; fi |
220 |
DCNAME=`host -t SRV _domaincontroller_master._tcp.$domainname $i | grep -v "not found" | grep -v "reached" | tail -1 | sed -e 's|.* ||g' | sed -e 's|\.$||'` |
211 |
DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" |
221 |
if [ -n "$DCNAME" ]; then |
212 |
if [ -n "$DCNAME" ]; then |
222 |
echo -e "\033[60Gdone" |
213 |
echo -e "\033[60Gdone" |
223 |
echo "domain $domainname" >/etc/resolv.conf |
214 |
echo "domain $domainname" >/etc/resolv.conf |
|
236 |
|
227 |
|
237 |
echo -n "Check DC Master: " |
228 |
echo -n "Check DC Master: " |
238 |
|
229 |
|
239 |
ping -c 1 $DCNAME >/dev/null 2>&1 |
230 |
if ! ping -c 1 "$DCNAME" >/dev/null 2>&1 |
240 |
|
231 |
then |
241 |
if [ $? != 0 ]; then |
|
|
242 |
failed_message "ping to $DCNAME failed" |
232 |
failed_message "ping to $DCNAME failed" |
243 |
fi |
233 |
fi |
244 |
|
234 |
|
245 |
univention-ssh "$DCPWD" "$DCACCOUNT"@"$DCNAME" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check |
235 |
if ! univention-ssh "$DCPWD" "$DCACCOUNT"@"$DCNAME" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check |
246 |
if [ $? != 0 ]; then |
236 |
then |
247 |
failed_message "ssh-login for $DCACCOUNT@$DCNAME failed. Maybe you entered a wrong password." |
237 |
failed_message "ssh-login for $DCACCOUNT@$DCNAME failed. Maybe you entered a wrong password." |
248 |
fi |
238 |
fi |
249 |
|
239 |
|
|
257 |
|
247 |
|
258 |
if [ -z "$LDAPBASE" ]; then |
248 |
if [ -z "$LDAPBASE" ]; then |
259 |
echo -n "Search ldap/base" |
249 |
echo -n "Search ldap/base" |
260 |
ldap_base=`ldapsearch -x -h $DCNAME -b "" -s base 'objectclass=*' NamingContexts -LLL | grep namingContexts | sed -e 's|namingContexts: ||'` |
250 |
ldap_base=$(ldapsearch -x -h "$DCNAME" -b "" -s base 'objectclass=*' NamingContexts -LLL | ldapsearch-wrapper | sed -ne 's|namingContexts: ||p') |
261 |
else |
251 |
else |
262 |
ldap_base="$LDAPBASE" |
252 |
ldap_base="$LDAPBASE" |
263 |
fi |
253 |
fi |
|
272 |
|
262 |
|
273 |
echo -n "Search LDAP binddn " |
263 |
echo -n "Search LDAP binddn " |
274 |
binddn="" |
264 |
binddn="" |
275 |
for i in `ldapsearch -x -h $DCNAME -LLL -b $ldap_base "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | grep ^dn | sed -e 's|dn: ||'`; do |
265 |
for i in $(ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | sed -ne 's|^dn: ||p'); do |
276 |
if [ -n "$binddn" ]; then |
266 |
if [ -n "$binddn" ]; then |
277 |
failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn" |
267 |
failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn" |
278 |
fi |
268 |
fi |
|
282 |
if [ -z "$binddn" ]; then |
272 |
if [ -z "$binddn" ]; then |
283 |
failed_message "binddn for user $DCACCOUNT not found" |
273 |
failed_message "binddn for user $DCACCOUNT not found" |
284 |
else |
274 |
else |
285 |
ldapsearch -x -h $DCNAME -LLL -b "$ldap_base" -D "$binddn" -w `cat $DCPWD` -LLL -s base >/dev/null 2>&1 |
275 |
if ! ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1 |
286 |
if [ $? != 0 ]; then |
|
|
287 |
failed_message "Invalid credentials" |
276 |
failed_message "Invalid credentials" |
288 |
fi |
277 |
fi |
289 |
fi |
278 |
fi |
290 |
|
279 |
|
291 |
if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then |
280 |
if [ "$server_role" != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then |
292 |
failed_message "binddn for user $DCACCOUNT not found" |
281 |
failed_message "binddn for user $DCACCOUNT not found" |
293 |
fi |
282 |
fi |
294 |
|
283 |
|
295 |
if [ -x /usr/bin/rdate ]; then |
284 |
if [ -x /usr/bin/rdate ]; then |
296 |
echo -n "Sync time " |
285 |
echo -n "Sync time " |
297 |
/usr/bin/rdate $DCNAME >/dev/null 2>&1 |
286 |
/usr/bin/rdate "$DCNAME" >/dev/null 2>&1 |
298 |
echo -e "\033[60Gdone" |
287 |
echo -e "\033[60Gdone" |
299 |
fi |
288 |
fi |
300 |
|
289 |
|
301 |
if [ -n "$ldap_position" ]; then |
290 |
if [ -n "$ldap_position" ]; then |
302 |
position_cmd="-position \"$ldap_position\"" |
291 |
args+=(-position "$ldap_position") |
303 |
fi |
292 |
fi |
304 |
|
293 |
|
305 |
if [ -n "$server_role" ]; then |
294 |
if [ -n "$server_role" ]; then |
306 |
if [ -n "$interfaces_eth0_address" ]; then |
295 |
if [ -n "$interfaces_eth0_address" ]; then |
307 |
ip_cmd="-ip $interfaces_eth0_address" |
296 |
args+=(-ip "$interfaces_eth0_address") |
308 |
fi |
297 |
fi |
309 |
echo -n "Join Computer Account: " |
298 |
echo -n "Join Computer Account: " |
310 |
univention-scp "$DCPWD" "$DCPWD" "$DCACCOUNT@$DCNAME:$DCPWD" >>/var/log/univention/join.log 2>&1 |
299 |
univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/share/univention-join/univention-server-join -role "$server_role" -hostname "$hostname" -domainname "$domainname" "${args[@]}" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>/var/log/univention/join.log |
311 |
res=`univention-ssh $DCPWD $DCACCOUNT@$DCNAME /usr/share/univention-join/univention-server-join -role $server_role -hostname $hostname -domainname $domainname $ip_cmd $mac_cmd $position_cmd $auth_cmd 2>>/var/log/univention/join.log` |
300 |
res_message="$(grep uexception "$USERTMP/log" | sed -e 's|.*univention.admin.uexceptions.||'g)" |
312 |
univention-ssh $DCPWD $DCACCOUNT@$DCNAME "rm $DCPWD" >>/var/log/univention/join.log 2>&1 |
|
|
313 |
res_message=`echo $res | grep uexception | sed -e 's|.*univention.admin.uexceptions.||'g` |
314 |
if [ -z "$res_message" ]; then |
301 |
if [ -z "$res_message" ]; then |
315 |
echo -e "\033[60Gdone" |
302 |
echo -e "\033[60Gdone" |
316 |
fi |
303 |
fi |
|
318 |
failed_message "No server role defined" |
305 |
failed_message "No server role defined" |
319 |
fi |
306 |
fi |
320 |
|
307 |
|
321 |
if [ -n "$res" ]; then |
308 |
if [ -s "$USERTMP/log" ]; then |
322 |
echo "Join result = [$res]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log |
309 |
echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log |
323 |
|
310 |
|
324 |
#try to get password |
311 |
#try to get password |
325 |
pwd=`echo $res | grep -i KerberosPasswd | sed -e 's|.*KerberosPasswd="||;s|".*||g'` |
312 |
pwd="$(sed -ne 's|.*KerberosPasswd="||;s|".*||gp' <"$USERTMP/log")" |
326 |
|
313 |
|
327 |
|
|
|
328 |
if [ -n "$pwd" ]; then |
314 |
if [ -n "$pwd" ]; then |
329 |
|
|
|
330 |
if [ -e /etc/machine.secret ]; then |
315 |
if [ -e /etc/machine.secret ]; then |
331 |
cat /etc/machine.secret >>/etc/machine.secret.SAVE |
316 |
cat /etc/machine.secret >>/etc/machine.secret.SAVE |
332 |
fi |
317 |
fi |
|
335 |
fromdos /etc/machine.secret |
320 |
fromdos /etc/machine.secret |
336 |
chmod 600 /etc/machine.secret |
321 |
chmod 600 /etc/machine.secret |
337 |
if [ -e /etc/machine.secret.SAVE ]; then |
322 |
if [ -e /etc/machine.secret.SAVE ]; then |
338 |
chmod 600 /etc/machine.secret.SAVE |
323 |
chmod 600 /etc/machine.secret.SAVE |
339 |
fi |
324 |
fi |
340 |
else |
325 |
else |
341 |
if [ -n "$res_message" ]; then |
326 |
if [ -n "$res_message" ]; then |
342 |
failed_message "$res_message" |
327 |
failed_message "$res_message" |
343 |
else |
328 |
else |
344 |
failed_message "$res" |
329 |
failed_message "$(<"$USERTMP/log")" |
345 |
fi |
330 |
fi |
346 |
fi |
331 |
fi |
347 |
|
332 |
|
348 |
ldap_dn="`echo $res | grep ldap_dn | sed -e 's|.*ldap_dn="||;s|".*||'`" |
333 |
ldap_dn="$(sed -ne 's|.*ldap_dn="||;s|".*||p' <"$USERTMP/log")" |
349 |
if [ -n "$ldap_dn" ]; then |
334 |
if [ -n "$ldap_dn" ]; then |
350 |
univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1 |
335 |
univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1 |
351 |
else |
336 |
else |
|
357 |
fi |
342 |
fi |
358 |
|
343 |
|
359 |
if [ -e "/usr/lib/univention-install/.index.txt" ]; then |
344 |
if [ -e "/usr/lib/univention-install/.index.txt" ]; then |
360 |
mkdir -p /var/univention-join/ |
345 |
mkdir -p /var/univention-join/ |
361 |
rm -rf /var/univention-join/status |
346 |
rm -rf /var/univention-join/status |
362 |
rm /usr/lib/univention-install/.index.txt |
347 |
rm /usr/lib/univention-install/.index.txt |
363 |
touch /var/univention-join/status |
348 |
touch /var/univention-join/status |
364 |
fi |
349 |
fi |
365 |
|
350 |
|
366 |
if [ ! -e "/usr/lib/univention-install/.index.txt" ]; then |
351 |
if [ ! -e "/usr/lib/univention-install/.index.txt" ]; then |
367 |
mkdir -p /var/univention-join/ |
352 |
mkdir -p /var/univention-join/ |
368 |
touch /var/univention-join/status |
353 |
touch /var/univention-join/status |
369 |
ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt |
354 |
ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt |
370 |
fi |
355 |
fi |
371 |
|
356 |
|
372 |
|
357 |
|
373 |
if [ -e "/etc/univention/ssl" ]; then |
358 |
if [ -e "/etc/univention/ssl" ]; then |
374 |
mv /etc/univention/ssl "/etc/univention/ssl_`date +"%y%m%d%H%M"`" |
359 |
mv /etc/univention/ssl "/etc/univention/ssl_$(date +"%y%m%d%H%M")" |
375 |
mkdir /etc/univention/ssl |
360 |
mkdir /etc/univention/ssl |
376 |
fi |
361 |
fi |
377 |
|
362 |
|
378 |
# Stop Notifier |
363 |
# Stop Notifier |
379 |
notifier_pid=`pidof univention-directory-notifier` |
364 |
notifier_pid="$(pidof univention-directory-notifier)" |
380 |
if [ -n "$notifier_pid" -a -e /etc/runit/univention/univention-directory-notifier ]; then |
365 |
if [ -n "$notifier_pid" -a -e /etc/runit/univention/univention-directory-notifier ]; then |
381 |
echo -n "Stopping univention-directory-notifier daemon: " |
366 |
echo -n "Stopping univention-directory-notifier daemon: " |
382 |
/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1 |
367 |
/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1 |
383 |
while ! sv status univention-directory-notifier | grep "^down" >/dev/null ; do sleep 1; /etc/init.d/univention-directory-notifier stop >/dev/null 2>&1; echo -n "." ;done; echo "" done |
368 |
while ! sv status univention-directory-notifier | grep -q "^down" |
|
|
369 |
do |
370 |
sleep 1 |
371 |
/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1 |
372 |
echo -n "." |
373 |
done |
374 |
echo " done" |
384 |
fi |
375 |
fi |
385 |
|
376 |
|
386 |
# Stop Listener |
377 |
# Stop Listener |
387 |
listener_pid=`pidof univention-directory-listener` |
378 |
listener_pid="$(pidof univention-directory-listener)" |
388 |
if [ -e /etc/runit/univention/univention-directory-listener ]; then |
379 |
if [ -e /etc/runit/univention/univention-directory-listener ]; then |
389 |
echo -n "Stopping univention-directory-listener daemon: " |
380 |
echo -n "Stopping univention-directory-listener daemon: " |
390 |
/etc/init.d/univention-directory-listener stop >/dev/null 2>&1 |
381 |
/etc/init.d/univention-directory-listener stop >/dev/null 2>&1 |
391 |
while ! sv status univention-directory-listener | grep "^down" >/dev/null ; do sleep 1; /etc/init.d/univention-directory-listener stop >/dev/null 2>&1; echo -n "." ;done; echo "" done |
382 |
while ! sv status univention-directory-listener | grep -q "^down" |
|
|
383 |
do |
384 |
sleep 1 |
385 |
/etc/init.d/univention-directory-listener stop >/dev/null 2>&1 |
386 |
echo -n "." |
387 |
done |
388 |
echo " done" |
392 |
fi |
389 |
fi |
393 |
rm -Rf /var/lib/univention-directory-listener/* |
390 |
rm -Rf /var/lib/univention-directory-listener/* |
394 |
|
391 |
|
395 |
set_kerberos_realm () |
392 |
set_kerberos_realm () { |
396 |
{ |
393 |
local DCPWD="${1:?missing DC password file}" |
397 |
DCPWD="$1" |
394 |
local DCACCOUNT="${2:?missing DC master account}" |
398 |
DCACCOUNT="$2" |
395 |
local DCNAME="${3:?missing DC master FQDN}" |
399 |
DCNAME="$3" |
396 |
local realm="$4" |
400 |
realm="$4" |
|
|
401 |
if [ -z "$realm" ]; then |
397 |
if [ -z "$realm" ]; then |
402 |
realm=$(univention-ssh $DCPWD $DCACCOUNT@$DCNAME /usr/sbin/univention-config-registry get kerberos/realm | sed -e 's, ,,g' | grep [A-Za-z0-9] ) >>/var/log/univention/join.log 2>&1 |
398 |
realm=$(univention-ssh "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/sbin/univention-config-registry get kerberos/realm) >>/var/log/univention/join.log 2>&1 |
403 |
if [ $? != 0 -o -z "$realm" ]; then |
399 |
if [ $? != 0 -o -z "$realm" ]; then |
404 |
echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>" |
400 |
echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>" |
405 |
exit 1 |
401 |
exit 1 |
|
414 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
410 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
415 |
|
411 |
|
416 |
echo -n "Sync ldap.secret: " |
412 |
echo -n "Sync ldap.secret: " |
417 |
univention-scp $DCPWD $DCACCOUNT@$DCNAME:/etc/ldap.secret /etc/ldap.secret >>/var/log/univention/join.log 2>&1 |
413 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1 |
418 |
if [ ! -e "/etc/ldap.secret" ]; then |
414 |
if [ ! -e "/etc/ldap.secret" ]; then |
419 |
failed_message "/etc/ldap.secret not found" |
415 |
failed_message "/etc/ldap.secret not found" |
420 |
fi |
416 |
fi |
421 |
echo -e "\033[60Gdone" |
417 |
echo -e "\033[60Gdone" |
422 |
|
418 |
|
423 |
echo -n "Sync ldap-backup.secret: " |
419 |
echo -n "Sync ldap-backup.secret: " |
424 |
univention-scp $DCPWD $DCACCOUNT@$DCNAME:/etc/ldap-backup.secret /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 |
420 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 |
425 |
if [ ! -e "/etc/ldap-backup.secret" ]; then |
421 |
if [ ! -e "/etc/ldap-backup.secret" ]; then |
426 |
failed_message "/etc/ldap-backup.secret not found" |
422 |
failed_message "/etc/ldap-backup.secret not found" |
427 |
fi |
423 |
fi |
428 |
echo -e "\033[60Gdone" |
424 |
echo -e "\033[60Gdone" |
429 |
|
425 |
|
430 |
univention-config-registry set ldap/server/name=$hostname.$domainname >>/var/log/univention/join.log 2>&1 |
426 |
univention-config-registry set \ |
431 |
univention-config-registry set ldap/server/ip=$interfaces_eth0_address >>/var/log/univention/join.log 2>&1 |
427 |
ldap/server/name="$hostname.$domainname" \ |
432 |
univention-config-registry set ldap/master=$DCNAME >>/var/log/univention/join.log 2>&1 |
428 |
ldap/server/ip="$interfaces_eth0_address" \ |
433 |
univention-config-registry set ldap/server/type=slave >>/var/log/univention/join.log 2>&1 |
429 |
ldap/master="$DCNAME" \ |
|
|
430 |
ldap/server/type=slave \ |
431 |
>>/var/log/univention/join.log 2>&1 |
434 |
|
432 |
|
435 |
|
433 |
|
436 |
echo -n "Sync SSL directory: " |
434 |
echo -n "Sync SSL directory: " |
437 |
univention-ssh-rsync $DCPWD -az -e ssh $DCACCOUNT@$DCNAME:/etc/univention/ssl/* /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
435 |
univention-ssh-rsync "$DCPWD" -az "$DCACCOUNT@$DCNAME:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
438 |
echo -e "\033[60Gdone" |
436 |
echo -e "\033[60Gdone" |
439 |
|
437 |
|
440 |
check_ldap_tls_connection |
438 |
check_ldap_tls_connection |
441 |
|
439 |
|
442 |
download_host_certificate |
440 |
download_host_certificate |
443 |
|
441 |
|
444 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
442 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
445 |
echo "failed to get host certificate" |
443 |
echo "failed to get host certificate" |
446 |
failed_message "failed to get host certificate" |
444 |
failed_message "failed to get host certificate" |
447 |
fi |
445 |
fi |
448 |
|
446 |
|
449 |
echo -n "Sync SSL settings: " |
447 |
echo -n "Sync SSL settings: " |
450 |
eval `echo univention-config-registry set \` univention-ssh $DCPWD $DCACCOUNT@$DCNAME /usr/sbin/univention-config-registry dump ssl/common ssl/country ssl/email ssl/locality ssl/organization ssl/organizationalunit ssl/state | grep ^ssl| sed -e 's|: |="|' \`` >>/var/log/univention/join.log 2>&1 |
448 |
univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" univention-config-registry search --key --non-empty --brief ^ssl/ | sed -e 's/: /=/' | xargs -d '\n' univention-config-registry set |
451 |
|
|
|
452 |
|
453 |
echo -e "\033[60Gdone" |
449 |
echo -e "\033[60Gdone" |
454 |
|
450 |
|
455 |
echo -n "Restart LDAP Server: " |
451 |
echo -n "Restart LDAP Server: " |
|
458 |
|
454 |
|
459 |
#TODO: implement a real sync |
455 |
#TODO: implement a real sync |
460 |
echo -n "Sync Kerberos settings: " |
456 |
echo -n "Sync Kerberos settings: " |
461 |
univention-scp $DCPWD -r $DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/* /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 |
457 |
univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 |
462 |
echo -e "\033[60Gdone" |
458 |
echo -e "\033[60Gdone" |
463 |
|
459 |
|
464 |
|
460 |
|
465 |
# invalidate the nscd hosts cache |
461 |
# invalidate the nscd hosts cache |
466 |
nscd -i hosts |
462 |
nscd -i hosts |
467 |
|
463 |
|
468 |
univention-config-registry set ldap/server/name?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
464 |
univention-config-registry set \ |
469 |
univention-config-registry set ldap/master?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
465 |
ldap/server/name?"$DCNAME" \ |
470 |
univention-config-registry set kerberos/adminserver?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
466 |
ldap/master?"$DCNAME" \ |
|
|
467 |
kerberos/adminserver?"$DCNAME" \ |
468 |
>>/var/log/univention/join.log 2>&1 |
471 |
|
469 |
|
472 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
470 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
473 |
|
471 |
|
474 |
eval `univention-config-registry shell` |
472 |
eval "$(univention-config-registry shell)" |
475 |
|
473 |
|
476 |
mkdir -p /var/lib/univention-ldap/notify/ |
474 |
mkdir -p /var/lib/univention-ldap/notify/ |
477 |
|
475 |
|
|
481 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
479 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
482 |
chown listener /var/lib/univention-ldap/schema/id/id |
480 |
chown listener /var/lib/univention-ldap/schema/id/id |
483 |
|
481 |
|
484 |
if test -e "/usr/lib/univention-install/"; then |
482 |
if test -d "/usr/lib/univention-install/"; then |
485 |
for i in /usr/lib/univention-install/*.inst; do |
483 |
for i in /usr/lib/univention-install/*.inst; do |
486 |
echo -n "Configure `basename $i` " |
484 |
echo -n "Configure ${i##*/} " |
487 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
485 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
488 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
486 |
"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
489 |
if [ $? != 0 ]; then |
487 |
if [ $? != 0 ]; then |
490 |
echo -e "\033[60Gfailed" |
488 |
echo -e "\033[60Gfailed" |
491 |
failed_message "FAILED: `basename $i`" |
489 |
failed_message "FAILED: ${i##*/}" |
492 |
else |
490 |
else |
493 |
echo -e "\033[60Gdone" |
491 |
echo -e "\033[60Gdone" |
494 |
fi |
492 |
fi |
495 |
|
493 |
|
496 |
if [ "`basename $i`" = "03univention-directory-listener.inst" ]; then |
494 |
if [ "${i##*/}" = "03univention-directory-listener.inst" ]; then |
497 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
495 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
498 |
failed_message "FAILED: failed.ldif exists." |
496 |
failed_message "FAILED: failed.ldif exists." |
499 |
fi |
497 |
fi |
500 |
univention-scp $DCPWD -r $DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction /tmp/ >/dev/null 2>&1 |
498 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1 |
501 |
if [ ! -e /tmp/transaction ]; then |
499 |
if [ ! -e /tmp/transaction ]; then |
502 |
failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." |
500 |
failed_message " FAILED: failed to copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." |
503 |
fi |
501 |
fi |
504 |
|
502 |
|
505 |
id=`cat /var/lib/univention-directory-listener/notifier_id` |
503 |
read id < /var/lib/univention-directory-listener/notifier_id |
506 |
cat /tmp/transaction | awk -F ' ' '{ if ( $1 <= '$id') print }' >/var/lib/univention-ldap/notify/transaction |
504 |
awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction |
507 |
rm /tmp/transaction |
505 |
rm /tmp/transaction |
508 |
echo "">/var/lib/univention-ldap/replog/replog |
506 |
echo "">/var/lib/univention-ldap/replog/replog |
509 |
fi |
507 |
fi |
|
517 |
|
515 |
|
518 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
516 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
519 |
|
517 |
|
520 |
univention-scp $DCPWD "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1 |
518 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >/var/log/univention/join.log 2>&1 |
521 |
|
519 |
|
522 |
echo -e "\033[60Gdone" |
520 |
echo -e "\033[60Gdone" |
523 |
|
521 |
|
524 |
univention-config-registry set ldap/server/name=$hostname.$domainname >>/var/log/univention/join.log 2>&1 |
522 |
univention-config-registry set \ |
525 |
univention-config-registry set ldap/server/ip=$interfaces_eth0_address >>/var/log/univention/join.log 2>&1 |
523 |
ldap/server/name="$hostname.$domainname" \ |
526 |
univention-config-registry set ldap/master=$DCNAME >>/var/log/univention/join.log 2>&1 |
524 |
ldap/server/ip="$interfaces_eth0_address" \ |
527 |
univention-config-registry set ldap/server/type=slave >>/var/log/univention/join.log 2>&1 |
525 |
ldap/master="$DCNAME" \ |
|
|
526 |
ldap/server/type=slave \ |
527 |
>>/var/log/univention/join.log 2>&1 |
528 |
|
528 |
|
529 |
mkdir -p /etc/univention/ssl/ucsCA |
529 |
mkdir -p /etc/univention/ssl/ucsCA |
530 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
530 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
531 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
531 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
532 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
532 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
533 |
fi |
533 |
fi |
534 |
|
534 |
|
535 |
check_ldap_tls_connection |
535 |
check_ldap_tls_connection |
536 |
|
536 |
|
537 |
download_host_certificate |
537 |
download_host_certificate |
538 |
|
538 |
|
539 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
539 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
540 |
failed_message "failed to get host certificate" |
540 |
failed_message "failed to get host certificate" |
541 |
fi |
541 |
fi |
542 |
|
542 |
|
|
545 |
echo -e "\033[60Gdone" |
545 |
echo -e "\033[60Gdone" |
546 |
|
546 |
|
547 |
echo -n "Sync Kerberos settings: " |
547 |
echo -n "Sync Kerberos settings: " |
548 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/* /var/lib/heimdal-kdc/" >>/var/log/univention/join.log 2>&1 |
548 |
univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 |
549 |
echo -e "\033[60Gdone" |
549 |
echo -e "\033[60Gdone" |
550 |
|
550 |
|
551 |
mkdir -p /var/lib/univention-ldap/notify/ |
551 |
mkdir -p /var/lib/univention-ldap/notify/ |
|
553 |
# invalidate the nscd hosts cache |
553 |
# invalidate the nscd hosts cache |
554 |
nscd -i hosts |
554 |
nscd -i hosts |
555 |
|
555 |
|
556 |
univention-config-registry set ldap/server/name?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
556 |
univention-config-registry set \ |
557 |
univention-config-registry set ldap/master?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
557 |
ldap/server/name?"$DCNAME" \ |
558 |
univention-config-registry set kerberos/adminserver?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
558 |
ldap/master?"$DCNAME" \ |
|
|
559 |
kerberos/adminserver?"$DCNAME" \ |
560 |
>>/var/log/univention/join.log 2>&1 |
559 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
561 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
560 |
|
562 |
|
561 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
563 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
|
566 |
|
568 |
|
567 |
if test -e "/usr/lib/univention-install/"; then |
569 |
if test -e "/usr/lib/univention-install/"; then |
568 |
for i in /usr/lib/univention-install/*.inst; do |
570 |
for i in /usr/lib/univention-install/*.inst; do |
569 |
echo -n "Configure `basename $i` " |
571 |
echo -n "Configure ${i##*/} " |
570 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
572 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
571 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
573 |
"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
572 |
if [ $? != 0 ]; then |
574 |
if [ $? != 0 ]; then |
573 |
echo -e "\033[60Gfailed" |
575 |
echo -e "\033[60Gfailed" |
574 |
failed_message "FAILED: `basename $i`" |
576 |
failed_message "FAILED: ${i##*/}" |
575 |
else |
577 |
else |
576 |
echo -e "\033[60Gdone" |
578 |
echo -e "\033[60Gdone" |
577 |
fi |
579 |
fi |
578 |
if [ "`basename $i`" = "03univention-directory-listener.inst" ]; then |
580 |
if [ "${i##*/}" = "03univention-directory-listener.inst" ]; then |
579 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
581 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
580 |
failed_message "FAILED: failed.ldif exists." |
582 |
failed_message "FAILED: failed.ldif exists." |
581 |
fi |
583 |
fi |
582 |
if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then |
584 |
if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then |
583 |
univention-scp $DCPWD -r $DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction /tmp/ >/dev/null 2>&1 |
585 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1 |
584 |
id=`cat /var/lib/univention-directory-listener/notifier_id` |
586 |
read id < /var/lib/univention-directory-listener/notifier_id |
585 |
cat /tmp/transaction | awk -F ' ' '{ if ( $1 <= '$id') print }' >/var/lib/univention-ldap/notify/transaction |
587 |
awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction |
586 |
rm /tmp/transaction |
588 |
rm /tmp/transaction |
587 |
echo "">/var/lib/univention-ldap/replog/replog |
589 |
echo "">/var/lib/univention-ldap/replog/replog |
588 |
fi |
590 |
fi |
|
593 |
|
595 |
|
594 |
elif [ "$server_role" = "memberserver" ]; then |
596 |
elif [ "$server_role" = "memberserver" ]; then |
595 |
mkdir -p /etc/univention/ssl/ucsCA |
597 |
mkdir -p /etc/univention/ssl/ucsCA |
596 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
598 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
597 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
599 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
598 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
600 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
599 |
fi |
601 |
fi |
600 |
|
602 |
|
601 |
check_ldap_tls_connection |
603 |
check_ldap_tls_connection |
602 |
|
604 |
|
603 |
download_host_certificate |
605 |
download_host_certificate |
604 |
|
606 |
|
605 |
univention-config-registry set ldap/master=$DCNAME >>/var/log/univention/join.log 2>&1 |
607 |
univention-config-registry set ldap/master="$DCNAME" >>/var/log/univention/join.log 2>&1 |
606 |
cat /etc/ldap/ldap.conf | sed -e "s|#.*||g" | grep -q TLS_CACERT || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
608 |
grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
607 |
|
609 |
|
608 |
# invalidate the nscd hosts cache |
610 |
# invalidate the nscd hosts cache |
609 |
nscd -i hosts |
611 |
nscd -i hosts |
610 |
|
612 |
|
611 |
univention-config-registry set ldap/server/name?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
613 |
univention-config-registry set \ |
612 |
univention-config-registry set ldap/master?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
614 |
ldap/server/name?"$DCNAME" \ |
613 |
univention-config-registry set kerberos/adminserver?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
615 |
ldap/master?"$DCNAME" \ |
|
|
616 |
kerberos/adminserver?"$DCNAME" \ |
617 |
>>/var/log/univention/join.log 2>&1 |
614 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
618 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
615 |
|
619 |
|
616 |
touch /var/univention-join/joined |
620 |
touch /var/univention-join/joined |
|
618 |
|
622 |
|
619 |
if test -e "/usr/lib/univention-install/"; then |
623 |
if test -e "/usr/lib/univention-install/"; then |
620 |
for i in /usr/lib/univention-install/*.inst; do |
624 |
for i in /usr/lib/univention-install/*.inst; do |
621 |
echo -n "Configure `basename $i` " |
625 |
echo -n "Configure ${i##*/} " |
622 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
626 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
623 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
627 |
"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
624 |
if [ $? != 0 ]; then |
628 |
if [ $? != 0 ]; then |
625 |
echo -e "\033[60Gfailed" |
629 |
echo -e "\033[60Gfailed" |
626 |
echo "FAILED: `basename $i`" |
630 |
echo "FAILED: ${i##*/}" |
627 |
failed_message "FAILED: `basename $i`" |
631 |
failed_message "FAILED: ${i##*/}" |
628 |
else |
632 |
else |
629 |
echo -e "\033[60Gdone" |
633 |
echo -e "\033[60Gdone" |
630 |
fi |
634 |
fi |
|
637 |
|
641 |
|
638 |
mkdir -p /etc/univention/ssl/ucsCA |
642 |
mkdir -p /etc/univention/ssl/ucsCA |
639 |
|
643 |
|
640 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
644 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
641 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
645 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
642 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
646 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
643 |
fi |
647 |
fi |
644 |
|
648 |
|
645 |
check_ldap_tls_connection |
649 |
check_ldap_tls_connection |
|
649 |
# invalidate the nscd hosts cache |
653 |
# invalidate the nscd hosts cache |
650 |
nscd -i hosts |
654 |
nscd -i hosts |
651 |
|
655 |
|
652 |
univention-config-registry set ldap/server/name="$DCNAME" >>/var/log/univention/join.log 2>&1 |
656 |
univention-config-registry set \ |
653 |
univention-config-registry set ldap/master="$DCNAME" >>/var/log/univention/join.log 2>&1 |
657 |
ldap/server/name="$DCNAME" \ |
654 |
univention-config-registry set kerberos/adminserver="$DCNAME" >>/var/log/univention/join.log 2>&1 |
658 |
ldap/master="$DCNAME" \ |
|
|
659 |
kerberos/adminserver="$DCNAME" \ |
660 |
>>/var/log/univention/join.log 2>&1 |
655 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
661 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
656 |
cat /etc/ldap/ldap.conf | sed -e "s|#.*||g" | grep -q TLS_CACERT || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
662 |
grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
657 |
|
663 |
|
658 |
touch /var/univention-join/joined |
664 |
touch /var/univention-join/joined |
659 |
ln -sf /var/univention-join/joined /usr/share/univention-join/.joined |
665 |
ln -sf /var/univention-join/joined /usr/share/univention-join/.joined |
660 |
|
666 |
|
661 |
univention-config-registry set nsswitch/ldap=yes >>/var/log/univention/join.log 2>&1 |
667 |
univention-config-registry set nsswitch/ldap=yes >>/var/log/univention/join.log 2>&1 |
662 |
eval `univention-config-registry shell` |
668 |
eval "$(univention-config-registry shell)" |
663 |
|
669 |
|
664 |
if test -e "/usr/lib/univention-install/"; then |
670 |
if test -e "/usr/lib/univention-install/"; then |
665 |
for i in /usr/lib/univention-install/*.inst; do |
671 |
for i in /usr/lib/univention-install/*.inst; do |
666 |
echo -n "Configure `basename $i` " |
672 |
echo -n "Configure ${i##*/} " |
667 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
673 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
668 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
674 |
"$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
669 |
if [ $? != 0 ]; then |
675 |
if [ $? != 0 ]; then |
670 |
echo -e "\033[60Gfailed" |
676 |
echo -e "\033[60Gfailed" |
671 |
echo "FAILED: `basename $i`" |
677 |
echo "FAILED: ${i##*/}" |
672 |
failed_message "FAILED: `basename $i`" |
678 |
failed_message "FAILED: ${i##*/}" |
673 |
else |
679 |
else |
674 |
echo -e "\033[60Gdone" |
680 |
echo -e "\033[60Gdone" |
675 |
fi |
681 |
fi |
|
687 |
/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 |
693 |
/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 |
688 |
fi |
694 |
fi |
689 |
|
695 |
|
690 |
if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then |
|
|
691 |
rm -f $DCPWD |
692 |
fi |
693 |
|
694 |
if [ "$interfaces_eth0_type" != "dhcp" ]; then |
696 |
if [ "$interfaces_eth0_type" != "dhcp" ]; then |
695 |
univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1 |
697 |
univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1 |
696 |
fi |
698 |
fi |