|
1 |
#!/bin/sh |
1 |
#!/bin/bash |
2 |
# |
2 |
# |
3 |
# Univention Join |
3 |
# Univention Join |
4 |
# joins a system into a UCS domain |
4 |
# joins a system into a UCS domain |
|
37 |
eval "$(univention-config-registry shell)" |
37 |
eval "$(univention-config-registry shell)" |
38 |
|
38 |
|
39 |
TYPE= |
39 |
TYPE= |
40 |
REMOVE_PWD_FILE="" |
|
|
41 |
|
40 |
|
|
|
41 |
USERTMP="$(mktemp -d)" |
42 |
DCPWD="$USERTMP/dcpwd" |
43 |
trap "rm -rf '$USERTMP'" EXIT |
44 |
|
42 |
display_help() { |
45 |
display_help() { |
43 |
display_header |
46 |
display_header |
44 |
cat <<-EOL |
47 |
cat <<-EOL |
|
76 |
echo "univention-join @%@package_version@%@" |
79 |
echo "univention-join @%@package_version@%@" |
77 |
} |
80 |
} |
78 |
|
81 |
|
79 |
|
|
|
80 |
failed_message () { |
82 |
failed_message () { |
81 |
echo "" |
83 |
echo "" |
82 |
echo "" |
84 |
echo "" |
|
86 |
echo "**************************************************************************" |
88 |
echo "**************************************************************************" |
87 |
echo "* Message: $@" |
89 |
echo "* Message: $@" |
88 |
echo "**************************************************************************" |
90 |
echo "**************************************************************************" |
89 |
if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then |
|
|
90 |
rm -f $DCPWD |
91 |
fi |
92 |
exit 1 |
91 |
exit 1 |
93 |
} |
92 |
} |
94 |
|
93 |
|
95 |
download_host_certificate () { |
94 |
download_host_certificate () { |
96 |
echo -n "Download host certificate " |
95 |
echo -n "Download host certificate " |
97 |
HOSTPWD="/etc/machine.secret" |
96 |
local HOSTPWD="/etc/machine.secret" |
98 |
HOSTACCOUNT="$hostname\$" |
97 |
local HOSTACCOUNT="$hostname\$" |
99 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
98 |
univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
100 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
|
|
101 |
while [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; do |
99 |
while [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; do |
102 |
echo -n "." |
100 |
echo -n "." |
103 |
sleep 20 |
101 |
sleep 20 |
104 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
102 |
univention-scp "$HOSTPWD" -q -r "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname" "$HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
105 |
univention-scp $HOSTPWD "-r $HOSTACCOUNT@$DCNAME:/etc/univention/ssl/$hostname.$domainname /etc/univention/ssl/" >>/var/log/univention/join.log 2>&1 |
|
|
106 |
done |
103 |
done |
107 |
|
104 |
|
108 |
echo -e "\033[60Gdone" |
105 |
echo -e "\033[60Gdone" |
|
111 |
check_ldap_tls_connection () { |
108 |
check_ldap_tls_connection () { |
112 |
echo -n "Check TLS connection " |
109 |
echo -n "Check TLS connection " |
113 |
|
110 |
|
114 |
ldapsearch -x -ZZ -s base -h "$DCNAME" dn >/dev/null |
111 |
if ! ldapsearch -x -ZZ -s base -h "$DCNAME" dn >/dev/null |
115 |
if [ $? != 0 ]; then |
112 |
then |
116 |
failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." |
113 |
failed_message "Establishing a TLS connection with $DCNAME failed. Maybe you didn't specify a FQDN." |
117 |
fi |
114 |
fi |
118 |
|
115 |
|
|
123 |
do |
120 |
do |
124 |
case "$1" in |
121 |
case "$1" in |
125 |
"-dcname") |
122 |
"-dcname") |
126 |
shift |
123 |
DCNAME="${2:?missing DC master FQDN}" |
127 |
DCNAME=$1 |
124 |
shift 2 |
128 |
shift |
|
|
129 |
;; |
125 |
;; |
130 |
"-dcaccount") |
126 |
"-dcaccount") |
131 |
shift |
127 |
DCACCOUNT="${2:?missing DC master account}" |
132 |
DCACCOUNT=$1 |
128 |
shift 2 |
133 |
shift |
|
|
134 |
;; |
129 |
;; |
135 |
"-dcpwd") |
130 |
"-dcpwd") |
136 |
shift |
131 |
dcpwd="${2:?missing DC password file}" |
137 |
DCPWD=$1 |
132 |
cp "$dcpwd" "$DCPWD" |
138 |
shift |
133 |
shift 2 |
139 |
;; |
134 |
;; |
140 |
"-ldapbase") |
135 |
"-ldapbase") |
141 |
shift |
136 |
LDAPBASE="${2:?missing LDAP base}" |
142 |
LDAPBASE="$1" |
137 |
shift 2 |
143 |
shift |
|
|
144 |
;; |
138 |
;; |
145 |
"-realm") |
139 |
"-realm") |
146 |
shift |
140 |
REALM="${2:?missing Kerberos real}" |
147 |
REALM="$1" |
141 |
shift 2 |
148 |
shift |
|
|
149 |
;; |
142 |
;; |
150 |
"-type") |
143 |
"-type") |
151 |
shift |
144 |
TYPE="${2:?missing computer role}" |
152 |
TYPE=$1 |
145 |
shift 2 |
153 |
shift |
|
|
154 |
;; |
146 |
;; |
155 |
"--version") |
147 |
"--version") |
156 |
display_version |
148 |
display_version |
|
171 |
fi |
163 |
fi |
172 |
|
164 |
|
173 |
if [ -z "$DCACCOUNT" ]; then |
165 |
if [ -z "$DCACCOUNT" ]; then |
174 |
echo -n "Insert DC Master Account : " |
166 |
echo -n "Enter DC Master Account : " |
175 |
read DCACCOUNT |
167 |
read DCACCOUNT |
176 |
fi |
168 |
fi |
177 |
if [ -z "$DCPWD" ]; then |
169 |
if [ ! -f "$DCPWD" ]; then |
178 |
echo -n "Insert DC Master Password: " |
170 |
echo -n "Enter DC Master Password: " |
179 |
read -s password |
171 |
read -s password |
180 |
DCPWD=`mktemp` |
172 |
echo -n "$password" >"$DCPWD" |
181 |
echo "$password" >>$DCPWD |
|
|
182 |
REMOVE_PWD_FILE="1" |
183 |
echo "" |
173 |
echo "" |
184 |
echo "" |
174 |
echo "" |
185 |
fi |
175 |
fi |
186 |
|
176 |
|
|
|
177 |
declare -a args |
178 |
|
187 |
if [ "$DCACCOUNT" != "root" ]; then |
179 |
if [ "$DCACCOUNT" != "root" ]; then |
188 |
auth_cmd="-bindaccount \"$DCACCOUNT\" -bindpwfile \"$DCPWD\"" |
180 |
args+=(-bindaccount "$DCACCOUNT") |
189 |
fi |
181 |
fi |
190 |
|
182 |
|
191 |
if [ -z "$server_role" ]; then |
183 |
if [ -z "$server_role" ]; then |
|
193 |
echo "try: -type" |
185 |
echo "try: -type" |
194 |
display_help |
186 |
display_help |
195 |
else |
187 |
else |
196 |
server_role=$TYPE |
188 |
server_role="$TYPE" |
197 |
fi |
189 |
fi |
198 |
fi |
190 |
fi |
199 |
|
191 |
|
|
201 |
server_role="client" |
193 |
server_role="client" |
202 |
fi |
194 |
fi |
203 |
|
195 |
|
204 |
mac_addr=`/sbin/ifconfig eth0 | grep HWaddr | sed -e "s|.*HWaddr ||"` |
196 |
mac_addr="$(LC_ALL=C /sbin/ifconfig eth0 | sed -ne "s|.*HWaddr ||p")" |
205 |
if [ -n "$mac_addr" ]; then |
197 |
if [ -n "$mac_addr" ]; then |
206 |
mac_cmd="-mac $mac_addr" |
198 |
args+=(-mac "$mac_addr") |
207 |
fi |
199 |
fi |
208 |
|
200 |
|
209 |
|
201 |
|
210 |
if [ -z "$DCNAME" ]; then |
202 |
if [ -z "$DCNAME" ]; then |
211 |
echo -n "Search DC Master: " |
203 |
echo -n "Search DC Master: " |
212 |
if [ "$interfaces_eth0_type" = "dhcp" ]; then |
204 |
if [ "$interfaces_eth0_type" = "dhcp" ]; then |
213 |
DCNAME=`host -t SRV _domaincontroller_master._tcp.$domainname | grep -v "not found" | grep -v "reached" | tail -1 | sed -e 's|.* ||g' | sed -e 's|\.$||'` |
205 |
DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" |
214 |
if [ -n "$DCNAME" ]; then |
206 |
if [ -n "$DCNAME" ]; then |
215 |
echo -e "\033[60Gdone" |
207 |
echo -e "\033[60Gdone" |
216 |
fi |
208 |
fi |
217 |
else |
209 |
else |
218 |
for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do |
210 |
for i in "$nameserver" "$nameserver1" "$nameserver2" "$nameserver3" "$dns_forwarder1" "$dns_forwarder2" "$dns_forwarder3"; do |
219 |
if [ -z "$i" ]; then continue; fi |
211 |
if [ -z "$i" ]; then continue; fi |
220 |
DCNAME=`host -t SRV _domaincontroller_master._tcp.$domainname $i | grep -v "not found" | grep -v "reached" | tail -1 | sed -e 's|.* ||g' | sed -e 's|\.$||'` |
212 |
DCNAME="$(host -t SRV "_domaincontroller_master._tcp.$domainname" "$i" | sed -ne '$s/.* \([^ ]\+\)\.$/\1/p')" |
221 |
if [ -n "$DCNAME" ]; then |
213 |
if [ -n "$DCNAME" ]; then |
222 |
echo -e "\033[60Gdone" |
214 |
echo -e "\033[60Gdone" |
223 |
echo "domain $domainname" >/etc/resolv.conf |
215 |
echo "domain $domainname" >/etc/resolv.conf |
|
236 |
|
228 |
|
237 |
echo -n "Check DC Master: " |
229 |
echo -n "Check DC Master: " |
238 |
|
230 |
|
239 |
ping -c 1 $DCNAME >/dev/null 2>&1 |
231 |
if ! ping -c 1 "$DCNAME" >/dev/null 2>&1 |
240 |
|
232 |
then |
241 |
if [ $? != 0 ]; then |
|
|
242 |
failed_message "ping to $DCNAME failed" |
233 |
failed_message "ping to $DCNAME failed" |
243 |
fi |
234 |
fi |
244 |
|
235 |
|
245 |
univention-ssh "$DCPWD" "$DCACCOUNT"@"$DCNAME" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check |
236 |
if ! univention-ssh "$DCPWD" "$DCACCOUNT"@"$DCNAME" echo ssh-check 2>>/var/log/univention/join.log | grep -qs ssh-check |
246 |
if [ $? != 0 ]; then |
237 |
then |
247 |
failed_message "ssh-login for $DCACCOUNT@$DCNAME failed. Maybe you entered a wrong password." |
238 |
failed_message "ssh-login for $DCACCOUNT@$DCNAME failed. Maybe you entered a wrong password." |
248 |
fi |
239 |
fi |
249 |
|
240 |
|
|
257 |
|
248 |
|
258 |
if [ -z "$LDAPBASE" ]; then |
249 |
if [ -z "$LDAPBASE" ]; then |
259 |
echo -n "Search ldap/base" |
250 |
echo -n "Search ldap/base" |
260 |
ldap_base=`ldapsearch -x -h $DCNAME -b "" -s base 'objectclass=*' NamingContexts -LLL | grep namingContexts | sed -e 's|namingContexts: ||'` |
251 |
ldap_base=$(ldapsearch -x -h "$DCNAME" -b "" -s base 'objectclass=*' NamingContexts -LLL | ldapsearch-wrapper | sed -ne 's|namingContexts: ||p') |
261 |
else |
252 |
else |
262 |
ldap_base="$LDAPBASE" |
253 |
ldap_base="$LDAPBASE" |
263 |
fi |
254 |
fi |
|
272 |
|
263 |
|
273 |
echo -n "Search LDAP binddn " |
264 |
echo -n "Search LDAP binddn " |
274 |
binddn="" |
265 |
binddn="" |
275 |
for i in `ldapsearch -x -h $DCNAME -LLL -b $ldap_base "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | grep ^dn | sed -e 's|dn: ||'`; do |
266 |
for i in $(ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" "(&(uid=$DCACCOUNT)(objectClass=person))" | ldapsearch-wrapper | sed -ne 's|^dn: ||p') |
|
|
267 |
do |
276 |
if [ -n "$binddn" ]; then |
268 |
if [ -n "$binddn" ]; then |
277 |
failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn" |
269 |
failed_message "binddn for user $DCACCOUNT not unique, $i and $binddn" |
278 |
fi |
270 |
fi |
|
282 |
if [ -z "$binddn" ]; then |
274 |
if [ -z "$binddn" ]; then |
283 |
failed_message "binddn for user $DCACCOUNT not found" |
275 |
failed_message "binddn for user $DCACCOUNT not found" |
284 |
else |
276 |
else |
285 |
ldapsearch -x -h $DCNAME -LLL -b "$ldap_base" -D "$binddn" -w `cat $DCPWD` -LLL -s base >/dev/null 2>&1 |
277 |
if ! ldapsearch -x -h "$DCNAME" -LLL -b "$ldap_base" -D "$binddn" -w "$(<"$DCPWD")" -LLL -s base >/dev/null 2>&1 |
286 |
if [ $? != 0 ]; then |
278 |
then |
287 |
failed_message "Invalid credentials" |
279 |
failed_message "Invalid credentials" |
288 |
fi |
280 |
fi |
289 |
fi |
281 |
fi |
290 |
|
282 |
|
291 |
if [ $server_role != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ]; then |
283 |
if [ "$server_role" != "domaincontroller_master" -a "$server_role" != "domaincontroller_backup" -a -z "$binddn" ] |
|
|
284 |
then |
292 |
failed_message "binddn for user $DCACCOUNT not found" |
285 |
failed_message "binddn for user $DCACCOUNT not found" |
293 |
fi |
286 |
fi |
294 |
|
287 |
|
295 |
if [ -x /usr/bin/rdate ]; then |
288 |
if [ -x /usr/bin/rdate ]; then |
296 |
echo -n "Sync time " |
289 |
echo -n "Sync time " |
297 |
/usr/bin/rdate $DCNAME >/dev/null 2>&1 |
290 |
/usr/bin/rdate "$DCNAME" >/dev/null 2>&1 |
298 |
echo -e "\033[60Gdone" |
291 |
echo -e "\033[60Gdone" |
299 |
fi |
292 |
fi |
300 |
|
293 |
|
301 |
if [ -n "$ldap_position" ]; then |
294 |
if [ -n "$ldap_position" ]; then |
302 |
position_cmd="-position \"$ldap_position\"" |
295 |
args+=(-position "$ldap_position") |
303 |
fi |
296 |
fi |
304 |
|
297 |
|
|
|
298 |
bashquote () { # quote arguments for eval |
299 |
declare -a escaped |
300 |
declare -r quote=\\\' |
301 |
local arg |
302 |
for arg in "$@" |
303 |
do |
304 |
escaped+=("'${arg//\'/'$quote'}'") |
305 |
done |
306 |
echo -n "${escaped[@]}" |
307 |
} |
308 |
|
305 |
if [ -n "$server_role" ]; then |
309 |
if [ -n "$server_role" ]; then |
306 |
if [ -n "$interfaces_eth0_address" ]; then |
310 |
if [ -n "$interfaces_eth0_address" ]; then |
307 |
ip_cmd="-ip $interfaces_eth0_address" |
311 |
args+=(-ip "$interfaces_eth0_address") |
308 |
fi |
312 |
fi |
309 |
echo -n "Join Computer Account: " |
313 |
echo -n "Join Computer Account: " |
310 |
univention-scp "$DCPWD" "$DCPWD" "$DCACCOUNT@$DCNAME:$DCPWD" >>/var/log/univention/join.log 2>&1 |
314 |
args+=(-role "$server_role" -hostname "$hostname" -domainname "$domainname") |
311 |
res=`univention-ssh $DCPWD $DCACCOUNT@$DCNAME /usr/share/univention-join/univention-server-join -role $server_role -hostname $hostname -domainname $domainname $ip_cmd $mac_cmd $position_cmd $auth_cmd 2>>/var/log/univention/join.log` |
315 |
# Copy local $DCPWD to remote $DCPWD' and invoke univention-join remotely |
312 |
univention-ssh $DCPWD $DCACCOUNT@$DCNAME "rm $DCPWD" >>/var/log/univention/join.log 2>&1 |
316 |
univention-ssh --no-split "$DCPWD" "$DCACCOUNT@$DCNAME" 'DCPWD=$(mktemp) && trap "rm -f \"$DCPWD\"" EXIT && cat >"$DCPWD" && /usr/share/univention-join/univention-server-join -bindpwfile "$DCPWD"' "$(bashquote "${args[@]}")" <"$DCPWD" 2>&1 | tee "$USERTMP/log" >>/var/log/univention/join.log |
313 |
res_message=`echo $res | grep uexception | sed -e 's|.*univention.admin.uexceptions.||'g` |
317 |
res_message="$(grep uexception "$USERTMP/log" | sed -e 's|.*univention.admin.uexceptions.||'g)" |
314 |
if [ -z "$res_message" ]; then |
318 |
if [ -z "$res_message" ]; then |
315 |
echo -e "\033[60Gdone" |
319 |
echo -e "\033[60Gdone" |
316 |
fi |
320 |
fi |
|
318 |
failed_message "No server role defined" |
322 |
failed_message "No server role defined" |
319 |
fi |
323 |
fi |
320 |
|
324 |
|
321 |
if [ -n "$res" ]; then |
325 |
if [ -s "$USERTMP/log" ] |
322 |
echo "Join result = [$res]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log |
326 |
then |
|
|
327 |
echo "Join result = [$(<"$USERTMP/log")]" | sed -e 's/KerberosPasswd="[^"]*"//' | fromdos -fa >>/var/log/univention/join.log |
323 |
|
328 |
|
324 |
#try to get password |
329 |
#try to get password |
325 |
pwd=`echo $res | grep -i KerberosPasswd | sed -e 's|.*KerberosPasswd="||;s|".*||g'` |
330 |
pwd="$(sed -ne 's|^KerberosPasswd="\(.*\)" *|\1|p' <"$USERTMP/log")" |
326 |
|
331 |
|
327 |
|
|
|
328 |
if [ -n "$pwd" ]; then |
332 |
if [ -n "$pwd" ]; then |
329 |
|
|
|
330 |
if [ -e /etc/machine.secret ]; then |
333 |
if [ -e /etc/machine.secret ]; then |
331 |
cat /etc/machine.secret >>/etc/machine.secret.SAVE |
334 |
cat /etc/machine.secret >>/etc/machine.secret.SAVE |
332 |
fi |
335 |
fi |
|
335 |
fromdos /etc/machine.secret |
338 |
fromdos /etc/machine.secret |
336 |
chmod 600 /etc/machine.secret |
339 |
chmod 600 /etc/machine.secret |
337 |
if [ -e /etc/machine.secret.SAVE ]; then |
340 |
if [ -e /etc/machine.secret.SAVE ]; then |
338 |
chmod 600 /etc/machine.secret.SAVE |
341 |
chmod 600 /etc/machine.secret.SAVE |
339 |
fi |
342 |
fi |
340 |
else |
343 |
else |
341 |
if [ -n "$res_message" ]; then |
344 |
if [ -n "$res_message" ]; then |
342 |
failed_message "$res_message" |
345 |
failed_message "$res_message" |
343 |
else |
346 |
else |
344 |
failed_message "$res" |
347 |
failed_message "$(<"$USERTMP/log")" |
345 |
fi |
348 |
fi |
346 |
fi |
349 |
fi |
347 |
|
350 |
|
348 |
ldap_dn="`echo $res | grep ldap_dn | sed -e 's|.*ldap_dn="||;s|".*||'`" |
351 |
ldap_dn="$(sed -ne 's|^ldap_dn="\(.*\)" *|\1|p' <"$USERTMP/log")" |
349 |
if [ -n "$ldap_dn" ]; then |
352 |
if [ -n "$ldap_dn" ]; then |
350 |
univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1 |
353 |
univention-config-registry set ldap/hostdn="$ldap_dn" >>/var/log/univention/join.log 2>&1 |
351 |
else |
354 |
else |
|
357 |
fi |
360 |
fi |
358 |
|
361 |
|
359 |
if [ -e "/usr/lib/univention-install/.index.txt" ]; then |
362 |
if [ -e "/usr/lib/univention-install/.index.txt" ]; then |
360 |
mkdir -p /var/univention-join/ |
363 |
mkdir -p /var/univention-join/ |
361 |
rm -rf /var/univention-join/status |
364 |
rm -rf /var/univention-join/status |
362 |
rm /usr/lib/univention-install/.index.txt |
365 |
rm /usr/lib/univention-install/.index.txt |
363 |
touch /var/univention-join/status |
366 |
touch /var/univention-join/status |
364 |
fi |
367 |
fi |
365 |
|
368 |
|
366 |
if [ ! -e "/usr/lib/univention-install/.index.txt" ]; then |
369 |
if [ ! -e "/usr/lib/univention-install/.index.txt" ]; then |
367 |
mkdir -p /var/univention-join/ |
370 |
mkdir -p /var/univention-join/ |
368 |
touch /var/univention-join/status |
371 |
touch /var/univention-join/status |
369 |
ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt |
372 |
ln -sf /var/univention-join/status /usr/lib/univention-install/.index.txt |
370 |
fi |
373 |
fi |
371 |
|
374 |
|
372 |
|
375 |
|
373 |
if [ -e "/etc/univention/ssl" ]; then |
376 |
if [ -e "/etc/univention/ssl" ]; then |
374 |
mv /etc/univention/ssl "/etc/univention/ssl_`date +"%y%m%d%H%M"`" |
377 |
mv /etc/univention/ssl "/etc/univention/ssl_$(date +"%y%m%d%H%M")" |
375 |
mkdir /etc/univention/ssl |
378 |
mkdir /etc/univention/ssl |
376 |
fi |
379 |
fi |
377 |
|
380 |
|
378 |
# Stop Notifier |
381 |
# Stop Notifier |
379 |
notifier_pid=`pidof univention-directory-notifier` |
382 |
notifier_pid="$(pidof univention-directory-notifier)" |
380 |
if [ -n "$notifier_pid" -a -e /etc/runit/univention/univention-directory-notifier ]; then |
383 |
if [ -n "$notifier_pid" -a -e /etc/runit/univention/univention-directory-notifier ]; then |
381 |
echo -n "Stopping univention-directory-notifier daemon: " |
384 |
echo -n "Stopping univention-directory-notifier daemon: " |
382 |
/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1 |
385 |
/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1 |
383 |
while ! sv status univention-directory-notifier | grep "^down" >/dev/null ; do sleep 1; /etc/init.d/univention-directory-notifier stop >/dev/null 2>&1; echo -n "." ;done; echo "" done |
386 |
while ! sv status univention-directory-notifier | grep -q "^down" |
|
|
387 |
do |
388 |
sleep 1 |
389 |
/etc/init.d/univention-directory-notifier stop >/dev/null 2>&1 |
390 |
echo -n "." |
391 |
done |
392 |
echo " done" |
384 |
fi |
393 |
fi |
385 |
|
394 |
|
386 |
# Stop Listener |
395 |
# Stop Listener |
387 |
listener_pid=`pidof univention-directory-listener` |
396 |
listener_pid="$(pidof univention-directory-listener)" |
388 |
if [ -e /etc/runit/univention/univention-directory-listener ]; then |
397 |
if [ -e /etc/runit/univention/univention-directory-listener ]; then |
389 |
echo -n "Stopping univention-directory-listener daemon: " |
398 |
echo -n "Stopping univention-directory-listener daemon: " |
390 |
/etc/init.d/univention-directory-listener stop >/dev/null 2>&1 |
399 |
/etc/init.d/univention-directory-listener stop >/dev/null 2>&1 |
391 |
while ! sv status univention-directory-listener | grep "^down" >/dev/null ; do sleep 1; /etc/init.d/univention-directory-listener stop >/dev/null 2>&1; echo -n "." ;done; echo "" done |
400 |
while ! sv status univention-directory-listener | grep -q "^down" |
|
|
401 |
do |
402 |
sleep 1 |
403 |
/etc/init.d/univention-directory-listener stop >/dev/null 2>&1 |
404 |
echo -n "." |
405 |
done |
406 |
echo " done" |
392 |
fi |
407 |
fi |
393 |
rm -Rf /var/lib/univention-directory-listener/* |
408 |
rm -Rf /var/lib/univention-directory-listener/* |
394 |
|
409 |
|
395 |
set_kerberos_realm () |
410 |
set_kerberos_realm () { |
396 |
{ |
411 |
local DCPWD="${1:?missing DC password file}" |
397 |
DCPWD="$1" |
412 |
local DCACCOUNT="${2:?missing DC master account}" |
398 |
DCACCOUNT="$2" |
413 |
local DCNAME="${3:?missing DC master FQDN}" |
399 |
DCNAME="$3" |
414 |
local realm="$4" |
400 |
realm="$4" |
|
|
401 |
if [ -z "$realm" ]; then |
415 |
if [ -z "$realm" ]; then |
402 |
realm=$(univention-ssh $DCPWD $DCACCOUNT@$DCNAME /usr/sbin/univention-config-registry get kerberos/realm | sed -e 's, ,,g' | grep [A-Za-z0-9] ) >>/var/log/univention/join.log 2>&1 |
416 |
realm=$(univention-ssh "$DCPWD" "$DCACCOUNT@$DCNAME" /usr/sbin/univention-config-registry get kerberos/realm) >>/var/log/univention/join.log 2>&1 |
403 |
if [ $? != 0 -o -z "$realm" ]; then |
417 |
if [ $? != 0 -o -z "$realm" ]; then |
404 |
echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>" |
418 |
echo "Unable to retrieve the kerberos realm. Try to use option -realm <kerberos/realm>" |
405 |
exit 1 |
419 |
exit 1 |
|
414 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
428 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
415 |
|
429 |
|
416 |
echo -n "Sync ldap.secret: " |
430 |
echo -n "Sync ldap.secret: " |
417 |
univention-scp $DCPWD $DCACCOUNT@$DCNAME:/etc/ldap.secret /etc/ldap.secret >>/var/log/univention/join.log 2>&1 |
431 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap.secret" /etc/ldap.secret >>/var/log/univention/join.log 2>&1 |
418 |
if [ ! -e "/etc/ldap.secret" ]; then |
432 |
if [ ! -e "/etc/ldap.secret" ]; then |
419 |
failed_message "/etc/ldap.secret not found" |
433 |
failed_message "/etc/ldap.secret not found" |
420 |
fi |
434 |
fi |
421 |
echo -e "\033[60Gdone" |
435 |
echo -e "\033[60Gdone" |
422 |
|
436 |
|
423 |
echo -n "Sync ldap-backup.secret: " |
437 |
echo -n "Sync ldap-backup.secret: " |
424 |
univention-scp $DCPWD $DCACCOUNT@$DCNAME:/etc/ldap-backup.secret /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 |
438 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >>/var/log/univention/join.log 2>&1 |
425 |
if [ ! -e "/etc/ldap-backup.secret" ]; then |
439 |
if [ ! -e "/etc/ldap-backup.secret" ]; then |
426 |
failed_message "/etc/ldap-backup.secret not found" |
440 |
failed_message "/etc/ldap-backup.secret not found" |
427 |
fi |
441 |
fi |
428 |
echo -e "\033[60Gdone" |
442 |
echo -e "\033[60Gdone" |
429 |
|
443 |
|
430 |
univention-config-registry set ldap/server/name=$hostname.$domainname >>/var/log/univention/join.log 2>&1 |
444 |
univention-config-registry set \ |
431 |
univention-config-registry set ldap/server/ip=$interfaces_eth0_address >>/var/log/univention/join.log 2>&1 |
445 |
ldap/server/name="$hostname.$domainname" \ |
432 |
univention-config-registry set ldap/master=$DCNAME >>/var/log/univention/join.log 2>&1 |
446 |
ldap/server/ip="$interfaces_eth0_address" \ |
433 |
univention-config-registry set ldap/server/type=slave >>/var/log/univention/join.log 2>&1 |
447 |
ldap/master="$DCNAME" \ |
|
|
448 |
ldap/server/type=slave \ |
449 |
>>/var/log/univention/join.log 2>&1 |
434 |
|
450 |
|
435 |
|
|
|
436 |
echo -n "Sync SSL directory: " |
451 |
echo -n "Sync SSL directory: " |
437 |
univention-ssh-rsync $DCPWD -az -e ssh $DCACCOUNT@$DCNAME:/etc/univention/ssl/* /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
452 |
univention-ssh-rsync "$DCPWD" -az "$DCACCOUNT@$DCNAME:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1 |
438 |
echo -e "\033[60Gdone" |
453 |
echo -e "\033[60Gdone" |
439 |
|
454 |
|
440 |
check_ldap_tls_connection |
455 |
check_ldap_tls_connection |
441 |
|
456 |
|
442 |
download_host_certificate |
457 |
download_host_certificate |
443 |
|
458 |
|
444 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
459 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
445 |
echo "failed to get host certificate" |
460 |
echo "failed to get host certificate" |
446 |
failed_message "failed to get host certificate" |
461 |
failed_message "failed to get host certificate" |
447 |
fi |
462 |
fi |
|
465 |
|
480 |
|
466 |
#TODO: implement a real sync |
481 |
#TODO: implement a real sync |
467 |
echo -n "Sync Kerberos settings: " |
482 |
echo -n "Sync Kerberos settings: " |
468 |
univention-scp $DCPWD -r $DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/* /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 |
483 |
univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 |
469 |
echo -e "\033[60Gdone" |
484 |
echo -e "\033[60Gdone" |
470 |
|
485 |
|
471 |
|
486 |
|
472 |
# invalidate the nscd hosts cache |
487 |
# invalidate the nscd hosts cache |
473 |
nscd -i hosts |
488 |
nscd -i hosts |
474 |
|
489 |
|
475 |
univention-config-registry set ldap/server/name?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
490 |
univention-config-registry set \ |
476 |
univention-config-registry set ldap/master?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
491 |
ldap/server/name?"$DCNAME" \ |
477 |
univention-config-registry set kerberos/adminserver?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
492 |
ldap/master?"$DCNAME" \ |
|
|
493 |
kerberos/adminserver?"$DCNAME" \ |
494 |
>>/var/log/univention/join.log 2>&1 |
478 |
|
495 |
|
479 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
496 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
480 |
|
497 |
|
481 |
eval `univention-config-registry shell` |
498 |
eval "$(univention-config-registry shell)" |
482 |
|
499 |
|
483 |
mkdir -p /var/lib/univention-ldap/notify/ |
500 |
mkdir -p /var/lib/univention-ldap/notify/ |
484 |
|
501 |
|
|
488 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
505 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
489 |
chown listener /var/lib/univention-ldap/schema/id/id |
506 |
chown listener /var/lib/univention-ldap/schema/id/id |
490 |
|
507 |
|
491 |
if test -e "/usr/lib/univention-install/"; then |
508 |
if test -d "/usr/lib/univention-install/" |
|
|
509 |
then |
492 |
for i in /usr/lib/univention-install/*.inst; do |
510 |
for i in /usr/lib/univention-install/*.inst; do |
493 |
echo -n "Configure `basename $i` " |
511 |
echo -n "Configure ${i##*/} " |
494 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
512 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
495 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
513 |
if ! "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
496 |
if [ $? != 0 ]; then |
514 |
then |
497 |
echo -e "\033[60Gfailed" |
515 |
echo -e "\033[60Gfailed" |
498 |
failed_message "FAILED: `basename $i`" |
516 |
failed_message "FAILED: ${i##*/}" |
499 |
else |
517 |
else |
500 |
echo -e "\033[60Gdone" |
518 |
echo -e "\033[60Gdone" |
501 |
fi |
519 |
fi |
502 |
|
520 |
|
503 |
if [ "`basename $i`" = "03univention-directory-listener.inst" ]; then |
521 |
if [ "${i##*/}" = "03univention-directory-listener.inst" ] |
|
|
522 |
then |
504 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
523 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
505 |
failed_message "FAILED: failed.ldif exists." |
524 |
failed_message "FAILED: failed.ldif exists." |
506 |
fi |
525 |
fi |
507 |
univention-scp $DCPWD -r $DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction /tmp/ >/dev/null 2>&1 |
526 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1 |
508 |
if [ ! -e /tmp/transaction ]; then |
527 |
if [ ! -e /tmp/transaction ]; then |
509 |
failed_message " FAILED: failed do copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." |
528 |
failed_message " FAILED: failed to copy /var/lib/univention-ldap/notify/transaction from the dc master. Please try again." |
510 |
fi |
529 |
fi |
511 |
|
530 |
|
512 |
id=`cat /var/lib/univention-directory-listener/notifier_id` |
531 |
read id < /var/lib/univention-directory-listener/notifier_id |
513 |
cat /tmp/transaction | awk -F ' ' '{ if ( $1 <= '$id') print }' >/var/lib/univention-ldap/notify/transaction |
532 |
awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction |
514 |
rm /tmp/transaction |
533 |
rm /tmp/transaction |
515 |
echo "">/var/lib/univention-ldap/replog/replog |
534 |
echo "">/var/lib/univention-ldap/replog/replog |
516 |
fi |
535 |
fi |
|
524 |
|
543 |
|
525 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
544 |
if [ -e "/etc/ldap-backup.secret" ]; then cat /etc/ldap-backup.secret >>/etc/ldap-backup.secret.SAVE; fi |
526 |
|
545 |
|
527 |
univention-scp $DCPWD "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret /etc/ldap-backup.secret" >/var/log/univention/join.log 2>&1 |
546 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/ldap-backup.secret" /etc/ldap-backup.secret >/var/log/univention/join.log 2>&1 |
528 |
|
547 |
|
529 |
echo -e "\033[60Gdone" |
548 |
echo -e "\033[60Gdone" |
530 |
|
549 |
|
531 |
univention-config-registry set ldap/server/name=$hostname.$domainname >>/var/log/univention/join.log 2>&1 |
550 |
univention-config-registry set \ |
532 |
univention-config-registry set ldap/server/ip=$interfaces_eth0_address >>/var/log/univention/join.log 2>&1 |
551 |
ldap/server/name="$hostname.$domainname" \ |
533 |
univention-config-registry set ldap/master=$DCNAME >>/var/log/univention/join.log 2>&1 |
552 |
ldap/server/ip="$interfaces_eth0_address" \ |
534 |
univention-config-registry set ldap/server/type=slave >>/var/log/univention/join.log 2>&1 |
553 |
ldap/master="$DCNAME" \ |
|
|
554 |
ldap/server/type=slave \ |
555 |
>>/var/log/univention/join.log 2>&1 |
535 |
|
556 |
|
536 |
mkdir -p /etc/univention/ssl/ucsCA |
557 |
mkdir -p /etc/univention/ssl/ucsCA |
537 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
558 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
538 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
559 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
539 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
560 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
540 |
fi |
561 |
fi |
541 |
|
562 |
|
542 |
check_ldap_tls_connection |
563 |
check_ldap_tls_connection |
543 |
|
564 |
|
544 |
download_host_certificate |
565 |
download_host_certificate |
545 |
|
566 |
|
546 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
567 |
if [ ! -d "/etc/univention/ssl/$hostname" ] && [ ! -d "/etc/univention/ssl/$hostname.$domainname" ]; then |
547 |
failed_message "failed to get host certificate" |
568 |
failed_message "failed to get host certificate" |
548 |
fi |
569 |
fi |
549 |
|
570 |
|
|
552 |
echo -e "\033[60Gdone" |
573 |
echo -e "\033[60Gdone" |
553 |
|
574 |
|
554 |
echo -n "Sync Kerberos settings: " |
575 |
echo -n "Sync Kerberos settings: " |
555 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/* /var/lib/heimdal-kdc/" >>/var/log/univention/join.log 2>&1 |
576 |
univention-scp "$DCPWD" -q -r "$DCACCOUNT@$DCNAME:/var/lib/heimdal-kdc/*" /var/lib/heimdal-kdc/ >>/var/log/univention/join.log 2>&1 |
556 |
echo -e "\033[60Gdone" |
577 |
echo -e "\033[60Gdone" |
557 |
|
578 |
|
558 |
mkdir -p /var/lib/univention-ldap/notify/ |
579 |
mkdir -p /var/lib/univention-ldap/notify/ |
|
560 |
# invalidate the nscd hosts cache |
581 |
# invalidate the nscd hosts cache |
561 |
nscd -i hosts |
582 |
nscd -i hosts |
562 |
|
583 |
|
563 |
univention-config-registry set ldap/server/name?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
584 |
univention-config-registry set \ |
564 |
univention-config-registry set ldap/master?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
585 |
ldap/server/name?"$DCNAME" \ |
565 |
univention-config-registry set kerberos/adminserver?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
586 |
ldap/master?"$DCNAME" \ |
|
|
587 |
kerberos/adminserver?"$DCNAME" \ |
588 |
>>/var/log/univention/join.log 2>&1 |
566 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
589 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
567 |
|
590 |
|
568 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
591 |
echo -n "0" >/var/lib/univention-ldap/schema/id/id |
|
573 |
|
596 |
|
574 |
if test -e "/usr/lib/univention-install/"; then |
597 |
if test -e "/usr/lib/univention-install/"; then |
575 |
for i in /usr/lib/univention-install/*.inst; do |
598 |
for i in /usr/lib/univention-install/*.inst; do |
576 |
echo -n "Configure `basename $i` " |
599 |
echo -n "Configure ${i##*/} " |
577 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
600 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
578 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
601 |
if ! "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
579 |
if [ $? != 0 ]; then |
602 |
then |
580 |
echo -e "\033[60Gfailed" |
603 |
echo -e "\033[60Gfailed" |
581 |
failed_message "FAILED: `basename $i`" |
604 |
failed_message "FAILED: ${i##*/}" |
582 |
else |
605 |
else |
583 |
echo -e "\033[60Gdone" |
606 |
echo -e "\033[60Gdone" |
584 |
fi |
607 |
fi |
585 |
if [ "`basename $i`" = "03univention-directory-listener.inst" ]; then |
608 |
if [ "${i##*/}" = "03univention-directory-listener.inst" ] |
|
|
609 |
then |
586 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
610 |
if [ -e /var/lib/univention-directory-replication/failed.ldif ]; then |
587 |
failed_message "FAILED: failed.ldif exists." |
611 |
failed_message "FAILED: failed.ldif exists." |
588 |
fi |
612 |
fi |
589 |
if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then |
613 |
if [ -n "$listener_supply_notifier" -a "$listener_supply_notifier" = "yes" ]; then |
590 |
univention-scp $DCPWD -r $DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction /tmp/ >/dev/null 2>&1 |
614 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/var/lib/univention-ldap/notify/transaction" /tmp/ >/dev/null 2>&1 |
591 |
id=`cat /var/lib/univention-directory-listener/notifier_id` |
615 |
read id < /var/lib/univention-directory-listener/notifier_id |
592 |
cat /tmp/transaction | awk -F ' ' '{ if ( $1 <= '$id') print }' >/var/lib/univention-ldap/notify/transaction |
616 |
awk -F ' ' '{ if ( $1 <= '$id') print }' </tmp/transaction >/var/lib/univention-ldap/notify/transaction |
593 |
rm /tmp/transaction |
617 |
rm /tmp/transaction |
594 |
echo "">/var/lib/univention-ldap/replog/replog |
618 |
echo "">/var/lib/univention-ldap/replog/replog |
595 |
fi |
619 |
fi |
|
600 |
|
624 |
|
601 |
elif [ "$server_role" = "memberserver" ]; then |
625 |
elif [ "$server_role" = "memberserver" ]; then |
602 |
mkdir -p /etc/univention/ssl/ucsCA |
626 |
mkdir -p /etc/univention/ssl/ucsCA |
603 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
627 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
604 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
628 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
605 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
629 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
606 |
fi |
630 |
fi |
607 |
|
631 |
|
608 |
check_ldap_tls_connection |
632 |
check_ldap_tls_connection |
609 |
|
633 |
|
610 |
download_host_certificate |
634 |
download_host_certificate |
611 |
|
635 |
|
612 |
univention-config-registry set ldap/master=$DCNAME >>/var/log/univention/join.log 2>&1 |
636 |
univention-config-registry set ldap/master="$DCNAME" >>/var/log/univention/join.log 2>&1 |
613 |
cat /etc/ldap/ldap.conf | sed -e "s|#.*||g" | grep -q TLS_CACERT || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
637 |
grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
614 |
|
638 |
|
615 |
# invalidate the nscd hosts cache |
639 |
# invalidate the nscd hosts cache |
616 |
nscd -i hosts |
640 |
nscd -i hosts |
617 |
|
641 |
|
618 |
univention-config-registry set ldap/server/name?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
642 |
univention-config-registry set \ |
619 |
univention-config-registry set ldap/master?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
643 |
ldap/server/name?"$DCNAME" \ |
620 |
univention-config-registry set kerberos/adminserver?"$DCNAME" >>/var/log/univention/join.log 2>&1 |
644 |
ldap/master?"$DCNAME" \ |
|
|
645 |
kerberos/adminserver?"$DCNAME" \ |
646 |
>>/var/log/univention/join.log 2>&1 |
621 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
647 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
622 |
|
648 |
|
623 |
touch /var/univention-join/joined |
649 |
touch /var/univention-join/joined |
|
625 |
|
651 |
|
626 |
if test -e "/usr/lib/univention-install/"; then |
652 |
if test -e "/usr/lib/univention-install/"; then |
627 |
for i in /usr/lib/univention-install/*.inst; do |
653 |
for i in /usr/lib/univention-install/*.inst; do |
628 |
echo -n "Configure `basename $i` " |
654 |
echo -n "Configure ${i##*/} " |
629 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
655 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
630 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
656 |
if ! "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
631 |
if [ $? != 0 ]; then |
657 |
then |
632 |
echo -e "\033[60Gfailed" |
658 |
echo -e "\033[60Gfailed" |
633 |
echo "FAILED: `basename $i`" |
659 |
echo "FAILED: ${i##*/}" |
634 |
failed_message "FAILED: `basename $i`" |
660 |
failed_message "FAILED: ${i##*/}" |
635 |
else |
661 |
else |
636 |
echo -e "\033[60Gdone" |
662 |
echo -e "\033[60Gdone" |
637 |
fi |
663 |
fi |
|
644 |
|
670 |
|
645 |
mkdir -p /etc/univention/ssl/ucsCA |
671 |
mkdir -p /etc/univention/ssl/ucsCA |
646 |
|
672 |
|
647 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
673 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
648 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
674 |
if [ ! -e /etc/univention/ssl/ucsCA/CAcert.pem ]; then |
649 |
univention-scp $DCPWD "-r $DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem /etc/univention/ssl/ucsCA/" >>/var/log/univention/join.log 2>&1 |
675 |
univention-scp "$DCPWD" -q "$DCACCOUNT@$DCNAME:/etc/univention/ssl/udsCA/CAcert.pem" /etc/univention/ssl/ucsCA/ >>/var/log/univention/join.log 2>&1 |
650 |
fi |
676 |
fi |
651 |
|
677 |
|
652 |
check_ldap_tls_connection |
678 |
check_ldap_tls_connection |
|
656 |
# invalidate the nscd hosts cache |
682 |
# invalidate the nscd hosts cache |
657 |
nscd -i hosts |
683 |
nscd -i hosts |
658 |
|
684 |
|
659 |
univention-config-registry set ldap/server/name="$DCNAME" >>/var/log/univention/join.log 2>&1 |
685 |
univention-config-registry set \ |
660 |
univention-config-registry set ldap/master="$DCNAME" >>/var/log/univention/join.log 2>&1 |
686 |
ldap/server/name="$DCNAME" \ |
661 |
univention-config-registry set kerberos/adminserver="$DCNAME" >>/var/log/univention/join.log 2>&1 |
687 |
ldap/master="$DCNAME" \ |
|
|
688 |
kerberos/adminserver="$DCNAME" \ |
689 |
>>/var/log/univention/join.log 2>&1 |
662 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
690 |
set_kerberos_realm "$DCPWD" "$DCACCOUNT" "$DCNAME" "$REALM" |
663 |
cat /etc/ldap/ldap.conf | sed -e "s|#.*||g" | grep -q TLS_CACERT || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
691 |
grep -q ^TLS_CACERT /etc/ldap/ldap.conf || echo "TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem" >>/etc/ldap/ldap.conf |
664 |
|
692 |
|
665 |
touch /var/univention-join/joined |
693 |
touch /var/univention-join/joined |
666 |
ln -sf /var/univention-join/joined /usr/share/univention-join/.joined |
694 |
ln -sf /var/univention-join/joined /usr/share/univention-join/.joined |
667 |
|
695 |
|
668 |
univention-config-registry set nsswitch/ldap=yes >>/var/log/univention/join.log 2>&1 |
696 |
univention-config-registry set nsswitch/ldap=yes >>/var/log/univention/join.log 2>&1 |
669 |
eval `univention-config-registry shell` |
697 |
eval "$(univention-config-registry shell)" |
670 |
|
698 |
|
671 |
if test -e "/usr/lib/univention-install/"; then |
699 |
if test -e "/usr/lib/univention-install/"; then |
672 |
for i in /usr/lib/univention-install/*.inst; do |
700 |
for i in /usr/lib/univention-install/*.inst; do |
673 |
echo -n "Configure `basename $i` " |
701 |
echo -n "Configure ${i##*/} " |
674 |
echo "Configure `basename $i` " >>/var/log/univention/join.log |
702 |
echo "Configure ${i##*/} " >>/var/log/univention/join.log |
675 |
$i --binddn $binddn --bindpwd `cat $DCPWD` >>/var/log/univention/join.log 2>&1 |
703 |
if ! "$i" --binddn "$binddn" --bindpwd "$(<"$DCPWD")" >>/var/log/univention/join.log 2>&1 |
676 |
if [ $? != 0 ]; then |
704 |
then |
677 |
echo -e "\033[60Gfailed" |
705 |
echo -e "\033[60Gfailed" |
678 |
echo "FAILED: `basename $i`" |
706 |
echo "FAILED: ${i##*/}" |
679 |
failed_message "FAILED: `basename $i`" |
707 |
failed_message "FAILED: ${i##*/}" |
680 |
else |
708 |
else |
681 |
echo -e "\033[60Gdone" |
709 |
echo -e "\033[60Gdone" |
682 |
fi |
710 |
fi |
|
694 |
/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 |
722 |
/etc/init.d/univention-directory-listener restart >>/var/log/univention/join.log 2>&1 |
695 |
fi |
723 |
fi |
696 |
|
724 |
|
697 |
if [ -n "$REMOVE_PWD_FILE" -a -n "$DCPWD" ]; then |
|
|
698 |
rm -f $DCPWD |
699 |
fi |
700 |
|
701 |
if [ "$interfaces_eth0_type" != "dhcp" ]; then |
725 |
if [ "$interfaces_eth0_type" != "dhcp" ]; then |
702 |
univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1 |
726 |
univention-config-registry commit /etc/resolv.conf >>/var/log/univention/join.log 2>&1 |
703 |
fi |
727 |
fi |