#!/bin/dash
#
# Like what you see? Join us!
# https://www.univention.com/about-us/careers/vacancies/
#
# Copyright 2004-2022 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.

eval "$(univention-config-registry shell ldap/server/name windows/domain hostname connector/s4/ldap/.*)"

## check for option -U to avoid letting --simple-bind-dn taking precedence
optspec=":-:d:k:A:PU:"
while getopts "$optspec" option; do
	case "${option}" in
		d) debug=true;;
		k) credentials_given=true;;
		A) credentials_given=true;;
		P) credentials_given=true;;
		U) credentials_given=true;;
		-)
			case "${OPTARG}" in
				authentication-file|authentication-file=*)
					credentials_given=true;;
				machine-pass|machine-pass=*)
					credentials_given=true;;
				password|password=*)
					credentials_given=true;;
				simple-bind-dn|simple-bind-dn=*)
					credentials_given=true;;
				user|user=*)
					credentials_given=true;;
			esac;;
	esac
done

if ! [ "$credentials_given" = 'true' ]; then
	if [ -r '/etc/machine.secret' ]; then

		## currently the password in the secrets.ldb is set to machine.secret only on provision host, so we need to look it up from the secrets.ldb
		# sampassword=$(cat /etc/machine.secret)
		sampassword=$(ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName="${hostname}\$" secret | ldapsearch-wrapper | sed -n 's/secret: \(.*\)/\1/p')
		samaccount="${hostname}\$"

	fi
	if [ -n "$samaccount" ]; then

		option_samcredentials="-U$samaccount%$sampassword"
		set -- "$option_samcredentials" "$@"

	fi
fi

ldbsearch -H "ldaps://$ldap_server_name" "$@"
rc=$?

if [ "$debug" = 'true' ]; then
	echo "### Output of: ldbsearch -H ldaps://$ldap_server_name $@"
fi

exit $rc
