#!/bin/bash
# lmz-settings-users
#  Create additional users
#
# Depends: UDM
#
# Copyright (C) 2013-2018 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

# Abort on unset variables and on the first failing command; no pipefail,
# so the status of the "... | sed | head" pipelines below is that of the
# last stage only.
set -eu

# Import the UCR variables used below as shell variables (ucr shell
# emits "name=value" with '/' turned into '_', e.g. ldap/base becomes
# ${ldap_base}).  eval on tool output is the usual UCS idiom here;
# NOTE(review): it presumably relies on ucr shell quoting its values.
eval "$(ucr shell \
	domainname \
	hostname \
	ldap/base \
	ucsschool/ldap/default/container/teachers \
	ucsschool/ldap/default/groupprefix/admins \
	ucsschool/ldap/default/groupprefix/pupils \
	ucsschool/ldap/default/groupprefix/teachers \
	)"

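msg () { # {{{1
	# Write one timestamped log line to stdout: "<date>: <arguments joined by spaces>".
	# $@: message words
	# printf instead of "echo -e" so that backslashes in names or DNs are
	# printed literally and a message starting with '-' cannot be mistaken
	# for an echo option.
	printf '%s\n' "$(date): $*"
} # }}}1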

dn_exists () { # {{{1
	# $1: DN to probe
	# Returns 0 when a base-scope search of the DN yields a "dn:" line
	# (object present and readable), non-zero otherwise.  Diagnostics from
	# univention-ldapsearch are discarded; only grep's status is reported.
	local dn="${1}"
	univention-ldapsearch -s base -b "${dn}" dn -LLL 2>/dev/null \
		| grep -q '^dn:'
}
# }}}1

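create_user () { # {{{1
	# Create a users/user object unless one already exists at the given DN.
	# $1: Object DN, expected as "<attr>=<name>,<parent DN>"
	# $2..: further udm arguments (--set/--append key=value), passed through
	#       verbatim; note that a "password=..." given this way is visible in
	#       the process list while udm runs
	# Returns: 0 after a successful create; 1 when the object already exists
	#          (nothing is created); 2 for a DN without '=' or ','; otherwise
	#          the exit status of udm.
	local dn name pos_dn udm_type

	udm_type="users/user"

	dn="${1}"
	shift

	# Split the DN with parameter expansion instead of echo|sed, and refuse
	# a DN that cannot be split rather than calling udm with an empty
	# username or position.
	if [[ "${dn}" != *=*,* ]]; then
		msg "Refusing malformed DN '${dn}' (type: ${udm_type})"
		return 2
	fi
	name="${dn#*=}"     # drop everything up to the first '='
	name="${name%%,*}"  # ... and from the first ',' onwards
	pos_dn="${dn#*,}"   # parent DN: everything after the first ','

	if dn_exists "${dn}"; then
		msg "Ignoring existing object ${name} (type: ${udm_type})"
		return 1
	fi

	msg "Creating object ${name} (type: ${udm_type})"
	udm "${udm_type}" create --position "${pos_dn}" --set username="${name}" "${@}"
} # }}}1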

# Start execution

# User profile templates (Benutzer-Profilvorlagen) {{{1
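dn_templates="cn=templates,cn=users,${ldap_base}"
# Container holding the profile template users; --ignore_exists keeps re-runs
# of this script idempotent.
udm container/cn create --ignore_exists \
	--position "cn=users,${ldap_base}" \
	--set name="templates" \
	--set userPath=1

# teacher {{{2
uid_teacher="aproflehrer"
dn_aproflehrer="uid=${uid_teacher},${dn_templates}"
# create_user returns 1 for an already existing template, which "|| true"
# tolerates; it also hides a failed create, which then surfaces as a chown
# error below because the user does not exist.
# NOTE(review): 'paedmllinux' is a fixed password shared by several accounts
# in this script — confirm it is rotated after setup.
create_user "${dn_aproflehrer}" \
	--set 'password=paedmllinux' \
	--set 'lastname=AProfLehrer' \
	--set 'description=Profilbenutzer für Lehrer' \
	--set "scriptpath=ucs-school-logon.vbs" \
	--set "profilepath=%LOGONSERVER%\\%USERNAME%\\windows-profiles\\default" \
	--set "sambahome=\\\\server\\${uid_teacher}" \
	--set "homedrive=H:" \
	--set "primaryGroup=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}" \
	--append "groups=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}" \
	--append "groups=cn=${ucsschool_ldap_default_groupprefix_teachers}schule,cn=groups,ou=schule,${ldap_base}" \
	|| true

# Numeric owner/group for the share object below.  The pipelines report only
# the status of their last stage, so check for empty results explicitly
# instead of creating a share with an empty owner or group.
uidNumber_teacher="$(univention-ldapsearch -s base -b "${dn_aproflehrer}" uidNumber | ldapsearch-wrapper | sed -n -e 's/^uidNumber: //p' | head -n 1)"
[[ -n "${uidNumber_teacher}" ]] || { msg "No uidNumber found for ${dn_aproflehrer}"; exit 1; }
gidNumber_domain_users="$(getent group "Domain Users schule"|awk -F: '{print $3}')"
[[ -n "${gidNumber_domain_users}" ]] || { msg "Group 'Domain Users schule' not resolvable via getent"; exit 1; }
mkdir -p "/home/${uid_teacher}"
chown "${uid_teacher}:${gidNumber_domain_users}" "/home/${uid_teacher}"
# Read-only Samba share of the template's Desktop directory, forced to the
# template user so the files are served with that identity.
udm shares/share create --ignore_exists \
	--position "cn=${hostname}.${domainname},cn=shares,${ldap_base}" \
	--set name="${uid_teacher}-desktop" \
	--set host="${hostname}.${domainname}" \
	--set path="/home/${uid_teacher}/Desktop" \
	--set sambaForceUser="${uid_teacher}" \
	--set sambaForceGroup="+Domain Users schule" \
	--set owner="${uidNumber_teacher}" \
	--set group="${gidNumber_domain_users}" \
	--set directorymode="0755" \
	--set writeable=0 \
	--set sambaWriteable=0 \
	--set sambaBrowseable=1 \
	--option samba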

# student {{{2
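uid_student="aprofschueler"
dn_aprofschueler="uid=${uid_student},${dn_templates}"
# create_user returns 1 for an already existing template, which "|| true"
# tolerates; a failed create is hidden as well and surfaces at chown below.
create_user "${dn_aprofschueler}" \
	--set 'password=paedmllinux' \
	--set 'lastname=AProfSchüler' \
	--set 'description=Profilbenutzer für Schüler' \
	--set "scriptpath=ucs-school-logon.vbs" \
	--set "profilepath=%LOGONSERVER%\\%USERNAME%\\windows-profiles\\default" \
	--set "sambahome=\\\\server\\${uid_student}" \
	--set "homedrive=H:" \
	--set "primaryGroup=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}" \
	--append "groups=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}" \
	--append "groups=cn=${ucsschool_ldap_default_groupprefix_pupils}schule,cn=groups,ou=schule,${ldap_base}" \
	|| true

# Numeric owner for the share object; the pipeline only reports the status
# of "head", so refuse to continue with an empty uidNumber.  The group id
# (gidNumber_domain_users) was resolved in the teacher section above.
uidNumber_student="$(univention-ldapsearch -s base -b "${dn_aprofschueler}" uidNumber | ldapsearch-wrapper | sed -n -e 's/^uidNumber: //p' | head -n 1)"
[[ -n "${uidNumber_student}" ]] || { msg "No uidNumber found for ${dn_aprofschueler}"; exit 1; }
mkdir -p "/home/${uid_student}"
chown "${uid_student}:${gidNumber_domain_users}" "/home/${uid_student}"
# Read-only Samba share of the template's Desktop directory, served as the
# template user itself.
udm shares/share create --ignore_exists \
	--position "cn=${hostname}.${domainname},cn=shares,${ldap_base}" \
	--set name="${uid_student}-desktop" \
	--set host="${hostname}.${domainname}" \
	--set path="/home/${uid_student}/Desktop" \
	--set sambaForceUser="${uid_student}" \
	--set sambaForceGroup="+Domain Users schule" \
	--set owner="${uidNumber_student}" \
	--set group="${gidNumber_domain_users}" \
	--set directorymode="0755" \
	--set writeable=0 \
	--set sambaWriteable=0 \
	--set sambaBrowseable=1 \
	--option samba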

# domadmin {{{1
dn_domadmin="uid=domadmin,cn=users,${ldap_base}"
# domadmin is the account used to join clients to the domain and is made a
# member of Domain Admins, DC Backup Hosts and the opsi admin groups.
# NOTE(review): it gets the same fixed password as the other accounts in
# this script — confirm it is changed after setup.
domadmin_settings=(
	--set 'password=paedmllinux'
	--set 'lastname=domadmin'
	--set 'description=Benutzer wird zum Domänenbeitritt von Clients verwendet'
	--set "primaryGroup=cn=Domain Admins,cn=groups,${ldap_base}"
	--append "groups=cn=Domain Admins,cn=groups,${ldap_base}"
	--append "groups=cn=DC Backup Hosts,cn=groups,${ldap_base}"
	--append "groups=cn=Domain Users,cn=groups,${ldap_base}"
	--append "groups=cn=opsiadmin,cn=groups,${ldap_base}"
	--append "groups=cn=opsifileadmins,cn=groups,${ldap_base}"
)
# An already existing account makes create_user return 1; keep going.
create_user "${dn_domadmin}" "${domadmin_settings[@]}" || true
# }}}1

# ldapsuche {{{1
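# Random 20-character password; under "set -e" a failing makepasswd aborts
# the script before any account is touched.
pw_ldapsuche=$(makepasswd --chars=20)
dn_ldapsuche="uid=ldapsuche,cn=users,${ldap_base}"
# The secret file is only (re)written when the account was created in this
# run: an existing account keeps its old password, and the old secret file
# must stay valid for the applications that read it.
if create_user "${dn_ldapsuche}" \
	--set "password=${pw_ldapsuche}" \
	--set 'lastname=ldapsuche' \
	--set 'description=Benutzer wird von externen Anwendungen wie der Firewall zum Zugriff auf das LDAP verwendet' \
	--set "primaryGroup=cn=Domain Guests,cn=groups,${ldap_base}" \
	--set "groups=cn=Domain Guests,cn=groups,${ldap_base}" \
	; then
	# Create the file owner-only from the start (umask in a subshell) instead
	# of inheriting the caller's umask, and tighten an already existing file;
	# printf avoids echo's option/escape handling.  No trailing newline, as
	# before.
	( umask 077 && printf '%s' "${pw_ldapsuche}" > /etc/ldapsuche.secret )
	chmod 0600 /etc/ldapsuche.secret
fi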
# }}}1

# schoolopsiadmin {{{1
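# Random 20-character password; a failing makepasswd aborts under "set -e".
pw_schoolopsiadmin=$(makepasswd --chars=20)
dn_schoolopsiadmin="uid=schoolopsiadmin,cn=users,${ldap_base}"
# Only write the secret when the account was created in this run, so an
# existing account and its existing secret file stay consistent.
if create_user "${dn_schoolopsiadmin}" \
	--set "password=${pw_schoolopsiadmin}" \
	--set 'lastname=schoolopsiadmin' \
	--set 'description=Benutzer wird zur Steuerung von OPSI verwendet' \
	--set "primaryGroup=cn=opsiadmin,cn=groups,${ldap_base}" \
	--append "groups=cn=opsiadmin,cn=groups,${ldap_base}" \
	--append "groups=cn=opsifileadmins,cn=groups,${ldap_base}" \
	; then
	# Owner-only secret file regardless of the caller's umask; printf instead
	# of echo -n, still without a trailing newline.
	( umask 077 && printf '%s' "${pw_schoolopsiadmin}" > /etc/schoolopsiadmin.secret )
	chmod 0600 /etc/schoolopsiadmin.secret
fi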
# }}}1

# netzwerkberater {{{1
dn_netzwerkberater="uid=netzwerkberater,cn=admins,cn=users,ou=schule,${ldap_base}"
# School network adviser account: same Samba logon settings as the profile
# templates, member of the school admin group, BackupPC Admins and the
# school's Domain Users, with a mailbox on this host.
netzwerkberater_settings=(
	--set 'password=paedmllinux'
	--set 'lastname=Netzwerkberater'
	--set "scriptpath=ucs-school-logon.vbs"
	--set "profilepath=%LOGONSERVER%\\%USERNAME%\\windows-profiles\\default"
	--set "sambahome=\\\\server\\netzwerkberater"
	--set "homedrive=H:"
	--set "departmentNumber=schule"
	--set "primaryGroup=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}"
	--append "groups=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}"
	--append "groups=cn=${ucsschool_ldap_default_groupprefix_admins}schule,cn=ouadmins,cn=groups,${ldap_base}"
	--append "groups=cn=BackupPC Admins,cn=groups,${ldap_base}"
	--set 'mailPrimaryAddress=netzwerkberater@paedml-linux.lokal'
	--set mailHomeServer="${hostname}.${domainname}"
)
# An already existing account makes create_user return 1; keep going.
create_user "${dn_netzwerkberater}" "${netzwerkberater_settings[@]}" || true
# }}}1

# netzwerkberater: mail aliases {{{1
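msg "Modify netzwerkberater account"
# The last argument line must not end in a backslash: a continuation there
# silently pulls the following comment and blank lines into the command.
# NOTE(review): this relies on the UDM CLI collecting repeated --set values
# of a multi-valued property into one list — confirm both aliases end up on
# the object (elsewhere in this file additive multi-values use --append).
udm users/user modify --dn "${dn_netzwerkberater}" \
	--set "mailAlternativeAddress"=root@paedml-linux.lokal \
	--set "mailAlternativeAddress"=nagios@paedml-linux.lokal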
# }}}1
	

# Administrator {{{1
msg "Modify Administrator account"
# Built-in Administrator: add the school admin, school Domain Users and opsi
# file admin memberships, plus the Samba logon settings used by the profile
# templates above.
administrator_settings=(
	--append "groups=cn=${ucsschool_ldap_default_groupprefix_admins}schule,cn=ouadmins,cn=groups,${ldap_base}"
	--append "groups=cn=Domain Users schule,cn=groups,ou=schule,${ldap_base}"
	--append "groups=cn=opsifileadmins,cn=groups,${ldap_base}"
	--set "homedrive=H:"
	--set "sambahome=\\\\server\\Administrator"
	--set "scriptpath=ucs-school-logon.vbs"
)
udm users/user modify --dn "uid=Administrator,cn=users,${ldap_base}" "${administrator_settings[@]}"
# }}}1

# vi: ft=sh:tw=80:sw=4:ts=4:fdm=marker
