#!/bin/bash
#
# Univention Configuration Registry
# Wrap ldapsearch to pass on credentials
#
# Copyright 2004-2014 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

eval "$(/usr/sbin/univention-config-registry shell)"

tempfile="$(mktemp)"

## check for option -D to avoid "ldapsearch: -D previously specified"
## check for option -w to avoid "ldapsearch: -y incompatible with -w"
args=()
for arg in "$@"; do
	if [ "$arg" = "-D" ] || [ "$arg" = "--binddn" ]; then
		binddn_given=true
		args[${#args[@]}]="-D"
	elif [ "$arg" = "-w" ] || [ "$arg" = "--bindpwd" ]; then
		password_given=true
		args[${#args[@]}]="-w"
	elif [ "$arg" = "--bindpwdfile" ]; then
		password_given=true
		args[${#args[@]}]="-y"
	else
		args[${#args[@]}]="$arg"
	fi
done

trap "rm -f $tempfile" EXIT

exec 2> >(tee -a $tempfile >&2)

do_search ()
{
	if [ -z "$binddn_given" ]; then
		binddn="$ldap_binddn"
		if [ -z "$binddn" ]; then
			binddn="$ldap_hostdn"
		fi
		if [ -z "$password_given" ]; then
			bindpw_file="/etc/machine.secret"
			ldapsearch -ZZ -D "$binddn" -y $bindpw_file "${args[@]}"
		else
			ldapsearch -ZZ -D "$binddn" "${args[@]}"
		fi
	else
		ldapsearch -ZZ "${args[@]}"
	fi
}

retry=${ldap_client_retry_count:-10}
attempts=$((retry+1))

for((i=0;i<$attempts;i++)); do
	do_search
	ret=$?
	grep -q "^ldap_start_tls: Can't contact LDAP server (-1)$" $tempfile || break
	echo >$tempfile
	sleep 1
done

exit $ret
