#!/bin/bash
#
# Univention Configuration Registry
# Wrap ldapsearch to pass on credentials
#
# Copyright 2004-2021 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.

eval "$(/usr/sbin/univention-config-registry shell)"

## check for option -D to avoid "ldapsearch: -D previously specified"
## check for option -w to avoid "ldapsearch: -y incompatible with -w"
declare -a args=()
for arg in "$@"; do
	if [ "$arg" = "-D" ] || [ "$arg" = "--binddn" ]; then
		binddn_given=true
		args+=("-D")
	elif [ "$arg" = "-w" ] || [ "$arg" = "--bindpwd" ]; then
		password_given=true
		args+=("-w")
	elif [ "$arg" = "--bindpwdfile" ]; then
		password_given=true
		args+=("-y")
	else
		args+=("$arg")
	fi
done

do_search ()
{
	if [ -z "$binddn_given" ]; then
		binddn="${ldap_binddn:-}"
		if [ -z "$binddn" ]; then
			binddn="${ldap_hostdn:-}"
		fi
		if [ -z "$password_given" ]; then
			bindpw_file="/etc/machine.secret"
			ldapsearch -o ldif-wrap=no -ZZ -D "$binddn" -y $bindpw_file "${args[@]}"
		else
			ldapsearch -o ldif-wrap=no -ZZ -D "$binddn" "${args[@]}"
		fi
	else
		ldapsearch -o ldif-wrap=no -ZZ "${args[@]}"
	fi
}

tempfile="$(mktemp)"
trap 'rm -f "$tempfile"' EXIT

retry=${ldap_client_retry_count:-10}
for ((i=0;i<=retry;i++)); do
	[ "$i" -ge 1 ] && sleep 1
	exec 3>&1
	do_search 2>&1 1>&3 3<&- |
		tee "$tempfile" 1>&2 3<&-
	ret=${PIPESTATUS[0]}
	exec 3<&-
	grep -F -x -q "ldap_start_tls: Can't contact LDAP server (-1)" "$tempfile" || break
done

exit "$ret"
