#!/bin/bash
# this script runs INSIDE the container
# set -e  # exit on any error?

echo "--> Starting ldapdock 0.10"
echo "--> Launching slapd (temp)..."

# start slapd temporarily for setup
/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap &
sleep 3

# populate with user & group
echo "--> Populating directory with users and groups..."
cat > /tmp/add_content.ldif << EOF
dn: ou=People,dc=${LDAP_HOST}
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=${LDAP_HOST}
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=${LDAP_HOST}
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=${LDAP_HOST}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF
sleep 2

# add the structure — ignore "already exists" errors only here
echo "--> Adding base structure..."
ldapadd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -f /tmp/add_content.ldif || \
    echo "--> Some entries already exist — continuing (this is normal)"
# setting up user marisa of group People password
ldappasswd -x -D "cn=admin,dc=${LDAP_HOST}" -w admin -s qwerty "uid=marisa,ou=People,dc=${LDAP_HOST}"
sleep 2

# load and enable policies module

echo "--> Loading policies module..."
cat > modify_ppolicy_module.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOF

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif

# restarting slapd to load ppolicy.so

slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
sleep 3

cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
EOF
#olcPPolicyDefault: cn=default,ou=policies,dc=${LDAP_HOST}

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif

# display schemas loaded by default
echo "--> Schemas loaded by default..."
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

# kill temp slapd
pkill slapd
sleep 3

# === CERTIFICATES: ONLY IF NOT ALREADY EXPORTED ===
if [ ! -f "/export-certs/mycacert.crt" ]; then
    echo "--> No CA found in /export-certs → generating certificates..."

    mkdir -p /etc/ldap/certs
    cd /etc/ldap/certs

    # CA
    certtool --generate-privkey --bits 4096 --outfile ca-key.pem
    cat > ca.info <<EOF
cn = Example Company CA
ca
cert_signing_key
expiration_days = 3650
EOF
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem

    # server
    certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
    cat > ldap01.info <<EOF
organization = Example Company
cn = ${LDAP_HOST}
tls_www_server
encryption_key
signing_key
expiration_days = 365
EOF
    certtool --generate-certificate \
      --load-privkey ldap01_slapd_key.pem \
      --load-ca-certificate ca-cert.pem \
      --load-ca-privkey ca-key.pem \
      --template ldap01.info \
      --outfile ldap01_slapd_cert.pem

    # permissions
    chgrp openldap ldap01_slapd_key.pem
    chmod 640 ldap01_slapd_key.pem

    # bundle
    cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
    chown root:openldap ldap01_slapd_cert_full.pem
    chmod 640 ldap01_slapd_cert_full.pem

    # start temp slapd to apply config
    slapd -h "ldap:/// ldapi:///" -u openldap -g openldap &
    sleep 3

    # apply TLS config
    cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif

    # trust locally
    cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
    update-ca-certificates

    # kill temp
    pkill slapd
    sleep 2

    # === EXPORT TO HOST (always, since volume is mounted) ===
    echo "--> Exporting CA to /export-certs..."
    cp /etc/ldap/certs/ca-cert.pem /export-certs/mycacert.crt
    cp /etc/ldap/certs/ldap01_slapd_cert_full.pem /export-certs/server-cert.pem
    echo "--> Certificate READY at ./hosts-certs/mycacert.crt on host"
else
    echo "--> CA already exists at /export-certs/mycacert.crt → skipping generation"
fi

# === FINAL SLAPD START ===
echo "--> Starting final slapd with LDAPS..."
slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
sleep 3

# === ENABLE TLS FOR ALL CLIENT TOOLS INSIDE CONTAINER ===
export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
echo "LDAPTLS_CACERT=$LDAPTLS_CACERT (all ldap* commands now work with TLS)"
echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
source ~/.bashrc

echo "--> ldapdock framework ready."

# === KEEP CONTAINER ALIVE AND CONTINUE ===

# 'exec' replaces the script process with the command (e.g., /bin/bash),
# ensuring the container stays alive as long as that command runs interactively.
echo "Executing: $@"
exec "$@"