#!/bin/ksh
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#
# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
#
# The contents of this file are subject to the terms
# of the Common Development and Distribution License
# (the License). You may not use this file except in
# compliance with the License.
#
# You can obtain a copy of the License at
# https://opensso.dev.java.net/public/CDDLv1.0.html or
# opensso/legal/CDDLv1.0.txt
# See the License for the specific language governing
# permission and limitations under the License.
#
# When distributing Covered Code, include this CDDL
# Header Notice in each file and include the License file
# at opensso/legal/CDDLv1.0.txt.
# If applicable, add the following below the CDDL Header,
# with the fields enclosed by brackets [] replaced by
# your own identifying information:
# "Portions Copyrighted [year] [name of copyright owner]"
#
# $Id
#
#########################################################################
#
# This is a convenient script for federating users in a bulk manner.
#
# The script assumes that the backend user database is LDAP compliant
# and the OpenSSO as the federation software provider.
#
# This script expects userdn mappins file as the primary input for creating
# federation data for the users specified in the file. The userdns must be
# separated by "|" and must be in the order of spuser followed by an idpuser.
# For e.g.
# uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com
#
# This script generates unique random identifiers for each user mapping
# and creates four different files namely:
# spnameidentifiers.txt, idpnameidentifiers.txt,
# spuserdata.ldif and idpuserdata.ldif.
#
# This will also load federation data (*.ldif file) locally based on the
# given provider role. For e.g. if the local provider role is "SP", this
# will load spuserdata.ldif locally or idpuserdata.ldif for IDP role.
#
# The idpuserdata.ldif/spuserdata.ldif files will also be stored locally for
# convenient loading using ldapmodify command if the remote provider is
# also an OpenSSO instance.
#
# If the remote provider is not an OpenSSO instance, the generated
# files
# spnameidentifies.txt/idpnameidentifies.txt can be exchanged to the second
# party so that it can generate federation/user specific data based on
# this input.
#
#########################################################################
OSTYPE=`/bin/uname -s`
BASE=BASEDIR/PRODUCT_DIR
if [ "$OSTYPE" = "Linux" ]; then
gettext=/bin/gettext
ECHO=/bin/echo
NECHO='/bin/echo -n'
RM=/bin/rm
OMIT=''
else
gettext=/usr/bin/gettext
ECHO=/usr/bin/echo
NECHO=/usr/bin/echo
RM=/usr/bin/rm
OMIT='\c'
fi
GENERATE_LDIF=$BASE/bin/amGenerateLDIF.pl
GENERATE_NI=$BASE/bin/amGenerateNI.pl
LDAPMODIFY=$BASE/bin/ldapmodify
export LD_LIBRARY_PATH=$BASE/ldaplib/ldapsdk:TAG_NSS_SO_PATH
display_help() {
$ECHO "`$gettext 'Usage: ' `"
$ECHO "`$gettext ' ' `$0 [ -u | --user ] [ -w | --passfile ] [ -h | --host ] [ -p | --port ] [ -r | --role ] [ -s | --spid ] [ -i | --idpid ] [-f | --file]"
$ECHO
$ECHO "`$gettext 'Where:'`"
$ECHO "`$gettext ' -f, --file'`"
$ECHO "`$gettext ' Flat file that contains userDN mappings for'`"
$ECHO "`$gettext ' the spusers and idpusers separated by | .'`"
$ECHO "`$gettext ' -u, --user'`"
$ECHO "`$gettext ' Administrative userdn in LDAP server who has '`"
$ECHO "`$gettext ' write priveleges for modifying user entries '`"
$ECHO "`$gettext ' -w, --passfile'` "
$ECHO "`$gettext ' Password file'` "
$ECHO "`$gettext ' -r, --role'` "
$ECHO "`$gettext ' Provider Role. It must be either IDP or SP'` "
$ECHO "`$gettext ' -h, --host'`"
$ECHO "`$gettext ' LDAP Server HostName. Assumes localhost if not present.'`"
$ECHO "`$gettext ' -p, --port'`"
$ECHO "`$gettext ' LDAP Server Port. Assumes localport if not present.'`"
$ECHO "`$gettext ' -s, --spid'`"
$ECHO "`$gettext ' Service Provider ID'`"
$ECHO "`$gettext ' -i, --idpid'`"
$ECHO "`$gettext ' Identity Provider ID'`"
$ECHO
$ECHO "`$gettext 'Options:'`"
$ECHO "`$gettext ' -H, --help'`"
$ECHO "`$gettext ' Print Help(this message) and exit.'`"
$ECHO "`$gettext ' -V, --version'`"
$ECHO "`$gettext ' Prints Version'`"
}
display_version() {
$ECHO "`$gettext 'OpenSSO version 2005Q3.'`"
}
get_password() {
while [ 1 ]
do
eval $NECHO "`$gettext 'Enter user password : ${OMIT}'`"
stty -echo
read password
$ECHO
eval $NECHO "`$gettext 'Re-enter user password : ${OMIT}'`"
stty -echo
read password1
$ECHO
if [ $password = $password1 ];then
return
else
$ECHO "\a`$gettext 'Password does not match!'`"
fi
done
}
# Main starts here.
role=""
user=""
pfile=""
file=""
host=""
port=""
spproviderid=""
idpproviderid=""
if [ $# -eq 0 ]
then
display_help
exit 1
fi
while [ $# -ne 0 ]
do
case "$1" in
"-r" | "--role")
if [ "$2" != "SP" ] && [ "$2" != "IDP" ]; then
display_help
exit 1
else
role=$2
fi
shift
;;
"-u" | "--user")
if [ "$2" = "" ]; then
display_help
exit 1
fi
user=$2
shift
;;
"-w" | "--passfile")
if [ "$2" = "" ]; then
display_help
exit 1
fi
pfile=$2
shift
;;
"-h" | "--host")
if [ "$2" = "" ]; then
display_help
exit 1
fi
host=$2
shift
;;
"-p" | "--port")
if [ "$2" = "" ]; then
display_help
exit 1
fi
port=$2
shift
;;
"-V" | "--version")
display_version
exit 0
shift
;;
"-s" | "--spid")
if [ "$2" = "" ]; then
display_help
exit 1
fi
spproviderid=$2
shift
;;
"-i" | "--idpid")
if [ "$2" = "" ]; then
display_help
exit 1
fi
idpproviderid=$2
shift
;;
"-f" | "--file")
if [ "$2" = "" ]; then
display_help
exit 1
fi
file=$2
shift
;;
*)
display_help
exit 1
;;
esac
shift
done
if [ "$pfile" = "" ]; then
get_password
else
password=`cat $pfile`
fi
# Check for the non-null values
if [ "$idpproviderid" = "" ] && [ "$spproviderid" = "" ]; then
display_help
exit 1
fi
if [ "$host" = "" ]; then
host="localhost"
fi
if [ "$port" = "" ]; then
host="389"
fi
if [ "$file" = "" ] && [ "$user" = "" ] && [ "$password" = "" ]; then
display_help
exit 1
fi
if [ ! -f $GENERATE_NI ] && [ ! -f $GENERATE_LDIF ]; then
print "\a `$gettext 'Missing amGenerateNI.pl and amGenerateLDIF.pl scripts'`"
exit 1
fi
$GENERATE_NI $file
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in generating name identifier mappings'`"
exit 1
fi
if [ -f spuserdata.ldif ]; then
$RM spuserdata.ldif
fi
if [ -f idpuserdata.ldif ]; then
$RM idpuserdata.ldif
fi
if [ "$role" = "SP" ]; then
$GENERATE_LDIF spnameidentifiers.txt $spproviderid $idpproviderid SP
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in generating SP LDIF files'`"
exit 1
fi
$GENERATE_LDIF idpnameidentifiers.txt $spproviderid $idpproviderid IDP
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in generating IDP LDIF files'`"
exit 1
fi
$LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f spuserdata.ldif
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in modifying spusers data'`"
exit 1
fi
exit 0
fi
if [ "$role" = "IDP" ];then
$GENERATE_LDIF idpnameidentifiers.txt $spproviderid $idpproviderid IDP
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in generating LDIF files'`"
exit 1
fi
$GENERATE_LDIF spnameidentifiers.txt $spproviderid $idpproviderid SP
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in generating SP LDIF files'`"
exit 1
fi
$LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f idpuserdata.ldif
if [ $? != 0 ]; then
print "\a `$gettext 'Failed in modifying idpusers data'`"
exit 1
fi
exit 0
fi