4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# The contents of this file are subject to the terms
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# of the Common Development and Distribution License
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# (the License). You may not use this file except in
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# compliance with the License.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# You can obtain a copy of the License at
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# https://opensso.dev.java.net/public/CDDLv1.0.html or
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# See the License for the specific language governing
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# permission and limitations under the License.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# When distributing Covered Code, include this CDDL
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# Header Notice in each file and include the License file
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# If applicable, add the following below the CDDL Header,
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# with the fields enclosed by brackets [] replaced by
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# your own identifying information:
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# "Portions Copyrighted [year] [name of copyright owner]"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster#########################################################################
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# This is a convenient script for federating SAMLv2 users in a bulk manner.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# The script assumes that the backend user database is LDAP compliant
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# and the OpenSSO or the Sun Java System Federation
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# Manager as the federation SAML version 2 software provider.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# This script expects userdn mappins file as the primary input for creating
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# federation data for the users specified in the file. The userdns must be
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# separated by "|" and must be in the order of localuser followed by a
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# remote user.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# This script generates unique random identifiers for each user mapping
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# and creates four different files namely:
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# localnameidentifiers.txt, remotenameidentifiers.txt,
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# This will also load federation data (localuserdata.ldif file) locally.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# The remoteuserdata.ldif will also be kept locally for
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# convenient loading using ldapmodify command if the remote provider is
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# also an OpenSSO instance.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# If the remote provider is not an OpenSSO instance, the generated
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# localnameidentifies.txt/remotenameidentifies.txt can be exchanged to the
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# remote party so that it can generate federation/user specific data based on
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# this input.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster#########################################################################
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan FosterGENERATE_LDIF=$BASE/saml2/lib/saml2GenerateLDIF.pl
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster if [ ! -f $LDAPMODIFY ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "`$gettext 'ldapmodify command path is not correct.'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "`$gettext 'please set the ldapmodify correctly..'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' ' `$0 [ -u | --user ] [ -w | --passfile ] [ -h | --host ] [ -p | --port ] [ -t | --role ] [ -l | --hostid ] [ -r | --remoteid ] [-f | --file]"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' Flat file that contains userDN mappings for `"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' the spusers and idpusers separated by | . `"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' Administrative userdn in LDAP server who has '`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' write priveleges for modifying user entries '`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' Host entity role. It must be either IDP or SP` "
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' LDAP Server HostName. Assumes localhost if not present. `"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' LDAP Server Port. Assumes localport if not present. `"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' Remote Provider Entity ID `"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "`$gettext ' Print Help(this message) and exit. `"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster eval $ECHO "`$gettext 'Enter user password : ${OMIT}'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster eval $ECHO "`$gettext 'Re-enter user password : ${OMIT}'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster $ECHO "\a`$gettext 'Password does not match!'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# Main starts here.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster if [ $? != 0 ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# Check for the non-null values
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ "$remoteentityid" = "" ] && [ "$hostentityid" = "" ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ "$file" = "" ] && [ "$user" = "" ] && [ "$password" = "" ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ ! -f $GENERATE_NI ] && [ ! -f $GENERATE_LDIF ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "\a `$gettext 'Missing saml2GenerateNI.pl and saml2GenerateLDIF.pl scripts'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterprint "`$gettext 'Generating name identifier mappings ..'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ $? != 0 ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "\a `$gettext 'Failed in generating name identifier mappings'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster$GENERATE_LDIF localnameidentifiers.txt $hostentityid $remoteentityid $role
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ $? != 0 ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "\a `$gettext 'Failed in generating LOCAL LDIF files'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# This is for the remote party consumption. Just generate LDIF incase if the
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# remote party is an OpenSSO server can leverage this
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# generated ldif file.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster$GENERATE_LDIF remotenameidentifiers.txt $remoteentityid $hostentityid $role
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ $? != 0 ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "\a `$gettext 'Failed in generating REMOTE LDIF files'`"
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster# Update user accounts locally.
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster$LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f localuserdata.ldif
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Fosterif [ $? != 0 ]; then
4fe4e4f798a84a46e567f64ceadd3648eb0582d4Allan Foster print "\a `$gettext 'Failed in modifying users data'`"