OpenLDAP slapd.d: Add or remove olcAuthzRegexp for a local user
#!/bin/bash
##
## OpenLDAP slapd.d: Add or remove olcAuthzRegexp for a localuser
## Copyright (c) 2024 SATOH Fumiyasu @ OSSTech Corp., Japan
##
## License: GNU General Public License version 3
##
## Strict mode: unset variables, failing commands and failing pipeline
## stages all abort the script.
set -o nounset
set -o errexit
set -o pipefail || exit $?
## Fixed locale so tool output (id, sed) is byte-stable.  /opt/osstech/bin
## is presumably where the OSSTech-packaged OpenLDAP client tools
## (ldapsearch, ldapmodify, ldifunbase64) live.
export LANG=C
export PATH="/opt/osstech/bin:$PATH"
## ======================================================================
## Common options for the ldap* client tools: talk to the local slapd over
## its UNIX socket (ldapi) and authenticate with SASL EXTERNAL, i.e. the
## caller's own peer credentials; -Q keeps SASL quiet.
ldap_opts=(-H 'ldapi:///' -Y 'external' -Q)
#######################################
# Search the local slapd and print the result as plain, unwrapped LDIF.
# Globals:   ldap_opts (read)
# Arguments: passed through to ldapsearch (base, scope, filter, attrs...)
# Outputs:   "attr: value" lines with base64 values decoded and the
#            "{N}" ordering prefix that cn=config puts on ordered values
#            removed
# Returns:   status of the pipeline (pipefail is enabled at the top)
#######################################
ldap_search() {
  local -a search_opts=("${ldap_opts[@]}" -LLL -o ldif-wrap=no)
  ## ldifunbase64: presumably the OSSTech helper that turns "attr:: b64"
  ## lines back into "attr: value".  The sed then strips the leading "{N}"
  ## index so the values can be resubmitted in a "replace:" without stale
  ## positions.
  ldapsearch "${search_opts[@]}" "$@" \
    | ldifunbase64 \
    | sed -E -e 's/^([A-Za-z][-.;0-9A-Za-z]*): \{[0-9]+\}/\1: /'
}
#######################################
# Apply the LDIF on stdin to the local slapd.
# Globals:   ldap_opts (read)
# Arguments: passed through to ldapmodify
# Returns:   ldapmodify's status
#######################################
ldap_modify() {
  ldapmodify "${ldap_opts[@]}" "$@"
}
## ======================================================================
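## Arguments: [USERNAME [DN]]
##   (none)      : print the current olcAuthzRegexp values and exit
##   USERNAME    : remove the mapping for that local user's peercred identity
##   USERNAME DN : remove it and add a mapping to DN instead
if (( $# > 2 )); then
  ## Diagnostics go to stderr so a captured listing never contains them.
  echo "Usage: $0 [USERNAME [DN]]" >&2
  exit 1
fi
## "${1+shift}" shifts only when an argument was actually given, which
## keeps this safe under "set -u" with fewer than two arguments.
authz_from_username=${1-}; ${1+shift}
authz_to_dn=${1-}; ${1+shift}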
## ======================================================================
## Current olcAuthzRegexp values of cn=config, one "olcAuthzRegexp: ..."
## line each ("{N}" indices already stripped by ldap_search), or empty when
## none are configured.  These map SASL authentication identities to DNs,
## so every line here is effectively a grant of that DN's rights.
authz_regexp_a=$(
  ldap_search -b cn=config -s base '(objectClass=*)' olcAuthzRegexp \
    | sed -n -e '/^olcAuthzRegexp:/p'
)
## No USERNAME given: list mode, nothing is modified.
[[ -n $authz_from_username ]] || {
  printf '%s\n' "$authz_regexp_a"
  exit 0
}
## ----------------------------------------------------------------------
## Numeric ids of the local user.  id(1) fails for an unknown user and the
## failed command substitution aborts the script under "set -e".
uid=$(id -u "$authz_from_username")
gid=$(id -g "$authz_from_username")
## Drop any existing mapping of this user's SASL EXTERNAL peercred identity
## (gidNumber=GID+uidNumber=UID,cn=peercred,cn=external,cn=auth), whether or
## not the stored regexp is wrapped in double quotes.  uid/gid are numeric,
## so splicing them into the sed pattern is safe.
peercred_re='\^gidNumber='"$gid"'\\\+uidNumber='"$uid"',cn=peercred,cn=external,cn=auth'
authz_regexp_b=$(
  sed -E -e '/^olcAuthzRegexp: "?'"$peercred_re"'/d' <<<"$authz_regexp_a"
)
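## With a DN: append a fresh mapping.  Once applied, slapd treats this local
## user (by uid/gid over ldapi with SASL EXTERNAL) as DN, so the DN is a
## privilege grant and must reach cn=config exactly as given.
if [[ -n $authz_to_dn ]]; then
  ## The DN is embedded as a double-quoted olcAuthzRegexp token on one LDIF
  ## line: a '"' would end the token early and a newline would split the
  ## LDIF record.  Neither can be represented, so refuse instead of
  ## submitting a value slapd cannot parse as intended.
  case $authz_to_dn in
    *'"'*|*$'\n'*)
      echo "$0: DN must not contain a double quote or a newline" >&2
      exit 1
      ;;
  esac
  ## Join with a newline only when there are surviving lines before it.
  authz_regexp_b+=${authz_regexp_b:+$'\n'}$(
    echo \
      'olcAuthzRegexp:' \
      ' "^gidNumber='"$gid"'\+uidNumber='"$uid"',cn=peercred,cn=external,cn=auth$"' \
      ' "'"dn:$authz_to_dn"'"' \
    ;
  )
fi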
## Replace the whole attribute with the filtered (and possibly extended)
## list; slapd assigns fresh "{N}" ordering indices itself.  An empty list
## simply clears olcAuthzRegexp.  The lone "-" ends the modify record.
## NOTE(review): this is a read-modify-write with no locking, so a
## concurrent change to olcAuthzRegexp made between the search above and
## this modify would be silently overwritten.
ldap_modify >/dev/null <<EOF
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
${authz_regexp_b:+$authz_regexp_b
}-

EOF
exit 0