#!/bin/sh

set -e

## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.
##
## This script creates the home directories and principals for users
## added with gosa.  Checks ensure that a home directory is only
## created when it does not already exist.  Malicious execution
## cannot hurt, because either the user is missing in ldap or his home
## directory already exists. In both cases nothing should happen.

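PREFIX=/skole
HOSTNAME=$(hostname -s)
USERID=$1

## $1 arrives from gosa (running as www-data) through sudo and is
## interpolated below into an LDAP filter, a kadmin command string and
## several file/program arguments.  Refuse anything outside the plain
## POSIX username character set up front, so that a wildcard ('*'),
## LDAP filter syntax ('(', ')', '\'), whitespace or a leading '-'
## (option injection into sendmail/smbpasswd/chown) can never reach
## those tools.  An empty or invalid id exits non-zero instead of
## silently doing nothing, so the caller can notice.
case "$USERID" in
    ""|-*|*[!A-Za-z0-9._-]*)
        printf '%s\n' "gosa-create: refusing invalid user id '$USERID'" >&2
        logger -t gosa-create -p warning "refusing invalid user id '$USERID'."
        exit 1
        ;;
esac

#FIXME Change this ldap search to only find new users, to not slow down as more users are added.
# One idea might be to look for objects without the krbPasswordExpiration attributes.

## lookup user and create home directory and principal:
## ldapsearch -LLL prints one "key: value" line per attribute and a blank
## line after each entry; perl joins LDIF continuation lines (newline
## followed by a single space) back onto one line before parsing.
## NB: attributes that ldapsearch emits base64-encoded ("cn:: ...") do not
## match the "cn:" arms below and are ignored (unchanged behaviour).
ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount)(!(objectClass=gosaUserTemplate)))" \
    cn homeDirectory gidNumber 2>/dev/null | perl -p0e 's/\n //g' | \
while read -r KEY VALUE ; do
    # read -r keeps backslashes in the DN intact (LDIF escapes commas as "\,").
    case "$KEY" in
        dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;;
        cn:) USERNAME="$VALUE" ;;
        homeDirectory:) HOMEDIR="$VALUE" ;;
        gidNumber:) GROUPID="$VALUE"  ;;
        "")
            # Blank line marks the end of one entry: act on what was collected.
            test "$HOMEDIR" || continue
            # Only touch paths below this server's own home tree.  This is a
            # literal prefix match (no regex metacharacters from PREFIX or
            # HOSTNAME), and ".." components are rejected so a crafted
            # homeDirectory cannot escape the tree via the prefix check.
            case "$HOMEDIR" in
                */../*|*/..) continue ;;
                "$PREFIX/$HOSTNAME"/*) ;;
                *) continue ;;
            esac
            # Skip anything that already exists, including a dangling symlink
            # (which -e alone does not see).
            if test -e "$HOMEDIR" || test -L "$HOMEDIR" ; then
                continue
            fi
            cp -r /etc/skel "$HOMEDIR"
            if type nscd > /dev/null 2>&1 ; then
                # These calls fail when nscd isn't running.  And then we do
                # not care about the result, as there is no cache to invalidate.
                nscd -i passwd || true
                nscd -i group || true
            fi
            mkdir -p "$HOMEDIR/.pki/nssdb"
            chmod -R 700 "$HOMEDIR/.pki/nssdb"
            certutil  -A -d "sql:$HOMEDIR/.pki/nssdb/" -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
            logger -t gosa-create -p notice "PKI nssdb files created in '$HOMEDIR'."
            chown -R "$USERID:$GROUPID" "$HOMEDIR"
            kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
            logger -t gosa-create -p notice "Home directory '$HOMEDIR' and principal '$USERID' created."
            smbpasswd -a -n -s "$USERID"
            logger -t gosa-sync -p notice "Samba account '$USERID' created."
## send a welcome-email:
            cat << EOF | /usr/lib/sendmail "$USERID"
Subject: Welcome to the mail-system

Hello $USERNAME,

welcome to the mail-system.

Your userID is $USERID, and your email address is:

    $USERID@postoffice.intern

Regards,

    Debian-Edu SysAdmin

EOF
        ;;
    esac
done

exit 0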
