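#!/bin/bash
# Diagnostic of the saslauthd LDAP delegation: service state, CA validation of
# the ldaps endpoint, bind account, and an end-to-end testsaslauthd check.
# Relies on /usr/lib/eole/diagnose.sh for EchoGras/EchoVert/EchoRouge/EchoOrange
# and len_pf, and on /usr/lib/eole/diagnose.sh being sourced by the caller chain.

. /usr/lib/eole/diagnose.sh

readonly SASLAUTHD_CONF=/etc/saslauthd.conf

#######################################
# Read one value from saslauthd.conf.
# Arguments: $1 - configuration key (e.g. ldap_bind_dn)
# Outputs:   the value (everything after the first space) of the first line
#            whose key is exactly $1, on stdout; empty if absent.
# Returns:   0 (grep/cut status is not propagated on purpose: a missing key
#            is reported as an empty value by the callers)
#######################################
conf_value() {
    local key=$1
    # Anchored on the key followed by ':' or whitespace so that commented-out
    # lines and longer keys sharing the prefix (e.g. ldap_password_attr when
    # looking for ldap_password) are not picked up; only the first match is used.
    grep -- "^${key}[[:space:]:]" "$SASLAUTHD_CONF" | head -n 1 | cut -d" " -f2-
    return 0
}

EchoGras "**** Délégation authentification (saslauth)"
echo

printf ". %${len_pf}s => " "Statut"
if [ "$(CreoleGet saslauthd_needed non)" = "oui" ]
then
    if [ "$(systemctl show --property=ActiveState saslauthd.service)" = "ActiveState=active" ]
    then
        EchoVert "active"
    else
        EchoRouge "inactive"
    fi
else
    EchoOrange "désactivée"
    echo
    exit 0
fi

# Validate the certificate used for the LDAP connection (if ldaps is enabled,
# which should always be the case).
printf ". %${len_pf}s => " "Certificat"

cacert=$(conf_value ldap_tls_cacert_file)
# ldap_servers may hold a space-separated list; only the first entry is probed.
ldap_server_uri=$(conf_value ldap_servers)
ldap_server_uri=${ldap_server_uri%% *}
# host[:port] part of the URI: drop the scheme, then anything after the authority.
ldap_host=${ldap_server_uri#*://}
ldap_host=${ldap_host%%/*}
# Keep an explicit port from the URI, otherwise assume the ldaps default.
case "$ldap_host" in
    *:*) ldap_connect=$ldap_host ;;
    *)   ldap_connect="${ldap_host}:636" ;;
esac

# NOTE(review): the TLS check only covers an ldaps:// endpoint; a STARTTLS
# (ldap:// + ldap_start_tls) setup would be reported as "Erreur" here.
if openssl s_client -connect "$ldap_connect" -verify_return_error -verify_quiet \
        -verifyCAfile "$cacert" </dev/null >/dev/null 2>&1
then
    EchoVert "OK"
else
    EchoRouge "Erreur"
fi

# Validate the bind account.
printf ". %${len_pf}s => " "Compte"
ldap_bind_dn=$(conf_value ldap_bind_dn)
ldap_password=$(conf_value ldap_password)
ldap_search_base=$(conf_value ldap_search_base)

# The password is handed to ldapsearch through a file descriptor (-y) rather
# than on the command line, so it does not show up in the process list.
if ldapsearch -H "$ldap_server_uri" -D "$ldap_bind_dn" \
        -y <(printf '%s' "$ldap_password") -b "$ldap_search_base" -x -LLL \
        >/dev/null 2>&1
then
    EchoVert "OK"
else
    EchoRouge "Erreur"
fi

# Validate the rights of the bind account
# To be determined

# Test an authentication through saslauthd, using the bind account itself
# (login = value of the first RDN of the bind DN).
user_cn=${ldap_bind_dn%%,*}
user_login=${user_cn#*=}
printf ". %${len_pf}s => " "Test authentification"
# testsaslauthd only accepts the password via -p, so it is briefly visible in
# the argument list of this one process; there is no stdin/file alternative.
if testsaslauthd -u "$user_login" -p "$ldap_password" >/dev/null 2>&1
then
    EchoVert "OK"
else
    EchoRouge "Erreur"
fi

echo
exit 0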
