From 5f5274025f5d20d093f27bab83e9cff4c8cae1fd Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Tue, 15 Dec 2020 13:48:29 +0100 Subject: [PATCH 1/5] Adding first ActiveDirectory support Need to be fixed : admin user membership FIXME note added --- dicos/25_cadolesldap.xml | 33 ++- ldap/schema/eole/cadoles.schema.ldif | 396 +++++++++++++++++++++++++++ posttemplate/91-cadolesldap | 47 +++- scripts/cadoles_add_schema.sh | 93 +++++++ tmpl/cadolesldap.ldif | 89 ++++-- 5 files changed, 623 insertions(+), 35 deletions(-) create mode 100644 ldap/schema/eole/cadoles.schema.ldif create mode 100755 scripts/cadoles_add_schema.sh diff --git a/dicos/25_cadolesldap.xml b/dicos/25_cadolesldap.xml index 1ea5129..7b037ee 100644 --- a/dicos/25_cadolesldap.xml +++ b/dicos/25_cadolesldap.xml @@ -6,24 +6,39 @@ - + oui - + + niveau01 niveau02 + + oui + + + cadoles-reader + + + + non + + + cadoles-writer + + - + non cadolesldap cadolesldap_pwdadmin @@ -35,6 +50,18 @@ + + non + cadolesldap_reader + cadolesldap_reader_pass + + + + non + cadolesldap_writer + cadolesldap_writer_pass + + libelle_etab diff --git a/ldap/schema/eole/cadoles.schema.ldif b/ldap/schema/eole/cadoles.schema.ldif new file mode 100644 index 0000000..c3ff35a --- /dev/null +++ b/ldap/schema/eole/cadoles.schema.ldif 
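Review bot: `cadolesldap_reader_pass` and `cadolesldap_writer_pass` hold service-account passwords, but the element markup is lost in this rendering, so it is not visible whether they are declared as password-type (hidden, not echoed) variables; please confirm, because a plain variable's value ends up in configuration dumps and in `CreoleGet` output captured by logs. The `cadolesldap_writer` entry should also state that `scripts/cadoles_add_schema.sh` puts that account into Domain Admins, so an administrator switching `cadolesldap_create_writer` to `oui` knows what is being granted.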
@@ -0,0 +1,396 @@ +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=givensName,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.101 +schemaIdGuid:: Jlbt5wmATVMcWKBhHjDO6Q== +cn: givensName +name: givensName +lDAPDisplayName: givensName +description:: UHLDqW5vbXMgQWdlbnQ= +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=usualname,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.102 +schemaIdGuid:: ZHr974ZZzNma8pHl9aaLKA== +cn: usualname +name: usualname +lDAPDisplayName: usualname +description: Nom Usage +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=birthdate,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.103 +schemaIdGuid:: wkZpNuM104JsF2zMxq3fnw== +cn: birthdate +name: birthdate +lDAPDisplayName: birthdate +description: Date de Naissance +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=birthcountry,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.104 +schemaIdGuid:: +ReayhtKgycw+f1WmyUFjA== +cn: birthcountry +name: birthcountry +lDAPDisplayName: birthcountry +description: Code INSEE Pays de Naissance +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=birthplace,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.105 
+schemaIdGuid:: PWA2lFufaLT7V426mHUTEA== +cn: birthplace +name: birthplace +lDAPDisplayName: birthplace +description: Code INSEE Lieu de Naissance +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=gender,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.106 +schemaIdGuid:: SLktEEb4rGlIyy5Eo9Shjg== +cn: gender +name: gender +lDAPDisplayName: gender +description: Sexe de la Personne +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=job,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.107 +schemaIdGuid:: nhVCGzIC/Fdk2uAMDGHfFA== +cn: job +name: job +lDAPDisplayName: job +description:: TcOpdGllcg== +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=position,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.108 +schemaIdGuid:: j0OPKDBf7J/iPToHdwF0ZQ== +cn: position +name: position +lDAPDisplayName: position +description:: Rm9uY3Rpb24gcmVsYXRpdmUgw6AgVW5pdMOpIE9yZ2FuaXNhdGlvbm5lbGxl +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=belongingpopulation,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.109 +schemaIdGuid:: KVMi+GCSzkYHccfbRnCmaQ== +cn: belongingpopulation +name: belongingpopulation +lDAPDisplayName: belongingpopulation +description: Population Appartenance +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: 
+changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=authlevel,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.110 +schemaIdGuid:: i7mCIv1VtoKwDOwX8hHs4A== +cn: authlevel +name: authlevel +lDAPDisplayName: authlevel +description:: Tml2ZWF1IEF1dGhlbnRpZmljYXRpb24gRGVtYW5kw6k= +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=siren,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.111 +schemaIdGuid:: yWAVXrzf61bqVFmttTCMoQ== +cn: siren +name: siren +lDAPDisplayName: siren +description: Identifiant Entreprise +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=siret,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.112 +schemaIdGuid:: xuETMsIWjPkNn9PP6XH2Hw== +cn: siret +name: siret +lDAPDisplayName: siret +description: Identifiant Etablissement +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=cadolesMember,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.113 +schemaIdGuid:: jKgWUFwz5KWM4Fkbbiuw6Q== +cn: cadolesMember +name: cadolesMember +lDAPDisplayName: cadolesMember +description: Membres du groupe +attributeSyntax: 2.5.5.1 +oMSyntax: 127 +isSingleValued: FALSE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=niveau01,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.114 +schemaIdGuid:: 
ax677pNcedcU/lJbaV61rg== +cn: niveau01 +name: niveau01 +lDAPDisplayName: niveau01 +description: Label Entreprise +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=niveau02,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: attributeSchema +attributeID: 2.16.840.1.113732.3.1.115 +schemaIdGuid:: caUDcwXPL7LKxotwqD4LsQ== +cn: niveau02 +name: niveau02 +lDAPDisplayName: niveau02 +description: Label Etablissement +attributeSyntax: 2.5.5.12 +oMSyntax: 64 +isSingleValued: TRUE + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=cadolesPerson,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: classSchema +governsID: 2.16.840.1.113732.3.1.1 +schemaIdGuid:: BS9z8eJKvYZ+lS8OJgeC1g== +cn: cadolesPerson +name: cadolesPerson +lDAPDisplayName: cadolesPerson +description: Description Personne Cadoles +subClassOf: top +objectClassCategory: 3 +mayContain: givensName +mayContain: usualname +mayContain: birthdate +mayContain: birthcountry +mayContain: birthplace +mayContain: gender +mayContain: job +mayContain: position +mayContain: belongingpopulation +mayContain: authlevel +defaultObjectCategory: CN=cadolesPerson,CN=Schema,CN=Configuration,{DNCONFIG} + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=cadolesSiren,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: classSchema +governsID: 2.16.840.1.113732.3.1.2 +schemaIdGuid:: 7pJbNueSjwpq7TsL2aiW1w== +cn: cadolesSiren +name: cadolesSiren +lDAPDisplayName: cadolesSiren +description: Siren +subClassOf: top +objectClassCategory: 3 +mayContain: siren +mayContain: niveau01 +defaultObjectCategory: CN=cadolesSiren,CN=Schema,CN=Configuration,{DNCONFIG} + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=cadolesSiret,CN=Schema,CN=Configuration,{DNCONFIG} 
+changeType: add +objectClass: top +objectClass: classSchema +governsID: 2.16.840.1.113732.3.1.3 +schemaIdGuid:: BOOf/nwBuCFehtpsyYrLjA== +cn: cadolesSiret +name: cadolesSiret +lDAPDisplayName: cadolesSiret +description: Siret +subClassOf: top +objectClassCategory: 3 +mayContain: siret +mayContain: postalAddress +mayContain: niveau02 +defaultObjectCategory: CN=cadolesSiret,CN=Schema,CN=Configuration,{DNCONFIG} + +DN: +changeType: modify +add: schemaUpdateNow +schemaUpdateNow: 1 +- + +dn: CN=cadolesGroup,CN=Schema,CN=Configuration,{DNCONFIG} +changeType: add +objectClass: top +objectClass: classSchema +governsID: 2.16.840.1.113732.3.1.4 +schemaIdGuid:: IPc/rPzhpAjekHrvXgdI8w== +cn: cadolesGroup +name: cadolesGroup +lDAPDisplayName: cadolesGroup +description: Descirption Groupe Cadoles +subClassOf: top +objectClassCategory: 3 +mayContain: cadolesMember +defaultObjectCategory: CN=cadolesGroup,CN=Schema,CN=Configuration,{DNCONFIG} + diff --git a/posttemplate/91-cadolesldap b/posttemplate/91-cadolesldap index 379fdf0..3a7d47c 100755 --- a/posttemplate/91-cadolesldap +++ b/posttemplate/91-cadolesldap 
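Review bot: `cadolesMember` is declared with `attributeSyntax: 2.5.5.1` / `oMSyntax: 127` but no `oMObjectClass`; AD's DN syntax also carries `oMObjectClass:: KwwCh3McAIVK`, and Samba appears to match syntaxes on that value too, so this attribute may be rejected at load or not be treated as a DN reference — verify before relying on it. Every `schemaUpdateNow: 1` block is sent before the entry it is meant to flush rather than after, so the first one is a no-op and the final class `cadolesGroup` is never followed by one; moving each modify block after its add keeps the schema cache consistent for whatever the calling script applies next. The `description: Descirption Groupe Cadoles` typo is carried over from the OpenLDAP schema and could be fixed here.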
@@ -17,25 +17,42 @@ function runAs() { return ${?} } +function addLDAPschema() +{ + LDIF="/etc/cadolesldap/init/cadolesldap.ldif" + USER="openldap" + CMD="\"slapadd -l ${LDIF} -f \"/etc/ldap/slapd.conf\"\"" + + service slapd stop + runAs ${USER} ${CMD} + result=$((result+${?})) + service slapd start + return ${result} +} + +function addADSchema() +{ + /usr/share/eole/sbin/cadoles_add_schema.sh + return ${?} +} + function main() { - MODE=${1} - - result=0 + MODE=${1} + result=0 - if [[ ${MODE} == "instance" ]] - then - LDIF="/etc/cadolesldap/init/cadolesldap.ldif" - USER="openldap" - CMD="\"slapadd -l ${LDIF} -f \"/etc/ldap/slapd.conf\"\"" - - service slapd stop - runAs ${USER} ${CMD} - result=$((result+${?})) - service slapd start - return ${result} - fi + if [[ ${MODE} == "instance" ]] + then + if [[ $(CreoleGet eole_module) == "seth" ]] + then + addADSchema + return ${?} + else + addLDAPschema + return ${?} + fi + fi } if [[ $(CreoleGet activer_cadolesldap non) == "oui" ]] diff --git a/scripts/cadoles_add_schema.sh b/scripts/cadoles_add_schema.sh new file mode 100755 index 0000000..ca987f4 --- /dev/null +++ b/scripts/cadoles_add_schema.sh 
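Review bot: `addLDAPschema` accumulates into `result` without declaring it (it only works because `main` sets the global `result=0` first) and ignores the exit status of `service slapd start`, so a slapd that does not come back after `slapadd` is reported as success; add `local result=0` at the top and fold the restart in with `service slapd start; result=$((result+${?}))`. After the refactor `result=0` in `main` is dead, since both branches `return ${?}` directly. `addADSchema` merely forwards the status of `cadoles_add_schema.sh`, which in this series always ends with `exit 0`, so a failed AD schema import is invisible to the instance run; the `if [[ $(CreoleGet activer_cadolesldap non) == "oui" ]]` that calls `main` continues past the end of this hunk.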
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+set -e
+
+if [[ ! -e /etc/eole/samba4-vars.conf ]]
+then
+ exit 0
+fi
+
+. /etc/eole/samba4-vars.conf
+
+function updateSchemaDN()
+{
+ STR=${1}
+ DN=${2}
+ FILE=${3}
+
+ sed -i -e "s/${STR}/${DN}/g" ${FILE}
+ return ${?}
+}
+
+function user_exists() {
+ local username="${1}"
+ samba-tool user show "${username}" > /dev/null 2>&1
+ return ${?}
+}
+
+DN="$(CreoleGet cadolesldap_basedn)"
+BASEDN="CN=Schema,CN=Configuration,${DN}"
+INITDIR="/etc/cadolesldap/init"
+
+RETURNED=$(ldbsearch --option="dsdb:schema update allowed"=true -H /var/lib/samba/private/sam.ldb -b $BASEDN CN=siren CN | grep "returned.*records")
+
+if [ "$RETURNED" = "# returned 0 records" ]; then
+ # Import schema
+ SCHEMAS="cadoles.schema"
+ PRIVATE_DIR=/etc/eole/private
+
+ for schema in $SCHEMAS
+ do
+ updateSchemaDN "{DNCONFIG}" "${DN}" /etc/ldap/schema/eole/${schema}.ldif
+ if [[ $? -ne 0 ]]
+ then
+ echo "Error updating DN for ${schema}"
+ break
+ fi
+ ldbmodify -H /var/lib/samba/private/sam.ldb /etc/ldap/schema/eole/${schema}.ldif --option="dsdb:schema update allowed"=true
+ if [[ $? -ne 0 ]]
+ then
+ echo "Error updating Schema ${schema} !!"
+ break
+ fi
+ done
+fi
+
+lv1=$(CreoleGet cadolesldap_niveau01name )
+RETURNED=$(ldbsearch --option="dsdb:schema update allowed"=true -H /var/lib/samba/private/sam.ldb -b $DN OU=${lv1} OU | grep "#.* entries")
+if [ "$RETURNED" = "# 0 entries" ]; then
+ ldbmodify -H /var/lib/samba/private/sam.ldb ${INITDIR}/cadolesldap.ldif
+ if [[ -e ${INITDIR}/cadolesindex.ldif ]]
+ then
+ ldbmodify --option="dsdb:schema update allowed"=true -H /var/lib/samba/private/sam.ldb ${INITDIR}/cadolesindex.ldif
+ fi
+
+ if [[ $(CreoleGet cadolesldap_create_reader non) == "oui" ]]
+ then
+ user=$(CreoleGet cadolesldap_reader)
+ password=$(CreoleGet cadolesldap_reader_pass)
+ if ! user_exists ${user}
+ then
+ echo "Ajout du compte d'écriture dans l'annuaire '$user'... "
+ samba-tool user create --random-password $user
+ samba-tool user setexpiry $user --noexpiry
+ samba-tool user setpassword $user --newpassword="${password}"
+ fi
+ fi
+
+ if [[ $(CreoleGet cadolesldap_create_writer non) == "oui" ]]
+ then
+ user=$(CreoleGet cadolesldap_writer)
+ password=$(CreoleGet cadolesldap_writer_pass)
+ if ! user_exists ${user}
+ then
+ echo "Ajout du compte d'écriture dans l'annuaire '$user'... "
+ samba-tool user create --random-password $user
+ samba-tool user setexpiry $user --noexpiry
+ samba-tool group addmembers 'Domain Admins' $user
+ samba-tool user setpassword $user --newpassword="${password}"
+ fi
+ fi
+fi
+
+exit 0
\ No newline at end of file
diff --git a/tmpl/cadolesldap.ldif b/tmpl/cadolesldap.ldif
index bde9d53..94a1562 100755
--- a/tmpl/cadolesldap.ldif
+++ b/tmpl/cadolesldap.ldif
@@ -1,66 +1,121 @@ %import pyeole.ssha -# Entrée 3: ou=%%cadolesldap_organization,o=gouv,c=fr -dn: ou=%%cadolesldap_organization,o=gouv,c=fr +# Entrée 3: ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: ou=%%cadolesldap_organization,%%cadolesldap_basedn +%if %%eole_module == "seth" +changetype: add +%end if objectclass: organizationalUnit objectclass: top ou: %%cadolesldap_organization -# Entrée 4: ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,o=gouv,c=fr -dn: ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,o=gouv,c=fr +# Entrée 4: ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%if %%eole_module == "seth" +changetype: add +%end if objectclass: organizationalUnit objectclass: top ou: %%cadolesldap_niveau01branche -# Entrée 5: cn=%%cadolesldap_niveau01name,ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,o=gouv,c=fr -dn: cn=%%cadolesldap_niveau01name,ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,o=gouv,c=fr +# Entrée 5: cn=%%cadolesldap_niveau01name,ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: cn=%%cadolesldap_niveau01name,ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%if %%eole_module == "seth" +changetype: add +%end if objectclass: posixGroup objectclass: top +%if %%eole_module == "seth" +objectclass: group +%else objectclass: sambaGroupMapping +%end if objectclass: cadolesGroup objectclass: cadolesSiren cn: %%cadolesldap_niveau01name gidnumber: 1 memberuid: admin -cadolesMember: uid=admin,ou=users,ou=%%cadolesldap_organization,o=gouv,c=fr +%if %%eole_module != "seth" +cadolesMember: uid=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%end if +%if %%eole_module != "seth" sambagrouptype: 2 sambasid: 1 +%end if +%if not %%is_empty(%%cadolesldap_niveau01siren) siren: 
%%cadolesldap_niveau01siren +%else +siren: %%cadolesldap_niveau01name +%end if -# Entrée 6: ou=%%cadolesldap_niveau02branche,ou=%%cadolesldap_organization,o=gouv,c=fr -dn: ou=%%cadolesldap_niveau02branche,ou=%%cadolesldap_organization,o=gouv,c=fr +# Entrée 6: ou=%%cadolesldap_niveau02branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: ou=%%cadolesldap_niveau02branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%if %%eole_module == "seth" +changetype: add +%end if objectclass: organizationalUnit objectclass: top -ou: %%%%cadolesldap_niveau02branche +ou: %%cadolesldap_niveau02branche -# Entrée 7: ou=groups,ou=%%cadolesldap_organization,o=gouv,c=fr -dn: ou=groups,ou=%%cadolesldap_organization,o=gouv,c=fr +# Entrée 7: ou=groups,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: ou=groups,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%if %%eole_module == "seth" +changetype: add +%end if objectclass: organizationalUnit objectclass: top ou: groups -# Entrée 8: ou=users,ou=%%cadolesldap_organization,o=gouv,c=fr -dn: ou=users,ou=%%cadolesldap_organization,o=gouv,c=fr +# Entrée 8: ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%if %%eole_module == "seth" +changetype: add +%end if objectclass: organizationalUnit objectclass: top ou: users -# Entrée 9: uid=admin,ou=users,ou=%%cadolesldap_organization,o=gouv,c=fr -dn: uid=admin,ou=users,ou=%%cadolesldap_organization,o=gouv,c=fr +%if %%eole_module == "seth" +# Entrée 9: cn=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: cn=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%else +# Entrée 9: uid=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +dn: uid=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%end if +%if %%eole_module == "seth" +changetype: add +%end if objectclass: top objectclass: person objectclass: organizationalPerson +%if 
%%eole_module == "seth" +objectclass: user +%end if objectclass: inetOrgPerson objectclass: cadolesPerson objectclass: cadolesSiren objectclass: cadolesSiret authlevel: simple uid: admin -cn: %%cadolesldap_organization +cn: admin sn: %%cadolesldap_organization displayname: Administrateur %%cadolesldap_organization givenname: Administrateur +%if not %%is_empty(%%system_mail_to) mail: %%system_mail_to +%end if +%if not %%is_empty(%%cadolesldap_niveau01siren) siren: %%cadolesldap_niveau01siren +%else +siren: %%cadolesldap_niveau01name +%end if niveau01: %%cadolesldap_niveau01name userpassword: %%pyeole.ssha.ssha_encode(%%cadolesldap_pwdadmin) + +%if %%eole_module == "seth" +# FIXME CadolesMember ... +# Entrée 9bis: cn=%%cadolesldap_niveau01name,ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +#dn: cn=%%cadolesldap_niveau01name,ou=%%cadolesldap_niveau01branche,ou=%%cadolesldap_organization,%%cadolesldap_basedn +#changetype: add +#cadolesMember: cn=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn +%end if \ No newline at end of file From 2baabd3c8031fd531d90b7153cebd49b43931ef5 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Tue, 12 Jan 2021 11:07:46 +0100 Subject: [PATCH 2/5] Update patch for cert management --- ldap/patchs/slapd.conf.patch | 42 ++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/ldap/patchs/slapd.conf.patch b/ldap/patchs/slapd.conf.patch index 8b50562..913653e 100644 --- a/ldap/patchs/slapd.conf.patch +++ b/ldap/patchs/slapd.conf.patch 
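Review bot: In the seth branch the admin entry is still written with `userpassword: %%pyeole.ssha.ssha_encode(%%cadolesldap_pwdadmin)`; AD authenticates on `unicodePwd`, and where Samba honours `userPassword` it takes the value as a cleartext password, so the SSHA string is either ignored or becomes the literal password rather than `cadolesldap_pwdadmin` — wrap that line in `%if %%eole_module != "seth"` and set the password afterwards with `samba-tool user setpassword` from `cadoles_add_schema.sh`. No `sAMAccountName` is given, so Samba presumably generates one; verify that is acceptable for an account named `admin`. The commented `Entrée 9bis` block re-adds the group DN with `changetype: add`, which fails on the existing entry; the FIXME resolves with `changetype: modify` / `add: cadolesMember` / `cadolesMember: cn=admin,ou=users,ou=%%cadolesldap_organization,%%cadolesldap_basedn`. `gidnumber: 1` and `memberuid: admin` on an `objectclass: group` entry assume the RFC 2307 attributes exist in the Samba schema — confirm the domain was provisioned with them.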
@@ -1,26 +1,50 @@ --- distrib/slapd.conf 2019-06-04 11:18:04.000000000 +0200 -+++ modif/slapd.conf 2020-03-24 09:10:44.724586266 +0100 -@@ -23,6 +23,7 @@ ++++ modif/slapd.conf 2021-01-12 11:06:19.496162295 +0100 +@@ -23,11 +23,19 @@ %elif %%ldap_schema == 'zephir' include /etc/ldap/schema/openldap.schema %end if +include /etc/ldap/schema/cadoles.schema - + ## Support du TLS ++%if cert_type == "manuel" ++TLSCertificateFile %%server_cert ++TLSCertificateKeyFile %%server_key ++TLSCACertificateFile %%server_pem ++%else TLSCertificateFile /etc/ldap/ssl/certs/openldap.crt -@@ -46,6 +47,7 @@ + TLSCertificateKeyFile /etc/ldap/ssl/private/openldap.key + TLSCACertificateFile /etc/ssl/certs/ca.crt ++%end if ++ + TLSVerifyClient never + TLSCipherSuite SECURE256:+SIGN-ALL:-VERS-SSL3.0:!AES-128-CBC:!3DES-CBC:!DES-CBC:!ARCFOUR-128:!ARCFOUR-40:!RC2-40:!CAMELLIA-128-CBC:!NULL + +@@ -46,6 +54,7 @@ %if %%ldap_replication == 'oui' or %%ldap_replication_client == 'oui' moduleload syncprov %end if +moduleload memberof - + # Sample security restrictions # Require integrity protection (prevent hijacking) -@@ -219,3 +221,7 @@ - %if %%ldap_replication_client == 'oui' - include /etc/ldap/replication.conf +@@ -80,6 +89,7 @@ + + # compatibilite EAD1 et appli PHP + allow bind_v2 ++allow bind_anon_dn + + database bdb + # The base of your directory +@@ -216,6 +226,10 @@ + syncprov-sessionlog 100 %end if -+ + +overlay memberof +memberof-group-oc cadolesGroup +memberof-member-ad cadolesMember ++ + %if %%ldap_replication_client == 'oui' + include /etc/ldap/replication.conf + %end if + From bb9ed1d3b634f3d148a56b6b3948ee20e9dacc5c Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Tue, 12 Jan 2021 11:13:40 +0100 Subject: [PATCH 3/5] Fix patch --- ldap/patchs/slapd.conf.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/patchs/slapd.conf.patch b/ldap/patchs/slapd.conf.patch index 913653e..7603410 100644 --- a/ldap/patchs/slapd.conf.patch +++ b/ldap/patchs/slapd.conf.patch 
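Review bot: `++allow bind_anon_dn` makes slapd accept a bind carrying a DN and an empty password as anonymous (the RFC 4513 "unauthenticated" bind), so any application that forwards user-supplied credentials without rejecting empty passwords gets an authentication bypass. If an EAD1/PHP client genuinely needs it, put the reason in the comment next to `allow bind_v2`; otherwise drop the line (patch 5 of this series does remove it again). In the `%%cert_type == "manuel"` branch, `TLSCACertificateFile %%server_pem` looks like a server PEM bundle rather than a CA chain — confirm what `server_pem` holds, since a wrong CA file silently breaks chain verification for clients.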
@@ -7,7 +7,7 @@ +include /etc/ldap/schema/cadoles.schema ## Support du TLS -+%if cert_type == "manuel" ++%if %%cert_type == "manuel" +TLSCertificateFile %%server_cert +TLSCertificateKeyFile %%server_key +TLSCACertificateFile %%server_pem From 362e1e3e179cd7fe09e3667baee925ab8d130231 Mon Sep 17 00:00:00 2001 From: Arnaud Fornerot Date: Wed, 13 Jan 2021 10:37:08 +0100 Subject: [PATCH 4/5] ajout de l'attribut mail pour l'objectclass cadolesGroup --- ldap/schema/cadoles.schema | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ldap/schema/cadoles.schema b/ldap/schema/cadoles.schema index 268da0a..d1ac852 100644 --- a/ldap/schema/cadoles.schema +++ b/ldap/schema/cadoles.schema @@ -131,5 +131,6 @@ objectclass ( 2.16.840.1.113732.3.1.4 NAME 'cadolesGroup' DESC 'Descirption Groupe Cadoles' SUP top AUXILIARY - MAY ( cadolesMember + MAY ( cadolesMember $ + mail ) ) From 0e223d0593867b095b28c86da45639ef71fb4a20 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 20 Jan 2021 14:05:01 +0100 Subject: [PATCH 5/5] Recover 2.6 version of the patch --- ldap/patchs/slapd.conf.patch | 44 ++++++++---------------------------- 1 file changed, 10 insertions(+), 34 deletions(-) diff --git a/ldap/patchs/slapd.conf.patch b/ldap/patchs/slapd.conf.patch index 7603410..8b50562 100644 --- a/ldap/patchs/slapd.conf.patch +++ b/ldap/patchs/slapd.conf.patch 
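Review bot: `mail` is added to `cadolesGroup` only in the OpenLDAP schema; the AD counterpart in `ldap/schema/eole/cadoles.schema.ldif` introduced earlier in this series (`cadolesGroup` with just `mayContain: cadolesMember`) is not updated, so the two backends now disagree on what a group may carry and a template putting `mail` on a group would be rejected on seth. Add `mayContain: mail` to that class as well (`mail` already exists in the AD base schema) so both stay in sync.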
@@ -1,50 +1,26 @@ --- distrib/slapd.conf 2019-06-04 11:18:04.000000000 +0200 -+++ modif/slapd.conf 2021-01-12 11:06:19.496162295 +0100 -@@ -23,11 +23,19 @@ ++++ modif/slapd.conf 2020-03-24 09:10:44.724586266 +0100 +@@ -23,6 +23,7 @@ %elif %%ldap_schema == 'zephir' include /etc/ldap/schema/openldap.schema %end if +include /etc/ldap/schema/cadoles.schema - + ## Support du TLS -+%if %%cert_type == "manuel" -+TLSCertificateFile %%server_cert -+TLSCertificateKeyFile %%server_key -+TLSCACertificateFile %%server_pem -+%else TLSCertificateFile /etc/ldap/ssl/certs/openldap.crt - TLSCertificateKeyFile /etc/ldap/ssl/private/openldap.key - TLSCACertificateFile /etc/ssl/certs/ca.crt -+%end if -+ - TLSVerifyClient never - TLSCipherSuite SECURE256:+SIGN-ALL:-VERS-SSL3.0:!AES-128-CBC:!3DES-CBC:!DES-CBC:!ARCFOUR-128:!ARCFOUR-40:!RC2-40:!CAMELLIA-128-CBC:!NULL - -@@ -46,6 +54,7 @@ +@@ -46,6 +47,7 @@ %if %%ldap_replication == 'oui' or %%ldap_replication_client == 'oui' moduleload syncprov %end if +moduleload memberof - + # Sample security restrictions # Require integrity protection (prevent hijacking) -@@ -80,6 +89,7 @@ - - # compatibilite EAD1 et appli PHP - allow bind_v2 -+allow bind_anon_dn - - database bdb - # The base of your directory -@@ -216,6 +226,10 @@ - syncprov-sessionlog 100 - %end if - -+overlay memberof -+memberof-group-oc cadolesGroup -+memberof-member-ad cadolesMember -+ +@@ -219,3 +221,7 @@ %if %%ldap_replication_client == 'oui' include /etc/ldap/replication.conf %end if - ++ ++overlay memberof ++memberof-group-oc cadolesGroup ++memberof-member-ad cadolesMember
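Review bot: This revert drops both the `allow bind_anon_dn` line and the `%%cert_type == "manuel"` certificate branch added two commits earlier, but the message only says "Recover 2.6 version"; the removal of `bind_anon_dn` was a genuine hardening and deserves to be stated so it is not reintroduced later. If manual-certificate support is still wanted, it should come back as its own change without the anonymous-bind line. Moving `overlay memberof` back after `include /etc/ldap/replication.conf` also changes overlay stacking relative to whatever that include configures — confirm that ordering is intended on replicas.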