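#!/bin/bash
# Sanity-check the Kerberos/SASL and TLS setup of a Debian slapd: the keytab
# saslauthd needs, the Cyrus SASL configuration, the listener URLs and the
# quality of the configured certificates.  Findings are printed to stdout.
#
# Tracing is kept from the original "-x" shebang; "set -x" also survives being
# run as "bash script.sh", where a shebang option is silently dropped.
set -x

# slapd.conf-style configuration (not cn=config) and the certificate tools.
SLAPDCONF=/etc/ldap/slapd.conf
OPENSSL=/usr/bin/openssl
CERTTOOL=/usr/bin/certtool

# Locate the keytab slapd/saslauthd is configured with: the "keytab: <path>"
# line of the Cyrus SASL configuration for slapd.  Debian ships it under
# /etc/ldap/sasl2, older layouts under /usr/lib/sasl2; the first readable file
# wins even if it carries no keytab line (KEYTAB then stays empty).
KEYTAB=
for sasl_conf in /etc/ldap/sasl2/slapd.conf /usr/lib/sasl2/slapd.conf ; do
    if test -r "${sasl_conf}" ; then
        KEYTAB=$(sed -ne 's/^keytab:[[:space:]]\+\(.\+\)/\1/p' "${sasl_conf}")
        break
    fi
done
unset sasl_conf

# KEYTAB1 and KEYTAB2 are never assigned anywhere in this file (apparently a
# leftover); the output format is kept, printf keeps it safe for odd values.
printf '"%s" %s %s\n' "${KEYTAB}" "${KEYTAB1-}" "${KEYTAB2-}"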

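#######################################
# Return 0 when the Debian package $1 is in the "installed" state.
# Arguments: $1 - package name
# Outputs:   nothing; dpkg's "package not installed" complaint on stderr is
#            silenced because a missing package is an expected answer here
# Returns:   0 if installed, non-zero otherwise (also when dpkg is absent)
#######################################
_dpkg_installed() {
    dpkg --status "$1" 2>/dev/null | grep "^Status:" | grep -q " installed"
}

#######################################
# Guess the Kerberos implementation from the installed client package.
# Globals:   KRB5KIND (written): HEIMDAL, MIT or UNKNOWN
# Arguments: none
# Returns:   0
#######################################
function kerberos-kind() {
    if _dpkg_installed heimdal-clients ; then
        KRB5KIND=HEIMDAL
    elif _dpkg_installed krb5-user ; then
        KRB5KIND=MIT
    else
        KRB5KIND=UNKNOWN
    fi
}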

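#######################################
# Read the default Kerberos realm (the "default_realm" setting) from krb5.conf.
# Globals:   KRB5REALM (written): the realm, or empty when not configured
# Arguments: $1 - path of the krb5.conf to read (optional, default
#                 /etc/krb5.conf)
# Returns:   0
#######################################
function kerberos-realm() {
    local conf=${1:-/etc/krb5.conf}
    # Anchor on the key so commented-out lines ("# default_realm = ...") and
    # other settings merely containing the word are skipped; accept both
    # "default_realm = X" and "default_realm=X"; the first hit wins so the
    # variable never holds several newline-separated values.
    KRB5REALM=$(awk -F= '/^[[:blank:]]*default_realm[[:blank:]]*=/ {
                            gsub(/[[:blank:]]/, "", $2); print $2; exit
                        }' "${conf}")
}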

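kerberos-kind
kerberos-realm

# The service principal slapd/saslauthd authenticates as; computed once so
# both keytab listings look for exactly the same fixed string (grep -F, so the
# dots of the host name are not treated as regex wildcards).
PRINCIPAL="ldap/$(hostname -f)@${KRB5REALM}"

if test -z "${KEYTAB}" ; then
    # Without an explicit path ktutil/klist would silently inspect the default
    # keytab, which is not the one slapd is configured with.
    echo "No keytab is configured in the sasl2 slapd.conf, so it can't be validated"
else
    case "${KRB5KIND}" in
        HEIMDAL)
            if ktutil -k "${KEYTAB}" list | grep -F -- "${PRINCIPAL}" ; then
                echo "Keytab for saslauthd seems to be good"
            else
                echo "Didn't find the keytab needed for method kerberos5 for saslauthd"
            fi
            ;;
        MIT)
            if klist -k "${KEYTAB}" | grep -F -- "${PRINCIPAL}" ; then
                echo "Keytab for saslauthd seems to be good"
            else
                echo "Didn't find the keytab needed for method kerberos5 for saslauthd"
            fi
            ;;
        *)
            echo "I don't know this kind of kerberos, so I can't validate the keytab"
            ;;
    esac
fi

# The Cyrus SASL configuration for slapd must hand password checks to
# saslauthd.  Look in the same two locations the keytab is read from (the
# first readable file wins) instead of only /usr/lib/sasl2.
SASLCONF=
for f in /etc/ldap/sasl2/slapd.conf /usr/lib/sasl2/slapd.conf ; do
    if test -r "${f}" ; then
        SASLCONF=${f}
        break
    fi
done
unset f
if test -z "${SASLCONF}" \
   || ! grep -E "^[[:blank:]]*pwcheck_method:[[:blank:]]*saslauthd" "${SASLCONF}" ; then
    echo "Can't find sasl2 Cyrus configuration for slapd"
fi

# SLAPD_SERVICES in /etc/default/slapd lists the URLs slapd listens on; the
# matching line is echoed so the reader sees the full setting.
for scheme in ldaps ldap ; do
    if ! grep -E "^[[:blank:]]*SLAPD_SERVICES=.*${scheme}://" /etc/default/slapd ; then
        echo "Can't find if ${scheme}:// is enabled"
    fi
done
unset scheme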

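# Certificate paths as configured in slapd.conf.
CACertFile=$(sed -ne 's/^TLSCACertificateFile[[:space:]]\+\(.\+\)/\1/p' "${SLAPDCONF}")
CertFile=$(sed -ne 's/^TLSCertificateFile[[:space:]]\+\(.\+\)/\1/p' "${SLAPDCONF}")

# Signature algorithms a certificate must not be signed with: MD2/MD5 are
# broken, and SHA-1 signatures are no longer accepted by current TLS clients.
WEAK_SIGALGS='(md2|md5|sha1)'

# Report missing/unreadable files once here; the tool checks below then skip
# them instead of failing with a tool error on an empty path.
if ! test -r "${CACertFile}" ; then
    echo "Can't read the TLSCACertificateFile \"${CACertFile}\" named in ${SLAPDCONF}"
fi
if ! test -r "${CertFile}" ; then
    echo "Can't read the TLSCertificateFile \"${CertFile}\" named in ${SLAPDCONF}"
fi

echo .
if test -x "${OPENSSL}" ; then
    # X.509 v1 certificates have no extensions field, so a v1 CA certificate
    # cannot carry basicConstraints/keyUsage.
    if test -r "${CACertFile}" \
       && "${OPENSSL}" x509 -noout -text -in "${CACertFile}" | grep "Version: 1" > /dev/null ; then
        echo "Was found a CA Certificate with a too old version"
    fi
    if test -r "${CertFile}" \
       && "${OPENSSL}" x509 -noout -text -in "${CertFile}" | grep "Signature Algorithm" | grep -E -i "${WEAK_SIGALGS}" > /dev/null ; then
        echo "The Host Certificate uses a broken Signature Algorithm"
    fi
fi
echo .
if test -x "${CERTTOOL}" ; then
    # certtool output is filtered to the identifying fields so the -B/-A
    # context printed around a hit is readable ("Look into the previous list").
    if test -r "${CACertFile}" ; then
        if "${CERTTOOL}" -i < "${CACertFile}" | grep -E '(Subject|Issuer|Signature Algorithm|Version):' | grep -B3 "Version: 1" ; then
            echo "Was found a CA Certificate with a too old version"
            echo "Look into the previous list"
        fi
    fi

    if test -r "${CertFile}" ; then
        if "${CERTTOOL}" -i < "${CertFile}" | grep -E '(Subject|Issuer|Signature Algorithm|Version):' | grep -E -B2 -A1 -i "${WEAK_SIGALGS}" ; then
            echo "The Host Certificate uses a broken Signature Algorithm"
            echo "Look into the previous list"
        fi
    fi
fi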

