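#!/bin/bash
#
# Test if the LDAP server is working.
#
# Checks, in order: that slapd.conf enforces encrypted simple binds, that
# slapd is running and listening, that the server certificate verifies
# against the Debian Edu root CA, and that slapd survives a burst of more
# than 1024 concurrent connections.
#
# Output lines are prefixed with "success:", "error:" or "info:".  The exit
# status is non-zero when any check reported an error.
#
# $Id$

set -e

. /usr/share/debian-edu-config/testsuite-lib.sh

if test -r /etc/debian-edu/config ; then
  . /etc/debian-edu/config
fi

# Only Main-Server should use LDAP
case "$PROFILE" in
  *Main-Server*) ;;
  *) exit 0 ;;
esac

# Collects the outcome of every check below; set to 1 on any reported error.
RESULT=0

if [ -f /etc/ldap/slapd.conf ] ; then
  # "security ... simple_bind=128" makes slapd refuse simple (password)
  # binds unless the connection is protected with a security strength
  # factor of at least 128, i.e. passwords never cross the wire in clear.
  if grep -q '^security.* simple_bind=128' /etc/ldap/slapd.conf ; then
    echo "success: $0: LDAP requiring encryption to bind"
  else
    echo "error: $0: LDAP not requiring encryption to bind"
    RESULT=1
  fi
else
  echo "error: $0: /etc/ldap/slapd.conf is missing.  Is slapd installed?"
  exit 1
fi

if pidof slapd > /dev/null ; then
  echo "success: $0: slapd is running."
else
  echo "error: $0: slapd is not running."
  exit 1
fi

for port in ldap; do
  netstat_check "$port" tcp slapd || RESULT=1
done

# NOTE(review): slapcat dumps every entry in the directory, which normally
# includes password hashes and other personal data.  Treat the output of
# this test as sensitive and do not attach it unredacted to public reports.
if [ -x /usr/sbin/slapcat ] ; then
  slapcat | sed "s%^%info: $0: slapcat: %"
else
  echo "error: $0: Unable to find /usr/sbin/slapcat"
  RESULT=1
fi

if [ -f /etc/ssl/certs/debian-edu-server.crt ] ; then
  if [ -f /etc/ssl/certs/Debian-Edu_rootCA.crt ] ; then
    # Capture the verdict instead of piping straight into sed: in a
    # pipeline only sed's exit status is seen, so a failed verification
    # would otherwise still be reported as a success.
    verify_status=0
    verify_output=$(openssl verify \
      -CAfile /etc/ssl/certs/Debian-Edu_rootCA.crt \
      /etc/ssl/certs/debian-edu-server.crt 2>&1) || verify_status=$?
    printf '%s\n' "$verify_output" \
      | sed "s%^%info: $0: debian-edu-server.crt: %"
    # Require both a zero exit status and the ": OK" verdict line.
    if [ "$verify_status" -eq 0 ] \
      && printf '%s\n' "$verify_output" | grep -q ': OK$' ; then
      echo "success: Certificate debian-edu-server.crt has been verified by Debian-Edu_rootCA.crt."
    else
      echo "error: Certificate debian-edu-server.crt could not be verified by Debian-Edu_rootCA.crt."
      RESULT=1
    fi
  else
    echo "error: Certificate /etc/ssl/certs/Debian-Edu_rootCA.crt is missing."
    RESULT=1
  fi
else
  echo "error: Certificate /etc/ssl/certs/debian-edu-server.crt is missing."
  RESULT=1
fi

echo "info: connection per ldap-client"
netstat -a --numeric-hosts \
  | grep :ldap \
  | awk '{print $5}' \
  | cut -d: -f1 \
  | sort \
  | uniq -c \
  | sort -n \
  | sed "s%^%info: $0: clients: %"

# Check if LDAP server can handle more than 1024 concurrent LDAP
# connections (default ulimit for openfiles).  First flood LDAP server
# with connections, then try a simple search.  This used to fail with
# Debian Edu/Lenny, as slapd would stop working when it ran out of
# file descriptors.  Trying to flood it with more than the current
# limit (32768) file descriptors were tried but required increasing
# file-max, took very long and caused very high load on the server
# during testing.

ldap_server_uri=ldap
# The commands below read $ldap_server, which this script never assigned
# (only ldap_server_uri was set), so the URI collapsed to "ldap://".  Keep
# a value provided by the sourced configuration, else use the host above.
ldap_server=${ldap_server:-$ldap_server_uri}
limit=1200

# The flooding client itself needs more descriptors than connections opened.
ulimit -n 2048

if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
  echo "success: $0: search work before flodding the LDAP server with $limit connections."
else
  echo "error: $0: search fail before flodding the LDAP server with $limit connections"
  RESULT=1
fi

# Open $limit + 1 connections and hold them for five seconds.  The URI and
# the limit are passed as arguments rather than interpolated into the Perl
# source, so their values can never be parsed as code.
perl -MNet::LDAP -e '
  my ($uri, $limit) = @ARGV;
  sleep(5);
  my @c;
  for my $n (0 .. $limit) {
    $c[$n] = Net::LDAP->new($uri, onerror => undef);
    my $root = $c[$n]->root_dse() if $c[$n];
  }
  sleep(5);
' "ldap://$ldap_server" "$limit"

if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
  echo "success: $0: search work after flodding the LDAP server with $limit connections."
else
  echo "error: $0: search fail after flodding the LDAP server with $limit connections"
  RESULT=1
fi

exit "$RESULT"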