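#!/bin/sh
#
# Verify the LDAP based sudo setup
#
# Prints one "success:" or "error:" line per check:
#   1. a sudoRole entry for cn=root can be read from LDAP,
#   2. sudoers_base is configured in /etc/sudo-ldap.conf,
#   3. the sudoers line in /etc/nsswitch.conf lists the ldap source,
#   4. the sudoers line in /etc/nsswitch.conf lists the files source.
# Failed checks are only reported; they do not change the exit status.

# Succeed when the LDIF read from stdin holds at least one entry.
# Every entry in "ldapsearch -LLL" output starts with a "dn:" line
# ("dn::" when the DN is base64 encoded), so an empty result set has none.
has_ldap_entry() {
    grep -q '^dn:'
}

if test -r /etc/debian-edu/config ; then
    . /etc/debian-edu/config
fi

# Standalone profile does not use LDAP based sudo
if echo "$PROFILE" | grep -Eq 'Standalone' ; then
    exit 0
fi

# ldapsearch exits 0 when the search itself succeeds, even if nothing
# matched the filter, so its exit status alone cannot show that the
# sudoRole entry exists.  Look for an entry in the output instead.
# No server or search base is given here, so the query depends on the
# client's LDAP defaults, and -x means a simple (anonymous) bind: the
# check passes only if the entry is readable that way.
if /usr/bin/ldapsearch -LLL -x "(&(cn=root)(objectClass=sudoRole))" \
    2>/dev/null | has_ldap_entry ; then
    echo "success: $0: sudoRole object for root exists in ldap"
else
    echo "error: $0: sudoRole object for root missing in ldap"
fi

# Without sudoers_base, sudo has no search base for sudoRole entries.
if grep -q '^sudoers_base' /etc/sudo-ldap.conf ; then
    echo "success: $0: sudoers_base is set in sudo-ldap.conf"
else
    echo "error: $0: sudoers_base is missing in sudo-ldap.conf"
fi

if grep -q '^sudoers:.* ldap' /etc/nsswitch.conf ; then
    echo "success: $0: ldap is enabled for sudoers in nsswitch.conf"
else
    echo "error: $0: ldap is not enabled for sudoers in nsswitch.conf"
fi

# The files source keeps the local sudoers file in use next to LDAP.
if grep -q '^sudoers:.*files' /etc/nsswitch.conf ; then
    echo "success: $0: files is enabled for sudoers in nsswitch.conf"
else
    echo "error: $0: files is not enabled for sudoers in nsswitch.conf"
fi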