#!/bin/sh

set -e

# source debconf library.
. /usr/share/debconf/confmodule
db_version 2.0

#DEBHELPER#

pam-auth-update --package

# check to see if name is configured to do lookups through
# LDAP and enable if not
# Note: this function is in both libnss-ldapd.postinst and libpam-ldapd.postinst
nss_enable()
{
  name="$1"
  if ! grep -q '^'$name':.*ldap.*' /etc/nsswitch.conf
  then
    echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
    if grep -q '^'$name':' /etc/nsswitch.conf
    then
      # modify an existing entry by just adding ldap to the end
      sed -i 's/^\('$name':.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
    else
      # append a new line
      printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf
    fi
  fi
  # we're done
  return 0
}

# if /etc/nsswitch.conf contains passwd: ..ldap but not shadow: ...ldap
# warn the user that this will not work and offer to fix it
# (only do this if it seems we have switched to pam-auth-update)
if grep -q '^passwd:.*ldap' /etc/nsswitch.conf && \
   ! grep -q '^shadow:.*ldap' /etc/nsswitch.conf && \
   grep -q pam-auth-update /etc/pam.d/common-auth
then
  if db_input critical libpam-ldapd/enable_shadow
  then
    db_go
    db_get libpam-ldapd/enable_shadow
    if [ "$RET" = "true" ]
    then
      nss_enable shadow
    fi
  fi
fi