#!/bin/sh

set -e

# source debconf library.
. /usr/share/debconf/confmodule
db_version 2.0

#DEBHELPER#

pam-auth-update --package

# check whether the name is configure to do lookups through
# LDAP
# Note: this function is in libnss-ldapd.postinst, libnss-ldapd.postrm
#       and libpam-ldapd.postinst
nss_is_enabled()
{
  name="$1"
  grep -q '^[[:space:]]*'$name'[[:space:]]*:.*ldap.*' /etc/nsswitch.conf
}

# check to see if name is configured to do lookups through
# LDAP and enable if not
# Note: this function is in libnss-ldapd.postinst and libpam-ldapd.postinst
nss_enable()
{
  name="$1"
  if ! nss_is_enabled "$name"
  then
    echo "/etc/nsswitch.conf: enable LDAP lookups for $name" >&2
    if grep -q '^[[:space:]]*'$name'[[:space:]]*:' /etc/nsswitch.conf
    then
      # modify an existing entry by just adding ldap to the end
      sed -i 's/^\([[:space:]]*'$name'[[:space:]]*:.*[^[:space:]]\)[[:space:]]*$/\1 ldap/' /etc/nsswitch.conf
    else
      # append a new line
      printf '%-15s ldap\n' $name':' >> /etc/nsswitch.conf
    fi
    # invalidate nscd cache
    nscd -i "$name" > /dev/null 2>&1 || true
  fi
  # we're done
  return 0
}

# if /etc/nsswitch.conf contains passwd: ..ldap but not shadow: ...ldap
# warn the user that this will not work and offer to fix it
# (only do this if it seems we have switched to pam-auth-update)
if nss_is_enabled "passwd" && \
   ! nss_is_enabled "shadow" && \
   grep -q pam-auth-update /etc/pam.d/common-auth
then
  if db_input critical libpam-ldapd/enable_shadow
  then
    db_go
    db_get libpam-ldapd/enable_shadow
    if [ "$RET" = "true" ]
    then
      nss_enable "shadow"
    fi
  fi
fi