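#!/usr/bin/perl
# Add a new group to an LDAP database. Some of this script is copied from
# Debian's addgroup script. Thus, this script is licenced under the GNU GPL.
# Author: Nick Barkas
#
# N.B. There is a possibility of a race condition if more than one instance of
# this script is being run simultaneously using the same LDAP directory. Both
# instances may find the same free GID number before the groups are actually
# added to LDAP, and hence create two groups with the same GID. This would be
# bad.
#
# NOTE(review): this listing was recovered from a page on which every span
# between a '<' and the following '>' had been stripped (the STDIN read, the
# password-file read, the closing here-document and the body of
# get_current_gids). The places marked "reconstructed" below were filled in
# from context and should be checked against the original script.

use strict;
use warnings;
use Net::LDAP;

# Default configuration options.
my %CONF = (
    "first_gid" => 1000,
    "last_gid"  => 29999,
    # start with lowercase alpha, and allow numbers and - later in name
    "name_regex" => "^[a-z][-a-z0-9]*\$",
    "server"     => "ldap.example.org",
    "root_dn"    => "cn=admin,dc=ldap,dc=example,dc=org",
    "dn_suffix"  => "ou=Group,dc=ldap,dc=example,dc=org",
    "obj_class"  => [ "posixGroup", "top" ],
);

# Make sure the person running this is root.
unless ($< == 0) {
    die "You cannot add groups unless you are root.\n";
}

# Get the group name. Autoflush so the prompt is visible before the read
# blocks; the STDIN read itself is reconstructed (see header note).
$| = 1;
print "Enter group name: ";
chomp(my $group = <STDIN>);
die "No group name given.\n" unless defined $group;

# Make sure the name given is valid (matches name_regex). Besides policy, this
# is what keeps DN-special characters (',', '+', '"', '\', '=', ...) out of
# the group name, which is interpolated straight into the entry's DN below
# without any escaping.
if ($group !~ qr/$CONF{"name_regex"}/) {
    die "Sorry, invalid group name.\n";
}

# Make sure the group is not in use already (checked through NSS, so this
# sees local and LDAP groups alike).
if (getgrnam($group)) {
    die "Sorry, $group is already in use.\n";
}

# Get the next valid, available gid number.
my $gid = first_avail_id($CONF{"first_gid"}, $CONF{"last_gid"}, get_current_gids());
if ($gid < 0) {
    die "No more gids available! That's just no good at all\n";
}

# Read the administrative LDAP password out of /etc/ldap.secret. The password
# should be the only line in that file, by itself on the first line.
# Reconstructed: the original used a bareword handle and 2-arg open; the file
# name and the "(<PW>)[0]" first-line read are kept, the rest is the 3-arg form.
my $secret_file = "/etc/ldap.secret";
open(my $pw_fh, '<', $secret_file) or die "Cannot open $secret_file: $!\n";
chomp(my $pass = (<$pw_fh>)[0] // '');
close($pw_fh);
# An empty password would turn the simple bind below into an unauthenticated
# bind rather than failing it, so refuse to continue without one.
die "$secret_file is empty; refusing to bind without a password.\n"
    unless length $pass;

# Connect and bind as the admin DN.
# NOTE(review): with a bare host name Net::LDAP->new uses plain ldap://, so the
# admin password crosses the network in the clear unless "server" is an
# ldaps:// URI or start_tls is called before the bind.
my $ldap = Net::LDAP->new($CONF{"server"})
    or die "Cannot connect to $CONF{'server'}: $@\n";
my $msg = $ldap->bind($CONF{"root_dn"}, password => $pass);
$msg->code
    and die "failed to bind as $CONF{'root_dn'}: ", $msg->error, "\n";

# Add the group to the LDAP db.
my $res = $ldap->add(
    "cn=$group," . $CONF{"dn_suffix"},
    attr => [
        "cn"          => $group,
        "objectClass" => $CONF{"obj_class"},
        "gidNumber"   => $gid,
    ]
);
$res->code && die "failed to add entry: ", $res->error;

# Disconnect.
$ldap->unbind;

# The original script printed a here-document here; its text did not survive
# extraction. Reconstructed as a one-line summary.
print "Added group $group with gidNumber $gid under $CONF{'dn_suffix'}.\n";

# Return the GID numbers of every group currently visible through the system
# group database (NSS), which includes the LDAP-served groups when nss_ldap is
# configured.
# NOTE(review): reconstructed -- the body was lost in extraction. It is called
# before the LDAP connection exists, so it cannot have used $ldap; enumerating
# the NSS group database is the narrowest reading consistent with the
# getgrnam() check above. Confirm against the original.
sub get_current_gids {
    my @gids;
    setgrent();
    # getgrent() in list context returns ($name, $passwd, $gid, $members).
    while (my @entry = getgrent()) {
        push @gids, $entry[2];
    }
    endgrent();
    return @gids;
}

# Return the smallest integer in [$min, $max] that does not appear in @ids,
# or -1 when every number in that range is taken. Equivalent to the original
# sorted-merge loop, but a lookup hash avoids the undef comparisons that loop
# made once @ids ran out (noisy under "use warnings").
sub first_avail_id {
    my ($min, $max, @ids) = @_;
    my %taken = map { $_ => 1 } @ids;
    for my $id ($min .. $max) {
        return $id unless $taken{$id};
    }
    return -1;    # nothing available
}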