start.sh

#!/bin/bash

DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
ACTION=$1

# Functions
function abort() {
    echo "$1" >&2 && exit 1
}

function cn_config() {
    # /opt/cn-config/cn-config.ldif is managed by kubernetes configmap
    configsrc=/opt/cn-config/cn-config.ldif
    if [ ! -f $configsrc ]; then
        abort "$configsrc does not exist. Exiting."
    fi
    # always re-install config from latest repp
    rm -rf ${LDAP_CONF_DIR}/*}
    echo -e "slapadd -v -F ${LDAP_CONF_DIR} -bcn=config -l ${configsrc}"
    slapadd -v -F ${LDAP_CONF_DIR} -bcn=config -l ${configsrc}
    # test data load success
    if [ "$?" -ne 0 ]; then
        # remove restored data since config faulty, forcing reload on next boo
        rm -rfv ${LDAP_MDB_DIR}/*.mdb
        abort "Config data load did not succeed. Exiting."
  fi
}

# Force to load from ldif
function ldif_load() {
  echo -e "Assessing data state for ldap role: ${LDAP_ROLE}"
  file_data=$(ls -t ${LDAP_BAK_DIR}/mdb/*.db-ldif 2>/dev/null | head -n 1)
  if [[ ! -f "$file_data" ]] ; then
      abort "No ldif file found in ${LDAP_BAK_DIR}/mdb. Exiting."
  fi
  echo "slapadd -q -F ${LDAP_CONF_DIR} -b dc=stanford,dc=edu -l ${file_data}"
  rm -rf ${LDAP_MDB_DIR}/data.mdb
  slapadd -q -F ${LDAP_CONF_DIR} -b dc=stanford,dc=edu -l ${file_data}
  if [[ ${LDAP_ROLE} = "master" ]]; then
    bakDataAccessLog=$(ls -t ${LDAP_BAK_DIR}/mdb/accesslog/accesslog.mdb.[[:digit:]]* | head -n 1)
    # restore snapshot of latest accesslog mdb iff it corresponds to most recent data snapshot,
    # ie, it is tagged with the same timestamp, eg, <filename>.mdb.<timestamp>
    if [[ ${bakData##*.} = ${bakDataAccessLog##*.} ]]; then
      echo -e "Loading accesslog corresponding to most recent data snapshot"
      stat --format "restoring snapshot of accesslog '%n' modified on %y" ${bakDataAccessLog}
      cp -v ${bakDataAccessLog} ${LDAP_MDB_DIR}/accesslog/data.mdb
    fi
  fi
  echo "Size of the ${LDAP_MDB_DIR}/data.mdb is:"
  du -sh ${LDAP_MDB_DIR}/data.mdb
}

function mdb_load() {
    if [ -f ${LDAP_BAK_DIR}/force-reload ]; then
      echo "${LDAP_BAK_DIR}/force-reload present, set LDAP_FORCE_RESTORE=true"
      LDAP_FORCE_RESTORE="true"
    else
      LDAP_FORCE_RESTORE="false"
    fi

    echo -e "Assessing data state for ldap role: ${LDAP_ROLE}"
    file_data=$(ls -t ${LDAP_BAK_DIR}/mdb/data.mdb* 2>/dev/null | head -n 1)

    if [[ ( ! -f "$file_data" ) ]] ; then
        abort "No mdb snapshot found in ${LDAP_BAK_DIR}/mdb. Exiting."
    fi

    # Get latest data.mdb in backup
    bakData=$(ls -t ${LDAP_BAK_DIR}/mdb/data.mdb.[[:digit:]]* | head -n 1)
    echo "Latest mdb file in backup: $bakData"
    # Restore data and config if LDAP_FORCE_RESTORE is true or newer backup exists or size is smaller then usual.
    echo "Comparing timestamps of $bakData and ${LDAP_MDB_DIR}/data.mdb"
    if [[ ${LDAP_FORCE_RESTORE} = "true" ]] || [[ ${bakData} -nt ${LDAP_MDB_DIR}/data.mdb ]] \
        || du -sh ${LDAP_MDB_DIR}/data.mdb | grep -q 'M';
    then
        if [[ ${LDAP_FORCE_RESTORE} = "true" ]]; then
          echo "Force restore from ${bakData}"
        else
          du -sh ${LDAP_MDB_DIR}/data.mdb
          echo -e "\nLoading most recent data and config..."
        fi
        find ${LDAP_MDB_DIR} -type f -name '*.mdb' -delete
        stat --format "Restoring snapshot '%n' modified on %y" ${bakData}
        cp -v ${bakData} ${LDAP_MDB_DIR}/data.mdb
        if [[ ${LDAP_ROLE} = "master" ]]; then
            bakDataAccessLog=$(ls -t ${LDAP_BAK_DIR}/mdb/accesslog/accesslog.mdb.[[:digit:]]* | head -n 1)
            # restore snapshot of latest accesslog mdb iff it corresponds to most recent data snapshot,
            # ie, it is tagged with the same timestamp, eg, <filename>.mdb.<timestamp>
            if [[ ${bakData##*.} = ${bakDataAccessLog##*.} ]]; then
                echo -e "Loading accesslog corresponding to most recent data snapshot"
                stat --format "restoring snapshot of accesslog '%n' modified on %y" ${bakDataAccessLog}
                cp -v ${bakDataAccessLog} ${LDAP_MDB_DIR}/accesslog/data.mdb
            fi
        fi
    else
        echo "${LDAP_MDB_DIR}/data.mdb is most recent data available."
    fi
    echo "Size of the ${LDAP_MDB_DIR}/data.mdb is:"
    du -sh ${LDAP_MDB_DIR}/data.mdb
}


function mdb_dump() {

    if [ ! $(which /usr/bin/mdb_copy) ]; then
        abort "mdb_copy not installed. Exiting."
    fi

    timestamp=$(date "+%Y%m%d%H%M%S")
    tmpdir=/tmp/$timestamp
    mkdir -p $tmpdir
    # data mdb
    # Clean up old data, just in case
    rm -rf ${LDAP_BAK_DIR}/mdb/data.mdb ${LDAP_BAK_DIR}/mdb/accesslog/data.mdb
    echo "Performing snapshot using mdbcopy"
    if ! /usr/bin/mdb_copy ${LDAP_MDB_DIR} ${LDAP_BAK_DIR}/mdb; then
        abort "mdb_copy mdb failed. Existing."
    else
        mv ${LDAP_BAK_DIR}/mdb/data.mdb ${LDAP_BAK_DIR}/mdb/data.mdb.$timestamp
        ls -lt ${LDAP_BAK_DIR}/mdb/data.mdb.${timestamp}
    fi

    # accesslog mdb
    if [[ ${LDAP_ROLE} = "master" ]]; then
        echo "Performing accesslog snapshot using mdbcopy"
        if ! /usr/bin/mdb_copy ${LDAP_MDB_DIR}/accesslog ${LDAP_BAK_DIR}/mdb/accesslog; then
            abort "mdb_copy accesslog failed. Existing."
        else
            mv ${LDAP_BAK_DIR}/mdb/accesslog/data.mdb \
                    ${LDAP_BAK_DIR}/mdb/accesslog/accesslog.mdb.${timestamp}
            ls -lt  ${LDAP_BAK_DIR}/mdb/accesslog/accesslog.mdb.${timestamp}
        fi
    fi

    # config
    echo "Performing config dump using slapcat"
    slapcat -F /etc/ldap/slapd.d -b cn=config > ${tmpdir}/config-${LDAP_ROLE}.ldif.$timestamp
    # ensure slapcat issued no errors before copying config to backups
    if [ "$?" -ne 0 ]; then
        abort "Config dump did not succeed. Exiting."
    fi
    cp -v ${tmpdir}/config-${LDAP_ROLE}.ldif.$timestamp ${LDAP_BAK_DIR}/config
    # clean up
    rm -Rf ${tmpdir}
}

function ldif_dump() {

    echo -e "Performing ldif dump for ${LDAP_ROLE} database"

    # exit if backup directories not present
    if [ ! -d ${LDAP_BAK_DIR}/ldif ]; then
        abort "ldif dump directory not present: ${LDAP_BAK_DIR}/ldif"
    fi
    # wait for slapd process to exit before backing up
    j=0
    while pgrep -x slapd; do
        sleep 3
        j=$(($j+1))
        if [ $j -gt 40 ]; then
            abort "slapd shutdown is hung so backup cannot continue. Exiting."
        fi
    done
    # dump and zip
    timestamp=$(date "+%Y%m%d%H%M%S")
    slapcat -v -b ${LDAP_BASE} > ${LDAP_BAK_DIR}/ldif/${LDAP_ROLE}-${timestamp}.db-ldif
    # ensure slapcat issued no errors
    if [ "$?" -ne 0 ]; then
        abort "Database dump did not succeed. Exiting."
    fi
    gzip -v ${LDAP_BAK_DIR}/ldif/${LDAP_ROLE}-${timestamp}.db-ldif
}

function prune_dumpdir() {

    # Clean up staled backup files (no timestamp suffix)
    rm -rf ${LDAP_BAK_DIR}/mdb/data.mdb ${LDAP_BAK_DIR}/mdb/accesslog/accesslog.mdb

    files=($(ls -t ${LDAP_BAK_DIR}/mdb/data.mdb*))
    file_count=${#files[@]}
    trim_num=$(expr ${file_count} - ${MDB_BAK_HISTORY})

    if [ $trim_num -gt 0 ]; then
        for (( i=$MDB_BAK_HISTORY; i<=$(( $file_count -1 )); i++ ))
        do
            #echo -e "deleting file: ${files[$i]}\n"
            rm -v ${files[$i]}
        done
    else
        echo "No files to remove in ${LDAP_BAK_DIR}/mdb"
    fi

    files=($(ls -t ${LDAP_BAK_DIR}/mdb/accesslog/accesslog.mdb*))
    file_count=${#files[@]}
    trim_num=$(expr ${file_count} - ${MDB_BAK_HISTORY})

    if [ $trim_num -gt 0 ]; then
        for (( i=$MDB_BAK_HISTORY; i<=$(( $file_count -1 )); i++ ))
        do
            #echo -e "deleting file: ${files[$i]}\n"
            rm -v ${files[$i]}
        done
    else
        echo "No files to remove in ${LDAP_BAK_DIR}/mdb/accesslog"
    fi

    files=($(ls -t ${LDAP_BAK_DIR}/config/*.ldif*))
    file_count=${#files[@]}
    trim_num=$(expr ${file_count} - ${CONF_BAK_HISTORY})

    if [ $trim_num -gt 0 ]; then
        for (( i=$CONF_BAK_HISTORY; i<=$(( $file_count -1 )); i++ ))
        do
            #echo -e "deleting file: ${files[$i]}\n"
            rm -v ${files[$i]}
        done
    else
        echo "No files to remove in ${LDAP_BAK_DIR}/config"
    fi
}

function krenew() {
  echo "renewing kerberos tgt every $renew_secs seconds"
  # sleep $renew_secs before first tkt renewal, since the initContainer obtains initial tkt
  sleep $renew_secs
  while true
  do
    kinit_svc
    sleep $renew_secs
  done
}

function kinit_svc() {

    ccfile=${KRB5CCNAME#*:}

    # Make the principal be the first component of HOSTNAME followed by
    # 'stanford.edu'.

    # Example 1. If HOSTNAME is 'ldap-test-smaster.cluster.local' then the
    # principal will be 'ldap-test-smaster.stanford.edu'.

    # Example 2. If HOSTNAME is 'ldap-test-sh.stanford.edu' then the
    # principal will be 'ldap-test-sh.stanford.edu'.
    principal=${HOSTNAME%%.*}.${REALM}
    kinit -k -t $KRB5_KTNAME -c ${ccfile} ldap/${principal}
    klist
}

# MAIN

# Run ldconfig to make sure our compiled slapd uses /lib, /usr/lib for its libraries path
ldconfig

# ensure data dump dirs present
mkdir -p ${LDAP_BAK_DIR}/mdb ${LDAP_BAK_DIR}/mdb/accesslog ${LDAP_BAK_DIR}/config ${LDAP_MDB_DIR}/accesslog

# set LDAP_FORCE_RESTORE to true if 
case "${ACTION}" in
  dump)
    # Only do snaphost on one ldap server
    pod_last_number=$(hostname -s | rev | cut -d "-" -f 1)
    while true
    do
      sleep ${MDB_BAK_FREQ}
      # Don't do dump if no-backup file exists
      if [ -f ${LDAP_BAK_DIR}/no-backup ]; then
        echo "${LDAP_BAK_DIR}/no-backup exists. Skip backup"
      elif [ "$pod_last_number" = "0" ]; then
        echo "making mdb_copy every ${MDB_BAK_FREQ} seconds"
        echo "MDB backup stared."
        mdb_dump && prune_dumpdir
        echo "MDB backup ended."
        next_backup=$(date -d "+$MDB_BAK_FREQ seconds")
        echo "Next backup will start at $next_backup."
      fi
    done
    ;;

  ldifdump)
    ldif_dump
    ;;

  kinit)
    kinit_svc
    ;;

  krenew)
    shift
    renew_secs=$1
    krenew
    ;;

  cn_config)
    cn_config
    ;;

  datapop)
    cn_config && mdb_load
    ;;
  datapop-ldif)
    cn_config && ldif_load
    ;;

  ldap)
    # Generate cert hash files. Cert secret is mounted at /etc/ssl/ssl-certs
    until [[ -f /etc/ssl/certs/server.pem ]] && [[ -f /etc/ssl/certs/ldap-cabundle.pem ]]
    do
      if [[ -f /etc/ssl/ssl-certs/server.pem ]] && [[ -f /etc/ssl/ssl-certs/ldap-cabundle.pem ]];
      then
        cp /etc/ssl/ssl-certs/server.pem /etc/ssl/certs
        cp /etc/ssl/ssl-certs/ldap-cabundle.pem /etc/ssl/certs
        c_rehash /etc/ssl/certs
      fi
      sleep 1
    done
    # Default slapd url, we should open ldaps as well for ldap+TLS
    endpoints="ldap:/// ldaps:///"
    if [[ "$ENABLE_SIMPLE" = "yes" ]]; then
      # Simple bind needs saslauthd.
      # Put the process PID in /var/run/saslauthd.
      KRB5_KTNAME=/etc/krb5.keytab /usr/sbin/saslauthd -O /etc/saslauthd.conf \
        -a kerberos5 -c -m /var/run/saslauthd -n 5
    fi
    if [[ "X${LDAP_LOG_FILE}" != "X/dev/null" ]]
    then
      touch ${LDAP_LOG_FILE}
    fi
    if ! /usr/sbin/slapd -h "${endpoints}" -F /etc/ldap/slapd.d -d ${LDAP_LOG_LEVEL} > ${LDAP_LOG_FILE}  2>&1; then
        echo "slapd failed to start. Wipe out local copy, forcing reload on next start."
        rm -rfv ${LDAP_MDB_DIR}/*.mdb ${LDAP_MDB_DIR}/accesslog/*.mdb
    fi
    ;;

  stop)
    if [[ -f /var/run/saslauthd/saslauthd.pid ]]; then
      # Stop saslauthd
      kill -9 `cat /var/run/saslauthd/saslauthd.pid`
    fi

    pid=$(cat /var/run/slapd.pid 2>/dev/null || pidof slapd)
    retry=TERM/20/KILL/forever
    if [ -n $pid ]; then
      start-stop-daemon --stop --retry ${retry} --pid ${pid} 2>&1
    else
      start-stop-daemon --stop --retry ${retry} --exec /usr/sbin/slapd 2>&1
    fi
    ;;

  *)
    abort "Usage: $0 (ldap|dump|ldifdump|krenew|kinit|cn_config|datapop|datapop-ldif)"
    ;;
esac