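#
# Use an LDAP server as user backend
#
# Required environment (substituted by the host shell before the commands
# enter the chroot): LDAP_HOST, LDAP_SEARCH_BASE, LDAP_SUDO_SEARCH_BASE.
# Fail early with a message instead of writing an sssd.conf with empty values.
: "${LDAP_HOST:?LDAP_HOST must be set (LDAP server host name)}"
: "${LDAP_SEARCH_BASE:?LDAP_SEARCH_BASE must be set (base DN for users/groups)}"
: "${LDAP_SUDO_SEARCH_BASE:?LDAP_SUDO_SEARCH_BASE must be set (base DN for sudo rules)}"

echo "[?] Starting installation of LDAP module"

# Run commands inside of the chroot.
# The outer here-document is deliberately unquoted: the LDAP_* variables above
# are expanded on the host, while quotes and sed scripts reach the chroot shell
# verbatim.  A doubled backslash ("\\t") becomes "\t" for sed, exactly as it did
# with the double-quoted string this replaces.  Avoid "$" and backticks in the
# comments below, they would be expanded by the host shell too.
arch-chroot /mnt <<EOF
# Stop at the first failing step instead of leaving a half-configured NSS/PAM.
set -e

# NOTE(review): -Sy without -u installs against a refreshed package database
# without upgrading the rest of the system; fine on a fresh install, risky later.
pacman -Sy --noconfirm openldap sssd

# sssd only starts when its config is root-owned and mode 0600, so create the
# file with that mode *before* any content is written to it.
install -m 600 -o root -g root /dev/null /etc/sssd/sssd.conf
cat > /etc/sssd/sssd.conf <<'SSSD'
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[domain/LDAP]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://$LDAP_HOST
ldap_search_base = $LDAP_SEARCH_BASE
ldap_sudo_search_base = $LDAP_SUDO_SEARCH_BASE
ldap_id_use_start_tls = false
# NOTE(review): this skips verification of the LDAP server certificate, so the
# ldaps:// transport above protects against eavesdropping only, not against a
# spoofed server that harvests the passwords sent by pam_sss.  Prefer
# ldap_tls_reqcert = demand together with ldap_tls_cacert pointing at the CA
# that issued the server certificate.  Also confirm that "ignore" is a value
# this sssd version accepts (the documented ones are never/allow/try/demand/hard).
ldap_tls_reqcert = ignore
chpass_provider = ldap
ldap_chpass_uri = ldaps://$LDAP_HOST
entry_cache_timeout = 600
ldap_network_timeout = 2
# OpenLDAP supports posixGroup, uncomment the following two lines
# to get group membership support (and comment the other conflicting parameters)
#ldap_schema = rfc2307
#ldap_group_member = memberUid
# Other LDAP servers may support this instead
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
SSSD

# nscd would shadow the sssd cache for these databases; turn it off for them.
sed -i 's/enable-cache\\t\\tpasswd\\t\\tyes/enable-cache\\t\\tpasswd\\t\\tno/g' /etc/nscd.conf
sed -i 's/enable-cache\\t\\tgroup\\t\\tyes/enable-cache\\t\\tgroup\\t\\tno/g' /etc/nscd.conf
sed -i 's/enable-cache\\t\\tnetgroup\\t\\tyes/enable-cache\\t\\tnetgroup\\t\\tno/g' /etc/nscd.conf

# Resolve users, groups and shadow entries locally first, then via sssd.
sed -i 's/passwd:.*\$/passwd: files sssd/g' /etc/nsswitch.conf
sed -i 's/group:.*\$/group: files sssd/g' /etc/nsswitch.conf
sed -i 's/shadow:.*\$/shadow: files sssd/g' /etc/nsswitch.conf
echo "sudoers: files sssd" >> /etc/nsswitch.conf

# PAM: insert the sssd modules before the first line of each management group
# (GNU sed "0,/re/" addresses the first match only).
sed -i '0,/auth/i auth sufficient pam_sss.so forward_pass' /etc/pam.d/system-auth
sed -i '0,/account/i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' /etc/pam.d/system-auth
sed -i '0,/password/i password sufficient pam_sss.so use_authtok' /etc/pam.d/system-auth
# Create the home directory on first login, private to the user (umask 0077).
sed -i '0,/session/i session required pam_mkhomedir.so skel=/etc/skel/ umask=0077' /etc/pam.d/system-auth
sed -i '0,/session optional pam_permit.so/i session optional pam_sss.so' /etc/pam.d/system-auth

sed -i '0,/auth/i auth sufficient pam_sss.so forward_pass' /etc/pam.d/su
sed -i '0,/account/i account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so' /etc/pam.d/su
# Was "s session optional pam_sss.so" (an "s" command with a space delimiter,
# which sed rejects); the intent, as for system-auth, is an insert.
sed -i '0,/session/i session optional pam_sss.so' /etc/pam.d/su

# /etc/pam.d/sudo only exists once sudo is installed; skip it otherwise so the
# "set -e" above does not abort the whole module on a sudo-less system.
if [ -f /etc/pam.d/sudo ]; then
  sed -i '0,/auth/i auth sufficient pam_sss.so' /etc/pam.d/sudo
fi
EOF
status=$?
if [ "$status" -ne 0 ]; then
  printf '[!] LDAP module installation failed inside the chroot (exit %d)\n' "$status" >&2
  exit "$status"
fi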