#!/bin/bash
#
# Univention Configuration Registry
# Wrap ldapsearch to pass on credentials
#
# SPDX-FileCopyrightText: 2004-2025 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only

# Import the Univention Configuration Registry into this shell: the "shell"
# subcommand prints variable assignments, which is where the ldap_* values
# read further down (ldap_binddn, ldap_hostdn, ldap_client_retry_count) come
# from.  Its output is executed verbatim, so only the local registry tool
# must ever be the source of that text.
eval "$(/usr/sbin/univention-config-registry shell)"

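## check for option -D to avoid "ldapsearch: -D previously specified"
## check for option -w to avoid "ldapsearch: -y incompatible with -w"
#######################################
# Scan the command line for caller-supplied bind credentials and translate
# the wrapper's long options into the short ones ldapsearch understands.
# Attached-value forms (-Ddn, -wpw, -yfile) and -W count as supplied too, so
# the wrapper never adds a second bind DN or password source.
# Globals:   args (written) - arguments to pass on to ldapsearch
#            binddn_given (written) - "true" when the caller passed a bind DN
#            password_given (written) - "true" when the caller passed a password source
# Arguments: the original command line
#######################################
parse_args () {
	local arg
	args=()
	binddn_given=
	password_given=
	for arg in "$@"; do
		case "$arg" in
			--binddn)
				binddn_given=true
				args+=("-D")
				;;
			-D*)
				# -D with the DN as the next argument or attached (-Dcn=...)
				binddn_given=true
				args+=("$arg")
				;;
			--bindpwd)
				# NB: -w puts the password into argv, where it is visible in
				# the process list; --bindpwdfile is the safer choice
				password_given=true
				args+=("-w")
				;;
			--bindpwdfile)
				password_given=true
				args+=("-y")
				;;
			-w*|-y*|-W)
				# caller already chose a password source; adding our own -y
				# would be rejected by ldapsearch
				password_given=true
				args+=("$arg")
				;;
			*)
				args+=("$arg")
				;;
		esac
	done
}
parse_args "$@"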

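#######################################
# Run ldapsearch over StartTLS, adding the machine credentials from UCR
# unless the caller supplied a bind DN itself.
# Globals:   args, binddn_given, password_given (read, set by the argument
#            scan above); ldap_binddn, ldap_hostdn (read, from UCR)
# Arguments: none - the search arguments come from $args
# Outputs:   whatever ldapsearch prints on stdout/stderr
# Returns:   the exit status of ldapsearch
#######################################
do_search ()
{
	local -a cred=()
	local binddn
	local -r bindpw_file=/etc/machine.secret
	if [ -z "$binddn_given" ]; then
		# prefer the configured bind DN, fall back to the host's own DN
		binddn="${ldap_binddn:-${ldap_hostdn:-}}"
		cred+=(-D "$binddn")
		# the password is read from a file (-y) instead of being passed in
		# argv, so it does not show up in the process list
		if [ -z "$password_given" ]; then
			cred+=(-y "$bindpw_file")
		fi
	fi
	# -ZZ: StartTLS is mandatory; ldif-wrap=no: no folding of long values
	ldapsearch -o ldif-wrap=no -ZZ "${cred[@]}" "${args[@]}"
}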

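# ldapsearch's diagnostics are captured here so a transient TLS connect
# failure can be recognised and retried (mktemp creates the file mode 0600).
tempfile="$(mktemp)" || { printf '%s: mktemp failed\n' "${0##*/}" >&2; exit 1; }
trap 'rm -f "$tempfile"' EXIT

# Number of additional attempts after the first one.  The UCR value is only
# used when it is a non-negative integer; anything else would break the
# arithmetic loop condition (and leave $ret unset for the final exit).
retry=${ldap_client_retry_count:-10}
if ! [[ "$retry" =~ ^[0-9]+$ ]]; then
	printf '%s: ignoring invalid ldap_client_retry_count %q, using 10\n' "${0##*/}" "$retry" >&2
	retry=10
fi
for ((i=0;i<=retry;i++)); do
	[ "$i" -ge 1 ] && sleep 1
	# fd 3 keeps the real stdout: search results go there untouched, while
	# stderr is teed into "$tempfile" and still shown on stderr.
	exec 3>&1
	do_search 2>&1 1>&3 3<&- |
		tee "$tempfile" 1>&2 3<&-
	ret=${PIPESTATUS[0]}  # exit status of do_search, not of tee
	exec 3<&-
	# retry only on the exact "cannot connect" message; anything else is final
	grep -F -x -q "ldap_start_tls: Can't contact LDAP server (-1)" "$tempfile" || break
done

exit "$ret"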
