#!/bin/dash
#
# SPDX-FileCopyrightText: 2004-2025 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only

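## Import the UCR settings used below (ldap/server/name, hostname, ...) as shell variables.
## The last argument is a pattern meant for UCR, so it is quoted to keep the shell from
## globbing it against the current directory before UCR ever sees it.
eval "$(univention-config-registry shell ldap/server/name windows/domain hostname 'connector/s4/ldap/.*')"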

## Look for any credential option given by the caller. Machine credentials are only
## prepended later when none were supplied, so that --simple-bind-dn does not take
## precedence over them. Note: getopts stops at the first non-option operand, so a
## credential option placed after the search expression is not detected by this scan.
optspec=":-:d:k:A:PU:"
while getopts "$optspec" option; do
	case "${option}" in
		d)
			debug=true
			;;
		k|A|P|U)
			credentials_given=true
			;;
		-)
			## long option, given either as "--name" or "--name=value"
			case "${OPTARG%%=*}" in
				authentication-file|machine-pass|password|simple-bind-dn|user)
					credentials_given=true
					;;
			esac
			;;
	esac
done

## No credentials from the caller: fall back to the machine account of this host.
if [ "$credentials_given" != 'true' ]; then
	if [ -r '/etc/machine.secret' ]; then
		## The password in secrets.ldb equals machine.secret only on the provision host,
		## so the secret is always read from secrets.ldb instead of /etc/machine.secret.
		samaccount="${hostname}\$"
		sampassword=$(ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName="$samaccount" secret | ldapsearch-wrapper | sed -n 's/secret: \(.*\)/\1/p')
	fi
	if [ -n "$samaccount" ]; then
		## NOTE(review): the "-Uaccount%password" word is handed to ldbsearch via its
		## argument vector, which is readable by other local users through the process list
		## for the lifetime of that process.
		option_samcredentials="-U$samaccount%$sampassword"
		set -- "$option_samcredentials" "$@"
	fi
fi

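## Run the actual query over LDAPS; "$@" may start with the machine credentials prepended above.
ldbsearch -H "ldaps://$ldap_server_name" "$@"
rc=$?

if [ "$debug" = 'true' ]; then
	## The argument vector can carry the machine secret ("-Uaccount%password"); replace
	## that word with a redacted copy so the debug line never prints the password.
	if [ -n "$option_samcredentials" ] && [ "$1" = "$option_samcredentials" ]; then
		shift
		set -- "-U$samaccount%<redacted>" "$@"
	fi
	## printf instead of echo: dash's echo interprets backslash escapes, which would
	## garble LDAP filters containing "\" in the trace line.
	printf '%s\n' "### Output of: ldbsearch -H ldaps://$ldap_server_name $*"
fi

## Propagate the exit status of ldbsearch to the caller.
exit $rc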
