#!/bin/bash
# Run this from any PSC in the SSO domain. It needs the SSO administrator password and
# it WRITES to the directory: any solution user found missing from its expected groups
# (several of them administrator groups) is added back; events go to solutionusers_healthcheck.log
# in the current directory, so review that log after a run.
# Luciano Delorenzi [ldelorenzi@vmware.com] - 11/29/2019
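#######################################
# Add a service principal to an SSO group with an LDAP modify against the
# local PSC (port 389, simple bind as the SSO administrator).
# Arguments: $1 - domain DN, e.g. dc=vsphere,dc=local
#            $2 - SSO administrator password
#            $3 - group RDN relative to the domain, e.g. cn=users,cn=builtin
#            $4 - service principal name, e.g. vpxd-<machine-id>
# Outputs:   ldapmodify's own output
# Returns:   ldapmodify's exit status (0 on success)
#######################################
add_user ()
{
	local domain_dn="$1" admin_pw="$2" group_rdn="$3" service="$4"
	# The group's dn used to hard-code dc=vsphere,dc=local while the bind DN
	# and member DN used $1; that breaks on any other SSO domain. All three
	# now derive from the domain argument.
	# NOTE(review): -w passes the password on the command line, so it is
	# visible to other local users via ps while ldapmodify runs.
	/opt/likewise/bin/ldapmodify -h localhost -p 389 -x -D "cn=administrator,cn=users,$domain_dn" -w "$admin_pw" <<EOF
dn: $group_rdn,$domain_dn
changetype: modify
add: member
member: cn=$service,cn=serviceprincipals,$domain_dn
EOF
}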
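# Log of what was found missing / added. Relative to the current directory.
LOGFILE="solutionusers_healthcheck.log"

#######################################
# Check that one solution user is a member of every group in a list and add
# it to each group it is missing from.
# Globals:   ADMIN, DOMAINCN, PASSWORD, LOGFILE (read); calls add_user
# Arguments: $1   - service principal name, e.g. vpxd-<machine-id>
#            $2   - label used in the progress output ("vpxd", "machine", ...)
#            $3.. - group RDNs relative to the domain, e.g. cn=users,cn=builtin
# Outputs:   progress to stdout; missing/added/failed events appended to LOGFILE
#######################################
check_service_groups ()
{
	local service="$1" label="$2"
	shift 2
	local group entry
	echo ""
	echo "Looking for $label user in groups"
	echo ""
	for group in "$@"
	do
		echo "Looking in $group"
		# Read the group entry first and check the search itself succeeded:
		# a failed bind or a missing group used to look like "member missing"
		# and then triggered an ldapmodify with the same bad credentials.
		if ! entry=$(/opt/likewise/bin/ldapsearch -x -h localhost -p 389 -D "$ADMIN" -w "$PASSWORD" -b "$group,$DOMAINCN")
		then
			echo "ERROR: ldapsearch of $group,$DOMAINCN failed; not modifying it" | tee -a "$LOGFILE" >&2
			continue
		fi
		# Membership test is a case-insensitive substring match of the service
		# name anywhere in the entry (same as before); -F keeps the name literal
		# and -- protects against a name starting with '-'.
		if ! grep -q -i -F -- "$service" <<<"$entry"
		then
			echo "$service is missing from $group" | tee -a "$LOGFILE"
			echo "Adding user..." | tee -a "$LOGFILE"
			# Log the outcome, not just the attempt.
			if add_user "$DOMAINCN" "$PASSWORD" "$group" "$service"
			then
				echo "Added $service to $group" | tee -a "$LOGFILE"
			else
				echo "ERROR: failed to add $service to $group (see ldapmodify output above)" | tee -a "$LOGFILE" >&2
			fi
		fi
	done
}

echo "Solution users health check started on $(date)" | tee -a "$LOGFILE"

# SSO domain name, taken from the vmafd registry key on this PSC.
DOMAIN=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep DomainName | awk '{print $4}' | tr -d '"')
if [[ -z "$DOMAIN" ]]
then
	# Without a domain every DN below would be built on an empty "dc=" and
	# every group would look missing; stop before touching anything.
	echo "ERROR: could not read the SSO domain name from the vmafd registry; run this on a PSC" | tee -a "$LOGFILE" >&2
	exit 1
fi
echo "SSO domain: $DOMAIN" | tee -a "$LOGFILE"

# Expected group membership per solution-user kind. Group RDNs are relative
# to the domain DN (LDAP DNs are case-insensitive, hence the mixed casing).
VPXDEXTENSION[0]='cn=users,cn=builtin'
VPXDEXTENSION[1]='cn=actasusers'
VPXDEXTENSION[2]='cn=systemconfiguration.administrators'
VPXDEXTENSION[3]='cn=componentmanager.administrators'

MACHINE[0]='cn=administrators,cn=builtin'
MACHINE[1]='cn=SystemConfiguration.Administrators'
MACHINE[2]='cn=ComponentManager.Administrators'

VPXD[0]='cn=users,cn=builtin'
VPXD[1]='cn=LicenseService.Administrators'
VPXD[2]='cn=systemconfiguration.administrators'
VPXD[3]='cn=componentmanager.administrators'

WEBCLIENT[0]='cn=administrators,cn=builtin'
WEBCLIENT[1]='cn=actasusers'
WEBCLIENT[2]='cn=licenseservice.administrators'

# vsphere.local -> dc=vsphere,dc=local
DOMAINCN="dc=${DOMAIN//./,dc=}"
ADMIN="cn=administrator,cn=users,$DOMAINCN"
echo ""

read -r -s -p "Enter SSO admin password: " PASSWORD
echo ""
# NOTE(review): dir-cli, ldapsearch and ldapmodify all receive the password as
# a command-line argument, so it is visible in `ps` for the duration of each
# call. The tools' alternative input methods were not verified here, so the
# argument form is kept; run this only on a host where that is acceptable.
if ! SERVICELIST=$(/usr/lib/vmware-vmafd/bin/dir-cli service list --password "$PASSWORD") || [[ -z "$SERVICELIST" ]]
then
	echo "ERROR: dir-cli service list failed or returned nothing (wrong password?)" | tee -a "$LOGFILE" >&2
	unset PASSWORD
	exit 1
fi

# Word splitting is intentional: dir-cli prints a numbered list, one
# "<n>. <service name>" per line, and only the name tokens are wanted.
for SERVICE in $SERVICELIST
do
	# Tokens shorter than 3 characters are the list numbers ("1.", "2.", ...).
	[[ ${#SERVICE} -ge 3 ]] || continue
	# Service names look like <kind>-[<sub>-]<machine-id>; the first two
	# '-'-separated fields select the group list.
	IFS=- read -r KIND SUB _ <<<"$SERVICE"
	if [[ "$SUB" == "extension" ]]
	then
		check_service_groups "$SERVICE" "vpxd-extension" "${VPXDEXTENSION[@]}"
	elif [[ "$KIND" == "vpxd" ]]
	then
		check_service_groups "$SERVICE" "vpxd" "${VPXD[@]}"
	elif [[ "$KIND" == "machine" ]]
	then
		check_service_groups "$SERVICE" "machine" "${MACHINE[@]}"
	elif [[ "$KIND" == "vsphere" ]]
	then
		check_service_groups "$SERVICE" "web client" "${WEBCLIENT[@]}"
	fi
	# Anything else (e.g. a "10." list number) is not a known solution user
	# and is ignored.
done

unset PASSWORD
echo "Done on $(date).  You may need to restart services..." | tee -a "$LOGFILE"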


	







