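#!/bin/sh
# Create the base DIT (organisation entry, organizational units, default
# password policy and the admins group) against a temporarily started slapd.
#
# Required environment:
#   LDAP_BASE_DN, LDAP_DC, LDAP_ORGANISATION, LDAP_ADMIN_PASSWORD
# Sources /scripts/utils.sh for log_info, log_warn and wait_for_slapd.
set -e
. /scripts/utils.sh

# Fail early with a clear message instead of creating entries with empty
# attribute values or binding with an empty password.
: "${LDAP_BASE_DN:?LDAP_BASE_DN must be set}"
: "${LDAP_DC:?LDAP_DC must be set}"
: "${LDAP_ORGANISATION:?LDAP_ORGANISATION must be set}"
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set}"

log_info "Creating base DIT structure..."

# Socket URL for ldapi - must use URL-encoded path
LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"
ADMIN_DN="cn=admin,${LDAP_BASE_DN}"

# Private working directory (unpredictable name, mode 0700) for the LDIF
# files and the bind password. Fixed names under /tmp can be pre-created or
# symlinked by another local user; mktemp -d avoids that.
WORK_DIR=$(mktemp -d) || { log_warn "mktemp -d failed"; exit 1; }

# The bind password is handed to ldapadd through a file (-y) rather than on
# the command line (-w), where it would be visible to every process via
# ps / /proc. -y uses the file content verbatim, hence no trailing newline.
PW_FILE="${WORK_DIR}/admin.pw"
(umask 077; printf '%s' "${LDAP_ADMIN_PASSWORD}" > "${PW_FILE}")

SLAPD_PID=""

# Runs on every exit path (including a failed step under set -e): stop the
# temporary slapd if it is still ours and remove the working directory.
cleanup() {
  if [ -n "${SLAPD_PID}" ]; then
    kill "${SLAPD_PID}" 2>/dev/null || true
    wait "${SLAPD_PID}" 2>/dev/null || true
    SLAPD_PID=""
  fi
  rm -rf -- "${WORK_DIR:?}"
}
trap cleanup EXIT

# Add one LDIF file as the admin user over the local socket.
# $1 - path to the LDIF file
# Returns ldapadd's exit status.
ldap_add_file() {
  ldapadd -x -H "${LDAPI_SOCKET}" -D "${ADMIN_DN}" -y "${PW_FILE}" -f "$1"
}

# Start slapd temporarily.
# -d 0 keeps slapd in the foreground (no debug output) so that $! is its real
# PID. A detached slapd forks away, and the only way to find it would be
# "pkill slapd", which also kills any unrelated slapd instance.
log_info "Starting slapd temporarily for DIT creation..."
/usr/sbin/slapd -d 0 -h "${LDAPI_SOCKET}" -F /etc/openldap/slapd.d -u ldap -g ldap &
SLAPD_PID=$!
sleep 2

# Wait for slapd
wait_for_slapd 30 "${LDAPI_SOCKET}"

# Create base DIT LDIF
# NOTE: the heredoc delimiter is intentionally unquoted so ${LDAP_*} expand;
# values containing LDIF-special characters are not escaped here.
cat > "${WORK_DIR}/base-dit.ldif" << EOF
# Base entry
dn: ${LDAP_BASE_DN}
objectClass: top
objectClass: dcObject
objectClass: organization
dc: ${LDAP_DC}
o: ${LDAP_ORGANISATION}

# People OU
dn: ou=People,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: People
description: User accounts

# Groups OU
dn: ou=Groups,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Groups
description: Authorization groups

# Services OU
dn: ou=Services,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Services
description: Service accounts for application binding

# Domains OU (for virtual mail domains)
dn: ou=Domains,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Domains
description: Virtual mail domains

# Policies OU
dn: ou=Policies,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Policies
description: Password and access policies

# Kerberos OU (for future use)
dn: ou=Kerberos,${LDAP_BASE_DN}
objectClass: organizationalUnit
ou: Kerberos
description: Kerberos realm container (premium feature)
EOF

# Add base DIT. Deliberately not tolerated on failure: without the base
# entry and OUs nothing below can be created, so set -e aborts the script.
log_info "Adding base organizational units..."
ldap_add_file "${WORK_DIR}/base-dit.ldif"

# Create default password policy
log_info "Creating default password policy..."
cat > "${WORK_DIR}/default-policy.ldif" << EOF
dn: cn=default,ou=Policies,${LDAP_BASE_DN}
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 3
pwdFailureCountInterval: 900
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOF
# Best effort: a pre-existing policy (re-run of this script) is only warned about.
ldap_add_file "${WORK_DIR}/default-policy.ldif" || \
  log_warn "Password policy may already exist"

# Create default admin group
log_info "Creating default admin group..."
cat > "${WORK_DIR}/admin-group.ldif" << EOF
dn: cn=admins,ou=Groups,${LDAP_BASE_DN}
objectClass: groupOfMembers
objectClass: posixGroup
cn: admins
gidNumber: 10000
description: LDAP Administrators
EOF
# Best effort, same as the policy above.
ldap_add_file "${WORK_DIR}/admin-group.ldif" || \
  log_warn "Admin group may already exist"

# Stop temporary slapd: signal only the instance we started and reap it,
# instead of pkill-ing every slapd on the host and sleeping a fixed time.
log_info "Stopping temporary slapd..."
kill "${SLAPD_PID}" 2>/dev/null || true
wait "${SLAPD_PID}" 2>/dev/null || true
SLAPD_PID=""

# Cleanup of the working directory (LDIF files and password file) is done
# by the EXIT trap, which also covers early failures.
log_info "Base DIT creation complete"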