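#!/bin/sh
#
# OpenLDAP container entrypoint.
#
# Required env:  LDAP_DOMAIN, LDAP_ORGANISATION, LDAP_ADMIN_PASSWORD
# Optional env:  LDAP_BASE_DN, LDAP_CONFIG_PASSWORD, LDAP_TLS_ENABLED,
#                LDAP_TLS_CERT_FILE, LDAP_TLS_KEY_FILE, LDAP_TLS_CA_FILE,
#                LDAP_TLS_VERIFY_CLIENT, LDAP_LOG_LEVEL, LDAP_READONLY,
#                LDAP_CREATE_SERVICE_ACCOUNTS
#
# On the first run (no data.mdb yet) the /scripts/init-*.sh helpers build
# cn=config, schemas, overlays, the base DIT and ACLs, then any
# /ldif/custom/*.ldif is loaded. Every run ends by exec'ing slapd in the
# foreground.
set -e

# Utility functions: log_info/log_warn/log_error and generate_password
. /scripts/utils.sh

# LDAPI socket URL - the socket path must be URL-encoded for Alpine's layout
LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"
export LDAPI_SOCKET

# Backend data directory and the "all init steps completed" marker
LDAP_DATA_DIR=/var/lib/openldap/openldap-data
LDAP_INIT_MARKER="$LDAP_DATA_DIR/.initialized"

# Abort with a message naming the missing variable.
#   $1 - variable name (for the message)
#   $2 - its value
require_env() {
  if [ -z "$2" ]; then
    log_error "$1 is required"
    exit 1
  fi
}

require_env LDAP_DOMAIN "$LDAP_DOMAIN"
require_env LDAP_ORGANISATION "$LDAP_ORGANISATION"
require_env LDAP_ADMIN_PASSWORD "$LDAP_ADMIN_PASSWORD"

# Derive the base DN from the domain when not given:
# example.com -> dc=example,dc=com. LDAP_DOMAIN is operator-supplied, not
# untrusted input; it is not DN-escaped here and must be a plain DNS name.
if [ -z "$LDAP_BASE_DN" ]; then
  LDAP_BASE_DN=$(printf '%s\n' "$LDAP_DOMAIN" | sed 's/^/dc=/; s/\./,dc=/g')
fi
export LDAP_BASE_DN

# Leftmost label of the domain, used as the dc attribute of the base entry
LDAP_DC=${LDAP_DOMAIN%%.*}
export LDAP_DC

# cn=config password: generate one when not supplied. Kept as a separate
# statement so a failing/empty generate_password is not masked by export.
# NOTE(review): a generated value is neither printed nor persisted by this
# script - confirm init-config.sh records it, or cn=config is unmanageable
# after the first run.
if [ -z "$LDAP_CONFIG_PASSWORD" ]; then
  LDAP_CONFIG_PASSWORD=$(generate_password)
  if [ -z "$LDAP_CONFIG_PASSWORD" ]; then
    log_error "generate_password produced an empty LDAP_CONFIG_PASSWORD"
    exit 1
  fi
fi
export LDAP_CONFIG_PASSWORD

# Defaults for the remaining optional settings
: "${LDAP_TLS_ENABLED:=true}"
: "${LDAP_TLS_CERT_FILE:=/certs/ldap.crt}"
: "${LDAP_TLS_KEY_FILE:=/certs/ldap.key}"
: "${LDAP_TLS_CA_FILE:=/certs/ca.crt}"
: "${LDAP_TLS_VERIFY_CLIENT:=try}"
: "${LDAP_LOG_LEVEL:=256}"
: "${LDAP_READONLY:=false}"
export LDAP_TLS_ENABLED LDAP_TLS_CERT_FILE LDAP_TLS_KEY_FILE LDAP_TLS_CA_FILE
export LDAP_TLS_VERIFY_CLIENT LDAP_LOG_LEVEL LDAP_READONLY

log_info "OpenLDAP Container Starting"
log_info "Domain: $LDAP_DOMAIN"
log_info "Base DN: $LDAP_BASE_DN"
log_info "Organisation: $LDAP_ORGANISATION"

# Load every /ldif/custom/*.ldif as cn=admin over the local socket.
# Best-effort: a file that fails to load is logged, not fatal.
load_custom_ldif() {
  [ -d /ldif/custom ] || return 0

  # ldapadd -w would expose the admin password in ps / /proc/*/cmdline for
  # every invocation. -y reads it from a 0600 temp file instead. -y uses the
  # file contents verbatim, so no trailing newline may be written.
  pwfile=$(mktemp) || { log_error "mktemp failed"; exit 1; }
  chmod 600 "$pwfile"
  printf '%s' "$LDAP_ADMIN_PASSWORD" > "$pwfile"
  trap 'rm -f "$pwfile"' EXIT

  log_info "Processing custom LDIF files..."
  for ldif in /ldif/custom/*.ldif; do
    # An unmatched glob leaves the literal pattern behind; skip it
    [ -f "$ldif" ] || continue
    log_info "Loading: $ldif"
    rc=0
    ldapadd -x -H "$LDAPI_SOCKET" -D "cn=admin,$LDAP_BASE_DN" \
      -y "$pwfile" -f "$ldif" || rc=$?
    # ldapadd exits with the LDAP result code; 68 is alreadyExists, which is
    # expected on a re-run. Anything else is a real failure worth a look.
    if [ "$rc" -eq 68 ]; then
      log_warn "Skipped $ldif: entries already exist (ldapadd rc=68)"
    elif [ "$rc" -ne 0 ]; then
      log_warn "Failed to load $ldif (ldapadd rc=$rc)"
    fi
  done

  rm -f "$pwfile"
  trap - EXIT
}

if [ ! -f "$LDAP_DATA_DIR/data.mdb" ]; then
  log_info "First run - initializing OpenLDAP..."

  # Each helper runs under set -e, so a failure aborts the container.
  # Order matters: schemas before overlays, the DIT before ACLs and accounts.
  /scripts/init-config.sh    # cn=config
  /scripts/init-schemas.sh   # schemas, in dependency order
  /scripts/init-overlays.sh  # overlays
  /scripts/init-dit.sh       # base DIT
  /scripts/init-acls.sh      # ACLs

  if [ "$LDAP_CREATE_SERVICE_ACCOUNTS" = "true" ]; then
    /scripts/init-services.sh
  fi

  load_custom_ldif

  # Record that every init step completed. data.mdb alone is not proof: it
  # appears as soon as the backend exists, so an interrupted first run would
  # otherwise "start normally" next time with later steps (e.g. ACLs) never
  # applied.
  : > "$LDAP_INIT_MARKER"
  log_info "Initialization complete."
elif [ ! -f "$LDAP_INIT_MARKER" ]; then
  # Also fires for volumes initialised by older versions of this script
  # (which wrote no marker); it is a warning, not a hard stop.
  log_warn "Database exists but no init marker found - if the first run was interrupted, overlays/ACLs may be incomplete; verify cn=config or re-create the volume"
else
  log_info "Database exists - starting normally."
fi

# slapd runs as ldap:ldap; make sure it owns its state, config and socket dir
chown -R ldap:ldap /var/lib/openldap
chown -R ldap:ldap /etc/openldap/slapd.d
chown -R ldap:ldap /run/openldap

# Listener list. The plaintext ldap:/// listener is always offered, even with
# TLS on; this script does not require TLS (e.g. via olcSecurity), so restrict
# the plaintext port at the network level if that is a requirement.
SLAPD_URLS="ldap:/// $LDAPI_SOCKET"
if [ "$LDAP_TLS_ENABLED" = "true" ]; then
  if [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
    SLAPD_URLS="ldap:/// ldaps:/// $LDAPI_SOCKET"
    log_info "TLS enabled - listening on ldaps://"
  else
    # Deliberately not fatal: the container still starts, plaintext only
    log_warn "TLS enabled but certificates not found - skipping ldaps://"
  fi
fi
log_info "Starting slapd with URLs: $SLAPD_URLS"

# -d keeps slapd in the foreground (the container's main process) and sends
# its log to stderr at LDAP_LOG_LEVEL
exec /usr/sbin/slapd -h "$SLAPD_URLS" \
  -F /etc/openldap/slapd.d \
  -u ldap -g ldap \
  -d "${LDAP_LOG_LEVEL}"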