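#!/bin/sh
# Apply the access-control rules (olcAccess) for the {1}mdb database.
#
# A throw-away slapd is started bound only to the local ldapi socket, the ACL
# LDIF is applied over SASL EXTERNAL (peer-credential auth on the unix socket),
# and the daemon is shut down again.
#
# Required environment:
#   LDAP_BASE_DN   directory suffix, e.g. dc=example,dc=org
# Helpers log_info and wait_for_slapd come from /scripts/utils.sh.
set -e
. /scripts/utils.sh

log_info "Configuring ACLs..."

# Fail early rather than emit rules with a dangling "cn=admin," DN.
: "${LDAP_BASE_DN:?LDAP_BASE_DN must be set}"
# The base DN is interpolated inside double-quoted ACL clauses below; a literal
# quote would change the meaning of the rules, so refuse it outright.
case $LDAP_BASE_DN in
  *\"*)
    printf 'LDAP_BASE_DN must not contain a double quote: %s\n' "$LDAP_BASE_DN" >&2
    exit 1
    ;;
esac

# ldapi URL: the socket path must be URL-encoded ("/" -> "%2F").
LDAPI_SOCKET="ldapi://%2Frun%2Fopenldap%2Fldapi"

# Run slapd in the foreground (-d 0: no detach, no debug output) and background
# it from the shell so we hold its PID and stop exactly this instance, instead
# of pkill'ing every slapd on the host.
log_info "Starting slapd temporarily for ACL configuration..."
/usr/sbin/slapd -d 0 -h "$LDAPI_SOCKET" -F /etc/openldap/slapd.d -u ldap -g ldap &
SLAPD_PID=$!

# Whatever happens below (ldapmodify failure, wait_for_slapd timeout, signal),
# never leave the temporary daemon running.  Safe to call more than once.
stop_slapd() {
  if kill -0 "$SLAPD_PID" 2>/dev/null; then
    kill "$SLAPD_PID" 2>/dev/null || true
    # Reap it; a signalled slapd exits non-zero, which is expected here.
    wait "$SLAPD_PID" 2>/dev/null || true
  fi
}
trap stop_slapd EXIT
trap 'exit 1' INT TERM

# wait_for_slapd polls the socket, so no fixed sleep is needed.
wait_for_slapd 30 "$LDAPI_SOCKET"

log_info "Applying ACL rules..."
# The LDIF is fed on stdin: no predictable file under /tmp, nothing to clean up.
# SASL EXTERNAL over ldapi as root maps to
# gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, which cn=config must
# grant access to (distribution defaults usually do) — verify on a new base image.
#
# Rule order matters: olcAccess is evaluated top-down and the first rule whose
# "to" matches decides, unless its "by" clause says "break" (continue).
#   {0} cn=admin may manage everything; everyone else falls through.
#   {1} userPassword: the owner may change it, anonymous may bind with it,
#       nobody else (service accounts included) may read it.  Must precede
#       the broader read grants below.
#   {2} users may read their own entry under ou=People.
#   {3}-{5} service accounts get read access to the subtrees they need.
#   {6} catch-all: any authenticated identity may read the rest, anonymous gets
#       nothing.  Note this also exposes ou=Services entries (minus password)
#       to every bound user — tighten if that is not intended.
ldapmodify -Y EXTERNAL -H "$LDAPI_SOCKET" <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="cn=admin,${LDAP_BASE_DN}" manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to dn.children="ou=People,${LDAP_BASE_DN}" by self read by * break
olcAccess: {3}to dn.subtree="ou=People,${LDAP_BASE_DN}" by dn.exact="cn=keycloak,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=nextcloud,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=gitea,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=sssd,ou=Services,${LDAP_BASE_DN}" read by * break
olcAccess: {4}to dn.subtree="ou=Groups,${LDAP_BASE_DN}" by dn.exact="cn=keycloak,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=nextcloud,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=gitea,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=sssd,ou=Services,${LDAP_BASE_DN}" read by * break
olcAccess: {5}to dn.subtree="ou=Domains,${LDAP_BASE_DN}" by dn.exact="cn=postfix,ou=Services,${LDAP_BASE_DN}" read by dn.exact="cn=dovecot,ou=Services,${LDAP_BASE_DN}" read by * break
olcAccess: {6}to * by users read by * none
EOF

# Explicit stop so the success path is not reliant on the EXIT trap; the trap
# then finds nothing to do.
log_info "Stopping temporary slapd..."
stop_slapd

log_info "ACL configuration complete"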