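#!/bin/bash
#
# OpenVPN auth-user-pass-verify script (via-file mode).
#
# Usage: <script> <credentials-file>
#
# The credentials file carries the username on line 1 and the password on
# line 2.  Authentication succeeds only when all of the following hold:
#   1. the username equals the certificate common name OpenVPN exports in
#      the environment variable common_name,
#   2. the user can bind to the LDAP server with the given password,
#   3. the user is listed exactly once as memberUid of the OpenVPN group.
#
# Environment: common_name (read; set by OpenVPN).  TLS_CACERT is set for
# each ldapsearch call so the server certificate is verified against the
# configured CA.
# Exit status: 0 when all checks pass, 1 otherwise.  Diagnostics go to
# stderr.

set -u -o pipefail

readonly ldap_base_p="ou=people,dc=example,dc=org"
readonly ldap_base_g="ou=group,dc=example,dc=org"
readonly ldap_uri="ldaps://ldap.example.org:636/"
readonly ca_cert=/etc/ca-cert.pem

#######################################
# Print a message to stderr and exit with status 1 (= deny access).
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ $# -ne 1 ]; then
  printf 'Usage: %s filename\n' "$0" >&2
  exit 1
fi
[ -f "$1" ] || die "Error: $1 is not a file"

# Read the two credential lines.  -r keeps backslashes literal and IFS=
# preserves leading/trailing whitespace, so the password is taken exactly
# as written.
exec 3< "$1"
IFS= read -r -u 3 username
IFS= read -r -u 3 password
exec 3<&-

[ -n "$username" ] || die "Error: no username"
[ -n "$password" ] || die "Error: no password"
[ "$username" = "${common_name:-}" ] \
  || die "Error: username does not match common name"

# The username is interpolated into an LDAP DN and into two search filters.
# Restrict it to characters that need no RFC 4514 (DN) / RFC 4515 (filter)
# escaping so that user-controlled input cannot alter the DN or the filter.
# Broaden this set only together with proper escaping of both.
if ! [[ "$username" =~ ^[A-Za-z0-9._@-]+$ ]]; then
  die "Error: username contains unsupported characters"
fi

# Hand the password to ldapsearch through a private (0600) temp file with
# -y rather than on the command line with -w, where it would be visible to
# every local user in the process list.  -y uses the complete file
# contents as the password, so it is written without a trailing newline.
pw_file=$(mktemp) || die "Error: cannot create temporary file"
trap 'rm -f -- "$pw_file"' EXIT
printf '%s' "$password" > "$pw_file" \
  || die "Error: cannot write temporary file"

# Step 2: bind as the user.  ldapsearch exits non-zero when the bind (and
# therefore the password) is rejected; only the exit status matters here.
# The filter and the requested attribute are separate arguments.
TLS_CACERT="$ca_cert" /usr/bin/ldapsearch \
  -x \
  -H "${ldap_uri}" \
  -b "${ldap_base_p}" \
  -D "uid=${username},${ldap_base_p}" \
  -y "$pw_file" \
  "(uid=${username})" dn >/dev/null 2>&1
rv=$?
[ "$rv" -eq 0 ] || die "Error: ldapsearch returned $rv"

# Step 3: anonymous search of the OpenVPN group; count the exact
# "memberUid: <username>" lines in the result.  -F and -x make this a
# fixed-string, whole-line match instead of a regex built from user input.
count=$(TLS_CACERT="$ca_cert" /usr/bin/ldapsearch \
  -x -LLL \
  -H "${ldap_uri}" \
  -b "${ldap_base_g}" \
  "(&(cn=OpenVPN)(memberUid=${username}))" memberUid \
  | grep -c -x -F -- "memberUid: ${username}")
[ "$count" -eq 1 ] || die "Error: user is not in the OpenVPN group"

exit 0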