################################################################################
# Domain Services for Windows Provisioning Tool
#
# See the file LICENSE for redistribution information.
#
# Copyright (c) 2001-2007
#	Novell, Inc.  All rights reserved.
################################################################################

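# Provisioning configuration read from xad.ini through printConfigKey.pl
# (resolved via PATH). Simple assignment (:=) reads each key exactly once at
# parse time instead of re-running printConfigKey.pl on every reference, so
# every recipe sees the same value for a key.
# NOTE(review): these values are spliced unquoted into shell recipes below;
# the configuration file is trusted input and must only be writable by root.
NETBIOSNAME	:= $(shell printConfigKey.pl "Netbios Name")
DNSROOT		:= $(shell printConfigKey.pl "DNS Root")
XADROOT		:= $(shell printConfigKey.pl "Prefix")
NDSROOT		:= $(shell printConfigKey.pl "EdirPrefix")
LIVE_ETCDIR	:= $(shell printConfigKey.pl "SysConfDir")
LIVE_LOCALSTATEDIR := $(shell printConfigKey.pl "LocalStateDir")
_LIB		:= $(shell printConfigKey.pl "_Lib")
INSTALLMACHINENAME := $(shell printConfigKey.pl "InstallMachineName")
DNSHOSTNAME	:= $(shell printConfigKey.pl "DNS Host Name")
DNSMASTER	:= $(shell printConfigKey.pl "DNS Master")
NDS		:= $(shell printConfigKey.pl "NDS")
# DNS root with every '.' replaced by '_' (pure make, no sed needed).
DNSZONE		:= $(subst .,_,$(DNSROOT))

DEFAULTROOTDOMAIN	:= $(shell printConfigKey.pl "Domain NC")
MAPPEDDOMAINNC		:= $(shell printConfigKey.pl "Mapped Domain NC")
DOMAINSID		:= $(shell printConfigKey.pl "Domain SID")
DEFAULTPARENTNC		:= $(shell printConfigKey.pl "Parent NC")
FORESTROOT		:= $(shell printConfigKey.pl "Forest Root")
FORESTPARENTNC		:= $(shell printConfigKey.pl "Forest Parent NC")
PARENTDOMAIN		:= $(shell printConfigKey.pl "Parent Domain")
PARENTDOMAINNC		:= $(shell printConfigKey.pl "Parent Domain NC")
NDSFORESTNC		:= $(shell printConfigKey.pl "NDS Forest Context")
LDAPFORESTNC		:= $(shell printConfigKey.pl "Forest NC")
DEFAULTCONFIGNC		:= $(shell printConfigKey.pl "Configuration NC")
MAPPEDCONFIGNC		:= $(shell printConfigKey.pl "Mapped Configuration NC")
SCHEMA			:= $(shell printConfigKey.pl "Schema DN Name")
MAPPEDSCHEMA		:= $(shell printConfigKey.pl "Mapped Schema DN Name")
LINKENGINE		:= $(shell printConfigKey.pl "LinkEngine NC")
IS_FOREST_ROOT		:= $(shell printConfigKey.pl "Is Forest Root")
IS_REPLICA		:= $(shell printConfigKey.pl "Is Replica")
IS_FIRST_SERVER		:= $(shell printConfigKey.pl "Is First Server In Forest")
# A literal comma cannot be written directly as a $(subst) argument.
comma			:= ,
# Mapped domain NC with the ',' separators turned into '.'.
DOMAINNAME		:= $(subst $(comma),.,$(MAPPEDDOMAINNC))
# Plain string composition; no shell needed.
NDSTEMPCONTAINER	:= OU=Novell,$(MAPPEDDOMAINNC)
# Kept recursive (=): NDSEXISTINGADMINNAME is not set in this file (it is
# expected from the environment or a later definition), so it is resolved at
# the time of use. Replaces each '.' that precedes an attribute-type '=' with
# ',' (dotted eDirectory name -> LDAP DN).
LDAPDOMAINADMINNAME		= $(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')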

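# Replica parameters
# Static values from xad.ini are read once (:=). The lookups that talk to the
# network (provision --locate-dc, provisionTools.sh, ldapsearch) deliberately
# stay recursive (=) so they only run when a recipe actually references them;
# note that a recursive $(shell) re-runs on every reference.
MACHINEGUID		:= $(shell printConfigKey.pl "Machine GUID")
PROVIDER		:= $(shell printConfigKey.pl "Replication Provider")
# Locate a domain controller of the forest root / parent domain (network lookup).
FORESTROOTDOMAINPROVIDER= $(shell /opt/novell/xad/sbin/provision -q -q --locate-dc $(FORESTROOT))
ACTUALFORESTNC		= $(shell /opt/novell/xad/share/dcinit/provisionTools.sh actual-forest-nc)
PARENTDOMAINPROVIDER	= $(shell /opt/novell/xad/sbin/provision -q -q --locate-dc $(PARENTDOMAIN))
# Plain string composition; no shell needed (still recursive so ACTUALFORESTNC
# is only looked up on use).
PARTITIONSNC		= cn=Partitions,cn=Configuration,$(ACTUALFORESTNC)
IPADDRESS		:= $(shell printConfigKey.pl "IP Address")
SITE			:= $(shell printConfigKey.pl "Site")
COMPUTERSCONTAINER	:= $(shell printConfigKey.pl "Computers Container")
SERVERSCONTAINER	:= $(shell printConfigKey.pl "Servers Container")
SERVERDN		:= $(shell printConfigKey.pl "Server DN Name")
NATIVE_REPL		:= $(shell printConfigKey.pl "Native Replica")
NATIVE_SECURITY		:= $(shell printConfigKey.pl "Native Security")
ifeq ($(IS_REPLICA), TRUE)
DOMAINPROVIDER		= $(shell /opt/novell/xad/sbin/provision -q -q --locate-dc $(DNSROOT))
# RID master: read fSMORoleOwner from the "RID Manager$" object ($$ is a
# literal $ for the shell) and reduce the role-owner DN to its second RDN
# value, lower-cased.
ADPHMASTER		= $(shell /usr/bin/ldapsearch -h $(DOMAINPROVIDER) -Y GSS-SPNEGO -b 'CN=RID Manager$$,CN=System,$(MAPPEDDOMAINNC)' -LLL 2>/dev/null | grep -i 'fSMORoleOwner: ' | awk -F ": " '{print $$2}' | awk -F "," '{print $$2}' | awk -F "cn=" '{print $$2}' | tr '[:upper:]' '[:lower:]')
ADPHMASTERFQDN		= $(ADPHMASTER).$(DNSROOT)
endif

# Migration parameters
MIGRATIONSRC		:= $(shell printConfigKey.pl "Migration Source")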

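# Trustposixoffset calculation, and the POSIX ids derived from it.
#
# Additional (non-forest-root) domain provisioned as its first server: the
# offset is the forest's current uSNIntersite value plus 5242880; when the
# lookup yields nothing the fixed default 6291456 is used. The forest root
# domain uses fixed ids.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
# Simple assignment: the ldapsearch against the forest root DC runs once here,
# not again on every reference to TRUSTPOSIXOFFSET or the ids below.
Search_TPO := $(shell /usr/bin/ldapsearch -h $(FORESTROOTDOMAINPROVIDER) -Y GSS-SPNEGO -b 'CN=Partitions,CN=Configuration,$(LDAPFORESTNC)' -LLL 2>/dev/null | grep -i 'usnintersite: ' | awk -F ": " '{print $$2}')
ifneq ($(Search_TPO),)
TRUSTPOSIXOFFSET	:= $(shell expr $(Search_TPO) + 5242880)
else
TRUSTPOSIXOFFSET	:= 6291456
endif
# expr prints nothing when Search_TPO was not a single integer; fail now
# rather than writing an empty offset into xad.ini and the domain LDIF.
ifeq ($(strip $(TRUSTPOSIXOFFSET)),)
$(error TRUSTPOSIXOFFSET could not be computed from uSNIntersite value "$(Search_TPO)")
endif
# Administrator's UID and domain Admin GID computation
ADMINISTRATOR_UID	:= $(shell expr $(TRUSTPOSIXOFFSET) + 1)
DOMAIN_ADMINS_GID	:= $(shell expr $(TRUSTPOSIXOFFSET) + 6)
endif
endif

ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ADMINISTRATOR_UID	:= 1049076
DOMAIN_ADMINS_GID	:= 1049088
endif

GP_CREATOR_OWNER_GRP	:= 1049096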

# Staging tree: everything is generated under STAGEDIR, mirroring the live
# filesystem layout, and copied over / by install_stage.
# NOTE(review): /tmp/dcinit-<name> is a predictable path in a world-writable
# directory and "mkdir -p" reuses it whoever created it; a private parent
# directory would be safer.
STAGEDIR	= /tmp/dcinit-$(NETBIOSNAME)
PREFIX		= $(STAGEDIR)$(XADROOT)
LOCALSTATEDIR	= $(STAGEDIR)$(LIVE_LOCALSTATEDIR)
ETCDIR		= $(STAGEDIR)$(LIVE_ETCDIR)
LIBDIR		= $(PREFIX)/$(_LIB)
DSSTATEDIR	= $(LOCALSTATEDIR)/ds

DCINIT_LOG	= $(LOCALSTATEDIR)/log/dcinit.log
CHANGES_LOG	= /var/opt/novell/xad/log/dsfw-changes.log

# Group Policy directories under sysvol; the GUIDs are the well-known
# Default Domain Policy and Default Domain Controllers Policy identifiers.
DOMAINGPODIR	= $(LOCALSTATEDIR)/sysvol/domain/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
DCGPODIR	= $(LOCALSTATEDIR)/sysvol/domain/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
LIVE_DOMAINGPODIR	= $(LIVE_LOCALSTATEDIR)/sysvol/domain/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}

# LIVE_* variables name the installed (non-staged) locations.
LIVE_DSSTATEDIR		= $(LIVE_LOCALSTATEDIR)/ds

TEMPLATEDIR	= $(XADROOT)/share/dcinit/templates
GPODIR		= $(TEMPLATEDIR)/gpo
NAMEDDIR	= $(STAGEDIR)/var/lib/named

TEXTDOMAINDIR	= $(XADROOT)/share/locale
TEXTDOMAIN	= xad

ifeq ($(NDS),TRUE)
# overrides getpass() to read password from ADM_PASSWD environment variable
# (the recipes still pass -W so the LDAP tools call getpass(); the password
# therefore comes from the environment and never appears on a command line)
LDAPCOMMON	= LD_PRELOAD=$(XADROOT)/$(_LIB)/libadmpasswd.so
else
LDAPCOMMON	=
endif

# Every LDAP client is prefixed with LDAPCOMMON (the LD_PRELOAD, if any).
LDAPMODIFY	= $(LDAPCOMMON) /usr/bin/ldapmodify
LDAPSEARCH	= $(LDAPCOMMON) /usr/bin/ldapsearch
LDAPPASSWD	= $(LDAPCOMMON) /usr/bin/ldappasswd
LDAPEXOP	= $(LDAPCOMMON) /usr/bin/ldapexop
LDAPMODRDN	= $(LDAPCOMMON) /usr/bin/ldapmodrdn
LDAPDELETE	= $(LDAPCOMMON) /usr/bin/ldapdelete

# Off-line OpenLDAP tools (slapadd is used for the bulk schema import).
SLAPCAT		= $(XADROOT)/sbin/slapcat
SLAPADD		= $(XADROOT)/sbin/slapadd
SLAPINDEX	= $(XADROOT)/sbin/slapindex

DB_RECOVER	= $(XADROOT)/bin/db_recover
DB_VERIFY	= $(XADROOT)/bin/db_verify

XTRUST 		= $(XADROOT)/sbin/xtrust
MIGRATE_NKDC	= $(XADROOT)/sbin/migrate_nkdc_realm
GPO2NMAS	= $(XADROOT)/sbin/gpo2nmas

# eDirectory tools.
LDIF2DIB	= $(NDSROOT)/bin/ldif2dib
NDSCONFIG	= $(NDSROOT)/bin/ndsconfig
LDAPCONFIG	= $(NDSROOT)/bin/ldapconfig
NDSSCH		= $(NDSROOT)/bin/ndssch
NMASINST	= $(NDSROOT)/bin/nmasinst
NDSTRACE	= $(NDSROOT)/bin/ndstrace
NDSSTAT  	= $(NDSROOT)/bin/ndsstat

LIVE_NDSETCDIR	= /etc/$(NDSROOT)
NDSETCDIR	= $(STAGEDIR)$(LIVE_NDSETCDIR)
LIVE_NDSCONFDIR	= $(LIVE_NDSETCDIR)/conf
NDSCONFDIR	= $(STAGEDIR)$(LIVE_NDSCONFDIR)
# TEMPDIR holds one zero-length marker file per completed step (each recipe
# ends with "touch $(TEMPDIR)/<target>"). Because VPATH points at it, make
# also looks there for the target files themselves: a target with no
# prerequisites whose marker exists is "up to date" and its recipe is
# skipped on a later run -- presumably so an interrupted provisioning run
# can be resumed. Marking these targets .PHONY would defeat this; "clean"
# removes the markers along with STAGEDIR.
TEMPDIR= $(STAGEDIR)$(LIVE_LOCALSTATEDIR)/tmp
VPATH=$(TEMPDIR)

NMASMTHDDIR	= $(XADROOT)/share/nmasmthd

# extended operation for migrating DIB from V1 to V2
MIGRATE_V1_DIB_EXOP		= 1.3.6.1.4.1.5322.15.3.4
MIGRATE_V1_RID_POOLS_EXOP	= 1.3.6.1.4.1.5322.15.3.5

# Local IPC endpoint of slapd (percent-encoded socket path). The value
# carries its own double quotes, so a recipe that quotes it again hands the
# shell "" + url + "", which is still one word.
LDAPI_URL		= "ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi"

#
# For eDirectory, for bootstrapping reasons when provisioning the first
# domain controller in a forest we need to use simple bind over IPC.
#
# After that, we should be able to use Kerberos secured connection to
# an existing domain controller in the domain. If there are problems
# doing this, then comment out the IS_FIRST_SERVER test below.
#
# Connection/bind flags shared by the LDAP write tools:
#  - first eDirectory server: simple bind (-x) as LDAPADMINNAME over the
#    local ldapi socket; -W makes the tool call getpass(), which the
#    LDAPCOMMON preload answers from ADM_PASSWD. LDAPADMINNAME is not set
#    in this file.
#  - later eDirectory servers: GSS-SPNEGO (Kerberos) to the parent domain DC.
#  - OpenLDAP back end: SASL EXTERNAL over ldapi (peer credentials).
#
ifeq ($(NDS),TRUE)
ifeq ($(IS_FIRST_SERVER),TRUE)
LDAPCOMMON_FLAGS	= -H $(LDAPI_URL) -x -D "$(LDAPADMINNAME)" -W
else
LDAPCOMMON_FLAGS	= -h $(PARENTDOMAINPROVIDER) -Y GSS-SPNEGO
endif
else
LDAPCOMMON_FLAGS	= -H $(LDAPI_URL) -Y EXTERNAL
endif

# A replica always talks to its replication provider over Kerberos; this
# overrides the choice made above.
ifeq ($(IS_REPLICA),TRUE)
LDAPCOMMON_FLAGS	= -h $(PROVIDER) -Y GSS-SPNEGO
endif

LDAPMODIFY_FLAGS	= $(LDAPCOMMON_FLAGS)
# -a: treat every LDIF record as an add.
LDAPADD_FLAGS		= $(LDAPCOMMON_FLAGS) -a
LDAPEXOP_FLAGS		= $(LDAPCOMMON_FLAGS)
LDAPMODRDN_FLAGS	= $(LDAPCOMMON_FLAGS)
LDAPDELETE_FLAGS	= $(LDAPCOMMON_FLAGS)
# Searches use GSSAPI regardless of the above, with paged results
# (1000 entries per page, no prompting between pages).
LDAPSEARCH_FLAGS	= -Y GSSAPI -E pr=1000/noprompt -LLL
LDIF2DIB_FLGS		=
# Password-setting flags. NOTE(review): the -e ADM_PASSWD form presumably
# takes the password from that environment variable on eDirectory -- confirm
# against the setpassword tool.
ifeq ($(NDS),TRUE)
SETPASSWORD_FLAGS	= -NDOSf
SETPASSWORD_ADM_FLAGS	= $(SETPASSWORD_FLAGS) -e ADM_PASSWD
else
SETPASSWORD_FLAGS	= -DOSf
SETPASSWORD_ADM_FLAGS	= $(SETPASSWORD_FLAGS)
endif

# slapadd: -s disables schema checking; the provider additionally passes -w
# (use contextCSN information from the input).
SLAPADD_PROVIDER_FLAGS	= -s -w
SLAPADD_CONSUMER_FLAGS	= -s

# Optional schema server (ROOT_SERVER is not set in this file; presumably
# consumed by the ndssch invocation).
ifneq ($(ROOT_SERVER),)
SCH_SERVER		= -h $(ROOT_SERVER)
endif

EULA_AGREED_FILE = $(LIVE_ETCDIR)/.eula_agreed

# First rule in the file: a bare "make" (no .DEFAULT_GOAL is set here) builds
# "dummy" and does nothing, so a goal must always be named explicitly.
dummy:

# Full provisioning sequence, chosen by the directory back end.
# NOTE(review): nds_all and bootstrap are not defined above this point --
# confirm they exist further down.
ifeq ($(NDS),TRUE)
all: nds_all
else
all: stage install import bootstrap clean
endif

################################################################################
# Staging targets
################################################################################
# "stage" populates the staging tree: directories and base configuration
# first, then the generated LDIF, then the per-service configuration.
stage: stage_common_pre stage_ldif stage_common_post

stage_common_pre: stage_dirs stage_default_config stage_default_config_replace_domainguid stage_ntp stage_libldap stage_rc

# stage_dns and stage_sysvol are not part of "stage" (stage_sysvol is
# reached through nds_create_gpo).
stage_common_post: stage_slapd stage_ndsd stage_krb5 stage_samba stage_xadsd

# Create the staging directory skeleton. The ds/ state directories are
# private (700), ds/ itself is group-readable so "named" can be granted
# access (chgrp failure is tolerated while staging).
stage_dirs:
	@echo ">>> `gettext "Preparing staging directory tree"`"
	@mkdir -p $(STAGEDIR) $(ETCDIR) $(ETCDIR)/openldap \
		$(LOCALSTATEDIR) $(LOCALSTATEDIR)/log $(LOCALSTATEDIR)/rpc/PIPE \
		$(LOCALSTATEDIR)/run $(LOCALSTATEDIR)/run/ntp \
		$(STAGEDIR)/etc/sysconfig $(STAGEDIR)/etc/sysconfig/novell \
		$(STAGEDIR)/etc$(NDSROOT)/conf
	@mkdir -p -m 750 $(DSSTATEDIR)
	@-chgrp named $(DSSTATEDIR)
	@mkdir -p -m 700 $(DSSTATEDIR)/config $(DSSTATEDIR)/domain \
		$(DSSTATEDIR)/schema $(DSSTATEDIR)/samify $(TEMPDIR)
	@test "X$(NDS)" = "XTRUE" || mkdir -p -m 700 $(DSSTATEDIR)/linkengine
	@touch $(TEMPDIR)/stage_dirs

# Save the configuration this run was started from as the live xad.ini.
# DCINIT_CONFIG is not set in this file: the shell test reads it from the
# environment and the copy uses make's view of the same variable (make
# imports environment variables, so both agree when it comes from there).
stage_default_config:
	@echo ">>> `gettext "Saving copy of domain configuration"`"
	@if test "$$DCINIT_CONFIG" != ""; then \
		mkdir -p $(LIVE_ETCDIR) ; \
		cp $(DCINIT_CONFIG) $(LIVE_ETCDIR)/xad.ini; \
	fi;
# The ifeq/ifneq below are resolved when the file is parsed; only the
# matching recipe lines exist at run time.
ifeq ($(IS_REPLICA),TRUE)
# Replica: record the mapped domain NC (dotted context rewritten with
# commas). NDSADMINSERVERCONTEXT is not set in this file. This appends, so
# a repeated run adds a second line.
	@echo "Mapped Domain NC = $(NDSADMINSERVERCONTEXT)" | sed 's/\./,/g' >> $(LIVE_ETCDIR)/xad.ini
endif

ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
# Additional domain, first server: persist the computed offset.
	@echo "TRUSTPOSIXOFFSET = $(TRUSTPOSIXOFFSET)" >> $(LIVE_ETCDIR)/xad.ini
endif
endif
	@touch  $(TEMPDIR)/stage_default_config

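# DOMAINGUID is a backquoted command, expanded by the shell when the recipe
# runs, so the GUID is fetched from the DC at IPADDRESS only for this step.
stage_default_config_replace_domainguid: DOMAINGUID=`/opt/novell/xad/share/dcinit/provisionTools.sh get-domain-guid -p $(IPADDRESS) -c $(MAPPEDDOMAINNC)`
stage_default_config_replace_domainguid:
# Rewrite the "Domain GUID" line of the live xad.ini. The scratch copy is
# written next to the target (a fixed name in world-writable /tmp could be
# pre-created by another local user) and replaces the original only when
# sed succeeded; otherwise it is removed and the step fails.
	@sed -e "s/^Domain GUID.*/Domain GUID = $(DOMAINGUID)/g" $(LIVE_ETCDIR)/xad.ini > $(LIVE_ETCDIR)/xad.ini.tmp \
		&& mv -f $(LIVE_ETCDIR)/xad.ini.tmp $(LIVE_ETCDIR)/xad.ini \
		|| { rm -f $(LIVE_ETCDIR)/xad.ini.tmp; exit 1; }
	@touch $(TEMPDIR)/stage_default_config_replace_domainguid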

# Stage the BIND configuration for the domain zone. Not referenced by any
# rule above.
stage_dns:
	@echo ">>> `gettext "Configuring Domain Name Server"`"
	@mkdir -p $(STAGEDIR)/etc/named.d
	@mkdir -p $(NAMEDDIR)
	@mkdir -p $(NAMEDDIR)/dyn
# chown failures are tolerated (the "named" user may not exist at staging time).
	@-chown named.named $(NAMEDDIR)/dyn
# DNS master: the zone config is enabled and named's sysconfig generated;
# otherwise only a ".default" copy of the zone config is written.
	@if test "X$(DNSMASTER)" = "XTRUE"; then \
		regSubstitute.pl < $(TEMPLATEDIR)/domain-zone.conf > $(STAGEDIR)/etc/named.d/domain-zone.conf; \
		regSubstitute.pl < $(TEMPLATEDIR)/named.sysconfig > $(STAGEDIR)/etc/sysconfig/named; \
	else \
		regSubstitute.pl < $(TEMPLATEDIR)/domain-zone.conf > $(STAGEDIR)/etc/named.d/domain-zone.conf.default; \
	fi;
# Forward zone (under dyn/) and the reverse zone for this host's address.
	@regSubstitute.pl < $(TEMPLATEDIR)/dns.zone > $(NAMEDDIR)/dyn/$(DNSROOT).zone
	@-chown named.named $(NAMEDDIR)/dyn/$(DNSROOT).zone
	@regSubstitute.pl < $(TEMPLATEDIR)/dc-reverse.zone > $(NAMEDDIR)/$(IPADDRESS).zone
	@-chown named.named $(NAMEDDIR)/$(IPADDRESS).zone
# eDirectory: private NICI directory owned by named (errors ignored).
	-@if test "X$(NDS)" = "XTRUE"; then \
		mkdir -p -m 700 $(STAGEDIR)/var/opt/novell/nici/44; \
		chown named.named $(STAGEDIR)/var/opt/novell/nici/44; \
	fi
	@touch  $(TEMPDIR)/stage_dns

# Generate the LDIF, one naming context per step (stage_linkengine does
# nothing on eDirectory).
stage_ldif: stage_linkengine stage_schema stage_config stage_domain

#
# The schema DIB is imported off-line because it is quite large.
# (This only generates it; the import happens in import_schema_offline.)
#
stage_schema: stage_schema_prepare stage_schema_aggregate

# NB: --offline is a NOOP for eDirectory
# Generate the schema NC LDIF and its back-link companion.
stage_schema_prepare:
	@echo ">>> `gettext "Preparing Schema Naming Context"`"
	@out="$(DSSTATEDIR)/schema"; \
	genLdif.pl $(TEMPLATEDIR)/schema.ini --offline --schema > "$$out/schema.ldif" && \
	genLdif.pl $(TEMPLATEDIR)/schema-bl.ini --schema > "$$out/schema-bl.ldif"
	@touch $(TEMPDIR)/stage_schema_prepare

# Derive the server-side schema files from the generated schema LDIF.
# eDirectory gets a single msds.sch; OpenLDAP gets the Microsoft schema, the
# DIT content rules and the fixed schema files copied alongside.
stage_schema_aggregate:
	@echo ">>> `gettext "Generating Aggregate Schema"`"
	@if test "X$(NDS)" != "XTRUE"; then \
		schemadir=$(ETCDIR)/openldap/schema; \
		mkdir -p $$schemadir; \
		aggregateSchema.pl $(DSSTATEDIR)/schema/schema.ldif --schema > $$schemadir/microsoft.schema; \
		aggregateSchema.pl $(DSSTATEDIR)/schema/schema.ldif --contentrules > $$schemadir/contentrules.schema; \
		cp $(TEMPLATEDIR)/xad.schema $(TEMPLATEDIR)/ns-pwd-policy.schema $(TEMPLATEDIR)/linkengine.schema $$schemadir; \
	else \
		aggregateSchema.pl $(DSSTATEDIR)/schema/schema.ldif --ndsschema > $(ETCDIR)/msds.sch; \
	fi
	@touch $(TEMPDIR)/stage_schema_aggregate

# Generate the configuration NC LDIF. Forest root: the full configuration NC
# plus the first machine's objects (and their back-links); additional
# domain: the "addl" subset only.
stage_config:
	@echo ">>> `gettext "Preparing Configuration Naming Context"`"
	@case "$(IS_FOREST_ROOT)" in \
	TRUE) \
		genLdif.pl $(TEMPLATEDIR)/config.ini --defaultconfignc > $(DSSTATEDIR)/config/config.ldif; \
		genLdif.pl $(TEMPLATEDIR)/config.ini --defaultfirstmachine >> $(DSSTATEDIR)/config/config.ldif; \
		genLdif.pl $(TEMPLATEDIR)/config-bl.ini --defaultconfignc > $(DSSTATEDIR)/config/config-bl.ldif; \
		genLdif.pl $(TEMPLATEDIR)/config-bl.ini --defaultfirstmachine >> $(DSSTATEDIR)/config/config-bl.ldif;; \
	*) \
		genLdif.pl $(TEMPLATEDIR)/config-addl.ini --defaultconfignc > $(DSSTATEDIR)/config/config-addl.ldif; \
		genLdif.pl $(TEMPLATEDIR)/config-addl-bl.ini --defaultconfignc > $(DSSTATEDIR)/config/config-addl-bl.ldif;; \
	esac
	@touch $(TEMPDIR)/stage_config

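# The existing-admin password is meant to reach the getpass() override in
# LDAPCOMMON when $(LDAPSEARCH) prompts (-W).
# NOTE(review): a target-specific make variable is only placed in the
# recipe's environment if it is exported (no "export ADM_PASSWD" is visible
# in this file) -- confirm. NDSEXISTINGADMINPASSWD is not set in this file.
stage_domain: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
stage_domain:
	@echo ">>> `gettext "Preparing Domain Naming Context"`"
	@mkdir -p $(DSSTATEDIR)/dns
# Domain NC LDIF: the domain object, its TCB, DNS association and the
# post-create modify. domain-object.ldif is written twice; the second
# (domain-object.ini) is the one that survives.
	@genLdif.pl $(TEMPLATEDIR)/domain.ini --defaultrootdomainobject > $(DSSTATEDIR)/domain/domain-object.ldif
	@genLdif.pl $(TEMPLATEDIR)/domain-tcb.ini --defaultrootdomainobject > $(DSSTATEDIR)/domain/domain-tcb.ldif
	@genLdif.pl $(TEMPLATEDIR)/domain-object.ini --defaultrootdomainobject > $(DSSTATEDIR)/domain/domain-object.ldif
	@genLdif.pl $(TEMPLATEDIR)/domaindns-associate.ini --defaultrootdomainobject > $(DSSTATEDIR)/domain/domaindns-associate.ldif
	@genLdif.pl $(TEMPLATEDIR)/domain-object-modify.ini --defaultrootdomainobject > $(DSSTATEDIR)/domain/domain-object-modify.ldif
	@touch $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif
	@echo ">>> `gettext "Generating Domain Intruder Detection Policies"`"
# Intruder-detection (account lockout) attributes for the domain container.
# For a new domain NC all three are written. For an existing container the
# directory is searched once (one bind instead of three) and each attribute
# is added only when the base entry does not already carry it.
# DNs are quoted so a value containing spaces cannot break test(1).
	@if [ "$(MAPPEDDOMAINNC)" = "$(DEFAULTROOTDOMAIN)" ]; then \
		echo "intruderAttemptResetInterval: 1800" >> $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif; \
		echo "intruderLockoutResetInterval: 1800" >> $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif; \
		echo "loginIntruderLimit: 0" >> $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif; \
	else \
		existing=`$(LDAPSEARCH) -x -D "$(LDAPDOMAINADMINNAME)" -W -b "$(MAPPEDDOMAINNC)" -s base`; \
		for attr in intruderAttemptResetInterval:1800 intruderLockoutResetInterval:1800 loginIntruderLimit:0; do \
			name=$${attr%%:*}; value=$${attr#*:}; \
			if ! echo "$$existing" | grep "$$name" > /dev/null 2>&1; then \
				echo "$$name: $$value" >> $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif; \
			fi; \
		done; \
	fi
# Turn the collected attributes into a modify record by prefixing the first
# two lines of the modify LDIF (presumably dn and changetype). The scratch
# file stays inside DSSTATEDIR instead of a fixed name in world-writable
# /tmp, and the original is only replaced when every step succeeded.
	@if [ -s $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif ]; then \
		tmp=$(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif.tmp; \
		head -n 2 $(DSSTATEDIR)/domain/domain-object-modify.ldif > $$tmp && \
		cat $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif >> $$tmp && \
		mv -f $$tmp $(DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif; \
	fi
	@genLdif.pl $(TEMPLATEDIR)/domain.ini --defaultrootdomain > $(DSSTATEDIR)/domain/domain.ldif
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
# Additional domain, first server: patch the computed trustPosixOffset in.
	@provisionTools.sh update-tpo -f $(DSSTATEDIR)/domain/domain.ldif -t $(TRUSTPOSIXOFFSET)
endif
endif
	@genLdif.pl $(TEMPLATEDIR)/domain-bl.ini --defaultrootdomain > $(DSSTATEDIR)/domain/domain-bl.ldif
	@genLdif.pl $(TEMPLATEDIR)/forest.ini --defaultrootdomain > $(DSSTATEDIR)/domain/forest.ldif
	@genLdif.pl $(TEMPLATEDIR)/forest-bl.ini --defaultrootdomain > $(DSSTATEDIR)/domain/forest-bl.ldif
# DNS zone objects: generated under the temporary OU=Novell container, whose
# own dn/OU lines are dropped, with the DNS placeholders substituted.
# DNSDHCP_GROUP, DNSSERVER, DNS_NCPServer, DNSSERVER_CONTEXT and
# DNS_LOCATOR_OBJECT are not set in this file.
	@genLdif.pl $(TEMPLATEDIR)/zone-object.ini --ndstempcontainer | sed -e '/^dn: OU=Novell,/d' | sed -e '/^OU: Novell/d' | sed -e "s/\#DNSDHCP-GROUP\#/\#$(DNSDHCP_GROUP)\#/g" | sed -e "s/{DNSServer}/$(DNSSERVER)/g" | sed -e "s/{DNS_NCPServer}/$(DNS_NCPServer)/g" | sed -e "s/{DNSSERVER_CONTEXT}/$(DNSSERVER_CONTEXT)/g" > $(DSSTATEDIR)/dns/zone-object.ldif
	@genLdif.pl $(TEMPLATEDIR)/DNS-modify.ini --ndstempcontainer | sed -e '/^dn: OU=Novell,/d' | sed -e '/^OU: Novell/d' | sed -e "s/{DNSLocator}/$(DNS_LOCATOR_OBJECT)/g" | sed -e "s/{DNSServer}/$(DNSSERVER)/g" | sed -e "s/{DNS_NCPServer}/$(DNS_NCPServer)/g" | sed -e "s/{DNSSERVER_CONTEXT}/$(DNSSERVER_CONTEXT)/g" | sed -e 's/^-//g' > $(DSSTATEDIR)/dns/DNS-modify.ldif
	@genLdif.pl $(TEMPLATEDIR)/DNS-modify-reverse-zones.ini --ndstempcontainer | sed -e '/^dn: OU=Novell,/d' | sed -e '/^OU: Novell/d' | sed -e "s/{DNSLocator}/$(DNS_LOCATOR_OBJECT)/g" | sed -e "s/{DNSServer}/$(DNSSERVER)/g" | sed -e "s/{DNS_NCPServer}/$(DNS_NCPServer)/g" | sed -e "s/{DNSSERVER_CONTEXT}/$(DNSSERVER_CONTEXT)/g" | sed -e 's/^-//g' > $(DSSTATEDIR)/dns/DNS-modify-reverse-zones.ldif
	@genLdif.pl $(TEMPLATEDIR)/reverse-zone-object.ini --ndstempcontainer | sed -e '/^dn: OU=Novell,/d' | sed -e '/^OU: Novell/d' | sed -e "s/\#DNSDHCP-GROUP\#/\#$(DNSDHCP_GROUP)\#/g" | sed -e "s/{DNSServer}/$(DNSSERVER)/g" | sed -e "s/{DNS_NCPServer}/$(DNS_NCPServer)/g" | sed -e "s/{DNSSERVER_CONTEXT}/$(DNSSERVER_CONTEXT)/g" > $(DSSTATEDIR)/dns/reverse-zone-object.ldif
# eDirectory only: NLDAP settings, NDS domain/server objects, the ACLs that
# grant the domain its rights, and the tree key.
	@if test "X$(NDS)" = "XTRUE"; then \
		genLdif.pl $(TEMPLATEDIR)/nldap.ini --ndstempcontainer > $(DSSTATEDIR)/domain/nldap.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nldap-delete-classlist.ini --ndstempcontainer > $(DSSTATEDIR)/domain/nldap-delete-classlist.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-domain.ini --rootnc > $(DSSTATEDIR)/domain/nds-domain.ldif; \
		genLdif.pl $(TEMPLATEDIR)/computer-container-policy.ini --defaultrootdomain > $(DSSTATEDIR)/domain/computer-container-policy.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-domain-server-reference.ini --ndstempcontainer > $(DSSTATEDIR)/domain/nds-domain-server-reference.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-domain-container.ini --ndstempcontainer > $(DSSTATEDIR)/domain/nds-domain-container.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-admin-acls.ini --defaultparentnc > $(DSSTATEDIR)/domain/nds-admin-acls.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-super-rights-acls.ini --rootnc > $(DSSTATEDIR)/domain/nds-super-rights-acls.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-domain-rights-acls.ini --defaultrootdomain > $(DSSTATEDIR)/domain/nds-domain-rights-acls.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-adc-acls.ini --defaultconfignc > $(DSSTATEDIR)/domain/nds-adc-acls.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-server.ini --defaultrootdomain > $(DSSTATEDIR)/domain/nds-server.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-tree-key.ini --security > $(DSSTATEDIR)/domain/nds-tree-key.ldif; \
	fi
# Additional domain: drop nextRid, objectSid and serverState from the domain
# object (presumably assigned later by the forest) and generate the
# temporary admin plus the extra server objects used to bootstrap it.
	@if test "$(DEFAULTROOTDOMAIN)" != "$(LDAPFORESTNC)"; then \
		grep -v nextRid $(DSSTATEDIR)/domain/domain-object.ldif | grep -v objectSid | grep -v serverState > $(DSSTATEDIR)/domain/domain-obj.ldif; \
		mv $(DSSTATEDIR)/domain/domain-obj.ldif $(DSSTATEDIR)/domain/domain-object.ldif; \
		genLdif.pl $(TEMPLATEDIR)/temporary-admin.ini --defaultrootdomain > $(DSSTATEDIR)/domain/temporary-admin.ldif; \
		genLdif.pl $(TEMPLATEDIR)/temporary-admin-permissions.ini --rootnc > $(DSSTATEDIR)/domain/temporary-admin-permissions.ldif; \
		genLdif.pl $(TEMPLATEDIR)/domain-temporary-container.ini --defaultrootdomain > $(DSSTATEDIR)/domain/domain-temporary-container.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-server-addl-first.ini --forestparentnc > $(DSSTATEDIR)/domain/nds-server-addl-first.ldif; \
		genLdif.pl $(TEMPLATEDIR)/nds-server-addl-second.ini --ndstempcontainer > $(DSSTATEDIR)/domain/nds-server-addl-second.ldif; \
	fi
	@touch $(TEMPDIR)/stage_domain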

# eDirectory only: NMAS LDIF and the NMAS method id lists (LCM/LSM).
# Not referenced by any rule above.
stage_nmas_debug:
	@case "$(NDS)" in \
	TRUE) \
		genLdif.pl $(TEMPLATEDIR)/nmas.ini --security > $(DSSTATEDIR)/domain/nmas.ldif; \
		regSubstitute.pl < $(TEMPLATEDIR)/LCM-IDLIST.TXT > $(LOCALSTATEDIR)/data/nmas-methods/NMAS/LCM/IDLIST.TXT; \
		regSubstitute.pl < $(TEMPLATEDIR)/LSM-IDLIST.TXT > $(LOCALSTATEDIR)/data/nmas-methods/NMAS/LSM/IDLIST.TXT; \
		regSubstitute.pl < $(TEMPLATEDIR)/SASL.TXT > $(LOCALSTATEDIR)/data/nmas-methods/NMAS/LSM/SASL.TXT;; \
	esac
	@touch $(TEMPDIR)/stage_nmas_debug

# OpenLDAP only; eDirectory has no LinkEngine naming context.
stage_linkengine:
	@case "$(NDS)" in \
	TRUE) ;; \
	*) echo ">>> `gettext "Preparing LinkEngine Naming Context"`"; \
	   genLdif.pl $(TEMPLATEDIR)/linkengine.ini --offline --linkengine > $(DSSTATEDIR)/linkengine/linkengine.ldif;; \
	esac
	@touch $(TEMPDIR)/stage_linkengine

# Stage the OpenLDAP (slapd) configuration. With eDirectory as the back end
# there is nothing to configure, so the rule only records its marker.
ifeq ($(NDS),TRUE)
stage_slapd:
else
stage_slapd:
	@echo ">>> `gettext "Configuring Directory Services"`"
	@regSubstitute.pl < $(TEMPLATEDIR)/rootDSE.ldif > $(DSSTATEDIR)/domain/rootDSE.ldif
# slapd.conf: replica or master variant.
	@if [ "X$(IS_REPLICA)" = "XTRUE" ]; then \
		regSubstitute.pl < $(TEMPLATEDIR)/slapd-replica.conf > $(ETCDIR)/openldap/slapd.conf; \
	else \
		regSubstitute.pl < $(TEMPLATEDIR)/slapd-master.conf > $(ETCDIR)/openldap/slapd.conf; \
	fi;
# Access-control list, one of two variants selected by the Native Security
# setting.
	@if [ "X$(NATIVE_SECURITY)" = "XTRUE" ]; then \
		regSubstitute.pl < $(TEMPLATEDIR)/acl-native-security.conf > $(ETCDIR)/openldap/acl.conf; \
	else \
		regSubstitute.pl < $(TEMPLATEDIR)/acl-ds-security.conf > $(ETCDIR)/openldap/acl.conf; \
	fi;
	@regSubstitute.pl < $(TEMPLATEDIR)/limits.conf > $(ETCDIR)/openldap/limits.conf
	@regSubstitute.pl < $(TEMPLATEDIR)/linkengine.conf > $(ETCDIR)/openldap/linkengine.conf
	@regSubstitute.pl < $(TEMPLATEDIR)/plugins.conf > $(ETCDIR)/openldap/plugins.conf
	@regSubstitute.pl < $(TEMPLATEDIR)/sasl-authz.conf > $(ETCDIR)/openldap/sasl-authz.conf
	@regSubstitute.pl < $(TEMPLATEDIR)/schema.conf > $(ETCDIR)/openldap/schema.conf
# site.conf is only generated when the live system does not already have one.
	@if [ ! -f "$(LIVE_ETCDIR)/openldap/site.conf" ]; then \
		regSubstitute.pl < $(TEMPLATEDIR)/site.conf > $(ETCDIR)/openldap/site.conf; \
	fi;
	@regSubstitute.pl < $(TEMPLATEDIR)/tls.conf > $(ETCDIR)/openldap/tls.conf
# Index, partial-attribute-set and non-replicated-attribute lists are
# derived from the generated schema LDIF.
	@aggregateSchema.pl $(DSSTATEDIR)/schema/schema.ldif --index > $(ETCDIR)/openldap/index.conf
	@aggregateSchema.pl $(DSSTATEDIR)/schema/schema.ldif --partialattributeset > $(ETCDIR)/openldap/pas.conf
	@aggregateSchema.pl $(DSSTATEDIR)/schema/schema.ldif --nonreplicatedattributes > $(ETCDIR)/openldap/nra.conf
# One BDB DB_CONFIG per database directory.
	@regSubstitute.pl < $(TEMPLATEDIR)/DB_CONFIG > $(DSSTATEDIR)/schema/DB_CONFIG
	@regSubstitute.pl < $(TEMPLATEDIR)/DB_CONFIG > $(DSSTATEDIR)/config/DB_CONFIG
	@regSubstitute.pl < $(TEMPLATEDIR)/DB_CONFIG > $(DSSTATEDIR)/domain/DB_CONFIG
	@regSubstitute.pl < $(TEMPLATEDIR)/DB_CONFIG > $(DSSTATEDIR)/linkengine/DB_CONFIG
	@touch $(ETCDIR)/openldap/gc.conf
	@touch $(TEMPDIR)/stage_slapd
endif
# Belongs to whichever stage_slapd rule was defined above; in the OpenLDAP
# case the marker is therefore touched twice (harmless).
	@touch $(TEMPDIR)/stage_slapd

# eDirectory daemon configuration. This step also writes to the live system:
# nds.conf is seeded from the live file when present, the live sysconfdir
# gets a symlink to the live nds.conf, and the module template is appended
# to the live ndsmodules.conf.
# NOTE(review): the ">>" append is not idempotent -- a repeated run appends
# the template's lines again; confirm that ndsmodules.conf tolerates this.
stage_ndsd:
	@if [ "X$(NDS)" = "XTRUE" ]; then \
		if [ -f $(LIVE_NDSCONFDIR)/nds.conf ]; then \
			cat $(LIVE_NDSCONFDIR)/nds.conf > $(NDSCONFDIR)/nds.conf; \
		fi; \
		provisionTools.sh "ndsconf-set"  -t $(TEMPLATEDIR)/nds.conf -s $(NDSCONFDIR)/nds.conf; \
		(mkdir -p $(LIVE_ETCDIR); cd $(LIVE_ETCDIR); ln -sf $(LIVE_NDSCONFDIR)/nds.conf .); \
		regSubstitute.pl < $(TEMPLATEDIR)/ndsmodules.conf >> $(LIVE_NDSCONFDIR)/ndsmodules.conf; \
	fi
	@touch $(TEMPDIR)/stage_ndsd

# Domain Services daemon: its configuration and sysconfig file, both from
# templates.
stage_xadsd:
	@echo ">>> `gettext "Configuring Domain Services"`"
	@regSubstitute.pl < $(TEMPLATEDIR)/xadss.conf > $(ETCDIR)/xadss.conf && \
	regSubstitute.pl < $(TEMPLATEDIR)/xadsd.sysconfig > $(STAGEDIR)/etc/sysconfig/novell/xadsd && \
	touch $(TEMPDIR)/stage_xadsd

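# Stage the Kerberos client, KDC and GSS mechanism configuration.
stage_krb5:
	@echo ">>> `gettext "Configuring Kerberos"`"
# KDC state lives under ds/krb5kdc (750); group "named" is granted access
# (chgrp failure is tolerated, e.g. when the group does not exist yet).
	@mkdir -m 750 -p $(DSSTATEDIR)/krb5kdc
	@-chgrp named $(DSSTATEDIR)/krb5kdc
	@regSubstitute.pl < $(TEMPLATEDIR)/krb5.conf > $(ETCDIR)/krb5.conf
	@regSubstitute.pl < $(TEMPLATEDIR)/kdc.conf > $(DSSTATEDIR)/krb5kdc/kdc.conf
# kadm5.acl (who may administer the realm) is generated from the template,
# never taken from the live system.
	@regSubstitute.pl < $(TEMPLATEDIR)/kadm5.acl > $(DSSTATEDIR)/krb5kdc/kadm5.acl
	@mkdir -m 755 -p $(ETCDIR)/gss
	@regSubstitute.pl < $(TEMPLATEDIR)/mech > $(ETCDIR)/gss/mech
# /etc/krb5.conf -> <sysconfdir>/krb5.conf as a relative link (valid once the
# tree is installed under /). "cd &&" so a failed cd cannot drop the link
# into the current directory.
	@cd $(STAGEDIR)/etc && ln -sf ..$(LIVE_ETCDIR)/krb5.conf .
	@touch $(TEMPDIR)/stage_krb5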

# Stage the Samba configuration. Note the side effects on the live system:
# the live secrets.tdb is removed, the live smb.conf is backed up, and the
# final cp overwrites the live smb.conf (LIVE_STAGEDIR is not set anywhere
# in this file, so that path expands to /etc/samba/smb.conf).
# NOTE(review): the step marker is touched before the two cp commands, so a
# failure there is not retried on a re-run -- confirm that is intended.
stage_samba: 
	@echo ">>> `gettext "Configuring SMB Server"`"
	@mkdir -p $(STAGEDIR)/etc/samba
	@mkdir -p $(LOCALSTATEDIR)/profiles
	@regSubstitute.pl < $(TEMPLATEDIR)/samba.sysconfig > $(STAGEDIR)/etc/sysconfig/samba
	@rm -f /etc/samba/secrets.tdb
# The domain SID is written in clear text to etc/samba/MACHINE.SID.
	@printConfigKey.pl "Domain SID" > $(STAGEDIR)/etc/samba/MACHINE.SID
ifeq ($(IS_REPLICA),FALSE)
	@regSubstitute.pl < $(TEMPLATEDIR)/smb.conf > $(STAGEDIR)/etc/samba/smb.conf
else
# Replica: substitute the proxy DC name into the ADC template. SMB_PROXY is
# not set in this file.
	@regSubstitute.pl < $(TEMPLATEDIR)/smb-adc.conf > $(STAGEDIR)/etc/samba/smb-adc.conf
	@sed "s/fqdn_proxydc/$(SMB_PROXY)/" $(STAGEDIR)/etc/samba/smb-adc.conf > $(STAGEDIR)/etc/samba/smb.conf
	@rm $(STAGEDIR)/etc/samba/smb-adc.conf
endif
	@mkdir -p $(LIVE_DSSTATEDIR)/backup
	@touch $(TEMPDIR)/stage_samba
	@cp -f /etc/samba/smb.conf $(LIVE_DSSTATEDIR)/backup/smb.conf.org 
	@cp -f $(STAGEDIR)/etc/samba/smb.conf $(LIVE_STAGEDIR)/etc/samba/smb.conf

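# Create the SYSVOL tree on the live filesystem (not staged) and set its
# POSIX ACLs; only the first server of a domain does this.
stage_sysvol:
	@echo ">>> `gettext "Configuring System Volume"`"
ifeq ($(IS_REPLICA),FALSE)
# Refuse to run with empty ids: "setfacl -m g::rwx" would silently alter the
# owning-group entry and "chown :" would change nothing.
	@$(if $(and $(strip $(ADMINISTRATOR_UID)),$(strip $(DOMAIN_ADMINS_GID))),true,$(error ADMINISTRATOR_UID and DOMAIN_ADMINS_GID must be set before stage_sysvol))
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol"
# Domain Admins get rwx; the access ACL is then copied to the default ACL so
# new entries inherit it.
	@setfacl -m g:$(DOMAIN_ADMINS_GID):rwx "$(LIVE_LOCALSTATEDIR)/sysvol"
	@getfacl --access "$(LIVE_LOCALSTATEDIR)/sysvol" | setfacl -d -M- "$(LIVE_LOCALSTATEDIR)/sysvol"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/domain"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/domain/Policies"
# Group Policy Creator Owners may write policies; the sticky bit stops one
# creator from removing another's.
	@setfacl -m g:$(GP_CREATOR_OWNER_GRP):rwx "$(LIVE_LOCALSTATEDIR)/sysvol/domain/Policies"
	@chmod +t "$(LIVE_LOCALSTATEDIR)/sysvol/domain/Policies"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/domain/scripts"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/domain/scripts/Default User"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/sysvol"
# sysvol/sysvol/<dnsroot> -> ../domain, plus a link back to ../sysvol created
# inside it. Links are made with "cd &&" so a failed cd cannot create them
# in the current directory.
	@cd "$(LIVE_LOCALSTATEDIR)/sysvol/sysvol" && ln -sf ../domain "$(DNSROOT)"
	@cd "$(LIVE_LOCALSTATEDIR)/sysvol/sysvol/$(DNSROOT)" && ln -sf ../sysvol "$(LIVE_LOCALSTATEDIR)/sysvol/sysvol/$(DNSROOT)"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/staging"
	@mkdir -p "$(LIVE_LOCALSTATEDIR)/sysvol/staging areas"
	@cd "$(LIVE_LOCALSTATEDIR)/sysvol/staging areas" && ln -sf ../staging "$(DNSROOT)"
	@chown -R $(ADMINISTRATOR_UID):$(DOMAIN_ADMINS_GID) "$(LIVE_LOCALSTATEDIR)/sysvol"
endif
	@touch $(TEMPDIR)/stage_sysvol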

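# sysvol creation has to be done last because extended ACLs can only be
# assigned (with setfacl) once all users and groups have been created as
# part of provisioning.
# Reference Bug#450017
#
# Lay out the Default Domain Policy GPO directory on the live sysvol and
# hand it to the domain administrator / Domain Admins.
nds_create_gpo: stage_sysvol
	@echo ">>> `gettext "Configuring Group Policy Objects"`"
# Refuse to chown with empty ids ("chown -R :" would change nothing).
	@$(if $(and $(strip $(ADMINISTRATOR_UID)),$(strip $(DOMAIN_ADMINS_GID))),true,$(error ADMINISTRATOR_UID and DOMAIN_ADMINS_GID must be set before nds_create_gpo))
	@mkdir -p "$(LIVE_DOMAINGPODIR)"
	@regSubstitute.pl < $(GPODIR)/gpt.ini > "$(LIVE_DOMAINGPODIR)/gpt.ini"
	@mkdir -p "$(LIVE_DOMAINGPODIR)/MACHINE"
	@mkdir -p "$(LIVE_DOMAINGPODIR)/MACHINE/Microsoft/Windows NT/SecEdit"
	@mkdir -p "$(LIVE_DOMAINGPODIR)/USER"
	@chown -R $(ADMINISTRATOR_UID):$(DOMAIN_ADMINS_GID) "$(LIVE_DOMAINGPODIR)"
	@touch $(TEMPDIR)/nds_create_gpo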

# NTP configuration; the template is selected by IS_REPLICA.
stage_ntp:
	@echo ">>> `gettext "Configuring Network Time"`"
	@case "$(IS_REPLICA)" in \
	TRUE) tmpl=ntp-slave.conf;; \
	*)    tmpl=ntp-master.conf;; \
	esac; \
	/opt/novell/xad/share/dcinit/provisionTools.sh "ntpconfig" -t $(TEMPLATEDIR)/$$tmpl
	@touch $(TEMPDIR)/stage_ntp

# OpenLDAP client configuration (ldap.conf). A symlink from the stage tree's
# /etc/openldap into <sysconfdir>/openldap used to be created here and is
# intentionally no longer made.
stage_libldap:
	@echo ">>> `gettext "Configuring OpenLDAP"`"
	@regSubstitute.pl < $(TEMPLATEDIR)/ldap.conf > $(ETCDIR)/openldap/ldap.conf && \
	touch $(TEMPDIR)/stage_libldap

# Init scripts for the four services. The scripts are staged; the rc*
# convenience links are written to the live $(XADROOT)/sbin, not the stage
# tree.
stage_rc:
	@echo ">>> `gettext "Creating startup scripts"`"
	@mkdir -p $(STAGEDIR)/etc/init.d
	@for svc in rpcd xad-krb5kdc xad-kpasswdd xadsd; do \
		regSubstitute.pl < $(TEMPLATEDIR)/$$svc.init > $(STAGEDIR)/etc/init.d/$$svc || exit 1; \
	done
	@for svc in rpcd xad-krb5kdc xad-kpasswdd xadsd; do \
		ln -sf /etc/init.d/$$svc $(XADROOT)/sbin/rc$$svc || exit 1; \
	done
	@for svc in rpcd xad-krb5kdc xad-kpasswdd xadsd; do \
		chmod 755 $(STAGEDIR)/etc/init.d/$$svc || exit 1; \
	done
	@touch $(TEMPDIR)/stage_rc

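# Remove the staging tree and the step markers copied live by install_stage.
clean:
	@echo ">>> `gettext "Cleaning staging directory tree"`"
# Both paths derive from configuration values; refuse to run if one is
# empty, because "rm -rf /tmp" is not what is meant.
	@$(if $(and $(strip $(STAGEDIR)),$(strip $(LIVE_LOCALSTATEDIR))),true,$(error STAGEDIR and LocalStateDir must be set; refusing to clean))
	@rm -rf $(STAGEDIR)
	@rm -rf $(LIVE_LOCALSTATEDIR)/tmp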


################################################################################
# Install targets
################################################################################
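install: install_stage

# Make the staged tree live: remove the previous Samba state and the run
# directory, then copy the whole stage tree over / with permissions kept.
install_stage:
# The removal targets derive from configuration values; an empty value
# would turn them into /samba or /var/run. Refuse rather than guess.
	@$(if $(and $(strip $(LIVE_LOCALSTATEDIR)),$(strip $(LIVE_ETCDIR)),$(strip $(XADROOT))),true,$(error LocalStateDir, SysConfDir and Prefix must all be set; refusing to install))
	@echo ">>> `gettext "Removing $(LIVE_LOCALSTATEDIR)/samba"`"
	@rm -rf $(LIVE_LOCALSTATEDIR)/samba
	@echo ">>> `gettext "Removing $(LIVE_ETCDIR)/samba"`"
	@rm -rf $(LIVE_ETCDIR)/samba
	@echo ">>> `gettext "Removing /var$(XADROOT)/run"`"
	@rm -rf /var$(XADROOT)/run
	@echo ">>> `gettext "Making staging directory tree live"`"
# "cd &&": if the stage directory is missing the pipeline must fail instead
# of archiving the current directory into /.
	@cd $(STAGEDIR) && tar cpf - . | (cd / && tar xpf -)
	@touch $(TEMPDIR)/install_stage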

################################################################################
# SLAPD
################################################################################
# Start slapd for the on-line import. It listens on the local ldapi socket
# only (no network URL), so the directory is unreachable from outside while
# the LDIF is loaded.
start_slapd:
	@echo ">>> `gettext "Starting LDAP Server in Administration Mode"`"
	@$(XADROOT)/libexec/slapd -f $(LIVE_ETCDIR)/openldap/slapd.conf -h "$(LDAPI_URL)"
# Give slapd a few seconds to come up, printing one dot per second.
	@for i in 1 2 3 4; do echo -n "."; sleep 1; done; echo "."; sleep 1
	@touch $(TEMPDIR)/start_slapd

# Stop the import slapd. The pid file is preferred; the killall fallback
# hits every slapd on the host, not only the one started by start_slapd.
stop_slapd:
	@echo ">>> `gettext "Stopping LDAP Server"`"
	@pidfile="$(LIVE_LOCALSTATEDIR)/run/slapd.pid"; \
	if [ -f "$$pidfile" ]; then kill `cat "$$pidfile"`; else killall slapd; fi
	@for i in 1 2 3 4; do echo -n "."; sleep 1; done; echo "."; sleep 1
	@touch $(TEMPDIR)/stop_slapd

################################################################################
# LDIF import targets
################################################################################
# Import order: drop the existing databases, then load the naming contexts.
# The sequencing (start_slapd before the imports, stop_slapd after) relies on
# prerequisites being built left to right, which only a serial make
# guarantees -- do not run these goals with -j.
import: remove_db import_ldif

import_ldif: import_ldif_offline import_ldif_online

# Simple LDIF we import off-line for speed
import_ldif_offline: import_linkengine_offline import_schema_offline

# Complex LDIF that needs to be imported on-line to use plugins
# (slapd is up on the local socket only for the duration of the import)
import_ldif_online: start_slapd import_nl_online import_bl_online import_local_online migrate_offline_dib stop_slapd

# Non-linked attributes
import_nl_online: import_config_online import_domain_object_online import_domain_online

# Back-linked attributes
import_bl_online: import_config_bl_online import_domain_bl_online import_schema_bl_online

import_schema: import_schema_offline

# On-line schema import. A native replica applies the LDIF as modifies;
# otherwise every record is added (-a).
import_schema_online:
	@echo ">>> `gettext "Importing Schema Naming Context into LDAP Server"`"
	@case "$(NATIVE_REPL)" in \
	TRUE) $(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/schema/schema.ldif;; \
	*)    $(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/schema/schema.ldif;; \
	esac
	@touch $(TEMPDIR)/import_schema_online

# Apply the schema back-link modifies on-line.
import_schema_bl_online:
	@echo ">>> `gettext "Importing Schema Naming Context (Back-Links) into LDAP Server"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/schema/schema-bl.ldif && \
	touch $(TEMPDIR)/import_schema_bl_online

# Off-line (slapadd) import of the schema NC into a freshly wiped DIB.
# Replicas use the consumer flag set, all other servers the provider set;
# both flag sets are defined elsewhere in this file.
import_schema_offline: remove_schema_db
	@echo ">>> `gettext "Importing Schema Naming Context into LDAP Server (off-line)"`"
	@if [ "X$(IS_REPLICA)" = "XTRUE" ]; then \
		$(SLAPADD) $(SLAPADD_CONSUMER_FLAGS) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/schema/schema.ldif; \
	else \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/schema/schema.ldif; \
	fi;
	@touch $(TEMPDIR)/import_schema_offline

# Configuration NC is imported on-line by default (contrast import_schema).
import_config: import_config_online

# When this domain is not the forest root NC, bind for this target as the
# temporary provisioning admin: simple bind (-x) over LDAPI, adding entries
# (-a) and prompting for the password (-W). ADM_PASSWD is set as a
# target-specific make variable; it only reaches child processes if it is
# exported elsewhere -- TODO confirm.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_addl_domain_import_config_online: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_addl_domain_import_config_online: LDAPADD_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -a -W 
endif
# Import the additional-domain part of the configuration NC.
nds_addl_domain_import_config_online:
	@echo ">>> `gettext "Importing Additional Domain Configuration Naming Context into LDAP Server"`"
	@$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/config/config-addl.ldif; 
	@touch $(TEMPDIR)/nds_addl_domain_import_config_online

# Same per-target bind override as nds_addl_domain_import_config_online
# (temporary admin, simple bind over LDAPI, password prompt).
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_addl_domain_import_config_bl_online: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_addl_domain_import_config_bl_online: LDAPADD_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -a -W 
endif
# Back-link attributes of the additional-domain configuration entries.
# Note this uses LDAPADD_FLAGS, unlike the other *_bl_online targets.
nds_addl_domain_import_config_bl_online:
	@echo ">>> `gettext "Importing Additional Domain Configuration Naming Context (Back-Links) into LDAP Server"`"
	@$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/config/config-addl-bl.ldif; 
	@touch $(TEMPDIR)/nds_addl_domain_import_config_bl_online

# On-line import of the configuration NC; modify under native replication,
# add otherwise (same pattern as import_schema_online).
import_config_online: 
	@echo ">>> `gettext "Importing Configuration Naming Context into LDAP Server"`"
	@if [ "X$(NATIVE_REPL)" = "XTRUE" ]; then \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/config/config.ldif; \
	else \
		$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/config/config.ldif; \
	fi;
	@touch $(TEMPDIR)/import_config_online

# Back-links of the configuration NC. The LDIF is optional: when it is
# absent nothing is imported, no message is printed and the stamp is
# still written.
import_config_bl_online:
	@if [ -f $(LIVE_DSSTATEDIR)/config/config-bl.ldif ]; then \
		echo ">>> `gettext "Importing Configuration Naming Context (Back-Links) into LDAP Server"`"; \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/config/config-bl.ldif; \
	fi
	@touch $(TEMPDIR)/import_config_bl_online

# Off-line (slapadd) import of the configuration NC into a wiped DIB;
# consumer flags for replicas, provider flags otherwise.
import_config_offline: remove_config_db
	@echo ">>> `gettext "Importing Configuration Naming Context into LDAP Server (off-line)"`"
	@if [ "X$(IS_REPLICA)" = "XTRUE" ]; then \
		$(SLAPADD) $(SLAPADD_CONSUMER_FLAGS) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/config/config.ldif; \
	else \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/config/config.ldif; \
	fi;
	@touch $(TEMPDIR)/import_config_offline

# Domain NC: root object first, then the remaining (non-linked) entries.
import_domain: import_domain_object_online import_domain_online

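# Import the root object of the domain naming context. Under native
# replication (NATIVE_REPL=TRUE) the object is merged with ldapmodify;
# otherwise it is only added when the mapped domain NC equals the default
# root domain (presumably: no name mapping in effect). Both DNs are quoted
# in the comparison, as the other tests in this file do, so an empty value
# or a DN containing spaces cannot break the shell test.
import_domain_object_online:
	@echo ">>> `gettext "Importing Domain Naming Context Root Object into LDAP Server"`"
	@if [ "X$(NATIVE_REPL)" = "XTRUE" ]; then \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-object.ldif; \
	else \
		if [ "X$(MAPPEDDOMAINNC)" = "X$(DEFAULTROOTDOMAIN)" ]; then \
			$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-object.ldif; \
		fi; \
	fi;
	@touch $(TEMPDIR)/import_domain_object_online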

# Non-forest-root domains bind as the temporary admin for this target
# (simple bind over LDAPI, password prompt) -- same caveat about ADM_PASSWD
# only reaching children if exported.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
import_domaindns_associate_online: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
import_domaindns_associate_online: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -a -W 
endif
# Kick eDirectory's Limber process by toggling the *L trace flag through
# dstrace (load/unload output discarded), wait a fixed 30 s for it to run,
# then add the domainDNS object class to the domain object. The fixed
# sleep is a timing assumption, not a completion check.
import_domaindns_associate_online:
	@echo ">>> `gettext "Triggering Limber"`";
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "load dstrace">/dev/null 2>&1;
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "set ndstrace=*L";
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "unload dstrace">/dev/null 2>&1;
	@/bin/sleep 30;
	@echo ">>> `gettext "Associating DomainDNS object class with domain object"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domaindns-associate.ldif;
	@touch $(TEMPDIR)/import_domaindns_associate_online

# Kick eDirectory's Backlinker via the *b trace flag (same dstrace
# load/set/unload sequence as import_domaindns_associate_online), then
# wait a fixed 10 s. No completion check.
nds_trigger_backlinker:
	@echo ">>> `gettext "Triggering BackLinker"`";
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "load dstrace">/dev/null 2>&1;
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "set ndstrace=*b";
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "unload dstrace">/dev/null 2>&1;
	@/bin/sleep 10;
	@touch $(TEMPDIR)/nds_trigger_backlinker

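# Non-forest-root domains bind as the temporary admin for this target
# (simple bind over LDAPI, password prompt); ADM_PASSWD only reaches child
# processes if it is exported elsewhere -- TODO confirm.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
import_domain_object_modify_online: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
import_domain_object_modify_online: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -a -W 
endif
# Apply post-import modifications to the domain object. The lockout-policy
# LDIF is applied only when it exists and is non-empty (-s). The former
# NATIVE_REPL test ran the identical ldapmodify in both branches, so it
# has been dropped; behaviour is unchanged.
import_domain_object_modify_online:
	@echo ">>> `gettext "Modifying Domain Object"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-object-modify.ldif
	@if [ -s $(LIVE_DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif ]; then \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-object-modify-lockout-policy.ldif; \
	fi;
	@touch $(TEMPDIR)/import_domain_object_modify_online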

# Create the temporary provisioning administrator from LDIF, set its
# password via the helper script (arguments are passed unquoted), then
# grant its permissions. The two fixed 40 s sleeps are timing assumptions
# (presumably waiting for the password/permission changes to propagate);
# nothing verifies completion.
import_temporary_admin_online:
	@echo ">>> `gettext "Importing temporary provisioning administrator"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/temporary-admin.ldif;
	@temporary-admin-setpassword.sh $(MAPPEDDOMAINNC) $(PARENTDOMAINPROVIDER);
	@/bin/sleep 40
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/temporary-admin-permissions.ldif;
	@/bin/sleep 40
	@touch $(TEMPDIR)/import_temporary_admin_online

# Add the TCB attributes to the domain root object, but only on the first
# eDirectory server in the forest. The conditionals are evaluated at parse
# time: when either test fails the target has an empty recipe and no stamp
# file is written.
import_domain_object_tcb_attrs_online:
ifeq ($(NDS),TRUE)
ifeq ($(IS_FIRST_SERVER),TRUE)
	@echo ">>> `gettext "Adding TCB attributes to Domain Naming Context Root Object"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-tcb.ldif;
	@touch $(TEMPDIR)/import_domain_object_tcb_attrs_online
endif
endif

# Non-forest-root domains add the domain entries as the temporary admin
# (simple bind over LDAPI, password prompt).
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
import_domain_online: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
import_domain_online: LDAPADD_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -a -W 
endif
# On-line import of the domain NC; modify under native replication, add
# otherwise.
import_domain_online:
	@echo ">>> `gettext "Importing Domain Naming Context into LDAP Server"`"
	@if [ "X$(NATIVE_REPL)" = "XTRUE" ]; then \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain.ldif; \
	else \
		$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain.ldif; \
	fi;
	@touch $(TEMPDIR)/import_domain_online

# On-line import of the forest NC objects (forest.ldif lives under the
# domain directory); modify under native replication, add otherwise.
import_forest_objects_online:
	@echo ">>> `gettext "Importing Forest Naming Context objects into LDAP Server"`"
	@if [ "X$(NATIVE_REPL)" = "XTRUE" ]; then \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/forest.ldif; \
	else \
		$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/forest.ldif; \
	fi;
	@touch $(TEMPDIR)/import_forest_objects_online

# Non-forest-root domains bind as the temporary admin for this target.
# Unlike the *_online add targets this override omits -a: back-links are
# applied as plain modifications.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
import_domain_bl_online: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
import_domain_bl_online: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W
endif
# Back-links of the domain NC; the LDIF is optional and silently skipped
# when absent (stamp still written).
import_domain_bl_online:  
	@if [ -f $(LIVE_DSSTATEDIR)/domain/domain-bl.ldif ]; then \
		echo ">>> `gettext "Importing Domain Naming Context (Back-Links) into LDAP Server"`"; \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-bl.ldif; \
	fi
	@touch $(TEMPDIR)/import_domain_bl_online

# Back-links of the forest NC objects; optional LDIF, silently skipped
# when absent (stamp still written).
import_forest_objects_bl_online:
	@if [ -f $(LIVE_DSSTATEDIR)/domain/forest-bl.ldif ]; then \
		echo ">>> `gettext "Importing Forest Naming Context Objects(Back-Links) into LDAP Server"`"; \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/forest-bl.ldif; \
	fi
	@touch $(TEMPDIR)/import_forest_objects_bl_online

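# Off-line (slapadd) import of the domain NC into a wiped DIB; consumer
# flags for replicas, provider flags otherwise. The else branch previously
# lacked its trailing backslash, so the shell saw an if/else with no
# closing fi and the lone "fi;" then ran in a separate shell -- the
# recipe could not succeed on a non-replica.
import_domain_offline: remove_domain_db
	@echo ">>> `gettext "Importing Domain Naming Context into LDAP Server (off-line)"`"
	@if [ "X$(IS_REPLICA)" = "XTRUE" ]; then \
		$(SLAPADD) $(SLAPADD_CONSUMER_FLAGS) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/domain/domain.ldif; \
	else \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/domain/domain.ldif; \
	fi;
	@touch $(TEMPDIR)/import_domain_offline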

# LinkEngine NC is imported off-line by default.
import_linkengine: import_linkengine_offline

# On-line (add) import of the LinkEngine NC; not on the default chain.
import_linkengine_online:
	@echo ">>> `gettext "Importing LinkEngine Naming Context into LDAP Server"`"
	@$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/linkengine/linkengine.ldif
	@touch $(TEMPDIR)/import_linkengine_online

# Off-line (slapadd) import of the LinkEngine NC into a wiped DIB;
# consumer flags for replicas, provider flags otherwise.
import_linkengine_offline: remove_linkengine_db
	@echo ">>> `gettext "Importing LinkEngine Naming Context into LDAP Server (off-line)"`"
	@if [ "X$(IS_REPLICA)" = "XTRUE" ]; then \
		$(SLAPADD) $(SLAPADD_CONSUMER_FLAGS) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/linkengine/linkengine.ldif; \
	else \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/linkengine/linkengine.ldif; \
	fi;
	@touch $(TEMPDIR)/import_linkengine_offline

# Local (per-replica) site entries: non-linked attributes, then back-links.
import_local_online: import_local_nl_online import_local_bl_online

# Add the local site entries (generated by native_replica_local_dit);
# optional LDIF, silently skipped when absent.
import_local_nl_online:  
	@if [ -f $(LIVE_DSSTATEDIR)/domain/local.ldif ]; then \
		echo ">>> `gettext "Importing local site information into LDAP server"`"; \
		$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/local.ldif; \
	fi
	@touch $(TEMPDIR)/import_local_nl_online

# Back-links of the local site entries; optional LDIF, silently skipped
# when absent.
import_local_bl_online:
	@if [ -f $(LIVE_DSSTATEDIR)/domain/local-bl.ldif ]; then \
		echo ">>> `gettext "Importing local site information (back-links) into LDAP server"`"; \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/local-bl.ldif; \
	fi
	@touch $(TEMPDIR)/import_local_bl_online

################################################################################
# DIB Re-indexing
################################################################################
# Re-index all four DIBs with slapindex.
index: index_schema index_config index_domain index_linkengine

# Variant that re-imports the schema NC off-line instead of re-indexing it
# (presumably because the off-line import rebuilds the indices anyway).
index_fast: import_schema index_config index_domain index_linkengine

# Rebuild the indices of the schema DIB (slapd must not be running).
index_schema:
	@echo ">>> `gettext "Re-indexing Schema Naming Context"`"
	@$(SLAPINDEX) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf
	@touch $(TEMPDIR)/index_schema

# Rebuild the indices of the configuration DIB.
index_config:
	@echo ">>> `gettext "Re-indexing Configuration Naming Context"`"
	@$(SLAPINDEX) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf
	@touch $(TEMPDIR)/index_config

# Rebuild the indices of the domain DIB.
index_domain:
	@echo ">>> `gettext "Re-indexing Domain Naming Context"`"
	@$(SLAPINDEX) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf
	@touch $(TEMPDIR)/index_domain

# Rebuild the indices of the LinkEngine DIB.
index_linkengine:
	@echo ">>> `gettext "Re-indexing LinkEngine Naming Context"`"
	@$(SLAPINDEX) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf
	@touch $(TEMPDIR)/index_linkengine

################################################################################
# DIB Clean
################################################################################
# Wipe all four Berkeley DB environments (the LDIF sources are kept).
remove_db: remove_domain_db remove_config_db remove_schema_db remove_linkengine_db
 
# Delete the Berkeley DB environment of the domain DIB -- transaction logs
# (log.*), table files (*.bdb) and shared region files (__db.*) -- so the
# next slapadd starts from an empty database. Only the DB files go; the
# LDIF in the same directory is untouched.
remove_domain_db:
	@echo ">>> `gettext "Removing Domain DIB"`"
	@rm -f $(LIVE_DSSTATEDIR)/domain/log.* \
		$(LIVE_DSSTATEDIR)/domain/*.bdb \
		$(LIVE_DSSTATEDIR)/domain/__db.*
	@touch $(TEMPDIR)/remove_domain_db

# Delete the Berkeley DB environment of the configuration DIB (logs, table
# files, region files); the LDIF source is left in place.
remove_config_db:
	@echo ">>> `gettext "Removing Configuration DIB"`"
	@rm -f $(LIVE_DSSTATEDIR)/config/log.* \
		$(LIVE_DSSTATEDIR)/config/*.bdb \
		$(LIVE_DSSTATEDIR)/config/__db.*
	@touch $(TEMPDIR)/remove_config_db

# Delete the Berkeley DB environment of the schema DIB (logs, table files,
# region files); the LDIF source is left in place.
remove_schema_db:
	@echo ">>> `gettext "Removing Schema DIB"`"
	@rm -f $(LIVE_DSSTATEDIR)/schema/log.* \
		$(LIVE_DSSTATEDIR)/schema/*.bdb \
		$(LIVE_DSSTATEDIR)/schema/__db.*
	@touch $(TEMPDIR)/remove_schema_db

# Delete the Berkeley DB environment of the LinkEngine DIB (logs, table
# files, region files); the LDIF source is left in place.
remove_linkengine_db:
	@echo ">>> `gettext "Removing LinkEngine DIB"`"
	@rm -f $(LIVE_DSSTATEDIR)/linkengine/log.* \
		$(LIVE_DSSTATEDIR)/linkengine/*.bdb \
		$(LIVE_DSSTATEDIR)/linkengine/__db.*
	@touch $(TEMPDIR)/remove_linkengine_db

################################################################################
# SLAPD (GC)
################################################################################
# Start slapd for the Global Catalog bootstrap. Besides the LDAPI socket it
# listens on "ldap://:3268" -- an LDAP URL with no host part, i.e. plain
# LDAP on the GC port bound to all interfaces for as long as the bootstrap
# runs. The dots merely pace a fixed 5 s wait; readiness is not checked.
start_slapd_gc:
	@echo ">>> `gettext "Starting LDAP Server in Administration Mode (GC)"`"
	@$(XADROOT)/libexec/slapd -f $(LIVE_ETCDIR)/openldap/slapd.conf -h "$(LDAPI_URL) ldap://:3268"
	@echo -n "."; sleep 1; echo -n "."; sleep 1; echo -n "."; sleep 1; echo -n "."; sleep 1; echo "."; sleep 1
	@touch $(TEMPDIR)/start_slapd_gc

# Stop the GC bootstrap slapd. Same mechanics and caveats as stop_slapd:
# the pid file is trusted without validation, the killall fallback hits
# every slapd on the host, and the 5 s of dots do not confirm exit.
stop_slapd_gc:
	@echo ">>> `gettext "Stopping LDAP Server (GC)"`"
	@if [ -f $(LIVE_LOCALSTATEDIR)/run/slapd.pid ]; then \
		kill `cat $(LIVE_LOCALSTATEDIR)/run/slapd.pid`; \
	else \
		killall slapd; \
	fi;
	@echo -n "."; sleep 1; echo -n "."; sleep 1; echo -n "."; sleep 1; echo -n "."; sleep 1; echo "."; sleep 1
	@touch $(TEMPDIR)/stop_slapd_gc

################################################################################
# KDC Bootstrap
################################################################################
# KDC bootstrap: bring up the GC slapd, wait for the SAM password module,
# then set the krbtgt, machine and Administrator credentials (in that
# order) and stop slapd again.
bootstrap:	start_slapd_gc	\
		wait_for_samspm \
		bootstrap_krbtgt	\
		bootstrap_machine	\
		bootstrap_administrator	\
		stop_slapd_gc

# Poll `ndstrace -c modules` once a second until samspm reports Running.
# There is no upper bound, so a module that never loads hangs the build.
# Unlike its siblings this target writes no stamp file, so it always
# re-runs.
wait_for_samspm:
	@echo -n ">>> `gettext "Waiting for samspm to be loaded ."`"
	@until \
	(ndstrace -c modules | grep 'samspm.*Running') > /dev/null 2>&1; \
	do \
		echo -n "."; \
		sleep 1; \
	done
	@echo " `gettext "done"`"

# Prompt for a password for the administrator
# Note that setpassword has been modified to allow the password to be specified
# in the ADM_PASSWD environment variable
# (SETPASSWORD_ADM_FLAGS is defined elsewhere in this file.)
bootstrap_administrator:
	@echo ">>> `gettext "Setting Administrator password"`"
	@$(XADROOT)/sbin/setpassword $(SETPASSWORD_ADM_FLAGS) -u Administrator
	@touch $(TEMPDIR)/bootstrap_administrator

# Set a random password on krbtgt (-r: generated, never prompted for).
bootstrap_krbtgt:
	@echo ">>> `gettext "Setting krbtgt password"`"
	@$(XADROOT)/sbin/setpassword $(SETPASSWORD_FLAGS) -r -u krbtgt
	@touch $(TEMPDIR)/bootstrap_krbtgt

# Set a random password on the machine account
# "$$" is make's escape for a literal "$", so the account name passed is
# "<INSTALLMACHINENAME>$". The old keytab is removed first and the new one
# written with -k. It is left mode 640 and group named (presumably so the
# DNS server can read it; the chgrp is best-effort in case the group does
# not exist). replica_join applies the same permissions.
bootstrap_machine: remove_keytab
	@echo ">>> `gettext "Setting machine password and configuring Kerberos keytab"`"
	@$(XADROOT)/sbin/setpassword $(SETPASSWORD_FLAGS) -r -k $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab -u $(INSTALLMACHINENAME)$$
	@chmod 640 $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab
	@-chgrp named $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab
	@touch $(TEMPDIR)/bootstrap_machine

# Remove the KDC's machine keytab so bootstrap_machine writes a fresh one.
remove_keytab:
	@rm -f $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab
	@touch $(TEMPDIR)/remove_keytab

################################################################################
# DIB Recovery
################################################################################
# Run Berkeley DB recovery on all four DIB environments.
recover_db: recover_domain_db recover_config_db recover_schema_db recover_linkengine_db

# db_recover on the domain DIB's environment (-h selects the DB home).
recover_domain_db:
	@echo ">>> `gettext "Recovering Domain DIB"`"
	@$(DB_RECOVER) -h $(LIVE_DSSTATEDIR)/domain
	@touch $(TEMPDIR)/recover_domain_db

# db_recover on the configuration DIB's environment.
recover_config_db:
	@echo ">>> `gettext "Recovering Config DIB"`"
	@$(DB_RECOVER) -h $(LIVE_DSSTATEDIR)/config
	@touch $(TEMPDIR)/recover_config_db

# db_recover on the schema DIB's environment.
recover_schema_db:
	@echo ">>> `gettext "Recovering Schema DIB"`"
	@$(DB_RECOVER) -h $(LIVE_DSSTATEDIR)/schema
	@touch $(TEMPDIR)/recover_schema_db

# db_recover on the LinkEngine DIB's environment.
recover_linkengine_db:
	@echo ">>> `gettext "Recovering LinkEngine DIB"`"
	@$(DB_RECOVER) -h $(LIVE_DSSTATEDIR)/linkengine
	@touch $(TEMPDIR)/recover_linkengine_db

################################################################################
# DIB Backup
################################################################################
# Dump all four DIBs to backup.ldif (one per NC directory) with slapcat.
backup_db: backup_domain_db backup_config_db backup_schema_db backup_linkengine_db

# slapcat the domain NC to backup.ldif beside the DB files. The file is
# written in place (not via a temp file), so an interrupted run can leave
# a truncated backup.ldif that restore_domain_db would happily load.
backup_domain_db:
	@echo ">>> `gettext "Backing up Domain DIB"`"
	@$(SLAPCAT) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/domain/backup.ldif
	@touch $(TEMPDIR)/backup_domain_db

# slapcat the configuration NC to backup.ldif (written in place, see
# backup_domain_db).
backup_config_db:
	@echo ">>> `gettext "Backing up Config DIB"`"
	@$(SLAPCAT) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/config/backup.ldif
	@touch $(TEMPDIR)/backup_config_db

# slapcat the schema NC to backup.ldif (written in place).
backup_schema_db:
	@echo ">>> `gettext "Backing up Schema DIB"`"
	@$(SLAPCAT) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/schema/backup.ldif
	@touch $(TEMPDIR)/backup_schema_db

# slapcat the LinkEngine NC to backup.ldif (written in place).
backup_linkengine_db:
	@echo ">>> `gettext "Backing up LinkEngine DIB"`"
	@$(SLAPCAT) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/linkengine/backup.ldif
	@touch  $(TEMPDIR)/backup_linkengine_db

################################################################################
# DIB Restore
################################################################################
# Reload all four DIBs from their backup.ldif files.
restore_db: restore_domain_db restore_config_db restore_schema_db restore_linkengine_db

# slapadd the domain NC from backup.ldif, always with the provider flag
# set. When no backup exists the target succeeds silently and still writes
# its stamp. Unlike import_domain_offline it does not wipe the DB first.
restore_domain_db:
	@echo ">>> `gettext "Restoring Domain DIB"`"
	@if [ -f $(LIVE_DSSTATEDIR)/domain/backup.ldif ]; then \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/domain/backup.ldif; \
	fi;
	@touch $(TEMPDIR)/restore_domain_db

# slapadd the configuration NC from backup.ldif (provider flags); silently
# a no-op when the backup is missing.
restore_config_db:
	@echo ">>> `gettext "Restoring Config DIB"`"
	@if [ -f $(LIVE_DSSTATEDIR)/config/backup.ldif ]; then \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/config/backup.ldif; \
	fi;
	@touch $(TEMPDIR)/restore_config_db

# slapadd the schema NC from backup.ldif (provider flags); silently a
# no-op when the backup is missing.
restore_schema_db:
	@echo ">>> `gettext "Restoring Schema DIB"`"
	@if [ -f $(LIVE_DSSTATEDIR)/schema/backup.ldif ]; then \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/schema/backup.ldif; \
	fi;
	@touch $(TEMPDIR)/restore_schema_db

# slapadd the LinkEngine NC from backup.ldif (provider flags); silently a
# no-op when the backup is missing.
restore_linkengine_db:
	@echo ">>> `gettext "Restoring LinkEngine DIB"`"
	@if [ -f $(LIVE_DSSTATEDIR)/linkengine/backup.ldif ]; then \
		$(SLAPADD) $(SLAPADD_PROVIDER_FLAGS) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -l $(LIVE_DSSTATEDIR)/linkengine/backup.ldif; \
	fi;
	@touch $(TEMPDIR)/restore_linkengine_db

################################################################################
# Replica Provisioning
################################################################################

# Full (syncrepl) replica provisioning: stage, install, join, clean.
replica_all: replica_stage replica_install replica_bootstrap replica_clean

#
# Do default staging. We don't bother generating the
# default LDIF -- except for the schema which is post-
# processed into configuration files -- as this will be 
# imported from the master server when we start slapd)
#
replica_stage: stage_common_pre stage_schema stage_common_post

# install, clean and the stage_* targets are defined elsewhere in this file.
replica_install: install

# Join first, then wipe the DIBs so slapd pulls everything from the master.
replica_bootstrap: replica_join remove_db

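#
# Join the domain - this will generate the keytab for this machine
#
# For eDirectory, use the -S option to bind the NCP server object
# to the newly created AD server object. (We assume that the NCP
# server object for a newly created server is located in 
# DEFAULTPARENTNC.)
#
# Any stale machine account and keytab are removed first; failures there
# are ignored (leading '-') because a fresh machine has neither.
# The keytab is left mode 640 and group named -- the same permissions
# bootstrap_machine applies (previously 750 here) -- presumably so the DNS
# server can read it while other local users cannot; a keytab is data, so
# no execute bit is warranted. The chgrp is best-effort in case the named
# group does not exist.
#
replica_join:
	@echo ">>> `gettext "Removing old machine account (if necessary)"`"
	@-$(XADROOT)/sbin/provision -q -m "$(INSTALLMACHINENAME)" \
		-s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" --remove "$(PROVIDER)" 2>/dev/null
	@echo ">>> `gettext "Removing old keytab (if necessary)"`"
	@-rm -f $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab
	@echo ">>> `gettext "Joining this machine to the domain"`"
ifeq ($(NDS),TRUE)
	@$(XADROOT)/sbin/provision -q -g "$(MACHINEGUID)" -i "$(IPADDRESS)" \
		-k "$(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab" -m "$(INSTALLMACHINENAME)" \
		-S "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" \
		-s "$(SITE)" --join "$(PROVIDER)"
else
	@$(XADROOT)/sbin/provision -q -g "$(MACHINEGUID)" -i "$(IPADDRESS)" \
		-k "$(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab" -m "$(INSTALLMACHINENAME)" \
		-s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" --join "$(PROVIDER)"
endif
	@chmod 640 $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab
	@-chgrp named $(LIVE_DSSTATEDIR)/krb5kdc/krb5.keytab
	@touch $(TEMPDIR)/replica_join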

# Fetch the CA certificate from the provider into LOCALSTATEDIR/CA. The
# export is allowed to fail (leading '-') -- "if available" -- so a
# missing cacert.pem afterwards is not an error here.
replica_cacert:
	@echo ">>> `gettext "Exporting Certification Authority certificate (if available)"`"
	@mkdir -p $(LIVE_LOCALSTATEDIR)/CA
	@-$(XADROOT)/sbin/provision -q -c "$(LIVE_LOCALSTATEDIR)/CA/cacert.pem" \
		--export-ca-cert "$(PROVIDER)"
	@touch $(TEMPDIR)/replica_cacert

# Generate the Global Catalog slapd configuration for this replica from
# the template into the staging ETCDIR (not the live one).
replica_gc:
	@echo ">>> `gettext "Provisioning GC"`"
	@genGCConfig.pl "$(INSTALLMACHINENAME)" < $(TEMPLATEDIR)/gc-replica.conf > $(ETCDIR)/openldap/gc.conf
	@touch $(TEMPDIR)/replica_gc

# Alias for the generic clean target (defined elsewhere in this file).
replica_clean: clean

################################################################################
# Native replica provisioning
################################################################################

# Native (eDirectory) replica provisioning: stage, install, join/export/
# import, clean.
native_replica_all: native_replica_stage native_replica_install native_replica_bootstrap native_replica_clean

# Staging: the schema NC is exported from the partner off-line so it can
# be aggregated into the slapd schema files before install.
native_replica_stage: stage_common_pre stage_linkengine native_replica_export_offline stage_schema_aggregate stage_common_post

native_replica_install: install

# Join first, then export the remaining NCs on-line and import everything.
native_replica_bootstrap: native_replica_join native_replica_export_online native_replica_import

native_replica_import: import

native_replica_join: replica_join

# offline
native_replica_export_offline: native_replica_export_schema

# Export the schema NC from the replication partner. Runs during staging,
# hence the output goes to the staging DSSTATEDIR rather than
# LIVE_DSSTATEDIR like the on-line exports below.
native_replica_export_schema:
	@echo ">>> `gettext "Exporting schema NC from replication partner"`"
	@$(XADROOT)/sbin/provision -q -N "$(SCHEMA)" --export-nc "$(PROVIDER)" > $(DSSTATEDIR)/schema/schema.ldif
	@touch $(TEMPDIR)/native_replica_export_schema

# online -- exports that need the joined machine: configuration and domain
# NCs from the partner, plus this replica's own local entries.
native_replica_export_online:  native_replica_export_config native_replica_export_domain native_replica_local_dit

# Export the configuration NC from the partner into the live state dir
# (-O is passed here but not for the schema export; its meaning is not
# visible in this file).
native_replica_export_config:
	@echo ">>> `gettext "Exporting configuration NC from replication partner"`"
	@$(XADROOT)/sbin/provision -q -O -N "$(DEFAULTCONFIGNC)" --export-nc "$(PROVIDER)" > $(LIVE_DSSTATEDIR)/config/config.ldif
	@touch $(TEMPDIR)/native_replica_export_config

# Export the domain NC from the partner into the live state dir.
native_replica_export_domain:
	@echo ">>> `gettext "Exporting domain NC from replication partner"`"
	@$(XADROOT)/sbin/provision -q -O -N "$(DEFAULTROOTDOMAIN)" --export-nc "$(PROVIDER)" > $(LIVE_DSSTATEDIR)/domain/domain.ldif
	@touch $(TEMPDIR)/native_replica_export_domain

# Generate this replica's own site entries (and their back-links) from the
# templates; consumed by import_local_nl_online / import_local_bl_online.
native_replica_local_dit:
	@echo ">>> `gettext "Creating local replica entries"`"
	@genLdif.pl $(TEMPLATEDIR)/replica.ini --defaultrootdomain > $(LIVE_DSSTATEDIR)/domain/local.ldif
	@genLdif.pl $(TEMPLATEDIR)/replica-bl.ini --defaultrootdomain > $(LIVE_DSSTATEDIR)/domain/local-bl.ldif
	@touch $(TEMPDIR)/native_replica_local_dit

# Alias for the generic clean target.
native_replica_clean: clean

# Ask xadsd to request a RID pool for this replica. (The gettext msgid
# misspells "Identifier"; it is left as-is because changing it would break
# existing translations.)
native_replica_ridmgr:
	@echo ">>> `gettext "Requesting Relative Identifer (RID) pool"`"
	@$(XADROOT)/libexec/xadsd -R
	@touch $(TEMPDIR)/native_replica_ridmgr

################################################################################
# Unconfigure/reconfigure
################################################################################

# Default unconfigure only backs up the configuration file; see unconfig_dc
# for the variant that also removes the DC objects from the directory.
unconfig: unconfig_conf

# Move xad.ini aside as xad.ini.old (overwriting any earlier backup) and
# drop the EULA acceptance marker so the next run re-prompts.
unconfig_conf:
	@echo ">>> `gettext "Backing up and removing domain configuration"`"
	@if [ -f $(LIVE_ETCDIR)/xad.ini ]; then \
		mv $(LIVE_ETCDIR)/xad.ini $(LIVE_ETCDIR)/xad.ini.old; \
	fi ;
	@rm -f $(EULA_AGREED_FILE)

# Put the backed-up configuration back. Fails (mv error) when no
# xad.ini.old exists, which is the desired signal.
reconfig:
	@echo ">>> `gettext "Restoring old domain configuration"`"
	@mv $(LIVE_ETCDIR)/xad.ini.old $(LIVE_ETCDIR)/xad.ini

# In this target we remove the domain controller objects also, in addition
# to backing up the configuration file. Once the DC objects are removed,
# the DC will no longer work. 

# Use ldapdelete to delete the domain controller objects recursively
# (instead of provision --remove) until the subtree delete control is
# implemented in eDirectory.
#
# NOTE(review): the server object is deleted under the hard-coded site
# "Default-First-Site-Name", whereas replica_join/dsclient_join place the
# machine in "$(SITE)". A DC joined to another site will not be found here
# and the first ldapdelete will fail -- confirm before relying on this.
unconfig_dc:
	@echo ">>> `gettext "Removing the domain controller objects from the tree ,backing up and removing domain configuration"`"
#	@$(XADROOT)/sbin/provision -q -m "$(INSTALLMACHINENAME)" \
#		-S "CN=$(INSTALLMACHINENAME),$(DEFAULTPARENTNC)" \
#		-s "$(SITE)" --remove "$(PROVIDER)"
	@$(LDAPDELETE) $(LDAPDELETE_FLAGS) -r "CN=$(INSTALLMACHINENAME),cn=Servers,cn=Default-First-Site-Name,cn=Sites,$(DEFAULTCONFIGNC)"
	@$(LDAPDELETE) $(LDAPDELETE_FLAGS) -r "CN=$(INSTALLMACHINENAME),OU=Domain Controllers,$(DEFAULTROOTDOMAIN)"
	@if [ -f $(LIVE_ETCDIR)/xad.ini ]; then \
		mv $(LIVE_ETCDIR)/xad.ini $(LIVE_ETCDIR)/xad.ini.old; \
	fi ;
	@rm -f $(EULA_AGREED_FILE)

################################################################################
# Rebuild schema and configuration
################################################################################

# Regenerate and reinstall configuration (stage and install are defined
# elsewhere in this file).
rebuild_config: stage install

# Regenerate the schema LDIF in the live state dir and re-aggregate it.
stage_schema_live: stage_schema_prepare_live stage_schema_aggregate_live

# Generate schema.ldif (off-line form) and schema-bl.ldif from the schema
# templates directly into the live state directory.
stage_schema_prepare_live: 
	@echo ">>> `gettext "Preparing Schema Naming Context"`"
	@genLdif.pl $(TEMPLATEDIR)/schema.ini --offline --schema > $(LIVE_DSSTATEDIR)/schema/schema.ldif
	@genLdif.pl $(TEMPLATEDIR)/schema-bl.ini --schema > $(LIVE_DSSTATEDIR)/schema/schema-bl.ldif
	@touch $(TEMPDIR)/stage_schema_prepare_live	

# Derive the slapd schema files (attribute/objectclass definitions and
# content rules) from the live schema.ldif.
stage_schema_aggregate_live:
	@echo ">>> `gettext "Generating Aggregate Schema"`"
	@aggregateSchema.pl $(LIVE_DSSTATEDIR)/schema/schema.ldif --schema > $(LIVE_ETCDIR)/openldap/schema/microsoft.schema
	@aggregateSchema.pl $(LIVE_DSSTATEDIR)/schema/schema.ldif --contentrules > $(LIVE_ETCDIR)/openldap/schema/contentrules.schema
	@touch $(TEMPDIR)/stage_schema_aggregate_live

#rebuild_schema: stage_schema_live import_schema

# for upgrades -- regenerate the GSS mechanism file in the live ETCDIR
# from its template.
rebuild_mech_config:
	@echo ">>> `gettext "Configuring security mechanisms "`"
	@regSubstitute.pl < $(TEMPLATEDIR)/mech > $(LIVE_ETCDIR)/mech
	@touch $(TEMPDIR)/rebuild_mech_config

################################################################################
# Print version
################################################################################

# Print the recorded CVS version of this installation.
print_version:
	@printConfigKey.pl "CVS Version"

################################################################################
# Prepare non-upgraded directory for DUA config profile
################################################################################

# Generate the DUA configuration profile LDIF for the default root domain
# and add it to the running server (requires slapd to be up).
duaconfigprofile_prep:
	@echo ">>> `gettext "Preparing directory for DUA Configuration Profile"`"
	@genLdif.pl $(TEMPLATEDIR)/duaconfigprofile.ini --defaultrootdomain > $(LIVE_DSSTATEDIR)/domain/duaconfigprofile.ldif
	@$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/duaconfigprofile.ldif
	@touch $(TEMPDIR)/duaconfigprofile_prep

################################################################################
# Client Edition targets
################################################################################

#
# NB: presently the Client Edition requires a working SSL configuration.
# We will move to Kerberos in a production release.
#

# Client Edition (domain member, no directory server): stage, install,
# join, clean.
dsclient_all: dsclient_stage dsclient_install dsclient_bootstrap dsclient_clean

#
# The only requirement is a working Kerberos and LDAP client configuration
#
dsclient_stage: dsclient_stage_dirs dsclient_stage_default_config dsclient_stage_krb5 dsclient_stage_libldap dsclient_stage_rc

# stage_dirs / stage_default_config are defined elsewhere in this file.
dsclient_stage_dirs: stage_dirs

dsclient_stage_default_config: stage_default_config

# Generate ldap.conf into the staging ETCDIR and link it from the staged
# openldap/ directory. The second link is relative: ".." followed by the
# absolute LIVE_ETCDIR resolves inside the staging tree now and to the
# live path once STAGEDIR is installed at / (presumably the intent).
dsclient_stage_libldap:
	@echo ">>> `gettext "Configuring OpenLDAP"`"
	@regSubstitute.pl < $(TEMPLATEDIR)/ldap-client.conf > $(ETCDIR)/ldap.conf
	@(cd $(ETCDIR)/openldap; ln -sf ../ldap.conf .)
	@(cd $(STAGEDIR)/etc; ln -sf ..$(LIVE_ETCDIR)/ldap.conf .)
	@touch  $(TEMPDIR)/dsclient_stage_libldap

# Generate krb5.conf and the GSS mechanism file into the staging ETCDIR
# and link /etc/krb5.conf to the staged copy (same relative-link trick as
# dsclient_stage_libldap).
dsclient_stage_krb5: 
	@echo ">>> `gettext "Configuring Kerberos"`"
	@regSubstitute.pl < $(TEMPLATEDIR)/krb5-client.conf > $(ETCDIR)/krb5.conf
	@regSubstitute.pl < $(TEMPLATEDIR)/mech > $(ETCDIR)/mech
	@(cd $(STAGEDIR)/etc; ln -sf ..$(LIVE_ETCDIR)/krb5.conf .)
	@touch $(TEMPDIR)/dsclient_stage_krb5

# Generate the init scripts into the staging tree. Unlike the rest of the
# file these recipe lines are not silenced with '@', so the commands are
# echoed. The rc* convenience links are created directly in the live
# XADROOT/sbin, not under STAGEDIR -- TODO confirm that is intended.
dsclient_stage_rc:
	@echo ">>> `gettext "Creating startup scripts"`"
	regSubstitute.pl < $(TEMPLATEDIR)/rpcd.init > $(STAGEDIR)/etc/init.d/rpcd;
	regSubstitute.pl < $(TEMPLATEDIR)/xad-krb5kdc.init > $(STAGEDIR)/etc/init.d/xad-krb5kdc;
	regSubstitute.pl < $(TEMPLATEDIR)/xad-kpasswdd.init > $(STAGEDIR)/etc/init.d/xad-kpasswdd;
	regSubstitute.pl < $(TEMPLATEDIR)/xadsd.init > $(STAGEDIR)/etc/init.d/xadsd;
	ln -sf /etc/init.d/rpcd $(XADROOT)/sbin/rcrpcd;
	ln -sf /etc/init.d/xad-krb5kdc $(XADROOT)/sbin/rcxad-krb5kdc;
	ln -sf /etc/init.d/xad-kpasswdd $(XADROOT)/sbin/rcxad-kpasswdd;
	ln -sf /etc/init.d/xadsd $(XADROOT)/sbin/rcxadsd;
	@touch $(TEMPDIR)/dsclient_stage_rc

dsclient_install: install

# Client bootstrap is just the domain join.
dsclient_bootstrap: dsclient_join

# Join a client machine: remove any stale account and keytab (failures
# ignored), then join with -n and write the host keytab to
# LIVE_ETCDIR/krb5.keytab. Unlike bootstrap_machine/replica_join no chmod
# or chgrp is applied here -- the keytab keeps whatever mode provision
# creates it with; TODO confirm that is restrictive enough.
dsclient_join: 
	@echo ">>> `gettext "Removing old machine account (if necessary)"`"
	@-$(XADROOT)/sbin/provision -q -m "$(INSTALLMACHINENAME)" -n \
		-s "$(SITE)" --remove "$(PROVIDER)" 2>/dev/null
	@echo ">>> `gettext "Removing old keytab (if necessary)"`"
	@-rm -f $(LIVE_ETCDIR)/krb5.keytab
	@echo ">>> `gettext "Joining this machine to the domain"`"
	@$(XADROOT)/sbin/provision -q -k "$(LIVE_ETCDIR)/krb5.keytab" \
		-m "$(INSTALLMACHINENAME)" -n -s "$(SITE)" --join "$(PROVIDER)"
	@touch $(TEMPDIR)/dsclient_join

# Download the CA certificate from the provider. In contrast to
# replica_cacert this is mandatory: a failed export fails the target.
dsclient_cacert:
	@echo ">>> `gettext "Downloading Certification Authority certificate"`"
	@mkdir -p $(LIVE_LOCALSTATEDIR)/CA
	@$(XADROOT)/sbin/provision -q -c "$(LIVE_LOCALSTATEDIR)/CA/cacert.pem" \
		--export-ca-cert "$(PROVIDER)"
	@touch $(TEMPDIR)/dsclient_cacert

# Alias for the generic clean target.
dsclient_clean: clean

################################################################################
# Rebuild syncrepl provider information
################################################################################
# Rewrite the syncrepl provider state of all four DIBs.
rebuild_syncrepl_provider: rebuild_domain_syncrepl_provider rebuild_config_syncrepl_provider rebuild_schema_syncrepl_provider rebuild_linkengine_syncrepl_provider

# slapadd with "-p -w" and no -l. -p is not an option of stock slapadd,
# and without -l stock slapadd reads LDIF from stdin, so this presumably
# relies on a patched slapadd that rewrites provider (contextCSN) state
# -- TODO confirm against the shipped binary.
rebuild_domain_syncrepl_provider:
	@echo ">>> `gettext "Rebuilding replica provider information for Domain DIB"`"
	@$(SLAPADD) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -p -w
	@touch $(TEMPDIR)/rebuild_domain_syncrepl_provider

# Same "-p -w" provider rebuild for the configuration DIB (see the note on
# rebuild_domain_syncrepl_provider).
rebuild_config_syncrepl_provider:
	@echo ">>> `gettext "Rebuilding replica provider information for Config DIB"`"
	@$(SLAPADD) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -p -w
	@touch $(TEMPDIR)/rebuild_config_syncrepl_provider
	
# Same "-p -w" provider rebuild for the schema DIB.
rebuild_schema_syncrepl_provider:
	@echo ">>> `gettext "Rebuilding replica provider information for Schema DIB"`"
	@$(SLAPADD) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -p -w
	@touch $(TEMPDIR)/rebuild_schema_syncrepl_provider

# Same "-p -w" provider rebuild for the LinkEngine DIB.
rebuild_linkengine_syncrepl_provider:
	@echo ">>> `gettext "Rebuilding replica provider information for LinkEngine DIB"`"
	@$(SLAPADD) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -p -w
	@touch $(TEMPDIR)/rebuild_linkengine_syncrepl_provider

################################################################################
# Rebuild syncrepl consumer information
################################################################################
# Rewrite the syncrepl consumer state of all four DIBs.
rebuild_syncrepl_consumer: rebuild_domain_syncrepl_consumer rebuild_config_syncrepl_consumer rebuild_schema_syncrepl_consumer rebuild_linkengine_syncrepl_consumer

# Consumer-side counterpart of rebuild_domain_syncrepl_provider: "-r -w"
# instead of "-p -w", again with no -l (same patched-slapadd caveat).
rebuild_domain_syncrepl_consumer:
	@echo ">>> `gettext "Rebuilding replica consumer information for Domain DIB"`"
	@$(SLAPADD) -b "$(DEFAULTROOTDOMAIN)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -r -w
	@touch $(TEMPDIR)/rebuild_domain_syncrepl_consumer

# "-r -w" consumer rebuild for the configuration DIB.
rebuild_config_syncrepl_consumer:
	@echo ">>> `gettext "Rebuilding replica consumer information for Config DIB"`"
	@$(SLAPADD) -b "$(DEFAULTCONFIGNC)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -r -w
	@touch $(TEMPDIR)/rebuild_config_syncrepl_consumer

# "-r -w" consumer rebuild for the schema DIB.
rebuild_schema_syncrepl_consumer:
	@echo ">>> `gettext "Rebuilding replica consumer information for Schema DIB"`"
	@$(SLAPADD) -b "$(SCHEMA)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -r -w
	@touch $(TEMPDIR)/rebuild_schema_syncrepl_consumer

# "-r -w" consumer rebuild for the LinkEngine DIB.
rebuild_linkengine_syncrepl_consumer:
	@echo ">>> `gettext "Rebuilding replica consumer information for LinkEngine DIB"`"
	@$(SLAPADD) -b "$(LINKENGINE)" -f $(LIVE_ETCDIR)/openldap/slapd.conf -r -w
	@touch $(TEMPDIR)/rebuild_linkengine_syncrepl_consumer

################################################################################
# Upgrade from XAD 1.0 to XAD 2.0
################################################################################

# Upgrade path: bring up the GC slapd, migrate the 1.0 DIB and RID pools
# (both targets defined elsewhere in this file), shut slapd down again.
upgrade_v1: start_slapd_gc migrate_v1_dib migrate_v1_rid_pools stop_slapd_gc

################################################################################
# Provision XAD on eDirectory
################################################################################
#
# Notes on configuring XAD on eDirectory
#
# 1. Perform dcinit stage targets to prepare LDIF, configuration files
# 2. Install and configure NMAS
# 3. Load translated AD schema (msds.sch) with ndssch
# 4. Load default configuration, schema, and domain DITs
# 5. Move default eDirectory server objects to Novell service OU
# 6. Import attributes containing references (including back-links)
# 7. Split configuration and schema partitions
# 8. Perform dcinit bootstrap targets
# 9. Trigger Limber so that NDS server knows that it is an Aquila server 
#10. Restart all services
#
################################################################################

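# eDirectory parameters
# The tree name is read from nds.conf; if the query yields nothing we fall back
# to the NetBIOS name (see the note above nds_extend_schema).  The test accepts
# both a genuinely empty result and the two-character literal "" -- comparing
# against "" alone never matches an empty value in make.
NDSTREENAME		= $(shell ndsConfigGet.sh "n4u.base.tree-name")
ifeq ($(filter-out "",$(strip $(NDSTREENAME))),)
NDSTREENAME		= $(NETBIOSNAME)
endif
NDSSERVERCONTEXT	= $(shell printConfigKey.pl "NDS Server Context")
NDSSERVERNAME		= $(shell printConfigKey.pl "NDS Server Name")
# Partition name in dotted NDS form.  DOMAINNAME is not defined in this part of
# the file; the recursive '=' keeps it late-bound, so it must be set before any
# recipe expands NDSPARTITIONNAME.
NDSPARTITIONNAME        = $(shell echo ".$(DOMAINNAME).T=$(NDSTREENAME).")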

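# If NAME_MAPPED_FRD is set then we are installing the first domain into an existing eDirectory tree.
# The selection below keys on IS_FIRST_SERVER and on whether the caller supplied
# NDSEXISTINGADMINNAME.  Every identity is kept in two spellings: the dotted NDS
# form (NDS*) and the LDAP DN form (LDAP*); the sed expression turns ".TYPE="
# separators into ",TYPE=" to convert the former into the latter.
# The quoted values carry their own double quotes, so recipes that wrap them in
# quotes again rely on the shell concatenating adjacent quoted strings.

ifeq ($(IS_FIRST_SERVER),TRUE)
ifeq ($(NDSEXISTINGADMINNAME),)
# New tree: a dedicated provisioning user is created under the server context.
NDSADMINNAME		= "CN=XAD_PROVISIONING_USER.$(NDSSERVERCONTEXT)"
LDAPADMINNAME		= "CN=XAD_PROVISIONING_USER,$(DEFAULTROOTDOMAIN)"
else
# Existing tree: reuse the administrator the caller supplied.  Keep no trailing
# whitespace after the $(shell ...) call -- make stores it as part of the value
# and it would end up inside the quoted -D argument of every bind.
NDSADMINNAME		= $(NDSEXISTINGADMINNAME)
LDAPADMINNAME		= $(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
endif
else
ifeq ($(IS_REPLICA),TRUE)
# Additional domain controller: bind as the domain Administrator and obtain this
# server's context from ndsConfigServerContext.sh.
# NOTE(review): with the recursive '=' the script is re-run on every expansion of
# NDSSERVERCONTEXT (it is referenced several times below); confirm that is
# intended, otherwise ':=' would run it once at parse time.
LDAPADMINNAME	= "CN=Administrator,CN=Users,$(MAPPEDDOMAINNC)"
NDSSERVERCONTEXT	= $(shell ./ndsConfigServerContext.sh --add-dc $(DNSROOT) $(LDAPADMINNAME) $(PROVIDER))
NDSADMINSERVERCONTEXT	= $(shell echo $(NDSSERVERCONTEXT) | sed 's/^ou=novell.//')
LDAPACTUALDOMAINNC      = $(shell echo $(NDSADMINSERVERCONTEXT) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
LDAPSERVERCONTEXT       = $(shell echo $(NDSSERVERCONTEXT) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
NDSADMINNAME		= "CN=Administrator.CN=Users.$(NDSADMINSERVERCONTEXT)"
LDAPACTUALADMINNAME	= "CN=Administrator,CN=Users,$(LDAPACTUALDOMAINNC)"
LDAPEXISTINGADMINNAME   = $(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
endif
endif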

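# Child domain (this domain's NC is not the forest NC).
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
# First server of a child domain: operations in the parent are done as the
# parent's Administrator.  The parent password reaches the helper script through
# the environment (ADM_PASSWD=...) rather than on its command line.
NDSPARENTADMINNAME	= "CN=Administrator.CN=Users.$(PARENTDOMAINNC)"
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
NDSADMINSERVERCONTEXT	= $(shell ADM_PASSWD=$(ADM_PASSWD_PARENT) ./ndsConfigServerContext.sh $(DNSROOT) $(NDSPARENTADMINNAME) $(PARENTDOMAINPROVIDER))
else
# Name-mapped: derive the dotted context directly from the mapped domain NC.
NDSADMINSERVERCONTEXT	= $(shell echo $(MAPPEDDOMAINNC) | sed 's/,/./g')
endif
# Temporary admin = the existing-tree administrator supplied by the caller.  No
# trailing whitespace after $(shell ...): make keeps it in the value and it would
# be quoted into the -D argument of every bind that uses LDAPTEMPADMINNAME.
NDSTEMPADMINNAME	= $(NDSEXISTINGADMINNAME)
LDAPTEMPADMINNAME	= $(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
NETBIOSNAME_PARENT	= $(shell provisionQuery.sh $(PARENTDOMAIN) "NetBIOS Name")
DOMAINSID_PARENT	= $(shell provisionQuery.sh $(PARENTDOMAIN) "Dom Sid")
else
# Replica of a child domain: the temporary admin is the domain Administrator.
LDAPTEMPADMINNAME	= "CN=Administrator,CN=Users,$(MAPPEDDOMAINNC)"
NDSTEMPADMINNAME	= "CN=Administrator.CN=Users.$(NDSADMINSERVERCONTEXT)"
endif
endif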

# Full provisioning sequence (the YaST-driven path).  Note that nds_configure
# turns "Require TLS for Simple Binds with Password" off for bootstrapping and
# nds_configure_nldap_enable_requiretls turns it back on near the end.
nds_all: nds_stage nds_install nds_configure_dns nds_configure nds_import nds_update_nsswitch nds_restart_services_for_install nds_bootstrap nds_addl_domain_enable_krb5_local_lookup nds_acquire_domain_ticket nds_import_samify_existing_objects nds_migrate_nkdc_principals nds_create_gpo nds_sync_gpo_nmas nds_update_cron_entry nds_configure_nldap_enable_requiretls nds_delete_temporary_administrator nds_clean

# Reduced sequence without YaST.
# NOTE(review): this list runs nds_configure (which disables the TLS requirement
# for simple binds) but nothing visible here re-enables it and the temporary
# administrator is not deleted; confirm nds_bootstrap/nds_clean cover that, or
# add nds_configure_nldap_enable_requiretls and nds_delete_temporary_administrator.
nds_all_noyast: nds_stage nds_install nds_configure nds_import nds_update_nsswitch nds_restart_services nds_bootstrap nds_clean

# Thin aliases onto the generic dcinit stage/install targets.
nds_stage: stage

nds_install: install

# DNS objects for a new domain (zone object, then resource records).
nds_configure_dns: nds_configure_zone_object nds_configure_dns_RR_objects

# DNS objects for an additional domain controller.  The TLS requirement is
# relaxed around the two *_for_ADC targets and restored afterwards.
nds_configure_dns_for_ADC: nds_configure_nldap_disable_requiretls nds_configure_zone_object_for_ADC nds_configure_dns_RR_objects_for_ADC nds_configure_nldap_enable_requiretls_after_dns

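# Bind identity for creating the zone object.  In a child domain we bind to the
# parent's DNS server as the existing administrator and ask provisionTools.sh
# which server is the DNS master.  DNS_MASTER is a backquoted shell command, so
# the shell evaluates it on every recipe line that expands it.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_zone_object: LDAPADMINNAME=$(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
nds_configure_zone_object: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_zone_object: LDAPADD_FLAGS = -h $(IPADDRESS) -x -D "$(LDAPTEMPADMINNAME)" -a -W
nds_configure_zone_object: DNS_MASTER=`ADM_PASSWD="$(ADM_PASSWD)" /opt/novell/xad/share/dcinit/provisionTools.sh get-dns-master -p $(DNS_SERVER_IP) -a $(LDAPADMINNAME) -c $(DNSSERVER)`
endif

# Forest root: this host is the DNS master.
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_zone_object: DNS_MASTER=$(DNSHOSTNAME)
endif

# Assemble final-dns.ldif from the forward and reverse zone-object templates plus
# the two DNS-modify LDIFs, fetch SSCert.der with getSSCert if it is not cached
# yet, and apply the LDIF with ldapmodify on port 636.  Replicas skip all of this
# and only write the stamp.
nds_configure_zone_object:
ifeq ($(IS_REPLICA),FALSE)
	@echo ">>> `gettext "Creating DNS Zone object"`"
	@rm -f $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@touch $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@sed -e "s/{DNSMaster}/$(DNS_MASTER)/g" $(LIVE_DSSTATEDIR)/dns/zone-object.ldif > $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@echo "" >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@sed -e "s/{DNSMaster}/$(DNS_MASTER)/g" $(LIVE_DSSTATEDIR)/dns/reverse-zone-object.ldif >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@echo "" >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@cat $(LIVE_DSSTATEDIR)/dns/DNS-modify.ldif >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@echo "" >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@cat $(LIVE_DSSTATEDIR)/dns/DNS-modify-reverse-zones.ldif >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
# The inner test needs the space after "[": written as "[!" it is not a command,
# the shell reports it as not found, the condition is false and a failed
# certificate fetch goes unnoticed until ldapmodify fails on the missing -e file.
	@if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
		LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:$(LD_LIBRARY_PATH) /opt/novell/oes-install/util/getSSCert -a "$(DNS_SERVER_IP)" -t "$(NDSTREENAME)" -u "$(NDSEXISTINGADMINNAME)" -x "$(ADM_PASSWD)"; \
		if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
			echo ">>> `gettext "Failed to get certificates. exiting"`"; \
			exit 1; \
		fi; \
	fi;
# The password is quoted like every other occurrence in this recipe so a value
# with whitespace is not split into several arguments.
# NOTE(review): -w places the bind password on the ldapmodify command line, where
# other local users can read it from the process list; replops further down takes
# "env:ADM_PASSWD" instead -- confirm whether this ldapmodify build can read the
# password from a file or the environment and switch to that.
	@/opt/novell/eDirectory/bin/ldapmodify -h "$(DNS_SERVER_IP)" -x -D "$(LDAPADMINNAME)" -e /etc/opt/novell/certs/SSCert.der -p 636 -w "$(ADM_PASSWD)" -a -f $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
endif
	@touch $(TEMPDIR)/nds_configure_zone_object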

# Bindings for the additional-DC case: bind as the existing administrator and
# resolve DNS_MASTER either through provisionTools.sh (child domain) or by
# reverse-resolving DNS_SERVER_IP with nslookup (forest root).  DNS_MASTER is a
# backquoted shell command, evaluated by the shell on every line that expands it.
ifeq ($(IS_REPLICA),TRUE)
nds_configure_zone_object_for_ADC: LDAPADMINNAME=$(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
nds_configure_zone_object_for_ADC: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_zone_object_for_ADC: LDAPADD_FLAGS = -h $(IPADDRESS) -x -D "$(LDAPTEMPADMINNAME)" -a -W
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_zone_object_for_ADC: DNS_MASTER=`ADM_PASSWD="$(ADM_PASSWD)" /opt/novell/xad/share/dcinit/provisionTools.sh get-dns-master -p $(DNS_SERVER_IP) -a $(LDAPADMINNAME) -c $(DNSSERVER)`
endif
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_zone_object_for_ADC: DNS_MASTER=`nslookup $(DNS_SERVER_IP) | grep 'name = ' | awk -F 'name = ' '{print $$2}'`
endif
endif

# Replica only: build final-dns.ldif from the reverse zone-object template plus
# DNS-modify-reverse-zones.ldif, fetch SSCert.der with getSSCert if it is not
# present, and apply the LDIF with ldapmodify on port 636.  Non-replicas only
# write the stamp.
nds_configure_zone_object_for_ADC:
ifeq ($(IS_REPLICA),TRUE)
	@echo ">>> `gettext "Creating DNS Zone object for Aditional domain controller"`"
	@rm -f $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@touch $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@sed -e "s/{DNSMaster}/$(DNS_MASTER)/g" $(LIVE_DSSTATEDIR)/dns/reverse-zone-object.ldif > $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@echo "" >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@cat $(LIVE_DSSTATEDIR)/dns/DNS-modify-reverse-zones.ldif >> $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
	@if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
		LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:$(LD_LIBRARY_PATH) /opt/novell/oes-install/util/getSSCert -a "$(DNS_SERVER_IP)" -t "$(NDSTREENAME)" -u "$(NDSEXISTINGADMINNAME)" -x "$(ADM_PASSWD)"; \
		if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
			echo ">>> `gettext "Failed to get certificates. exiting"`"; \
			exit 1; \
		fi; \
	fi;
# NOTE(review): -w exposes the bind password on the command line (process list);
# the unquoted $(ADM_PASSWD) also splits on whitespace.  Compare the
# "env:ADM_PASSWD" form used with replops further down.
	@/opt/novell/eDirectory/bin/ldapmodify -h "$(DNS_SERVER_IP)" -x -D "$(LDAPADMINNAME)" -e /etc/opt/novell/certs/SSCert.der -p 636 -w $(ADM_PASSWD) -a -f $(LIVE_DSSTATEDIR)/dns/final-dns.ldif;
endif
	@touch $(TEMPDIR)/nds_configure_zone_object_for_ADC

# Bindings for the resource-record objects.  Child domain: bind as the existing
# administrator and ask provisionTools.sh for the DNS master.  Forest root: the
# master is this host, or (on a replica) whatever DNS_SERVER_IP reverse-resolves
# to.  DNS_MASTER is a backquoted shell command evaluated at each use.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_dns_RR_objects: LDAPADMINNAME=$(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
nds_configure_dns_RR_objects: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_dns_RR_objects: LDAPADD_FLAGS = -h $(IPADDRESS) -x -D "$(LDAPTEMPADMINNAME)" -a -W
nds_configure_dns_RR_objects: DNS_MASTER=`ADM_PASSWD="$(ADM_PASSWD)" /opt/novell/xad/share/dcinit/provisionTools.sh get-dns-master -p $(DNS_SERVER_IP) -a $(LDAPADMINNAME) -c $(DNSSERVER)`
endif
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA), TRUE)
nds_configure_dns_RR_objects: DNS_MASTER=`nslookup $(DNS_SERVER_IP) | grep 'name = ' | awk -F 'name = ' '{print $$2}'`
else
nds_configure_dns_RR_objects: DNS_MASTER=$(DNSHOSTNAME)
endif
endif

# Generate the forward ($(DNSROOT).zone) and reverse ($(IPADDRESS).zone) zone
# files from the templates, convert them to LDIFs in dns/RR with
# GenerateRRLdifs.pl (first server only), concatenate every RR LDIF into
# final-dns-records.ldif, fetch SSCert.der if missing, and apply the LDIF.
nds_configure_dns_RR_objects:
	@echo ">>> `gettext "Creating the DNS Resource Records object"`"
	@mkdir -p $(LIVE_DSSTATEDIR)/dns/RR
	@rm -f $(LIVE_DSSTATEDIR)/dns/RR/*.ldif
ifeq ($(IS_REPLICA),FALSE)
	@regSubstitute.pl < $(TEMPLATEDIR)/dns.zone | sed "s/{DNSMaster}/$(DNS_MASTER)/g" | sed "s/{DNSServerIP}/$(DNS_SERVER_IP)/g" > $(LIVE_DSSTATEDIR)/dns/RR/$(DNSROOT).zone
	@regSubstitute.pl < $(TEMPLATEDIR)/dc-reverse.zone | sed "s/{DNSMaster}/$(DNS_MASTER)/g" > $(LIVE_DSSTATEDIR)/dns/RR/$(IPADDRESS).zone
	@GenerateRRLdifs.pl $(LIVE_DSSTATEDIR)/dns/RR/$(DNSROOT).zone $(DNSSERVER_CONTEXT) $(IS_REPLICA) add
	@GenerateRRLdifs.pl $(LIVE_DSSTATEDIR)/dns/RR/$(IPADDRESS).zone $(DNSSERVER_CONTEXT) $(IS_REPLICA) add
endif
	@rm -f $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif;
	@touch $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif;
# On a replica dns/RR was just emptied, so this loop produces an empty LDIF
# (ls prints an error to stderr but the recipe continues).
	@for i in `ls $(LIVE_DSSTATEDIR)/dns/RR/*.ldif`; do \
		cat $$i >> $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif; \
		echo "" >> $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif; \
	done;
	@if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
		LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:$(LD_LIBRARY_PATH) /opt/novell/oes-install/util/getSSCert -a "$(DNS_SERVER_IP)" -t "$(NDSTREENAME)" -u "$(NDSEXISTINGADMINNAME)" -x "$(ADM_PASSWD)"; \
		if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
			echo ">>> `gettext "Failed to get certificates. exiting"`"; \
			exit 1; \
		fi; \
	fi;
# NOTE(review): -w exposes the bind password on the command line (process list);
# the unquoted $(ADM_PASSWD) also splits on whitespace.
	@/opt/novell/eDirectory/bin/ldapmodify -h "$(DNS_SERVER_IP)" -x -D "$(LDAPADMINNAME)" -e /etc/opt/novell/certs/SSCert.der -p 636 -w $(ADM_PASSWD) -a -f $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif;
	@touch $(TEMPDIR)/nds_configure_dns_RR_objects

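# Bindings for the additional-DC resource records.  Child domain: bind as the
# existing administrator and ask provisionTools.sh for the DNS master; forest
# root: reverse-resolve DNS_SERVER_IP.  SOAVALUE (replica only) is the current
# SOA serial of the zone, queried through provisionTools.sh.  Both are backquoted
# shell commands evaluated at each use.
# Only one recipe is kept for this target: GNU make honours just the last recipe
# given for a target (and warns about the others), so a second, earlier recipe
# would never run.  The certificate fetch is part of the recipe below.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_dns_RR_objects_for_ADC: LDAPADMINNAME=$(shell echo $(NDSEXISTINGADMINNAME) | sed 's/\.\([a-z,A-Z,0-9]*\)=/,\1=/g')
nds_configure_dns_RR_objects_for_ADC: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_dns_RR_objects_for_ADC: LDAPADD_FLAGS = -h $(IPADDRESS) -x -D "$(LDAPTEMPADMINNAME)" -a -W
nds_configure_dns_RR_objects_for_ADC: DNS_MASTER=`ADM_PASSWD="$(ADM_PASSWD)" /opt/novell/xad/share/dcinit/provisionTools.sh get-dns-master -p $(DNS_SERVER_IP) -a $(LDAPADMINNAME) -c $(DNSSERVER)`
endif
ifeq ($(IS_REPLICA),TRUE)
nds_configure_dns_RR_objects_for_ADC: SOAVALUE=`ADM_PASSWD="$(ADM_PASSWD)" /opt/novell/xad/share/dcinit/provisionTools.sh soa-query -p $(DNS_SERVER_IP) -a $(LDAPADMINNAME) -c "cn=$(DNSZONE),$(DNSSERVER_CONTEXT)"`
endif
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_configure_dns_RR_objects_for_ADC: DNS_MASTER=`nslookup $(DNS_SERVER_IP) | grep 'name = ' | awk -F 'name = ' '{print $$2}'`
endif

# Replica: write an LDIF that bumps the zone's dNIPSOASerial to SOAVALUE,
# generate the additional-DC forward zone and the reverse zone from the
# templates, convert them to LDIFs in dns/RR, concatenate them into
# final-dns-records.ldif, fetch SSCert.der if missing, apply the records and then
# the SOA modification.  Non-replicas only clear dns/RR, apply an empty LDIF and
# write the stamp.
nds_configure_dns_RR_objects_for_ADC:
	@echo ">>> `gettext "Creating the DNS Resource Records object for Additional domain controller"`"
	@mkdir -p $(LIVE_DSSTATEDIR)/dns/RR
	@rm -f $(LIVE_DSSTATEDIR)/dns/RR/*.ldif
ifeq ($(IS_REPLICA),TRUE)
	@touch $(LIVE_DSSTATEDIR)/dns/Modify-SOA-Entry.ldif
	@echo "dn: cn=$(DNSZONE),$(DNSSERVER_CONTEXT)" > $(LIVE_DSSTATEDIR)/dns/Modify-SOA-Entry.ldif
	@echo "changetype: modify" >> $(LIVE_DSSTATEDIR)/dns/Modify-SOA-Entry.ldif
	@echo "dNIPSOASerial: $(SOAVALUE)" >> $(LIVE_DSSTATEDIR)/dns/Modify-SOA-Entry.ldif
	@regSubstitute.pl < $(TEMPLATEDIR)/additional-dc.zone > $(LIVE_DSSTATEDIR)/dns/RR/ADC_$(DNSROOT).zone
	@regSubstitute.pl < $(TEMPLATEDIR)/dc-reverse.zone | sed "s/{DNSMaster}/$(DNS_MASTER)/g" > $(LIVE_DSSTATEDIR)/dns/RR/$(IPADDRESS).zone
	@GenerateRRLdifs.pl $(LIVE_DSSTATEDIR)/dns/RR/ADC_$(DNSROOT).zone $(DNSSERVER_CONTEXT) $(IS_REPLICA) add
	@GenerateRRLdifs.pl $(LIVE_DSSTATEDIR)/dns/RR/$(IPADDRESS).zone $(DNSSERVER_CONTEXT) $(IS_REPLICA) add
endif
	@rm -f $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif;
	@touch $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif;
	@for i in `ls $(LIVE_DSSTATEDIR)/dns/RR/*.ldif`; do \
		cat $$i >> $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif; \
		echo "" >> $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif; \
	done;
	@if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
		LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:$(LD_LIBRARY_PATH) /opt/novell/oes-install/util/getSSCert -a "$(DNS_SERVER_IP)" -t "$(NDSTREENAME)" -u "$(NDSEXISTINGADMINNAME)" -x "$(ADM_PASSWD)"; \
		if [ ! -f "/etc/opt/novell/certs/SSCert.der" ]; then \
			echo ">>> `gettext "Failed to get certificates. exiting"`"; \
			exit 1; \
		fi; \
	fi;
# NOTE(review): -w exposes the bind password on the command line (process list);
# compare the "env:ADM_PASSWD" form used with replops further down.
	@/opt/novell/eDirectory/bin/ldapmodify -h "$(DNS_SERVER_IP)" -x -D "$(LDAPADMINNAME)" -e /etc/opt/novell/certs/SSCert.der -p 636 -w "$(ADM_PASSWD)" -a -f $(LIVE_DSSTATEDIR)/dns/final-dns-records.ldif;
ifeq ($(IS_REPLICA),TRUE)
	@/opt/novell/eDirectory/bin/ldapmodify -h "$(DNS_SERVER_IP)" -x -D "$(LDAPADMINNAME)" -e /etc/opt/novell/certs/SSCert.der -p 636 -w "$(ADM_PASSWD)" -f $(LIVE_DSSTATEDIR)/dns/Modify-SOA-Entry.ldif;
endif
	@touch $(TEMPDIR)/nds_configure_dns_RR_objects_for_ADC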


# Push the Default Domain Policy GPO (the well-known GUID below) into NMAS and
# give the sysvol tree to ADMINISTRATOR_UID:DOMAIN_ADMINS_GID.
nds_sync_gpo_nmas:
	@echo ">>> `gettext "Synchronizing Policies"`"
	@$(GPO2NMAS) -g "{31B2F340-016D-11D2-945F-00C04FB984F9}" -f nmas
	@chown -R $(ADMINISTRATOR_UID):$(DOMAIN_ADMINS_GID) "$(LIVE_LOCALSTATEDIR)/sysvol"
	@touch $(TEMPDIR)/$@

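# Seconds to wait for the NAD plug-in to appear in ndsd's address space before
# the install is aborted.  Overridable from the command line.
NAD_PLUGIN_LOAD_TIMEOUT ?= 600

# Poll /proc/<ndsd pid>/maps once a second until a mapped path containing "nad"
# (case-insensitive -- the pattern is not anchored to a file name) shows up.
# The loop is bounded by NAD_PLUGIN_LOAD_TIMEOUT: without a limit a plug-in that
# never loads would hang the install forever and the failure branch below could
# never be reached.
nds_validate_loaded_plugin:
	@echo ">>> `gettext "Validating the loading of NAD plugin"`"; \
	Nad_Plugin_loaded=0; \
	waited=0; \
	while [ "$$Nad_Plugin_loaded" -ne 1 ] && [ "$$waited" -lt "$(NAD_PLUGIN_LOAD_TIMEOUT)" ]; do \
		sleep 1; \
		waited=`expr $$waited + 1`; \
		cat /proc/`cat /var/opt/novell/eDirectory/data/ndsd.pid`/maps | grep -i 'nad' >/dev/null 2>&1; \
		if [ "$$?" -eq 0 ]; then \
			Nad_Plugin_loaded=1; \
		fi; \
	done; \
	if [ "$$Nad_Plugin_loaded" -eq 0 ]; then \
		echo ">>> `gettext "Plug-ins are not properly loaded, hence terminating the installation...."`"; \
		exit 1; \
	fi;
	@touch $(TEMPDIR)/nds_validate_loaded_plugin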

# Create tree, extend with AD schema, configure NMAS/NLDAP
# (nds_load_samspm and nds_extend_nam_schema were added in front of the original
# three-step sequence kept below for reference.)
#nds_configure: nds_extend_schema nds_configure_nmas nds_configure_nldap
nds_configure: nds_load_samspm nds_extend_nam_schema nds_extend_schema nds_configure_nmas nds_configure_nldap

# By default we use the NetBIOS name of the forest root for the tree name. We
# can change this later once we are integrated with YaST.

# Extend the eDirectory schema with the translated AD schema (msds.sch), logging
# to schema.log.  Binds as NDSADMINNAME against tree NDSTREENAME; SCH_SERVER is
# passed through as given.
nds_extend_schema:
	@echo ">>> `gettext "Extending eDirectory schema"`"
	@$(NDSSCH) "$(NDSADMINNAME)" -F /var/opt/novell/eDirectory/log/schema.log -t "$(NDSTREENAME)" $(SCH_SERVER) $(LIVE_ETCDIR)/msds.sch
	@touch $(TEMPDIR)/$@

# Extend the schema with the LUM/NAM definitions (NAM.SCH); ADPH adds NAM
# attributes to users and groups during samification, so these must exist first.
# Same invocation shape as nds_extend_schema, logging to schema.log.
nds_extend_nam_schema:
	@echo ">>> `gettext "Extending LUM schema"`"
	@$(NDSSCH) "$(NDSADMINNAME)" -F /var/opt/novell/eDirectory/log/schema.log -t "$(NDSTREENAME)" $(SCH_SERVER) /var/lib/novell-lum/NAM.SCH
	@touch $(TEMPDIR)/$@

# NMAS configuration: install the three login methods, then kick the backlinker.
nds_configure_nmas: nds_configure_nmas_methods nds_trigger_backlinker

# Install NMAS into the tree via $(NMASINST), binding as NDSADMINNAME on
# INSTALLMACHINENAME.  The password goes on the command line (-w), so it is
# visible in the process list for the duration of the call.
nds_install_nmas:
	@echo ">>> `gettext "Installing NMAS into tree"`"
	@$(NMASINST) -i "$(NDSADMINNAME)" "$(NDSTREENAME)" -h $(INSTALLMACHINENAME) -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/$@

# Bindings: a child domain's first server binds over LDAPI as the temporary
# (existing-tree) administrator; a replica binds as the existing administrator.
# Both override ADM_PASSWD with NDSEXISTINGADMINPASSWD while passing -W, so
# $(LDAPMODIFY) is presumably a wrapper that answers the -W prompt from
# ADM_PASSWD -- TODO confirm.
# NOTE(review): the replica variant leaves -D $(LDAPEXISTINGADMINNAME) unquoted
# while the first-server variant quotes its DN; a DN containing whitespace would
# be split into several arguments here.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA), FALSE)
nds_configure_tree_key_permissions: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_tree_key_permissions: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W 
endif
endif
ifeq ($(IS_REPLICA), TRUE)
nds_configure_tree_key_permissions: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_tree_key_permissions: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D $(LDAPEXISTINGADMINNAME) -W
endif
# Apply nds-tree-key.ldif, which grants access to the tree key.
nds_configure_tree_key_permissions:
	@echo ">>> `gettext "Configuring permissions to access the treekey"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-tree-key.ldif
	@touch $(TEMPDIR)/nds_configure_tree_key_permissions

# The three NMAS login methods XAD needs: IPCExternal, Kerberos and Negotiate.
nds_configure_nmas_methods: nds_configure_nmas_ipc_method nds_configure_nmas_mskrb_method nds_configure_nmas_spnego_method

# Register the IPCExternal login method from $(NMASMTHDDIR)/IPCExternal.
nds_configure_nmas_ipc_method:
	@echo ">>> `gettext "Installing IPCExternal NMAS method"`"
	@$(NMASINST) -addmethod "$(NDSADMINNAME)" "$(NDSTREENAME)" $(NMASMTHDDIR)/IPCExternal/config.txt -h $(INSTALLMACHINENAME) -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/$@

# Register the Kerberos login method from $(NMASMTHDDIR)/Kerberos.
nds_configure_nmas_mskrb_method:
	@echo ">>> `gettext "Installing Kerberos NMAS method"`"
	@$(NMASINST) -addmethod "$(NDSADMINNAME)" "$(NDSTREENAME)" $(NMASMTHDDIR)/Kerberos/config.txt -h $(INSTALLMACHINENAME) -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/$@

# Register the Negotiate (SPNEGO) login method from $(NMASMTHDDIR)/Negotiate.
nds_configure_nmas_spnego_method:
	@echo ">>> `gettext "Installing Negotiate NMAS method"`"
	@$(NMASINST) -addmethod "$(NDSADMINNAME)" "$(NDSTREENAME)" $(NMASMTHDDIR)/Negotiate/config.txt -h $(INSTALLMACHINENAME) -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/$@

# Apply the NMAS debug settings from domain/nmas.ldif (not part of nds_all).
nds_import_nmas_debug:
	@echo ">>> `gettext "Configuring NMAS (debug) for XAD"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nmas.ldif
	@touch $(TEMPDIR)/$@

# NMAS extended operation OID (under the Novell OID arc); sent by nds_refresh_nmas
LDAP_NMAS_EXOP_OID = "2.16.840.1.113719.1.39.42.100.25"
# The BER encoding of the request to refresh the login policy (base64, appended
# to the OID after "::" in nds_refresh_nmas)
NMAS_REFRESH_LOGIN_POLICY_ARGS = "MIQAAAAGAgEBAgEB"

# Ask NMAS to reload its login policy by issuing the extended operation
# LDAP_NMAS_EXOP_OID with the pre-encoded NMAS_REFRESH_LOGIN_POLICY_ARGS value.
nds_refresh_nmas:
	@echo ">>> `gettext "Refreshing NMAS login policy"`"
	@$(LDAPEXOP) $(LDAPEXOP_FLAGS) "$(LDAP_NMAS_EXOP_OID)::$(NMAS_REFRESH_LOGIN_POLICY_ARGS)"
	@touch $(TEMPDIR)/$@

# NLDAP configuration: set the server options, then wait for them to take effect
# before any LDIF is imported.
nds_configure_nldap: nds_configure_nldap_settings nds_pause_before_import_ldif

# This is necessary for bootstrapping only; we can use strong authentication otherwise
# A child domain's first server authenticates to ldapconfig as the temporary
# (existing-tree) administrator with its password.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_configure_nldap_settings: NDSADMINNAME = "$(NDSTEMPADMINNAME)"
nds_configure_nldap_settings: ADM_PASSWD="$(NDSEXISTINGADMINPASSWD)"
endif
endif
# Allow simple binds with a password over plain LDAP (needed until Kerberos/SASL
# is usable) and publish the interfaces: LDAP 389, LDAPS 636, LDAPI, CLDAP and the
# global-catalog ports 3268/3269.  nds_configure_nldap_enable_requiretls is
# expected to turn the TLS requirement back on once bootstrapping is done; in the
# meantime passwords can cross port 389 in clear.
nds_configure_nldap_settings:  
	@echo ">>> `gettext "Configuring LDAP server"`"
	@$(LDAPCONFIG) set "Require TLS for Simple Binds with Password=no" \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@$(LDAPCONFIG) set "ldapInterfaces=ldap://:389 ldaps://:636 $(LDAPI_URL) cldap:// ldap://:3268 ldaps://:3269" \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/nds_configure_nldap_settings

# Restore "Require TLS for Simple Binds with Password" at the end of nds_all.
# A child domain's first server authenticates as the temporary administrator.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_configure_nldap_enable_requiretls: ADM_PASSWD="$(NDSEXISTINGADMINPASSWD)"
nds_configure_nldap_enable_requiretls: NDSADMINNAME = "$(NDSTEMPADMINNAME)"
endif
endif
nds_configure_nldap_enable_requiretls:
	@$(LDAPCONFIG) set "Require TLS for Simple Binds with Password=yes" \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/nds_configure_nldap_enable_requiretls

# Temporarily allow password simple binds without TLS; used at the start of
# nds_configure_dns_for_ADC and undone by
# nds_configure_nldap_enable_requiretls_after_dns.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_configure_nldap_disable_requiretls: ADM_PASSWD="$(NDSEXISTINGADMINPASSWD)"
nds_configure_nldap_disable_requiretls: NDSADMINNAME = "$(NDSTEMPADMINNAME)"
endif
endif
nds_configure_nldap_disable_requiretls:
	@$(LDAPCONFIG) set "Require TLS for Simple Binds with Password=no" \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/nds_configure_nldap_disable_requiretls

# Counterpart of nds_configure_nldap_disable_requiretls, run after the ADC DNS
# objects have been created.  Kept as a separate target (own stamp file) so the
# dns_for_ADC sequence can track it independently of the nds_all variant.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_configure_nldap_enable_requiretls_after_dns: ADM_PASSWD="$(NDSEXISTINGADMINPASSWD)"
nds_configure_nldap_enable_requiretls_after_dns: NDSADMINNAME = "$(NDSTEMPADMINNAME)"
endif
endif
nds_configure_nldap_enable_requiretls_after_dns:
	@$(LDAPCONFIG) set "Require TLS for Simple Binds with Password=yes" \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/nds_configure_nldap_enable_requiretls_after_dns

# A child domain's first server modifies the NLDAP objects over LDAPI as the
# temporary administrator.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_configure_nldap_objects: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_configure_nldap_objects: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W
endif
endif
# First delete the class-list entries (errors ignored and -c continues past
# failures, presumably because the entries need not exist -- TODO confirm), then
# load the schema mappings and plug-in configuration from nldap.ldif.
nds_configure_nldap_objects:
	@echo ">>> `gettext "Configuring LDAP to eDirectory schema mappings and plugins"`"
	@-$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -c -f $(LIVE_DSSTATEDIR)/domain/nldap-delete-classlist.ldif
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nldap.ldif
	@touch $(TEMPDIR)/nds_configure_nldap_objects

# Refresh NLDAP server using extended operation so we can use strong authentication
# (OID under the Novell arc; sent without arguments by nds_refresh_nldap)
LDAP_NLDAP_EXOP_OID = "2.16.840.1.113719.1.27.100.9"

# Issue the NLDAP refresh extended operation (LDAP_NLDAP_EXOP_OID, no payload).
nds_refresh_nldap:
	@$(LDAPEXOP) $(LDAPEXOP_FLAGS) "$(LDAP_NLDAP_EXOP_OID)"
	@touch $(TEMPDIR)/$@

# Alternative NLDAP refresh via "ldapconfig -R" (used in nds_import_nl instead
# of the extended-operation variant).  A child domain's first server
# authenticates as the temporary administrator.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_refresh_nldap_through_ldapconfig: ADM_PASSWD="$(NDSEXISTINGADMINPASSWD)"
nds_refresh_nldap_through_ldapconfig: NDSADMINNAME = "$(NDSTEMPADMINNAME)"
endif
endif
nds_refresh_nldap_through_ldapconfig:
	@$(LDAPCONFIG) -R \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/nds_refresh_nldap_through_ldapconfig

# Identical to nds_refresh_nldap_through_ldapconfig but with its own stamp file,
# so a second refresh can be sequenced separately from the first.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_second_refresh_nldap_through_ldapconfig: ADM_PASSWD="$(NDSEXISTINGADMINPASSWD)"
nds_second_refresh_nldap_through_ldapconfig: NDSADMINNAME = "$(NDSTEMPADMINNAME)"
endif
endif
nds_second_refresh_nldap_through_ldapconfig:
	@$(LDAPCONFIG) -R \
		--config-file $(LIVE_ETCDIR)/nds.conf \
		-t "$(NDSTREENAME)" -a "$(NDSADMINNAME)" -w "$(ADM_PASSWD)"
	@touch $(TEMPDIR)/nds_second_refresh_nldap_through_ldapconfig

# Import LDIF, delete the temporary administrator account, and split partitions
# (the actual deletion lives in nds_delete_temporary_administrator, which nds_all
# runs separately near the end)
nds_import: nds_import_ldif nds_create_nc 

# nds_import_nds will take care of renaming server objects
# Order: pause, non-linked attributes, back-linked attributes, effective ACLs,
# then the NDS-specific objects.
nds_import_ldif: nds_pause_before_import_ldif nds_import_nl nds_import_bl nds_compute_effective_acls nds_import_nds

# Fixed delays that give the LDAP server time to settle (see the note above
# nds_pause_before_create_nc about LDAP_SERVER_BUSY).  These are time-based, not
# condition-based, so a slow server can still race past them.
nds_pause_before_import_ldif:
	@/bin/sleep 40

nds_pause_before_refresh_ldap_server:
	@/bin/sleep 40

nds_pause_after_refresh_ldap_server:
	@/bin/sleep 40


# Non-linked attributes
# Create and replicate the domain NC, configure/refresh NLDAP, make sure the NAD
# plug-in is loaded, then import the online LDIFs in domain -> forest -> config
# -> schema order.
nds_import_nl: nds_create_domain_nc nds_add_domain_replica nds_make_master_nc nds_configure_nldap_objects nds_refresh_nldap_through_ldapconfig nds_pause_after_refresh_ldap_server nds_validate_loaded_plugin import_domaindns_associate_online import_domain_object_modify_online import_domain_online import_forest_objects_online import_config_online import_schema_online

# Back-linked attributes (do this in reverse order so schema gets loaded quickly)
nds_import_bl: import_schema_bl_online import_config_bl_online import_domain_bl_online import_forest_objects_bl_online

# nds_import_nds_server (server relocation) has been dropped from the sequence;
# the previous definition is kept below for reference.
#nds_import_nds: nds_import_nds_domain nds_import_nds_policies nds_import_nds_super_rights_acls nds_import_nds_admin_acls nds_import_nds_server nds_import_nds_domain_server_reference
nds_import_nds: nds_import_nds_domain nds_import_nds_policies nds_import_nds_super_rights_acls nds_import_nds_admin_acls nds_import_nds_domain_server_reference

# Configure default ACLs, policies, etc
# Name-mapped domain: compute the ACLs effective on the existing container with
# ComputeEffectiveAcls.pl (password via the environment, not the command line)
# and turn its output into nds-domain-acls.ldif.  Otherwise render the static
# ACL templates.  Unlike its siblings this target writes no stamp file.
# NOTE(review): /tmp/effective_acls is a fixed, predictable name in a shared
# directory (the path is chosen inside ComputeEffectiveAcls.pl as far as this
# file shows); a pre-existing file or symlink there would be read as ACL input.
nds_compute_effective_acls:
	@echo ">>> `gettext "Computing effective ACLs"`"
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@ComputeEffectiveAcls.pl -p $(IPADDRESS) -a $(NDSEXISTINGADMINNAME) -n $(MAPPEDDOMAINNC) -w "Env:NDSEXISTINGADMINPASSWD"
	@genLdif.pl /tmp/effective_acls --defaultrootdomain > $(LIVE_DSSTATEDIR)/domain/nds-domain-acls.ldif
	@rm -f /tmp/effective_acls
else
	@genLdif.pl $(TEMPLATEDIR)/nds-domain-acls.ini --defaultrootdomain > $(LIVE_DSSTATEDIR)/domain/nds-domain-acls.ldif
	@genLdif.pl $(TEMPLATEDIR)/nds-domain-lum-acls.ini --defaultrootdomain > $(LIVE_DSSTATEDIR)/domain/nds-domain-lum-acls.ldif
endif

# A child domain's first server applies the domain LDIFs over LDAPI as the
# temporary administrator.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_import_nds_domain: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_import_nds_domain: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W 
endif
endif
# Load nds-domain.ldif; first servers also get the computer-container policy.
# In the forest root the domain ACLs are applied here too, and the LUM ACLs (only
# rendered for non-mapped domains, see nds_compute_effective_acls) best-effort.
nds_import_nds_domain:
	@echo ">>> `gettext "Configuring default ACLs and NMAS password policies"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-domain.ldif
ifeq ($(IS_REPLICA), FALSE)
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/computer-container-policy.ldif
endif
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-domain-acls.ldif
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@-$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -c -f $(LIVE_DSSTATEDIR)/domain/nds-domain-lum-acls.ldif
endif
endif
	@touch $(TEMPDIR)/nds_import_nds_domain

# Name-mapped domain only.  Bind as LDAPADMINNAME when this is the first domain
# in an existing tree (NAME_MAPPED_FRD), otherwise as the temporary admin.
# POLICY_DN is the Domain Password Policy every matched object is pointed at.
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
nds_import_nds_policies: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_import_nds_policies: POLICY_DN=CN=Domain Password Policy,CN=Password Policies,CN=System,$(MAPPEDDOMAINNC)
ifeq ($(NAME_MAPPED_FRD), 1)
nds_import_nds_policies: LDAPSEARCH_FLAGS = -H $(LDAPI_URL) -x -LLL -D "$(LDAPADMINNAME)" -W 
nds_import_nds_policies: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPADMINNAME)" -W 
else
nds_import_nds_policies: LDAPSEARCH_FLAGS = -H $(LDAPI_URL) -x -LLL -D "$(LDAPTEMPADMINNAME)" -W 
nds_import_nds_policies: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W 
endif
endif
# Find every object under the mapped NC that already has an nspmPasswordPolicyDN
# (except cn=Builtin), fold LDIF continuation lines, strip comments and blanks,
# append ";<POLICY_DN>" to each DN and expand passwd_policy.ldif for each pair.
# The resulting LDIF is applied and appended to CHANGES_LOG.
# NOTE(review): the "[ ^I]" bracket in the second sed matches a space, '^' or 'I'
# literally -- it looks like a tab was meant; confirm and use a real tab.
nds_import_nds_policies:
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@echo ">>> `gettext "Modifying Password Policies in subtree"`"
	@$(LDAPSEARCH) $(LDAPSEARCH_FLAGS) -b $(MAPPEDDOMAINNC) -s sub "(&(nspmPasswordPolicyDN=*)(!(cn=Builtin)))" dn | sed ' /^ / {; H; d; }; /^ /! {; x; s/\n //; }; ' | sed -e 's/^#.*//' -e 's/[ ^I]*$$//' -e '/^$$/ d' > $(DSSTATEDIR)/domain/policydn_file
	@sed "s/$$/;$(POLICY_DN)/g" $(DSSTATEDIR)/domain/policydn_file > $(DSSTATEDIR)/domain/makeLdif_file
	@makeLdif.pl -t $(TEMPLATEDIR)/passwd_policy.ldif -a $(DSSTATEDIR)/domain/makeLdif_file -o $(DSSTATEDIR)/domain/policy.ldif
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(DSSTATEDIR)/domain/policy.ldif
	@echo ">>> `gettext "Modifying Password Policies in subtree"`" >> $(CHANGES_LOG)
	@cat $(DSSTATEDIR)/domain/policy.ldif >> $(CHANGES_LOG)
endif
	@touch $(TEMPDIR)/nds_import_nds_policies

# A child domain's first server binds over LDAPI as the temporary administrator.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_import_nds_domain_server_reference: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_import_nds_domain_server_reference: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W 
endif
endif
# Link the NCP Server object to the AD server object, then apply the domain
# container LDIF.
nds_import_nds_domain_server_reference:
	@echo ">>> `gettext "Relating NCP Server object and AD Server object"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-domain-server-reference.ldif
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-domain-container.ldif
	@touch $(TEMPDIR)/nds_import_nds_domain_server_reference

# Grant supervisor rights (own domain NC) or domain-container rights (name-mapped
# NC).  Both ldapmodify calls are best-effort ("-"): a failure is not reported
# beyond ldapmodify's own output and the stamp is written regardless -- a
# maintainer should check the log if later steps lack privileges.
nds_import_nds_super_rights_acls:
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@echo ">>> `gettext "Configuring supervisor privileges"`"
	@-$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-super-rights-acls.ldif
else
	@echo ">>> `gettext "Configuring domain container privileges"`"
	@-$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-domain-rights-acls.ldif
endif
	@touch $(TEMPDIR)/nds_import_nds_super_rights_acls
	
# Apply the default ACLs for the Configuration and Schema partitions
# (domain/nds-admin-acls.ldif); unlike the super-rights target this one fails
# the build if ldapmodify fails.
nds_import_nds_admin_acls:
	@echo ">>> `gettext "Configuring default ACLs for Configuration and Schema partitions"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-admin-acls.ldif
	@touch $(TEMPDIR)/$@

# Relocate NDS server objects into the Domain Naming Context, with a fixed
# settle time before and after the move.  Not part of nds_import_nds any more.
nds_import_nds_server:
	@echo ">>> `gettext "Relocating eDirectory server objects to Domain Naming Context"`"
	@/bin/sleep 40
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-server.ldif
	@/bin/sleep 40
	@touch $(TEMPDIR)/$@

# Samification binds with GSS-SPNEGO using the domain credential cache; the
# principal comes from the config key, upper-cased for a child domain's first
# server.  ADM_PRINCIPAL is a backquoted shell command evaluated at use.
# Target-specific variables propagate to the two prerequisites below.
nds_import_samify_existing_objects: LDAPSEARCH_FLAGS = -Y GSS-SPNEGO
nds_import_samify_existing_objects: LDAPMODIFY_FLAGS = -Y GSS-SPNEGO
nds_import_samify_existing_objects: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_import_samify_existing_objects: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal" | tr "[:lower:]" "[:upper:]"`
else
nds_import_samify_existing_objects: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
endif
else
nds_import_samify_existing_objects: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
endif
nds_import_samify_existing_objects: nds_import_samify_existing_user_objects nds_import_samify_existing_group_objects

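# Add SAM attributes to users that already exist in the mapped container (only
# when the domain NC is mapped onto an existing eDirectory container).  Obtains
# a ticket for ADM_PRINCIPAL, lists user DNs, folds LDIF continuation lines,
# keeps the "dn:" lines and expands samify_user.ldif for each of them.
# The DN filter is anchored to the start of the line: the earlier "dn:*" regex
# (dn followed by any number of colons) also matched "sn:" values that merely
# contain the letters dn, feeding bogus DNs to makeLdif.pl; the anchor also
# makes a separate comment filter unnecessary.
nds_import_samify_existing_user_objects:
	@if [ "$(DEFAULTROOTDOMAIN)" != "$(MAPPEDDOMAINNC)" ]; then \
		echo ">>> `gettext "Adding SAM attributes to the existing user objects"`"; \
		kinit -E "$(ADM_PRINCIPAL)"; \
		$(LDAPSEARCH) $(LDAPSEARCH_FLAGS) -b $(DEFAULTROOTDOMAIN) "(&(objectclass=user))" dn sn | sed ' /^ / {; H; d; }; /^ /! {; x; s/\n //; }; ' > $(DSSTATEDIR)/samify/intermediate_file1 ; \
		grep '^dn:' $(DSSTATEDIR)/samify/intermediate_file1 > $(DSSTATEDIR)/samify/intermediate_file2 ; \
		makeLdif.pl -t $(TEMPLATEDIR)/samify_user.ldif -a $(DSSTATEDIR)/samify/intermediate_file2 -o $(DSSTATEDIR)/samify/final_usr.ldif ; \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(DSSTATEDIR)/samify/final_usr.ldif ; \
	fi;
	@touch $(TEMPDIR)/nds_import_samify_existing_user_objects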

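# Add SAM attributes to groups in the mapped container that have no
# sAMAccountName yet.  No kinit here: it relies on the ticket obtained by
# nds_import_samify_existing_user_objects, which the parent target lists first.
# The DN filter is anchored to the start of the line: the earlier "dn:*" regex
# (dn followed by any number of colons) also matched "cn:" values that merely
# contain the letters dn, feeding bogus DNs to makeLdif.pl; the anchor also
# makes a separate comment filter unnecessary.
nds_import_samify_existing_group_objects:
	@if [ "$(DEFAULTROOTDOMAIN)" != "$(MAPPEDDOMAINNC)" ]; then \
		echo ">>> `gettext "Adding SAM attributes to the existing group objects"`"; \
		$(LDAPSEARCH) $(LDAPSEARCH_FLAGS) -b $(DEFAULTROOTDOMAIN) "(&(objectclass=group)(!(sAMAccountName=*)))" dn cn | sed ' /^ / {; H; d; }; /^ /! {; x; s/\n //; }; ' > $(DSSTATEDIR)/samify/intermediate_file1 ; \
		grep '^dn:' $(DSSTATEDIR)/samify/intermediate_file1 > $(DSSTATEDIR)/samify/intermediate_file2 ; \
		makeLdif.pl -t $(TEMPLATEDIR)/samify_grp.ldif -a $(DSSTATEDIR)/samify/intermediate_file2 -o $(DSSTATEDIR)/samify/final_grp.ldif ; \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(DSSTATEDIR)/samify/final_grp.ldif ; \
	fi;
	@touch $(TEMPDIR)/nds_import_samify_existing_group_objects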

# XXX Once the dc object is based off domain class, we don't have to create
# this temporary container. This should be done after name mapping changes are done.
# Adds domain-temporary-container.ldif; note this uses LDAPADD_FLAGS (not
# LDAPMODIFY_FLAGS) with $(LDAPMODIFY).
nds_addl_domain_create_temporary_container:
	@echo ">>> `gettext "Creating temporary container in Domain Naming Context for eDirectory objects"`"
	@$(LDAPMODIFY) $(LDAPADD_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/domain-temporary-container.ldif
	@touch $(TEMPDIR)/$@

# First of the two-step relocation of the eDirectory server objects for an
# additional domain; a fixed settle time follows the move.
nds_addl_domain_nds_server_first_move:
	@echo ">>> `gettext "Relocating eDirectory server objects to Domain Naming Context(First Move)"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-server-addl-first.ldif
	@/bin/sleep 40
	@touch $(TEMPDIR)/$@

# In a child domain the final move binds over LDAPI as the temporary
# administrator (no IS_REPLICA distinction here, unlike the first move's siblings).
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_addl_domain_nds_server_final_move: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_addl_domain_nds_server_final_move: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -W 
endif
# Second step of the relocation; fixed settle time afterwards.
nds_addl_domain_nds_server_final_move:
	@echo ">>> `gettext "Relocating eDirectory server objects to Domain Naming Context(Final Move)"`"
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-server-addl-second.ldif
	@/bin/sleep 40
	@touch $(TEMPDIR)/nds_addl_domain_nds_server_final_move

# If installing the first domain into an existing tree, then we should not be deleting the admin user.
#
# Remove the temporary provisioning administrator $(LDAPADMINNAME).  Only runs
# when this is the first server in the forest (IS_FIRST_SERVER) and no
# pre-existing admin name was supplied (NDSEXISTINGADMINNAME empty); the
# conditionals are evaluated at parse time.  The delete binds with GSS-SPNEGO
# using the ticket obtained by kinit for the "Domain Administrator Principal".
# The "-" prefix on the ldapdelete line ignores its exit status: if the delete
# fails, the privileged temporary account is left in the directory and the
# stamp file is still written — verify the account is gone after provisioning.
nds_delete_temporary_administrator: LDAPDELETE_FLAGS = -Y GSS-SPNEGO
nds_delete_temporary_administrator: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
nds_delete_temporary_administrator:
ifeq ($(IS_FIRST_SERVER),TRUE)
ifeq ($(NDSEXISTINGADMINNAME),)
	@kinit -E "$(ADM_PRINCIPAL)"
	@-$(LDAPDELETE) $(LDAPDELETE_FLAGS) "$(LDAPADMINNAME)"
endif
endif
	@touch $(TEMPDIR)/nds_delete_temporary_administrator

# Split naming contexts into separate partitions
#
# Aggregate target.  The four steps carry no dependencies on each other, so the
# listed order is only honoured by a serial make; under "make -j" they may
# interleave.
nds_create_nc: nds_create_config_nc nds_create_schema_nc nds_remove_config_replica nds_remove_schema_replica

# need to sleep a bit before/after splitting partitions because we can get LDAP_SERVER_BUSY otherwise
#
# Fixed 60 s delay; no stamp file is written for this step.
nds_pause_before_create_nc:
	@echo ">>> `gettext "Pausing before naming context creation"`"
	@/bin/sleep 60

# Split the Domain Naming Context into its own partition.  Only done when the
# domain NC is not name-mapped (MAPPEDDOMAINNC equals DEFAULTROOTDOMAIN).
# For a non-root domain the split binds as the temporary admin
# $(LDAPTEMPADMINNAME) with the password read from the NDSEXISTINGADMINPASSWD
# environment variable; for the forest root it binds as $(LDAPADMINNAME) with
# ADM_PASSWD.  In both cases replops gets the password by variable *name*
# ("env:..."), so it is not exposed on the command line.  The 20 s sleep
# follows the LDAP_SERVER_BUSY note above; the stamp is written either way.
nds_create_domain_nc:
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@echo ">>> `gettext "Creating Domain Naming Context"`"
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -c -p 389 -n "$(MAPPEDDOMAINNC)" -D "$(LDAPTEMPADMINNAME)" -w "env:NDSEXISTINGADMINPASSWD" --split-partition
endif
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -c -p 389 -n "$(MAPPEDDOMAINNC)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --split-partition
endif
	@/bin/sleep 20
endif
	@touch $(TEMPDIR)/nds_create_domain_nc

# Split the Configuration Naming Context into its own partition.  The NC name
# depends on whether the domain NC is name-mapped: $(DEFAULTCONFIGNC) when
# MAPPEDDOMAINNC equals DEFAULTROOTDOMAIN, $(MAPPEDCONFIGNC) otherwise.
# Binds as $(LDAPADMINNAME); the password is passed by environment-variable
# name (env:ADM_PASSWD), not as a literal.
nds_create_config_nc:
	@echo ">>> `gettext "Creating Configuration Naming Context"`"
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -c -p 389 -n "$(DEFAULTCONFIGNC)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --split-partition
else
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -c -p 389 -n "$(MAPPEDCONFIGNC)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --split-partition
endif
	@/bin/sleep 20
	@touch $(TEMPDIR)/nds_create_config_nc

# Split the Schema Naming Context into its own partition — same shape as
# nds_create_config_nc, selecting $(SCHEMA) or $(MAPPEDSCHEMA) by whether the
# domain NC is name-mapped.
nds_create_schema_nc:
	@echo ">>> `gettext "Creating Schema Naming Context"`"
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -c -p 389 -n "$(SCHEMA)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --split-partition
else
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -c -p 389 -n "$(MAPPEDSCHEMA)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --split-partition
endif
	@/bin/sleep 20
	@touch $(TEMPDIR)/nds_create_schema_nc

# Promote this server's replica of CN=Configuration,$(MAPPEDDOMAINNC) to
# master (name-mapped installs only).  The replica is addressed by this
# machine's server object under ou=Novell,cn=System; talks to localhost:389.
nds_make_master_config_nc:
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/sbin/replops -h localhost -c -p 389 -s "CN=$(INSTALLMACHINENAME),ou=Novell,cn=System,$(MAPPEDDOMAINNC)" -t master -n "CN=Configuration,$(MAPPEDDOMAINNC)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --change-replica-type
	@/bin/sleep 20
endif
	@touch $(TEMPDIR)/nds_make_master_config_nc

# Promote this server's replica of CN=Schema,CN=Configuration,$(MAPPEDDOMAINNC)
# to master (name-mapped installs only).  The server DN differs only in the
# letter case of OU=Novell,CN=System from nds_make_master_config_nc; DN
# attribute types are case-insensitive, so this is cosmetic.
nds_make_master_schema_nc:
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/sbin/replops -h localhost -c -p 389 -s "CN=$(INSTALLMACHINENAME),OU=Novell,CN=System,$(MAPPEDDOMAINNC)" -t master -n "CN=Schema,CN=Configuration,$(MAPPEDDOMAINNC)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --change-replica-type
	@/bin/sleep 20
endif
	@touch $(TEMPDIR)/nds_make_master_schema_nc

# Promote this server's replica of the (name-mapped) domain NC itself to
# master; the server object is addressed under $(NDSTEMPCONTAINER).
# NOTE(review): unlike the config/schema variants this replops call omits
# "-c" — confirm that is intentional.
nds_make_master_nc:
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/sbin/replops -h localhost -p 389 -s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" -t master -n "$(MAPPEDDOMAINNC)" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --change-replica-type
	@/bin/sleep 20
endif
	@touch $(TEMPDIR)/nds_make_master_nc

# Drop the configuration replica via removeReplica.sh (name-mapped installs
# only); the stamp is written in every case.
nds_remove_config_replica:
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/share/dcinit/removeReplica.sh --remove-config-replica
endif
	@touch $(TEMPDIR)/nds_remove_config_replica

# Drop the schema replica via removeReplica.sh (name-mapped installs only);
# the stamp is written in every case.
nds_remove_schema_replica:
ifneq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/share/dcinit/removeReplica.sh --remove-schema-replica
endif
	@touch $(TEMPDIR)/nds_remove_schema_replica

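# Add a writable replica of the domain NC to this server when it does not
# already hold one (forest-root installs only).
#
# ndsStatPartition.sh answers "No" when $(INSTALLMACHINENAME) holds no replica
# of $(NDSPARTITIONNAME); the "X" prefixes keep the test well-formed on empty
# output.  The bind password is handed to replops by environment-variable
# *name* ("env:ADM_PASSWD"), exactly as every other replops call in this file
# does, so it does not appear on the command line or in the process list.
nds_add_domain_replica:
ifeq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
	@echo ">>> `gettext "Adding Domain Replica"`";
	@if test "X$(shell ndsStatPartition.sh $(NDSPARTITIONNAME) $(INSTALLMACHINENAME))" = "XNo"; \
	then    \
		$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" -n "$(MAPPEDDOMAINNC)" -t "writable" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --add-replica; \
	else \
		/bin/sleep 2; \
	fi;
endif
	@touch $(TEMPDIR)/nds_add_domain_replica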

# Aggregate: wait for SAMSPM, then bootstrap the krbtgt, machine and
# administrator accounts (same list as nds_addl_domain_bootstrap).
nds_bootstrap: wait_for_samspm bootstrap_krbtgt bootstrap_machine bootstrap_administrator

# Alias for the generic clean target.
nds_clean: clean

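# Remove the eDirectory database (DIB) plus the dsreports, dstrace and
# nds-http state directories, then stop and restart slpuasa/slpd where their
# init scripts exist.
#
# Every rm -rf path is built from $(LIVE_DSSTATEDIR) or $(LIVE_LOCALSTATEDIR)
# (both come from printConfigKey.pl); an empty value would turn them into
# "/dib", "/data/dsreports", ... so the recipe refuses to proceed unless both
# are non-empty.
nds_remove_db:
	@echo ">>> `gettext "Removing DIB"`"
	@if [ -z "$(LIVE_DSSTATEDIR)" ] || [ -z "$(LIVE_LOCALSTATEDIR)" ]; then \
		echo ">>> LIVE_DSSTATEDIR or LIVE_LOCALSTATEDIR is empty; refusing to remove the DIB" >&2; \
		exit 1; \
	fi
	@rm -rf "$(LIVE_DSSTATEDIR)/dib"
	@rm -rf "$(LIVE_LOCALSTATEDIR)/data/dsreports"
	@rm -rf "$(LIVE_LOCALSTATEDIR)/data/dstrace"
	@rm -rf "$(LIVE_LOCALSTATEDIR)/data/nds-http"
	@if [ -x /etc/init.d/slpuasa ]; then /etc/init.d/slpuasa stop; fi
	@if [ -x /etc/init.d/slpd ]; then /etc/init.d/slpd stop; fi
	@if [ -x /etc/init.d/slpd ]; then /etc/init.d/slpd start; fi
	@if [ -x /etc/init.d/slpuasa ]; then /etc/init.d/slpuasa start; fi
	@touch $(TEMPDIR)/nds_remove_db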

# Load the SAMSPM module into the running eDirectory instance via $(NDSSTAT),
# using the live nds.conf under $(LIVE_ETCDIR).
nds_load_samspm:
	@echo ">>> `gettext "Loading SAMSPM module"`"
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "load samspm"
	@touch  $(TEMPDIR)/nds_load_samspm

# Bounce the NLDAP module (unload, then load) via $(NDSSTAT) against the live
# nds.conf.  Each line is its own shell; a failed unload does not stop the load.
nds_reload_nldap:
	@echo ">>> `gettext "Reloading NLDAP module"`"
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "unload nldap"
	@$(NDSSTAT) --config-file $(LIVE_ETCDIR)/nds.conf -c "load nldap"
	@touch  $(TEMPDIR)/nds_reload_nldap
	

# We need to restart all services once the provisioning is over. 
# In that case the following steps may not be required at all.
#
# Trigger the "limber" background process through replops.  A non-root domain
# binds as the temporary admin with NDSEXISTINGADMINPASSWD, the forest root as
# $(LDAPADMINNAME) with ADM_PASSWD; both pass the password by environment
# variable name.
nds_trigger_limber:
	@echo ">>> `gettext "Triggering Limber"`"
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
	@$(XADROOT)/sbin/replops -b "limber" -D "$(LDAPTEMPADMINNAME)" -w "env:NDSEXISTINGADMINPASSWD" --trigger-bgprocess;
else
	@$(XADROOT)/sbin/replops -b "limber" -D "$(LDAPADMINNAME)" -w "env:ADM_PASSWD" --trigger-bgprocess;
endif
	@touch $(TEMPDIR)/nds_trigger_limber

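# Install the provisioning cron entries through provisionTools.sh: the
# GPO-to-NMAS sync only on a non-replica (IS_REPLICA is FALSE, parse-time
# check), the KDC entry always.
#
# provisionTools.sh is addressed through $(XADROOT) like every other dcinit
# helper in this file (removeReplica.sh, replops, provision) instead of a
# hard-coded install prefix, so a non-default "Prefix" is honoured.
nds_update_cron_entry:
	@echo ">>> `gettext "Updating cron entry"`"
ifeq ($(IS_REPLICA), FALSE)
	@$(XADROOT)/share/dcinit/provisionTools.sh update-crontab-GPO2NMAS;
endif
	@$(XADROOT)/share/dcinit/provisionTools.sh update-crontab-KDC;
	@touch $(TEMPDIR)/nds_update_cron_entry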

# Start eDirectory through its init script and abort (exit 1) if the start
# fails.  If /etc/init.d/ndsd is not executable the step silently succeeds —
# there is no else branch — and no stamp file is written for this target.
nds_start_ndsd:
	@echo ">>> `gettext "Starting eDirectory"`"
	@if [ -x /etc/init.d/ndsd ]; then \
	 	/etc/init.d/ndsd start; \
		if [ "$$?" -ne 0 ]; then \
			echo ">>> Cannot start ndsd. Aborting the installation..."; \
			exit 1; \
		fi; \
	fi

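# Point the passwd and group NSS databases at "files winbind" by editing
# /etc/nsswitch.conf ($<) in place.
#
# The end-of-line anchor must reach sed as "$".  Make only passes a literal
# dollar through when it is written "$$"; the previous spelling "$/" was read
# by Make as the (empty) variable "/", which happened to yield a working
# expression but would trip --warn-undefined-variables and hides the intent.
nds_update_nsswitch: /etc/nsswitch.conf
	@echo ">>> `gettext "Updating nsswitch.conf"`"
	@sed -i -e "s/^passwd:.*$$/passwd: files winbind/"  -e "s/^group:.*$$/group: files winbind/" $<
	@touch $(TEMPDIR)/nds_update_nsswitch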

# The daemons nmbd, smbd, winbind should not load libraries from /opt/novell/xad/lib
#
# Install-time wrapper around nds_restart_services that additionally records
# a stamp file.
nds_restart_services_for_install: nds_restart_services
	@touch $(TEMPDIR)/nds_restart_services_for_install

# Stop then start all services.  LD_LIBRARY_PATH is cleared as a
# target-specific variable (it also applies to the two prerequisites) so the
# daemons are not started with the XAD library path.  NOTE(review): stop and
# start are independent prerequisites with no edge between them, so only a
# serial make guarantees stop-before-start.
nds_restart_services: LD_LIBRARY_PATH=
nds_restart_services: nds_stop_services nds_start_services
# Stop the Samba/XAD/Kerberos/RPC/nscd daemons, then novell-named, then
# eDirectory.  Stop failures inside the loop are not checked, so a service
# that fails to stop does not abort the run.
#
# novell-named is special-cased: the backtick form runs the CASAcli pipeline
# as a command substitution whose exit status is what the "$?" test sees; when
# no dns-ldap credential is registered there and no .named.cred file exists,
# the service is skipped (continue) rather than stopped.
nds_stop_services: 
	@echo ">>> `gettext "Stopping services"`"
	@for service in smb winbind nmb xadsd xad-kpasswdd xad-krb5kdc rpcd nscd novell-named; do \
		if [ "$$service" = "novell-named" ]; then \
			test -x /usr/bin/CASAcli && `/usr/bin/CASAcli -g -n dns-ldap |grep -q "Name: dns-ldap"` ; \
			if [ "$$?" -ne 0 ]; then	\
				test ! -f /etc/opt/novell/named/.named.cred && continue; \
			fi;	\
			rcnovell-named stop;	\
		else \
			/etc/init.d/$$service stop ;	\
		fi; \
	done;
	@echo ">>> `gettext "Stopping eDirectory"`"
	@if [ -x /etc/init.d/ndsd ]; then /etc/init.d/ndsd stop; fi
# Start the services in reverse order of nds_stop_services, after eDirectory
# (nds_start_ndsd).  A start failure is fatal (exit 1) only for rpcd/xadsd in
# a non-root domain and for xad-krb5kdc in a name-mapped install; any other
# failure is reported and the loop continues.  For novell-named, xregd is
# started first and the service is skipped when neither a CASA dns-ldap
# credential nor .named.cred is present (same probe as nds_stop_services).
# NOTE(review): this target does not depend on nds_stop_services, so under
# "make -j" it may run before the stop has finished.
nds_start_services: nds_start_ndsd
	@echo ">>> `gettext "Starting services"`"
	@for service in novell-named nscd rpcd xad-krb5kdc xad-kpasswdd xadsd nmb winbind smb; do \
		if [ "$$service" = "novell-named" ]; then \
			test -x /usr/bin/CASAcli && `/usr/bin/CASAcli -g -n dns-ldap |grep -q "Name: dns-ldap"`; \
			if [ "$$?" -ne 0 ]; then	\
				if [ ! -f /etc/opt/novell/named/.named.cred ]; then \
					continue;	\
				fi; \
			fi; \
			rcnovell-xregd start; \
			rcnovell-named start; \
		else \
			/etc/init.d/$$service start ;	\
		fi; \
		if [ "$$?" -ne 0 ]; then \
			if [ "$(DEFAULTROOTDOMAIN)" != "$(LDAPFORESTNC)" ]; then \
				if [ "$$service" = "rpcd" -o "$$service" = "xadsd" ]; then \
					echo ">>> Failed to start $$service. Aborting the installation..."; \
					exit 1; \
				fi; \
			fi; \
			if [ "$(MAPPEDDOMAINNC)" != "$(DEFAULTROOTDOMAIN)" ]; then \
				if [ "$$service" = "xad-krb5kdc" ]; then \
					echo ">>>Failed to start $$service. Aborting the installation..."; \
					exit 1; \
				fi; \
			fi; \
			echo ">>> Failed in starting $$service. Proceeding with other services.."; \
		fi; \
	done;

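# Obtain a Kerberos ticket for the domain administrator into the domain
# credential cache, unless that cache already holds data.
#
# Target-specific variables: KRB5CCNAME selects the cache (KRB5CCNAME_DOMAIN),
# ADM_PASSWD the password (ADM_PASSWD_DOMAIN), and ADM_PRINCIPAL is the
# "Domain Administrator Principal" config key — upper-cased for the first
# server of a non-root domain (IS_REPLICA FALSE), verbatim otherwise.  The
# backticks are evaluated by the shell when the recipe runs.
nds_acquire_domain_ticket: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
nds_acquire_domain_ticket: ADM_PASSWD=$(ADM_PASSWD_DOMAIN)
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_acquire_domain_ticket: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal" | tr "[:lower:]" "[:upper:]"`
else
nds_acquire_domain_ticket: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
endif
else
nds_acquire_domain_ticket: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
endif
# The cache test reads the Make variable.  The earlier "$KRB5CCNAME" was
# expanded by Make as "$K" followed by "RB5CCNAME", so the test never saw the
# cache path and kinit ran on every invocation.  A leading "FILE:" cache-type
# prefix is stripped so that "test -s" is given a plain path; any other
# value is passed through unchanged.
nds_acquire_domain_ticket:
	@if [ ! -s "$(patsubst FILE:%,%,$(KRB5CCNAME))" ]; then \
		echo ">>> `gettext "Getting Domain ticket"`"; \
		kinit -E "$(ADM_PRINCIPAL)"; \
	fi;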
	
	
################################################################################
# Provision a XAD on eDirectory replica
################################################################################
#
# Notes on configuring XAD on eDirectory replicas
#
# 1. Stage configuration files required for replica
# 2. Configure NLDAP server/group objects
# 3. Join replica to domain and link NCP and AD server objects (Kerberos
#    credentials must have been acquired by the administrator previously)
# 4. Add replicas for required partitions
# 5. Trigger Limber so that NDS server knows that it is an Aquila server 
#
################################################################################

# Top-level target for provisioning a replica (steps 1–5 in the notes above,
# then nsswitch, service restart, cron, DNS for the ADC and cleanup).  The
# order is only guaranteed by a serial make.
nds_replica_all: nds_replica_stage nds_replica_install nds_replica_configure nds_replica_bootstrap nds_configure_nldap_enable_requiretls nds_update_nsswitch nds_restart_services_for_install nds_update_cron_entry nds_configure_dns_for_ADC nds_replica_clean

# Stage the configuration files a replica needs (no config staging, unlike
# nds_addl_domain_stage).
nds_replica_stage: stage_common_pre stage_schema stage_domain stage_common_post 

# Replica install is the common nds_install.
nds_replica_install: nds_install

# NMAS should already be configured on the tree, so we should only need to configure NLDAP
nds_replica_configure: nds_load_samspm nds_replica_configure_nldap

# don't invoke nds_configure_nldap_settings because it does not use strong authentication;
# it is necessary for bootstrapping only (ldapconfig items will be reset regardless from
# nldap.ini)
#
# NOTE(review): the comment above says not to invoke nds_configure_nldap_settings,
# yet it is listed as a prerequisite here — confirm which of the two is current.
nds_replica_configure_nldap: nds_configure_nldap_objects nds_configure_nldap_settings

# join to domain, add replicated NCs, and then move server objects into correct container
# TODO: could we share an LDAP group between all NLDAP servers?
# Previous ordering (nds_import_nds_server in place of nds_replica_acl_rights), kept for reference:
#nds_replica_bootstrap: nds_replica_join nds_import_nds_server nds_replica_add_replicas nds_replica_refresh_nldap
nds_replica_bootstrap: nds_replica_join nds_replica_acl_rights nds_replica_add_replicas nds_replica_refresh_nldap

# Domain join for a replica delegates to the generic replica_join target.
nds_replica_join: replica_join

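# Grant rights to all servers by applying nds-adc-acls.ldif, but only when
# that file exists and is non-empty (an absent/empty LDIF is not an error).
# The stamp touch is silenced with "@" like every other stamp in this file.
nds_replica_acl_rights:
	@echo ">>> `gettext "Giving Rights to all the Servers "`"
	@if [ -s $(LIVE_DSSTATEDIR)/domain/nds-adc-acls.ldif ]; then \
		$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/nds-adc-acls.ldif; \
	fi;
	@touch $(TEMPDIR)/nds_replica_acl_rights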

# TODO: determine whether to replicate domain, configuration, schema and GC NCs
# or just some combination thereof (eg. just the domain NC)
#
# Refresh NLDAP first, then add the domain, configuration and schema replicas
# (the last two are gated on CONFIG_SCHEMA_REPLICAS in their own rules).
nds_replica_add_replicas: nds_second_refresh_nldap_through_ldapconfig nds_replica_add_domain_replica nds_replica_add_config_replica nds_replica_add_schema_replica 

# Add a writable replica of $(LDAPACTUALDOMAINNC) for this server's object
# under $(LDAPSERVERCONTEXT), binding as $(LDAPACTUALADMINNAME) with the
# password taken from the ADM_PASSWD environment variable.
nds_replica_add_domain_replica:
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -n "$(LDAPACTUALDOMAINNC)" -s "CN=$(INSTALLMACHINENAME),$(LDAPSERVERCONTEXT)" -t writable -D "$(LDAPACTUALADMINNAME)" -w "env:ADM_PASSWD" --add-replica
	@touch $(TEMPDIR)/nds_replica_add_domain_replica

# Add a writable replica of CN=Configuration,$(ACTUALFORESTNC) when
# CONFIG_SCHEMA_REPLICAS is TRUE (parse-time check); the stamp is always
# written.
nds_replica_add_config_replica:
ifeq ($(CONFIG_SCHEMA_REPLICAS),TRUE)
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -n "CN=Configuration,$(ACTUALFORESTNC)" -s "CN=$(INSTALLMACHINENAME),$(LDAPSERVERCONTEXT)" -t writable -D "$(LDAPACTUALADMINNAME)" -w "env:ADM_PASSWD" --add-replica
endif
	@touch $(TEMPDIR)/nds_replica_add_config_replica

# Add a writable replica of CN=Schema,CN=Configuration,$(ACTUALFORESTNC) when
# CONFIG_SCHEMA_REPLICAS is TRUE; the stamp is always written.
nds_replica_add_schema_replica:
ifeq ($(CONFIG_SCHEMA_REPLICAS),TRUE)
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -n "CN=Schema,CN=Configuration,$(ACTUALFORESTNC)" -s "CN=$(INSTALLMACHINENAME),$(LDAPSERVERCONTEXT)" -t writable -D "$(LDAPACTUALADMINNAME)" -w "env:ADM_PASSWD" --add-replica
endif
	@touch $(TEMPDIR)/nds_replica_add_schema_replica

# Remove the [Root] replica from this domain controller which gets added by
# default during ndsconfig add
#
# Uses the provision tool against $(PROVIDER) for machine $(INSTALLMACHINENAME)
# with an empty NC name ("").
nds_replica_remove_root_replica:
	@$(XADROOT)/sbin/provision -q -m "$(INSTALLMACHINENAME)" -N "" --del-replica "$(PROVIDER)"
	@touch $(TEMPDIR)/nds_replica_remove_root_replica
	
# Add the Global Catalog replicas for this machine via the provision tool
# against $(PROVIDER).
nds_replica_add_gc_replicas: 
	@$(XADROOT)/sbin/provision -q -m "$(INSTALLMACHINENAME)" --add-gc-replicas "$(PROVIDER)"
	@touch $(TEMPDIR)/nds_replica_add_gc_replicas

# Replica cleanup is the common nds_clean.
nds_replica_clean: nds_clean

# We need to override LDAPEXOP_FLAGS to prevent us refreshing the replication
# provider's LDAP server instead of the local one.
#
# In practice the recipe does not reference $(LDAPEXOP_FLAGS) at all: it
# passes the local socket $(LDAPI_URL) and SASL EXTERNAL explicitly, so the
# refresh extended operation ($(LDAP_NLDAP_EXOP_OID)) always hits the local
# server.
nds_replica_refresh_nldap: 
	@$(LDAPEXOP) -H $(LDAPI_URL) -Y EXTERNAL "$(LDAP_NLDAP_EXOP_OID)"
	@touch $(TEMPDIR)/nds_replica_refresh_nldap
	
################################################################################
# Provision a XAD on eDirectory to host a new domain in an existing forest
################################################################################
#
# Notes on configuring XAD on eDirectory to host a new domain
#
# 1. Stage configuration files required for replica
# 2. Configure NLDAP server/group objects
# 3. Load default domain DITs
# 4. Move default eDirectory server objects to Novell service OU (Kerberos
#    credentials must have been acquired by the administrator previously)
# 5. Add replicas for required partitions
# 6. Perform dcinit bootstrap targets
# 7. Trigger Limber so that NDS server knows that it is an Aquila server
#
################################################################################

# Top-level target for adding a new domain to an existing forest (steps 1–7 in
# the notes above plus trusts, cross-refs, GPO and cron).  The order is only
# guaranteed by a serial make.
nds_addl_domain_all: nds_addl_domain_stage nds_addl_domain_install nds_configure_dns nds_addl_domain_configure nds_addl_domain_import nds_update_nsswitch nds_restart_services_for_install nds_addl_domain_bootstrap nds_addl_domain_enable_krb5_local_lookup nds_acquire_domain_ticket nds_import_samify_existing_objects nds_migrate_nkdc_principals nds_addl_domain_create_trusts nds_addl_domain_bind_crossref nds_create_gpo nds_sync_gpo_nmas nds_update_cron_entry nds_configure_nldap_enable_requiretls nds_addl_domain_clean

# Stage schema, config and domain files for a new domain.
nds_addl_domain_stage: stage_common_pre stage_schema stage_config stage_domain stage_common_post

# New-domain install is the common nds_install.
nds_addl_domain_install: nds_install

# Configuration for a new domain only needs SAMSPM loaded here; NLDAP is
# handled inside nds_addl_domain_import.
nds_addl_domain_configure: nds_load_samspm

# Create the NLDAP objects, then refresh NLDAP a second time via ldapconfig.
nds_addl_domain_configure_nldap: nds_configure_nldap_objects nds_second_refresh_nldap_through_ldapconfig

# Import sequence for a new domain: NLDAP settings, NC creation and replicas,
# removal of the domain replica from the other servers, NLDAP configuration,
# plugin validation, then the name-link / back-link imports and the NDS
# domain/policy/server-reference imports.  Serial order only.
nds_addl_domain_import: nds_configure_nldap_settings nds_pause_before_refresh_ldap_server nds_addl_domain_create_nc nds_addl_domain_add_replicas nds_addl_domain_remove_domain_replica_from_other_servers nds_addl_domain_configure_nldap nds_validate_loaded_plugin nds_addl_domain_import_nl nds_addl_domain_import_bl nds_import_nds_domain nds_import_nds_policies nds_import_nds_domain_server_reference

# NB: configuration partition will just contain additional objects for a new domain
nds_addl_domain_import_nl: import_domaindns_associate_online nds_addl_domain_set_trustposixoffset import_domain_object_modify_online import_domain_online nds_addl_domain_import_config_online

# Back-link imports for the configuration partition and the domain.
nds_addl_domain_import_bl: nds_addl_domain_import_config_bl_online import_domain_bl_online

# Split the domain NC and then wait for the parent provider to report the
# split as complete.
nds_addl_domain_create_nc: nds_create_domain_nc nds_addl_domain_wait_until_split_complete

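# Poll the parent domain provider until the new domain NC is reported "On"
# for $(PARENT_MACHINE_NAME); only runs when the domain NC is not name-mapped.
#
# PARENT_MACHINE_NAME is the first dot-separated label of PARENTDOMAINPROVIDER,
# computed by the shell when the recipe runs.  NC_SPLIT_TIMEOUT bounds the
# wait in seconds (one ndsstat probe per second; default 600, override on the
# command line).  The original loop had no upper bound, so its "not split
# completely" failure branch below could never be reached; it is now taken
# when the timeout expires.
nds_addl_domain_wait_until_split_complete: PARENT_MACHINE_NAME=`echo $(PARENTDOMAINPROVIDER) | awk -F "." '{print $$1}'`
nds_addl_domain_wait_until_split_complete: NC_SPLIT_TIMEOUT ?= 600
nds_addl_domain_wait_until_split_complete:
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@echo ">>> `gettext "Waiting until the domain NC split is complete"`"; \
	domain_NC_split_complete=0; waited=0; \
	while [ "$$domain_NC_split_complete" -ne 1 ] && [ "$$waited" -lt "$(NC_SPLIT_TIMEOUT)" ]; do \
		sleep 1; waited=$$((waited + 1)); \
		ndsstat -h $(PARENTDOMAINPROVIDER) -p $(NDSPARTITIONNAME) | grep -i "\.cn=$(PARENT_MACHINE_NAME)\." | awk '{ print $$3}' | grep -i "^On"; \
		if [ "$$?" -eq 0 ]; then \
			domain_NC_split_complete=1; \
		fi; \
	done; \
	if [ "$$domain_NC_split_complete" -eq 0 ]; then \
		echo ">>> `gettext "Domain NC is not split completely, hence terminating the installation...."`"; \
		exit 1; \
	fi;
endif
	@touch $(TEMPDIR)/nds_addl_domain_wait_until_split_complete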

# Same bootstrap sequence as nds_bootstrap.
nds_addl_domain_bootstrap: wait_for_samspm bootstrap_krbtgt bootstrap_machine bootstrap_administrator

# TODO: The replica of this domain held by the other parent domain servers have to be removed and
# trust has to be established between this domain and its parent domain or the forest root
#
# Add the domain replica, promote it to master, then add config and schema
# replicas (all binding as the temporary admin).  Serial order only.
nds_addl_domain_add_replicas: nds_addl_domain_add_domain_replica nds_addl_domain_change_to_master_replica nds_addl_domain_add_config_replica nds_addl_domain_add_schema_replica

# Add a writable replica of $(MAPPEDDOMAINNC) for this server's object under
# $(NDSTEMPCONTAINER), binding as $(LDAPTEMPADMINNAME) with the password read
# from the NDSEXISTINGADMINPASSWD environment variable.
nds_addl_domain_add_domain_replica:
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -n "$(MAPPEDDOMAINNC)" -s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" -t writable -D "$(LDAPTEMPADMINNAME)" -w "env:NDSEXISTINGADMINPASSWD" --add-replica
	@touch $(TEMPDIR)/nds_addl_domain_add_domain_replica

# Promote this server's replica of $(MAPPEDDOMAINNC) to master (temporary
# admin bind, password from NDSEXISTINGADMINPASSWD).
nds_addl_domain_change_to_master_replica:
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -t master -n "$(MAPPEDDOMAINNC)" -s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" -D "$(LDAPTEMPADMINNAME)" -w "env:NDSEXISTINGADMINPASSWD" --change-replica-type
	@touch $(TEMPDIR)/nds_addl_domain_change_to_master_replica

# Add a writable replica of CN=Configuration,$(ACTUALFORESTNC) (unconditional,
# unlike the replica variant which checks CONFIG_SCHEMA_REPLICAS).
nds_addl_domain_add_config_replica:
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -n "CN=Configuration,$(ACTUALFORESTNC)" -s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" -t writable -D "$(LDAPTEMPADMINNAME)" -w "env:NDSEXISTINGADMINPASSWD" --add-replica
	@touch $(TEMPDIR)/nds_addl_domain_add_config_replica

# Add a writable replica of CN=Schema,CN=Configuration,$(ACTUALFORESTNC)
# (unconditional).
nds_addl_domain_add_schema_replica:
	@$(XADROOT)/sbin/replops -h "$(IPADDRESS)" -p 389 -n "CN=Schema,CN=Configuration,$(ACTUALFORESTNC)" -s "CN=$(INSTALLMACHINENAME),$(NDSTEMPCONTAINER)" -t writable -D "$(LDAPTEMPADMINNAME)" -w "env:NDSEXISTINGADMINPASSWD" --add-replica
	@touch $(TEMPDIR)/nds_addl_domain_add_schema_replica

# Remove the new domain's replica from the other servers via removeReplica.sh:
# "--child" when the domain NC is not name-mapped, "--nm-child" when it is
# name-mapped and this is not the forest root; nothing otherwise.  The stamp
# is written in every case.
nds_addl_domain_remove_domain_replica_from_other_servers:
ifeq ($(MAPPEDDOMAINNC),$(DEFAULTROOTDOMAIN))
	@$(XADROOT)/share/dcinit/removeReplica.sh --child
else
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
	@$(XADROOT)/share/dcinit/removeReplica.sh --nm-child
endif
endif
	@touch $(TEMPDIR)/nds_addl_domain_remove_domain_replica_from_other_servers

# Acquire Kerberos credentials for this domain and its parent domain or the forest root,
# and use xtrust to create the trusts.
#
# This will require the KDC to be running for both source and target domains, which
# means we may need to start the KDC for the local domain from dcinit. Also, we will
# need to switch between Kerberos credential caches by changing the KRB5CCNAME
# environment variable before calling xtrust.
#
# The prerequisite rules do not write their own stamp files; this target
# touches all of them (including the two remove_*_trust steps) once every
# prerequisite has run.  Serial order only.
nds_addl_domain_create_trusts: nds_addl_domain_acquire_domain_ticket nds_addl_domain_remove_trusts nds_addl_domain_make_parent_trust_child nds_addl_domain_make_child_trust_parent
	@touch $(TEMPDIR)/nds_addl_domain_acquire_domain_ticket
	@touch $(TEMPDIR)/nds_addl_domain_remove_trusts
	@touch $(TEMPDIR)/nds_addl_domain_remove_child_parent_trust
	@touch $(TEMPDIR)/nds_addl_domain_remove_parent_child_trust
	@touch $(TEMPDIR)/nds_addl_domain_make_parent_trust_child
	@touch $(TEMPDIR)/nds_addl_domain_make_child_trust_parent
	@touch $(TEMPDIR)/nds_addl_domain_create_trusts

# Delete any existing trust in both directions before re-creating them.
nds_addl_domain_remove_trusts: nds_addl_domain_remove_parent_child_trust nds_addl_domain_remove_child_parent_trust

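# Delete the parent->child trust on the parent's DC, using the parent
# credential cache (KRB5CCNAME_PARENT).  PARENT_PROVIDER is located at recipe
# time by the provision tool, addressed through $(XADROOT) like the other
# provision/replops calls in this file rather than a hard-coded prefix.
# The "-" prefix ignores the xtrust exit status: a trust that does not exist
# yet (first run) is not an error, but a genuine delete failure is also not
# reported.
nds_addl_domain_remove_parent_child_trust: KRB5CCNAME=$(KRB5CCNAME_PARENT)
nds_addl_domain_remove_parent_child_trust: PARENT_PROVIDER=`$(XADROOT)/sbin/provision -q -q --locate-dc $(PARENT_NAME)`
nds_addl_domain_remove_parent_child_trust:
	-@$(XTRUST) -h $(PARENT_PROVIDER) --delete-trust $(DOMAIN_NAME)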

# Delete the child->parent trust on the local server using the domain
# credential cache.  The "-" prefix ignores the xtrust exit status, so a
# missing trust does not fail the run (neither does a real delete failure).
nds_addl_domain_remove_child_parent_trust: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
nds_addl_domain_remove_child_parent_trust:
	-@$(XTRUST) -h localhost  --delete-trust $(PARENT_NAME)

# Uncomment every "kdc =" line in the live krb5.conf ($<) in place so the
# local KDC entries are used.  No stamp file is written for this step.
nds_addl_domain_enable_krb5_local_lookup: $(LIVE_ETCDIR)/krb5.conf
	@echo ">>> `gettext "Enabling krb5 local lookup"`"
	@sed -i -e 's/^#\(.*kdc =.*\)/\1/' $<

# Unconditionally obtain a ticket for the domain administrator into the domain
# credential cache.  ADM_PRINCIPAL is the "Domain Administrator Principal"
# config key, upper-cased for the first server of a non-root domain
# (IS_REPLICA FALSE) and used verbatim otherwise; the backticks run in the
# shell at recipe time.  Unlike nds_acquire_domain_ticket there is no
# "cache already populated" check and no ADM_PASSWD override.
nds_addl_domain_acquire_domain_ticket: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_addl_domain_acquire_domain_ticket: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal" | tr "[:lower:]" "[:upper:]"`
else
nds_addl_domain_acquire_domain_ticket: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
endif
else
nds_addl_domain_acquire_domain_ticket: ADM_PRINCIPAL=`printConfigKey.pl "Domain Administrator Principal"`
endif
nds_addl_domain_acquire_domain_ticket:
	@kinit -E "$(ADM_PRINCIPAL)"

# xtrust attribute flag marking both trusts below as intra-forest.
TRUST_ATTRIBUTE_WITHIN_FOREST	=-a WITHIN_FOREST

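# Create the parent->child (uplevel, inbound+outbound, shared-secret) trust on
# the parent's DC for this domain, using the parent credential cache.
# PARENT_PROVIDER is located at recipe time by the provision tool, addressed
# through $(XADROOT) like the other provision/replops calls in this file
# rather than a hard-coded prefix.  Identifies this domain to the parent by
# its NetBIOS name and domain SID.
nds_addl_domain_make_parent_trust_child: KRB5CCNAME=$(KRB5CCNAME_PARENT)
nds_addl_domain_make_parent_trust_child: PARENT_PROVIDER=`$(XADROOT)/sbin/provision -q -q --locate-dc $(PARENT_NAME)`
nds_addl_domain_make_parent_trust_child:
	@$(XTRUST) -q $(TRUST_ATTRIBUTE_WITHIN_FOREST) -f $(NETBIOSNAME) -s $(DOMAINSID) -e SHAREDSECRET -h $(PARENT_PROVIDER) -i -o -t uplevel --add-trust $(DOMAIN_NAME)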

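# Non-empty when the DNS root contains the parent domain name; presumably this
# means the new domain sits directly under its parent in DNS, and it selects
# TRUST_ATTRIBUTE_PARENT below.  Assigned with ":=" so the shell pipeline runs
# once at parse time instead of on every reference.
# NOTE(review): grep treats $(PARENTDOMAIN) as a regular expression, and an
# empty value matches every line — confirm the config key is always set.
DOMAINCONTEXTROOT	:= $(shell echo $(DNSROOT) | grep $(PARENTDOMAIN))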

# Create the child->parent trust on the local server using the domain
# credential cache, identifying the parent by its NetBIOS name and SID.
# Extra xtrust attributes are chosen at parse time: TREE_PARENT when
# DOMAINCONTEXTROOT is non-empty, TREE_ROOT when TREE_ROOT is 1; an unset
# attribute variable expands to nothing on the command line.
ifneq ($(DOMAINCONTEXTROOT),)
nds_addl_domain_make_child_trust_parent: TRUST_ATTRIBUTE_PARENT=-a TREE_PARENT
endif
ifeq ($(TREE_ROOT), 1)
nds_addl_domain_make_child_trust_parent: TRUST_ATTRIBUTE_ROOT=-a TREE_ROOT
endif
nds_addl_domain_make_child_trust_parent: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
nds_addl_domain_make_child_trust_parent:
	@$(XTRUST) -q $(TRUST_ATTRIBUTE_WITHIN_FOREST) $(TRUST_ATTRIBUTE_PARENT) $(TRUST_ATTRIBUTE_ROOT) -f $(NETBIOSNAME_PARENT) -s $(DOMAINSID_PARENT) -e SHAREDSECRET -h localhost -i -o -t uplevel --add-trust $(PARENT_NAME)

# Record the trust POSIX offset: writes a two-record LDIF into
# $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif (replace USNIntersite on
# CN=Partitions of the forest configuration, then set trustPosixOffset on the
# domain NC) and applies it with a simple bind as the temporary admin over
# $(LDAPI_URL).  Only for a non-root domain and only when TRUSTPOSIXOFFSET is
# non-empty (parse-time checks); the stamp is written regardless.
# NOTE(review): "-W" makes ldapmodify prompt for the bind password — confirm
# $(LDAPMODIFY) supplies ADM_PASSWD non-interactively.
# NOTE(review): the second record has "changetype:modify" but no
# "replace: trustPosixOffset" line before the attribute — confirm the LDAP
# client accepts an implicit mod-spec, otherwise the modify is rejected.
nds_addl_domain_set_trustposixoffset: LDAPMODIFY_FLAGS = -H $(LDAPI_URL) -x -D "$(LDAPTEMPADMINNAME)" -a -W
nds_addl_domain_set_trustposixoffset: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
nds_addl_domain_set_trustposixoffset: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_addl_domain_set_trustposixoffset:
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifneq ($(TRUSTPOSIXOFFSET),)
	@echo "dn: CN=Partitions,CN=Configuration,$(LDAPFORESTNC)" > $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "changetype: modify" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "replace: USNIntersite" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "USNIntersite: $(TRUSTPOSIXOFFSET)" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "dn:$(MAPPEDDOMAINNC)" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "changetype:modify" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@echo "trustPosixOffset: $(TRUSTPOSIXOFFSET)" >> $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
	@$(LDAPMODIFY) $(LDAPMODIFY_FLAGS) -f $(LIVE_DSSTATEDIR)/domain/trust-posix-offset.ldif
endif
endif
	@touch $(TEMPDIR)/nds_addl_domain_set_trustposixoffset

# Bind this domain's cross-reference objects in the parent and (with "-r") the
# forest root.  Obtains a ticket first as Administrator@$(DOMAIN_NAME) —
# upper-cased for the first server of a non-root domain, literal otherwise —
# with ADM_PASSWD taken from ADM_PASSWD_DOMAIN.  Note this target uses a
# fixed "Administrator@..." principal rather than the "Domain Administrator
# Principal" config key the other ticket targets read.
nds_addl_domain_bind_crossref: ADM_PASSWD=$(ADM_PASSWD_DOMAIN)
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
ifeq ($(IS_REPLICA),FALSE)
nds_addl_domain_bind_crossref: ADM_PRINCIPAL=`echo "Administrator@$(DOMAIN_NAME)" | tr "[:lower:]" "[:upper:]"`
else
nds_addl_domain_bind_crossref: ADM_PRINCIPAL="Administrator@$(DOMAIN_NAME)"
endif
else
nds_addl_domain_bind_crossref: ADM_PRINCIPAL="Administrator@$(DOMAIN_NAME)"
endif
nds_addl_domain_bind_crossref:
	@kinit -E "$(ADM_PRINCIPAL)"
	@$(XTRUST) -T $(PARENT_NAME) --bind-cross-ref $(DOMAIN_NAME)
	@$(XTRUST) -T $(FOREST_NAME) -r --bind-cross-ref $(DOMAIN_NAME)
	@touch $(TEMPDIR)/nds_addl_domain_bind_crossref

# Delete the provisioning user CN=XAD_PROVISIONINGUSER under the domain NC,
# binding with GSS-SPNEGO from the domain credential cache.  The "-" prefix
# ignores the ldapdelete exit status: if the delete fails, the privileged
# temporary account remains and the stamp is still written — verify the
# account is gone after provisioning.
nds_addl_domain_delete_temporary_administrator: LDAPDELETE_FLAGS = -Y GSS-SPNEGO
nds_addl_domain_delete_temporary_administrator: KRB5CCNAME=$(KRB5CCNAME_DOMAIN)
nds_addl_domain_delete_temporary_administrator:
	@-$(LDAPDELETE) $(LDAPDELETE_FLAGS) "CN=XAD_PROVISIONINGUSER,$(MAPPEDDOMAINNC)"
	@touch $(TEMPDIR)/nds_addl_domain_delete_temporary_administrator

# New-domain cleanup is the common nds_clean.
nds_addl_domain_clean: nds_clean

# We need to get the user input for the NKDC_REALM name, and it has to be exported in the
# environment variable NKDC_REALM, which will in turn be used by the migration utility
# for migrating NKDC principals to "Domain Services for Windows" principals. Also, this is
# applicable only for the containers mapped to an Aquila domain.
# Migrate NKDC principals for realm $(NKDC_REALM) with $(MIGRATE_NKDC), only
# when the domain NC is name-mapped (runtime check) and NKDC_REALM is set
# (parse-time check).  A non-root domain binds as the temporary admin
# (LDAPADMINNAME overridden to LDAPTEMPADMINNAME) with ADM_PASSWD taken from
# NDSEXISTINGADMINPASSWD.
# NOTE(review): the stamp touch sits inside the ifneq, so with an empty
# NKDC_REALM no stamp is written — every other step in this file writes its
# stamp unconditionally; confirm this is intended.
ifneq ($(DEFAULTROOTDOMAIN), $(LDAPFORESTNC))
nds_migrate_nkdc_principals: LDAPADMINNAME=$(LDAPTEMPADMINNAME)
endif
nds_migrate_nkdc_principals: ADM_PASSWD=$(NDSEXISTINGADMINPASSWD)
nds_migrate_nkdc_principals:
ifneq ($(NKDC_REALM),)
	@if [ "$(DEFAULTROOTDOMAIN)" != "$(MAPPEDDOMAINNC)" ]; then \
		$(MIGRATE_NKDC) -r $(NKDC_REALM) -D $(LDAPADMINNAME) -p 389; \
	fi;
	@touch $(TEMPDIR)/nds_migrate_nkdc_principals
endif
