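@set PHASE=51
@echo off
setlocal enableextensions enabledelayedexpansion
rem es-ldap-setup
rem Initial setup for Micro Focus Enterprise Server External Security with
rem the MLDAP ESM Module
rem Copyright 2006-2008 Micro Focus (IP) Limited. All rights reserved.
rem
rem Syntax: es-ldap-setup [/ad] [username] [password] [partition] [server]
rem   Run "es-ldap-setup /?" for the full usage text, see :usage below.
rem   Every missing parameter is prompted for interactively.
rem
rem Environment read: PHASE, TEMP, USER/USERNAME, USERDOMAIN, LOGONSERVER,
rem   COMPUTERNAME, SYSTEMROOT, PATH. Files mfds-schema.ldf, mfds_users.ldf
rem   and the ldifde logs are written to the current directory.
rem
rem Security notes:
rem   - ldifde -b, dsmgmt "set creds" and cas-to-ad -p take the password on
rem     the command line, so it is visible to local process enumeration
rem     while those tools run. The script therefore never echoes a command
rem     line that carries the password; a redacted copy is shown instead.
rem   - The temporary LDIF file briefly holds the administrator password in
rem     clear text and is deleted as soon as ldifde has processed it.
rem   - set /p echoes what is typed, so an interactively entered password
rem     is visible on screen; supply it as a parameter if that matters.
set FileVer=1.2.6
rem ************************************************************************
rem Setup
rem ************************************************************************
rem What version of Net Express or Server is this?
if not defined PHASE set PHASE=50
set NXMAJ=%PHASE:~0,1%
set NXMIN=%PHASE:~1,1%
rem Put the ADAM directory at the front of the path, if it exists; this
rem ensures we pick up the newer ldifde.exe rather than the old one that
rem is in system32 on some Windows systems.
if exist "%systemroot%\adam" path %systemroot%\adam;%path%
rem Ensure NX5 / Server5 BIN directory is at the front of the path
set CobBin=
rem First look in PATH
for %%f in (esfadmin.exe) do set CobBin=%%~dp$PATH:f
rem If not found, try Registry
rem This bizarre code is to handle spacey values...
if not defined CobBin (
  for /f "usebackq tokens=2,*" %%A in (`reg query "HKLM\Software\Micro Focus\NetExpress\%NXMAJ%.%NXMIN%\COBOL\%NXMAJ%.%NXMIN%\Install" /v BIN`) do set RegVal=%%B
  for /f "usebackq delims=" %%C in ('!RegVal!') do set CobBin=%%~C
)
rem If not found, try default dir. The tilde strips the quotes so CobBin
rem never needs de-quoting afterwards. The second entry used to say
rem "programs files", which could never match.
if not defined CobBin (
  for %%d in ("c:\program files\micro focus\studio %NXMAJ%.%NXMIN%\base\bin" "c:\program files\micro focus\net express %NXMAJ%.%NXMIN%\base\bin" "c:\program files\micro focus\server %NXMAJ%.%NXMIN%\bin") do if exist %%d set CobBin=%%~d
)
rem Remove any remaining quote characters from CobBin if necessary; guard on
rem defined so an empty CobBin does not become the literal expansion text.
if defined CobBin if not exist "%CobBin%" set CobBin=%CobBin:"=%
rem Reduce to short-names version to avoid problems with "Program Files (x86)"
for %%d in ("%CobBin%") do set CobBin=%%~sd
rem See if we found it
if not exist "%CobBin%" (
  echo Could not find COBOL bin directory!
  echo Cannot continue
  exit /b 1
)
rem Put it at the front of the path
path %CobBin%;%path%
rem Simplify prompt for echoed commands; commands that are shown explicitly
rem below use the same "(setup)" prefix so the transcript looks uniform.
prompt $csetup$f$s
rem Make sure USER and USERDOMAIN are set
if not defined user set user=%username%
if not defined userdomain (
  if defined logonserver (
    set userdomain=%logonserver:\=%
  ) else (
    set userdomain=%computername%
  )
)
rem Temporary directory and file. RANDOM keeps two concurrent runs from
rem overwriting each other's file; the path is always quoted below because
rem TEMP normally contains spaces.
if not defined TEMP set TEMP=.
set TmpF=%TEMP%\es-ldap-setup-%RANDOM%.ldf
rem Option flags
set ADType=ADAM
set HaveUser=no
set HavePassword=no
rem Error count
set Succeeded=0
set Failed=0
set FailList=
rem Check for usage query. The trailing @ stops "if" from seeing a bare /?
set Opt=%1@
if %Opt% equ /?@ goto usage
if %Opt% equ -?@ goto usage
rem Process option switches
:optloop
if %1@ equ @ goto optdone
set Opt=%1
if %Opt:~0,1% neq / (
  if %Opt:~0,1% neq - goto optdone
)
rem If the first parameter is "-", that's actually for "username", so
rem don't treat it as an option.
if @%Opt:~1,1% equ @ goto optdone
rem /AD means we're working with AD rather than ADAM
if /i %Opt:~1,2% equ AD set ADType=AD
shift
goto optloop
:optdone
rem ************************************************************************
rem Startup message
rem ************************************************************************
echo es-ldap-setup: Initial LDAP security setup for Enterprise Server
echo Version %FileVer%
echo Copyright 2006-2008 Micro Focus (IP) Limited. All rights reserved.
echo Run "es-ldap-setup /?" for usage information.
pause
echo.
rem ************************************************************************
rem Get optional parameters
rem ************************************************************************
rem Parameter 1: user name. HaveUser=yes means explicit credentials are
rem used; HaveUser=no means the tools bind with the logged-on token.
if @%1==@ (
  if %ADType% equ ADAM (
    echo Enter the information for the ADAM administrative user.
    echo This user account will be automatically created if necessary.
  ) else (
    echo Enter the information for the Active Directory administrative user.
    echo This user account must already exist.
  )
  if defined user echo Enter "-" to use your current logon credentials.
  set UNameIn=%user%
  rem Show the default in the prompt whenever there is one. This used to
  rem test UName, which is never set at this point, so the default was
  rem silently applied without being displayed.
  if defined UNameIn (
    set /p UNameIn=Enter LDAP user name [!UNameIn!]: 
  ) else (
    set /p UNameIn=Enter LDAP user name: 
  )
  if not @!UNameIn!==@- (
    set UName=!UNameIn!
    set HaveUser=yes
  ) else (
    if not defined user (
      echo The USERNAME environment variable is not set to your username
      echo Cannot continue
      exit /b 1
    )
    rem Set UName, but leave HaveUser set to "no". This lets some
    rem commands use the current Windows logged-on token.
    set UName=%user%
  )
) else (
  if not @%1==@- (
    set UName=%1
    set HaveUser=yes
  ) else (
    if not defined user (
      echo The USERNAME environment variable is not set to your username
      echo Cannot continue
      exit /b 1
    )
    set UName=%user%
  )
)
rem Parameter 2: password. Skipped when using the logged-on user account.
if %HaveUser% equ yes (
  if @%2==@ (
    set Password=password
    set /p Password=Enter LDAP password [!Password!]: 
    set HavePassword=yes
  ) else (
    if not @%2==@- (
      set Password=%2
      set HavePassword=yes
    )
  )
)
rem Parameter 3: partition DN
if @%3==@ (
  set ParDN=CN=Micro Focus,CN=Program Data,DC=local
  set /p ParDN=Enter LDAP partition DN [!ParDN!]: 
) else (
  rem Note that a partition DN on the command line will typically be
  rem spacey, and so it will be quoted; but we MUST remove those quotes
  rem before trying to use it.
  set Param=%3
  set ParDN=!Param:"=!
)
rem Parameter 4: host[:port]; port defaults to 389 if omitted
if @%4==@ (
  set LdapHost=localhost:389
  set /p LdapHost=Enter LDAP host:port [!LdapHost!]: 
) else (
  set LdapHost=%4
  set Port=
  for /f "delims=: tokens=2" %%p in ("!LdapHost!") do set Port=%%p
  if not defined Port set LdapHost=!LdapHost!:389
)
if not @%5==@ goto usage
rem Make sure UName is set
if not defined UName (
  echo No user specified and neither USER nor USERNAME defined!
  echo Cannot continue
  exit /b 1
)
rem If a domain was specified with the username, break it down into domain
rem and user. Note that the "&" operator has to come immediately after the
rem %%A below, or UDom ends up with a trailing space, which will cause
rem problems if UName is set to UDom later.
for /F "usebackq delims=\ tokens=1,2" %%A in ('%UName%') do set UDom=%%A& set UName=%%B
if not defined UName (
  set UName=%UDom%
  set UDom=%userdomain%
)
rem Create macro for credentials for ldifde command lines. The *Show
rem variant is what gets echoed; it never contains the password.
if %HavePassword% equ yes (
  set LdifdeCreds=-b %UName% %UDom% %Password%
  set LdifdeCredsShow=-b %UName% %UDom% ********
) else (
  set LdifdeCreds=
  set LdifdeCredsShow=
)
rem ************************************************************************
rem Set ADAM / AD options (temporarily)
rem ************************************************************************
rem See if we need to enable password operations over unencrypted
rem connections. This is necessary for ldifde and cas-to-ad operations.
rem ### Might not be, if we change the bind types for ldifde and c-t-a...
echo *** Checking password operations state...
set PWState=
set ResetPW=no
if %HavePassword% equ yes (
  set DsmgmtCreds="set creds %UDom% %UName% %Password%"
  set DsmgmtCredsShow="set creds %UDom% %UName% ********"
) else (
  set DsmgmtCreds=
  set DsmgmtCredsShow=
)
for /f "usebackq tokens=6" %%p in (`dsmgmt "ds behavior" "connections" %DsmgmtCreds% "connect to server %LdapHost%" "quit" "list current ds-behavior" "quit" "quit"`) do set PWState=%%p
rem Enable passwords if they're not already enabled
if @%PWState% neq @Allowed. (
  rem Enable password operations over unencrypted connections
  echo.
  echo *** Enabling password operations over unencrypted connections...
  pause
  echo (setup^) dsmgmt "ds behavior" "connections" %DsmgmtCredsShow% "connect to server %LdapHost%" "quit" "allow passwd op on unsecured connection" "quit" "quit"
  dsmgmt "ds behavior" "connections" %DsmgmtCreds% "connect to server %LdapHost%" "quit" "allow passwd op on unsecured connection" "quit" "quit"
  if errorlevel 1 (
    set /a Failed+=1
    set FailList=%FailList% Allow-password-changes
  ) else (
    set /a Succeeded+=1
    set ResetPW=yes
  )
)
rem ************************************************************************
rem Add user definitions
rem ************************************************************************
echo.
echo *** Importing ES user class definitions...
pause
echo (setup^) mfds -l "DC=X" 1 mfds-schema.ldf
mfds -l "DC=X" 1 mfds-schema.ldf > nul
echo (setup^) ldifde -i %LdifdeCredsShow% -f mfds-schema.ldf -s %LdapHost% -k -j . -c "DC=X" #schemaNamingContext
ldifde -i %LdifdeCreds% -f mfds-schema.ldf -s %LdapHost% -k -j . -c "DC=X" #schemaNamingContext
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Import-ES-classes
) else (
  set /a Succeeded+=1
)
rem ************************************************************************
rem Add ES containers to hold users, groups and resources
rem ************************************************************************
echo.
echo *** Creating ES containers
pause
rem A copy of the LDIF in the current directory overrides the shipped one
if exist mf-containers.ldf (
  set MfCtrs=mf-containers.ldf
) else (
  set MfCtrs=%CobBin%\mf-containers.ldf
)
echo (setup^) ldifde -i %LdifdeCredsShow% -f "%MfCtrs%" -s %LdapHost% -k -j . -c "DC=X" "%ParDN%"
ldifde -i %LdifdeCreds% -f "%MfCtrs%" -s %LdapHost% -k -j . -c "DC=X" "%ParDN%"
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Create-ES-containers
) else (
  set /a Succeeded+=1
)
rem ************************************************************************
rem Add MFReader account
rem ************************************************************************
rem Check to see if we need to do this: export the users container and look
rem for the account. A failed export also leads to the add, as before.
ldifde %LdifdeCreds% -f "%TmpF%" -s %LdapHost% -d "CN=ADAM Users,%ParDN%" > nul
findstr /l /c:"MFReader" "%TmpF%" > nul
if errorlevel 1 goto add_mfreader
goto skip_mfreader
:add_mfreader
echo.
echo *** Adding MFReader as an %ADType% Reader...
echo Using container CN=ADAM Users,%ParDN%
pause
echo Creating temporary LDIF file %TmpF%
rem The redirection is written first so a DN that ends in a digit cannot be
rem misread by cmd as a file-handle number in front of ">>".
> "%TmpF%" echo dn: CN=MFReader,CN=ADAM Users,%ParDN%
>> "%TmpF%" echo changetype: add
>> "%TmpF%" echo cn: MFReader
>> "%TmpF%" echo objectClass: user
>> "%TmpF%" echo userpassword: MF_rdr1:read-only^^!
>> "%TmpF%" echo msDS-UserDontExpirePassword: TRUE
>> "%TmpF%" echo.
>> "%TmpF%" echo dn: CN=Readers,CN=Roles,%ParDN%
>> "%TmpF%" echo changetype: modify
>> "%TmpF%" echo add: member
>> "%TmpF%" echo member: CN=MFReader,CN=ADAM Users,%ParDN%
>> "%TmpF%" echo -
>> "%TmpF%" echo.
echo Processing temporary LDIF file
ldifde -i %LdifdeCreds% -f "%TmpF%" -s %LdapHost% -j .
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Create-MFReader
) else (
  set /a Succeeded+=1
)
echo Removing temporary LDIF file
:skip_mfreader
if exist "%TmpF%" del "%TmpF%"
rem ************************************************************************
rem Grant write permission to user records for "MFReader" user
rem ************************************************************************
rem This is disabled because it's a security hole; anyone who knows the
rem (documented) default LDAP credentials used by the MLDAP ESM Module
rem can change anyone's password. To enable password changes, use secret
rem credentials for the MLDAP ESM Module, and give that account update
rem access to user objects.
rem dsacls "\\localhost\CN=Enterprise Server Users,%ParDN%" /I:S /G "CN=MFReader,CN=ADAM Users,%ParDN%":WP
rem ************************************************************************
rem Add ADAM administrative user
rem ************************************************************************
if %ADType% equ AD goto cas_import
if %HavePassword% equ no goto cas_import
rem Check to see if we need to do this... /l /c: keeps a user name with
rem regex characters or spaces from being misinterpreted by findstr.
ldifde %LdifdeCreds% -f "%TmpF%" -s %LdapHost% -d "CN=ADAM Users,%ParDN%" > nul
findstr /l /c:"%UName%" "%TmpF%" > nul
if errorlevel 1 goto add_admin
if exist "%TmpF%" del "%TmpF%"
goto cas_import
:add_admin
echo.
echo *** Adding %UName% as an ADAM Administrator...
echo Using container CN=ADAM Users,%ParDN%
echo Setting the password that was supplied for this user
pause
echo Creating temporary LDIF file %TmpF%
rem This file holds the password in clear text until it is deleted below.
rem A password containing cmd metacharacters such as & or > would break
rem the echo line; TODO confirm whether that needs handling.
> "%TmpF%" echo dn: CN=%UName%,CN=ADAM Users,%ParDN%
>> "%TmpF%" echo changetype: add
>> "%TmpF%" echo cn: %UName%
>> "%TmpF%" echo objectClass: user
>> "%TmpF%" echo userpassword: %Password%
>> "%TmpF%" echo.
>> "%TmpF%" echo dn: CN=Administrators,CN=Roles,%ParDN%
>> "%TmpF%" echo changetype: modify
>> "%TmpF%" echo add: member
>> "%TmpF%" echo member: CN=%UName%,CN=ADAM Users,%ParDN%
>> "%TmpF%" echo -
>> "%TmpF%" echo.
echo Processing temporary LDIF file
ldifde -i %LdifdeCreds% -f "%TmpF%" -s %LdapHost% -j .
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Create-ADAM-administrator
) else (
  set /a Succeeded+=1
)
echo Removing temporary LDIF file
if exist "%TmpF%" del "%TmpF%"
:cas_import
rem ************************************************************************
rem Try to import CAS users
rem ************************************************************************
echo.
echo *** Importing users from CAS RDO file...
pause
rem If a username was specified on the command line, invoke cas-to-ad with
rem that username (and password, if a password was supplied). Otherwise,
rem use the current user's login credentials.
if %HaveUser% equ yes (
  if %HavePassword% equ yes (
    echo (setup^) cas-to-ad -u "%UName%" -p "********" -d "%ParDN%" -l %LdapHost%
    cas-to-ad -u "%UName%" -p "%Password%" -d "%ParDN%" -l %LdapHost%
  ) else (
    rem No password; user will be prompted for it
    @echo on
    cas-to-ad -u "%UName%" -d "%ParDN%" -l %LdapHost%
    @echo off
  )
) else (
  @echo on
  cas-to-ad -u - -d "%ParDN%" -l %LdapHost%
  @echo off
)
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Import-CAS-users
) else (
  set /a Succeeded+=1
)
rem ************************************************************************
rem Try to extract MFDS users
rem ************************************************************************
echo.
echo *** Extracting users from MFDS repository...
pause
@echo on
mfds -e "%ParDN%" "CN=Enterprise Server Users" "CN=Enterprise Server User Groups" "CN=Enterprise Server Resources" 1 mfds_users.ldf > nul
@echo off
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Extract-MFDS-users
) else (
  set /a Succeeded+=1
)
rem ************************************************************************
rem Try to import MFDS users
rem ************************************************************************
echo.
echo *** Importing MFDS users into %ADType%...
pause
ldifde -i %LdifdeCreds% -f mfds_users.ldf -s %LdapHost% -k -j .
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Import-MFDS-users
) else (
  set /a Succeeded+=1
)
rem ************************************************************************
rem Try to import MTO definitions
rem ************************************************************************
echo.
echo *** Importing MTO resource definitions into %ADType%...
pause
rem A copy of the LDIF in the current directory overrides the shipped one
if exist es_default_ldap.ldf (
  set EsDefLdap=es_default_ldap.ldf
) else (
  set EsDefLdap=%CobBin%\es_default_ldap.ldf
)
ldifde -i %LdifdeCreds% -f "%EsDefLdap%" -s %LdapHost% -k -j . -c "CN=Micro Focus,CN=Program Data,DC=X" "%ParDN%"
if errorlevel 1 (
  set /a Failed+=1
  set FailList=%FailList% Import-MTO-defs
) else (
  set /a Succeeded+=1
)
rem ************************************************************************
rem Reset ADAM / AD options that were set above
rem ************************************************************************
rem NOTE: this re-issues the same "allow passwd op on unsecured connection"
rem command that enabled the setting. TODO confirm with dsmgmt help that it
rem really clears the setting rather than leaving it enabled.
if %ResetPW% equ yes (
  echo.
  echo *** Disabling password operations over unencrypted connections...
  pause
  echo (setup^) dsmgmt "ds behavior" "connections" %DsmgmtCredsShow% "connect to server %LdapHost%" "quit" "allow passwd op on unsecured connection" "quit" "quit"
  dsmgmt "ds behavior" "connections" %DsmgmtCreds% "connect to server %LdapHost%" "quit" "allow passwd op on unsecured connection" "quit" "quit"
  if errorlevel 1 (
    set /a Failed+=1
    set FailList=%FailList% Prevent-password-changes
  ) else (
    set /a Succeeded+=1
  )
)
rem ************************************************************************
rem Report results
rem ************************************************************************
echo.
echo.
echo -----------------------------------------------------------------------
echo Setup results:
echo %Succeeded% tasks succeeded
echo %Failed% tasks reported an error
if defined FailList (
  echo Failing tasks were: %FailList%
)
echo -----------------------------------------------------------------------
goto :eof
:usage
echo es-ldap-setup: Initial LDAP security setup for Enterprise Server
echo Version %FileVer%
echo Copyright 2006-2008 Micro Focus (IP) Limited. All rights reserved.
echo.
echo This script performs basic setup for using Enterprise Server External
echo Security with ADAM (Active Directory Application Mode) or Active
echo Directory. (References to ADAM below also apply to Active Directory,
echo except where it says "[ADAM only]".)
echo.
pause
echo The script will do the following:
echo   - Enable setting passwords in ADAM over unencrypted connections.
echo     This is required for other script actions and for the cas-to-ad
echo     utility. If this option is not currently set, the script will
echo     reset it when it finishes.
echo   - Add the ES user class definitions to the ADAM LDAP schema.
echo   - Add the container objects for ADAM and ES users to the LDAP
echo     application partition.
echo   - Create MFReader, the default user for ES, in ADAM.
echo   - [ADAM only] Create an administrative user in ADAM for cas-to-ad.
echo   - Import MTO users from the CAS RDO file.
echo   - Import users from the MFDS repository.
echo   - Import the default MTO resource definitions.
echo   - Reset any ADAM options that were changed.
echo.
echo Note that the user-import program cas-to-ad will be run with the default
echo setting for location of the CAS RDO file, so it will look for that file
echo under the NX5 installation directory. If the file is not there, you
echo should run cas-to-ad manually after the script finishes. Run cas-to-ad
echo with the "-?" option for a usage message.
echo.
pause
echo.
echo Syntax:
echo   es-ldap-setup [options] [username] [password] [partition] [server]
echo.
echo username is the name of the administrative user for use by cas-to-ad;
echo   it defaults to the user environment variable ("%user%"). Use "-"
echo   to use the logged-in user.
echo password is the password for that user; it defaults to "password". If
echo   you specify "-" for username, this parameter is ignored.
echo partition is the location in the LDAP directory of the ES
echo   configuration objects; it defaults to
echo   "CN=Micro Focus,CN=Program Data,DC=local".
echo server is the hostname (and optionally port) of the LDAP server; it
echo   defaults to "localhost:389".
echo.
echo Currently, the only option is "/ad", which tells the script that you
echo are running against Active Directory rather than ADAM. The only
echo difference that currently makes is skipping the actions listed as
echo "[ADAM only]" above.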