#!/bin/bash

## CONFIGURATION ##

realm=EXAMPLE.com
principal=bind9@$realm
keytab=/root/bind9.keytab
domain=example.com
basedn='DC=example,DC=com'

# add to your /etc/bind/named.conf:
#   include "/etc/bind/named.conf.activedirectory";
targetfile="/etc/bind/named.conf.activedirectory"

export KRB5CCNAME="/tmp/bind9.cc"

# keytab can be generated using
# $ ktutil
# ktutil: addent -password -p bind9@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
# Password for bind9@EXAMPLE.COM:
# ktutil:  wkt bind9.keytab
# ktutil:  quit

## KERBEROS ##

klist 2>&1 | grep $realm | grep '/' > /dev/null
if [ "$?" = 1 ]; then
	expiration=0
else
	expiration=$(klist | grep $realm | grep '/' | awk -F '  ' '{system ("date -d \""$2"\" +%s")}' | sort | head -n 1)
fi

now=$(date +%s)
if [ "$now" -ge "$expiration" ]; then
	echo "Getting new ticket, old one expired $expiration, now is $now"
	kinit -F -k -t $keytab $principal
fi

## THE REAL STUFF ##

php $(dirname $0)/condfwds.php $domain $basedn > $targetfile.new

if [ "$?" != 0 ]; then
	echo "An error ocurred while trying to synchronize with LDAP"
	cat $targetfile.new
	rm $targetfile.new
	exit 1
fi

oldmd5=$(md5sum $targetfile | awk '{print $1}')
newmd5=$(md5sum $targetfile.new | awk '{print $1}')

if [ "$oldmd5" != "$newmd5" ]
then
	cp $targetfile.new $targetfile
	service bind9 restart
fi
rm $targetfile.new

exit 0