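#!/bin/bash
#
# Build an LDIF that replaces userPassword for every entry matching (uid=*)
# under a Base DN with a new random password hashed as {SSHA512}, plus a CSV
# archive of the new plaintext passwords.
#
# This script does not modify the directory itself. It writes $LDIF_FILE for a
# later ldapmodify run and $CSV_FILE for distributing the new passwords.
#
# Security notes:
#   - $CSV_FILE holds plaintext passwords and both outputs use fixed names in
#     /tmp. They are created with mode 0600 (umask 077) and under noclobber, so
#     a file or symlink already sitting at either path aborts the run instead
#     of being written through.
#   - The plaintext is passed to slappasswd through a private file (-T) rather
#     than -s, so it does not appear in the process list.
#   - Every failing step aborts; a half-written LDIF is never reported as a
#     success.
#   - NOTE(review): ldapsearch runs with -x and no explicit URI or TLS option,
#     so transport protection depends on ldap.conf - confirm before use.

set -euo pipefail
umask 077

readonly MODULE_PATH="/usr/lib/ldap/pw-sha2.so"
readonly LDIF_FILE="/tmp/full_reset_ssha512.ldif"
readonly CSV_FILE="/tmp/arsip_password_baru.csv"

WORK_DIR=""
PW_FILE=""

# Print a message on stderr and stop with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove the private scratch directory (last plaintext password, raw search).
cleanup() {
  if [[ -n "$WORK_DIR" ]]; then
    rm -rf -- "${WORK_DIR:?}"
  fi
}

# Print the value of one LDIF line.
# Arguments: $1 - attribute name, $2 - the full "attr: value" line.
# "attr:: value" means the value is base64-encoded and is decoded here.
ldif_value() {
  local attr=$1
  local line=$2
  if [[ "$line" == "$attr:: "* ]]; then
    printf '%s' "${line#"$attr:: "}" | base64 -d
  else
    printf '%s' "${line#"$attr: "}"
  fi
}

# Generate a password for one entry and append it to the LDIF (fd 3) and the
# CSV (fd 4).
# Arguments: $1 - the entry's "dn:" line exactly as ldapsearch printed it,
#            $2 - the entry's first "uid:" line.
write_reset() {
  local dn_line=$1
  local uid_line=$2
  local uid dn plain hash

  uid=$(ldif_value uid "$uid_line") || die "Error: gagal decode uid: $uid_line"
  dn=$(ldif_value dn "$dn_line") || die "Error: gagal decode dn: $dn_line"

  plain=$(openssl rand -base64 24 | tr -d '/+' | cut -c1-24) \
    || die "Error: gagal membuat password acak untuk $uid"
  [[ -n "$plain" ]] || die "Error: gagal membuat password acak untuk $uid"

  # No trailing newline: slappasswd -T hashes the file contents as they are.
  printf '%s' "$plain" > "$PW_FILE"
  hash=$(slappasswd -o "module-load=$MODULE_PATH" -h '{SSHA512}' -T "$PW_FILE") \
    || die "Error: slappasswd gagal untuk $uid"
  [[ -n "$hash" ]] || die "Error: slappasswd gagal untuk $uid"

  printf '%s\n' "[+] Reseting user: $uid"

  # The dn line is copied verbatim, so a base64 "dn:: ..." stays valid LDIF.
  printf '%s\n' \
    "$dn_line" \
    "changetype: modify" \
    "replace: userPassword" \
    "userPassword: $hash" \
    "" >&3

  # Fields are written unescaped; a uid or DN containing ';' shifts columns.
  printf '%s;%s;%s\n' "$uid" "$dn" "$plain" >&4
}

echo "=========================================================="
echo " OPENLDAP FULL PASSWORD RESET TO SSHA512 "
echo " PERINGATAN: Script ini akan mereset SEMUA password user! "
echo "=========================================================="

BASE_DN=""
read -r -p "Masukkan Base DN (contoh: ou=users,dc=excellent,dc=co,dc=id): " BASE_DN || true
if [[ -z "$BASE_DN" ]]; then
  die "Error: Base DN tidak boleh kosong!"
fi

CONFIRM=""
read -r -p "Yakin ingin mereset SEMUA user di $BASE_DN? (y/n): " CONFIRM || true
if [[ "$CONFIRM" != "y" ]]; then
  echo "Proses dibatalkan."
  exit 0
fi

WORK_DIR=$(mktemp -d) || die "Error: gagal membuat direktori kerja sementara."
trap cleanup EXIT
PW_FILE="$WORK_DIR/plain"
search_out="$WORK_DIR/search.ldif"

echo "[*] Mengambil daftar semua user dari LDAP..."
# One search returns both dn and uid, so no uid value is ever interpolated
# into a second filter. ldif-wrap=no keeps long DNs on one line; a non-zero
# status (for example a size limit) aborts so that no user is silently skipped.
ldapsearch -x -LLL -o ldif-wrap=no -b "$BASE_DN" "(uid=*)" uid > "$search_out" \
  || die "Error: ldapsearch gagal untuk Base DN: $BASE_DN"

rm -f -- "$LDIF_FILE" "$CSV_FILE" \
  || die "Error: tidak dapat menghapus file lama di /tmp."

# noclobber makes '>' refuse an existing file and create new ones exclusively.
set -o noclobber
exec 3> "$LDIF_FILE" || die "Error: tidak dapat membuat $LDIF_FILE"
exec 4> "$CSV_FILE" || die "Error: tidak dapat membuat $CSV_FILE"
set +o noclobber

printf '%s\n' "UID;DN;Password_Plain" >&4

echo "[*] Memproses hashing SSHA512..."
count=0
dn_line=""
uid_line=""
while IFS= read -r line || [[ -n "$line" ]]; do
  case "$line" in
    "dn: "* | "dn:: "*)
      dn_line=$line
      uid_line=""
      ;;
    "uid: "* | "uid:: "*)
      # Only the first uid value is used: one new password per entry.
      [[ -n "$uid_line" ]] || uid_line=$line
      ;;
    "")
      if [[ -n "$dn_line" && -n "$uid_line" ]]; then
        write_reset "$dn_line" "$uid_line"
        count=$((count + 1))
      fi
      dn_line=""
      uid_line=""
      ;;
  esac
done < "$search_out"

# Flush the last entry if the output did not end with a blank line.
if [[ -n "$dn_line" && -n "$uid_line" ]]; then
  write_reset "$dn_line" "$uid_line"
  count=$((count + 1))
fi

exec 3>&- 4>&-

if [[ "$count" -eq 0 ]]; then
  die "Error: tidak ada user yang ditemukan di $BASE_DN"
fi

echo "BERHASIL: File $LDIF_FILE dan $CSV_FILE telah dibuat."
echo ""
echo "CATATAN PENTING:"
# NOTE(review): the suggested ldapmodify uses a simple bind (-x -W); confirm it
# runs over a protected transport so the bind password is not sent in clear.
echo "1. Jalankan: ldapmodify -x -D 'cn=admin,dc=excellent,dc=co,dc=id' -W -f $LDIF_FILE"
echo "2. SEMUA USER (termasuk uid=admin) password-nya telah diubah."
echo "3. Password lama user sudah tidak berlaku lagi setelah LDIF di-import."
echo "4. Pastikan file $CSV_FILE disimpan di tempat aman karena berisi password PLAIN."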