#step 1, determine the realm and such
DNSDOMAIN=`dnsdomainname`
UPDNSDOMAIN=`echo $DNSDOMAIN|tr a-z A-Z`
LDAPBASEDN=dc=`echo $DNSDOMAIN|sed -e 's/\./,dc=/'`
HOSTPRINC=`hostname`
#generate a random 32 character password
MYPASS=$(tr -dc A-Za-z0-9 </dev/urandom|head -c 32)

if [ "$OSVER" = "rhels6" ]; then 
    #enable kerberos 
    authconfig --update --krb5realm=$UPDNSDOMAIN --enablekrb5kdcdns --enablekrb5
    #change password
    (echo $TEMPHOSTPASS;echo $MYPASS;echo $MYPASS)|kpasswd $HOSTPRINC
    (echo $MYPASS)|kinit $HOSTPRINC
    #KVNO=`kvno $HOSTPRINC|awk '{print $NF}'`
    #(echo add_entry -password -p $HOSTPRINC -k $KVNO -e des;echo $MYPASS;echo wkt /etc/host.keytab)|ktutil
    OLDUMASK=`umask`
    umask 0077
    echo $MYPASS > /etc/krb5.hostpass
    umask $OLDUMASK
#ok, time for ldap
    LDAPSRV=`host -t SRV _ldap._tcp.$DNSDOMAIN|awk '{print $NF}'`
#sed -ie 's/#uri ldap:\/\/127.0.0.1/uri ldap:\/\/$LDAPSRV\//' /etc/nslcd.conf
#sed -ie 's/# base dc.*/base $LDAPBASEDN/' /etc/nslcd.conf
    echo use_sasl on >> /etc/nslcd.conf
    echo sasl_mech GSSAPI >> /etc/nslcd.conf
    echo sasl_secprops maxssf=0 >> /etc/nslcd.conf
    echo krb5_ccname /var/run/ldap_krb5cc >> /etc/nslcd.conf
    sed -i '/# Mappings for Active Directory/,/^$/ s/^#\([^ ]\)/\1/' /etc/nslcd.conf
    authconfig --update --enableldap --ldapserver=$LDAPSRV --ldapbasedn=$LDAPBASEDN
    echo 'kinit '$HOSTPRINC' -c /var/run/ldap_krb5cc < /etc/krb5.hostpass >& /dev/null;chown nslcd /var/run/ldap_krb5cc' >> /etc/rc.local
    echo 'kinit '$HOSTPRINC' -c /var/run/ldap_krb5cc < /etc/krb5.hostpass >& /dev/null;chown nslcd /var/run/ldap_krb5cc' >> /etc/cron.hourly/nslcdkrb5cc.cron
    chmod +x /etc/cron.hourly/nslcdkrb5cc.cron
fi
#TODO: SLES/maybe RHEL5.  Uncomfortable with libnss_ldap without root_krb5_ccname, ldap needs diff credentials per user
# or else the host private key must be wide open...