#!/bin/bash
#
# Univention Server
#  helper script: activates accounts with krb5ValidStart >= now
#
# SPDX-FileCopyrightText: 2021-2025 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only

ts_utc=$(date --utc +"%Y%m%d%H%M%SZ")

while read -r DN; do
	ldif=$(ldapsearch -Y EXTERNAL -H LDAPI:// -LLL -o ldif-wrap=no -b "$DN" -s base "(krb5ValidEnd<=$ts_utc)" 1.1 2>/dev/null | ldapsearch-decode64 | sed -n 's/^dn: //p')
	if [ -z "$ldif" ]; then
		udm users/user modify \
		--dn "$DN" \
		--set disabled=0 \
		--remove accountActivationDate
	else
		## Edge case clean up, account has expired due to krb5ValidEnd, so disabled state must not change, but krb5ValidStart should be unset
		udm users/user modify \
		--dn "$DN" \
		--remove accountActivationDate
	fi
done < <(ldapsearch -Y EXTERNAL -H LDAPI:// -LLL -o ldif-wrap=no "(krb5ValidStart<=$ts_utc)" 1.1 2>/dev/null | ldapsearch-decode64 | sed -n 's/^dn: //p')
