A sudorule dn uses ipaUniqueId as the cn, so we have to do a search to ensure uniqueness. This leaves us vulnerable to a race. Configure the uniqueness plugin to ensure no dups.

rob
>From 7f9250d6efe73a56f364173ce730bcddb112aac2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 13 Sep 2012 15:11:57 -0400
Subject: [PATCH] Add uniqueness plugin configuration for sudorule cn

We do a search looking for duplicate values, but this leaves open the
possibility that two adds happen at the same time, so both
searches return NotFound and we end up with two entries with the same
cn value.

https://fedorahosted.org/freeipa/ticket/3017
---
 install/share/unique-attributes.ldif | 17 +++++++++++++++++
 install/updates/10-uniqueness.update | 17 +++++++++++++++++
 install/updates/Makefile.am          |  1 +
 3 files changed, 35 insertions(+)
 create mode 100644 install/updates/10-uniqueness.update

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 4537e7468ad69891565ccd51f7b67e9db8889857..4549ad4d62fff66c58ab2f6d263002b3e7c02675 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -70,6 +70,23 @@ nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
 
+dn: cn=sudorule name uniqueness,cn=plugins,cn=config
+changetype: add
+objectClass: top
+objectClass: nsSlapdPlugin
+objectClass: extensibleObject
+cn: sudorule name uniqueness
+nsslapd-pluginPath: libattr-unique-plugin
+nsslapd-pluginInitfunc: NSUniqueAttr_Init
+nsslapd-pluginType: preoperation
+nsslapd-pluginEnabled: on
+nsslapd-pluginarg0: cn
+nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+nsslapd-plugin-depends-on-type: database
+nsslapd-pluginId: NSUniqueAttr
+nsslapd-pluginVersion: 1.1.0
+nsslapd-pluginVendor: Fedora Project
+
 #dn: cn=uid uniqueness,cn=plugins,cn=config
 #objectClass: top
 #objectClass: nsSlapdPlugin
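Review bot: The new plugin entry at lines 30–46 omits nsslapd-pluginDescription, while the sibling entry just above it (line 28) and the same entry in 10-uniqueness.update both carry `nsslapd-pluginDescription: Enforce unique attribute values`; adding that line keeps the install LDIF and the update file in step so a fresh install and an upgraded one end up with identical plugin configuration. It would also help to state in a comment above the entry that nsslapd-pluginarg0 names the attribute being checked (cn, the sudo rule name) and nsslapd-pluginarg1 the subtree the check is scoped to, since the cn-versus-RDN distinction is exactly what the commit message is explaining and a reader of the LDIF alone cannot see it.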
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
new file mode 100644
index 0000000000000000000000000000000000000000..33bd2fc09e12f52200de83b245b89e26ebf8af8e
--- /dev/null
+++ b/install/updates/10-uniqueness.update
@@ -0,0 +1,17 @@
+dn: cn=sudorule name uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: sudorule name uniqueness
+default:nsslapd-pluginDescription: Enforce unique attribute values
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:nsslapd-pluginarg0: cn
+default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+
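Review bot: The update installs a preoperation plugin, so it only rejects future operations that would create a second entry with the same cn under cn=sudorules; duplicates already produced by the race on existing deployments are neither detected nor repaired by this file, and a one-off duplicate scan in the updater (or at minimum a release note asking admins to check) would close that gap. If I recall correctly a new entry under cn=plugins,cn=config is not loaded until the directory server restarts, so it is worth confirming that the updater restarts dirsrv after applying this file, otherwise the race stays open until the next restart. The trailing empty line at the end of the new file looks like stray whitespace.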
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 9e068966530d897fe18802c9dfa13406aeb3b010..54e57ef3e441e5f2f4ce0a6af97d6856506df8f8 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -11,6 +11,7 @@ app_DATA =				\
 	10-sudo.update			\
 	10-ssh.update			\
 	10-bind-schema.update		\
+	10-uniqueness.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
 	20-dna.update			\
-- 
1.7.11.4
