Rob Crittenden wrote:
A sudorule's DN uses ipaUniqueId, not cn, as its RDN, so the directory server does not enforce a unique cn by itself and the framework has to run a separate search to check for an existing name. That check-then-add sequence leaves a window for a race between two concurrent adds. Configure the attribute uniqueness plugin on the sudorules container so the server itself rejects duplicate cn values.

rob

Add missing attribute to the fresh install ldif. I had already fixed this in the update, missed it on fresh install.

rob

From 2783dc65b80d1de1e69873f4b6efef45b470f3fd Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 13 Sep 2012 15:11:57 -0400
Subject: [PATCH] Add uniqueness plugin configuration for sudorule cn

We do a search looking for duplicate values before adding, but this leaves
open the possibility that two adds happen at the same time: both searches
return NotFound, so we end up with two entries that have the same cn value.

https://fedorahosted.org/freeipa/ticket/3017
---
 install/share/unique-attributes.ldif | 18 ++++++++++++++++++
 install/updates/10-uniqueness.update | 17 +++++++++++++++++
 install/updates/Makefile.am          |  1 +
 3 files changed, 36 insertions(+)
 create mode 100644 install/updates/10-uniqueness.update

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 4537e7468ad69891565ccd51f7b67e9db8889857..0e680a0e45b455469f9be9555aed1e63f1d97faf 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -70,6 +70,24 @@ nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
 
+dn: cn=sudorule name uniqueness,cn=plugins,cn=config
+changetype: add
+objectClass: top
+objectClass: nsSlapdPlugin
+objectClass: extensibleObject
+cn: sudorule name uniqueness
+nsslapd-pluginDescription: Enforce unique attribute values
+nsslapd-pluginPath: libattr-unique-plugin
+nsslapd-pluginInitfunc: NSUniqueAttr_Init
+nsslapd-pluginType: preoperation
+nsslapd-pluginEnabled: on
+nsslapd-pluginarg0: cn
+nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+nsslapd-plugin-depends-on-type: database
+nsslapd-pluginId: NSUniqueAttr
+nsslapd-pluginVersion: 1.1.0
+nsslapd-pluginVendor: Fedora Project
+
 #dn: cn=uid uniqueness,cn=plugins,cn=config
 #objectClass: top
 #objectClass: nsSlapdPlugin
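Review bot: The new entry registers the plugin as `nsslapd-pluginType: preoperation` (L47), which runs the uniqueness check before the add but, as far as this hunk shows, not inside the backend transaction, so two concurrent adds on the same server can in principle both pass the check — the same window the commit sets out to close. If the 389-ds version FreeIPA targets supports it, `nsslapd-pluginType: betxnpreoperation` runs the check inside the transaction and closes that window; confirm against the version in use and keep it consistent with the other uniqueness entries in this file. Independently, the plugin only enforces uniqueness per server: concurrent adds on different replicas in a multi-master topology can still yield duplicate cn values that surface only as replication conflicts, and that limit is worth stating next to the entry, e.g. `# Uniqueness is enforced per server only; adds racing on different replicas can still conflict.`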
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
new file mode 100644
index 0000000000000000000000000000000000000000..33bd2fc09e12f52200de83b245b89e26ebf8af8e
--- /dev/null
+++ b/install/updates/10-uniqueness.update
@@ -0,0 +1,17 @@
+dn: cn=sudorule name uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: sudorule name uniqueness
+default:nsslapd-pluginDescription: Enforce unique attribute values
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:nsslapd-pluginarg0: cn
+default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+
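Review bot: The update file creates a new plugin entry under cn=plugins,cn=config (L65-L80), and 389-ds generally loads plugin entries at startup, so on an upgraded server the check is not active until the directory server is restarted — unless the updater already restarts it after applying this file, which this hunk does not show. It would help to confirm that ipa-ldap-updater triggers a restart for this update, and otherwise to note the requirement in the commit message. The same sixteen attribute lines are also duplicated verbatim in unique-attributes.ldif (the fresh-install path), so any later change to one, such as the plugin type, needs to be mirrored in the other; a one-line comment at the top of this file, `# Keep in sync with install/share/unique-attributes.ldif`, would make that dependency visible.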
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 9e068966530d897fe18802c9dfa13406aeb3b010..54e57ef3e441e5f2f4ce0a6af97d6856506df8f8 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -11,6 +11,7 @@ app_DATA =				\
 	10-sudo.update			\
 	10-ssh.update			\
 	10-bind-schema.update		\
+	10-uniqueness.update		\
 	19-managed-entries.update	\
 	20-aci.update			\
 	20-dna.update			\
-- 
1.7.11.4
