Hi,

this patch fixes <https://fedorahosted.org/freeipa/ticket/3437>.

Honza

--
Jan Cholasta
From 4d9b3cd132981dbf51067adf3d35e5b6b70b673c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 6 Mar 2013 10:07:13 +0100
Subject: [PATCH] Remove disabled entries from sudoers compat tree.

The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.

https://fedorahosted.org/freeipa/ticket/3437
---
 install/share/schema_compat.uldif       | 2 +-
 install/updates/10-schema_compat.update | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif
index a93b327..40b9611 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -70,7 +70,7 @@ add:cn: sudoers
 add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX'
 add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX'
 add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
-add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
 add:schema-compat-entry-attribute: objectclass=sudoRole
 add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
 add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'
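Review bot: the new schema-compat-entry-rdn value is the only %ifeq expression in this stanza that is not wrapped in single quotes, and it has spaces after the commas, while the sudoUser lines right below quote theirs and the matching line in 10-schema_compat.update is quoted as well. Quoting it here would keep the value identical between fresh installs and upgrades. Separately, the search filter two lines above already contains (!(ipaEnabledFlag=FALSE)), so it is not clear from the file why the RDN also has to test the flag; the commit message should say why the filter alone does not remove the entry, and that "DISABLED" is intentionally not a valid RDN.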
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 9835bb8..e65e67a 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -1,5 +1,7 @@
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
 replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
+
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
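Review bot: the added only: line on cn=sudoers sets schema-compat-entry-rdn to exactly this value on every upgrade, so a deployment that has customised the sudoers RDN format will have it silently overwritten. If that is intended, a short comment above the line stating so, and noting that the "DISABLED" branch relies on the plugin rejecting an invalid RDN, would make the dependency visible to the next reader. Minor style point: only:schema-compat-entry-rdn: has no space after the keyword, while the following replace: schema-compat-entry-attribute: line does.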
-- 
1.8.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel