https://fedorahosted.org/freeipa/ticket/4635

From 0a72220fc2b8af160b20085f372ab55d997546b4 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbor...@redhat.com>
Date: Wed, 29 Oct 2014 16:23:03 +0100
Subject: [PATCH] Deadlock in schema compat plugin (between
 automember_update_membership task and dse update)

	Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)

https://fedorahosted.org/freeipa/ticket/4635
---
 install/updates/10-schema_compat.update | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
 add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
 default:objectClass: top
@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
 default:schema-compat-entry-attribute: objectclass=ieee802Device
 default:schema-compat-entry-attribute: cn=%{fqdn}
 default:schema-compat-entry-attribute: macAddress=%{macAddress}
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
 
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 
 dn: cn=Schema Compatibility,cn=plugins,cn=config
 # We need to run schema-compat pre-bind callback before
-- 
1.7.11.7

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to