Modifications:
* All plugins are migrated into new configuration style.
* I left attribute uniqueness plugin disabled, cn=uid
uniqueness,cn=plugins,cn=config is checking the same attribute.
* POST_UPDATE plugin for uid removed, I moved it to the update file. Is that
okay, Alexander? I haven't found a reason why we need to do it in an update
plugin.
Thierry, I touched the configuration of plugins that user lifecycle
requires; can you take a look and check that it does not break anything?
Patches attached.
--
Martin Basti
From a8e1c7874acaa3b0fe9bd3ae316379ca3ddb95dc Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Mon, 23 Feb 2015 16:09:25 +0100
Subject: [PATCH 1/2] Migrate uniquess plugins configuration to new style
New configuration style contains options required for user lifecycle
management.
---
install/share/unique-attributes.ldif | 24 +--
install/updates/10-uniqueness.update | 36 ++---
ipaserver/install/plugins/update_uniqueness.py | 203 ++++++++++++++++++++++++-
3 files changed, 232 insertions(+), 31 deletions(-)
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 0e680a0e45b455469f9be9555aed1e63f1d97faf..ea38ac75310403d9deef8ea0b8ccb6e70b9e57fe 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -8,8 +8,8 @@ nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: krbPrincipalName
-nsslapd-pluginarg1: $SUFFIX
+uniqueness-attribute-name: krbPrincipalName
+uniqueness-subtrees: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
@@ -26,8 +26,8 @@ nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: krbCanonicalName
-nsslapd-pluginarg1: $SUFFIX
+uniqueness-attribute-name: krbCanonicalName
+uniqueness-subtrees: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
@@ -44,8 +44,8 @@ nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: cn
-nsslapd-pluginarg1: cn=ng,cn=alt,$SUFFIX
+uniqueness-attribute-name: cn
+uniqueness-subtrees: cn=ng,cn=alt,$SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
@@ -62,8 +62,8 @@ nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: ipaUniqueID
-nsslapd-pluginarg1: $SUFFIX
+uniqueness-attribute-name: ipaUniqueID
+uniqueness-subtrees: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
@@ -81,8 +81,8 @@ nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: cn
-nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+uniqueness-attribute-name: cn
+uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
@@ -97,8 +97,8 @@ nsslapd-pluginVendor: Fedora Project
#nsslapd-pluginInitfunc: NSUniqueAttr_Init
#nsslapd-pluginType: preoperation
#nsslapd-pluginEnabled: on
-#nsslapd-pluginarg0: uid
-#nsslapd-pluginarg1: cn=accounts,$SUFFIX
+#uniqueness-attribute-name: uid
+#uniqueness-subtrees: cn=accounts,$SUFFIX
#nsslapd-plugin-depends-on-type: database
#nsslapd-pluginId: NSUniqueAttr
#nsslapd-pluginVersion: 1.1.0
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index c9641c47fabdffdc278216b38abd606745781d41..b6e2fff6db8c2da9b6303e183fa92e807eab929a 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -8,8 +8,8 @@ default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginarg0: cn
-default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+default:uniqueness-attribute-name: cn
+default:uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
@@ -25,8 +25,8 @@ default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginarg0: ipaCertSubject
-default:nsslapd-pluginarg1: cn=certificates,cn=ipa,cn=etc,$SUFFIX
+default:uniqueness-attribute-name: ipaCertSubject
+default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
@@ -42,8 +42,8 @@ default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginarg0: ipaCertIssuerSerial
-default:nsslapd-pluginarg1: cn=certificates,cn=ipa,cn=etc,$SUFFIX
+default:uniqueness-attribute-name: ipaCertIssuerSerial
+default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
@@ -51,26 +51,26 @@ default:nsslapd-pluginVendor: Fedora Project
# uid uniqueness scopes Active/Delete containers
dn: cn=attribute uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
remove:nsslapd-pluginenabled:off
add:nsslapd-pluginenabled:on
# krbPrincipalName uniqueness scopes Active/Delete containers
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
# krbCanonicalName uniqueness scopes Active/Delete containers
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
# ipaUniqueID uniqueness scopes Active/Delete containers
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py
index a1b4638d64553a82e7e52856c9f703d3971b702d..8769f83a12f9a360e2bf6bba0e843f8e374f1508 100644
--- a/ipaserver/install/plugins/update_uniqueness.py
+++ b/ipaserver/install/plugins/update_uniqueness.py
@@ -18,12 +18,213 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipaserver.install.plugins import MIDDLE
-from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipaserver.install.plugins.baseupdate import PostUpdate, PreUpdate
from ipalib import api, errors
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
+class update_uniqueness_plugins_to_new_syntax(PreUpdate):
+ """
+ Migrate uniqueness plugins to new style syntax
+
+ * OLD: *
+ nsslapd-pluginarg0: uid
+ nsslapd-pluginarg1: dc=people,dc=example,dc=com
+ nsslapd-pluginarg2: dc=sales, dc=example,dc=com
+
+ or
+
+ nsslapd-pluginarg0: attribute=uid
+ nsslapd-pluginarg1: markerobjectclass=organizationalUnit
+ nsslapd-pluginarg2: requiredobjectclass=person
+
+ * NEW: *
+ uniqueness-attribute-name: uid
+ uniqueness-subtrees: dc=people,dc=example,dc=com
+ uniqueness-subtrees: dc=sales, dc=example,dc=com
+ uniqueness-across-all-subtrees: on
+
+ or
+
+ uniqueness-attribute-name: uid
+ uniqueness-top-entry-oc: organizationalUnit
+ uniqueness-subtree-entries-oc: person
+ """
+
+ plugins_dn = DN(('cn', 'plugins'), ('cn', 'config'))
+
+ def __remove_update(self, update, key, value):
+ # ldapupdate uses CSV, use '' for DN value
+ statement = "remove:%s:'%s'" % (key, value)
+ update.setdefault('updates', []).append(statement)
+
+ def __add_update(self, update, key, value):
+ # ldapupdate uses CSV, use '' for DN value
+ statement = "add:%s:'%s'" % (key, value)
+ update.setdefault('updates', []).append(statement)
+
+ def __subtree_style(self, entry):
+ """
+ old attr -> new attr
+ nsslapd-pluginArg0 -> uniqueness-attribute-name
+ nsslapd-pluginArg1..N -> uniqueness-subtrees[1..N]
+ """
+ update = {
+ 'dn': entry.dn,
+ 'updates': [],
+ }
+
+ # nsslapd-pluginArg0 -> referint-update-delay
+ attribute = entry.single_value['nsslapd-pluginArg0']
+ if not attribute:
+ raise ValueError("'nsslapd-pluginArg0' not found")
+ self.__remove_update(update, 'nsslapd-pluginArg0', attribute)
+ self.__add_update(update, 'uniqueness-attribute-name', attribute)
+ entry['nsslapd-pluginArg0'] = None
+
+ # nsslapd-pluginArg1..N -> uniqueness-subtrees[1..N]
+ for key in entry.keys():
+ if key.lower().startswith('nsslapd-pluginarg'):
+ subtree_dn = entry.single_value[key]
+ if subtree_dn:
+ self.__remove_update(update, key, subtree_dn)
+ self.__add_update(update, 'uniqueness-subtrees', subtree_dn)
+
+ return update
+
+ def __objectclass_style(self, entry):
+ """
+ old attr -> new attr
+ nsslapd-pluginArg?[attribute] -> uniqueness-attribute-name
+ nsslapd-pluginArg?[markerobjectclass] -> uniqueness-top-entry-oc
+ nsslapd-pluginArg?[requiredobjectclass](optional)
+ -> uniqueness-subtree-entries-oc
+ nsslapd-pluginArg?[others] -> ERROR: unexpected args
+
+ Single value attributes.
+ """
+
+ update = {
+ 'dn': entry.dn,
+ 'updates': [],
+ }
+
+ attribute = None
+ markerobjectclass = None
+ requiredobjectclass = None
+
+ for key in entry.keys():
+ if key.lower().startswith('nsslapd-pluginarg'):
+ try:
+ # split argument name and value
+ value = entry.single_value[key]
+ arg_name, arg_val = value.split('=', 1)
+ except ValueError:
+ # unable to split
+ raise ValueError("unexpected argument %s: %s" %
+ (key, value))
+ arg_name = arg_name.lower()
+ if arg_name == 'attribute':
+ if attribute:
+ raise ValueError("single value argument 'attribute' "
+ "is specified mutliple times")
+ attribute = arg_val
+ self.__remove_update(update, key, value)
+ elif arg_name == 'markerobjectclass':
+ if markerobjectclass:
+ raise ValueError("single value argument "
+ "'markerobjectclass' "
+ "is specified mutliple times")
+ markerobjectclass = arg_val
+ self.__remove_update(update, key, value)
+ elif arg_name == 'requiredobjectclass':
+ if requiredobjectclass:
+ raise ValueError("single value argument "
+ "'requiredobjectclass' "
+ "is specified mutliple times")
+ requiredobjectclass = arg_val
+ self.__remove_update(update, key, value)
+ else:
+ raise ValueError("unexpected argument '%s: %s'" %
+ (key, value))
+
+ if not attribute:
+ raise ValueError("missing required argument 'attribute'")
+ if not markerobjectclass:
+ raise ValueError("missing required argument 'markerobjectclass'")
+
+ self.__add_update(update, 'uniqueness-attribute-name', attribute)
+ self.__add_update(update, 'uniqueness-top-entry-oc', markerobjectclass)
+
+ if requiredobjectclass:
+ # optional argument
+ self.__add_update(update, 'uniqueness-subtree-entries-oc',
+ requiredobjectclass)
+
+ return update
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ old_style_plugin_search_filter = (
+ "(&"
+ "(objectclass=nsSlapdPlugin)"
+ "(nsslapd-pluginId=NSUniqueAttr)"
+ "(nsslapd-pluginPath=libattr-unique-plugin)"
+ "(nsslapd-pluginarg0=*)" # only entries with old configuration
+ ")"
+ )
+
+ try:
+ entries, truncated = ldap.find_entries(
+ filter=old_style_plugin_search_filter,
+ base_dn=self.plugins_dn,
+ )
+ except errors.NotFound:
+ root_logger.debug("No uniqueness plugin entries with old style "
+ "configuration found")
+ return False, False, []
+
+ update_list = []
+ new_attributes = [
+ 'uniqueness-subtree-entries-oc',
+ 'uniqueness-top-entry-oc',
+ 'uniqueness-attribute-name',
+ 'uniqueness-subtrees',
+ 'uniqueness-across-all-subtrees',
+ ]
+
+ for entry in entries:
+ # test for mixed configuration
+ if any(attr in entry for attr in new_attributes):
+ root_logger.critical("Mixed old and new style configuration "
+ "for plugin %s. Plugin will not work. "
+ "Skipping plugin migration, please fix it "
+ "manually",
+ entry.dn)
+ continue
+ root_logger.debug("Configuration of plugin %s will be migrated "
+ "to new style", entry.dn)
+ try:
+ # detect which configuration was used
+ arg0 = entry.get('nsslapd-pluginarg0')
+ if '=' in arg0:
+ update = self.__objectclass_style(entry)
+ else:
+ update = self.__subtree_style(entry)
+ except ValueError as e:
+ root_logger.error("Unable to migrate configuration of "
+ "plugin %s (%s)",
+ entry.dn, e)
+
+ update_list.append({entry.dn: update})
+
+ return False, True, update_list
+
+api.register(update_uniqueness_plugins_to_new_syntax)
+
+
class update_uid_uniqueness(PostUpdate):
"""
Create plugin configuration to ensure uid uniqueness
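Review bot: In `execute`, the `except ValueError` branch only logs and then falls through to `update_list.append({entry.dn: update})`, so an entry that fails to migrate either raises NameError (when it is the first one) or is appended with the previous entry's `update` dict; add `continue` after the `root_logger.error(...)` call. Separately, `arg0 = entry.get('nsslapd-pluginarg0')` is followed by `'=' in arg0`; if `get()` returns the list of values (the hunk uses `entry.single_value[...]` everywhere else to obtain a string), this is a list-membership test that is never true and the `attribute=`/`markerobjectclass=` form is always routed to `__subtree_style`, which `arg0 = entry.single_value['nsslapd-pluginarg0']` would avoid. These plugins are what enforce unique uid and Kerberos principal values, so an entry that is skipped or mis-migrated should fail the upgrade visibly rather than leave a half-written configuration behind a log line. The comment `# nsslapd-pluginArg0 -> referint-update-delay` in `__subtree_style` looks copied from another plugin and should read `# nsslapd-pluginArg0 -> uniqueness-attribute-name`.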
--
2.1.0
From 99cfd98e05ab32fea456314d0685005ea5ade419 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Mon, 23 Feb 2015 17:46:46 +0100
Subject: [PATCH 2/2] Fix uniqueness plugins
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid
* remove unneeded update plugins -> update was moved to .update file
* add uniqueness-across-all-subtrees required by user lifecycle
management
---
install/share/unique-attributes.ldif | 30 +++------
install/updates/10-uniqueness.update | 54 ++++++++++-----
ipaserver/install/plugins/update_uniqueness.py | 91 --------------------------
3 files changed, 48 insertions(+), 127 deletions(-)
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index ea38ac75310403d9deef8ea0b8ccb6e70b9e57fe..7e1e53fbcef10805c1a3e893a96aa0bb638d10ae 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -9,12 +9,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
uniqueness-attribute-name: krbPrincipalName
-uniqueness-subtrees: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
changetype: add
@@ -27,12 +29,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
uniqueness-attribute-name: krbCanonicalName
-uniqueness-subtrees: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
dn: cn=netgroup uniqueness,cn=plugins,cn=config
changetype: add
@@ -63,12 +67,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
uniqueness-attribute-name: ipaUniqueID
-uniqueness-subtrees: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
dn: cn=sudorule name uniqueness,cn=plugins,cn=config
changetype: add
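Review bot: The `cn=ipaUniqueID uniqueness` entry now checks only `cn=accounts,$SUFFIX` and the deleted-users container instead of the whole `$SUFFIX`, and nothing in the file records why. If ipaUniqueID is also assigned to entries stored outside `cn=accounts` (rules, netgroups and similar), those values are no longer checked for duplicates on a fresh install; the same narrowing is applied to the krbPrincipalName and krbCanonicalName entries in the two hunks above. A comment above each entry, for example `# uniqueness is enforced across the Active and Delete user containers only`, would make clear that the narrower scope is deliberate.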
@@ -87,21 +93,3 @@ nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
-
-#dn: cn=uid uniqueness,cn=plugins,cn=config
-#objectClass: top
-#objectClass: nsSlapdPlugin
-#objectClass: extensibleObject
-#cn: uid uniqueness
-#nsslapd-pluginPath: libattr-unique-plugin
-#nsslapd-pluginInitfunc: NSUniqueAttr_Init
-#nsslapd-pluginType: preoperation
-#nsslapd-pluginEnabled: on
-#uniqueness-attribute-name: uid
-#uniqueness-subtrees: cn=accounts,$SUFFIX
-#nsslapd-plugin-depends-on-type: database
-#nsslapd-pluginId: NSUniqueAttr
-#nsslapd-pluginVersion: 1.1.0
-#nsslapd-pluginVendor: Fedora Project
-#nsslapd-pluginDescription: Enforce unique attribute values
-#
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index b6e2fff6db8c2da9b6303e183fa92e807eab929a..7bb0f4c398505d02959f4a7c1355cca13be480df 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -49,28 +49,52 @@ default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
+dn: cn=uid uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: uid uniqueness
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: uid
+default:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+default:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+default:uniqueness-across-all-subtrees: on
+default:uniqueness-subtree-entries-oc: posixAccount
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+default:nsslapd-pluginDescription: Enforce unique attribute values
+
# uid uniqueness scopes Active/Delete containers
-dn: cn=attribute uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
-remove:nsslapd-pluginenabled:off
-add:nsslapd-pluginenabled:on
+dn: cn=uid uniqueness,cn=plugins,cn=config
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-across-all-subtrees: off
+add:uniqueness-across-all-subtrees: on
+add:uniqueness-subtree-entries-oc: posixAccount
# krbPrincipalName uniqueness scopes Active/Delete containers
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
# krbCanonicalName uniqueness scopes Active/Delete containers
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
# ipaUniqueID uniqueness scopes Active/Delete containers
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
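Review bot: The new `cn=uid uniqueness` defaults set `nsslapd-pluginType: preoperation`, while the `update_uid_uniqueness` template this entry replaces (removed later in this patch) created it as `betxnpreoperation`. As far as I know a betxn plugin runs its check inside the backend transaction, so the plain preoperation type may allow two concurrent adds of the same uid to both pass; if the change is not intended, keep `default:nsslapd-pluginType: betxnpreoperation`. The quoted DN values with a space after the colon (`default:uniqueness-subtrees: 'cn=accounts,$SUFFIX'`) also differ from the unquoted `default:uniqueness-subtrees:` lines earlier in this file, so it is worth confirming that ldapupdate parses both forms to the same value.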
diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py
index 8769f83a12f9a360e2bf6bba0e843f8e374f1508..3017d5ac13b223a80ad1171d5adcde8fb4343562 100644
--- a/ipaserver/install/plugins/update_uniqueness.py
+++ b/ipaserver/install/plugins/update_uniqueness.py
@@ -223,94 +223,3 @@ class update_uniqueness_plugins_to_new_syntax(PreUpdate):
return False, True, update_list
api.register(update_uniqueness_plugins_to_new_syntax)
-
-
-class update_uid_uniqueness(PostUpdate):
- """
- Create plugin configuration to ensure uid uniqueness
- """
- order = MIDDLE
-
- uid_uniqueness_dn = DN(('cn', 'uid uniqueness'), ('cn', 'plugins'), ('cn', 'config'))
-
- uid_uniqueness_template = {
- 'objectClass' : ["top", "nsSlapdPlugin", "extensibleObject"],
- 'cn' : 'uid uniqueness',
- 'nsslapd-pluginPath' : 'libattr-unique-plugin',
- 'nsslapd-pluginInitfunc' : 'NSUniqueAttr_Init',
- 'nsslapd-pluginType' : 'betxnpreoperation',
- 'nsslapd-pluginEnabled' : 'on',
- 'uniqueness-attribute-name' : 'uid',
- 'uniqueness-subtrees' : 'dc=example,dc=com',
- 'uniqueness-across-all-subtrees': 'off',
- 'uniqueness-subtree-entries-oc' : 'posixAccount',
- 'nsslapd-plugin-depends-on-type': 'database',
- 'nsslapd-pluginId' : 'none',
- 'nsslapd-pluginVersion' : 'none',
- 'nsslapd-pluginVendor' : 'none',
- 'nsslapd-pluginDescription' : 'none',
- }
-
- def execute(self, **options):
- ldap = self.obj.backend
-
- config_dn = DN(('cn','config'))
- search_filter = ("(&(objectclass=nsslapdplugin)"
- "(nsslapd-pluginpath=libattr-unique-plugin)"
- "(nsslapd-pluginInitfunc=NSUniqueAttr_Init)"
- "(!(nsslapd-pluginenabled=off))"
- "(|(uniqueness-attribute-name=uid)(nsslapd-plugarg0=uid)))")
- root_logger.debug("update_uid_uniqueness: search for existing uid uniqueness "
- "configuration")
-
- try:
- (entries, truncated) = ldap.find_entries(search_filter, ['*'], config_dn,
- time_limit=0, size_limit=0)
- except errors.NotFound:
- # add entry
- entries = []
- except errors.ExecutionError, e:
- root_logger.error("update_uid_uniqueness: cannot retrieve "
- "list of uniqueness plugin instances: %s", e)
- return (False, False, [])
-
- if len(entries) > 1:
- root_logger.error("update_uid_uniqueness: found more than one uid "
- "uniqueness plugin definition: %s", [str(x.dn) for x in entries])
- return (False, False, [])
-
- error = False
- if not entries:
- root_logger.debug("update_uid_uniqueness: adding new uid uniqueness "
- "plugin definition")
- uid_uniqueness_plugin_attrs = dict(self.uid_uniqueness_template)
- uid_uniqueness_plugin_attrs['uniqueness-subtrees'] = api.env.basedn
- uid_uniqueness_plugin = ldap.make_entry(self.uid_uniqueness_dn, uid_uniqueness_plugin_attrs)
-
- try:
- ldap.add_entry(uid_uniqueness_plugin)
- except errors.ExecutionError, e:
- root_logger.debug("update_uid_uniqueness: cannot "
- "create uid uniqueness plugin entry: %s", e)
- error = True
- else:
- root_logger.debug("update_uid_uniqueness: updating existing uid uniqueness "
- "plugin definition")
- uid_uniqueness_plugin_attrs = dict(self.uid_uniqueness_template)
- uid_uniqueness_plugin_attrs['uniqueness-subtrees'] = api.env.basedn
- uid_uniqueness_plugin_attrs['cn'] = entries[0]['cn']
- uid_uniqueness_plugin = ldap.make_entry(entries[0].dn, uid_uniqueness_plugin_attrs)
-
- try:
- ldap.update_entry(uid_uniqueness_plugin)
- except errors.ExecutionError, e:
- root_logger.debug("update_uid_uniqueness: cannot "
- "update uid uniqueness plugin entry: %s", e)
- error = True
-
- if error:
- root_logger.error("update_uid_uniqueness: error(s)"
- "detected during plugin update")
- return (True, False, [])
-
-api.register(update_uid_uniqueness)
--
2.1.0