Modifications:
* All plugins are migrated into new configuration style.
* I left the attribute uniqueness plugin disabled; cn=uid uniqueness,cn=plugins,cn=config is checking the same attribute.
* POST_UPDATE plugin for uid removed, I moved it to the update file. Is it okay, Alexander? I haven't found a reason why we need to do it in an update plugin.


Thierry, I touched the configuration of plugins which user lifecycle requires; can you take a look to check that it does not break anything?

Patches attached.

--
Martin Basti

From a8e1c7874acaa3b0fe9bd3ae316379ca3ddb95dc Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 23 Feb 2015 16:09:25 +0100
Subject: [PATCH 1/2] Migrate uniquess plugins configuration to new style

New configuration style contains options required for user lifecycle
management.
---
 install/share/unique-attributes.ldif           |  24 +--
 install/updates/10-uniqueness.update           |  36 ++---
 ipaserver/install/plugins/update_uniqueness.py | 203 ++++++++++++++++++++++++-
 3 files changed, 232 insertions(+), 31 deletions(-)

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 0e680a0e45b455469f9be9555aed1e63f1d97faf..ea38ac75310403d9deef8ea0b8ccb6e70b9e57fe 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -8,8 +8,8 @@ nsslapd-pluginPath: libattr-unique-plugin
 nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: krbPrincipalName
-nsslapd-pluginarg1: $SUFFIX
+uniqueness-attribute-name: krbPrincipalName
+uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
@@ -26,8 +26,8 @@ nsslapd-pluginPath: libattr-unique-plugin
 nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: krbCanonicalName
-nsslapd-pluginarg1: $SUFFIX
+uniqueness-attribute-name: krbCanonicalName
+uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
@@ -44,8 +44,8 @@ nsslapd-pluginPath: libattr-unique-plugin
 nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: cn
-nsslapd-pluginarg1: cn=ng,cn=alt,$SUFFIX
+uniqueness-attribute-name: cn
+uniqueness-subtrees: cn=ng,cn=alt,$SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
@@ -62,8 +62,8 @@ nsslapd-pluginPath: libattr-unique-plugin
 nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: ipaUniqueID
-nsslapd-pluginarg1: $SUFFIX
+uniqueness-attribute-name: ipaUniqueID
+uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
@@ -81,8 +81,8 @@ nsslapd-pluginPath: libattr-unique-plugin
 nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: cn
-nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+uniqueness-attribute-name: cn
+uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
@@ -97,8 +97,8 @@ nsslapd-pluginVendor: Fedora Project
 #nsslapd-pluginInitfunc: NSUniqueAttr_Init
 #nsslapd-pluginType: preoperation
 #nsslapd-pluginEnabled: on
-#nsslapd-pluginarg0: uid
-#nsslapd-pluginarg1: cn=accounts,$SUFFIX
+#uniqueness-attribute-name: uid
+#uniqueness-subtrees: cn=accounts,$SUFFIX
 #nsslapd-plugin-depends-on-type: database
 #nsslapd-pluginId: NSUniqueAttr
 #nsslapd-pluginVersion: 1.1.0
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index c9641c47fabdffdc278216b38abd606745781d41..b6e2fff6db8c2da9b6303e183fa92e807eab929a 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -8,8 +8,8 @@ default:nsslapd-pluginPath: libattr-unique-plugin
 default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
 default:nsslapd-pluginType: preoperation
 default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginarg0: cn
-default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
+default:uniqueness-attribute-name: cn
+default:uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
 default:nsslapd-plugin-depends-on-type: database
 default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
@@ -25,8 +25,8 @@ default:nsslapd-pluginPath: libattr-unique-plugin
 default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
 default:nsslapd-pluginType: preoperation
 default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginarg0: ipaCertSubject
-default:nsslapd-pluginarg1: cn=certificates,cn=ipa,cn=etc,$SUFFIX
+default:uniqueness-attribute-name: ipaCertSubject
+default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
 default:nsslapd-plugin-depends-on-type: database
 default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
@@ -42,8 +42,8 @@ default:nsslapd-pluginPath: libattr-unique-plugin
 default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
 default:nsslapd-pluginType: preoperation
 default:nsslapd-pluginEnabled: on
-default:nsslapd-pluginarg0: ipaCertIssuerSerial
-default:nsslapd-pluginarg1: cn=certificates,cn=ipa,cn=etc,$SUFFIX
+default:uniqueness-attribute-name: ipaCertIssuerSerial
+default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
 default:nsslapd-plugin-depends-on-type: database
 default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
@@ -51,26 +51,26 @@ default:nsslapd-pluginVendor: Fedora Project
 
 # uid uniqueness scopes Active/Delete containers
 dn: cn=attribute uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
 remove:nsslapd-pluginenabled:off
 add:nsslapd-pluginenabled:on
 
 # krbPrincipalName uniqueness scopes Active/Delete containers
 dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
 
 # krbCanonicalName uniqueness scopes Active/Delete containers
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
 
 # ipaUniqueID uniqueness scopes Active/Delete containers
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:nsslapd-pluginarg1:'$SUFFIX'
-add:nsslapd-pluginarg1:'cn=accounts,$SUFFIX'
-add:nsslapd-pluginarg2:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees:'$SUFFIX'
+add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
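Review bot: These `remove:`/`add:uniqueness-subtrees` statements assume every targeted entry has already been converted by the pre-update migration plugin added in this patch. That plugin skips an entry on a mixed configuration or a `ValueError`, and these lines would then add new-style attributes next to the remaining `nsslapd-pluginarg*` values, which the plugin's own log message describes as a configuration that will not work. A uniqueness plugin that does not work would presumably stop rejecting duplicate `uid` or `krbPrincipalName` values, so the dependency should be explicit. A comment above the first `dn:` block would do, such as `# requires update_uniqueness_plugins_to_new_syntax to have migrated the entry first`.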
diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py
index a1b4638d64553a82e7e52856c9f703d3971b702d..8769f83a12f9a360e2bf6bba0e843f8e374f1508 100644
--- a/ipaserver/install/plugins/update_uniqueness.py
+++ b/ipaserver/install/plugins/update_uniqueness.py
@@ -18,12 +18,213 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipaserver.install.plugins import MIDDLE
-from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipaserver.install.plugins.baseupdate import PostUpdate, PreUpdate
 from ipalib import api, errors
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
 
 
+class update_uniqueness_plugins_to_new_syntax(PreUpdate):
+    """
+    Migrate uniqueness plugins to new style syntax
+
+    * OLD: *
+    nsslapd-pluginarg0: uid
+    nsslapd-pluginarg1: dc=people,dc=example,dc=com
+    nsslapd-pluginarg2: dc=sales, dc=example,dc=com
+
+    or
+
+    nsslapd-pluginarg0: attribute=uid
+    nsslapd-pluginarg1: markerobjectclass=organizationalUnit
+    nsslapd-pluginarg2: requiredobjectclass=person
+
+    * NEW: *
+    uniqueness-attribute-name: uid
+    uniqueness-subtrees: dc=people,dc=example,dc=com
+    uniqueness-subtrees: dc=sales, dc=example,dc=com
+    uniqueness-across-all-subtrees: on
+
+    or
+
+    uniqueness-attribute-name: uid
+    uniqueness-top-entry-oc: organizationalUnit
+    uniqueness-subtree-entries-oc: person
+    """
+
+    plugins_dn = DN(('cn', 'plugins'), ('cn', 'config'))
+
+    def __remove_update(self, update, key, value):
+        # ldapupdate uses CSV, use '' for DN value
+        statement = "remove:%s:'%s'" % (key, value)
+        update.setdefault('updates', []).append(statement)
+
+    def __add_update(self, update, key, value):
+        # ldapupdate uses CSV, use '' for DN value
+        statement = "add:%s:'%s'" % (key, value)
+        update.setdefault('updates', []).append(statement)
+
+    def __subtree_style(self, entry):
+        """
+        old attr              -> new attr
+        nsslapd-pluginArg0    -> uniqueness-attribute-name
+        nsslapd-pluginArg1..N    -> uniqueness-subtrees[1..N]
+        """
+        update = {
+            'dn': entry.dn,
+            'updates': [],
+        }
+
+        # nsslapd-pluginArg0    -> referint-update-delay
+        attribute = entry.single_value['nsslapd-pluginArg0']
+        if not attribute:
+            raise ValueError("'nsslapd-pluginArg0' not found")
+        self.__remove_update(update, 'nsslapd-pluginArg0', attribute)
+        self.__add_update(update, 'uniqueness-attribute-name', attribute)
+        entry['nsslapd-pluginArg0'] = None
+
+        # nsslapd-pluginArg1..N    -> uniqueness-subtrees[1..N]
+        for key in entry.keys():
+            if key.lower().startswith('nsslapd-pluginarg'):
+                subtree_dn = entry.single_value[key]
+                if subtree_dn:
+                    self.__remove_update(update, key, subtree_dn)
+                    self.__add_update(update, 'uniqueness-subtrees', subtree_dn)
+
+        return update
+
+    def __objectclass_style(self, entry):
+        """
+        old attr              -> new attr
+        nsslapd-pluginArg?[attribute]           -> uniqueness-attribute-name
+        nsslapd-pluginArg?[markerobjectclass]   -> uniqueness-top-entry-oc
+        nsslapd-pluginArg?[requiredobjectclass](optional)
+                                                -> uniqueness-subtree-entries-oc
+        nsslapd-pluginArg?[others]              -> ERROR: unexpected args
+
+        Single value attributes.
+        """
+
+        update = {
+            'dn': entry.dn,
+            'updates': [],
+        }
+
+        attribute = None
+        markerobjectclass = None
+        requiredobjectclass = None
+
+        for key in entry.keys():
+            if key.lower().startswith('nsslapd-pluginarg'):
+                try:
+                    # split argument name and value
+                    value = entry.single_value[key]
+                    arg_name, arg_val = value.split('=', 1)
+                except ValueError:
+                    # unable to split
+                    raise ValueError("unexpected argument %s: %s" %
+                                     (key, value))
+                arg_name = arg_name.lower()
+                if arg_name == 'attribute':
+                    if attribute:
+                        raise ValueError("single value argument 'attribute' "
+                                         "is specified mutliple times")
+                    attribute = arg_val
+                    self.__remove_update(update, key, value)
+                elif arg_name == 'markerobjectclass':
+                    if markerobjectclass:
+                        raise ValueError("single value argument "
+                                         "'markerobjectclass' "
+                                         "is specified mutliple times")
+                    markerobjectclass = arg_val
+                    self.__remove_update(update, key, value)
+                elif arg_name == 'requiredobjectclass':
+                    if requiredobjectclass:
+                        raise ValueError("single value argument "
+                                         "'requiredobjectclass' "
+                                         "is specified mutliple times")
+                    requiredobjectclass = arg_val
+                    self.__remove_update(update, key, value)
+                else:
+                    raise ValueError("unexpected argument '%s: %s'" %
+                                     (key, value))
+
+        if not attribute:
+            raise ValueError("missing required argument 'attribute'")
+        if not markerobjectclass:
+            raise ValueError("missing required argument 'markerobjectclass'")
+
+        self.__add_update(update, 'uniqueness-attribute-name', attribute)
+        self.__add_update(update, 'uniqueness-top-entry-oc', markerobjectclass)
+
+        if requiredobjectclass:
+            # optional argument
+            self.__add_update(update, 'uniqueness-subtree-entries-oc',
+                              requiredobjectclass)
+
+        return update
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+
+        old_style_plugin_search_filter = (
+            "(&"
+            "(objectclass=nsSlapdPlugin)"
+            "(nsslapd-pluginId=NSUniqueAttr)"
+            "(nsslapd-pluginPath=libattr-unique-plugin)"
+            "(nsslapd-pluginarg0=*)"  # only entries with old configuration
+            ")"
+        )
+
+        try:
+            entries, truncated = ldap.find_entries(
+                filter=old_style_plugin_search_filter,
+                base_dn=self.plugins_dn,
+            )
+        except errors.NotFound:
+            root_logger.debug("No uniqueness plugin entries with old style "
+                              "configuration found")
+            return False, False, []
+
+        update_list = []
+        new_attributes = [
+            'uniqueness-subtree-entries-oc',
+            'uniqueness-top-entry-oc',
+            'uniqueness-attribute-name',
+            'uniqueness-subtrees',
+            'uniqueness-across-all-subtrees',
+        ]
+
+        for entry in entries:
+            # test for mixed configuration
+            if any(attr in entry for attr in new_attributes):
+                root_logger.critical("Mixed old and new style configuration "
+                                     "for plugin %s. Plugin will not work. "
+                                     "Skipping plugin migration, please fix it "
+                                     "manually",
+                                     entry.dn)
+                continue
+            root_logger.debug("Configuration of plugin %s will be migrated "
+                             "to new style", entry.dn)
+            try:
+                # detect which configuration was used
+                arg0 = entry.get('nsslapd-pluginarg0')
+                if '=' in arg0:
+                    update = self.__objectclass_style(entry)
+                else:
+                    update = self.__subtree_style(entry)
+            except ValueError as e:
+                root_logger.error("Unable to migrate configuration of "
+                                  "plugin %s (%s)",
+                                  entry.dn, e)
+
+            update_list.append({entry.dn: update})
+
+        return False, True, update_list
+
+api.register(update_uniqueness_plugins_to_new_syntax)
+
+
 class update_uid_uniqueness(PostUpdate):
     """
     Create plugin configuration to ensure uid uniqueness
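Review bot: In `execute`, the `except ValueError` branch only logs and then falls through to `update_list.append({entry.dn: update})`, so a failed migration either raises on an unbound `update` (first entry) or queues the previous entry's statements under this entry's DN; add `continue` after the `root_logger.error(...)` call. The style detection `'=' in arg0` also looks off: the helpers read values through `entry.single_value[...]`, which suggests `entry.get(...)` returns a list, in which case the test is list membership and the objectclass branch is never taken; `arg0 = entry.single_value['nsslapd-pluginarg0']` would test the string. In `__subtree_style` the comment `# nsslapd-pluginArg0    -> referint-update-delay` names the wrong attribute and should read `# nsslapd-pluginArg0    -> uniqueness-attribute-name`. The hunk ends inside the unchanged `update_uid_uniqueness` class.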
-- 
2.1.0

From 99cfd98e05ab32fea456314d0685005ea5ade419 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 23 Feb 2015 17:46:46 +0100
Subject: [PATCH 2/2] Fix uniqueness plugins

* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid

* remove unneeded update plugins -> update was moved to .update file

* add uniqueness-across-all-subtrees required by user lifecycle
management
---
 install/share/unique-attributes.ldif           | 30 +++------
 install/updates/10-uniqueness.update           | 54 ++++++++++-----
 ipaserver/install/plugins/update_uniqueness.py | 91 --------------------------
 3 files changed, 48 insertions(+), 127 deletions(-)

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index ea38ac75310403d9deef8ea0b8ccb6e70b9e57fe..7e1e53fbcef10805c1a3e893a96aa0bb638d10ae 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -9,12 +9,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 uniqueness-attribute-name: krbPrincipalName
-uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
 
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
 changetype: add
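Review bot: Replacing `uniqueness-subtrees: $SUFFIX` with the two account containers narrows where `krbPrincipalName` uniqueness is enforced, and the same change is made for `krbCanonicalName` and `ipaUniqueID` in the next two hunks. Entries carrying these attributes elsewhere under the suffix would no longer be checked against the ones in `cn=accounts`, so it is worth confirming no such entries are expected and recording the reason in a comment above each entry, e.g. `# scope limited to active and deleted accounts for user lifecycle`. The entry itself starts above the hunk.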
@@ -27,12 +29,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 uniqueness-attribute-name: krbCanonicalName
-uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
 
 dn: cn=netgroup uniqueness,cn=plugins,cn=config
 changetype: add
@@ -63,12 +67,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 uniqueness-attribute-name: ipaUniqueID
-uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
 
 dn: cn=sudorule name uniqueness,cn=plugins,cn=config
 changetype: add
@@ -87,21 +93,3 @@ nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
-
-#dn: cn=uid uniqueness,cn=plugins,cn=config
-#objectClass: top
-#objectClass: nsSlapdPlugin
-#objectClass: extensibleObject
-#cn: uid uniqueness
-#nsslapd-pluginPath: libattr-unique-plugin
-#nsslapd-pluginInitfunc: NSUniqueAttr_Init
-#nsslapd-pluginType: preoperation
-#nsslapd-pluginEnabled: on
-#uniqueness-attribute-name: uid
-#uniqueness-subtrees: cn=accounts,$SUFFIX
-#nsslapd-plugin-depends-on-type: database
-#nsslapd-pluginId: NSUniqueAttr
-#nsslapd-pluginVersion: 1.1.0
-#nsslapd-pluginVendor: Fedora Project
-#nsslapd-pluginDescription: Enforce unique attribute values
-#
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index b6e2fff6db8c2da9b6303e183fa92e807eab929a..7bb0f4c398505d02959f4a7c1355cca13be480df 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -49,28 +49,52 @@ default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
 default:nsslapd-pluginVendor: Fedora Project
 
+dn: cn=uid uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: uid uniqueness
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: uid
+default:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+default:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+default:uniqueness-across-all-subtrees: on
+default:uniqueness-subtree-entries-oc: posixAccount
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+default:nsslapd-pluginDescription: Enforce unique attribute values
+
 # uid uniqueness scopes Active/Delete containers
-dn: cn=attribute uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
-remove:nsslapd-pluginenabled:off
-add:nsslapd-pluginenabled:on
+dn: cn=uid uniqueness,cn=plugins,cn=config
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-across-all-subtrees: off
+add:uniqueness-across-all-subtrees: on
+add:uniqueness-subtree-entries-oc: posixAccount
 
 # krbPrincipalName uniqueness scopes Active/Delete containers
 dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
 
 # krbCanonicalName uniqueness scopes Active/Delete containers
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
 
 # ipaUniqueID uniqueness scopes Active/Delete containers
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
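Review bot: The new `cn=uid uniqueness` entry is created with `default:nsslapd-pluginType: preoperation`, while the Python template this series deletes from `update_uniqueness.py` used `betxnpreoperation` for the same entry. If the transaction-aware type was deliberate there, this line should read `default:nsslapd-pluginType: betxnpreoperation`; otherwise the commit message should say the type change is intended. The statements in this hunk also switch to a space before the quoted value (`add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'`) whereas the migration plugin emits `add:%s:'%s'`; it is worth confirming the update parser treats both forms the same.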
diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py
index 8769f83a12f9a360e2bf6bba0e843f8e374f1508..3017d5ac13b223a80ad1171d5adcde8fb4343562 100644
--- a/ipaserver/install/plugins/update_uniqueness.py
+++ b/ipaserver/install/plugins/update_uniqueness.py
@@ -223,94 +223,3 @@ class update_uniqueness_plugins_to_new_syntax(PreUpdate):
         return False, True, update_list
 
 api.register(update_uniqueness_plugins_to_new_syntax)
-
-
-class update_uid_uniqueness(PostUpdate):
-    """
-    Create plugin configuration to ensure uid uniqueness
-    """
-    order = MIDDLE
-
-    uid_uniqueness_dn = DN(('cn', 'uid uniqueness'), ('cn', 'plugins'), ('cn', 'config'))
-
-    uid_uniqueness_template = {
-     'objectClass'                   : ["top", "nsSlapdPlugin", "extensibleObject"],
-     'cn'                            : 'uid uniqueness',
-     'nsslapd-pluginPath'            : 'libattr-unique-plugin',
-     'nsslapd-pluginInitfunc'        : 'NSUniqueAttr_Init',
-     'nsslapd-pluginType'            : 'betxnpreoperation',
-     'nsslapd-pluginEnabled'         : 'on',
-     'uniqueness-attribute-name'     : 'uid',
-     'uniqueness-subtrees'           : 'dc=example,dc=com',
-     'uniqueness-across-all-subtrees': 'off',
-     'uniqueness-subtree-entries-oc' : 'posixAccount',
-     'nsslapd-plugin-depends-on-type': 'database',
-     'nsslapd-pluginId'              : 'none',
-     'nsslapd-pluginVersion'         : 'none',
-     'nsslapd-pluginVendor'          : 'none',
-     'nsslapd-pluginDescription'     : 'none',
-    }
-
-    def execute(self, **options):
-        ldap = self.obj.backend
-
-        config_dn = DN(('cn','config'))
-        search_filter = ("(&(objectclass=nsslapdplugin)"
-                           "(nsslapd-pluginpath=libattr-unique-plugin)"
-                           "(nsslapd-pluginInitfunc=NSUniqueAttr_Init)"
-                           "(!(nsslapd-pluginenabled=off))"
-                           "(|(uniqueness-attribute-name=uid)(nsslapd-plugarg0=uid)))")
-        root_logger.debug("update_uid_uniqueness: search for existing uid uniqueness "
-                          "configuration")
-
-        try:
-            (entries, truncated) = ldap.find_entries(search_filter, ['*'], config_dn,
-                                                     time_limit=0, size_limit=0)
-        except errors.NotFound:
-            # add entry
-            entries = []
-        except errors.ExecutionError, e:
-            root_logger.error("update_uid_uniqueness: cannot retrieve "
-                              "list of uniqueness plugin instances: %s", e)
-            return (False, False, [])
-
-        if len(entries) > 1:
-            root_logger.error("update_uid_uniqueness: found more than one uid "
-                              "uniqueness plugin definition: %s", [str(x.dn) for x in entries])
-            return (False, False, [])
-
-        error = False
-        if not entries:
-            root_logger.debug("update_uid_uniqueness: adding new uid uniqueness "
-                              "plugin definition")
-            uid_uniqueness_plugin_attrs = dict(self.uid_uniqueness_template)
-            uid_uniqueness_plugin_attrs['uniqueness-subtrees'] = api.env.basedn
-            uid_uniqueness_plugin = ldap.make_entry(self.uid_uniqueness_dn, uid_uniqueness_plugin_attrs)
-
-            try:
-                ldap.add_entry(uid_uniqueness_plugin)
-            except errors.ExecutionError, e:
-                root_logger.debug("update_uid_uniqueness: cannot "
-                                  "create uid uniqueness plugin entry: %s", e)
-                error = True
-        else:
-            root_logger.debug("update_uid_uniqueness: updating existing uid uniqueness "
-                              "plugin definition")
-            uid_uniqueness_plugin_attrs = dict(self.uid_uniqueness_template)
-            uid_uniqueness_plugin_attrs['uniqueness-subtrees'] = api.env.basedn
-            uid_uniqueness_plugin_attrs['cn'] = entries[0]['cn']
-            uid_uniqueness_plugin = ldap.make_entry(entries[0].dn, uid_uniqueness_plugin_attrs)
-
-            try:
-                ldap.update_entry(uid_uniqueness_plugin)
-            except errors.ExecutionError, e:
-                root_logger.debug("update_uid_uniqueness: cannot "
-                                  "update uid uniqueness plugin entry: %s", e)
-                error = True
-
-        if error:
-            root_logger.error("update_uid_uniqueness: error(s)"
-                              "detected during plugin update")
-        return (True, False, [])
-
-api.register(update_uid_uniqueness)
-- 
2.1.0
