On 12/05/15 18:23, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/4921
To test this, the mkosek/freeipa-master copr repo with 389-ds-base
1.3.4.0 is needed.
All previous changes to uniqueness plugins were made just in master
branch so upgrade will not work correctly from master to newer master.
From IPA 4.1 to master should work as expected.
Patch attached.
Updated patch attached.
--
Martin Basti
From df2f521473a7e4f2438f675e4328ee59c8cf4617 Mon Sep 17 00:00:00 2001
From: Martin Basti <[email protected]>
Date: Tue, 12 May 2015 18:11:07 +0200
Subject: [PATCH] Server Upgrade: Fix uniqueness plugins
Due to previous changes (in master branch only) the uniqueness plugins
became misconfigured.
After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are excluded from check
This reverts some changes in commit
52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb
Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.
https://fedorahosted.org/freeipa/ticket/4921
---
freeipa.spec.in | 6 +++---
install/share/unique-attributes.ldif | 12 ++++++------
install/updates/10-uniqueness.update | 20 ++++++--------------
3 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..73736455655a100a2febef8e86db2c5a2f2419c9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -34,7 +34,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.3.9
+BuildRequires: 389-ds-base-devel >= 1.3.4.a1
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= 2.1.12-5
BuildRequires: systemd-units
@@ -109,7 +109,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.3.9
+Requires: 389-ds-base >= 1.3.4.a1
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
@@ -144,7 +144,7 @@ Requires: zip
Requires: policycoreutils >= 2.1.12-5
Requires: tar
Requires(pre): certmonger >= 0.76.8
-Requires(pre): 389-ds-base >= 1.3.3.9
+Requires(pre): 389-ds-base >= 1.3.4.a1
Requires: fontawesome-fonts
Requires: open-sans-fonts
Requires: openssl
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 7e1e53fbcef10805c1a3e893a96aa0bb638d10ae..60f2c3470b3f2be7860c2bcc20babb07904f9b0c 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -14,8 +14,8 @@ nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
uniqueness-across-all-subtrees: on
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
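Review bot: The new `uniqueness-exclude-subtrees` line takes `cn=staged users,cn=accounts,cn=provisioning,$SUFFIX` out of the check, but nothing in the file says where uniqueness is enforced once such an entry leaves staging. A staged entry can now carry a value that already exists on an active entry, so the guarantee presumably rests on the plugin rejecting the duplicate when the entry is added or moved into the checked part of the tree; that step is not visible in this patch. I would add an LDIF comment next to the attribute, for example `# staged users are excluded; a duplicate must be rejected when the entry is activated`, and cover activation of a staged user with a conflicting value in a test. The entry being changed starts above the hunk, and the same point applies to the hunks at -34 and -72 and to both hunks of install/updates/10-uniqueness.update.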
@@ -34,8 +34,8 @@ nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
uniqueness-across-all-subtrees: on
dn: cn=netgroup uniqueness,cn=plugins,cn=config
@@ -72,8 +72,8 @@ nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
uniqueness-across-all-subtrees: on
dn: cn=sudorule name uniqueness,cn=plugins,cn=config
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 2c9f1c555e1df6f0762e78058ac42f301f695774..dd8ec3a752f857cecc4e1b71cc3893a7497c4338 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -59,8 +59,8 @@ default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
default:uniqueness-attribute-name: uid
-default:uniqueness-subtrees: cn=accounts,$SUFFIX
-default:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+default:uniqueness-subtrees: $SUFFIX
+default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
default:uniqueness-across-all-subtrees: on
default:uniqueness-subtree-entries-oc: posixAccount
default:nsslapd-plugin-depends-on-type: database
@@ -71,30 +71,22 @@ default:nsslapd-pluginDescription: Enforce unique attribute values
# uid uniqueness scopes Active/Delete containers
dn: cn=uid uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
remove:uniqueness-across-all-subtrees: off
add:uniqueness-across-all-subtrees: on
add:uniqueness-subtree-entries-oc: posixAccount
# krbPrincipalName uniqueness scopes Active/Delete containers
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# krbCanonicalName uniqueness scopes Active/Delete containers
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# ipaUniqueID uniqueness scopes Active/Delete containers
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
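Review bot: The four context comments of the form `# uid uniqueness scopes Active/Delete containers` are stale after this hunk, because the explicit `cn=accounts` and `cn=deleted users` subtrees are dropped and only the staged-users exclusion is added. They should be reworded along the lines of `# uid uniqueness covers the whole $SUFFIX, staged users excluded`, and likewise for krbPrincipalName, krbCanonicalName and ipaUniqueID. Anyone auditing which containers the uniqueness plugins actually check will read these comments first, so they need to match the configured scope.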
--
2.1.0