On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
> On Fri, 04 Mar 2016, Martin Kosek wrote:
>> Hi Alexander and others,
>>
>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or
>> older will be able to disable the sudoers schema compatibility tree
>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>
>> Right now, I am only aware of an attribute to disable the whole Schema Compat
>> plugin (exposed via ipa-compat-manage tool), but this would not fly for
>> people with legacy clients reading from Compat tree.
>>
>> I am thinking, is there an easy way we can recommend to admins on how to
>> disable just certain Schema Compatibility rules? Ideally having a config
>> option something like:
>>
>> schema-compat-enabled: on|off
>>
>> That could be changed via ldapmodify.
>>
>> [1] https://fedorahosted.org/sssd/ticket/1108
> There is nothing like that in slapi-nis. If you want to remove container
> configuration, you just remove it.
>
> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config"'
> is our simplest way.
>
> One can create an update file for ipa-ldap-updater, for example:
> --8<--8<--8<--8<--8<--8<--8<--
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> -->8-->8-->8-->8-->8-->8-->8--
>
> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update

This is what I was afraid of...

> I'm not sure if running server upgrade would not restore the
> configuration, though.

I think it would.

> On the other hand, if no users are going to use the configuration, it
> should not hurt anymore to have it enabled. With current slapi-nis state
> there should be no problems anymore.

Well, slapi-nis will still maintain the memory cache, AFAIK.

How difficult would it be to implement schema-compat-enabled: on|off ? It seems
to me to be the best way forward.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
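The thread above proposes two things: removing a Schema Compatibility container with an ipa-ldap-updater `deleteentry` file, and worries that a later server upgrade may silently put the container back. The script below is an added example, not code from the thread or from FreeIPA/slapi-nis. It writes an update file in the format Alexander quoted for any compat container (sudoers is one instance), and provides a base-scope LDAP lookup an admin can run before the deletion and again after `ipa-server-upgrade` to see whether the container has been restored. The variable names `LDAP_URI`, `DM_PW_FILE`, the default password-file path and the function names are assumptions of this example; `ldapsearch` is the standard OpenLDAP client and Directory Manager credentials are needed because the entries live under `cn=config`.

```shell
#!/bin/sh
# Added example (not from the freeipa-devel thread): generate the
# ipa-ldap-updater file that removes one Schema Compatibility container and
# check whether that container exists (e.g. before removal, and again after
# ipa-server-upgrade to detect whether the upgrade restored it).
# Assumptions: OpenLDAP client tools are installed; Directory Manager password
# is stored in DM_PW_FILE (path below is an assumed location, not an IPA default).

LDAP_URI="${LDAP_URI:-ldap://localhost}"
DM_DN="cn=Directory Manager"
DM_PW_FILE="${DM_PW_FILE:-/root/.dm_pw}"

# Build the DN of a Schema Compatibility container from its cn ("sudoers", ...).
compat_dn() {
    printf 'cn=%s,cn=Schema Compatibility,cn=plugins,cn=config\n' "$1"
}

# Emit an update file in the format quoted in the thread:
# a "dn:" line followed by a "deleteentry:" line naming the same DN.
make_update_file() {
    dn=$(compat_dn "$1")
    printf 'dn: %s\ndeleteentry: %s\n' "$dn" "$dn"
}

# Return 0 if the container entry exists, 1 if it is absent, 2 on lookup error.
# A base-scope search on the DN itself either returns that one entry or fails
# with LDAP result code 32 (noSuchObject), which ldapsearch uses as exit status.
compat_entry_exists() {
    dn=$(compat_dn "$1")
    out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$DM_DN" -y "$DM_PW_FILE" \
                     -b "$dn" -s base dn 2>&1)
    rc=$?
    case $rc in
        0)  [ -n "$out" ] && return 0 || return 1 ;;
        32) return 1 ;;
        *)  printf 'lookup failed (rc=%s): %s\n' "$rc" "$out" >&2; return 2 ;;
    esac
}

# Usage: ./compat-tree.sh sudoers
#   writes 89-remove-sudoers-compat-tree.update for ipa-ldap-updater and
#   reports whether the container is currently present on the server.
if [ -n "$1" ]; then
    make_update_file "$1" > "89-remove-$1-compat-tree.update"
    if compat_entry_exists "$1"; then
        echo "$(compat_dn "$1") exists"
    else
        echo "$(compat_dn "$1") is absent"
    fi
fi
```

Running the existence check once before `ipa-ldap-updater` and once after the next `ipa-server-upgrade` answers the open question in the thread for a given deployment: if the second run reports the container as present again, the upgrade has re-created it and the removal has to be repeated (or a supported on/off switch is needed, as Martin suggests).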