URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Move the compat plugin setup at the end of install Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711
From a9630776df8393cb751d2e515a1773ae91584427 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:32:34 +0200 Subject: [PATCH 1/4] compat-manage: behave the same for all users Due to LDAP connection refactoring, compat-manage would have behaved differently for root and for other users even though it requires the directory manager password. This is caused by it trying to do external bind when it does not have the DIRMAN password which was previously not supplied. https://pagure.io/freeipa/issue/6821 --- install/tools/ipa-compat-manage | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index a29a92f..6dd259d 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -105,7 +105,7 @@ def main(): debug=options.debug, confdir=paths.ETC_IPA) api.finalize() - api.Backend.ldap2.connect() + api.Backend.ldap2.connect(bind_pw=dirman_password) if args[0] == "status": entry = None From 7f859cb40ec5f23904f2178122bb24acd5d8b953 Mon Sep 17 00:00:00 2001 
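Review bot: The new `api.Backend.ldap2.connect(bind_pw=dirman_password)` call depends on `dirman_password` being non-empty, but the hunk does not show where it is assigned or validated; main() begins and ends outside the hunk. If the value can still be empty or None at this point, the bind may not be the Directory Manager password bind the commit message intends. The message itself says an external bind was attempted when no password was supplied, and RFC 4513 defines a simple bind with a name and an empty password as an unauthenticated bind. Unless an equivalent check already exists earlier in main(), a guard directly before the call, e.g. `if not dirman_password: sys.exit("Directory Manager password required")`, would make the failure explicit and identical for root and non-root users.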
From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 13 Apr 2017 09:15:47 +0200 Subject: [PATCH 2/4] Move the compat plugin setup at the end of install The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 --- install/share/Makefile.am | 1 - install/share/schema_compat.uldif | 128 ------------------ install/updates/10-schema_compat.update | 93 ------------- install/updates/80-schema_compat.update | 222 ++++++++++++++++++++++++++++++++ install/updates/Makefile.am | 2 +- ipaplatform/base/paths.py | 3 +- ipaserver/install/dsinstance.py | 8 -- 7 files changed, 225 insertions(+), 232 deletions(-) delete mode 100644 install/share/schema_compat.uldif delete mode 100644 install/updates/10-schema_compat.update create mode 100644 install/updates/80-schema_compat.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 3a34f6e..e7fac0c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -65,7 +65,6 @@ dist_app_DATA = \ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ - schema_compat.uldif \ ldapi.ldif \ wsgi.py \ repoint-managed-entries.ldif \ diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif deleted file mode 100644 index 66f8ea1..0000000 --- a/install/share/schema_compat.uldif +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# Enable the Schema Compatibility plugin provided by slapi-nis. -# -# http://slapi-nis.fedorahosted.org/ -# -dn: cn=Schema Compatibility, cn=plugins, cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: Schema Compatibility -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so -default:nsslapd-plugininitfunc: schema_compat_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginenabled: on -default:nsslapd-pluginid: schema-compat-plugin -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 40 -default:nsslapd-pluginversion: 0.8 -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: Schema Compatibility Plugin - -dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: users -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=users -default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX -default:schema-compat-search-filter: objectclass=posixAccount -default:schema-compat-entry-rdn: uid=%{uid} -default:schema-compat-entry-attribute: objectclass=posixAccount -default:schema-compat-entry-attribute: gecos=%{cn} -default:schema-compat-entry-attribute: cn=%{cn} -default:schema-compat-entry-attribute: uidNumber=%{uidNumber} -default:schema-compat-entry-attribute: gidNumber=%{gidNumber} -default:schema-compat-entry-attribute: loginShell=%{loginShell} -default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory} -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -default:schema-compat-entry-attribute: 
%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: groups -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=groups -default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX -default:schema-compat-search-filter: objectclass=posixGroup -default:schema-compat-entry-rdn: cn=%{cn} -default:schema-compat-entry-attribute: objectclass=posixGroup -default:schema-compat-entry-attribute: gidNumber=%{gidNumber} -default:schema-compat-entry-attribute: memberUid=%{memberUid} -default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid") -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config -add:objectClass: top -add:objectClass: extensibleObject -add:cn: ng -add:schema-compat-container-group: cn=compat, $SUFFIX -add:schema-compat-container-rdn: cn=ng -add:schema-compat-check-access: yes -add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX -add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) -add:schema-compat-entry-rdn: cn=%{cn} -add:schema-compat-entry-attribute: objectclass=nisNetgroup -add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn") -add:schema-compat-entry-attribute: 
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) - -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add:objectClass: top -add:objectClass: extensibleObject -add:cn: sudoers -add:schema-compat-container-group: ou=SUDOers, $SUFFIX -add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX -add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) -add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") -add:schema-compat-entry-attribute: objectclass=sudoRole -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") -add:schema-compat-entry-attribute: 
sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") -add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") -add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") -# memberDenyCmds are to be allowed even if cmdCategory is set to ALL -add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd") -add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") -add:schema-compat-entry-attribute: 
sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") -add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") -add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt} - -dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: computers -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=computers -default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX -default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) -default:schema-compat-entry-rdn: cn=%first("%{fqdn}") -default:schema-compat-entry-attribute: objectclass=device -default:schema-compat-entry-attribute: objectclass=ieee802Device -default:schema-compat-entry-attribute: cn=%{fqdn} -default:schema-compat-entry-attribute: macAddress=%{macAddress} - -# Enable anonymous VLV browsing for Solaris -dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config -only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; ) - diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update deleted file mode 100644 index fbe8703..0000000 --- a/install/updates/10-schema_compat.update +++ /dev/null 
@@ -1,93 +0,0 @@ -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") -add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} -# Fix for #4324 (regression of #1309) -remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn") -remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser} -remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} -remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid") -remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup} -remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") - -# We need to add the value in a separate transaction -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") -add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") -add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: 
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -# Change padding for host and userCategory so the pad returns the same value -# as the original, '' or -. -dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config -replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-}) -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=computers, cn=Schema Compatibility, 
cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: computers -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=computers -default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX -default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) -default:schema-compat-entry-rdn: cn=%first("%{fqdn}") -default:schema-compat-entry-attribute: objectclass=device -default:schema-compat-entry-attribute: objectclass=ieee802Device -default:schema-compat-entry-attribute: cn=%{fqdn} -default:schema-compat-entry-attribute: macAddress=%{macAddress} -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=Schema Compatibility,cn=plugins,cn=config -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if 
needed -add:nsslapd-pluginprecedence: 40 - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: uid=%{uid} -replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") diff --git a/install/updates/80-schema_compat.update b/install/updates/80-schema_compat.update new file mode 100644 index 0000000..06cbcab --- /dev/null +++ b/install/updates/80-schema_compat.update 
@@ -0,0 +1,222 @@ +# +# Setup the Schema Compatibility plugin provided by slapi-nis. +# This should be done after all other updates have been applied +# +# http://slapi-nis.fedorahosted.org/ +# +dn: cn=Schema Compatibility, cn=plugins, cn=config +default:objectclass: top +default:objectclass: nsSlapdPlugin +default:objectclass: extensibleObject +default:cn: Schema Compatibility +default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so +default:nsslapd-plugininitfunc: schema_compat_plugin_init +default:nsslapd-plugintype: object +default:nsslapd-pluginenabled: on +default:nsslapd-pluginid: schema-compat-plugin +# We need to run schema-compat pre-bind callback before +# other IPA pre-bind callbacks to make sure bind DN is +# rewritten to the original entry if needed +default:nsslapd-pluginprecedence: 40 +default:nsslapd-pluginversion: 0.8 +default:nsslapd-pluginbetxn: on +default:nsslapd-pluginvendor: redhat.com +default:nsslapd-plugindescription: Schema Compatibility Plugin + +dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: users +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=users +default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX +default:schema-compat-search-filter: objectclass=posixAccount +default:schema-compat-entry-rdn: uid=%{uid} +default:schema-compat-entry-attribute: objectclass=posixAccount +default:schema-compat-entry-attribute: gecos=%{cn} +default:schema-compat-entry-attribute: cn=%{cn} +default:schema-compat-entry-attribute: uidNumber=%{uidNumber} +default:schema-compat-entry-attribute: gidNumber=%{gidNumber} +default:schema-compat-entry-attribute: loginShell=%{loginShell} +default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory} +default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 
+default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: groups +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=groups +default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX +default:schema-compat-search-filter: objectclass=posixGroup +default:schema-compat-entry-rdn: cn=%{cn} +default:schema-compat-entry-attribute: objectclass=posixGroup +default:schema-compat-entry-attribute: gidNumber=%{gidNumber} +default:schema-compat-entry-attribute: memberUid=%{memberUid} +default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid") +default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") +default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: ng +add:schema-compat-container-group: cn=compat, $SUFFIX +add:schema-compat-container-rdn: cn=ng +add:schema-compat-check-access: yes +add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=nisNetgroup +add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn") 
+add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: ou=SUDOers, $SUFFIX +add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") +add:schema-compat-entry-attribute: 
sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") +add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") +add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") +# memberDenyCmds are to be allowed even if cmdCategory is set to ALL +add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd") +add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") +add:schema-compat-entry-attribute: 
sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") +add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") +add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt} + +dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: computers +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=computers +default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX +default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:schema-compat-entry-rdn: cn=%first("%{fqdn}") +default:schema-compat-entry-attribute: objectclass=device +default:schema-compat-entry-attribute: objectclass=ieee802Device +default:schema-compat-entry-attribute: cn=%{fqdn} +default:schema-compat-entry-attribute: macAddress=%{macAddress} + +# Enable anonymous VLV browsing for Solaris +dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config +only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; ) + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") +add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} +# Fix for #4324 (regression of #1309) +remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn") +remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser} +remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} +remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid") 
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
+
+# We need to add the value in a separate transaction
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
+add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
+add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+# Change padding for host and userCategory so the pad returns the same value
+# as the original, '' or -.
+dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
+replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
+default:objectClass: top
+default:objectClass: extensibleObject
+default:cn: computers
+default:schema-compat-container-group: cn=compat, $SUFFIX
+default:schema-compat-container-rdn: cn=computers
+default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
+default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
+default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
+default:schema-compat-entry-attribute: objectclass=device
+default:schema-compat-entry-attribute: objectclass=ieee802Device
+default:schema-compat-entry-attribute: cn=%{fqdn}
+default:schema-compat-entry-attribute: macAddress=%{macAddress}
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=Schema Compatibility,cn=plugins,cn=config
+# We need to run schema-compat pre-bind callback before
+# other IPA pre-bind callbacks to make sure bind DN is
+# rewritten to the original entry if needed
+add:nsslapd-pluginprecedence: 40
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: uid=%{uid} +replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 0ff0edb..aa339cc 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -9,7 +9,6 @@ app_DATA = \ 10-selinuxusermap.update \ 10-rootdse.update \ 10-uniqueness.update \ - 10-schema_compat.update \ 19-managed-entries.update \ 20-aci.update \ 20-dna.update \ @@ -63,6 +62,7 @@ app_DATA = \ 73-winsync.update \ 73-certmap.update \ 90-post_upgrade_plugins.update \ + 91-schema_compat.update \ $(NULL) EXTRA_DIST = \ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index ad41814..57f185e 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
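Review bot: The second install/updates/Makefile.am hunk lists `91-schema_compat.update` in `app_DATA`, but this patch's diffstat creates `install/updates/80-schema_compat.update` and patch 3/4 edits that same 80- file, so the build references a file the series never adds. The paths.py hunk has the same mismatch, with `SCHEMA_COMPAT_ULDIF` set to `/usr/share/ipa/updates/91-schema_compat.update`. One prefix should be used in all three places: either `80-schema_compat.update \` here and in paths.py, or rename the shipped file to 91- if it is meant to run after `90-post_upgrade_plugins.update`, which the file's own header ("after all other updates have been applied") suggests. Until the names agree, the compat configuration would presumably not be installed or applied at all.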
@@ -236,7 +236,8 @@ class BasePathNamespace(object): HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con" NIS_ULDIF = "/usr/share/ipa/nis.uldif" NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif" - SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" + SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update" + SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" DICT_WORDS = "/usr/share/dict/words" diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 99a1781..2a82138 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -281,8 +281,6 @@ def __common_post_setup(self): self.step("configuring Posix uid/gid generation", self.__config_uidgid_gen) self.step("adding replication acis", self.__add_replication_acis) - self.step("enabling compatibility plugin", - self.__enable_compat_plugin) self.step("activating sidgen plugin", self._add_sidgen_plugin) self.step("activating extdom plugin", self._add_extdom_plugin) self.step("tuning directory server", self.__tuning) @@ -706,12 +704,6 @@ def __add_topology_entries(self): def __add_winsync_module(self): self._ldap_mod("ipa-winsync-conf.ldif") - def __enable_compat_plugin(self): - ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict) - rv = ld.update([paths.SCHEMA_COMPAT_ULDIF]) - if not rv: - raise RuntimeError("Enabling compatibility plugin failed") - def __config_version_module(self): self._ldap_mod("version-conf.ldif") From d1cba130423d48f901180d8dc0a5781bb818783e Mon Sep 17 00:00:00 2001 
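Review bot: The new `SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"` in the paths.py hunk points at a file that this patch's diffstat does not add, and none of the visible hunks reads the constant. Either drop the line or ship `schema_compat_post.uldif` and its consumer in the same patch, so the path namespace does not advertise a file that is absent on disk. With `__enable_compat_plugin` removed from dsinstance.py, no reader of `SCHEMA_COMPAT_ULDIF` is visible either; any remaining caller elsewhere should be checked against the relocated path. The `BasePathNamespace` class body continues outside the hunk.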
From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:39:56 +0200 Subject: [PATCH 3/4] compat: ignore cn=topology,cn=ipa,cn=etc subtree The entries in cn=topology,cn=ipa,cn=etc should not be taken in account for the compat plugin. https://pagure.io/freeipa/issue/6821 --- install/updates/80-schema_compat.update | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/install/updates/80-schema_compat.update b/install/updates/80-schema_compat.update index 06cbcab..7483518 100644 --- a/install/updates/80-schema_compat.update +++ b/install/updates/80-schema_compat.update @@ -152,6 +152,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX # Change padding for host and userCategory so the pad returns the same value # as the original, '' or -. @@ -162,6 +163,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config default:objectClass: top @@ -181,6 +183,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} 
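Review bot: The added `add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX` in the hunk at -152 has no comment saying why the subtree is excluded, and the same line is repeated without explanation in the hunks at -162, -181, -191 and -198. The series description says the exclusion prevents the compat plugin from deadlocking with the topology plugin, so a later scope cleanup could silently bring the deadlock back. I would add a comment above the first occurrence: `# cn=topology is ignored to avoid deadlocks with the topology plugin (https://pagure.io/freeipa/issue/6821)`. The `dn:` entries these lines belong to start outside the hunks.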
@@ -191,6 +194,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config remove: schema-compat-ignore-subtree: cn=changelog @@ -198,6 +202,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=Schema Compatibility,cn=plugins,cn=config # We need to run schema-compat pre-bind callback before From a2a935ae80a377f12a1241fe5fc22ed68ea07c67 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:50:38 +0200 Subject: [PATCH 4/4] compat plugin: Update link to slapi-nis project --- install/updates/80-schema_compat.update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/updates/80-schema_compat.update b/install/updates/80-schema_compat.update index 7483518..6b01ae3 100644 --- a/install/updates/80-schema_compat.update +++ b/install/updates/80-schema_compat.update @@ -2,7 +2,7 @@ # Setup the Schema Compatibility plugin provided by slapi-nis. # This should be done after all other updates have been applied # -# http://slapi-nis.fedorahosted.org/ +# https://pagure.io/slapi-nis/ # dn: cn=Schema Compatibility, cn=plugins, cn=config default:objectclass: top