URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Move the compat plugin setup at the end of install Action: opened
PR body: """ The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711
From 7acb342fb7722bba7159042b54361440d729d6b1 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 13 Apr 2017 09:15:47 +0200 Subject: [PATCH] Move the compat plugin setup at the end of install The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 --- install/share/Makefile.am | 1 + install/share/schema_compat_post.uldif | 98 ++++++++++++++++++++++++++++++ install/updates/10-schema_compat.update | 93 ---------------------------- install/updates/Makefile.am | 1 - ipaplatform/base/paths.py | 1 + ipaserver/install/dsinstance.py | 23 +++++-- ipaserver/install/server/install.py | 3 + ipaserver/install/server/replicainstall.py | 3 + ipaserver/install/server/upgrade.py | 1 + 9 files changed, 125 insertions(+), 99 deletions(-) create mode 100644 install/share/schema_compat_post.uldif delete mode 100644 install/updates/10-schema_compat.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 9e539a3..4ecf42c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -66,6 +66,7 @@ dist_app_DATA = \ opendnssec_kasp.template \ unique-attributes.ldif \ schema_compat.uldif \ + schema_compat_post.uldif \ ldapi.ldif \ wsgi.py \ repoint-managed-entries.ldif \ diff --git a/install/share/schema_compat_post.uldif b/install/share/schema_compat_post.uldif new file mode 100644 index 0000000..35d9f11 --- /dev/null +++ b/install/share/schema_compat_post.uldif @@ -0,0 +1,98 @@ +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") +add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} +# Fix for #4324 (regression of #1309) +remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn") +remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser} +remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} +remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid") +remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup} +remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") + +# We need to add the value in a separate transaction +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") +add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") +add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") +add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") +add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") +add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX + +# Change padding for host and userCategory so the pad returns the same value +# as the original, '' or -. +dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config +replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-}) +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX + +dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: computers +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=computers +default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX +default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:schema-compat-entry-rdn: cn=%first("%{fqdn}") +default:schema-compat-entry-attribute: objectclass=device +default:schema-compat-entry-attribute: objectclass=ieee802Device +default:schema-compat-entry-attribute: cn=%{fqdn} +default:schema-compat-entry-attribute: macAddress=%{macAddress} +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} + +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX + +dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX + +dn: cn=Schema Compatibility,cn=plugins,cn=config +# We need to run schema-compat pre-bind callback before +# other IPA pre-bind callbacks to make sure bind DN is +# rewritten to the original entry if needed +add:nsslapd-pluginprecedence: 40 + +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: uid=%{uid} +replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update deleted file mode 100644 index fbe8703..0000000 --- a/install/updates/10-schema_compat.update +++ /dev/null @@ -1,93 +0,0 @@ -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") -add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} -# Fix for #4324 (regression of #1309) -remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn") -remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser} -remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} -remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid") -remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup} -remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") - -# We need to add the value in a separate transaction -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") -add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") -add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -# Change padding for host and userCategory so the pad returns the same value -# as the original, '' or -. -dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config -replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-}) -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: computers -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=computers -default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX -default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) -default:schema-compat-entry-rdn: cn=%first("%{fqdn}") -default:schema-compat-entry-attribute: objectclass=device -default:schema-compat-entry-attribute: objectclass=ieee802Device -default:schema-compat-entry-attribute: cn=%{fqdn} -default:schema-compat-entry-attribute: macAddress=%{macAddress} -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=Schema Compatibility,cn=plugins,cn=config -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if needed -add:nsslapd-pluginprecedence: 40 - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: uid=%{uid} -replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 0ff0edb..42142af 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -9,7 +9,6 @@ app_DATA = \ 10-selinuxusermap.update \ 10-rootdse.update \ 10-uniqueness.update \ - 10-schema_compat.update \ 19-managed-entries.update \ 20-aci.update \ 20-dna.update \ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 070d3ff..b6dcafb 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -237,6 +237,7 @@ class BasePathNamespace(object): NIS_ULDIF = "/usr/share/ipa/nis.uldif" NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif" SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" + SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" DICT_WORDS = "/usr/share/dict/words" diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 99a1781..bd01455 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -281,8 +281,6 @@ def __common_post_setup(self): self.step("configuring Posix uid/gid generation", self.__config_uidgid_gen) self.step("adding replication acis", self.__add_replication_acis) - self.step("enabling compatibility plugin", - self.__enable_compat_plugin) self.step("activating sidgen plugin", self._add_sidgen_plugin) self.step("activating extdom plugin", self._add_extdom_plugin) self.step("tuning directory server", self.__tuning) @@ -706,9 +704,24 @@ def __add_topology_entries(self): def __add_winsync_module(self): self._ldap_mod("ipa-winsync-conf.ldif") - def __enable_compat_plugin(self): - ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict) - rv = ld.update([paths.SCHEMA_COMPAT_ULDIF]) + def setup_compat_plugin(self): + """ + Check whether the compat plugin settings are already available, if so, + try to update them + """ + ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, + sub_dict=self.sub_dict) + modlist = [] + dn = DN('cn=Schema Compatibility,cn=plugins,cn=config') + try: + api.Backend.ldap2.get_entry(dn) + except errors.NotFound: + modlist.append(paths.SCHEMA_COMPAT_ULDIF) + else: + root_logger.debug("compat plugin is already configured") + + modlist.append(paths.SCHEMA_COMPAT_POST_ULDIF) + rv = ld.update(modlist, ordered=False) if not rv: raise RuntimeError("Enabling compatibility plugin failed") diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 197f01c..cbe7840 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -832,6 +832,9 @@ def install(installer): service.print_msg("Applying LDAP updates") ds.apply_updates() + ds.step("enabling compatibility plugin", ds.setup_compat_plugin) + ds.start_creation() + # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index b82d7b4..ecc1890 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1454,6 +1454,9 @@ def install(installer): service.print_msg("Applying LDAP updates") ds.apply_updates() + ds.step("enabling compatibility plugin", ds.setup_compat_plugin) + ds.start_creation() + if kra_enabled: kra.install(api, config, options) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 927acb0..10478e4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1649,6 +1649,7 @@ def upgrade_configuration(): ds.suffix = ipautil.realm_to_suffix(api.env.realm) ds_enable_sidgen_extdom_plugins(ds) + ds.setup_compat_plugin() if not http.is_kdcproxy_configured(): root_logger.info('[Enabling KDC Proxy]')
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
