URL: https://github.com/freeipa/freeipa/pull/711 Author: stlaz Title: #711: Compat-plugin related fixes Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/711/head:pr711 git checkout pr711
From a9630776df8393cb751d2e515a1773ae91584427 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 21 Apr 2017 09:32:34 +0200
Subject: [PATCH 1/4] compat-manage: behave the same for all users
Due to LDAP connection refactoring, compat-manage would have behaved differently for root and for other users even though it requires the directory manager password. This is caused by it trying to do external bind when it does not have the DIRMAN password which was previously not supplied.
https://pagure.io/freeipa/issue/6821
---
 install/tools/ipa-compat-manage | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index a29a92f..6dd259d 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -105,7 +105,7 @@ def main():
 debug=options.debug, confdir=paths.ETC_IPA)
 api.finalize()
- api.Backend.ldap2.connect()
+ api.Backend.ldap2.connect(bind_pw=dirman_password)
 if args[0] == "status": entry = None
From 780886737edf4cbf3cb098271544c5492a50c77d Mon Sep 17 00:00:00 2001
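Review bot: The new `connect(bind_pw=dirman_password)` call names no bind DN, so the identity the password is checked against depends on whatever ldap2 defaults to, and nothing at the call site tells a reader that. A one-line comment above the call would make the intent explicit, for example `# simple bind as Directory Manager; bind_dn is left to the ldap2 default`. Since the change appears to move every caller, root included, onto a password bind, it is also worth confirming that the configured LDAP URI is ldapi or TLS-protected so the Directory Manager password is not sent in clear; that setting is not visible here. main() starts and continues outside the hunk, so how `dirman_password` is obtained and whether a failed bind is reported cleanly cannot be checked from these lines.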
From: Stanislav Laznicka <slazn...@redhat.com> Date: Thu, 13 Apr 2017 09:15:47 +0200 Subject: [PATCH 2/4] Move the compat plugin setup at the end of install The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 --- install/share/Makefile.am | 1 - install/share/schema_compat.uldif | 128 ------------------ install/updates/10-schema_compat.update | 93 ------------- install/updates/80-schema_compat.update | 222 ++++++++++++++++++++++++++++++++ install/updates/Makefile.am | 2 +- ipaplatform/base/paths.py | 3 +- ipaserver/install/dsinstance.py | 9 -- 7 files changed, 225 insertions(+), 233 deletions(-) delete mode 100644 install/share/schema_compat.uldif delete mode 100644 install/updates/10-schema_compat.update create mode 100644 install/updates/80-schema_compat.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 3a34f6e..e7fac0c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -65,7 +65,6 @@ dist_app_DATA = \ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ - schema_compat.uldif \ ldapi.ldif \ wsgi.py \ repoint-managed-entries.ldif \ diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif deleted file mode 100644 index 66f8ea1..0000000 --- a/install/share/schema_compat.uldif +++ /dev/null 
@@ -1,128 +0,0 @@ -# -# Enable the Schema Compatibility plugin provided by slapi-nis. -# -# http://slapi-nis.fedorahosted.org/ -# -dn: cn=Schema Compatibility, cn=plugins, cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: Schema Compatibility -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so -default:nsslapd-plugininitfunc: schema_compat_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginenabled: on -default:nsslapd-pluginid: schema-compat-plugin -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if needed -default:nsslapd-pluginprecedence: 40 -default:nsslapd-pluginversion: 0.8 -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: Schema Compatibility Plugin - -dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: users -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=users -default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX -default:schema-compat-search-filter: objectclass=posixAccount -default:schema-compat-entry-rdn: uid=%{uid} -default:schema-compat-entry-attribute: objectclass=posixAccount -default:schema-compat-entry-attribute: gecos=%{cn} -default:schema-compat-entry-attribute: cn=%{cn} -default:schema-compat-entry-attribute: uidNumber=%{uidNumber} -default:schema-compat-entry-attribute: gidNumber=%{gidNumber} -default:schema-compat-entry-attribute: loginShell=%{loginShell} -default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory} -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -default:schema-compat-entry-attribute: 
%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: groups -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=groups -default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX -default:schema-compat-search-filter: objectclass=posixGroup -default:schema-compat-entry-rdn: cn=%{cn} -default:schema-compat-entry-attribute: objectclass=posixGroup -default:schema-compat-entry-attribute: gidNumber=%{gidNumber} -default:schema-compat-entry-attribute: memberUid=%{memberUid} -default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid") -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config -add:objectClass: top -add:objectClass: extensibleObject -add:cn: ng -add:schema-compat-container-group: cn=compat, $SUFFIX -add:schema-compat-container-rdn: cn=ng -add:schema-compat-check-access: yes -add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX -add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) -add:schema-compat-entry-rdn: cn=%{cn} -add:schema-compat-entry-attribute: objectclass=nisNetgroup -add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn") -add:schema-compat-entry-attribute: 
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) - -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add:objectClass: top -add:objectClass: extensibleObject -add:cn: sudoers -add:schema-compat-container-group: ou=SUDOers, $SUFFIX -add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX -add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) -add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") -add:schema-compat-entry-attribute: objectclass=sudoRole -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") -add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") -add:schema-compat-entry-attribute: 
sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") -add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") -add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") -# memberDenyCmds are to be allowed even if cmdCategory is set to ALL -add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd") -add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") -add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") -add:schema-compat-entry-attribute: 
sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") -add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") -add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt} - -dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: computers -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=computers -default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX -default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) -default:schema-compat-entry-rdn: cn=%first("%{fqdn}") -default:schema-compat-entry-attribute: objectclass=device -default:schema-compat-entry-attribute: objectclass=ieee802Device -default:schema-compat-entry-attribute: cn=%{fqdn} -default:schema-compat-entry-attribute: macAddress=%{macAddress} - -# Enable anonymous VLV browsing for Solaris -dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config -only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; ) - diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update deleted file mode 100644 index fbe8703..0000000 --- a/install/updates/10-schema_compat.update +++ /dev/null 
@@ -1,93 +0,0 @@ -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") -add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") -add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} -# Fix for #4324 (regression of #1309) -remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn") -remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser} -remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} -remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid") -remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup} -remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") - -# We need to add the value in a separate transaction -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") -add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") -add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") -add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: 
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -# Change padding for host and userCategory so the pad returns the same value -# as the original, '' or -. -dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config -replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-}) -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=computers, cn=Schema Compatibility, 
cn=plugins, cn=config -default:objectClass: top -default:objectClass: extensibleObject -default:cn: computers -default:schema-compat-container-group: cn=compat, $SUFFIX -default:schema-compat-container-rdn: cn=computers -default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX -default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) -default:schema-compat-entry-rdn: cn=%first("%{fqdn}") -default:schema-compat-entry-attribute: objectclass=device -default:schema-compat-entry-attribute: objectclass=ieee802Device -default:schema-compat-entry-attribute: cn=%{fqdn} -default:schema-compat-entry-attribute: macAddress=%{macAddress} -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -remove: schema-compat-ignore-subtree: cn=changelog -remove: schema-compat-ignore-subtree: o=ipaca -add: schema-compat-restrict-subtree: $SUFFIX -add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX - -dn: cn=Schema Compatibility,cn=plugins,cn=config -# We need to run schema-compat pre-bind callback before -# other IPA pre-bind callbacks to make sure bind DN is -# rewritten to the original entry if 
needed -add:nsslapd-pluginprecedence: 40 - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") -add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") -add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} -add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") - -dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add:schema-compat-entry-attribute: uid=%{uid} -replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") diff --git a/install/updates/80-schema_compat.update b/install/updates/80-schema_compat.update new file mode 100644 index 0000000..06cbcab --- /dev/null +++ b/install/updates/80-schema_compat.update 
@@ -0,0 +1,222 @@ +# +# Setup the Schema Compatibility plugin provided by slapi-nis. +# This should be done after all other updates have been applied +# +# http://slapi-nis.fedorahosted.org/ +# +dn: cn=Schema Compatibility, cn=plugins, cn=config +default:objectclass: top +default:objectclass: nsSlapdPlugin +default:objectclass: extensibleObject +default:cn: Schema Compatibility +default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so +default:nsslapd-plugininitfunc: schema_compat_plugin_init +default:nsslapd-plugintype: object +default:nsslapd-pluginenabled: on +default:nsslapd-pluginid: schema-compat-plugin +# We need to run schema-compat pre-bind callback before +# other IPA pre-bind callbacks to make sure bind DN is +# rewritten to the original entry if needed +default:nsslapd-pluginprecedence: 40 +default:nsslapd-pluginversion: 0.8 +default:nsslapd-pluginbetxn: on +default:nsslapd-pluginvendor: redhat.com +default:nsslapd-plugindescription: Schema Compatibility Plugin + +dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: users +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=users +default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX +default:schema-compat-search-filter: objectclass=posixAccount +default:schema-compat-entry-rdn: uid=%{uid} +default:schema-compat-entry-attribute: objectclass=posixAccount +default:schema-compat-entry-attribute: gecos=%{cn} +default:schema-compat-entry-attribute: cn=%{cn} +default:schema-compat-entry-attribute: uidNumber=%{uidNumber} +default:schema-compat-entry-attribute: gidNumber=%{gidNumber} +default:schema-compat-entry-attribute: loginShell=%{loginShell} +default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory} +default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 
+default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: groups +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=groups +default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX +default:schema-compat-search-filter: objectclass=posixGroup +default:schema-compat-entry-rdn: cn=%{cn} +default:schema-compat-entry-attribute: objectclass=posixGroup +default:schema-compat-entry-attribute: gidNumber=%{gidNumber} +default:schema-compat-entry-attribute: memberUid=%{memberUid} +default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid") +default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") +default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: ng +add:schema-compat-container-group: cn=compat, $SUFFIX +add:schema-compat-container-rdn: cn=ng +add:schema-compat-check-access: yes +add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=nisNetgroup +add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn") 
+add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: ou=SUDOers, $SUFFIX +add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") +add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") +add:schema-compat-entry-attribute: 
sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") +add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") +add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") +# memberDenyCmds are to be allowed even if cmdCategory is set to ALL +add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd") +add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") +add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") +add:schema-compat-entry-attribute: 
sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") +add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") +add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt} + +dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: computers +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=computers +default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX +default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:schema-compat-entry-rdn: cn=%first("%{fqdn}") +default:schema-compat-entry-attribute: objectclass=device +default:schema-compat-entry-attribute: objectclass=ieee802Device +default:schema-compat-entry-attribute: cn=%{fqdn} +default:schema-compat-entry-attribute: macAddress=%{macAddress} + +# Enable anonymous VLV browsing for Solaris +dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config +only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; ) + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") +add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") +add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} +# Fix for #4324 (regression of #1309) +remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn") +remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser} +remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup} +remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid") 
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup} +remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") + +# We need to add the value in a separate transaction +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn") +add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") +add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") +add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") +add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") +add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX + +# Change padding for host and userCategory so the pad returns the same value +# as the original, '' or -. 
+dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config +replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-}) +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: $SUFFIX +add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX + +dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config +default:objectClass: top +default:objectClass: extensibleObject +default:cn: computers +default:schema-compat-container-group: cn=compat, $SUFFIX +default:schema-compat-container-rdn: cn=computers 
+default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
+default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
+default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
+default:schema-compat-entry-attribute: objectclass=device
+default:schema-compat-entry-attribute: objectclass=ieee802Device
+default:schema-compat-entry-attribute: cn=%{fqdn}
+default:schema-compat-entry-attribute: macAddress=%{macAddress}
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: $SUFFIX
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
+
+dn: cn=Schema Compatibility,cn=plugins,cn=config
+# We need to run schema-compat pre-bind callback before
+# other IPA pre-bind callbacks to make sure bind DN is
+# rewritten to the original entry if needed
+add:nsslapd-pluginprecedence: 40
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") +add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") +add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} +add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: uid=%{uid} +replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 0ff0edb..e18d011 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -9,7 +9,6 @@ app_DATA = \ 10-selinuxusermap.update \ 10-rootdse.update \ 10-uniqueness.update \ - 10-schema_compat.update \ 19-managed-entries.update \ 20-aci.update \ 20-dna.update \ @@ -62,6 +61,7 @@ app_DATA = \ 73-custodia.update \ 73-winsync.update \ 73-certmap.update \ + 80-schema_compat.update \ 90-post_upgrade_plugins.update \ $(NULL) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index ad41814..57f185e 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -236,7 +236,8 @@ class BasePathNamespace(object): HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con" NIS_ULDIF = "/usr/share/ipa/nis.uldif" NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif" - SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" + SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update" + SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" DICT_WORDS = "/usr/share/dict/words" diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 99a1781..403fe84 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -38,7 +38,6 @@ from ipaserver.install import service from ipaserver.install import installutils from ipaserver.install import certs -from ipaserver.install import ldapupdate from ipaserver.install import replication from ipaserver.install import sysupgrade from ipaserver.install import upgradeinstance @@ -281,8 +280,6 @@ def __common_post_setup(self): self.step("configuring Posix uid/gid generation", self.__config_uidgid_gen) self.step("adding replication acis", self.__add_replication_acis) - self.step("enabling compatibility plugin", - self.__enable_compat_plugin) self.step("activating sidgen plugin", self._add_sidgen_plugin) self.step("activating extdom plugin", self._add_extdom_plugin) self.step("tuning directory server", self.__tuning) @@ -706,12 +703,6 @@ def __add_topology_entries(self): def __add_winsync_module(self): self._ldap_mod("ipa-winsync-conf.ldif") - def __enable_compat_plugin(self): - ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict) - rv = ld.update([paths.SCHEMA_COMPAT_ULDIF]) - if not rv: - raise RuntimeError("Enabling compatibility plugin failed") - def __config_version_module(self): self._ldap_mod("version-conf.ldif") From 460d9e4684a4d98a56e209f4828737f152927238 Mon Sep 17 00:00:00 2001 
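Review bot: `SCHEMA_COMPAT_ULDIF` now points at `/usr/share/ipa/updates/91-schema_compat.update`, but this patch creates and installs `install/updates/80-schema_compat.update` (see the diffstat and `install/updates/Makefile.am`), so the constant names a file the patch does not ship. `SCHEMA_COMPAT_POST_ULDIF` likewise refers to `schema_compat_post.uldif`, which none of the four patches in this series adds. Anything that still loads these constants (presumably `ipa-compat-manage`, which binds with the Directory Manager password) would either fail or apply whatever file happens to sit at that path, so I would use `SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/80-schema_compat.update"` and drop `SCHEMA_COMPAT_POST_ULDIF` until its file exists. The only consumer visible here, `__enable_compat_plugin` in `dsinstance.py`, is removed by this same patch, and `BasePathNamespace` continues outside the hunk.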
From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:39:56 +0200 Subject: [PATCH 3/4] compat: ignore cn=topology,cn=ipa,cn=etc subtree The entries in cn=topology,cn=ipa,cn=etc should not be taken in account for the compat plugin. https://pagure.io/freeipa/issue/6821 --- install/updates/80-schema_compat.update | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/install/updates/80-schema_compat.update b/install/updates/80-schema_compat.update index 06cbcab..7483518 100644 --- a/install/updates/80-schema_compat.update +++ b/install/updates/80-schema_compat.update @@ -152,6 +152,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX # Change padding for host and userCategory so the pad returns the same value # as the original, '' or -. @@ -162,6 +163,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config default:objectClass: top @@ -181,6 +183,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} 
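Review bot: The new `add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX` line in the `@@ -152,6 +152,7 @@` hunk has no comment saying why the topology subtree is excluded, and the same line is repeated without explanation in the `-163`, `-183`, `-191` and `-198` hunks. The reason is only in the series' commit messages (deadlocks between the compat and topology plugins), so a later cleanup of the ignore lists could easily drop it. The file already carries `#` comments inside entries, so one line above the first occurrence would do, for example `# Keep cn=topology out of compat scope: the compat plugin deadlocked with the topology plugin (https://pagure.io/freeipa/issue/6821)`.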
@@ -191,6 +194,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config remove: schema-compat-ignore-subtree: cn=changelog @@ -198,6 +202,7 @@ remove: schema-compat-ignore-subtree: o=ipaca add: schema-compat-restrict-subtree: $SUFFIX add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX +add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX dn: cn=Schema Compatibility,cn=plugins,cn=config # We need to run schema-compat pre-bind callback before From 0e6520f55a13dc0c568ff850141e772d8d1a4894 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Fri, 21 Apr 2017 09:50:38 +0200 Subject: [PATCH 4/4] compat plugin: Update link to slapi-nis project --- install/updates/80-schema_compat.update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/updates/80-schema_compat.update b/install/updates/80-schema_compat.update index 7483518..6b01ae3 100644 --- a/install/updates/80-schema_compat.update +++ b/install/updates/80-schema_compat.update @@ -2,7 +2,7 @@ # Setup the Schema Compatibility plugin provided by slapi-nis. # This should be done after all other updates have been applied # -# http://slapi-nis.fedorahosted.org/ +# https://pagure.io/slapi-nis/ # dn: cn=Schema Compatibility, cn=plugins, cn=config default:objectclass: top