From f91b6dd2ac7ee2d3444929e0d8649c9f355bdcd2 Mon Sep 17 00:00:00 2001

From: "Thierry bordaz (tbordaz)" <tbordaz@redhat.com>

Date: Wed, 29 Oct 2014 16:23:03 +0100

Subject: [PATCH] Deadlock in schema compat plugin (between

 automember_update_membership task and dse update)

	Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the

	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.

	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.

	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees

	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)

https://fedorahosted.org/freeipa/ticket/4635

Reviewed-By: Martin Basti <mbasti@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 install/updates/10-schema_compat.update | 30 ++++++++++++++++++++----------

 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update

index 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82 100644

--- a/install/updates/10-schema_compat.update

+++ b/install/updates/10-schema_compat.update

@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego

 add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'

 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'

 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'

-add: schema-compat-ignore-subtree: cn=changelog

-add: schema-compat-ignore-subtree: o=ipaca

+remove: schema-compat-ignore-subtree: cn=changelog

+remove: schema-compat-ignore-subtree: o=ipaca

+add: schema-compat-restrict-subtree: '$SUFFIX'

+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'

 # Change padding for host and userCategory so the pad returns the same value

 # as the original, '' or -.

 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config

 replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'

-add: schema-compat-ignore-subtree: cn=changelog

-add: schema-compat-ignore-subtree: o=ipaca

+remove: schema-compat-ignore-subtree: cn=changelog

+remove: schema-compat-ignore-subtree: o=ipaca

+add: schema-compat-restrict-subtree: '$SUFFIX'

+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'

 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config

 default:objectClass: top

@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device

 default:schema-compat-entry-attribute: objectclass=ieee802Device

 default:schema-compat-entry-attribute: cn=%{fqdn}

 default:schema-compat-entry-attribute: macAddress=%{macAddress}

-add: schema-compat-ignore-subtree: cn=changelog

-add: schema-compat-ignore-subtree: o=ipaca

+remove: schema-compat-ignore-subtree: cn=changelog

+remove: schema-compat-ignore-subtree: o=ipaca

+add: schema-compat-restrict-subtree: '$SUFFIX'

+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'

 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}

 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

-add: schema-compat-ignore-subtree: cn=changelog

-add: schema-compat-ignore-subtree: o=ipaca

+remove: schema-compat-ignore-subtree: cn=changelog

+remove: schema-compat-ignore-subtree: o=ipaca

+add: schema-compat-restrict-subtree: '$SUFFIX'

+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'

 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config

-add: schema-compat-ignore-subtree: cn=changelog

-add: schema-compat-ignore-subtree: o=ipaca

+remove: schema-compat-ignore-subtree: cn=changelog

+remove: schema-compat-ignore-subtree: o=ipaca

+add: schema-compat-restrict-subtree: '$SUFFIX'

+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'

 dn: cn=Schema Compatibility,cn=plugins,cn=config

 # We need to run schema-compat pre-bind callback before

-- 

2.1.0