|
 |
ac7d03 |
From f0bd45fb0c1071006887dc10abac233d2756d951 Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
ac7d03 |
Date: Thu, 13 Apr 2017 09:15:47 +0200
|
|
|
ac7d03 |
Subject: [PATCH] Move the compat plugin setup at the end of install
|
|
|
ac7d03 |
|
|
|
ac7d03 |
The compat plugin was causing deadlocks with the topology plugin. Move
|
|
|
ac7d03 |
its setup at the end of the installation and remove the
|
|
|
ac7d03 |
cn=topology,cn=ipa,cn=etc subtree from its scope.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
https://pagure.io/freeipa/issue/6821
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
install/share/Makefile.am | 1 -
|
|
|
ac7d03 |
install/updates/10-schema_compat.update | 93 ---------------------
|
|
|
ac7d03 |
.../80-schema_compat.update} | 96 +++++++++++++++++++++-
|
|
|
ac7d03 |
install/updates/Makefile.am | 2 +-
|
|
|
ac7d03 |
ipaplatform/base/paths.py | 3 +-
|
|
|
ac7d03 |
ipaserver/install/dsinstance.py | 9 --
|
|
|
ac7d03 |
6 files changed, 98 insertions(+), 106 deletions(-)
|
|
|
ac7d03 |
delete mode 100644 install/updates/10-schema_compat.update
|
|
|
ac7d03 |
rename install/{share/schema_compat.uldif => updates/80-schema_compat.update} (55%)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
|
|
ac7d03 |
index 9e539a3f30c2979de26575ba66bbb23fecd03a88..b27861da37153d77d693ce6e46340525bbd50173 100644
|
|
|
ac7d03 |
--- a/install/share/Makefile.am
|
|
|
ac7d03 |
+++ b/install/share/Makefile.am
|
|
|
ac7d03 |
@@ -65,7 +65,6 @@ dist_app_DATA = \
|
|
|
ac7d03 |
opendnssec_conf.template \
|
|
|
ac7d03 |
opendnssec_kasp.template \
|
|
|
ac7d03 |
unique-attributes.ldif \
|
|
|
ac7d03 |
- schema_compat.uldif \
|
|
|
ac7d03 |
ldapi.ldif \
|
|
|
ac7d03 |
wsgi.py \
|
|
|
ac7d03 |
repoint-managed-entries.ldif \
|
|
|
ac7d03 |
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
|
|
|
ac7d03 |
deleted file mode 100644
|
|
|
ac7d03 |
index fbe8703407aacd75baf160630c20835a1b4ddc65..0000000000000000000000000000000000000000
|
|
|
ac7d03 |
--- a/install/updates/10-schema_compat.update
|
|
|
ac7d03 |
+++ /dev/null
|
|
|
ac7d03 |
@@ -1,93 +0,0 @@
|
|
|
ac7d03 |
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
|
|
|
ac7d03 |
-# Fix for #4324 (regression of #1309)
|
|
|
ac7d03 |
-remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn")
|
|
|
ac7d03 |
-remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser}
|
|
|
ac7d03 |
-remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
|
|
|
ac7d03 |
-remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid")
|
|
|
ac7d03 |
-remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
|
|
|
ac7d03 |
-remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-# We need to add the value in a separate transaction
|
|
|
ac7d03 |
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
|
|
|
ac7d03 |
-add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
|
|
|
ac7d03 |
-add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
|
|
|
ac7d03 |
-add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
|
|
|
ac7d03 |
-add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
|
|
|
ac7d03 |
-add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-# Change padding for host and userCategory so the pad returns the same value
|
|
|
ac7d03 |
-# as the original, '' or -.
|
|
|
ac7d03 |
-dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
|
|
|
ac7d03 |
-default:objectClass: top
|
|
|
ac7d03 |
-default:objectClass: extensibleObject
|
|
|
ac7d03 |
-default:cn: computers
|
|
|
ac7d03 |
-default:schema-compat-container-group: cn=compat, $SUFFIX
|
|
|
ac7d03 |
-default:schema-compat-container-rdn: cn=computers
|
|
|
ac7d03 |
-default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
|
|
|
ac7d03 |
-default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
|
|
ac7d03 |
-default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
|
|
|
ac7d03 |
-default:schema-compat-entry-attribute: objectclass=device
|
|
|
ac7d03 |
-default:schema-compat-entry-attribute: objectclass=ieee802Device
|
|
|
ac7d03 |
-default:schema-compat-entry-attribute: cn=%{fqdn}
|
|
|
ac7d03 |
-default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
-remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
-add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-# We need to run schema-compat pre-bind callback before
|
|
|
ac7d03 |
-# other IPA pre-bind callbacks to make sure bind DN is
|
|
|
ac7d03 |
-# rewritten to the original entry if needed
|
|
|
ac7d03 |
-add:nsslapd-pluginprecedence: 40
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
-dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
-add:schema-compat-entry-attribute: uid=%{uid}
|
|
|
ac7d03 |
-replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")
|
|
|
ac7d03 |
diff --git a/install/share/schema_compat.uldif b/install/updates/80-schema_compat.update
|
|
|
ac7d03 |
similarity index 55%
|
|
|
ac7d03 |
rename from install/share/schema_compat.uldif
|
|
|
ac7d03 |
rename to install/updates/80-schema_compat.update
|
|
|
ac7d03 |
index 66f8ea1c31bc534b3ee134c6df6132f4318c81fc..06cbcab8ad809d95a907c161044ff91df827ebf3 100644
|
|
|
ac7d03 |
--- a/install/share/schema_compat.uldif
|
|
|
ac7d03 |
+++ b/install/updates/80-schema_compat.update
|
|
|
ac7d03 |
@@ -1,5 +1,6 @@
|
|
|
ac7d03 |
#
|
|
|
ac7d03 |
-# Enable the Schema Compatibility plugin provided by slapi-nis.
|
|
|
ac7d03 |
+# Setup the Schema Compatibility plugin provided by slapi-nis.
|
|
|
ac7d03 |
+# This should be done after all other updates have been applied
|
|
|
ac7d03 |
#
|
|
|
ac7d03 |
# http://slapi-nis.fedorahosted.org/
|
|
|
ac7d03 |
#
|
|
|
ac7d03 |
@@ -126,3 +127,96 @@ default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
|
|
ac7d03 |
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
|
|
|
ac7d03 |
only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
|
|
|
ac7d03 |
|
|
|
ac7d03 |
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
|
|
|
ac7d03 |
+# Fix for #4324 (regression of #1309)
|
|
|
ac7d03 |
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn")
|
|
|
ac7d03 |
+remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser}
|
|
|
ac7d03 |
+remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
|
|
|
ac7d03 |
+remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid")
|
|
|
ac7d03 |
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
|
|
|
ac7d03 |
+remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+# We need to add the value in a separate transaction
|
|
|
ac7d03 |
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
|
|
|
ac7d03 |
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
|
|
|
ac7d03 |
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
|
|
|
ac7d03 |
+add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
|
|
|
ac7d03 |
+add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
|
|
|
ac7d03 |
+add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+# Change padding for host and userCategory so the pad returns the same value
|
|
|
ac7d03 |
+# as the original, '' or -.
|
|
|
ac7d03 |
+dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
|
|
|
ac7d03 |
+default:objectClass: top
|
|
|
ac7d03 |
+default:objectClass: extensibleObject
|
|
|
ac7d03 |
+default:cn: computers
|
|
|
ac7d03 |
+default:schema-compat-container-group: cn=compat, $SUFFIX
|
|
|
ac7d03 |
+default:schema-compat-container-rdn: cn=computers
|
|
|
ac7d03 |
+default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
|
|
|
ac7d03 |
+default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
|
|
ac7d03 |
+default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
|
|
|
ac7d03 |
+default:schema-compat-entry-attribute: objectclass=device
|
|
|
ac7d03 |
+default:schema-compat-entry-attribute: objectclass=ieee802Device
|
|
|
ac7d03 |
+default:schema-compat-entry-attribute: cn=%{fqdn}
|
|
|
ac7d03 |
+default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: cn=changelog
|
|
|
ac7d03 |
+remove: schema-compat-ignore-subtree: o=ipaca
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: $SUFFIX
|
|
|
ac7d03 |
+add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+# We need to run schema-compat pre-bind callback before
|
|
|
ac7d03 |
+# other IPA pre-bind callbacks to make sure bind DN is
|
|
|
ac7d03 |
+# rewritten to the original entry if needed
|
|
|
ac7d03 |
+add:nsslapd-pluginprecedence: 40
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
|
|
ac7d03 |
+add:schema-compat-entry-attribute: uid=%{uid}
|
|
|
ac7d03 |
+replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")
|
|
|
ac7d03 |
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
|
|
ac7d03 |
index 0ff0edb93abf4c4656b7504bd9ce8f774918fc2d..e18d01127b592a6c7941729d6160d10fb2d3e76c 100644
|
|
|
ac7d03 |
--- a/install/updates/Makefile.am
|
|
|
ac7d03 |
+++ b/install/updates/Makefile.am
|
|
|
ac7d03 |
@@ -9,7 +9,6 @@ app_DATA = \
|
|
|
ac7d03 |
10-selinuxusermap.update \
|
|
|
ac7d03 |
10-rootdse.update \
|
|
|
ac7d03 |
10-uniqueness.update \
|
|
|
ac7d03 |
- 10-schema_compat.update \
|
|
|
ac7d03 |
19-managed-entries.update \
|
|
|
ac7d03 |
20-aci.update \
|
|
|
ac7d03 |
20-dna.update \
|
|
|
ac7d03 |
@@ -62,6 +61,7 @@ app_DATA = \
|
|
|
ac7d03 |
73-custodia.update \
|
|
|
ac7d03 |
73-winsync.update \
|
|
|
ac7d03 |
73-certmap.update \
|
|
|
ac7d03 |
+ 80-schema_compat.update \
|
|
|
ac7d03 |
90-post_upgrade_plugins.update \
|
|
|
ac7d03 |
$(NULL)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
|
|
ac7d03 |
index 9cf160fac483157b508dedac7a5fc26cb12c63a4..dbdd71ed0b4d69c1101db4aeb7d93152ab8aa730 100644
|
|
|
ac7d03 |
--- a/ipaplatform/base/paths.py
|
|
|
ac7d03 |
+++ b/ipaplatform/base/paths.py
|
|
|
ac7d03 |
@@ -236,7 +236,8 @@ class BasePathNamespace(object):
|
|
|
ac7d03 |
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
|
|
|
ac7d03 |
NIS_ULDIF = "/usr/share/ipa/nis.uldif"
|
|
|
ac7d03 |
NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
|
|
|
ac7d03 |
- SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
|
|
|
ac7d03 |
+ SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
|
|
|
ac7d03 |
+ SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
|
|
|
ac7d03 |
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
|
|
|
ac7d03 |
UPDATES_DIR = "/usr/share/ipa/updates/"
|
|
|
ac7d03 |
DICT_WORDS = "/usr/share/dict/words"
|
|
|
ac7d03 |
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
index 99a1781ca4475805e9bf3b2bac3f26b5fb107a43..403fe8489fdd9e0dbf40dd4df3794b51185d45b9 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
@@ -38,7 +38,6 @@ from ipapython import dogtag
|
|
|
ac7d03 |
from ipaserver.install import service
|
|
|
ac7d03 |
from ipaserver.install import installutils
|
|
|
ac7d03 |
from ipaserver.install import certs
|
|
|
ac7d03 |
-from ipaserver.install import ldapupdate
|
|
|
ac7d03 |
from ipaserver.install import replication
|
|
|
ac7d03 |
from ipaserver.install import sysupgrade
|
|
|
ac7d03 |
from ipaserver.install import upgradeinstance
|
|
|
ac7d03 |
@@ -281,8 +280,6 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
self.step("configuring Posix uid/gid generation",
|
|
|
ac7d03 |
self.__config_uidgid_gen)
|
|
|
ac7d03 |
self.step("adding replication acis", self.__add_replication_acis)
|
|
|
ac7d03 |
- self.step("enabling compatibility plugin",
|
|
|
ac7d03 |
- self.__enable_compat_plugin)
|
|
|
ac7d03 |
self.step("activating sidgen plugin", self._add_sidgen_plugin)
|
|
|
ac7d03 |
self.step("activating extdom plugin", self._add_extdom_plugin)
|
|
|
ac7d03 |
self.step("tuning directory server", self.__tuning)
|
|
|
ac7d03 |
@@ -706,12 +703,6 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
def __add_winsync_module(self):
|
|
|
ac7d03 |
self._ldap_mod("ipa-winsync-conf.ldif")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- def __enable_compat_plugin(self):
|
|
|
ac7d03 |
- ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
|
|
|
ac7d03 |
- rv = ld.update([paths.SCHEMA_COMPAT_ULDIF])
|
|
|
ac7d03 |
- if not rv:
|
|
|
ac7d03 |
- raise RuntimeError("Enabling compatibility plugin failed")
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
def __config_version_module(self):
|
|
|
ac7d03 |
self._ldap_mod("version-conf.ldif")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.12.2
|
|
|
ac7d03 |
|