From 4145fbdb5428b11274344cfc97eb2fe5ba9537a5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 7 Dec 2017 12:52:54 +1100
Subject: [PATCH] Add uniqueness constraint on CA ACL name

It is possible to add caacl entries with the same "name" (cn).  The
command is supposed to prevent this, but direct LDAP operations allow
it, and doing so causes subsequent errors.

Enable the DS uniqueness constraint plugin for the cn attribute in
CA ACL entries.

Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 install/updates/10-uniqueness.update | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 050bfd55ec2e6a09c44700ae40757ee1d72c136f..77facba195cb5a1564818010f97afdd15d65a274 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -92,3 +92,20 @@ add:uniqueness-across-all-subtrees: on
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
 add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
+
+dn: cn=caacl name uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: caacl name uniqueness
+default:nsslapd-pluginDescription: Enforce unique attribute values
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: cn
+default:uniqueness-subtrees: cn=caacls,cn=ca,$SUFFIX
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
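Review bot: The new plugin entry only rejects future adds/modifies that would introduce a duplicate cn under cn=caacls,cn=ca,$SUFFIX; it does not detect or clean up duplicates that already exist when the update runs, so a server that is already in the broken state described in the commit message stays that way and the "subsequent errors" persist. Consider pairing this with a pre-existing-duplicate check (or at least a documented manual step) in the upgrade path, and a comment above the entry such as `# cn uniqueness in cn=caacls is enforced for new operations only; pre-existing duplicates must be resolved manually`. Since uniqueness-subtrees names a single subtree, omitting uniqueness-across-all-subtrees (used by the neighbouring ipaUniqueID entry) looks intentional, but a one-line comment saying so would save the next reader from wondering. Whether the comparison is case-insensitive presumably follows cn's matching rule — worth confirming against the plugin's behaviour before relying on it for ACL names that differ only in case.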
-- 
2.20.1