From 52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Mon, 23 Feb 2015 17:46:46 +0100
Subject: [PATCH] Fix uniqueness plugins

* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users will not be forced to have unique uid
* remove unneded update plugins -> update was moved to .update file
* add uniqueness-across-all-subtrees required by user lifecycle management

Reviewed-By: Alexander Bokovoy
---
 install/share/unique-attributes.ldif | 30 ++----
 install/updates/10-uniqueness.update | 54 ++++++++---
 .../install/plugins/update_uniqueness.py | 91 -------------------
 3 files changed, 48 insertions(+), 127 deletions(-)

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index ea38ac753..7e1e53fbc 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -9,12 +9,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 uniqueness-attribute-name: krbPrincipalName
-uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
 
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
 changetype: add
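Review bot: Replacing `uniqueness-subtrees: $SUFFIX` with the two containers under cn=accounts narrows krbPrincipalName uniqueness so that principal entries stored anywhere else in the suffix are no longer checked; as far as I recall the realm's own principals (krbtgt, K/M) live under `cn=kerberos,$SUFFIX` in FreeIPA — please confirm — and a user or service entry in cn=accounts could then be created with a principal name that collides with one of them. The same narrowing is made for krbCanonicalName in the second hunk and for ipaUniqueID in the third, and entries outside cn=accounts (HBAC and sudo rules, for example) also carry ipaUniqueID, so their uniqueness stops being enforced by the plugin. If the narrower scope is deliberate, record it in the ldif next to each plugin entry, e.g. `# scope deliberately limited to active and deleted accounts; entries outside cn=accounts are not checked`; if coverage of the other containers is still wanted, list them as further `uniqueness-subtrees:` values. A one-line comment on `uniqueness-across-all-subtrees: on` would also help: with it the check spans the union of the listed subtrees, which is presumably what keeps a deleted user's principal from being reused while the entry still sits in the deleted container.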
@@ -27,12 +29,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 uniqueness-attribute-name: krbCanonicalName
-uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
 
 dn: cn=netgroup uniqueness,cn=plugins,cn=config
 changetype: add
@@ -63,12 +67,14 @@ nsslapd-pluginInitfunc: NSUniqueAttr_Init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 uniqueness-attribute-name: ipaUniqueID
-uniqueness-subtrees: $SUFFIX
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
+uniqueness-subtrees: cn=accounts,$SUFFIX
+uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-across-all-subtrees: on
 
 dn: cn=sudorule name uniqueness,cn=plugins,cn=config
 changetype: add
@@ -87,21 +93,3 @@ nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
-
-#dn: cn=uid uniqueness,cn=plugins,cn=config
-#objectClass: top
-#objectClass: nsSlapdPlugin
-#objectClass: extensibleObject
-#cn: uid uniqueness
-#nsslapd-pluginPath: libattr-unique-plugin
-#nsslapd-pluginInitfunc: NSUniqueAttr_Init
-#nsslapd-pluginType: preoperation
-#nsslapd-pluginEnabled: on
-#uniqueness-attribute-name: uid
-#uniqueness-subtrees: cn=accounts,$SUFFIX
-#nsslapd-plugin-depends-on-type: database
-#nsslapd-pluginId: NSUniqueAttr
-#nsslapd-pluginVersion: 1.1.0
-#nsslapd-pluginVendor: Fedora Project
-#nsslapd-pluginDescription: Enforce unique attribute values
-#
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index b6e2fff6d..7bb0f4c39 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -49,28 +49,52 @@ default:nsslapd-pluginId: NSUniqueAttr
 default:nsslapd-pluginVersion: 1.1.0
 default:nsslapd-pluginVendor: Fedora Project
 
+dn: cn=uid uniqueness,cn=plugins,cn=config
+default:objectClass: top
+default:objectClass: nsSlapdPlugin
+default:objectClass: extensibleObject
+default:cn: uid uniqueness
+default:nsslapd-pluginPath: libattr-unique-plugin
+default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
+default:nsslapd-pluginType: preoperation
+default:nsslapd-pluginEnabled: on
+default:uniqueness-attribute-name: uid
+default:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+default:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+default:uniqueness-across-all-subtrees: on
+default:uniqueness-subtree-entries-oc: posixAccount
+default:nsslapd-plugin-depends-on-type: database
+default:nsslapd-pluginId: NSUniqueAttr
+default:nsslapd-pluginVersion: 1.1.0
+default:nsslapd-pluginVendor: Fedora Project
+default:nsslapd-pluginDescription: Enforce unique attribute values
+
 # uid uniqueness scopes Active/Delete containers
-dn: cn=attribute uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
-remove:nsslapd-pluginenabled:off
-add:nsslapd-pluginenabled:on
+dn: cn=uid uniqueness,cn=plugins,cn=config
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-across-all-subtrees: off
+add:uniqueness-across-all-subtrees: on
+add:uniqueness-subtree-entries-oc: posixAccount
 
 # krbPrincipalName uniqueness scopes Active/Delete containers
 dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
 
 # krbCanonicalName uniqueness scopes Active/Delete containers
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
 
 # ipaUniqueID uniqueness scopes Active/Delete containers
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees:'$SUFFIX'
-add:uniqueness-subtrees:'cn=accounts,$SUFFIX'
-add:uniqueness-subtrees:'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+remove:uniqueness-subtrees: '$SUFFIX'
+add:uniqueness-subtrees: 'cn=accounts,$SUFFIX'
+add:uniqueness-subtrees: 'cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX'
+add:uniqueness-across-all-subtrees: on
diff --git a/ipaserver/install/plugins/update_uniqueness.py b/ipaserver/install/plugins/update_uniqueness.py
index 8769f83a1..3017d5ac1 100644
--- a/ipaserver/install/plugins/update_uniqueness.py
+++ b/ipaserver/install/plugins/update_uniqueness.py
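Review bot: In 10-uniqueness.update, dropping the `dn: cn=attribute uniqueness,cn=plugins,cn=config` block means a server whose uid uniqueness instance lives under that legacy DN is no longer migrated: its subtree scope, enabled flag, across-all-subtrees and posixAccount settings are left as they are, while the new `default:` block creates a second instance under `cn=uid uniqueness`, so an upgraded server may end up with two uid plugins enforcing different scopes or with the legacy one still disabled. The `update_uid_uniqueness` plugin deleted in the same patch located the instance by filter (`uniqueness-attribute-name=uid` or `nsslapd-plugarg0=uid`) regardless of its DN; unless `update_uniqueness_plugins_to_new_syntax`, whose body lies outside the hunk, renames the legacy entry, that coverage is lost. Either keep a `remove:`/`add:` block for the legacy DN or document in the update file why it is no longer needed, e.g. `# legacy cn=attribute uniqueness instances are renamed by update_uniqueness_plugins_to_new_syntax` if that is what happens. Separately, the new entry is registered as `default:nsslapd-pluginType: preoperation`, which matches the other entries in unique-attributes.ldif but not the `betxnpreoperation` the deleted Python template used; the latter runs the check inside the backend transaction, so confirm which type is intended and note the choice in a comment.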
@@ -223,94 +223,3 @@ class update_uniqueness_plugins_to_new_syntax(PreUpdate): return False, True, update_list api.register(update_uniqueness_plugins_to_new_syntax) - - -class update_uid_uniqueness(PostUpdate): - """ - Create plugin configuration to ensure uid uniqueness - """ - order = MIDDLE - - uid_uniqueness_dn = DN(('cn', 'uid uniqueness'), ('cn', 'plugins'), ('cn', 'config')) - - uid_uniqueness_template = { - 'objectClass' : ["top", "nsSlapdPlugin", "extensibleObject"], - 'cn' : 'uid uniqueness', - 'nsslapd-pluginPath' : 'libattr-unique-plugin', - 'nsslapd-pluginInitfunc' : 'NSUniqueAttr_Init', - 'nsslapd-pluginType' : 'betxnpreoperation', - 'nsslapd-pluginEnabled' : 'on', - 'uniqueness-attribute-name' : 'uid', - 'uniqueness-subtrees' : 'dc=example,dc=com', - 'uniqueness-across-all-subtrees': 'off', - 'uniqueness-subtree-entries-oc' : 'posixAccount', - 'nsslapd-plugin-depends-on-type': 'database', - 'nsslapd-pluginId' : 'none', - 'nsslapd-pluginVersion' : 'none', - 'nsslapd-pluginVendor' : 'none', - 'nsslapd-pluginDescription' : 'none', - } - - def execute(self, **options): - ldap = self.obj.backend - - config_dn = DN(('cn','config')) - search_filter = ("(&(objectclass=nsslapdplugin)" - "(nsslapd-pluginpath=libattr-unique-plugin)" - "(nsslapd-pluginInitfunc=NSUniqueAttr_Init)" - "(!(nsslapd-pluginenabled=off))" - "(|(uniqueness-attribute-name=uid)(nsslapd-plugarg0=uid)))") - root_logger.debug("update_uid_uniqueness: search for existing uid uniqueness " - "configuration") - - try: - (entries, truncated) = ldap.find_entries(search_filter, ['*'], config_dn, - time_limit=0, size_limit=0) - except errors.NotFound: - # add entry - entries = [] - except errors.ExecutionError, e: - root_logger.error("update_uid_uniqueness: cannot retrieve " - "list of uniqueness plugin instances: %s", e) - return (False, False, []) - - if len(entries) > 1: - root_logger.error("update_uid_uniqueness: found more than one uid " - "uniqueness plugin definition: %s", [str(x.dn) for x in 
entries]) - return (False, False, []) - - error = False - if not entries: - root_logger.debug("update_uid_uniqueness: adding new uid uniqueness " - "plugin definition") - uid_uniqueness_plugin_attrs = dict(self.uid_uniqueness_template) - uid_uniqueness_plugin_attrs['uniqueness-subtrees'] = api.env.basedn - uid_uniqueness_plugin = ldap.make_entry(self.uid_uniqueness_dn, uid_uniqueness_plugin_attrs) - - try: - ldap.add_entry(uid_uniqueness_plugin) - except errors.ExecutionError, e: - root_logger.debug("update_uid_uniqueness: cannot " - "create uid uniqueness plugin entry: %s", e) - error = True - else: - root_logger.debug("update_uid_uniqueness: updating existing uid uniqueness " - "plugin definition") - uid_uniqueness_plugin_attrs = dict(self.uid_uniqueness_template) - uid_uniqueness_plugin_attrs['uniqueness-subtrees'] = api.env.basedn - uid_uniqueness_plugin_attrs['cn'] = entries[0]['cn'] - uid_uniqueness_plugin = ldap.make_entry(entries[0].dn, uid_uniqueness_plugin_attrs) - - try: - ldap.update_entry(uid_uniqueness_plugin) - except errors.ExecutionError, e: - root_logger.debug("update_uid_uniqueness: cannot " - "update uid uniqueness plugin entry: %s", e) - error = True - - if error: - root_logger.error("update_uid_uniqueness: error(s)" - "detected during plugin update") - return (True, False, []) - -api.register(update_uid_uniqueness)