Remove disabled entries from sudoers compat tree.

The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.

https://fedorahosted.org/freeipa/ticket/3437

install/share/schema_compat.uldif

@@ -70,7 +70,7 @@ add:cn: sudoers
 add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX'
 add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX'
 add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
-add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
 add:schema-compat-entry-attribute: objectclass=sudoRole
 add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
 add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'

install/updates/10-schema_compat.update

@@ -1,5 +1,7 @@
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
 replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
+
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config