Deadlock in schema compat plugin (between automember_update_membership task and dse update)

Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
	default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
	Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
	This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
	that would be too long for cn=config (tasks, mapping tree, replication, snmp..)

https://fedorahosted.org/freeipa/ticket/4635

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Thierry bordaz (tbordaz) 2014-10-29 16:23:03 +01:00 committed by Petr Vobornik
parent d6697b683d
commit a56a6aff88

View File

@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
add: schema-compat-ignore-subtree: cn=changelog
add: schema-compat-ignore-subtree: o=ipaca
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: '$SUFFIX'
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
# Change padding for host and userCategory so the pad returns the same value
# as the original, '' or -.
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
add: schema-compat-ignore-subtree: cn=changelog
add: schema-compat-ignore-subtree: o=ipaca
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: '$SUFFIX'
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}
add: schema-compat-ignore-subtree: cn=changelog
add: schema-compat-ignore-subtree: o=ipaca
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: '$SUFFIX'
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=changelog
add: schema-compat-ignore-subtree: o=ipaca
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: '$SUFFIX'
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=changelog
add: schema-compat-ignore-subtree: o=ipaca
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: '$SUFFIX'
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
dn: cn=Schema Compatibility,cn=plugins,cn=config
# We need to run schema-compat pre-bind callback before