schema-compat: set precedence to 49 to allow OTP binds over compat tree

schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.

Note that this will only work if ticket 47699 is fixed in 389-ds.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>

install/share/schema_compat.uldif

@@ -13,6 +13,10 @@ default:nsslapd-plugininitfunc: schema_compat_plugin_init
 default:nsslapd-plugintype: object
 default:nsslapd-pluginenabled: on
 default:nsslapd-pluginid: schema-compat-plugin
+# We need to run schema-compat pre-bind callback before
+# other IPA pre-bind callbacks to make sure bind DN is
+# rewritten to the original entry if needed
+default:nsslapd-pluginprecedence: 49
 default:nsslapd-pluginversion: 0.8
 default:nsslapd-pluginbetxn: on
 default:nsslapd-pluginvendor: redhat.com

install/updates/10-schema_compat.update

@@ -23,3 +23,10 @@ default:schema-compat-entry-attribute: macAddress=%{macAddress}
 
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
+
+dn: cn=Schema Compatibility,cn=plugins,cn=config
+# We need to run schema-compat pre-bind callback before
+# other IPA pre-bind callbacks to make sure bind DN is
+# rewritten to the original entry if needed
+add:nsslapd-pluginprecedence: 49
+