Drop uniqueMember mapping with nss-pam-ldapd.

nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.

Add a Conflicts on older versions.

https://fedorahosted.org/freeipa/ticket/3589

freeipa.spec.in

@@ -161,6 +161,10 @@ Conflicts: bind-dyndb-ldap < 1.1.0-0.12.rc1
 %endif
 Conflicts: bind < 9.8.2-0.4.rc2
 
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
 # mod_proxy provides a single API to communicate over SSL. If mod_ssl
 # is even loaded into Apache then it grabs this interface.
 Conflicts: mod_ssl
@@ -835,6 +839,11 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr 30 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-9
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+  member is now done automatically and having it in the config file raises
+  an error.
+
 * Tue Apr 30 2013 Jan Cholasta <jcholast@redhat.com> - 3.1.99-8
 - Add triggerin scriptlet to update sshd_config on openssh-server update
 

ipa-client/ipa-install/ipa-client-install

@@ -778,7 +778,6 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server,
             {'name':'empty', 'type':'empty'},
             {'name':'base passwd', 'type':'option', 'value':str(DN(('cn', 'users'), ('cn', 'accounts'), cli_basedn))},
             {'name':'base group', 'type':'option', 'value':str(DN(('cn', 'groups'), ('cn', 'accounts'), cli_basedn))},
-            {'name':'map group', 'type':'option', 'value':'uniqueMember member'},
             {'name':'timelimit', 'type':'option', 'value':'15'},
             {'name':'empty', 'type':'empty'}]
     if not dnsok or options.force or options.on_master: