Enable compat plugin by default and configure netgroups

Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.

Add a 'status' option to the ipa-copmat-manage tool.

ticket 91

install/share/nis.uldif

@@ -82,18 +82,3 @@ default:nis-filter: (objectClass=ipanisNetgroup)
 default:nis-key-format: %{cn}
 default:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\",\"-\",\",\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")
 default:nis-secure: no
-
-dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
-add:objectClass: top
-add:objectClass: extensibleObject
-add:cn: ng
-add:schema-compat-container-group: 'cn=compat, $SUFFIX'
-add:schema-compat-container-rdn: cn=ng
-add:schema-compat-check-access: yes
-add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX'
-add:schema-compat-search-filter: !(cn=ng)
-add:schema-compat-entry-rdn: cn=%{cn}
-add:schema-compat-entry-attribute: objectclass=nisNetgroup
-add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'
-add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")'
-add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%collect(\"%{externalHost}\",\"%deref(\\\"memberHost\\\",\\\"fqdn\\\")\",\"%deref_r(\\\"member\\\",\\\"fqdn\\\")\",\"%deref_r(\\\"memberHost\\\",\\\"member\\\",\\\"fqdn\\\")\")","-",",","%collect(\"%deref(\\\"memberUser\\\",\\\"uid\\\")\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"memberUser\\\",\\\"member\\\",\\\"uid\\\")\")","-"),%{nisDomainName:-})'

install/share/schema_compat.uldif

@@ -49,6 +49,21 @@ default:schema-compat-entry-attribute: memberUid=%{memberUid}
 default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
 default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid")
 
+dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
+add:objectClass: top
+add:objectClass: extensibleObject
+add:cn: ng
+add:schema-compat-container-group: 'cn=compat, $SUFFIX'
+add:schema-compat-container-rdn: cn=ng
+add:schema-compat-check-access: yes
+add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX'
+add:schema-compat-search-filter: !(cn=ng)
+add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-attribute: objectclass=nisNetgroup
+add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'
+add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")'
+add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%collect(\"%{externalHost}\",\"%deref(\\\"memberHost\\\",\\\"fqdn\\\")\",\"%deref_r(\\\"member\\\",\\\"fqdn\\\")\",\"%deref_r(\\\"memberHost\\\",\\\"member\\\",\\\"fqdn\\\")\")","-",",","%collect(\"%deref(\\\"memberUser\\\",\\\"uid\\\")\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"memberUser\\\",\\\"member\\\",\\\"uid\\\")\")","-"),%{nisDomainName:-})'
+
 # Enable anonymous VLV browsing for Solaris
 dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
 only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'

install/tools/ipa-compat-manage

@@ -76,7 +76,7 @@ def main():
     if len(args) != 1:
         print "You must specify one action, either enable or disable"
         sys.exit(1)
-    elif args[0] != "enable" and args[0] != "disable":
+    elif args[0] != "enable" and args[0] != "disable" and args[0] != "status":
         print "Unrecognized action [" + args[0] + "]"
         sys.exit(1)
 
@@ -106,6 +106,17 @@ def main():
             print lde
             return 1
 
+        if args[0] == "status":
+            try:
+                conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)
+                print "Plugin Enabled"
+            except errors.NotFound:
+                print "Plugin Disabled" 
+            except errors.LDAPError, lde:
+                print "An error occurred while talking to the server."
+                print lde
+            return 0
+
         if args[0] == "enable":
             try:
                 conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)

install/tools/man/ipa-compat-manage.1

@@ -20,13 +20,15 @@
 .SH "NAME"
 ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
 .SH "SYNOPSIS"
-ipa\-compat\-manage [options] <enable|disable>
+ipa\-compat\-manage [options] <enable|disable|status>
 .SH "DESCRIPTION"
 Run the command with the \fBenable\fR option to enable the compat plugin.
 
 Run the command with the \fBdisable\fR option to disable the compat plugin.
 
-In both cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+Run the command with the \fBstatus\fR to determine the current status of the compat plugin.
+
+In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
 
 Directory Server will need to be restarted after the schema compatibility plugin has been enabled.
 

ipaserver/install/dsinstance.py

@@ -219,6 +219,8 @@ class DsInstance(service.Service):
                   self.init_memberof)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
+        self.step("enabling compatibility plugin",
+                  self.__enable_compat_plugin)
 
         self.step("configuring directory to start on boot", self.__enable)
 
@@ -342,7 +344,7 @@ class DsInstance(service.Service):
         self._ldap_mod("memberof-task.ldif", self.sub_dict)
 
     def apply_updates(self):
-        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password)
+        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
         files = ld.get_all_files(ldapupdate.UPDATES_DIR)
         ld.update(files)
 
@@ -365,6 +367,12 @@ class DsInstance(service.Service):
     def __add_winsync_module(self):
         self._ldap_mod("ipa-winsync-conf.ldif")
 
+    def __enable_compat_plugin(self):
+        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
+        rv = ld.update(['/usr/share/ipa/schema_compat.uldif'])
+        if not rv:
+            raise RuntimeError("Enabling compatibility plugin failed")
+
     def __config_version_module(self):
         self._ldap_mod("version-conf.ldif")