The default groups we create should have ipaUniqueId set

This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
2025-01-23 23:03:19 -06:00 · 2011-04-14 14:37:45 -04:00 · 2011-04-14 14:37:45 -04:00 · fe67680da5
commit fe67680da5
parent e3ec1fb7ef
5 changed files with 31 additions and 3 deletions
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@ -188,11 +188,13 @@ objectClass: top
 objectClass: groupofnames
 objectClass: posixgroup
 objectClass: ipausergroup
+objectClass: ipaobject
 cn: admins
 description: Account administrators group
 gidNumber: $IDSTART
 member: uid=admin,cn=users,cn=accounts,$SUFFIX
 nsAccountLock: False
+ipaUniqueID: autogenerate

 dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
 changetype: add
@ -201,9 +203,11 @@ objectClass: groupofnames
 objectClass: nestedgroup
 objectClass: ipausergroup
 objectClass: posixgroup
+objectClass: ipaobject
 gidNumber: eval($IDSTART+1)
 description: Default group for all users
 cn: ipausers
+ipaUniqueID: autogenerate

 dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
 changetype: add
@ -211,9 +215,11 @@ objectClass: top
 objectClass: groupofnames
 objectClass: posixgroup
 objectClass: ipausergroup
+objectClass: ipaobject
 gidNumber: eval($IDSTART+2)
 description: Limited admins who can edit other users
 cn: editors
+ipaUniqueID: autogenerate

 dn: cn=sshd,cn=hbacservices,cn=hbac,$SUFFIX
 changetype: add
--- a/install/tools/man/ipa-ldap-updater.1
+++ b/install/tools/man/ipa-ldap-updater.1
@ -29,7 +29,7 @@ An update file describes an LDAP entry and a set of operations to be performed o

 Blank lines and lines beginning with # are ignored.

-There are 4 keywords:
+There are 7 keywords:

    * default: the starting value
    * add: add a value (or values) to an attribute
@ -37,6 +37,7 @@ There are 4 keywords:
    * only: set an attribute to this
    * deleteentry: remove the entry
    * replace: replace an existing value, format is old: new
+    * addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single-value attributes.

 Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.

--- a/install/updates/50-groupuuid.update
+++ b/install/updates/50-groupuuid.update
@ -0,0 +1,12 @@
+# The groups added in bootstrap-template.ldif didn't include ipaUniqueId
+dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
+add:objectclass: ipaobject
+addifnew:ipaUniqueID: autogenerate
+
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
+add:objectclass: ipaobject
+addifnew:ipaUniqueID: autogenerate
+
+dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
+add:objectclass: ipaobject
+addifnew:ipaUniqueID: autogenerate
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@ -13,8 +13,9 @@ app_DATA =				\
 	20-winsync_index.update		\
 	21-replicas_container.update	\
 	40-delegation.update		\
-	50-lockout-policy.update		\
 	45-roles.update			\
+	50-lockout-policy.update	\
+	50-groupuuid.update		\
 	$(NULL)

 EXTRA_DIST =				\
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@ -249,7 +249,7 @@ class LDAPUpdate:
    def parse_update_file(self, data, all_updates, dn_list):
        """Parse the update file into a dictonary of lists and apply the update
           for each DN in the file."""
-        valid_keywords = ["default", "add", "remove", "only", "deleteentry", "replace"]
+        valid_keywords = ["default", "add", "remove", "only", "deleteentry", "replace", "addifnew"]
        update = {}
        d = ""
        index = ""
@ -461,6 +461,14 @@ class LDAPUpdate:
                    e.append(v)
                    logging.debug('add: updated value %s', e)
                    entry.setValues(k, e)
+                elif utype == 'addifnew':
+                    logging.debug("addifnew: '%s' to %s, current value %s", v, k, e)
+                    # Only add the attribute if it doesn't exist. Only works
+                    # with single-value attributes.
+                    if len(e) == 0:
+                        e.append(v)
+                        logging.debug('addifnew: set %s to %s', (k, e))
+                        entry.setValues(k, e)
                elif utype == 'only':
                    logging.debug("only: set %s to '%s', current value %s", k, v, e)
                    if only.get(k):