diff options
| author | Jan Cholasta <jcholast@redhat.com> | 2013-03-06 10:07:13 +0100 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-03-06 16:08:20 +0100 |
| commit | 54080f46b02c04706021a6cd419f5b30d88d2b7b (patch) | |
| tree | e2b53745a0ffd85d136c14b4fa9928355c8c5e4d | |
| parent | c6fc0413b610e6c9216557d1de0fabd853754d47 (diff) | |
| download | freeipa-54080f46b02c04706021a6cd419f5b30d88d2b7b.tar.gz freeipa-54080f46b02c04706021a6cd419f5b30d88d2b7b.tar.xz freeipa-54080f46b02c04706021a6cd419f5b30d88d2b7b.zip | |
Remove disabled entries from sudoers compat tree.
The removal is triggered by generating an invalid RDN when ipaEnabledFlag of
the original entry is FALSE.
https://fedorahosted.org/freeipa/ticket/3437
| -rw-r--r-- | install/share/schema_compat.uldif | 2 | ||||
| -rw-r--r-- | install/updates/10-schema_compat.update | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index a93b32771..40b96116d 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -70,7 +70,7 @@ add:cn: sudoers add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX' add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX' add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) -add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") add:schema-compat-entry-attribute: objectclass=sudoRole add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 9835bb8ce..e65e67afc 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -1,5 +1,7 @@ dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")' replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")' + # Change padding for host and userCategory so the pad returns the same value # as the original, '' or -. dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config |