diff options
| author | Thierry bordaz (tbordaz) <tbordaz@redhat.com> | 2014-10-29 16:23:03 +0100 |
|---|---|---|
| committer | Petr Vobornik <pvoborni@redhat.com> | 2014-11-06 09:38:45 +0100 |
| commit | 85eb17553f46bfb4446279037e324f825d3389bd (patch) | |
| tree | e8655a3f52c82b3b90df2dffb4e87dbc842b91c5 /install/updates | |
| parent | 4589ef133c3abf47568d6cda4eda726f316a475a (diff) | |
| download | freeipa-85eb17553f46bfb4446279037e324f825d3389bd.tar.gz freeipa-85eb17553f46bfb4446279037e324f825d3389bd.tar.xz freeipa-85eb17553f46bfb4446279037e324f825d3389bd.zip | |
Deadlock in schema compat plugin (between automember_update_membership task and dse update)
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restrict the schema compat to those subtrees. It replaces the definition of ignored subtrees
that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'install/updates')
| -rw-r--r-- | install/updates/10-schema_compat.update | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 7b75ba532..b8c79012d 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")' add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")' add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")' -add: schema-compat-ignore-subtree: cn=changelog -add: schema-compat-ignore-subtree: o=ipaca +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: '$SUFFIX' +add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' # Change padding for host and userCategory so the pad returns the same value # as the original, '' or -. dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})' -add: schema-compat-ignore-subtree: cn=changelog -add: schema-compat-ignore-subtree: o=ipaca +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: '$SUFFIX' +add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config default:objectClass: top @@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device default:schema-compat-entry-attribute: objectclass=ieee802Device default:schema-compat-entry-attribute: cn=%{fqdn} default:schema-compat-entry-attribute: macAddress=%{macAddress} -add: schema-compat-ignore-subtree: cn=changelog -add: schema-compat-ignore-subtree: o=ipaca +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: '$SUFFIX' +add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=changelog -add: schema-compat-ignore-subtree: o=ipaca +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: '$SUFFIX' +add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config -add: schema-compat-ignore-subtree: cn=changelog -add: schema-compat-ignore-subtree: o=ipaca +remove: schema-compat-ignore-subtree: cn=changelog +remove: schema-compat-ignore-subtree: o=ipaca +add: schema-compat-restrict-subtree: '$SUFFIX' +add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config' dn: cn=Schema Compatibility,cn=plugins,cn=config # We need to run schema-compat pre-bind callback before |