Fill ipakrbprincipalalias on upgrades

From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106

1 files changed, 6 insertions, 1 deletions

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 120eb6076..a3d436e61 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -221,8 +221,9 @@ class service(LDAPObject):
     object_name_plural = _('services')
     object_class = [
         'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject',
-        'ipaservice', 'pkiuser', 'ipakrbprincipal'
+        'ipaservice', 'pkiuser'
     ]
+    possible_objectclasses = ['ipakrbprincipal']
     search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
     default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
         'ipakrbauthzdata',]
@@ -327,6 +328,10 @@ class service_add(LDAPCreate):
         # schema
         entry_attrs['ipakrbprincipalalias'] = keys[-1]
 
+        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
+        # in a list of default objectclasses, add it manually
+        entry_attrs['objectclass'].append('ipakrbprincipal')
+
         return dn
 
 api.register(service_add)