-rw-r--r--install/share/bootstrap-template.ldif6
-rw-r--r--install/tools/man/ipa-ldap-updater.13
-rw-r--r--install/updates/50-groupuuid.update12
-rw-r--r--install/updates/Makefile.am3
-rw-r--r--ipaserver/install/ldapupdate.py10
5 files changed, 31 insertions, 3 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 0a81b63f2..ddfb68b30 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -188,11 +188,13 @@ objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
+objectClass: ipaobject
cn: admins
description: Account administrators group
gidNumber: $IDSTART
member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: False
+ipaUniqueID: autogenerate
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
@@ -201,9 +203,11 @@ objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: posixgroup
+objectClass: ipaobject
gidNumber: eval($IDSTART+1)
description: Default group for all users
cn: ipausers
+ipaUniqueID: autogenerate
dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
changetype: add
@@ -211,9 +215,11 @@ objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
+objectClass: ipaobject
gidNumber: eval($IDSTART+2)
description: Limited admins who can edit other users
cn: editors
+ipaUniqueID: autogenerate
dn: cn=sshd,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1
index 761ca14c4..487e80c36 100644
--- a/install/tools/man/ipa-ldap-updater.1
+++ b/install/tools/man/ipa-ldap-updater.1
@@ -29,7 +29,7 @@ An update file describes an LDAP entry and a set of operations to be performed o
Blank lines and lines beginning with # are ignored.
-There are 4 keywords:
+There are 7 keywords:
* default: the starting value
* add: add a value (or values) to an attribute
@@ -37,6 +37,7 @@ There are 4 keywords:
* only: set an attribute to this
* deleteentry: remove the entry
* replace: replace an existing value, format is old: new
+ * addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single-value attributes.
Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.
diff --git a/install/updates/50-groupuuid.update b/install/updates/50-groupuuid.update
new file mode 100644
index 000000000..55149656a
--- /dev/null
+++ b/install/updates/50-groupuuid.update
@@ -0,0 +1,12 @@
+# The groups added in bootstrap-template.ldif didn't include ipaUniqueId
+dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
+add:objectclass: ipaobject
+addifnew:ipaUniqueID: autogenerate
+
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
+add:objectclass: ipaobject
+addifnew:ipaUniqueID: autogenerate
+
+dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
+add:objectclass: ipaobject
+addifnew:ipaUniqueID: autogenerate
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1bf8e9caa..5765bf17d 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -13,8 +13,9 @@ app_DATA = \
20-winsync_index.update \
21-replicas_container.update \
40-delegation.update \
- 50-lockout-policy.update \
45-roles.update \
+ 50-lockout-policy.update \
+ 50-groupuuid.update \
$(NULL)
EXTRA_DIST = \
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 5a827fdfb..0b5c9441a 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -249,7 +249,7 @@ class LDAPUpdate:
def parse_update_file(self, data, all_updates, dn_list):
"""Parse the update file into a dictonary of lists and apply the update
for each DN in the file."""
- valid_keywords = ["default", "add", "remove", "only", "deleteentry", "replace"]
+ valid_keywords = ["default", "add", "remove", "only", "deleteentry", "replace", "addifnew"]
update = {}
d = ""
index = ""
@@ -461,6 +461,14 @@ class LDAPUpdate:
e.append(v)
logging.debug('add: updated value %s', e)
entry.setValues(k, e)
+ elif utype == 'addifnew':
+ logging.debug("addifnew: '%s' to %s, current value %s", v, k, e)
+ # Only add the attribute if it doesn't exist. Only works
+ # with single-value attributes.
+ if len(e) == 0:
+ e.append(v)
+ logging.debug('addifnew: set %s to %s', (k, e))
+ entry.setValues(k, e)
elif utype == 'only':
logging.debug("only: set %s to '%s', current value %s", k, v, e)
if only.get(k):
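Review bot: The second debug call in the new `addifnew` branch passes `(k, e)` as a single tuple argument to a format string with two `%s` placeholders. When debug logging is enabled the formatting fails, so the log reports a formatting error instead of the record of which attribute was set. Pass the values as separate arguments, matching the other branches: `logging.debug('addifnew: set %s to %s', k, e)`. The enclosing method starts and ends outside the hunk, so how `e` is populated before this branch is not visible here.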