author | Alexander Bokovoy <abokovoy@redhat.com> | 2014-02-20 12:18:16 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-04-04 08:45:43 +0200 |
commit | ad6480f845e91479647a2a6d509565e59c4aa480 (patch) | |
tree | ff1b87f35c5fd359266d0229fbc29ef095f1995a /install | |
parent | 480eba26a14cc616c4c336a6db69fb8ba66a0a60 (diff) | |
schema-compat: set precedence to 49 to allow OTP binds over compat tree

schema-compat plugin rewrites bind DN to point to the original entry
on LDAP bind operation. To work with OTP tokens this requires that
schema-compat's pre-bind callback is called before pre-bind callback of
the ipa-pwd-extop plugin. Therefore, schema-compat plugin should have
a nsslapd-pluginprecedence value lower than (default) 50 which is used
by the ipa-pwd-extop plugin.

Note that this will only work if ticket 47699 is fixed in 389-ds.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>

Diffstat (limited to 'install')
-rw-r--r-- | install/share/schema_compat.uldif | 4 |
-rw-r--r-- | install/updates/10-schema_compat.update | 7 |
2 files changed, 11 insertions, 0 deletions
diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 40b96116d..9a9607eeb 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -13,6 +13,10 @@ default:nsslapd-plugininitfunc: schema_compat_plugin_init default:nsslapd-plugintype: object default:nsslapd-pluginenabled: on default:nsslapd-pluginid: schema-compat-plugin +# We need to run schema-compat pre-bind callback before +# other IPA pre-bind callbacks to make sure bind DN is +# rewritten to the original entry if needed +default:nsslapd-pluginprecedence: 49 default:nsslapd-pluginversion: 0.8 default:nsslapd-pluginbetxn: on default:nsslapd-pluginvendor: redhat.com diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index 1199ef386..505bfcaa8 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -23,3 +23,10 @@ default:schema-compat-entry-attribute: macAddress=%{macAddress} dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} + +dn: cn=Schema Compatibility,cn=plugins,cn=config +# We need to run schema-compat pre-bind callback before +# other IPA pre-bind callbacks to make sure bind DN is +# rewritten to the original entry if needed +add:nsslapd-pluginprecedence: 49 + |
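Review bot: In install/share/schema_compat.uldif the new comment above `default:nsslapd-pluginprecedence: 49` says only "other IPA pre-bind callbacks", so the reason for the specific value 49 is not recoverable from the file. The commit message ties it to ipa-pwd-extop running at the default precedence of 50 and to ticket 47699 in 389-ds; I would put both facts in the comment, so that anyone who later assigns an explicit precedence to ipa-pwd-extop, or deploys against a 389-ds without that fix, can see that OTP binds over the compat tree depend on this ordering.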
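Review bot: In install/updates/10-schema_compat.update the new stanza uses `add:nsslapd-pluginprecedence: 49` where the uldif uses `default:`. Please confirm what the updater does when cn=Schema Compatibility already carries a different nsslapd-pluginprecedence on an upgraded server: `add:` appends a value rather than replacing one, so an existing setting could either block the change or leave the plugin at a precedence that does not run before ipa-pwd-extop. If 49 must always win, a directive that sets the single value would express that more directly. The three-line comment is also duplicated verbatim from the uldif and has the same gap about why 49 was chosen, and the hunk ends by adding an empty line after the stanza that can be dropped.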