Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py3
-rw-r--r--ipaserver/install/plugins/update_anonymous_aci.py25
2 files changed, 20 insertions, 8 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3b841417..046480f0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -411,7 +411,8 @@ class DsInstance(service.Service):
"60basev3.ldif",
"60ipadns.ldif",
"61kerberos-ipav3.ldif",
- "65ipasudo.ldif"):
+ "65ipasudo.ldif",
+ "70ipaotp.ldif"):
target_fname = schema_dirname(self.serverid) + schema_fname
shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
os.chmod(target_fname, 0440) # read access for dirsrv user/group
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
index 2b7446ad..1e75113f 100644
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -20,8 +20,6 @@
from copy import deepcopy
from ipaserver.install.plugins import FIRST, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
-#from ipalib.frontend import Updater
-#from ipaserver.install.plugins import baseupdate
from ipalib import api
from ipalib.aci import ACI
from ipalib.plugins import aci
@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
aciname = u'Enable Anonymous access'
aciprefix = u'none'
ldap = self.obj.backend
+ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
+ filter = None
(dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
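Review bot: The added `targetfilter` string is a denylist with no comment explaining why these four object classes are excluded from the 'Enable Anonymous access' ACI. Any later object class that holds secrets will match the anonymous ACI until someone remembers to extend this literal. I would put a comment above it such as `# Token and RADIUS proxy entries must never match the anonymous read ACI; extend this list when adding object classes that hold secrets.` The purpose is inferred from the ACI name and the class names, so please confirm the wording. The new local `filter` also shadows the Python builtin, and `current_filter` would read better. The enclosing method starts and ends outside this hunk.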
@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
attrs = rawaci.target['targetattr']['expression']
+ rawfilter = rawaci.target.get('targetfilter', None)
+ if rawfilter is not None:
+ filter = rawfilter['expression']
update_attrs = deepcopy(attrs)
@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
needed_attrs.append(attr)
update_attrs.extend(needed_attrs)
- if len(attrs) == len(update_attrs):
+ if (len(attrs) == len(update_attrs) and
+ filter == targetfilter):
root_logger.debug("Anonymous ACI already update-to-date")
return (False, False, [])
- else:
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
for tmpaci in acistrs:
candidate = ACI(tmpaci)
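Review bot: `filter == targetfilter` is an exact string comparison, so an existing targetfilter that is equivalent but spelled differently is treated as out of date. The same applies to one an administrator has tightened with extra exclusions. In the last hunk `rawaci.set_target_filter(targetfilter)` then appears to replace it with the default, which would silently drop a stricter local rule on upgrade. `set_target_filter` is not visible here, so confirm whether it replaces or merges. Consider treating the ACI as current when the existing filter already excludes all four object classes, or at least state in a comment that local edits to this filter are overwritten.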
@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
acistrs.remove(tmpaci)
break
- rawaci.target['targetattr']['expression'] = update_attrs
+ if len(attrs) != len(update_attrs):
+ root_logger.debug("New Anonymous ACI attributes needed: %s",
+ needed_attrs)
+
+ rawaci.target['targetattr']['expression'] = update_attrs
+
+ if filter != targetfilter:
+ root_logger.debug("New Anonymous ACI targetfilter needed.")
+
+ rawaci.set_target_filter(targetfilter)
+
acistrs.append(unicode(rawaci))
entry_attrs['aci'] = acistrs
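Review bot: The message `"New Anonymous ACI targetfilter needed."` does not record which filter is being replaced, and it is emitted only at debug level even though the change alters what an anonymous bind can read. Logging the previous value, for example `root_logger.info("Replacing anonymous ACI targetfilter %r with %r", filter, targetfilter)`, would leave a trail in the upgrade log for anyone auditing why access changed. Indentation is lost on this page, so it is not clear whether `rawaci.set_target_filter(targetfilter)` sits inside the `if filter != targetfilter:` branch. A short comment stating the intent would help either way.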