From 8192e2f8c19acbc0c20903b54707cb42aec6e778 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Thu, 16 Jun 2016 16:28:03 +0200
Subject: Make sure ipapwd_extop takes precedence over passwd_modify_extop

DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)

IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)

In addition make sure that slapi-nis has a low precedence

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/share/schema_compat.uldif       | 2 +-
 install/updates/10-ipapwd.update        | 9 +++++++++
 install/updates/10-schema_compat.update | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 install/updates/10-ipapwd.update

(limited to 'install')

diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif
index a3d412f7a..66f8ea1c3 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin
 # We need to run schema-compat pre-bind callback before
 # other IPA pre-bind callbacks to make sure bind DN is
 # rewritten to the original entry if needed
-default:nsslapd-pluginprecedence: 49
+default:nsslapd-pluginprecedence: 40
 default:nsslapd-pluginversion: 0.8
 default:nsslapd-pluginbetxn: on
 default:nsslapd-pluginvendor: redhat.com
diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update
new file mode 100644
index 000000000..d9bffa279
--- /dev/null
+++ b/install/updates/10-ipapwd.update
@@ -0,0 +1,9 @@
+dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+# DS core server provides a default plugin (passwd_modify_extop) to handle
+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
+# the pluginprecedence of the passwd_modify_extop is 50 (default value)
+#
+# IPA delivers ipa_pwd_extop plugin to handle that extended op
+# we need to make sure ipa_pwd_extop is called and so to set a lower
+# precedence value
+add:nsslapd-pluginprecedence: 49
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 2d257a328..e4c257d32 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config
 # We need to run schema-compat pre-bind callback before
 # other IPA pre-bind callbacks to make sure bind DN is
 # rewritten to the original entry if needed
-add:nsslapd-pluginprecedence: 49
+add:nsslapd-pluginprecedence: 40
 
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
-- 
cgit