author | Martin Basti <mbasti@redhat.com> | 2015-05-12 18:11:07 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-05-19 12:45:41 +0000 |
commit | fbdfd688b9d04cfef3cd595a26c4cbf49f30e0f1 (patch) | |
tree | 596f43ec2f6f4da6d9640fdaa55b15e18f1d8efb | |
parent | 99c0b918a7cdf4ea6f24b4cbe687d9cafd21de24 (diff) | |
Server Upgrade: Fix uniqueness plugins
Due to previous changes (in master branch only) the uniqueness plugins
became misconfigured.
After this patch:
* the whole $SUFFIX will be checked by the uniqueness plugins
* only staged users are excluded from the check
This reverts some changes in commit
52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb
Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.
https://fedorahosted.org/freeipa/ticket/4921
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | freeipa.spec.in | 6 | ||||
-rw-r--r-- | install/share/unique-attributes.ldif | 12 | ||||
-rw-r--r-- | install/updates/10-uniqueness.update | 20 |
3 files changed, 15 insertions, 23 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2bf14ef9e..737364556 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -34,7 +34,7 @@ Source0: freeipa-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.3.9
+BuildRequires: 389-ds-base-devel >= 1.3.4.a1
 BuildRequires: svrcore-devel
 BuildRequires: policycoreutils >= 2.1.12-5
 BuildRequires: systemd-units
@@ -109,7 +109,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.3.9
+Requires: 389-ds-base >= 1.3.4.a1
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -144,7 +144,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.76.8
-Requires(pre): 389-ds-base >= 1.3.3.9
+Requires(pre): 389-ds-base >= 1.3.4.a1
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 7e1e53fbc..60f2c3470 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -14,8 +14,8 @@ nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 uniqueness-across-all-subtrees: on
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
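Review bot: Excluding `cn=staged users,cn=accounts,cn=provisioning,$SUFFIX` in the `@@ -14,8` hunk of unique-attributes.ldif (and again at `@@ -34,8` and `@@ -72,8`) means an entry in that container can hold a value that already exists elsewhere under `$SUFFIX` without the plugin rejecting it. The uniqueness guarantee for these attributes then depends on the check firing when a staged entry is moved into an active container, and nothing in this diff shows that path. Once that behaviour is confirmed, a comment above each changed entry would record the assumption, for example `# staged users are exempt; uniqueness is enforced when the entry is activated`. The entries these hunks modify begin above the visible context, so their `dn:` lines are not shown here.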
@@ -34,8 +34,8 @@ nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 uniqueness-across-all-subtrees: on
 dn: cn=netgroup uniqueness,cn=plugins,cn=config
@@ -72,8 +72,8 @@ nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 uniqueness-across-all-subtrees: on
 dn: cn=sudorule name uniqueness,cn=plugins,cn=config
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 2c9f1c555..dd8ec3a75 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -59,8 +59,8 @@ default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
 default:nsslapd-pluginType: preoperation
 default:nsslapd-pluginEnabled: on
 default:uniqueness-attribute-name: uid
-default:uniqueness-subtrees: cn=accounts,$SUFFIX
-default:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+default:uniqueness-subtrees: $SUFFIX
+default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 default:uniqueness-across-all-subtrees: on
 default:uniqueness-subtree-entries-oc: posixAccount
 default:nsslapd-plugin-depends-on-type: database
@@ -71,30 +71,22 @@ default:nsslapd-pluginDescription: Enforce unique attribute values
 # uid uniqueness scopes Active/Delete containers
 dn: cn=uid uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 remove:uniqueness-across-all-subtrees: off
 add:uniqueness-across-all-subtrees: on
 add:uniqueness-subtree-entries-oc: posixAccount
 # krbPrincipalName uniqueness scopes Active/Delete containers
 dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
 # krbCanonicalName uniqueness scopes Active/Delete containers
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
 # ipaUniqueID uniqueness scopes Active/Delete containers
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on |
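Review bot: The `@@ -71,30` hunk of 10-uniqueness.update deletes the `remove:uniqueness-subtrees: $SUFFIX` and `add:uniqueness-subtrees: cn=accounts,$SUFFIX` directives but adds nothing that undoes them, so a server that already ran the earlier update would presumably keep the narrowed scope and only gain the exclusion. If such servers can exist (the description says the earlier change was in master only), each of the four entries needs `add:uniqueness-subtrees: $SUFFIX` plus `remove:uniqueness-subtrees: cn=accounts,$SUFFIX` and `remove:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX`. Without that, uid and principal uniqueness on those servers would not cover the rest of `$SUFFIX`. The context comments still read `scopes Active/Delete containers`; wording such as `# uid uniqueness covers $SUFFIX except staged users` would match the new scope.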