From fbdfd688b9d04cfef3cd595a26c4cbf49f30e0f1 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 12 May 2015 18:11:07 +0200
Subject: Server Upgrade: Fix uniqueness plugins

Due previous changes (in master branch only) the uniqueness plugins
became misconfigured.

After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are exluded from check

This reverts some changes in commit
52b7101c1148618d5c8e2ec25576cc7ad3e9b7bb

Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.

https://fedorahosted.org/freeipa/ticket/4921

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/share/unique-attributes.ldif | 12 ++++++------
 install/updates/10-uniqueness.update | 20 ++++++--------------
 2 files changed, 12 insertions(+), 20 deletions(-)

(limited to 'install')

diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif
index 7e1e53fbc..60f2c3470 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -14,8 +14,8 @@ nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 uniqueness-across-all-subtrees: on
 
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
@@ -34,8 +34,8 @@ nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 uniqueness-across-all-subtrees: on
 
 dn: cn=netgroup uniqueness,cn=plugins,cn=config
@@ -72,8 +72,8 @@ nsslapd-pluginId: NSUniqueAttr
 nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
-uniqueness-subtrees: cn=accounts,$SUFFIX
-uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+uniqueness-subtrees: $SUFFIX
+uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 uniqueness-across-all-subtrees: on
 
 dn: cn=sudorule name uniqueness,cn=plugins,cn=config
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update
index 2c9f1c555..dd8ec3a75 100644
--- a/install/updates/10-uniqueness.update
+++ b/install/updates/10-uniqueness.update
@@ -59,8 +59,8 @@ default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
 default:nsslapd-pluginType: preoperation
 default:nsslapd-pluginEnabled: on
 default:uniqueness-attribute-name: uid
-default:uniqueness-subtrees: cn=accounts,$SUFFIX
-default:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+default:uniqueness-subtrees: $SUFFIX
+default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 default:uniqueness-across-all-subtrees: on
 default:uniqueness-subtree-entries-oc: posixAccount
 default:nsslapd-plugin-depends-on-type: database
@@ -71,30 +71,22 @@ default:nsslapd-pluginDescription: Enforce unique attribute values
 
 # uid uniqueness scopes Active/Delete containers
 dn: cn=uid uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 remove:uniqueness-across-all-subtrees: off
 add:uniqueness-across-all-subtrees: on
 add:uniqueness-subtree-entries-oc: posixAccount
 
 # krbPrincipalName uniqueness scopes Active/Delete containers
 dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
 
 # krbCanonicalName uniqueness scopes Active/Delete containers
 dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
 
 # ipaUniqueID uniqueness scopes Active/Delete containers
 dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
-remove:uniqueness-subtrees: $SUFFIX
-add:uniqueness-subtrees: cn=accounts,$SUFFIX
-add:uniqueness-subtrees: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
 add:uniqueness-across-all-subtrees: on
-- 
cgit