Fix nsslapdPlugin object class after initial replication.

This is a workaround for <https://fedorahosted.org/389/ticket/47490>.

https://fedorahosted.org/freeipa/ticket/3915

4 files changed, 13 insertions, 11 deletions

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 5fff55bd1..58d568959 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -68,6 +68,7 @@ app_DATA =				\
 	copy-schema-to-ca.py		\
 	upload-cacert.ldif		\
 	sasl-mapping-fallback.ldif	\
+	schema-update.ldif		\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/schema-update.ldif b/install/share/schema-update.ldif
new file mode 100644
index 000000000..93ff79ebf
--- /dev/null
+++ b/install/share/schema-update.ldif
@@ -0,0 +1,7 @@
+# FIXME: https://fedorahosted.org/389/ticket/47490
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 06f9e3a4b..35b705281 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -346,6 +346,7 @@ class DsInstance(service.Service):
         self.__common_setup(True)
 
         self.step("setting up initial replication", self.__setup_replica)
+        self.step("updating schema", self.__update_schema)
         # See LDIFs for automember configuration during replica install
         self.step("setting Auto Member configuration", self.__add_replica_automember_config)
         self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
@@ -368,6 +369,10 @@ class DsInstance(service.Service):
                                r_bindpw=self.dm_password)
         self.run_init_memberof = repl.needs_memberof_fixup()
 
+    def __update_schema(self):
+        # FIXME: https://fedorahosted.org/389/ticket/47490
+        self._ldap_mod("schema-update.ldif")
+
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
         # At the end of the installation ipa-server-install will enable the
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 3c59db853..a16e4d5f0 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -252,17 +252,6 @@ class KrbInstance(service.Service):
         # we need to remove any existing SASL mappings in the directory as otherwise they
         # they may conflict.
 
-        # FIXME: https://fedorahosted.org/389/ticket/47490
-        entry = self.admin_conn.get_entry(
-            DN(('cn', 'schema')), ['objectClasses'])
-        entry['objectClasses'].append(
-            "( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' "
-            "DESC 'Netscape defined objectclass' SUP top "
-            "MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ "
-            "nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) "
-            "X-ORIGIN 'Netscape Directory Server' )")
-        self.admin_conn.update_entry(entry)
-
         try:
             res = self.admin_conn.get_entries(
                 DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),