authorPetr Viktorin <pviktori@redhat.com>2013-04-22 15:21:04 +0200
committerRob Crittenden <rcritten@redhat.com>2013-04-26 11:15:16 -0400
commitd4a0fa34afd30765e5ea6f0df21976a6494f13d6 (patch)
treec1624dfc264a2339111c49130d0245ca630e0ab5 /install
parente9863e3fe3cc5ca016c4e216ae3d34b750a34c73 (diff)
Fix syntax errors in schema files
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

This does not use the schema updater because the syntax needs to be fixed in the files themselves, otherwise 389 1.3.2+ will fail to start. Older DS versions transparently fix the syntax errors.

The existing ldap-updater directive for ipaSudoRule is fixed (ldap-updater runs after upgradeconfig).

https://fedorahosted.org/freeipa/ticket/3578
Diffstat (limited to 'install')
-rw-r--r--install/share/60ipadns.ldif2
-rw-r--r--install/share/65ipasudo.ldif2
-rw-r--r--install/tools/ipa-upgradeconfig65
-rw-r--r--install/updates/10-bind-schema.update2
-rw-r--r--install/updates/10-selinuxusermap.update2
5 files changed, 69 insertions, 4 deletions
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 0dcac04d0..437986d39 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -49,7 +49,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.14 NAME 'idnsForwardPolicy' DESC 'forw
attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of forwarders' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ DNSTTL $ DNSClass $ ARecord $ AAAARecord $ A6Record $ NSRecord $ CNAMERecord $ PTRRecord $ SRVRecord $ TXTRecord $ MXRecord $ MDRecord $ HINFORecord $ MINFORecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ LOCRecord $ NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $ DSRecord $ SSHFPRecord $ RRSIGRecord $ NSECRecord )
+objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ DNSTTL $ DNSClass $ ARecord $ AAAARecord $ A6Record $ NSRecord $ CNAMERecord $ PTRRecord $ SRVRecord $ TXTRecord $ MXRecord $ MDRecord $ HINFORecord $ MINFORecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ LOCRecord $ NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $ DSRecord $ SSHFPRecord $ RRSIGRecord $ NSECRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsName $ idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
diff --git a/install/share/65ipasudo.ldif b/install/share/65ipasudo.ldif
index 95ab4dd3f..c0d001472 100644
--- a/install/share/65ipasudo.ldif
+++ b/install/share/65ipasudo.ldif
@@ -32,7 +32,7 @@ attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to ide
## Attribute to store sudo command
attributeTypes: (2.16.840.1.113730.3.8.7.13 NAME 'sudoCmd' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch ORDERING caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
## Object class for SUDO rules
-objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $$ sudoOrder ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' )
## Object class for SUDO commands
objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' )
## Object class for groups of the SUDO commands
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 8ae54894b..c9574b961 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -777,6 +777,69 @@ def uninstall_selfsign(ds, http):
ds.stop_tracking_certificates()
http.stop_tracking_certificates()
+
+def fix_schema_file_syntax(ds):
+ """Fix syntax errors in schema files
+
+ https://fedorahosted.org/freeipa/ticket/3578
+ """
+ root_logger.info('[Fix DS schema file syntax]')
+
+ # This is not handled by normal schema updates, because pre-1.3.2 DS will
+ # ignore (auto-fix) these syntax errors, and 1.3.2 and above will choke on
+ # them before checking dynamic schema updates.
+
+ if sysupgrade.get_upgrade_state('ds', 'fix_schema_syntax'):
+ root_logger.info('Syntax already fixed')
+ return
+
+ serverid = dsinstance.realm_to_serverid(api.env.realm)
+
+ ds.stop(serverid)
+
+ ds_dir = dsinstance.config_dirname(serverid)
+
+ # 1. 60ipadns.ldif: Add parenthesis to idnsRecord
+
+ filename = os.path.join(ds_dir, 'schema', '60ipadns.ldif')
+ result_lines = []
+ with open(filename) as file:
+ for line in file:
+ line = line.strip('\n')
+ if (line.startswith('objectClasses:') and
+ "NAME 'idnsRecord'" in line and
+ line.count('(') == 2 and
+ line.count(')') == 1):
+ root_logger.debug('Add closing parenthesis in idnsRecord')
+ line += ' )'
+ result_lines.append(line)
+
+ with open(filename, 'w') as file:
+ file.write('\n'.join(result_lines))
+
+ # 2. 65ipasudo.ldif: Remove extra dollar from ipaSudoRule
+
+ filename = os.path.join(ds_dir, 'schema', '65ipasudo.ldif')
+ result_lines = []
+ with open(filename) as file:
+ for line in file:
+ line = line.strip('\n')
+ if (line.startswith('objectClasses:') and
+ "NAME 'ipaSudoRule'" in line):
+ root_logger.debug('Remove extra dollar sign in ipaSudoRule')
+ line = line.replace('$$', '$')
+ result_lines.append(line)
+
+ with open(filename, 'w') as file:
+ file.write('\n'.join(result_lines))
+
+ # Done
+
+ ds.start(serverid)
+
+ sysupgrade.set_upgrade_state('ds', 'fix_schema_syntax', True)
+
+
def main():
"""
Get some basics about the system. If getting those basics fail then
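Review bot: Between `ds.stop(serverid)` and `ds.start(serverid)` in fix_schema_file_syntax nothing handles a failure, so an exception from either `open()` call (missing file, permission error, full disk) aborts the upgrade with the directory server left stopped. Wrapping the two rewrite sections in `try:` … `finally: ds.start(serverid)` would at least attempt the restart, with `set_upgrade_state` kept after the block so a failed run is retried on the next upgrade. `open(filename, 'w')` also truncates the live schema file before the new content is written, so an interrupted write leaves a partial schema that 389 DS 1.3.2+ would presumably refuse to load; writing to a temporary file in the same directory and renaming it over the original, while keeping owner, mode and SELinux label, avoids that window. Separately, `'\n'.join(result_lines)` drops the file's final newline, which `file.write('\n'.join(result_lines) + '\n')` would keep.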
@@ -856,6 +919,8 @@ def main():
ds = dsinstance.DsInstance()
+ fix_schema_file_syntax(ds)
+
uninstall_selfsign(ds, http)
memcache = memcacheinstance.MemcacheInstance()
diff --git a/install/updates/10-bind-schema.update b/install/updates/10-bind-schema.update
index a708b3445..2f3fa0aba 100644
--- a/install/updates/10-bind-schema.update
+++ b/install/updates/10-bind-schema.update
@@ -80,4 +80,4 @@ dn: cn=schema
replace:objectClasses:( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY idnsUpdatePolicy )::( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsName $$ idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY ( idnsUpdatePolicy $$ idnsAllowQuery $$ idnsAllowTransfer $$ idnsAllowSyncPTR $$ idnsForwardPolicy $$ idnsForwarders ) )
replace:attributeTypes:"(1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)::( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )"
replace:attributeTypes: (0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)::( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-replace:objectClasses:"( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $$ idnsAllowDynUpdate $$ DNSTTL $$ DNSClass $$ ARecord $$ AAAARecord $$ A6Record $$ NSRecord $$ CNAMERecord $$ PTRRecord $$ SRVRecord $$ TXTRecord $$ MXRecord $$ MDRecord $$ HINFORecord $$ MINFORecord $$ AFSDBRecord $$ SIGRecord $$ KEYRecord $$ LOCRecord $$ NXTRecord $$ NAPTRRecord $$ KXRecord $$ CERTRecord $$ DNAMERecord $$ DSRecord $$ SSHFPRecord $$ RRSIGRecord $$ NSECRecord )::( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $$ DNSTTL $$ DNSClass $$ ARecord $$ AAAARecord $$ A6Record $$ NSRecord $$ CNAMERecord $$ PTRRecord $$ SRVRecord $$ TXTRecord $$ MXRecord $$ MDRecord $$ HINFORecord $$ MINFORecord $$ AFSDBRecord $$ SIGRecord $$ KEYRecord $$ LOCRecord $$ NXTRecord $$ NAPTRRecord $$ KXRecord $$ CERTRecord $$ DNAMERecord $$ DSRecord $$ SSHFPRecord $$ RRSIGRecord $$ NSECRecord )"
+replace:objectClasses:"( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $$ idnsAllowDynUpdate $$ DNSTTL $$ DNSClass $$ ARecord $$ AAAARecord $$ A6Record $$ NSRecord $$ CNAMERecord $$ PTRRecord $$ SRVRecord $$ TXTRecord $$ MXRecord $$ MDRecord $$ HINFORecord $$ MINFORecord $$ AFSDBRecord $$ SIGRecord $$ KEYRecord $$ LOCRecord $$ NXTRecord $$ NAPTRRecord $$ KXRecord $$ CERTRecord $$ DNAMERecord $$ DSRecord $$ SSHFPRecord $$ RRSIGRecord $$ NSECRecord ) )::( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $$ DNSTTL $$ DNSClass $$ ARecord $$ AAAARecord $$ A6Record $$ NSRecord $$ CNAMERecord $$ PTRRecord $$ SRVRecord $$ TXTRecord $$ MXRecord $$ MDRecord $$ HINFORecord $$ MINFORecord $$ AFSDBRecord $$ SIGRecord $$ KEYRecord $$ LOCRecord $$ NXTRecord $$ NAPTRRecord $$ KXRecord $$ CERTRecord $$ DNAMERecord $$ DSRecord $$ SSHFPRecord $$ RRSIGRecord $$ NSECRecord ) )"
diff --git a/install/updates/10-selinuxusermap.update b/install/updates/10-selinuxusermap.update
index f9af01fad..c5a5167a5 100644
--- a/install/updates/10-selinuxusermap.update
+++ b/install/updates/10-selinuxusermap.update
@@ -18,7 +18,6 @@ add:attributeTypes:
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
X-ORIGIN 'IPA v3')
- X-ORIGIN 'IPA v3')
replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder) )
# Add the default PAC service type relies on the new SELinux user map
@@ -41,6 +40,7 @@ add:objectClasses:
NAME 'ipaSELinuxUserMap' SUP ipaAssociation
STRUCTURAL MUST ipaSELinuxUser
MAY ( accessTime $$ seeAlso )
+ X-ORIGIN 'IPA v3')
# Create the SELinux User map container
dn: cn=selinux,$SUFFIX