[Freeipa-devel] Disabling Schema Compatibility rule

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 4 09:10:47 UTC 2016


On Fri, 04 Mar 2016, Martin Kosek wrote:
>Hi Alexander and others,
>
>As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older
>will be able to disable the sudoers schema compatibility tree
>(cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>
>Right now, I am only aware of an attribute to disable the whole Schema Compat
>plugin (exposed via ipa-compat-manage tool), but this would not fly for people
>with legacy clients reading from Compat tree.
>
>I am thinking, is there an easy way we can recommend to admins on how to
>disable just certain Schema Compatibility rules? Ideally having a config
>option something like:
>
>schema-compat-enabled: on|off
>
>That could be changed via ldapmodify.
>
>[1] https://fedorahosted.org/sssd/ticket/1108
There is nothing like that in slapi-nis. If you want to remove container
configuration, you just remove it.

So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config"'
is our simplest way.

One can create an update file for ipa-ldap-updater, for example:
--8<--8<--8<--8<--8<--8<--8<--
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
-->8-->8-->8-->8-->8-->8-->8--

and then run it as 
ipa-ldap-updater ./89-remove-sudo-compat-tree.update

I'm not sure if running server upgrade would not restore the
configuration, though.

On the other hand, if no users are going to use the configuration, it
should not hurt anymore to have it enabled. With current slapi-nis state
there should be no problems anymore.
-- 
/ Alexander Bokovoy
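The thread's precondition for removing the sudoers compat container is that no client still reads it. One way to verify that before running the ldapdelete or the update file above is to look at the 389-ds access log for searches at or below the compat sudoers tree. The script below is an added example, not code from the thread or from FreeIPA/slapi-nis; it assumes the standard 389-ds access log format, a suffix of dc=example,dc=com, and that the compat tree is published at ou=sudoers,<suffix> while native rules live under cn=sudorules,cn=sudo,<suffix>. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of 389-ds access log lines (not taken from the thread).
# Assumed suffix: dc=example,dc=com. conn=101 and conn=103 read the compat
# sudoers tree; conn=102 reads the native IPA sudo rules and is not counted.
SAMPLE_ACCESS_LOG = """\
[04/Mar/2016:09:10:47 +0000] conn=101 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[04/Mar/2016:09:10:47 +0000] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Mar/2016:09:10:48 +0000] conn=101 op=1 SRCH base="ou=sudoers,dc=example,dc=com" scope=2 filter="(objectClass=sudoRole)" attrs=ALL
[04/Mar/2016:09:10:49 +0000] conn=102 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[04/Mar/2016:09:10:49 +0000] conn=102 op=1 SRCH base="cn=sudorules,cn=sudo,dc=example,dc=com" scope=2 filter="(objectClass=ipasudorule)" attrs=ALL
[04/Mar/2016:09:10:50 +0000] conn=103 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
[04/Mar/2016:09:10:50 +0000] conn=103 op=1 SRCH base="cn=sudo-1,ou=sudoers,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Mar/2016:09:10:51 +0000] conn=101 op=2 UNBIND
"""

# "connection from" lines tie a conn id to the client address.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
# SRCH lines carry the search base we care about.
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)"')


def _norm_dn(dn):
    """Cheap DN normalisation: drop whitespace around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def compat_sudoers_readers(log_text, suffix="dc=example,dc=com"):
    """Return {client_ip: search_count} for searches at or below ou=sudoers,<suffix>.

    Clients that only read the native tree (cn=sudorules,cn=sudo,<suffix>)
    are not reported. An empty dict means nobody in this log window still
    depends on the compat sudoers container.
    """
    compat_base = _norm_dn(f"ou=sudoers,{suffix}")
    conn_ip = {}
    readers = defaultdict(int)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m:
            continue
        conn, base = m.group(1), _norm_dn(m.group(2))
        # A search whose base is the compat container or an entry below it
        # is a legacy client still using the compat tree.
        if base == compat_base or base.endswith("," + compat_base):
            readers[conn_ip.get(conn, "unknown")] += 1
    return dict(readers)


def safe_to_remove_compat_sudoers(log_text, suffix="dc=example,dc=com"):
    """True when the log shows no reader of the compat sudoers tree."""
    return not compat_sudoers_readers(log_text, suffix)


if __name__ == "__main__":
    # Usage on a real server would read /var/log/dirsrv/slapd-<INSTANCE>/access
    # (path assumed) over a period long enough to cover all clients' refresh cycles.
    for ip, count in sorted(compat_sudoers_readers(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip}: {count} search(es) under the compat sudoers tree")
    print("safe to remove:", safe_to_remove_compat_sudoers(SAMPLE_ACCESS_LOG))
```

The check only sees what the access log saw, so run it over a window that covers every client's SSSD refresh interval before treating an empty result as proof that the container is unused.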