From fd5b0aac0c62edaec28bf0589be10583e82f8cc2 Mon Sep 17 00:00:00 2001 From: Jr Aquino Date: Thu, 21 Jul 2011 15:55:07 -0700 Subject: [PATCH] 38 Move Managed Entries into their own container in the replicated space. Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for migrating any and all custom Managed Entries from the cn=config space into the new container. The Managed Entries plugin configurations weren't being created on replica installs. This patch addresses two seperate tickets and accounts for new installs, replica installs, and upgrades. https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation extended solution --- install/share/Makefile.am | 1 + install/share/host_nis_groups.ldif | 6 +- install/share/managed-entries.ldif | 22 +++++++++ install/share/user_private_groups.ldif | 6 +- install/updates/19-managed-entries.update | 17 +++++++ install/updates/20-host_nis_groups.update | 22 ++++++--- install/updates/20-user_private_groups.update | 19 +++++++- install/updates/50-suppress-upg.update | 2 - install/updates/Makefile.am | 2 +- ipaserver/install/dsinstance.py | 6 +++ ipaserver/install/ldapupdate.py | 58 +++++++++++++++++++++++++ 11 files changed, 142 insertions(+), 19 deletions(-) create mode 100644 install/share/managed-entries.ldif create mode 100644 install/updates/19-managed-entries.update delete mode 100644 install/updates/50-suppress-upg.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index c636109..2ef6d4c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -42,6 +42,7 @@ app_DATA = \ schema_compat.uldif \ ldapi.ldif \ wsgi.py \ + managed-entries.ldif \ user_private_groups.ldif \ host_nis_groups.ldif \ uuid-ipauniqueid.ldif \ 
diff --git a/install/share/host_nis_groups.ldif b/install/share/host_nis_groups.ldif index bb28c59..096a881 100644 --- a/install/share/host_nis_groups.ldif +++ b/install/share/host_nis_groups.ldif @@ -1,4 +1,4 @@ -dn: cn=NGP HGP Template,cn=etc,$SUFFIX +dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: mepTemplateEntry cn: NGP HGP Template @@ -13,11 +13,11 @@ mepMappedAttr: description: ipaNetgroup $$cn # Changes to this definition need to be reflected in # updates/20-host_nis_groups.update -dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config +dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: extensibleObject cn: NGP Definition originScope: cn=hostgroups,cn=accounts,$SUFFIX originFilter: objectclass=ipahostgroup managedBase: cn=ng,cn=alt,$SUFFIX -managedTemplate: cn=NGP HGP Template,cn=etc,$SUFFIX +managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX diff --git a/install/share/managed-entries.ldif b/install/share/managed-entries.ldif new file mode 100644 index 0000000..3e8b8df --- /dev/null +++ b/install/share/managed-entries.ldif @@ -0,0 +1,22 @@ +dn: cn=Managed Entries,cn=plugins,cn=config +changetype: modify +add: nsslapd-pluginConfigArea +nsslapd-pluginConfigArea: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX + +dn: cn=Managed Entries,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: Managed Entries + +dn: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: Templates + +dn: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: Definitions diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif index 9aed09b..0d5656d 100644 --- a/install/share/user_private_groups.ldif +++ b/install/share/user_private_groups.ldif 
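Review bot: In managed-entries.ldif the `nsslapd-pluginConfigArea` modify on `cn=Managed Entries,cn=plugins,cn=config` is applied first, pointing the plugin at `cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX` before that container and its parent are created by the three `changetype: add` entries that follow; moving the modify to the end of the file makes the target exist before the plugin is told about it, however the plugin happens to treat a missing config area. The `add:` form also fails if the attribute is already present, so this file is only safe on a fresh server; the idempotent `default:` form lives in 19-managed-entries.update, which is fine as long as dsinstance never applies this LDIF to an already-configured instance. Relocating the definitions out of cn=config also moves them from a Directory Manager-only area into the replicated suffix where the suffix ACIs apply; no ACI is added in this patch, so it is worth confirming that existing ACIs under cn=etc do not grant write access to the new containers, since a definition's originScope/originFilter/managedBase decide which entries the plugin creates automatically.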
@@ -1,4 +1,4 @@ -dn: cn=UPG Template,cn=etc,$SUFFIX +dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: mepTemplateEntry cn: UPG Template @@ -12,12 +12,12 @@ mepMappedAttr: description: User private group for $$uid # Changes to this definition need to be reflected in # updates/20-user_private_groups.update -dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config +dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: extensibleObject cn: UPG Definition originScope: cn=users,cn=accounts,$SUFFIX originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__))) managedBase: cn=groups,cn=accounts,$SUFFIX -managedTemplate: cn=UPG Template,cn=etc,$SUFFIX +managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX diff --git a/install/updates/19-managed-entries.update b/install/updates/19-managed-entries.update new file mode 100644 index 0000000..04d6efe --- /dev/null +++ b/install/updates/19-managed-entries.update @@ -0,0 +1,17 @@ +dn: cn=Managed Entries,cn=plugins,cn=config +default: nsslapd-pluginConfigArea: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX + +dn: cn=Managed Entries,cn=etc,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: Managed Entries + +dn: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: Templates + +dn: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: Definitions diff --git a/install/updates/20-host_nis_groups.update b/install/updates/20-host_nis_groups.update index 6629802..c6fe8d8 100644 --- a/install/updates/20-host_nis_groups.update +++ b/install/updates/20-host_nis_groups.update 
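Review bot: 19-managed-entries.update carries no comment explaining why it sorts ahead of the 20-*.update files, although the containers it creates must exist before 20-host_nis_groups.update and 20-user_private_groups.update add definitions and templates beneath them; a header such as `# Must run before 20-*.update: the containers created here hold the definitions and templates those files add.` would keep a later renumbering from silently breaking the order. Whether ldapupdate orders by file name, by DN length, or both is not visible in this patch, so the comment should state whichever guarantee actually applies.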
@@ -2,14 +2,22 @@ # This is required for replication. The template entry will get # replicated but the plugin configuration will not. -dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config +dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX +default:objectclass: mepTemplateEntry +default:cn: NGP HGP Template +default:mepRDNAttr: cn +default:mepStaticAttr: ipaUniqueId: autogenerate +default:mepStaticAttr: objectclass: ipanisnetgroup +default:mepStaticAttr: objectclass: ipaobject +default:mepStaticAttr: nisDomainName: $DOMAIN +default:mepMappedAttr: cn: $$cn +default:mepMappedAttr: memberHost: $$dn +default:mepMappedAttr: description: ipaNetgroup $$cn + +dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX default:objectclass: extensibleObject -default:cn: NGP Definition +only:cn: NGP Definition default:originScope: cn=hostgroups,cn=accounts,$SUFFIX default:originFilter: objectclass=ipahostgroup default:managedBase: cn=ng,cn=alt,$SUFFIX -default:managedTemplate: cn=NGP HGP Template,cn=etc,$SUFFIX - -# Fix an existing configuration with the wrong cn -dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config -only:cn: NGP Definition +default:managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX diff --git a/install/updates/20-user_private_groups.update b/install/updates/20-user_private_groups.update index 8c7baca..d54cc02 100644 --- a/install/updates/20-user_private_groups.update +++ b/install/updates/20-user_private_groups.update 
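Review bot: The retained header comment `# This is required for replication. The template entry will get replicated but the plugin configuration will not.` is now wrong: this hunk moves the definition from cn=config into `cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX`, so both the template and the definition live in the replicated suffix and the file's remaining purpose is creating the entries on upgraded servers. Replacing it with something like `# Creates the NGP template and definition in the replicated Managed Entries container on upgrade; the plugin config area now points at cn=Definitions, so cn=config no longer holds them.` keeps the explanation honest. The same stale comment heads 20-user_private_groups.update. The `only:cn: NGP Definition` line on a brand-new DN reads as a leftover of the deleted `# Fix an existing configuration with the wrong cn` block; `default:cn: NGP Definition` would match the other attributes unless `only:` is still needed for migrated entries whose cn was wrong, in which case a one-line comment saying so would help.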
@@ -2,10 +2,23 @@ # This is required for replication. The template entry will get # replicated but the plugin configuration will not. -dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config +dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX +default:objectclass: mepTemplateEntry +default:cn: UPG Template +default:mepRDNAttr: cn +default:mepStaticAttr: objectclass: posixgroup +default:mepStaticAttr: objectclass: ipaobject +default:mepStaticAttr: ipaUniqueId: autogenerate +default:mepMappedAttr: cn: $$uid +default:mepMappedAttr: gidNumber: $$uidNumber +default:mepMappedAttr: description: User private group for $$uid + + +dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX default:objectclass: extensibleObject +replace:originFilter:objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__))) default:cn: UPG Definition default:originScope: cn=users,cn=accounts,$SUFFIX -default:originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__))) +default:originFilter: objectclass=posixAccount default:managedBase: cn=groups,cn=accounts,$SUFFIX -default:managedTemplate: cn=UPG Template,cn=etc,$SUFFIX +default:managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX diff --git a/install/updates/50-suppress-upg.update b/install/updates/50-suppress-upg.update deleted file mode 100644 index 5717882..0000000 --- a/install/updates/50-suppress-upg.update +++ /dev/null @@ -1,2 +0,0 @@ -dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config -replace: originFilter:objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__))) diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index a50adca..89ebabf 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -7,6 +7,7 @@ app_DATA = \ 10-RFC4876.update \ 10-config.update \ 10-sudo.update \ + 19-managed-entries.update \ 20-aci.update \ 20-dna.update \ 20-host_nis_groups.update \ 
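Review bot: The `default:originFilter: objectclass=posixAccount` line now installs the filter that does not honour the `__no_upg__` suppression whenever the UPG Definition entry has no originFilter yet, while the `replace:originFilter:objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__)))` line above it only rewrites an existing value; unless ldapupdate applies `replace` after `default` within the same entry (not visible here), an entry created by this file keeps the unsuppressed filter until the updater runs again, and users tagged `__no_upg__` get private groups in the meantime. Using the full filter as the default, `default:originFilter: (&(objectclass=posixAccount)(!(description=__no_upg__)))`, while keeping the `replace:` line for migrated entries avoids depending on that ordering. The new template block is also followed by two blank lines where the other update files use one.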
@@ -21,7 +22,6 @@ app_DATA = \ 45-roles.update \ 50-lockout-policy.update \ 50-groupuuid.update \ - 50-suppress-upg.update \ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 99b0215..23555f2 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -252,6 +252,7 @@ class DsInstance(service.Service): self.step("adding default layout", self.__add_default_layout) self.step("adding delegation layout", self.__add_delegation_layout) self.step("adding replication acis", self.__add_replication_acis) + self.step("creating container for managed entries", self.__managed_entries) self.step("configuring user private groups", self.__user_private_groups) self.step("configuring netgroups from hostgroups", self.__host_nis_groups) self.step("creating default Sudo bind user", self.__add_sudo_binduser) @@ -497,6 +498,11 @@ class DsInstance(service.Service): def __config_lockout_module(self): self._ldap_mod("lockout-conf.ldif") + def __managed_entries(self): + if not has_managed_entries(self.fqdn, self.dm_password): + raise errors.NotFound(reason='Missing Managed Entries Plugin') + self._ldap_mod("managed-entries.ldif", self.sub_dict) + def __user_private_groups(self): if not has_managed_entries(self.fqdn, self.dm_password): raise errors.NotFound(reason='Missing Managed Entries Plugin') diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 4805dca..f9eb17a 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py 
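Review bot: `__managed_entries` repeats the `has_managed_entries(self.fqdn, self.dm_password)` probe that `__user_private_groups` already performs (and, judging by its name, `__host_nis_groups` too), so a fresh or replica install now binds and searches the directory once per step for the same answer, and each step raises the same generic `errors.NotFound(reason='Missing Managed Entries Plugin')`. Probing once before the steps are registered, or caching the result on the instance, would be cheaper and give one clear failure point; `has_managed_entries` itself is defined outside the hunk. A short docstring, `"""Create the replicated container that holds Managed Entries definitions and templates."""`, would also distinguish this step from the two plugin-configuration steps that follow it.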
@@ -418,6 +418,50 @@ class LDAPUpdate: return self.conn.getList(dn, scope, searchfilter, sattrs) + def __update_managed_entries(self): + """Update and move legacy Managed Entry Plugins.""" + + suffix = ipautil.realm_to_suffix(self.realm) + searchfilter = '(objectclass=*)' + definitions_managed_entries = [] + old_template_container = 'cn=etc,%s' % suffix + old_definition_container = 'cn=Managed Entries,cn=plugins,cn=config' + new = 'cn=Managed Entries,cn=etc,%s' % suffix + sub = ['cn=Definitions,', 'cn=Templates,'] + new_managed_entries = [] + old_templates = [] + try: + definitions_managed_entries = self.conn.getList(old_definition_container, ldap.SCOPE_ONELEVEL, searchfilter,[]) + except errors.NotFound, e: + pass + for entry in definitions_managed_entries: + new_entry = {} + definition_managed_entry_updates = {} + old_entry = {'dn': entry.dn, 'deleteentry': ['dn: %s' % entry.dn]} + old_template = entry.getValue('managedtemplate') + entry.setValues('managedtemplate', entry.getValue('managedtemplate').replace(old_template_container, sub[1] + new)) + new_entry['dn'] = entry.dn.replace(old_definition_container, sub[0] + new) + new_entry['default'] = str(entry).strip().replace(': ', ':').split('\n')[1:] + definition_managed_entry_updates[new_entry['dn']] = new_entry + definition_managed_entry_updates[old_entry['dn']] = old_entry + old_templates.append(old_template) + new_managed_entries.append(definition_managed_entry_updates) + for old_template in old_templates: + try: + template = self.conn.getEntry(old_template, ldap.SCOPE_BASE, searchfilter,[]) + except errors.NotFound, e: + pass + new_entry = {} + template_managed_entry_updates = {} + old_entry = {'dn': template.dn, 'deleteentry': ['dn: %s' % template.dn]} + new_entry['dn'] = template.dn.replace(old_template_container, sub[1] + new) + new_entry['default'] = str(template).strip().replace(': ', ':').split('\n')[1:] + template_managed_entry_updates[new_entry['dn']] = new_entry + 
template_managed_entry_updates[old_entry['dn']] = old_entry + new_managed_entries.append(template_managed_entry_updates) + + return new_managed_entries + def __apply_updates(self, updates, entry): """updates is a list of changes to apply entry is the thing to apply them to @@ -701,6 +745,20 @@ class LDAPUpdate: (all_updates, dn_list) = self.parse_update_file(data, all_updates, dn_list) + # Process Managed Entry Updates + managed_entries = self.__update_managed_entries() + managed_entry_dns = [[m[entry]['dn'] for entry in m] for m in managed_entries] + l = len(dn_list.keys()) + + # Add Managed Entry DN's to the DN List + for dn in managed_entry_dns: + l+=1 + dn_list[l] = dn + + # Add Managed Entry Updates to All Updates List + for managed_entry in managed_entries: + all_updates.update(managed_entry) + # For adds and updates we want to apply updates from shortest # to greatest length of the DN. For deletes we want the reverse. sortedkeys = dn_list.keys() -- 1.7.4.4
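Review bot: In the template loop of `__update_managed_entries`, `except errors.NotFound, e: pass` falls through to `template.dn` with `template` either unbound (first iteration, `UnboundLocalError`) or still holding the previous iteration's entry, which would then be queued for deletion and re-added under a second DN; the handler should `continue` so a definition whose template is already gone is skipped rather than corrupting the update list. Separately, `str(entry).strip().replace(': ', ':')` rewrites every `': '` in the entry, not only the attribute separator, so values such as the `mepMappedAttr: description: ipaNetgroup $$cn` form visible in the templates lose the space after their inner colon; applying the replacement once per line, `[line.replace(': ', ':', 1) for line in str(entry).strip().split('\n')[1:]]`, keeps the values intact, and the same change applies to the template branch. The unused `e` in both handlers can be dropped; the file's imports (`ldap`, `ipautil`) are outside the hunk, as is the class header.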
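Review bot: `dn_list[l] = dn` stores a two-element list (the new DN and the old DN of one migrated entry) under a single key, whereas the keys populated by `parse_update_file` presumably map to one DN each; if the sort that follows (`sortedkeys = dn_list.keys()`, applied shortest-to-longest for adds and reversed for deletes per the context comment) measures the value's length, every migrated pair sorts as length 2 rather than by DN, so a moved definition could be added before its `cn=Definitions` container or deleted in the wrong order. Flattening the pairs — `for pair in managed_entry_dns:` / `for dn in pair:` with one `dn_list` key per DN — gives each DN its own sort position. `l = len(dn_list.keys())` also assumes the keys form a contiguous 1..N range; `max(dn_list or [0])` is robust if a key was ever skipped, and a name such as `next_key` avoids the lint-flagged single-letter `l`. The enclosing method starts and ends outside the hunk.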