From 29f3336664ed85b9a4737411043bc45046181f09 Mon Sep 17 00:00:00 2001 From: Jr Aquino Date: Fri, 20 May 2011 14:15:09 -0700 Subject: [PATCH] 28 Move Managed Entries into their own container in the replicated space. Create: cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX Create method for migrating any and all custom Managed Entries from the cn=config space into the new container. The Managed Entries plugin configurations weren't being created on replica installs. This patch addresses two seperate tickets and accounts for new installs, replica installs, and upgrades. https://fedorahosted.org/freeipa/ticket/1181 - Managed Entry Tool / New Container https://fedorahosted.org/freeipa/ticket/1222 - Add Managed Entries during Replica installation --- install/share/Makefile.am | 1 + install/share/host_nis_groups.ldif | 10 +++-- install/share/managed-entries.ldif | 22 ++++++++++ install/share/user_private_groups.ldif | 8 ++- install/updates/19-managed-entries.update | 17 +++++++ install/updates/20-host_nis_groups.update | 27 ++++++++++++ install/updates/20-user_private_groups.update | 23 ++++++++++ install/updates/Makefile.am | 3 + ipaserver/install/dsinstance.py | 8 ++++ ipaserver/install/ldapupdate.py | 57 +++++++++++++++++++++++++ 10 files changed, 169 insertions(+), 7 deletions(-) create mode 100644 install/share/managed-entries.ldif create mode 100644 install/updates/19-managed-entries.update create mode 100644 install/updates/20-host_nis_groups.update create mode 100644 install/updates/20-user_private_groups.update diff --git a/install/share/Makefile.am b/install/share/Makefile.am index c636109..2ef6d4c 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -42,6 +42,7 @@ app_DATA = \ schema_compat.uldif \ ldapi.ldif \ wsgi.py \ + managed-entries.ldif \ user_private_groups.ldif \ host_nis_groups.ldif \ uuid-ipauniqueid.ldif \ 
diff --git a/install/share/host_nis_groups.ldif b/install/share/host_nis_groups.ldif index b29d982..1855e85 100644 --- a/install/share/host_nis_groups.ldif +++ b/install/share/host_nis_groups.ldif @@ -1,4 +1,6 @@ -dn: cn=NGP HGP Template,cn=etc,$SUFFIX +# Changes to this definition need to be reflected in +# updates/20-host_nis_groups.update +dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: mepTemplateEntry cn: NGP HGP Template @@ -11,11 +13,11 @@ mepMappedAttr: cn: $$cn mepMappedAttr: memberHost: $$dn mepMappedAttr: description: ipaNetgroup $$cn -dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config +dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: extensibleObject -cn: HGP Definition +cn: NGP Definition originScope: cn=hostgroups,cn=accounts,$SUFFIX originFilter: objectclass=ipahostgroup managedBase: cn=ng,cn=alt,$SUFFIX -managedTemplate: cn=NGP HGP Template,cn=etc,$SUFFIX +managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,,$SUFFIX diff --git a/install/share/managed-entries.ldif b/install/share/managed-entries.ldif new file mode 100644 index 0000000..3e8b8df --- /dev/null +++ b/install/share/managed-entries.ldif @@ -0,0 +1,22 @@ +dn: cn=Managed Entries,cn=plugins,cn=config +changetype: modify +add: nsslapd-pluginConfigArea +nsslapd-pluginConfigArea: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX + +dn: cn=Managed Entries,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: Managed Entries + +dn: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: Templates + +dn: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: Definitions diff --git a/install/share/user_private_groups.ldif b/install/share/user_private_groups.ldif index 9df729a..0901ac1 100644 
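Review bot: The new managedTemplate value in the second hunk carries a doubled comma, `cn=etc,,$SUFFIX`, which is not a valid DN (an empty RDN), so the Managed Entries plugin cannot resolve the template and fresh installs would get no netgroups generated from hostgroups. The UPG definition in user_private_groups.ldif and the copy in 20-host_nis_groups.update spell the same DN correctly, so this file is the odd one out. Change it to `managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX`. The comment at the top says changes here must be mirrored in the update file; a typo like this is exactly what drifts between the two copies, so it may be worth a note that the .update copy is authoritative for upgrades and replicas.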
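Review bot: managed-entries.ldif moves the plugin's configuration area out of cn=config, which only Directory Manager can write, into the replicated suffix, and it adds no ACI for the new cn=Managed Entries subtree. A definition entry under cn=Definitions instructs the plugin to create entries in whatever managedBase it names from whatever template it names, so any principal that can write there can have the server mint entries (a posixGroup with a chosen gidNumber, a netgroup) that it would otherwise refuse them; please verify that no existing allow ACI on $SUFFIX reaches cn=etc for non-admin principals, and record that expectation at the top of the file, e.g. `# Only Directory Manager/admins may write under cn=Managed Entries: definitions here drive automatic entry creation.` Separately, the modify that sets `nsslapd-pluginConfigArea` precedes the add of the container it points to; if the plugin validates that DN on modify (not established by this patch), the three adds should come first.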
--- a/install/share/user_private_groups.ldif +++ b/install/share/user_private_groups.ldif @@ -1,4 +1,6 @@ -dn: cn=UPG Template,cn=etc,$SUFFIX +# Changes to this definition need to be reflected in +# updates/20-user_private_groups.update +dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: mepTemplateEntry cn: UPG Template @@ -10,12 +12,12 @@ mepMappedAttr: cn: $$uid mepMappedAttr: gidNumber: $$uidNumber mepMappedAttr: description: User private group for $$uid -dn: cn=UPG Definition,cn=Managed Entries,cn=plugins,cn=config +dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX changetype: add objectclass: extensibleObject cn: UPG Definition originScope: cn=users,cn=accounts,$SUFFIX originFilter: objectclass=posixAccount managedBase: cn=groups,cn=accounts,$SUFFIX -managedTemplate: cn=UPG Template,cn=etc,$SUFFIX +managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX diff --git a/install/updates/19-managed-entries.update b/install/updates/19-managed-entries.update new file mode 100644 index 0000000..04d6efe --- /dev/null +++ b/install/updates/19-managed-entries.update @@ -0,0 +1,17 @@ +dn: cn=Managed Entries,cn=plugins,cn=config +default: nsslapd-pluginConfigArea: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX + +dn: cn=Managed Entries,cn=etc,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: Managed Entries + +dn: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: Templates + +dn: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: Definitions diff --git a/install/updates/20-host_nis_groups.update b/install/updates/20-host_nis_groups.update new file mode 100644 index 0000000..d45f51b --- /dev/null +++ b/install/updates/20-host_nis_groups.update 
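Review bot: 19-managed-entries.update repoints the plugin's configuration area on servers that are already running, and nothing in this patch establishes whether the Managed Entries plugin honours a changed `nsslapd-pluginConfigArea` without a dirsrv restart; if it does not, the definitions migrated into cn=Definitions in the same updater run stay inert until the next restart. A header comment stating the expectation, e.g. `# Changing the plugin config area takes effect on the next dirsrv restart; the upgrade path must restart the server after applying updates.`, would make that explicit for whoever runs ipa-ldap-updater by hand. Also note that `default:` never overwrites, so an administrator who had already pointed the plugin elsewhere keeps that value while the migration code still assumes cn=config as the source; a comment acknowledging that case is cheap.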
@@ -0,0 +1,27 @@
+# This is a copy of the definition from host_nis_groups.ldif
+# This is required for replication. The template entry will get
+# replicated but the plugin configuration will not.
+
+dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
+default:objectclass: mepTemplateEntry
+default:cn: NGP HGP Template
+default:mepRDNAttr: cn
+default:mepStaticAttr: ipaUniqueId: autogenerate
+default:mepStaticAttr: objectclass: ipanisnetgroup
+default:mepStaticAttr: objectclass: ipaobject
+default:mepStaticAttr: nisDomainName: $DOMAIN
+default:mepMappedAttr: cn: $$cn
+default:mepMappedAttr: memberHost: $$dn
+default:mepMappedAttr: description: ipaNetgroup $$cn
+
+dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,%SUFFIX
+default:objectclass: extensibleObject
+default:cn: NGP Definition
+default:originScope: cn=hostgroups,cn=accounts,$SUFFIX
+default:originFilter: objectclass=ipahostgroup
+default:managedBase: cn=ng,cn=alt,$SUFFIX
+default:managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
+
+# Fix an existing configuration with the wrong cn
+dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
+only:cn: NGP Definition
diff --git a/install/updates/20-user_private_groups.update b/install/updates/20-user_private_groups.update
new file mode 100644
index 0000000..4c67e42
--- /dev/null
+++ b/install/updates/20-user_private_groups.update
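Review bot: The NGP Definition entry's dn uses `%SUFFIX` where every other line in the file uses `$SUFFIX`, so the updater's variable substitution will leave the literal text in place and the add has no valid parent under cn=Definitions; since this file is what ticket 1222 relies on to deliver the definition to replicas, replicas would still have no hostgroup-to-netgroup management. Change it to `dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX`. The trailing `only:cn: NGP Definition` fix targets the legacy cn=config entry, which the migration in ldapupdate.py schedules for deletion in the same run; the relative ordering is decided outside this file, so a comment such as `# Only relevant on servers that have not yet migrated to cn=Definitions` would tell the next reader why it is harmless when the entry is already gone.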
@@ -0,0 +1,23 @@
+# This is a copy of the definition from user_private_groups.ldif
+# This is required for replication. The template entry will get
+# replicated but the plugin configuration will not.
+
+dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
+default:objectclass: mepTemplateEntry
+default:cn: UPG Template
+default:mepRDNAttr: cn
+default:mepStaticAttr: objectclass: posixgroup
+default:mepStaticAttr: objectclass: ipaobject
+default:mepStaticAttr: ipaUniqueId: autogenerate
+default:mepMappedAttr: cn: $$uid
+default:mepMappedAttr: gidNumber: $$uidNumber
+default:mepMappedAttr: description: User private group for $$uid
+
+
+dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
+default:objectclass: extensibleObject
+default:cn: UPG Definition
+default:originScope: cn=users,cn=accounts,$SUFFIX
+default:originFilter: objectclass=posixAccount
+default:managedBase: cn=groups,cn=accounts,$SUFFIX
+default:managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index c9d1584..1fd7c98 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -6,11 +6,14 @@ app_DATA = \
 10-RFC2307bis.update \
 10-RFC4876.update \
 10-config.update \
+ 19-managed-entries.update \
 20-aci.update \
 20-dna.update \
+ 20-host_nis_groups.update \
 20-indices.update \
 20-nss_ldap.update \
 20-replication.update \
+ 20-user_private_groups.update \
 20-winsync_index.update \
 21-replicas_container.update \
 40-delegation.update \
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 229e142..7eda472 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -252,6 +252,7 @@ class DsInstance(service.Service): self.step("adding default layout", self.__add_default_layout) self.step("adding delegation layout", self.__add_delegation_layout) self.step("adding replication acis", self.__add_replication_acis) + self.step("creating container for managed entries", self.__managed_entries) self.step("configuring user private groups", self.__user_private_groups) self.step("configuring netgroups from hostgroups", self.__host_nis_groups) self.step("creating default Sudo bind user", self.__add_sudo_binduser) @@ -289,6 +290,8 @@ class DsInstance(service.Service): self.step("setting up initial replication", self.__setup_replica) self.step("adding replication acis", self.__add_replication_acis) + # Managed Entries configuration is done via update files + self.__common_post_setup() self.start_creation("Configuring directory server", 60) @@ -485,6 +488,11 @@ class DsInstance(service.Service): def __config_lockout_module(self): self._ldap_mod("lockout-conf.ldif") + def __managed_entries(self): + if not has_managed_entries(self.fqdn, self.dm_password): + raise errors.NotFound(reason='Missing Managed Entries Plugin') + self._ldap_mod("managed-entries.ldif", self.sub_dict) + def __user_private_groups(self): if not has_managed_entries(self.fqdn, self.dm_password): raise errors.NotFound(reason='Missing Managed Entries Plugin') diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 9d36ddd..64d7114 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py 
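Review bot: The replica path in the second hunk skips the new container step and says Managed Entries configuration comes from the update files, but nothing in the hunk shows that the updater actually runs during replica installation (`__common_post_setup` is outside this view), so if it does not, a replica still ends up with no `nsslapd-pluginConfigArea` and ticket 1222 stays open; please make the comment concrete, e.g. `# Managed Entries containers/definitions are created on replicas by the 19-/20-*.update files applied from __common_post_setup`. In the third hunk `__managed_entries` repeats the `has_managed_entries` probe and `errors.NotFound` raise that `__user_private_groups` already performs (and, per the step list, `__host_nis_groups` presumably does too); since a missing plugin aborts the install either way, one small `__require_managed_entries_plugin` helper called from the three steps would keep that failure mode in a single place. The enclosing methods in the first two hunks begin and end outside the hunk.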
@@ -418,6 +418,49 @@ class LDAPUpdate: return self.conn.getList(dn, scope, searchfilter, sattrs) + def __update_managed_entries(self): + """Update and move legacy Managed Entry Plugins.""" + + suffix = ipautil.realm_to_suffix(self.realm) + searchfilter = '(objectclass=*)' + old_template_container = 'cn=etc,%s' % suffix + old_definition_container = 'cn=Managed Entries,cn=plugins,cn=config' + new = 'cn=Managed Entries,cn=etc,%s' % suffix + sub = ['cn=Definitions,', 'cn=Templates,'] + new_managed_entries = [] + old_templates = [] + try: + definitions_managed_entries = self.conn.getList(old_definition_container, ldap.SCOPE_ONELEVEL, searchfilter,[]) + except errors.NotFound, e: + pass + for entry in definitions_managed_entries: + new_entry = {} + definition_managed_entry_updates = {} + old_entry = {'dn': entry.dn, 'deleteentry': ['dn: %s' % entry.dn]} + old_template = entry.getValue('managedtemplate') + entry.setValues('managedtemplate', entry.getValue('managedtemplate').replace(old_template_container, sub[1] + new)) + new_entry['dn'] = entry.dn.replace(old_definition_container, sub[0] + new) + new_entry['default'] = str(entry).strip().replace(': ', ':').split('\n')[1:] + definition_managed_entry_updates[new_entry['dn']] = new_entry + definition_managed_entry_updates[old_entry['dn']] = old_entry + old_templates.append(old_template) + new_managed_entries.append(definition_managed_entry_updates) + for old_template in old_templates: + try: + template = self.conn.getEntry(old_template, ldap.SCOPE_BASE, searchfilter,[]) + except errors.NotFound, e: + pass + new_entry = {} + template_managed_entry_updates = {} + old_entry = {'dn': template.dn, 'deleteentry': ['dn: %s' % template.dn]} + new_entry['dn'] = template.dn.replace(old_template_container, sub[1] + new) + new_entry['default'] = str(template).strip().replace(': ', ':').split('\n')[1:] + template_managed_entry_updates[new_entry['dn']] = new_entry + template_managed_entry_updates[old_entry['dn']] = old_entry + 
new_managed_entries.append(template_managed_entry_updates) + + return new_managed_entries + def __apply_updates(self, updates, entry): """updates is a list of changes to apply entry is the thing to apply them to @@ -701,6 +744,20 @@ class LDAPUpdate: (all_updates, dn_list) = self.parse_update_file(data, all_updates, dn_list) + # Process Managed Entry Updates + managed_entries = self.__update_managed_entries() + managed_entry_dns = [[m[entry]['dn'] for entry in m] for m in managed_entries] + l = len(dn_list.keys()) + + # Add Managed Entry DN's to the DN List + for dn in managed_entry_dns: + l+=1 + dn_list[l] = dn + + # Add Managed Entry Updates to All Updates List + for managed_entry in managed_entries: + all_updates.update(managed_entry) + # For adds and updates we want to apply updates from shortest # to greatest length of the DN. For deletes we want the reverse. sortedkeys = dn_list.keys() -- 1.7.4.4
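Review bot: `__update_managed_entries` does not handle its own `errors.NotFound` paths: the first `except ... pass` leaves `definitions_managed_entries` unbound when the legacy cn=config container is absent (every fresh install), so the following `for` raises `NameError`, and inside the template loop a missing template leaves `template` either unbound or, worse, bound to the previous iteration's entry, which is then queued for a second add and delete. When a template is not under `cn=etc,$SUFFIX` the `.replace()` leaves the DN unchanged, so the add and the `deleteentry` are written under the same dict key and only the delete survives — run as Directory Manager, that silently removes a site's custom template. The `str(entry).replace(': ', ':')` rewrite also touches attribute values (mepMappedAttr values such as `cn: $$cn`, and any `::` base64 markers), so whether the update parser and the plugin still read them correctly is something to confirm rather than assume. The rewrite below returns early when there is nothing to migrate, skips templates it cannot find or cannot move, and never queues two operations under one DN; the enclosing class starts outside the hunk.
```python
    def __update_managed_entries(self):
        """Queue updates that move legacy Managed Entries definitions from
        cn=config and their templates from cn=etc into the new replicated
        cn=Managed Entries container.  Returns a list of per-entry update
        dicts (an add under the new DN plus a delete of the old DN)."""

        # … unchanged: suffix, container and sub[] setup …
        new_managed_entries = []
        old_templates = []
        try:
            definitions_managed_entries = self.conn.getList(old_definition_container, ldap.SCOPE_ONELEVEL, searchfilter, [])
        except errors.NotFound:
            # Nothing under cn=config: fresh install or already migrated.
            return new_managed_entries
        for entry in definitions_managed_entries:
            old_template = entry.getValue('managedtemplate')
            if old_template is None:
                # A definition without a template cannot be migrated safely.
                continue
            new_dn = entry.dn.replace(old_definition_container, sub[0] + new)
            entry.setValues('managedtemplate', old_template.replace(old_template_container, sub[1] + new))
            updates = {}
            updates[new_dn] = {'dn': new_dn, 'default': str(entry).strip().replace(': ', ':').split('\n')[1:]}
            updates[entry.dn] = {'dn': entry.dn, 'deleteentry': ['dn: %s' % entry.dn]}
            old_templates.append(old_template)
            new_managed_entries.append(updates)
        for old_template in old_templates:
            try:
                template = self.conn.getEntry(old_template, ldap.SCOPE_BASE, searchfilter, [])
            except errors.NotFound:
                continue
            new_dn = template.dn.replace(old_template_container, sub[1] + new)
            if new_dn == template.dn:
                # Not under cn=etc: an add and a delete keyed on the same DN
                # would leave only the delete, so keep the template in place.
                continue
            updates = {}
            updates[new_dn] = {'dn': new_dn, 'default': str(template).strip().replace(': ', ':').split('\n')[1:]}
            updates[template.dn] = {'dn': template.dn, 'deleteentry': ['dn: %s' % template.dn]}
            new_managed_entries.append(updates)

        return new_managed_entries
```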
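Review bot: `managed_entry_dns` is a list of two-element lists (one add DN and one delete DN per migrated entry), and the loop stores each inner list as a single `dn_list` value; if `parse_update_file` (outside this hunk) records one DN string per index, the length-ordered application described by the comment that follows would sort these entries on list length rather than DN length, and a lookup of `all_updates` by that value could not match a string key. Flatten before indexing: `managed_entry_dns = [m[entry]['dn'] for m in managed_entries for entry in m]`. Also, `all_updates.update(managed_entry)` silently replaces whatever the update files parsed for the same DN — the migrated `cn=UPG Definition,cn=Definitions,…` collides with the entry from 20-user_private_groups.update — so if keeping the site's existing definition over the shipped default is intentional, say so: `# Migrated entries take precedence over the defaults shipped in the update files`. The enclosing method starts and ends outside the hunk.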