From 54080f46b02c04706021a6cd419f5b30d88d2b7b Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mar 06 2013 15:08:20 +0000
Subject: Remove disabled entries from sudoers compat tree.

The removal is triggered by generating an invalid RDN when ipaEnabledFlag of the original entry is FALSE.
https://fedorahosted.org/freeipa/ticket/3437
---
diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif
index a93b327..40b9611 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -70,7 +70,7 @@ add:cn: sudoers
 add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX'
 add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX'
 add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
-add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
 add:schema-compat-entry-attribute: objectclass=sudoRole
 add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
 add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 9835bb8..e65e67a 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -1,5 +1,7 @@
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
 replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
+
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
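Review bot: The new `schema-compat-entry-rdn` value in schema_compat.uldif is written without single quotes, while the same expression in 10-schema_compat.update and the neighbouring `sudoUser=%ifeq(...)` attributes in this hunk are quoted. The value contains commas and spaces, so if the update parser treats commas in unquoted values as separators (not visible here, worth confirming), a fresh install could get a different RDN template than an upgraded server. I would write it as `add:schema-compat-entry-rdn: '%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'` so both paths configure the same rule. The sudoers entry begins above the hunk.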
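Review bot: The added `only:` line in 10-schema_compat.update has no comment saying that `DISABLED` is deliberately not a valid RDN and that the entry is meant to be dropped for that reason. The file already uses `#` comments, so a line such as `# "DISABLED" is intentionally an invalid RDN: rules with ipaEnabledFlag=FALSE are left out of ou=SUDOers (ticket 3437)` next to it would keep a later cleanup from "correcting" the value. This hunk does not touch the search filter on upgraded servers, so the exclusion there appears to rest on this RDN behaviour alone. A disabled rule that stays published keeps granting sudo rights to clients that read the compat tree, so a post-upgrade check that disabled rules are absent from it would be worth adding.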