As an admin, I want to deploy FreeIPA with a fixed set of schema changes in an automated way that does not require restarting FreeIPA or dirsrv.
I am trying to add a schema change to the installation of FreeIPA, but the processing order is random (not alphabetical, as one would expect). Furthermore, combining the two schema changes into one file results in only the first part being read and the rest ignored.
When the files are split, the second portion gets processed and errors because it depends on the first one. When they are combined, only the first part is read in.
/usr/share/ipa/schema.d/*.ldif files are read in order, OR all parts of an LDIF file can be processed.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64
pki-ca-10.4.1-17.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64
I am deploying with freeipa-container, but that should have no impact on the ability to reproduce this bug.
I tried adding an unrelated extra change to the combined LDIF file to see if it worked:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
It didn't apply when placed after the other two rules.
Attachments:
install-log.txt: /freeipa/issue/raw/files/8a51ee7723e4256283710ce196ab92db2137ebb33eb01dcb0d52bac740448c62-install-log.txt
90tacacs.ldif: /freeipa/issue/raw/files/eeaadeb8bc5d5ff561d7d21538833fdab82e359d45ffac605bb21f0763f7a2e1-90tacacs.ldif
You are using incorrect syntax in the schema file, thus it is failing to apply. See, for example, install/share/60basev3.ldif for inspiration. There should just be definitions under dn: cn=schema for attributeTypes and objectClasses.
You can look at a working external plugin I maintain at https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/schema.d/75-deskprofile.ldif
Thanks! I was just misunderstanding LDIF format and how to appropriately use it.
What about the file order issue?
That's a valid issue. There is a missing f.sort() in get_all_external_schema_files() in the ipaserver/install/dsinstance.py -- similar to f.sort() in get_all_files() in ipaserver/install/ldapupdate.py.
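The two points raised in this thread, the expected shape of a schema.d LDIF file (a single dn: cn=schema record carrying only attributeTypes and objectClasses, no changetype records) and the need to sort the file list before applying it, can be checked with a small script. The following is an added example written for this page; it is not FreeIPA's own code and does not reproduce the project's get_all_external_schema_files(). The function names list_schema_files(), parse_ldif_records(), check_schema_ldif() and demo_ordering(), the OIDs under 1.3.6.1.4.1.99999 and the file names used in the ordering demo are constructed for illustration.

```python
import fnmatch
import os
import tempfile

SCHEMA_DN = "cn=schema"
# Only these attribute types belong in a schema.d file (case-insensitive).
ALLOWED_ATTRS = {"attributetypes", "objectclasses"}


def list_schema_files(root):
    """Return every *.ldif under root in a deterministic order.

    os.walk() hands back directory entries in whatever order the filesystem
    returns them, which is not guaranteed to be alphabetical. Sorting the
    list is what makes a 60*.ldif file reliably load before a 90*.ldif that
    depends on it (the missing f.sort() discussed above).
    """
    found = []
    for path, _subdirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name, "*.ldif"):
                found.append(os.path.join(path, name))
    found.sort()
    return found


def parse_ldif_records(text):
    """Minimal LDIF reader: unfold continuation lines, skip comments and
    split on blank lines. Returns a list of records, each a list of
    (attribute, value) pairs in file order."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    records, record = [], []
    for line in lines + [""]:  # trailing "" flushes the last record
        if line == "":
            if record:
                records.append(record)
                record = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        record.append((attr.strip(), value.strip()))
    return records


def check_schema_ldif(text):
    """Return a list of problems; an empty list means the text is a plain
    schema LDIF: exactly one record, dn: cn=schema, containing only
    attributeTypes / objectClasses and no changetype directives."""
    problems = []
    records = parse_ldif_records(text)
    if len(records) != 1:
        problems.append("expected exactly one record, found %d" % len(records))
    for record in records:
        if not record or record[0][0].lower() != "dn":
            problems.append("record does not start with dn:")
            continue
        dn = record[0][1]
        if dn.lower() != SCHEMA_DN:
            problems.append("unexpected dn %r (expected cn=schema)" % dn)
        for attr, _value in record[1:]:
            if attr.lower() == "changetype":
                problems.append("changetype directive is not a schema definition")
            elif attr.lower() not in ALLOWED_ATTRS:
                problems.append("unexpected attribute %r" % attr)
    return problems


# Constructed sample: a well-formed schema.d file (placeholder OIDs).
GOOD_LDIF = (
    "dn: cn=schema\n"
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constructed example'"
    " EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'example' )\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleClass' DESC 'constructed example'"
    " SUP top AUXILIARY MAY exampleAttr X-ORIGIN 'example' )\n"
)

# Constructed sample: a schema record followed by a cn=config modify record,
# the kind of combined file the reporter tried; the second record is not
# schema and a schema loader will not apply it.
BAD_LDIF = (
    "dn: cn=schema\n"
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
    "\n"
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace: nsslapd-allow-anonymous-access\n"
    "nsslapd-allow-anonymous-access: off\n"
)


def demo_ordering():
    """Create three constructed schema files and return the order in which
    list_schema_files() would apply them (basenames only)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("90tacacs.ldif", "60basev3.ldif", "75-deskprofile.ldif"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(GOOD_LDIF)
        return [os.path.basename(p) for p in list_schema_files(tmp)]


if __name__ == "__main__":
    print("good file problems:", check_schema_ldif(GOOD_LDIF))
    print("bad file problems:", check_schema_ldif(BAD_LDIF))
    print("load order:", demo_ordering())
```

Running check_schema_ldif() over each file in a schema.d directory before installation catches the two failure modes from the report early: a file with more than one record (or any changetype line) is flagged rather than silently truncated to its first record, and list_schema_files() gives the 60/75/90 ordering the numeric prefixes were meant to encode.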
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1439
Metadata Update from @cheimes: - Issue assigned to cheimes
Metadata Update from @cheimes: - Issue set to the milestone: FreeIPA 4.6.3
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)