#7338 FreeIPA server install/upgrade does not process schema.d/ files correctly
Closed: fixed 6 years ago. Opened 6 years ago by mmosesohn.

Request for enhancement

As an admin, I want to deploy FreeIPA with a fixed set of schema changes in an automated way that does not require restarting FreeIPA or dirsrv.

Issue

I am trying to add a schema change to the installation of FreeIPA, but the processing order is random (not alphabetical, as one would expect). Furthermore, combining the two schema changes into one file results in only the first part being read and the rest ignored.

Steps to Reproduce

  1. Add 90tacacs.ldif to /usr/share/ipa/schema.d/ (attached)
  2. Run ipa-server-install as necessary
  3. grep -R tacacs /etc/dirsrv

Actual behavior

When the files are split, the second portion gets processed and errors because it depends on the first one. When they are combined, only the first part is read in.

Expected behavior

/usr/share/ipa/schema.d/*.ldif files are read in order OR can process all parts of an LDIF file.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64
pki-ca-10.4.1-17.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64

Additional info:

I am deploying with freeipa-container, but that should have no impact on the ability to reproduce this bug.

I tried adding an unrelated extra change to the combined LDIF file to see if it worked:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

It didn't apply when placed after the other two rules.


You are using incorrect syntax in the schema file, thus it is failing to apply. See, for example, install/share/60basev3.ldif for inspiration. There should just be definitions under dn: cn=schema for attributeTypes and objectClasses.

You can look at a working external plugin I maintain at https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/schema.d/75-deskprofile.ldif

Thanks! I was just misunderstanding LDIF format and how to appropriately use it.

What about the file order issue?

That's a valid issue. There is a missing f.sort() in get_all_external_schema_files() in the ipaserver/install/dsinstance.py -- similar to f.sort() in get_all_files() in ipaserver/install/ldapupdate.py.
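The two points raised in this thread, deterministic ordering of the schema.d/ files and the expected shape of a schema LDIF (one record under dn: cn=schema holding only attributeTypes and objectClasses lines), are illustrated together in the added example below. This is not FreeIPA's own code; the real fix (commit dc4109c) only adds the sort to get_all_external_schema_files() in ipaserver/install/dsinstance.py. The parser, the check_schema_ldif() validator, the demo() helper, the file names other than those already in the ticket and the 1.3.6.1.4.1.99999 OIDs are all constructed for illustration.

```python
"""Sorted discovery and structural validation of schema.d-style LDIF files.

Added example, not FreeIPA's own code. The file list sort mirrors the fix
described in the ticket; everything else is an illustrative assumption.
"""
import os
import tempfile

SCHEMA_DN = "cn=schema"
# Attributes a schema.d file is expected to carry under dn: cn=schema.
SCHEMA_ATTRS = {"attributetypes", "objectclasses"}


def get_all_external_schema_files(schema_dir):
    """Return the *.ldif files in schema_dir in deterministic, sorted order.

    os.listdir() returns entries in arbitrary, filesystem-dependent order;
    without the sort, a file whose objectClasses reference attributeTypes
    defined in a lower-numbered file may be loaded first and fail.
    """
    files = [f for f in os.listdir(schema_dir) if f.endswith(".ldif")]
    files.sort()  # the line the ticket says was missing
    return [os.path.join(schema_dir, f) for f in files]


def parse_ldif(text):
    """Minimal LDIF parser (assumption, not FreeIPA's loader).

    Returns a list of records, each a dict mapping the lower-cased attribute
    name to a list of values. Handles continuation lines (leading space),
    '#' comments and blank-line record separators. Base64 ('::') values are
    left undecoded, which is sufficient for schema definition files.
    """
    records, current, lines = [], {}, []
    for raw in text.splitlines():          # fold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:              # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def check_schema_ldif(text):
    """Return a list of problems; empty when the file has the shape the
    maintainers describe: exactly one record, dn: cn=schema, carrying only
    attributeTypes/objectClasses lines and no changetype operation."""
    problems = []
    records = parse_ldif(text)
    if len(records) != 1:
        problems.append("expected exactly one record, found %d" % len(records))
    for idx, rec in enumerate(records):
        dn = rec.get("dn", [""])[0]
        if dn.lower() != SCHEMA_DN:
            problems.append("record %d: dn is %r, expected %r" % (idx, dn, SCHEMA_DN))
        if "changetype" in rec:
            problems.append("record %d: 'changetype' is a modify operation, "
                            "not a schema definition" % idx)
        extra = set(rec) - SCHEMA_ATTRS - {"dn"}
        if extra:
            problems.append("record %d: unexpected attributes %s" % (idx, sorted(extra)))
    return problems


# Constructed sample: a well-formed schema file (placeholder OIDs).
GOOD = """dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constructed'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleClass' SUP top AUXILIARY
  MAY ( exampleAttr ) )
"""

# Constructed sample: the ticket's mistake, a cn=config modify appended to the schema.
BAD = GOOD + """
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
"""


def demo():
    """Build a constructed schema.d directory and exercise both functions."""
    with tempfile.TemporaryDirectory() as d:
        # Written deliberately out of order; listdir order is unspecified anyway.
        for name in ("90tacacs.ldif", "75-deskprofile.ldif", "80-constructed.ldif", "README"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(GOOD)
        ordered = [os.path.basename(p) for p in get_all_external_schema_files(d)]
    return ordered, check_schema_ldif(GOOD), check_schema_ldif(BAD)


if __name__ == "__main__":
    order, good_problems, bad_problems = demo()
    print("load order:", order)
    print("GOOD problems:", good_problems)
    print("BAD problems:", bad_problems)
```

Running the block prints the three files in numeric-prefix order regardless of how the filesystem enumerates them, no findings for the well-formed file, and several findings for the combined file (a second record, a dn that is not cn=schema, and a changetype line), which is the condition the first reply diagnoses.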

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1439

6 years ago

Metadata Update from @cheimes:
- Issue assigned to cheimes

6 years ago

Metadata Update from @cheimes:
- Issue set to the milestone: FreeIPA 4.6.3

6 years ago

master:

  • dc4109c Sort external schema files

ipa-4-6:

  • 23b1ae6 Sort external schema files

ipa-4-5:

  • e8a0373 Sort external schema files

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
