Uniqueness plugin enforces uid to be unique in cn=accounts. However, for ID views we need to be able to rewrite uid attribute for overrides. At the same time, we want to still enforce uniqueness of uid for any record outside staging area, including system accounts (which are outside cn=accounts as well).
A possible solution is to force uniqueness plugin to work again on $SUFFIX and limit it by specifying limiting object class, like posixAccount.
Unfortunately, current configuration for uniqueness plugin is wrong:
    dn: cn=attribute uniqueness,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: attribute uniqueness
    nsslapd-pluginPath: libattr-unique-plugin
    nsslapd-pluginInitfunc: NSUniqueAttr_Init
    nsslapd-pluginType: betxnpreoperation
    nsslapd-pluginEnabled: on
    uniqueness-attribute-name: uid
    uniqueness-subtrees: dc=ipacloud,dc=test
    uniqueness-across-all-subtrees: off
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: NSUniqueAttr
    nsslapd-pluginVersion: 1.3.3.3
    nsslapd-pluginVendor: 389 Project
    nsslapd-pluginDescription: Enforce unique attribute values
    nsslapd-pluginarg1: cn=accounts,dc=ipacloud,dc=test
    nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,dc=ipacloud,dc=test
    modifiersName: cn=directory manager
    modifyTimestamp: 20141001151452Z
If any of pluginarg* is set, new style of configuration is ignored.
We need to implement an updater plugin that changes uniqueness plugin configuration into a correct one:
One more issue is that uniqueness plugin has no way to exclude subtrees. If $SUFFIX is used in the configuration, we need to exclude staged area and compat trees instead of explicitly mentioning all the other subtrees.
Adding just the restriction to apply only on objects that have objectclass: posixAccount may be sufficient for our needs.
Wasn't the Uniqueness plugin configuration updated by Thierry for the User Life Cycle scenario? So that uniqueness plugin is not run for staged users?
If this is the case, it would be best to update Uniqueness plugin to be able to accept excluded tree as other plugins.
Primary goal of this ticket is to get uniqueness plugin out of the way for ID views.
The configuration of Uniqueness plugins supported several subtrees, but the uniqueness was enforced on each separate subtree. The fix https://fedorahosted.org/389/ticket/47823 allows enforcing uniqueness on all the defined subtrees with 'uniqueness-across-all-subtrees: on'.
In addition, this ticket introduced a new configuration style (rather than arg0, arg1..). Old style is still supported (but cannot benefit from 'uniqueness-across-all-subtrees'). New style cannot be mixed with old style. That is one of the issues reported here.
Uniqueness plugin does not support exclusion of subtree (https://fedorahosted.org/389/ticket/47927)
renaming the bug to reflect what is the problem
Required for ID Views.
This is part of View feature and is required for it. Moving to the release.
master:
ipa-4-1:
Metadata Update from @abbra: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.1
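The mixed-style problem discussed in this ticket (old-style nsslapd-pluginarg* values causing the new-style uniqueness-* attributes to be ignored) can be checked mechanically. The following is an added example, not the FreeIPA updater plugin or any project code: it parses a plugin entry, reports which new-style attributes are being ignored, and builds an LDIF modify that removes the old-style arguments, on the assumption that dropping them is the desired correction. The function names and the trimmed sample entry are constructed for illustration.

```python
import re

# Constructed sample trimmed from the entry quoted in the ticket; the folded
# last value exercises LDIF continuation-line handling.
SAMPLE = """\
dn: cn=attribute uniqueness,cn=plugins,cn=config
cn: attribute uniqueness
nsslapd-pluginEnabled: on
uniqueness-attribute-name: uid
uniqueness-subtrees: dc=ipacloud,dc=test
uniqueness-across-all-subtrees: off
nsslapd-pluginarg1: cn=accounts,dc=ipacloud,dc=test
nsslapd-pluginarg2: cn=deleted users,cn=accounts,cn=provisioning,dc=ipacloud,d
 c=test
"""

OLD_STYLE = re.compile(r"^nsslapd-pluginarg\d+$", re.IGNORECASE)
NEW_STYLE = re.compile(r"^uniqueness-", re.IGNORECASE)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]} (base64 '::' values not decoded)."""
    # A line starting with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def audit(entry):
    """Return old-style args and the new-style attributes they cause to be ignored."""
    old = sorted(a for a in entry if OLD_STYLE.match(a))
    new = sorted(a for a in entry if NEW_STYLE.match(a))
    return {"old_style": old, "ignored_new_style": new if old else []}


def removal_ldif(entry):
    """Build an LDIF modify that deletes every old-style argument ('' if none)."""
    old = audit(entry)["old_style"]
    if not old:
        return ""
    ops = "\n-\n".join(f"delete: {a}" for a in old)
    return f"dn: {entry['dn'][0]}\nchangetype: modify\n{ops}\n"
```

Review the generated LDIF before applying it: once the old-style arguments are gone, the scope is whatever uniqueness-subtrees says, so that value must already cover the intended subtrees.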