[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Dmitri Pal dpal at redhat.com
Fri Oct 30 20:21:26 UTC 2009


Simo Sorce wrote:
> On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
>   
>> But then you have to update it on all replicas and will definitely
>> forget to do it.
>> Is it really a hassle to have it in the DS?
>>     
>
> Yes it means you have to build a UI to manage that attribute, create it,
> find a place where to store it in the tree etc.. and adds cruft to the
> tree.
>
>   
There are a lot of other things that we put in the cn=config replicate
but do not provide UI.
Admin will just run ldapmodify command for this attribute and this is it.


> A file is a simple drop in and admins can easily change it at any time.
>
> True, if they forget to replicate it on other servers it will get out of
> sync, but it is also easy to fix that if it happens. We can put a
> comment in the template that reminds admins to always replicate it to
> all servers.
>   
Why should it be limited to a server? This IMO will be an artificial
limitation.
Any server can perform migration and replicate the created kerberos keys
so why limit?


> However do you think admins will set it up on all servers ? 
Yes. I do not see "set". Functionality is just there available from any
server.
They do not need to do anything to set it up.

> I was
> thinking they would set up the migration stuff only on one server and
> give out only one server URL, so I don't think we should care about
> replicating it to other servers normally.
>
> Simo.
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

