[Freeipa-devel] [PATCH] 825 add dogtag replication management

Rich Megginson rmeggins at redhat.com
Fri Jul 15 16:09:10 UTC 2011


On 07/15/2011 08:01 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
>>> On 15.7.2011 05:42, Rob Crittenden wrote:
>>>> Add a separate tool for now to do dogtag replication agreement
>>>> management. The syntax is the same for IPA agreements with the exception
>>>> that the DM password is always required and it isn't possible to
>>>> delegate the management of this.
>>>>
>>>> ticket https://fedorahosted.org/freeipa/ticket/1250
>>>>
>>>> rob
>>>>
>>>
>>> NACK
>>>
>>> 'ipa-csreplica-manage list server' doesn't list the peers of the
>>> specified server, but the peers of localhost.
>>>
>>> Connecting an already connected pair of replicas duplicates the replication
>>> information ('ipa-csreplica-manage list server' shows the same hostname
>>> twice).
>>>
>>> There is trailing whitespace on line 87 of the patch.
>>>
>>> BTW I don't understand why it is possible (or necessary?) to be able to
>>> have CS replication topology that is different from the main IPA
>>> replication topology (ipa-csreplica-manage allows you to do that). Is
>>> there a reason for this?
>>>
>>> Honza
>>>
>>
>> And some issues from me:
>>
>> 1) Unhelpful error message when force-syncing from a master without a
>> replication agreement:
>>
>> # ipa-csreplica-manage force-sync --from=HOST
>> Directory Manager password:
>> ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com
>> unexpected error: Unable to proceed
>>
>> 2) Minor stuff in man page:
>>
>> Unindented Exit statuses:
>> EXIT STATUS
>>         0 if the command was successful
>>          1 if an error occurred
>>
>> Missing dot: The default is the machine on which the command is run  Not
>>                honoured by the re-initialize command.
>>
>>
>> Otherwise it looks good.
>>
>> Martin
>>
>
> This should address all the issues raised.
>
> There are several reasons for the different topology:
>
> 1. A given IPA server may not have a CA installed
> 2. Some aspects of ipa-replica-manage can be delegated. We can't delegate
> CS replica management because it is in a different directory server. We
> don't have users stored there so can't map the GSSAPI credentials. So only
> Directory Manager can operate on it for now.
> 3. Flexibility. You may want way more connections for users than for the CA.

+        if starttls:
+            self.conn = ipaldap.IPAdmin(hostname, port=port)
+            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
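Review bot: `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)` is a process-wide default on the `ldap` module, and it is set only after `ipaldap.IPAdmin(hostname, port=port)` has already constructed the connection object, so it is not clearly applied to that connection and it changes the TLS defaults for every other connection opened in the process. Pass the CA certificate to the constructor, as in `ipaldap.IPAdmin(hostname, port=port, cacert=CACERT)`, so the trust anchor is scoped to this connection and in place before any StartTLS happens.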

Why in the starttls case do you not call
ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)?

+            managers = entry.getValues('nsDS5ReplicaBindDN')
+            if replica_binddn not in managers:
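Review bot: `replica_binddn not in managers` is a plain string membership test on the raw `nsDS5ReplicaBindDN` values, so a DN that differs from the stored one only in attribute-type case, value case, or whitespace after the commas is reported as missing even though the directory treats the two as the same DN. Normalize both sides before comparing (the dn.py code, or at least parse the RDNs and case-fold them); as written the check reports a missing manager for a DN that is already present.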

You might want to use the dn.py code, or at least normalize the DNs in
managers before comparing.

+        if master is None:
+            entry.setValues('nsds5replicaupdateschedule', '0000-2359 
0123456')
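Review bot: `'0000-2359 0123456'` is the always-on schedule (every minute of every day of the week), which is the behaviour an agreement already has when `nsds5replicaupdateschedule` is absent, so the `master is None` branch only adds an attribute that has to be maintained; drop the `setValues` call and leave the attribute unset. The string literal also appears split across two lines here, so check that the committed line is intact.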

You should just omit nsds5replicaupdateschedule

suggest using the dn.py code in the new csreplica manage script
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
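Rich's point about normalizing the DNs in managers before the membership test, as an added example that is not part of the patch or of FreeIPA: a deliberately simplified DN normalizer (not RFC 4514-complete; the helpers normalize_dn, has_manager, naive_has_manager and the sample values are my own constructions) showing why the raw `replica_binddn not in managers` test misses a DN that differs only in case or spacing, and what the check looks like once both sides are normalized. It assumes DN-syntax values match case-insensitively, which is what the replication-manager check cares about; in the real tool the ipalib DN class Rich refers to (dn.py) should be used instead of this helper.

```python
# Added example, not FreeIPA code. A small DN normalizer to contrast the
# raw string membership test in the patch with a comparison of normalized
# DNs. Handles attribute-type case, value case, whitespace around
# separators, backslash-escaped separators and multi-valued RDNs; it is
# NOT a full RFC 4514 parser (assumption: DN values compare
# case-insensitively, as DN syntax does in 389 DS).


def _split_unescaped(s, sep):
    """Split s on sep, honouring backslash escapes: 'a\\,b,c' -> ['a\\,b', 'c']."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def normalize_dn(dn):
    """Return a canonical string form of dn suitable for equality tests.

    - attribute types lower-cased
    - whitespace around '=', ',' and '+' removed
    - attribute values lower-cased (simplification, see module comment)
    - AVAs inside a multi-valued RDN sorted, so 'a=1+b=2' == 'b=2+a=1'
    """
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise ValueError('malformed RDN: %r' % ava)
            typ, val = ava.split('=', 1)
            avas.append('%s=%s' % (typ.strip().lower(), val.strip().lower()))
        rdns.append('+'.join(sorted(avas)))
    return ','.join(rdns)


def naive_has_manager(managers, bind_dn):
    """The test as written in the patch: raw string membership."""
    return bind_dn in managers


def has_manager(managers, bind_dn):
    """The same test after normalizing both sides."""
    target = normalize_dn(bind_dn)
    return any(normalize_dn(m) == target for m in managers)


if __name__ == '__main__':
    # Constructed sample: one value as nsDS5ReplicaBindDN might hold it on
    # the replica entry, and the same DN as a different tool might spell it.
    managers = ['cn=replication manager,cn=config']
    bind_dn = 'CN=Replication Manager, CN=config'
    print('naive:     ', naive_has_manager(managers, bind_dn))  # False
    print('normalized:', has_manager(managers, bind_dn))        # True
```

With the raw test the second spelling is reported as not present, which is the path that leads to the same manager DN being added again; after normalization the two are recognized as one DN, and a genuinely different DN (say `cn=other,cn=config`) is still reported as absent.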
