[Freeipa-devel] [PATCH] 825 add dogtag replication management
Rich Megginson
rmeggins at redhat.com
Fri Jul 15 16:09:10 UTC 2011
On 07/15/2011 08:01 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
>>> On 15.7.2011 05:42, Rob Crittenden wrote:
>>>> Add a separate tool for now to do dogtag replication agreement
>>>> management. The syntax is the same as for IPA agreements, with the
>>>> exception that the DM password is always required and it isn't
>>>> possible to delegate the management of this.
>>>>
>>>> ticket https://fedorahosted.org/freeipa/ticket/1250
>>>>
>>>> rob
>>>>
>>>
>>> NACK
>>>
>>> 'ipa-csreplica-manage list server' doesn't list the peers of the
>>> specified server, but the peers of localhost.
>>>
>>> Connecting already connected pair of replicas duplicates the
>>> replication
>>> information ('ipa-csreplica-manage list server' shows the same hostname
>>> twice).
>>>
>>> There is trailing whitespace on line 87 of the patch.
>>>
>>> BTW I don't understand why it is possible (or necessary?) to be able to
>>> have a CS replication topology that is different from the main IPA
>>> replication topology (ipa-csreplica-manage allows you to do that). Is
>>> there a reason for this?
>>>
>>> Honza
>>>
>>
>> And some issues from me:
>>
>> 1) Unhelpful error message when force-syncing from a master without a
>> replication agreement:
>>
>> # ipa-csreplica-manage force-sync --from=HOST
>> Directory Manager password:
>> ipa: ERROR: Unable to find replication agreement for
>> vm-060.idm.lab.bos.redhat.com
>> unexpected error: Unable to proceed
>>
>> 2) Minor stuff in man page:
>>
>> Unindented Exit statuses:
>> EXIT STATUS
>> 0 if the command was successful
>> 1 if an error occurred
>>
>> Missing dot: The default is the machine on which the command is run Not
>> honoured by the re-initialize command.
>>
>>
>> Otherwise it looks good.
>>
>> Martin
>>
>
> This should address all the issues raised.
>
> There are several reasons for the different topology:
>
> 1. A given IPA server may not have a CA installed
> 2. Some aspects of ipa-replica-manage can be delegated. We can't
> delegate CS replica management because it is in a different directory
> server. We don't have users stored there so can't map the GSSAPI
> credentials. So only Directory Manager can operate on it for now.
> 3. Flexibility. You may want way more connections for users than for
> the CA.
+ if starttls:
+ self.conn = ipaldap.IPAdmin(hostname, port=port)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
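Review bot: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) is a process-global libldap setting, and here it is issued after the IPAdmin connection object has already been created; confirm that ordering actually takes effect for this handle rather than only for handles created later, and that the caller really issues start_tls_s() before the Directory Manager bind, since none of these three lines does and a plain-port bind would send the DM password in the clear. Scoping the CA certificate to the connection removes the ordering question.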
Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
port=PORT, cacert=CACERT) ?
+ managers = entry.getValues('nsDS5ReplicaBindDN')
+ if replica_binddn not in managers:
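Review bot: `replica_binddn not in managers` is a plain string comparison, so a value that differs only in attribute-type case or in spacing after a comma (`CN=Replication Manager, CN=config` versus `cn=replication manager,cn=config`) is treated as a different manager and gets added again, leaving a duplicate nsDS5ReplicaBindDN value on the replica entry. Normalize both sides as DNs before the membership test, and guard the case where the attribute is absent (`managers = entry.getValues('nsDS5ReplicaBindDN') or []`), since `not in None` raises TypeError instead of reporting a missing manager.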
You might want to use the dn.py code, or at least normalize the DNs in
managers before comparing
+ if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '0000-2359
0123456')
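Review bot: '0000-2359 0123456' is the always-on schedule, which is also how the server behaves when nsds5replicaupdateschedule is absent, so setting it in the `master is None` branch changes nothing and the branch can be dropped. The literal also appears wrapped across two lines in this mail; make sure it is a single string in the patch itself.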
You should just omit nsds5replicaupdateschedule
suggest using the dn.py code in the new csreplica manage script
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
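Rich's point about normalizing DNs before the `replica_binddn not in managers` test, worked through as an added example. This is not FreeIPA's dn.py and not python-ldap code; it is a small self-contained normalizer written for this note. The set of case-ignore attribute types, the helper names and the sample nsDS5ReplicaBindDN values are assumptions constructed for the example, and the legacy double-quoted value form of RFC 2253 is deliberately not handled.

```python
"""Normalize LDAP DNs before testing membership in a multi-valued attribute.

Added example, not FreeIPA's dn.py or python-ldap. A plain string comparison
such as `replica_binddn not in managers` misses harmless differences (type
case, value case for case-ignore attributes, spaces after commas, AVA order
in a multi-valued RDN), so the tool would add a second nsDS5ReplicaBindDN
value for a manager that is already present.
"""
import re

# Attribute types compared with a case-ignoring matching rule in the standard
# schema (RFC 4519). Assumed set for this example; extend from the server's
# schema for other types. Everything else is compared case-exactly.
CASE_IGNORE_TYPES = {"cn", "sn", "ou", "o", "dc", "uid"}


def _split_unescaped(s, sep):
    """Split s on sep, skipping occurrences escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep the escape pair verbatim
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _strip_unescaped(s):
    """Drop insignificant leading/trailing spaces but keep an escaped '\\ '."""
    s = s.lstrip(" ")
    while s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1]
    return s


def _normalize_ava(ava):
    """Normalize one attribute=value pair of an RDN."""
    attr, *rest = _split_unescaped(ava, "=")
    if not rest:
        raise ValueError("AVA without '=': %r" % ava)
    attr = _strip_unescaped(attr).lower()
    value = _strip_unescaped("=".join(rest))
    value = re.sub(r" {2,}", " ", value)        # collapse internal space runs
    if attr in CASE_IGNORE_TYPES:
        value = value.lower()
    return "%s=%s" % (attr, value)


def normalize_dn(dn):
    """Return a canonical string form of dn (RFC 4514 backslash escaping)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        # AVAs of a multi-valued RDN are unordered, so sort them.
        avas = sorted(_normalize_ava(a) for a in _split_unescaped(rdn, "+"))
        rdns.append("+".join(avas))
    return ",".join(rdns)


def is_bind_dn_listed(managers, replica_binddn):
    """True if replica_binddn is already among the nsDS5ReplicaBindDN values.

    managers may be None (attribute absent on the entry), a single string or a
    list of strings; the membership test in the hunk assumes a list and would
    raise TypeError on None.
    """
    if managers is None:
        return False
    if isinstance(managers, str):
        managers = [managers]
    wanted = normalize_dn(replica_binddn)
    return any(normalize_dn(m) == wanted for m in managers)


if __name__ == "__main__":
    # Constructed sample: values as a cn=replica entry might return them.
    existing = ["CN=Replication Manager, CN=config"]
    print(is_bind_dn_listed(existing, "cn=replication manager,cn=config"))  # True
    print(is_bind_dn_listed(None, "cn=replication manager,cn=config"))      # False
```

The naive `in` test returns False for the first sample above because the stored value differs in case and spacing, which is exactly how a repeated `connect` ends up listing the same manager twice; normalizing both sides first gives the answer the check was written to produce.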