[Freeipa-devel] [PATCH] 825 add dogtag replication management

Fri Jul 15 19:24:16 UTC 2011

Rich Megginson wrote:
> On 07/15/2011 10:57 AM, Rob Crittenden wrote:
>> Rich Megginson wrote:
>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote:
>>>>>>> Add a separate tool for now to do dogtag replication agreement
>>>>>>> management. The syntax is the same for IPA agreements with the
>>>>>>> exception
>>>>>>> that the DM password is always required and it isn't possible to
>>>>>>> delegate the management of this.
>>>>>>>
>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>
>>>>>> NACK
>>>>>>
>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the
>>>>>> specified server, but the peers of localhost.
>>>>>>
>>>>>> Connecting already connected pair of replicas duplicates the
>>>>>> replication
>>>>>> information ('ipa-csreplica-manage list server' shows the same
>>>>>> hostname
>>>>>> twice).
>>>>>>
>>>>>> There is trailing whitespace on line 87 of the patch.
>>>>>>
>>>>>> BTW I don't understand why is it possible (or necessary?) to be
>>>>>> able to
>>>>>> have CS replication topology that is different from the main IPA
>>>>>> replication topology (ipa-csreplica-manage allows you to do that). Is
>>>>>> there a reason for this?
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>> And some issues from me:
>>>>>
>>>>> 1) Unhelpful error message when force-syncing from a master without a
>>>>> replication agreement:
>>>>>
>>>>> # ipa-csreplica-manage force-sync --from=HOST
>>>>> Directory Manager password:
>>>>> ipa: ERROR: Unable to find replication agreement for
>>>>> vm-060.idm.lab.bos.redhat.com
>>>>> unexpected error: Unable to proceed
>>>>>
>>>>> 2) Minor stuff in man page:
>>>>>
>>>>> Unindented Exit statuses:
>>>>> EXIT STATUS
>>>>> 0 if the command was successful
>>>>> 1 if an error occurred
>>>>>
>>>>> Missing dot: The default is the machine on which the command is run
>>>>> Not
>>>>> honoured by the re-initialize command.
>>>>>
>>>>>
>>>>> Otherwise it looks good.
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> This should address all the issues raised.
>>>>
>>>> The reason for different topology has several reasons:
>>>>
>>>> 1. A given IPA server may not have a CA installed
>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't
>>>> delegate CS replica management because it is in a different directory
>>>> server. We don't have users stored there so can't map the GSSAPI
>>>> credentials. So only Directory Manager can operate on it for now.
>>>> 3. Flexibility. You may want way more connections for users than for
>>>> the CA.
>>>
>>> + if starttls:
>>> + self.conn = ipaldap.IPAdmin(hostname, port=port)
>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
>>>
>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
>>> port=PORT, cacert=CACERT) ?
>>
>> Because the port is the non-secure port and opening an SSL connection
>> to it failed.
> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.
>>
>>>
>>> + managers = entry.getValues('nsDS5ReplicaBindDN')
>>> + if replica_binddn not in managers:
>>>
>>> You might want to use the dn.py code, or at least normalize the DNs in
>>> managers before comparing
>>
>> That's a good idea.
>>
>>>
>>> + if master is None:
>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359
>>> 0123456')
>>>
>>> You should just omit nsds5replicaupdateschedule
>>
>> It failed with an operations erorr when I tried removing the attribute
>> either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing.
>> I assume this is another attribute in cn=config that once set cannot
>> be undone.
> Right. Ok. When you add the agreement entry, you can just omit it. But
> if you are trying to modify an existing agreement entry, you can't
> MOD_DELETE it or MOD_REPLACE with an empty value.

Ok, good point about normalizing, updated patch attached.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-825-3-replicamanage.patch
Type: text/x-diff
Size: 33708 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110715/ff1a5177/attachment.bin>