[Freeipa-devel] [PATCH] 825 add dogtag replication management

Rob Crittenden rcritten at redhat.com
Mon Jul 18 15:34:22 UTC 2011 

Jan Cholasta wrote:
> On 15.7.2011 21:24, Rob Crittenden wrote:
>> Rich Megginson wrote:
>>> On 07/15/2011 10:57 AM, Rob Crittenden wrote:
>>>> Rich Megginson wrote:
>>>>> On 07/15/2011 08:01 AM, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
>>>>>>>> On 15.7.2011 05:42, Rob Crittenden wrote:
>>>>>>>>> Add a separate tool for now to do dogtag replication agreement
>>>>>>>>> management. The syntax is the same for IPA agreements with the
>>>>>>>>> exception
>>>>>>>>> that the DM password is always required and it isn't possible to
>>>>>>>>> delegate the management of this.
>>>>>>>>>
>>>>>>>>> ticket https://fedorahosted.org/freeipa/ticket/1250
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>
>>>>>>>> NACK
>>>>>>>>
>>>>>>>> 'ipa-csreplica-manage list server' doesn't list the peers of the
>>>>>>>> specified server, but the peers of localhost.
>>>>>>>>
>>>>>>>> Connecting already connected pair of replicas duplicates the
>>>>>>>> replication
>>>>>>>> information ('ipa-csreplica-manage list server' shows the same
>>>>>>>> hostname
>>>>>>>> twice).
>>>>>>>>
>>>>>>>> There is trailing whitespace on line 87 of the patch.
>>>>>>>>
>>>>>>>> BTW I don't understand why is it possible (or necessary?) to be
>>>>>>>> able to
>>>>>>>> have CS replication topology that is different from the main IPA
>>>>>>>> replication topology (ipa-csreplica-manage allows you to do
>>>>>>>> that). Is
>>>>>>>> there a reason for this?
>>>>>>>>
>>>>>>>> Honza
>>>>>>>>
>>>>>>>
>>>>>>> And some issues from me:
>>>>>>>
>>>>>>> 1) Unhelpful error message when force-syncing from a master
>>>>>>> without a
>>>>>>> replication agreement:
>>>>>>>
>>>>>>> # ipa-csreplica-manage force-sync --from=HOST
>>>>>>> Directory Manager password:
>>>>>>> ipa: ERROR: Unable to find replication agreement for
>>>>>>> vm-060.idm.lab.bos.redhat.com
>>>>>>> unexpected error: Unable to proceed
>>>>>>>
>>>>>>> 2) Minor stuff in man page:
>>>>>>>
>>>>>>> Unindented Exit statuses:
>>>>>>> EXIT STATUS
>>>>>>> 0 if the command was successful
>>>>>>> 1 if an error occurred
>>>>>>>
>>>>>>> Missing dot: The default is the machine on which the command is run
>>>>>>> Not
>>>>>>> honoured by the re-initialize command.
>>>>>>>
>>>>>>>
>>>>>>> Otherwise it looks good.
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> This should address all the issues raised.
>>>>>>
>>>>>> The reason for different topology has several reasons:
>>>>>>
>>>>>> 1. A given IPA server may not have a CA installed
>>>>>> 2. Some aspects of ipa-replica-manage can be delegated. We can't
>>>>>> delegate CS replica management because it is in a different directory
>>>>>> server. We don't have users stored there so can't map the GSSAPI
>>>>>> credentials. So only Directory Manager can operate on it for now.
>>>>>> 3. Flexibility. You may want way more connections for users than for
>>>>>> the CA.
>>>>>
>>>>> + if starttls:
>>>>> + self.conn = ipaldap.IPAdmin(hostname, port=port)
>>>>> + ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
>>>>>
>>>>> Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
>>>>> port=PORT, cacert=CACERT) ?
>>>>
>>>> Because the port is the non-secure port and opening an SSL connection
>>>> to it failed.
>>> Ah, ok. So that tells IPAdmin to use this CACERT and to use ldaps.
>>>>
>>>>>
>>>>> + managers = entry.getValues('nsDS5ReplicaBindDN')
>>>>> + if replica_binddn not in managers:
>>>>>
>>>>> You might want to use the dn.py code, or at least normalize the DNs in
>>>>> managers before comparing
>>>>
>>>> That's a good idea.
>>>>
>>>>>
>>>>> + if master is None:
>>>>> + entry.setValues('nsds5replicaupdateschedule', '0000-2359
>>>>> 0123456')
>>>>>
>>>>> You should just omit nsds5replicaupdateschedule
>>>>
>>>> It failed with an operations erorr when I tried removing the attribute
>>>> either directly with a MOD_DELETE or doing a MOD_REPLACE with nothing.
>>>> I assume this is another attribute in cn=config that once set cannot
>>>> be undone.
>>> Right. Ok. When you add the agreement entry, you can just omit it. But
>>> if you are trying to modify an existing agreement entry, you can't
>>> MOD_DELETE it or MOD_REPLACE with an empty value.
>>
>> Ok, good point about normalizing, updated patch attached.
>>
>> rob
>>
>
> Everything I found is fixed. You might want to take a look at what
> Martin found, though.
>
> Honza
>

Updated patch to use the DN class a bit more.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-825-4-replicamanage.patch
Type: text/x-diff
Size: 35914 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110718/9f871cd8/attachment.bin>

More information about the Freeipa-devel mailing list