[Freeipa-devel] limiting SyncRepl's scope
Petr Spacek
pspacek at redhat.com
Wed Dec 16 07:49:04 UTC 2015
On 15.12.2015 19:10, Christian Heimes wrote:
> Hi,
>
> in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has
> suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes
> vault-archive fails because of a failed write to the Retro Changelog.
> The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967
> for the bind-dyndb-ldap plugin. Otherwise it is not needed under normal
> circumstances because 389 doesn't use SyncRepl for replication. In #3967
> Nathan has expressed his concerns for possible performance issues, too.
>
> Petr, Ludwig,
> would it make sense to restrict RetroCL to cn=dns,$SUFFIX rather than
> excluding o=ipaca? The plugin supports both includes and excludes,
> http://directory.fedoraproject.org/docs/389ds/design/retrocl-scoping.html.
From the IPA DNS perspective it is okay to limit SyncRepl to cn=dns,$SUFFIX.
One other thing to consider is theoretical use of SyncRepl for future versions
of slapi-nis, Alexander can tell you more about it.
In any case, if we decide to limit the scope where SyncRepl is applicable, I would
like to see checks in the SyncRepl plugin which ensure that the error
UNWILLING_TO_PERFORM is returned when somebody attempts to use SyncRepl in a
'wrong' scope.
--
Petr^2 Spacek
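The following is an added illustration of the two points in this thread (scoping the Retro Changelog by include/exclude suffix, and refusing SyncRepl requests outside that scope with UNWILLING_TO_PERFORM); it is example code written for this page, not FreeIPA or 389-ds code. It assumes the Retro Changelog scoping attributes are nsslapd-include-suffix and nsslapd-exclude-suffix as in the linked 389-ds design, that DNs are simple (no escaped commas or multi-valued RDNs), and the policy that a SyncRepl search base is only acceptable when every entry below it is actually recorded in the changelog. The config fragments and suffix are constructed for the example.

```python
"""Retro Changelog scoping and a SyncRepl scope check (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53  # resultCode unwillingToPerform, RFC 4511

SUFFIX = "dc=example,dc=test"  # constructed IPA suffix for the example

# Constructed config fragments for the two options discussed in the thread.
# Attribute names are assumed from the 389-ds retrocl-scoping design.
INCLUDE_DNS_LDIF = f"""dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
nsslapd-include-suffix: cn=dns,{SUFFIX}
"""
EXCLUDE_IPACA_LDIF = """dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
nsslapd-exclude-suffix: o=ipaca
"""


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into lower-cased, trimmed RDN components.
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies below it. Comparison is RDN by RDN,
    so cn=xdns,dc=x is NOT under cn=dns,dc=x (a plain endswith() would be wrong)."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


@dataclass
class RetroCLScope:
    """The include/exclude suffix lists of the Retro Changelog plugin."""
    includes: list[str] = field(default_factory=list)
    excludes: list[str] = field(default_factory=list)

    @classmethod
    def from_ldif(cls, ldif: str) -> RetroCLScope:
        """Pick the scoping attributes out of the plugin's config entry."""
        scope = cls()
        for line in ldif.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            attr, value = attr.strip().lower(), value.strip()
            if attr == "nsslapd-include-suffix":
                scope.includes.append(value)
            elif attr == "nsslapd-exclude-suffix":
                scope.excludes.append(value)
        return scope

    def records(self, dn: str) -> bool:
        """Would a change to this entry be written to the Retro Changelog?
        Excludes always win; with no includes configured everything is recorded."""
        if any(is_under(dn, e) for e in self.excludes):
            return False
        return not self.includes or any(is_under(dn, i) for i in self.includes)

    def syncrepl_result(self, base_dn: str) -> int:
        """The check Petr asks for: accept a SyncRepl search base only if the
        whole subtree below it is recorded. Otherwise return unwillingToPerform
        rather than hand the client a silently incomplete change stream."""
        covered = not self.includes or any(is_under(base_dn, i) for i in self.includes)
        # An exclude above the base removes it; an exclude below the base
        # punches a hole in the requested subtree. Both make the stream incomplete.
        hole = any(is_under(base_dn, e) or is_under(e, base_dn) for e in self.excludes)
        return LDAP_SUCCESS if covered and not hole else LDAP_UNWILLING_TO_PERFORM


if __name__ == "__main__":
    for label, ldif in (("include cn=dns", INCLUDE_DNS_LDIF), ("exclude o=ipaca", EXCLUDE_IPACA_LDIF)):
        scope = RetroCLScope.from_ldif(ldif)
        for base in (f"cn=dns,{SUFFIX}", SUFFIX, "o=ipaca"):
            print(f"{label:16} SyncRepl base {base:28} -> {scope.syncrepl_result(base)}")
```

With the include-only configuration a SyncRepl on cn=dns,$SUFFIX succeeds while one on $SUFFIX or o=ipaca is refused; with the exclude-only configuration a SyncRepl on $SUFFIX still succeeds because o=ipaca is not inside it, which is the practical difference between the two options in the thread.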