[Freeipa-devel] Domain level change failed

Petr Vobornik pvoborni at redhat.com
Mon Jun 1 14:20:50 UTC 2015


On 06/01/2015 04:13 PM, Oleg Fayans wrote:
> Hi,
>
> In my installation of the freeipa built with the latest topology patches
> applied, I was unable to reset domain level to 0 on either of the nodes:
>
> ofayans at testmaster:~/ldap]$ ipa domainlevel-set 0
> ipa: ERROR: Domain Level cannot be lowered.
>
> I am able to reset domain level to 0 manually using ldapmodify with the
> following ldif file:
> dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
> changetype: modify
> replace: ipaDomainLevel
> ipaDomainLevel: 0
>
> and subsequently raise it back to 1 with the standard command:
>
> ofayans at testmaster:~/ldap]$ ipa domainlevel-get
> -----------------------
> Current domain level: 0
> -----------------------
> ofayans at testmaster:~/ldap]$ ipa domainlevel-set 1
> -----------------------
> Current domain level: 1
> -----------------------
>
> My topology looks like this:
> master <=> replica1 <=> replica3
>
> The question is: is it a correct behavior? AFAIU, the admin should not
> be able to *raise* domain level if one of the replicas does not support
> this, but there should be no limitations on *lowering* the domain level.
>
>

It is correct behavior. From the design page:
"""
The Domain Level cannot be lowered as raising the Domain Level can cause 
changes to the tree (new schema, changes in behavior and data) that 
cannot be easily undone.
"""

http://www.freeipa.org/page/V4/Domain_Levels

-- 
Petr Vobornik



