[Freeipa-devel] [PATCH 0010] KeyError raised upon replica installation

Alexander Bokovoy abokovoy at redhat.com
Tue Jun 2 15:31:30 UTC 2015


On Tue, 02 Jun 2015, Ludwig Krispenz wrote:
>
>On 06/02/2015 05:16 PM, Martin Kosek wrote:
>>On 06/02/2015 05:08 PM, Ludwig Krispenz wrote:
>>>On 06/02/2015 03:53 PM, Petr Vobornik wrote:
>>>>On 06/02/2015 02:20 PM, Ludwig Krispenz wrote:
>>>>>On 06/02/2015 12:09 PM, Oleg Fayans wrote:
>>>>>>Hi all,
>>>>>>
>>>>>>The following error was caught during replica installation (I used all
>>>>>>the latest patches from Ludwig and Martin Basti):
>>>>-        except ldap.TYPE_OR_VALUE_EXISTS:
>>>>+        except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_OBJECT):
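Review bot: widening the except clause to swallow ldap.NO_SUCH_OBJECT makes a missing bind DN group entry indistinguishable from a member that is already present, so the replica's DN is silently never added and nothing is logged; the thread below notes the consequence (the group stays unpopulated and the topology plugin cannot replicate). Handle NO_SUCH_OBJECT separately from TYPE_OR_VALUE_EXISTS: either create the group entry and retry the member addition, or at minimum log a warning that the group was absent, rather than treating the two errors identically.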
>>>>
>>>>What happens if all replicas are updated and domain level is raised? I don't
>>>>think that the group will be populated. Or will it be? Without it, topology
>>>>plugin won't work, right?
>>>good point,
>>>it will be limited, when adding a new segment a replication agreement will be
>>>created, but it will not have the credentials to replicate.
>>>>There should be a moment where all the DNs are added.
>>>yes, there could probably be a check when topology plugin gets active if the
>>>binddn group exists and if not create and populate it
>>Should we finally start maintaining by default IPA Masters hostgroup? *That*
>>should be the BIND DN group which Topology plugins works with, no?
>what would be the members of this group ?
>the binddn group needs all the ldap principals in it so that a replica 
>can do gssapi replication to another replica.
They should be fqdn=ipa.master,...

For example, this is how cn=adtrust agents looks for the upcoming one-way trust:

# adtrust agents, sysaccounts, etc, t.vda.li
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=t,dc=vda,dc=li
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=t,dc=vda,dc=li
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=t,dc
 =vda,dc=li
member: krbprincipalname=cifs/ipa-01.t.vda.li@t.vda.li,cn=services,cn=accounts
 ,dc=t,dc=vda,dc=li
member: fqdn=ipa-01.t.vda.li,cn=computers,cn=accounts,dc=t,dc=vda,dc=li

As you can see, cifs/ipa.master and host/ipa.master are members of the
group through their respective DNs -- for host/ipa.master the DN is
fqdn=ipa.master,cn=computers,cn=accounts,$SUFFIX.

-- 
/ Alexander Bokovoy
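The group entry quoted above, together with the earlier point that the bind DN group must hold every master's LDAP principal or replication silently lacks credentials, suggests a membership audit. The following is an added example, not FreeIPA code and not from anyone in this thread: it parses a group entry in the folded LDIF form shown above and reports which expected member DNs are missing and which members do not belong to any current master (an account that can replicate but should not). The host DN shape (fqdn=...,cn=computers,cn=accounts,$SUFFIX) follows the entry above; the ldap/ service principal DN shape is assumed by analogy with the cifs/ member shown there. The group name "replication managers", the hostnames, the realm and the stale/missing members in the sample LDIF are constructed.

```python
"""Audit the membership of an IPA replication bind DN group (added example).

Not FreeIPA code.  Parses a folded LDIF group entry and compares its member
DNs with the DNs a list of masters is expected to contribute.  Assumed DN
shapes:
  host:      fqdn=HOST,cn=computers,cn=accounts,SUFFIX
  principal: krbprincipalname=ldap/HOST@REALM,cn=services,cn=accounts,SUFFIX
"""
from __future__ import annotations

# Constructed sample: one master complete (ipa-01), one missing its ldap/
# principal (ipa-02), and one stale host that is no longer a master (ipa-old).
SAMPLE_LDIF = """\
# constructed sample entry, not from a real deployment
dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=t,dc=vda,dc=li
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: replication managers
member: krbprincipalname=ldap/ipa-01.t.vda.li@T.VDA.LI,cn=services,cn=accounts
 ,dc=t,dc=vda,dc=li
member: fqdn=ipa-01.t.vda.li,cn=computers,cn=accounts,dc=t,dc=vda,dc=li
member: fqdn=ipa-02.t.vda.li,cn=computers,cn=accounts,dc=t,dc=vda,dc=li
member: fqdn=ipa-old.t.vda.li,cn=computers,cn=accounts,dc=t,dc=vda,dc=li
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attribute (lowercased): [values]}.

    Handles LDIF line folding (a continuation line starts with a single
    space) and skips '#' comment lines.  Base64 ('::') values are not
    needed for group entries like this one and are not decoded.
    """
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # join continuation to previous line
        else:
            unfolded.append(raw)
    entry: dict[str, list[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        # partition on the first ':' only: values may themselves contain ':'
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn: str) -> str:
    """Trim whitespace around RDN separators (not full RFC 4514 matching)."""
    return ",".join(part.strip() for part in dn.strip().split(","))


def expected_member_dns(masters: list[str], realm: str, suffix: str) -> set[str]:
    """DNs every master must contribute: its host entry and ldap/ principal."""
    dns: set[str] = set()
    for host in masters:
        dns.add(f"fqdn={host},cn=computers,cn=accounts,{suffix}")
        dns.add(f"krbprincipalname=ldap/{host}@{realm},cn=services,cn=accounts,{suffix}")
    return dns


def audit_group(ldif_text: str, masters: list[str], realm: str,
                suffix: str) -> dict[str, list[str]]:
    """Return missing (masters that cannot replicate) and unexpected members."""
    entry = parse_ldif_entry(ldif_text)
    if "dn" not in entry:
        raise ValueError("no dn: line found; not an LDIF entry")
    actual = {normalize_dn(m) for m in entry.get("member", [])}
    expected = {normalize_dn(d) for d in expected_member_dns(masters, realm, suffix)}
    return {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
    }


if __name__ == "__main__":
    result = audit_group(SAMPLE_LDIF, ["ipa-01.t.vda.li", "ipa-02.t.vda.li"],
                         "T.VDA.LI", "dc=t,dc=vda,dc=li")
    for kind, dns in result.items():
        for dn in dns:
            print(f"{kind}: {dn}")
```

Run against the sample, the audit reports the ldap/ principal of ipa-02 as missing (that replica would get a replication agreement but no credentials to use it, as described in the thread) and the fqdn= entry of ipa-old as unexpected. On a live server the same functions can be fed the output of an ldapsearch of the group entry.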