[Freeipa-devel] topologysegment-mod question
Ludwig Krispenz
lkrispen at redhat.com
Wed Jun 24 14:31:07 UTC 2015
On 06/24/2015 04:19 PM, Oleg Fayans wrote:
>
>
> On 06/24/2015 02:35 PM, Ludwig Krispenz wrote:
>>
>> On 06/24/2015 02:30 PM, Oleg Fayans wrote:
>>>
>>>
>>> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:
>>>>
>>>> On 06/24/2015 01:59 PM, Oleg Fayans wrote:
>>>>> Hi Petr,
>>>>>
>>>>> Thanks for clarification! It seems though, that all possible
>>>>> attributes are already mapped to the topologysegment-mod options:
>>>>>
>>>>> [13:42:45]ofayans at vm-244:~]$ ipa show-mappings topologysegment-mod
>>>>> Parameter : LDAP attribute
>>>>> ========= : ==============
>>>>> stripattrs : nsds5replicastripattrs
>>>>> replattrs : nsds5replicatedattributelist
>>>>> replattrstotal : nsds5replicatedattributelisttotal
>>>>> timeout : nsds5replicatimeout
>>>>> enabled : nsds5replicaenabled
>>>>> rights : rights
>>>>> [13:47:41]ofayans at vm-244:~]$ ipa help topologysegment-mod
>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>>>>>
>>>>> Modify a segment.
>>>>> Options:
>>>>>   -h, --help            show this help message and exit
>>>>>   --stripattrs=STR      A space separated list of attributes which are removed
>>>>>                         from replication updates.
>>>>>   --replattrs=STR       Attributes that are not replicated to a consumer
>>>>>                         server during a fractional update. E.g.,
>>>>>                         `(objectclass=*) $ EXCLUDE accountlockout memberof
>>>>>   --replattrstotal=STR  Attributes that are not replicated to a consumer
>>>>>                         server during a total update. E.g. (objectclass=*) $
>>>>>                         EXCLUDE accountlockout
>>>>>   --timeout=INT         Number of seconds outbound LDAP operations waits for a
>>>>>                         response from the remote replica before timing out and
>>>>>                         failing
>>>>>   --enabled=['on', 'off']
>>>>>                         Whether a replication agreement is active, meaning
>>>>>                         whether replication is occurring per that agreement
>>>>>   --setattr=STR         Set an attribute to a name/value pair. Format is
>>>>>                         attr=value. For multi-valued attributes, the command
>>>>>                         replaces the values already present.
>>>>>   --addattr=STR         Add an attribute/value pair. Format is attr=value. The
>>>>>                         attribute must be part of the schema.
>>>>>   --delattr=STR         Delete an attribute/value pair. The option will be
>>>>>                         evaluated last, after all sets and adds.
>>>>>   --rights              Display the access rights of this entry (requires
>>>>>                         --all). See ipa man page for details.
>>>>>   --all                 Retrieve and print all attributes from the server.
>>>>>                         Affects command output.
>>>>>   --raw                 Print entries as stored on the server. Only affects
>>>>>                         output format.
>>>>>
>>>>> So, setattr, addattr and delattr should, I think, be explained in
>>>>> the design document, with example usage.
>>>>>
>>>>> Another question that I have:
>>>>> In order to test topologysegment-reinitialize, I need to set the
>>>>> replica timeout to, say, 1, then turn this replica off, then make
>>>>> some changes on master and turn on the replica? I mean, my goal is
>>>>> to make the master give up attempts to synchronize with the replica, is
>>>>> that correct?
>>>> I don't see why you want to do all these steps, initialize means
>>>> that the database of B is overwritten by the database of A, so you
>>>> could check that the content is the same. But to simulate a
>>>> situation where init is required is not so easy, if you turn the
>>>> replica on again, the changes could be normally replicated before
>>>> you start the init
>>> The question is: how do I make sure that the content on node /a/ is
>>> overwritten with the content of node /b/? I kind of need the two
>>> nodes to have different content and not try to synchronize
>>> automatically
>> you could combine this with a backup test. On server A make a backup,
>> make some changes on any node and wait until it is replicated
>> everywhere. restore A from the backup and reinitialize the complete
>> topology. It should be enough with 2 or three servers
> Will the changes introduced by restoring from backup not get
> replicated automatically?
no, a restore will only replace the database, then it depends on the
replication agreements and state of other servers. On the restored
server the changes after backup are no longer available, but they could
be replicated back from other servers, that's why it is recommended to
disable repl agreements to this server and then reinit
>>>>>
>>>>> On 06/24/2015 12:28 PM, Petr Vobornik wrote:
>>>>>> On 06/24/2015 12:19 PM, Oleg Fayans wrote:
>>>>>>> Hi Ludwig,
>>>>>>>
>>>>>>> I see some contradictions in the way the segment modification cli is
>>>>>>> implemented:
>>>>>>>
>>>>>>> 1.
>>>>>>> $ ipa help topologysegment-mod
>>>>>>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>>>>>>>
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
>>>>>>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
>>>>>>>
>>>>>>> (suffix + name + options = 3, not 2)
>>>>>>
>>>>>> 'Segment name' is not correct attribute name. More below.
>>>>>>
>>>>>>>
>>>>>>> 2.
>>>>>>> Is there a way to list all possible attributes available for modification?
>>>>>>> When I do topologysegment-show --all, I get quite a small number of them,
>>>>>>> and even those I am unable to modify:
>>>>>>>
>>>>>>> $ ipa topologysegment-show realm 127-to-244 --all
>>>>>>> dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>>>>>>
>>>>>>> Segment name: 127-to-244
>>>>>>> Left node: vm-127.idm.lab.eng.brq.redhat.com
>>>>>>> Right node: vm-244.idm.lab.eng.brq.redhat.com
>>>>>>> Connectivity: both
>>>>>>> objectclass: top, iparepltoposegment
>>>>>>>
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
>>>>>>> ipa: ERROR: attribute "connectivity" not allowed
>>>>>>> $ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
>>>>>>> ipa: ERROR: attribute "direction" not allowed
>>>>>>>
>>>>>>
>>>>>> --XXXattr options work with LDAP attributes names. 'direction' is
>>>>>> the option name but not attribute name. Attribute name is
>>>>>> iparepltoposegmentdirection.
>>>>>>
>>>>>> You can see the mappings in, e.g.,:
>>>>>> ipa show-mappings topologysegment-mod
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Oleg Fayans
>>>>> Quality Engineer
>>>>> FreeIPA team
>>>>> RedHat.
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> Oleg Fayans
>>> Quality Engineer
>>> FreeIPA team
>>> RedHat.
>>>
>>>
>>
>>
>>
>
> --
> Oleg Fayans
> Quality Engineer
> FreeIPA team
> RedHat.
>
>
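Added example (not part of the original thread and not FreeIPA code): a pre-check for `--setattr`/`--addattr`/`--delattr` arguments that uses the `show-mappings` table quoted above to tell CLI option names from LDAP attribute names before the command is run. `parse_mappings`, `check_attr_option` and the status strings are hypothetical names; the `direction` entry comes from Petr's reply, not from the table.

```python
import re

# `ipa show-mappings topologysegment-mod` output as quoted in the thread.
SHOW_MAPPINGS = """\
Parameter : LDAP attribute
========= : ==============
stripattrs : nsds5replicastripattrs
replattrs : nsds5replicatedattributelist
replattrstotal : nsds5replicatedattributelisttotal
timeout : nsds5replicatimeout
enabled : nsds5replicaenabled
rights : rights
"""
# Not in that table; taken from Petr Vobornik's reply in the thread.
EXTRA = {"direction": "iparepltoposegmentdirection"}

# LDAP short attribute names: a letter, then letters, digits or hyphens.
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def parse_mappings(text):
    """Return {option name: LDAP attribute} from show-mappings output."""
    mapping = {}
    for line in text.splitlines():
        param, sep, attr = (part.strip() for part in line.partition(":"))
        if not sep or param == "Parameter" or not param.strip("="):
            continue  # blank line, header row, or the ===== ruler
        mapping[param.lower()] = attr.lower()
    return mapping


def check_attr_option(value, mapping):
    """Classify the argument of --setattr/--addattr/--delattr.

    Returns (status, suggestion); suggestion is the argument to pass, or None.
    """
    name, sep, val = value.partition("=")
    if not sep or not ATTR_NAME.match(name):
        return ("malformed", None)   # e.g. a display label containing a space
    name = name.lower()              # LDAP attribute names are case-insensitive
    if name in mapping.values():
        return ("ldap-attribute", value)
    if name in mapping:              # option name used where an attribute is expected
        return ("option-name", f"{mapping[name]}={val}")
    return ("unknown", None)


MAPPING = {**parse_mappings(SHOW_MAPPINGS), **EXTRA}
```

The check only classifies names against the mapping table; whether the server accepts a given attribute is still decided by the command itself.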