[Freeipa-devel] certprofiles -- problem with delete

Milan Kubik mkubik at redhat.com
Thu May 21 12:36:14 UTC 2015


Hi Fraser and list,

I ran into this when I was tinkering with the commands.

The ipa certprofile plugin[s] does not take the backend result into the
picture right now. When I tried to delete the *default profile*, the entry
from the ipa suffix got deleted. However, the command failed
and the profile is still in the dogtag managed suffix.
After I've done this to the installed instance, the subsequent uninstall
operation failed on some step involving dogtag. I suspect it is related.
I haven't been able to reproduce this for now as at the moment there
was no package with dogtag in the copr repo.
Reproducer for this is attached. (This reproducer requires patches at
least up to freeipa-ftweedal-0005-3-Add-certprofile-plugin.patch)

It may be a more complicated issue than it seems, though.
If we delete the ipa managed entry before the dogtag operation
and this one fails, it leaves us in an inconsistent state.
If on the other hand we delete the ipa managed entry after the dogtag
call, it opens a possibility of failing to delete the entry in ipa, leading
to inconsistency again.

The solution to this would be a transaction. The problem here is
that the transaction would span two integrated
components (three actually: ipa, 389 and dogtag, in this context).
Not an easy thing to do, I assume.

TL;DR:

  * certprofile-del deletes the ipa managed entry and dogtag doesn't
  * how do we approach possibly irreversible changes in LDAPObject
    plugins when an integrated component doesn't behave?

Your thoughts on this?

Thanks,
Milan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: delete_default_profile.sh
Type: application/x-shellscript
Size: 620 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150521/f72156cd/attachment.bin>
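As an added illustration of the two orderings discussed in the mail (this is example code, not from the thread or from FreeIPA), the following Python model runs a certprofile-del against two stand-in backends and reports which profiles end up present on only one side; IpaDirectory, DogtagCA, BackendError, the "custom" profile and the assumption that Dogtag refuses to delete the default profile are all constructed for the demo. It shows that calling Dogtag first avoids the default-profile case, but not a failure of the later LDAP delete.

```python
# Added example, not FreeIPA/Dogtag code: IpaDirectory and DogtagCA are
# stand-ins for the IPA LDAP suffix and the Dogtag-managed profile store.

class BackendError(Exception):
    """Stands in for whatever error each backend raises."""

class IpaDirectory:
    """IPA-managed profile entries; delete() can be told to fail for the demo."""
    def __init__(self, profiles):
        self.entries = set(profiles)

    def delete(self, cn, fail=False):
        if fail:
            raise BackendError("ldap: delete of %s failed" % cn)
        self.entries.remove(cn)

class DogtagCA:
    """Dogtag profile store; refuses to delete the default profile."""
    PROTECTED = {"caIPAserviceCert"}  # FreeIPA's default profile (name assumed)

    def __init__(self, profiles):
        self.profiles = set(profiles)

    def delete(self, cn):
        if cn in self.PROTECTED:
            raise BackendError("dogtag: refusing to delete %s" % cn)
        self.profiles.remove(cn)

def del_ipa_first(ipa, ca, cn, ldap_fails=False):
    """Ordering the mail describes: IPA entry first, then the Dogtag call."""
    ipa.delete(cn, fail=ldap_fails)
    ca.delete(cn)  # if this raises, the IPA entry is already gone

def del_dogtag_first(ipa, ca, cn, ldap_fails=False):
    """Alternative ordering: Dogtag call first, then the IPA entry."""
    ca.delete(cn)
    ipa.delete(cn, fail=ldap_fails)  # if this raises, Dogtag is already gone

def drift(ipa, ca):
    return ipa.entries ^ ca.profiles  # profiles present on exactly one side

def run(order, cn, ldap_fails=False):
    """Run one ordering from a fresh state; return (error or None, drift)."""
    ipa = IpaDirectory({"caIPAserviceCert", "custom"})
    ca = DogtagCA({"caIPAserviceCert", "custom"})
    try:
        order(ipa, ca, cn, ldap_fails)
        return None, drift(ipa, ca)
    except BackendError as e:
        return str(e), drift(ipa, ca)
```

A non-empty drift set is the inconsistent state the mail describes; checking it after the command is a cheap way to detect the problem even without a cross-component transaction.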
