[Freeipa-devel] Domain level change failed

Tomas Babej tbabej at redhat.com
Mon Jun 1 14:19:07 UTC 2015



On 06/01/2015 04:13 PM, Oleg Fayans wrote:
> Hi,
> 
> In my installation of FreeIPA built with the latest topology patches
> applied, I was unable to reset the domain level to 0 on either of the nodes:
> 
> ofayans at testmaster:~/ldap]$ ipa domainlevel-set 0
> ipa: ERROR: Domain Level cannot be lowered.
> 
> I am able to reset domain level to 0 manually using ldapmodify with the
> following ldif file:
> dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
> changetype: modify
> replace: ipaDomainLevel
> ipaDomainLevel: 0
> 
> and subsequently raise it back to 1 with the standard command:
> 
> ofayans at testmaster:~/ldap]$ ipa domainlevel-get
> -----------------------
> Current domain level: 0
> -----------------------
> ofayans at testmaster:~/ldap]$ ipa domainlevel-set 1
> -----------------------
> Current domain level: 1
> -----------------------
> 
> My topology looks like this:
> master <=> replica1 <=> replica3
> 
> The question is: is this the correct behavior? AFAIU, the admin should not
> be able to *raise* the domain level if one of the replicas does not support
> this, but there should be no limitations on *lowering* the domain level.
> 

Yes.

Domain Level cannot be lowered as raising the domain level can cause
permanent changes in the tree that cannot be reversed.

See http://www.freeipa.org/page/V4/Domain_Levels.

Tomas
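The thread shows two sides of the same rule: `ipa domainlevel-set` refuses to lower the level, while a direct `ldapmodify` against the `cn=domain level` entry is not subject to that check. The following is an added example, not FreeIPA's own code: it models the command-level rule (never lower; raise only when every replica supports the target level, where the per-replica support map is an assumed input) and adds a small LDIF inspector that flags a change record which would lower `ipaDomainLevel` directly, so an operator reviewing LDIF before applying it, or auditing access logs, can spot the out-of-band path. The base DN in the sample record is a placeholder.

```python
# Added example; not part of the original thread or of FreeIPA.
from typing import Dict, List, Optional, Tuple


class DomainLevelError(ValueError):
    """Raised when a domain-level transition is not allowed."""


def validate_domain_level_change(current: int, requested: int,
                                 replica_max_levels: Dict[str, int]) -> int:
    """Return the new level, or raise DomainLevelError.

    Lowering is always refused (the thread's
    'ipa: ERROR: Domain Level cannot be lowered.').
    Raising is refused if any replica's maximum supported level is below
    `requested`; the hostname -> max level map is an assumed input.
    """
    if requested < current:
        raise DomainLevelError("Domain Level cannot be lowered.")
    unsupported = [h for h, lvl in replica_max_levels.items() if lvl < requested]
    if unsupported:
        raise DomainLevelError(
            "Domain Level cannot be raised to %d: unsupported by %s"
            % (requested, ", ".join(sorted(unsupported))))
    return requested


def parse_ldif_change(ldif_text: str) -> dict:
    """Minimal parser for one 'changetype: modify' LDIF record.

    Returns {'dn': str, 'changetype': str, 'mods': [(op, attr, values)]}.
    Only the plain replace/add/delete forms used in the thread are handled;
    folded lines and base64 ('::') values are out of scope.
    """
    rec = {"dn": None, "changetype": None, "mods": []}  # type: dict
    op: Optional[str] = None
    attr: Optional[str] = None
    vals: List[str] = []
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                      # end of one modification block
            if op is not None:
                rec["mods"].append((op, attr, vals))
            op, attr, vals = None, None, []
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            rec["dn"] = value
        elif key == "changetype":
            rec["changetype"] = value
        elif key in ("replace", "add", "delete"):
            if op is not None:               # previous block had no '-'
                rec["mods"].append((op, attr, vals))
            op, attr, vals = key, value, []
        elif op is not None and attr is not None and key.lower() == attr.lower():
            vals.append(value)
    if op is not None:
        rec["mods"].append((op, attr, vals))
    return rec


def ldif_lowers_domain_level(ldif_text: str, current_level: int) -> Optional[int]:
    """Return the target level if this record would lower ipaDomainLevel on
    the domain-level entry, else None.

    Matching on the RDN 'cn=domain level' is an assumption; the base DN
    differs per deployment, so only the leading RDN is compared.
    """
    rec = parse_ldif_change(ldif_text)
    if rec["changetype"] != "modify" or not rec["dn"]:
        return None
    if not rec["dn"].lower().startswith("cn=domain level,"):
        return None
    for op, attr, vals in rec["mods"]:
        if op == "replace" and attr.lower() == "ipadomainlevel":
            for v in vals:
                try:
                    lvl = int(v)
                except ValueError:
                    continue
                if lvl < current_level:
                    return lvl
    return None


# Constructed sample: the record from the thread with a placeholder base DN.
SAMPLE_LDIF = """dn: cn=domain level,cn=ipa,cn=etc,dc=example,dc=test
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel: 0
"""

if __name__ == "__main__":
    # With the domain currently at level 1, this record lowers it to 0.
    print(ldif_lowers_domain_level(SAMPLE_LDIF, current_level=1))
```

Run as a script it prints the target level of the sample record. The `validate_domain_level_change` rule mirrors what the command enforces per this thread; the LDIF inspector is the complementary check for the path that the command does not cover.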