<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/15/2011 08:01 AM, Rob Crittenden wrote:
<blockquote cite="mid:4E20484F.5040900@redhat.com" type="cite">Martin
Kosek wrote:
<br>
<blockquote type="cite">On Fri, 2011-07-15 at 14:43 +0200, Jan
Cholasta wrote:
<br>
<blockquote type="cite">On 15.7.2011 05:42, Rob Crittenden
wrote:
<br>
<blockquote type="cite">Add a separate tool for now to do
dogtag replication agreement
<br>
management. The syntax is the same for IPA agreements with
the exception
<br>
that the DM password is always required and it isn't
possible to
<br>
delegate the management of this.
<br>
<br>
ticket <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/1250">https://fedorahosted.org/freeipa/ticket/1250</a>
<br>
<br>
rob
<br>
<br>
</blockquote>
<br>
NACK
<br>
<br>
'ipa-csreplica-manage list server' doesn't list the peers of
the
<br>
specified server, but the peers of localhost.
<br>
<br>
Connecting already connected pair of replicas duplicates the
replication
<br>
information ('ipa-csreplica-manage list server' shows the same
hostname
<br>
twice).
<br>
<br>
There is trailing whitespace on line 87 of the patch.
<br>
<br>
BTW I don't understand why it is possible (or necessary?) to
be able to
<br>
have a CS replication topology that is different from the main
IPA
<br>
replication topology (ipa-csreplica-manage allows you to do
that). Is
<br>
there a reason for this?
<br>
<br>
Honza
<br>
<br>
</blockquote>
<br>
And some issues from me:
<br>
<br>
1) Unhelpful error message when force-syncing from a master
without a
<br>
replication agreement:
<br>
<br>
# ipa-csreplica-manage force-sync --from=HOST
<br>
Directory Manager password:
<br>
ipa: ERROR: Unable to find replication agreement for
vm-060.idm.lab.bos.redhat.com
<br>
unexpected error: Unable to proceed
<br>
<br>
2) Minor stuff in man page:
<br>
<br>
Unindented Exit statuses:
<br>
EXIT STATUS
<br>
0 if the command was successful
<br>
1 if an error occurred
<br>
<br>
Missing dot: The default is the machine on which the command is
run Not
<br>
honoured by the re-initialize command.
<br>
<br>
<br>
Otherwise it looks good.
<br>
<br>
Martin
<br>
<br>
</blockquote>
<br>
This should address all the issues raised.
<br>
<br>
There are several reasons for the different topology:
<br>
<br>
1. A given IPA server may not have a CA installed
<br>
2. Some aspects of ipa-replica-manage can be delegated. We can't
delegate CS replica management because it is in a different
directory server. We don't have users stored there so can't map
the GSSAPI credentials. So only Directory Manager can operate on
it for now.
<br>
3. Flexibility. You may want way more connections for users than
for the CA.
<br>
</blockquote>
<br>
+ if starttls:<br>
+ self.conn = ipaldap.IPAdmin(hostname, port=port)<br>
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)<br>
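Review bot: in the starttls branch the ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) call is process-global and runs only after ipaldap.IPAdmin(hostname, port=port) has been constructed, so if IPAdmin opens its connection in the constructor the CA file is not yet in effect for that connection, and every other ldap connection in the process picks up the setting as a side effect; the CA certificate belongs on the connection object, as the question below suggests.<br>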
<br>
Why in the starttls case do you not call ipaldap.IPAdmin(hostname,
port=PORT, cacert=CACERT) ?<br>
<br>
+ managers = entry.getValues('nsDS5ReplicaBindDN')<br>
+ if replica_binddn not in managers:<br>
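Review bot: replica_binddn not in managers is an exact string comparison, so a bind DN that is already present in nsDS5ReplicaBindDN but differs in attribute-type case, value case or spacing around the commas is treated as missing and added a second time; compare canonical forms rather than the raw strings.<br>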
<br>
You might want to use the dn.py code, or at least normalize the DNs
in managers before comparing.<br>
<br>
+ if master is None:<br>
+ entry.setValues('nsds5replicaupdateschedule',
'0000-2359 0123456')<br>
<br>
You should just omit nsds5replicaupdateschedule.<br>
<br>
Suggest using the dn.py code in the new csreplica manage script.<br>
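As an added illustration of the normalization asked for above (example code written for this review, not FreeIPA's dn.py and not part of the patch), the following canonicalizes two DNs before the membership check so that case, spacing and escaping differences do not cause a bind DN to be added twice. It assumes every attribute type in these DNs is matched case-insensitively, which holds for cn, ou, dc and o; the MANAGERS values are constructed samples.<br>

```python
HEX = "0123456789abcdefABCDEF"
def _split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped separators inside the parts."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):  # keep the escape pair intact
            buf.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts

def _unescape(value):
    """Resolve RFC 4514 escapes: \\XX hex pairs and \\c single characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "\\" or i + 1 >= len(value):
            out.append(value[i])
            i += 1
        elif len(value) >= i + 3 and value[i + 1] in HEX and value[i + 2] in HEX:
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i + 1])
            i += 2
    return "".join(out)

def canonical_dn(dn):
    """Tuple of RDNs, each a sorted tuple of lower-cased (type, value) pairs.
    Assumes every attribute type is matched case-insensitively (cn, ou, dc, o)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            avas.append((attr.strip().lower(), _unescape(value.strip()).lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)

def dn_in(dn, dns):
    """Canonical-form membership test to use instead of 'replica_binddn not in managers'."""
    wanted = canonical_dn(dn)
    return any(canonical_dn(d) == wanted for d in dns)
# Constructed sample values, shaped like what nsDS5ReplicaBindDN may hold.
MANAGERS = ["cn=replication manager,cn=config", "cn=Smith\\, John,ou=people,dc=example,dc=com"]
```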
<blockquote cite="mid:4E20484F.5040900@redhat.com" type="cite">
<br>
rob
<br>
<pre wrap="">
_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
</body>
</html>