[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Simo Sorce ssorce at redhat.com
Fri Oct 30 20:29:52 UTC 2009


On Fri, 2009-10-30 at 16:21 -0400, Dmitri Pal wrote:
> Simo Sorce wrote:
> > On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
> >   
> >> But then you have to update it on all replicas and will definitely
> >> forget to do it.
> >> Is it really a hassle to have it in the DS?
> >>     
> >
> > Yes it means you have to build a UI to manage that attribute, create it,
> > find a place where to store it in the tree etc.. and adds cruft to the
> > tree.
> >
> >   
> There are a lot of other things that we put in the cn=config replicate
> but do not provide UI.
> Admin will just run ldapmodify command for this attribute and this is it.

It's really not easy at all to put formatted text in an attribute in an
ldif file, I wouldn't recommend something like that.

> > A file is a simple drop in and admins can easily change it at any time.
> >
> > True, if they forget to replicate it on other servers it will get out of
> > sync, but it is also easy to fix that if it happens. We can put a
> > comment in the template that reminds admins to always replicate it to
> > all servers.
> >   
> Why it should be limited to a server. This IMO will be an artificial
> limitation.

It's not a limitation; you can set up multiple servers if you want, but
most likely you will send out just one URL organization wide.

Remember it's a one-time thing.

> Any server can perform migration and replicate the created kerberos keys
> so why limit?

Limit? Copying one file over hardly looks like a limit.

What I think is that admins will "limit themselves", it makes no sense
for them to send out URLs to multiple servers etc for something like a
one-off.

> > However do you think admins will set it up on all servers ? 

> Yes. I do not see "set". Functionality is just there available from any
> server.

>  They do not need to do anything to set it up.

Surely we will need to configure this stuff only if there is a
migration, do we want to expose this stuff if there is no migration to
perform at all ?

At the very least I would expect a global switch to turn this on and
off ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



