[Freeipa-devel] [PATCH] 825 add dogtag replication management

Rob Crittenden rcritten at redhat.com
Fri Jul 15 14:01:51 UTC 2011


Martin Kosek wrote:
> On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
>> On 15.7.2011 05:42, Rob Crittenden wrote:
>>> Add a separate tool for now to do dogtag replication agreement
>>> management. The syntax is the same for IPA agreements with the exception
>>> that the DM password is always required and it isn't possible to
>>> delegate the management of this.
>>>
>>> ticket https://fedorahosted.org/freeipa/ticket/1250
>>>
>>> rob
>>>
>>
>> NACK
>>
>> 'ipa-csreplica-manage list server' doesn't list the peers of the
>> specified server, but the peers of localhost.
>>
>> Connecting an already connected pair of replicas duplicates the replication
>> information ('ipa-csreplica-manage list server' shows the same hostname
>> twice).
>>
>> There is trailing whitespace on line 87 of the patch.
>>
>> BTW I don't understand why it is possible (or necessary?) to be able to
>> have a CS replication topology that is different from the main IPA
>> replication topology (ipa-csreplica-manage allows you to do that). Is
>> there a reason for this?
>>
>> Honza
>>
>
> And some issues from me:
>
> 1) Unhelpful error message when force-syncing from a master without a
> replication agreement:
>
> # ipa-csreplica-manage force-sync --from=HOST
> Directory Manager password:
> ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com
> unexpected error: Unable to proceed
>
> 2) Minor stuff in man page:
>
> Unindented Exit statuses:
> EXIT STATUS
>         0 if the command was successful
>          1 if an error occurred
>
> Missing dot: The default is the machine on which the command is run  Not
>                honoured by the re-initialize command.
>
>
> Otherwise it looks good.
>
> Martin
>

This should address all the issues raised.

There are several reasons for the different topology:

1. A given IPA server may not have a CA installed.
2. Some aspects of ipa-replica-manage can be delegated. We can't
delegate CS replica management because it is in a different directory
server. We don't have users stored there, so we can't map the GSSAPI
credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for the CA.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-825-2-replicamanage.patch
Type: text/x-diff
Size: 33390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110715/39c37bea/attachment.bin>