[Freeipa-devel] DESIGN: Recover DNA Ranges

Rich Megginson rmeggins at redhat.com
Mon Feb 25 15:12:25 UTC 2013


On 02/25/2013 06:09 AM, Martin Kosek wrote:
> On 02/25/2013 01:44 PM, Petr Viktorin wrote:
>> On 02/22/2013 09:19 PM, Rob Crittenden wrote:
>>> Design to allow one to recover DNA ranges when deleting a replica or
>>> just for normal range management.
>>>
>>> http://freeipa.org/page/V3/Recover_DNA_Ranges
>>>
>>> Supporting ticket https://fedorahosted.org/freeipa/ticket/3321
>>>
>>> rob
>> I wonder if it would be possible to have more on-deck ranges. Could
>> dnaNextRange be multi-valued, and when the low-water mark is hit the plugin
>> would pick one of them?
>>
> Not at the moment, this is a single valued attribute type:
>
> attributetypes: ( 2.16.840.1.113730.3.1.2129 NAME 'dnaNextRange' DESC 'DNA ran
>   ge of values to get from replica' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE
>   -VALUE X-ORIGIN '389 Directory Server' )
>
> But it is a good question for 389-ds guys, it would be a good extension to the
> DNA plugin and would prevent us from not-losing the range when there is no
> master with empty dnaNextRange. But maybe there is a strong reason why this was
> made single value...

If you make it multi-valued, then you probably want to have some sort of 
ordering to the values . . .

>
>
> As for the RFE, I have a few comments/questions for Rob:
>
> 1) I would expand the "Setting the on-deck range" section and add information
> on what we should do when the remote master is not accessible (this would result
> only in a warning probably).
>
>
> 2) We may want to make sure that the removed replica is readonly before we copy
> the range (just to be sure that we do not miss some value due to a race condition).
>
>
> 3) In "Enhancing ipa-replica-manage":
>
> What does "ipa-replica-manage dnarange-set masterA.example.com 250-499" exactly
> do? I thought that it would just overwrite active range, but based on the next
> "ipa-replica-manage dnanextrange-show" example, it moved the currently active
> range of masterA.example.com to the on-deck range. Do we want to do that?
>
>
> 4) What does "NOTE: We will need to be clear that this range has nothing to do
> with Trust ranges." actually mean? AFAIU, IPA should have all local ranges
> covered with a local "idrange" range(s).
>
> If it does not have it covered, it could happen that for example a new trust
> would overlap with this user-defined local range and we would have colliding
> POSIX IDs...
>
> IMO, dnarange-set and dnanextrange-set should at first check if the range is
> covered with some local idrange and only then allowed setting the new range.
>
> Martin
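
The check proposed in point 4 above (refuse a new DNA range unless local idranges cover it), written out as an added example that is not part of the original thread or of FreeIPA's code. The IdRange record, its "local"/"trust" labels and the sample ranges are constructed assumptions; only the "250-499" range syntax comes from the thread.

```python
# Added example; IdRange, its field names and SAMPLE are constructed, not FreeIPA's.
from typing import NamedTuple

class IdRange(NamedTuple):
    name: str
    kind: str   # "local" or "trust" (hypothetical labels)
    base: int   # first ID in the range
    size: int   # number of IDs in the range

    @property
    def last(self) -> int:
        return self.base + self.size - 1

def parse_dna_range(text: str) -> tuple[int, int]:
    """Parse 'LOW-HIGH' as in the dnarange-set example (e.g. '250-499')."""
    low_s, sep, high_s = text.partition("-")
    if not sep or not low_s.isdigit() or not high_s.isdigit():
        raise ValueError(f"not a LOW-HIGH range: {text!r}")
    low, high = int(low_s), int(high_s)
    if low > high:
        raise ValueError(f"range start exceeds end: {text!r}")
    return low, high

def check_dna_range(text, idranges):
    """Return a list of problems; an empty list means the range may be set."""
    low, high = parse_dna_range(text)
    problems = []
    # Any overlap with a trust range risks colliding POSIX IDs.
    for r in idranges:
        if r.kind == "trust" and r.base <= high and low <= r.last:
            problems.append(f"overlaps trust range {r.name} ({r.base}-{r.last})")
    # Sweep the local ranges in ascending order and record every uncovered gap.
    cursor = low
    for r in sorted((r for r in idranges if r.kind == "local"), key=lambda r: r.base):
        if r.last < cursor:
            continue            # range ends before the part still to be covered
        if r.base > high:
            break               # range starts after the requested range ends
        if r.base > cursor:
            problems.append(f"{cursor}-{r.base - 1} not covered by a local idrange")
        cursor = r.last + 1
    if cursor <= high:
        problems.append(f"{cursor}-{high} not covered by a local idrange")
    return problems

# Constructed sample: two local ranges with a gap at 300-399, one trust range.
SAMPLE = [IdRange("local_a", "local", 1, 299), IdRange("local_b", "local", 400, 600),
          IdRange("trust_x", "trust", 1000, 1000)]
```

With the constructed SAMPLE, check_dna_range("250-499", SAMPLE) reports the uncovered 300-399 gap, while "400-499" passes.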



