[Freeipa-devel] #4389: DS deref broken after ACI refactoring

Simo Sorce ssorce at redhat.com
Fri Jun 20 14:56:47 UTC 2014


On Fri, 2014-06-20 at 16:45 +0200, Martin Kosek wrote:
> There is no impact on clients connected to the "fixed DS". This is the
> scenario I am concerned about:
> 
> User has RHEL/CentOS 6.x IPA server and wants to try the new nice and
> shiny FreeIPA 4.0. He installs the FreeIPA 4.0 replica (with fixed
> DS), the replica upgrades the ACIs to the new model. SSSD connected to
> FreeIPA 4.0 replica will work, SSSD connected to the old RHEL-6.x
> replica will not.

This is the only "issue", and I do not think we can/should jump through
many hoops here.

The best way, IMO, is to fix DS in RHEL6, and make a release note that
before migrating to FreeIPA 4.0, you must make sure all replicas have an
updated DS version (list versions for all major distros we know about).

I do not think we should add any special detection code in 4.0; if the
admin fails to update DS on an older replica, he has 2 choices:
1. update DS
2. decommission the old replica

Simo.




