Simo Sorce wrote:
> On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
>> But then you have to update it on all replicas and will definitely
>> forget to do it.
>> Is it really a hassle to have it in the DS?
> Yes it means you have to build a UI to manage that attribute, create it,
> find a place where to store it in the tree etc.. and adds cruft to the
> tree.
There are a lot of other things that we put in the cn=config replicate
but do not provide UI.
Admin will just run ldapmodify command for this attribute and this is it.

> A file is a simple drop in and admins can easily change it at any time.
> True, if they forget to replicate it on other servers it will get out of
> sync, but it is also easy to fix that if it happens. We can put a
> comment in the template that reminds admins to always replicate it to
> all servers.
Why it should be limited to a server. This IMO will be an artificaial
Any server can perform migration and replicate the created kerberos keys
so why limit?

> However do you think admins will set it up on all servers ? 
Yes. I do not see "set". Functionality is just there available from any
 They do not need to do anything to set it up.

> I was
> thinking they would set up the migration stuff only on one server and
> give out only one server URL, so I don't think we should care about
> replicating it to other servers normally.
> Simo.

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-devel mailing list

Reply via email to