Simo Sorce wrote:
> On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
>
>> But then you have to update it on all replicas and will definitely
>> forget to do it.
>> Is it really a hassle to have it in the DS?
>
> Yes it means you have to build a UI to manage that attribute, create it,
> find a place where to store it in the tree etc.. and adds cruft to the
> tree.

There are a lot of other things that we put in the cn=config replicate but do not provide UI. Admin will just run ldapmodify command for this attribute and this is it.

> A file is a simple drop in and admins can easily change it at any time.
>
> True, if they forget to replicate it on other servers it will get out of
> sync, but it is also easy to fix that if it happens. We can put a
> comment in the template that reminds admins to always replicate it to
> all servers.

Why should it be limited to a server? This IMO will be an artificial limitation. Any server can perform migration and replicate the created Kerberos keys so why limit?

> However do you think admins will set it up on all servers ?

Yes. I do not see "set". Functionality is just there available from any server. They do not need to do anything to set it up.

> I was
> thinking they would set up the migration stuff only on one server and
> give out only one server URL, so I don't think we should care about
> replicating it to other servers normally.
>
> Simo.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.