Dmitri Pal wrote:
Simo Sorce wrote:
On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
But then you have to update it on all replicas and will definitely
forget to do it.
Is it really a hassle to have it in the DS?
Yes it means you have to build a UI to manage that attribute, create it,
find a place where to store it in the tree etc.. and adds cruft to the

There are a lot of other things that we put in the cn=config replicate
but do not provide UI.
Admin will just run ldapmodify command for this attribute and this is it.

I agree with Simo. I think it would require more development time than user's would benefit.

We can always include this static file when we create replicas (just won't help those replica's already created). It is simple enough to copy a file around.

Plus in order to store it in an LDAP attribute it means that whatever page displays the message needs to be a separate server-side program that reads and displays the data. Not difficult, again just seems like overkill.

A file is a simple drop in and admins can easily change it at any time.

True, if they forget to replicate it on other servers it will get out of
sync, but it is also easy to fix that if it happens. We can put a
comment in the template that reminds admins to always replicate it to
all servers.
Why it should be limited to a server. This IMO will be an artificaial
Any server can perform migration and replicate the created kerberos keys
so why limit?

I agree with you here. No reason any IPA server can't assist with the migration.

However do you think admins will set it up on all servers ?
Yes. I do not see "set". Functionality is just there available from any
 They do not need to do anything to set it up.

I agree.


I was
thinking they would set up the migration stuff only on one server and
give out only one server URL, so I don't think we should care about
replicating it to other servers normally.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Freeipa-devel mailing list

Reply via email to