On 07/15/2011 08:01 AM, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2011-07-15 at 14:43 +0200, Jan Cholasta wrote:
On 15.7.2011 05:42, Rob Crittenden wrote:
Add a separate tool for now to do dogtag replication agreement
management. The syntax is the same for IPA agreements with the exception
that the DM password is always required and it isn't possible to
delegate the management of this.

ticket https://fedorahosted.org/freeipa/ticket/1250



'ipa-csreplica-manage list server' doesn't list the peers of the
specified server, but the peers of localhost.

Connecting an already connected pair of replicas duplicates the replication
information ('ipa-csreplica-manage list server' shows the same hostname

There is trailing whitespace on line 87 of the patch.

BTW I don't understand why it is possible (or necessary?) to have a CS
replication topology that differs from the main IPA replication topology
(ipa-csreplica-manage allows you to do that). Is there a reason for this?


And some issues from me:

1) Unhelpful error message when force-syncing from a master without a
replication agreement:

# ipa-csreplica-manage force-sync --from=HOST
Directory Manager password:
ipa: ERROR: Unable to find replication agreement for vm-060.idm.lab.bos.redhat.com
unexpected error: Unable to proceed

2) Minor stuff in man page:

Unindented Exit statuses:
        0 if the command was successful
         1 if an error occurred

Missing dot: The default is the machine on which the command is run  Not
               honoured by the re-initialize command.

Otherwise it looks good.


This should address all the issues raised.

There are several reasons for the different topology:

1. A given IPA server may not have a CA installed.
2. Some aspects of ipa-replica-manage can be delegated. We can't delegate CS replica management because it is in a different directory server. We don't have users stored there, so we can't map the GSSAPI credentials. So only Directory Manager can operate on it for now.
3. Flexibility. You may want way more connections for users than for the CA.

+        if starttls:
+            self.conn = ipaldap.IPAdmin(hostname, port=port)
+            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT)
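Review bot: the CA file is installed with a process-global ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERT) only after ipaldap.IPAdmin(hostname, port=port) has already built the connection object, so nothing in this hunk ties the CA setting to that connection, and the global option then applies to every later LDAP connection in the process. Pass the CA file through the constructor instead, `self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT)`, and drop the set_option call.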

Why in the starttls case do you not call ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT) ?

+            managers = entry.getValues('nsDS5ReplicaBindDN')
+            if replica_binddn not in managers:
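Review bot: `replica_binddn not in managers` compares DNs as raw strings, so a bind DN that differs only in case or in spacing around the commas ('CN=Replication Manager, CN=config' against 'cn=Replication Manager,cn=config') is treated as absent even though it names the same entry; and if getValues() hands back a bare string for a single-valued attribute, `in` silently becomes a substring test. Normalize both sides (lowercase attribute types, strip whitespace around separators, wrap a bare string in a list) before the membership check.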

You might want to use the dn.py code, or at least normalize the DNs in managers before comparing

+        if master is None:
+ entry.setValues('nsds5replicaupdateschedule', '0000-2359 0123456')
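Review bot: '0000-2359 0123456' is the every-minute-of-every-day schedule, which is also the behaviour when nsds5replicaupdateschedule is left unset, so the setValues call in the `master is None` branch changes nothing and should be dropped. As quoted, the `entry.setValues(...)` line has also lost its indentation and would not sit inside the `if` block.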

You should just omit nsds5replicaupdateschedule

suggest using the dn.py code in the new csreplica manage script
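The DN normalization the review asks for, as an added example that is not code from the patch, from FreeIPA's dn.py or from python-ldap. It assumes that every RDN value is case-insensitive (true for the cn/ou/dc components replication bind DNs are built from), handles backslash-escaped separators, and wraps a bare string so a single-valued attribute cannot turn the membership test into a substring test. The sample manager DNs are constructed for the example.

```python
"""Normalize LDAP DNs before checking nsDS5ReplicaBindDN membership.

Added example, not part of the reviewed patch or of FreeIPA's dn.py.
Assumption: all RDN values are case-insensitive.
"""


def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators alone."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            buf.append(ch)
            buf.append(text[i + 1])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def _strip_value(value):
    """Strip whitespace around an RDN value without eating an escaped trailing space."""
    value = value.lstrip()
    while value.endswith(' ') and not value.endswith('\\ '):
        value = value[:-1]
    return value


def normalize_dn(dn):
    """Return a canonical form of an RFC 4514 DN string.

    Whitespace around ',' '+' and '=' is dropped, attribute types are
    lowercased and (by assumption) values are lowercased too.  The AVAs
    of a multi-valued RDN (a=1+b=2) are sorted so their order is irrelevant.
    """
    rdns = []
    for rdn in split_unescaped(dn, ','):
        avas = []
        for ava in split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise ValueError('malformed RDN: %r' % ava)
            attr, value = ava.split('=', 1)
            avas.append('%s=%s' % (attr.strip().lower(),
                                   _strip_value(value).lower()))
        rdns.append('+'.join(sorted(avas)))
    return ','.join(rdns)


def is_replica_manager(managers, replica_binddn):
    """True if replica_binddn names one of the nsDS5ReplicaBindDN values.

    managers may be a list of DN strings or, for a single-valued attribute,
    a bare string; the bare string is wrapped so the check stays an
    equality test on whole DNs rather than a substring search.
    """
    if isinstance(managers, str):
        managers = [managers]
    wanted = normalize_dn(replica_binddn)
    return any(normalize_dn(m) == wanted for m in managers)


# Constructed sample values, not read from a real directory server.
SAMPLE_MANAGERS = [
    'cn=Replication Manager,cn=config',
    'cn=replica, cn=etc, dc=example, dc=com',
]

if __name__ == '__main__':
    binddn = 'CN=replication manager, CN=config'
    print('raw string test:', binddn in SAMPLE_MANAGERS)
    print('normalized test:', is_replica_manager(SAMPLE_MANAGERS, binddn))
```

Running the block shows the point of the review comment: the raw string test misses the manager because of case and spacing, while the normalized comparison finds it.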


Freeipa-devel mailing list
