On 03/13/2013 11:03 AM, Petr Viktorin wrote:
> On 03/12/2013 06:50 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 03/11/2013 05:00 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 03/07/2013 08:27 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> On 03/06/2013 09:52 PM, Rob Crittenden wrote:
>>>>>>>> Petr Viktorin wrote:
>>>>>>> [...]
>>>>>>>>> On new installs, the ACI on cn=Posix IDs,cn=Distributed Numeric
>>>>>>>>> Assignment Plugin,cn=plugins,cn=config is added before the entry
>>>>>>>>> itself.
>>>>>>>>> I didn't test everything as I didn't get the access.
>>>>>>>>
>>> [...]
>>>>>> Gotcha. I moved where the replica acis are loaded.
>>>
>>> Thanks! Everything works now, I just found two issues in error reporting.
>>>
>>> I set up three masters like this:
>>>
>>> $ ipa-replica-manage dnarange-show
>>> vm-084.idm.lab.eng.brq.redhat.com: 1109050002-1109099999
>>> vm-081.idm.lab.eng.brq.redhat.com: 1109012501-1109024999
>>> vm-079.idm.lab.eng.brq.redhat.com: 1109025001-1109049999
>>> $ ipa-replica-manage dnanextrange-show
>>> vm-084.idm.lab.eng.brq.redhat.com: 1109000000-1109012499
>>> vm-081.idm.lab.eng.brq.redhat.com: 1109190000-1109190001
>>> vm-079.idm.lab.eng.brq.redhat.com: No on-deck range set
>>>
>>> vm-079 is git master, the other two have the patch applied.
>>>
>>> Now when I deleted vm-081, there was no indication which ranges I lost:
>>>
>>> vm-084$ ipa-replica-manage del vm-081.idm.lab.eng.brq.redhat.com
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica
>>> file
>>> and re-install.
>>> Continue to delete? [no]: y
>>> Deleting replication agreements between
>>> vm-081.idm.lab.eng.brq.redhat.com and vm-084.idm.lab.eng.brq.redhat.com
>>> ipa: INFO: Setting agreement
>>> cn=meTovm-084.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping
>>>
>>>
>>> tree,cn=config schedule to 2358-2359 0 to force synch
>>> ipa: INFO: Deleting schedule 2358-2359 0 from agreement
>>> cn=meTovm-084.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping
>>>
>>>
>>> tree,cn=config
>>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>>> acquired successfully: Incremental update succeeded: start: 0: end: 0
>>> Unable to remove agreement on vm-081.idm.lab.eng.brq.redhat.com:
>>> Insufficient access: Insufficient 'write' privilege to the
>>> 'dnaNextRange' attribute of entry 'cn=posix ids,cn=distributed numeric
>>> assignment plugin,cn=plugins,cn=config'.
>>> Forcing removal on 'vm-084.idm.lab.eng.brq.redhat.com'
>>> Any DNA range on 'vm-081.idm.lab.eng.brq.redhat.com' will be lost
>>> Deleted replication agreement from 'vm-084.idm.lab.eng.brq.redhat.com'
>>> to 'vm-081.idm.lab.eng.brq.redhat.com'
>>> Background task created to clean replication data. This may take a while.
>>> This may be safely interrupted with Ctrl+C
>>
>> Fixed.
>>
>>> One more detail: Ranges where start==end are invalid. We should fail the
>>> same way as for start>end.
>>>
>>> $ ipa-replica-manage dnanextrange-set vm-081.idm.lab.eng.brq.redhat.com
>>> 677100401-677100401
>>> ipa: INFO: Unhandled LDAPError: {'info': 'Changes result in an invalid
>>> DNA configuration.', 'desc': 'Server is unwilling to perform'}
>>> Updating next range failed: Server is unwilling to perform: Changes
>>> result in an invalid DNA configuration.
>>>
>>>
>>
>> done
>>
>> rob
>
> ACK
>
Btw Rob you will likely need to rebase the patch a bit before pushing as
ipaldap is now in ipapython module (see Petr^3's patches 0191-0195).
Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
