On Thu, May 21, 2015 at 02:36:14PM +0200, Milan Kubik wrote:
> Hi Fraser and list,
> I ran into this when I was tinkering with the commands.
> The ipa certprofile plugin[s] does not take the backend result into the
> picture right now. When I tried to delete the *default profile*, the entry
> from ipa suffix got deleted. However the command failed
> and the profile is still in the dogtag managed suffix.
> After I've done this to the installed instance, subsequent uninstall
> operation failed on some step involving dogtag. I suspect it is related.
> I haven't been able to reproduce this for now as at the moment there
> was no package with dogtag in the copr repo.
> Reproducer for this is attached. (This reproducer requires patches at
> least up to freeipa-ftweedal-0005-3-Add-certprofile-plugin.patch)
> It may be a more complicated issue than it seems, though.
> If we delete the ipa managed entry before the dogtag operation
> and this one fails, it leaves us in an inconsistent state.
> If on the other hand we delete the ipa managed entry after dogtag
> call, it opens a possibility of failing to delete the entry in ipa, leading
> to inconsistency again.
> The solution to this would be a transaction. The problem here is
> that the transaction here would span through two integrated
> components (three actually, ipa, 389 and dogtag, in this context).
> Not an easy thing to do I assume.
> TL;DR:
>  * certprofile-del deletes ipa managed entry and dogtag doesn't
>  * how do we approach possibly irreversible changes in LDAPObject
>     plugins when integrated component doesn't behave?
> Your thoughts on this?
Thanks for the report - certprofile-del was working at an earlier
stage so I will track down the issue and fix.

I have pondered the transaction requirements: I am managing it for
certprofile-import by deleting the entry if the dogtag import fails.
I suppose I can do a similar thing for certprofile del - keep a copy
of the entry and re-add it if delete fails.  Sound OK to you?


> Thanks,
> Milan


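The rollback approach proposed above (keep a copy of the LDAP entry and re-add it if the Dogtag delete fails), as an added illustration that is not FreeIPA or Dogtag code: `DictStore`, `delete_profile` and `run_scenario` are constructed stand-ins for the two backends, and the case Milan raises, where the compensating re-add itself fails, is surfaced as an explicit inconsistency instead of being swallowed.

```python
"""Compensating delete across two stores (constructed example, not FreeIPA code)."""


class BackendError(Exception):
    """A backend refused the operation (e.g. Dogtag rejected the delete)."""


class InconsistentState(Exception):
    """Raised when the rollback itself fails: the two stores now disagree."""


class DictStore:
    """Stand-in for one backend: the IPA suffix in 389 DS or Dogtag's store."""

    def __init__(self, entries, fail_delete=False, fail_add=False):
        self.entries = dict(entries)
        self.fail_delete = fail_delete  # simulate a failing delete
        self.fail_add = fail_add        # simulate a failing re-add

    def get(self, name):
        return dict(self.entries[name])

    def add(self, name, entry):
        if self.fail_add:
            raise BackendError("add of %s refused" % name)
        self.entries[name] = dict(entry)

    def delete(self, name):
        if self.fail_delete:
            raise BackendError("delete of %s refused" % name)
        del self.entries[name]


def delete_profile(ipa, dogtag, name):
    """Delete from IPA first, then Dogtag; restore the IPA entry on failure."""
    saved = ipa.get(name)  # copy kept for the compensating re-add
    ipa.delete(name)
    try:
        dogtag.delete(name)
    except BackendError:
        try:
            ipa.add(name, saved)  # compensate: undo the IPA-side delete
        except BackendError as exc:
            raise InconsistentState(name) from exc  # both stores disagree now
        raise  # rollback succeeded; report the original Dogtag failure
    return True


def run_scenario(dogtag_fails=False, readd_fails=False):
    """Returns (outcome, entry_still_in_ipa, entry_still_in_dogtag)."""
    name = "example-profile"  # constructed profile name
    ipa = DictStore({name: {"cn": name}}, fail_add=readd_fails)
    dogtag = DictStore({name: {}}, fail_delete=dogtag_fails)
    try:
        delete_profile(ipa, dogtag, name)
        outcome = "deleted"
    except InconsistentState:
        outcome = "inconsistent"
    except BackendError:
        outcome = "rolled-back"
    return outcome, name in ipa.entries, name in dogtag.entries
```

The window between the IPA delete and the re-add is still visible to other clients, so the pattern narrows the inconsistency but does not make the operation atomic.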