On Thu, May 21, 2015 at 03:20:30PM +0200, Martin Kosek wrote:
> On 05/21/2015 03:10 PM, Fraser Tweedale wrote:
> > On Thu, May 21, 2015 at 02:36:14PM +0200, Milan Kubik wrote:
> >> Hi Fraser and list,
> >> I ran into this when I was tinkering with the commands.
> >> The ipa certprofile plugin[s] does not take the backend result into the
> >> picture right now. When I tried to delete the *default profile*, the entry
> >> from ipa suffix got deleted. However the command failed
> >> and the profile is still in the dogtag managed suffix.
> >> After I've done this to the installed instance, subsequent uninstall
> >> operation failed on some step involving dogtag. I suspect it is related.
> >> I haven't been able to reproduce this for now as at the moment there
> >> was no package with dogtag in the copr repo.
> >> Reproducer for this is attached. (This reproducer requires patches at
> >> least up to freeipa-ftweedal-0005-3-Add-certprofile-plugin.patch)
> >> It may be more complicated issue than it seems, though.
> >> If we delete the ipa managed entry before the dogtag operation
> >> and this one fails, it leaves us in an inconsistent state.
> >> If on the other hand we delete the ipa managed entry after dogtag
> >> call, it opens a possibility of failing to delete the entry in ipa,
> >> leading to inconsistency again.
> >> The solution to this would be a transaction. The problem here is
> >> that the transaction here would span through two integrated
> >> components (three actually, ipa, 389 and dogtag, in this context).
> >> Not an easy thing to do I assume.
> >> TL;DR:
> >> * certprofile-del deletes ipa managed entry and dogtag doesn't
> >> * how do we approach possibly irreversible changes in LDAPObject
> >> plugins when integrated component doesn't behave?
> >> Your thoughts on this?
> > Thanks for the report - certprofile-del was working at an earlier
> > stage so I will track down the issue and fix.
> > I have pondered the transaction requirements: I am managing it for
> > certprofile-import by deleting the entry if the dogtag import fails.
> > I suppose I can do a similar thing for certprofile-del - keep a copy
> > of the entry and re-add it if delete fails. Sound OK to you?
> Yeah, this is what we do in permission-mod post_callback for example.
OK, it is settled; will address in next patchset. Thanks Martin.
> > Cheers,
> > Fraser
> >> Thanks,
> >> Milan
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
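The compensating-action pattern agreed on in the thread (snapshot the IPA-managed LDAP entry, delete it, call Dogtag, and re-add the snapshot if the Dogtag call fails), as an added example that is not part of the original thread or of FreeIPA's code. The two in-memory stores, the DN layout, the error types and the helper names below are assumptions for illustration only; a consistency check is included because, as Milan points out, the rollback itself can fail, and that case must be surfaced rather than hidden.

```python
"""Compensating delete across two stores (constructed example, not FreeIPA code).

Models the certprofile-del problem: a profile exists both as an IPA-managed
LDAP entry and as a Dogtag profile, and no transaction spans the two.  The
plugin deletes the LDAP entry first, calls Dogtag, and re-adds the saved
entry if the Dogtag call fails.  All classes, DNs and errors are assumptions.
"""


class BackendError(Exception):
    """An operation failed in one store; the stores are still consistent."""


class InconsistentState(Exception):
    """Dogtag delete failed AND the LDAP rollback failed: manual repair needed."""


class FakeLDAP:
    """Stand-in for the IPA-managed suffix in 389-ds (assumption)."""

    def __init__(self, entries, fail_add=False):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}
        self.fail_add = fail_add  # simulates a re-add that cannot succeed

    def get(self, dn):
        if dn not in self.entries:
            raise BackendError(f"no such entry: {dn}")
        return dict(self.entries[dn])

    def delete(self, dn):
        if dn not in self.entries:
            raise BackendError(f"no such entry: {dn}")
        del self.entries[dn]

    def add(self, dn, attrs):
        if self.fail_add or dn in self.entries:
            raise BackendError(f"cannot add entry: {dn}")
        self.entries[dn] = dict(attrs)


class FakeDogtag:
    """Stand-in for the Dogtag profile API (assumption)."""

    def __init__(self, profiles, fail_on=()):
        self.profiles = set(profiles)
        self.fail_on = set(fail_on)  # profiles Dogtag refuses to delete

    def delete_profile(self, profile_id):
        if profile_id in self.fail_on:
            raise BackendError(f"dogtag refused to delete {profile_id}")
        if profile_id not in self.profiles:
            raise BackendError(f"dogtag has no profile {profile_id}")
        self.profiles.discard(profile_id)


def profile_dn(profile_id):
    # Container DN is an assumption, not IPA's real layout.
    return f"cn={profile_id},cn=certprofiles,cn=ca,dc=example,dc=test"


def certprofile_del(ldap, dogtag, profile_id):
    """Delete from both stores, or leave both untouched.  Returns the DN."""
    dn = profile_dn(profile_id)
    saved = ldap.get(dn)  # keep a copy so the delete can be undone
    ldap.delete(dn)
    try:
        dogtag.delete_profile(profile_id)
    except BackendError as dogtag_err:
        try:
            ldap.add(dn, saved)  # compensating action
        except BackendError as ldap_err:
            # Both stores now disagree; report both causes to the operator.
            raise InconsistentState(
                f"{profile_id}: dogtag delete failed ({dogtag_err}); "
                f"LDAP rollback failed ({ldap_err})"
            ) from dogtag_err
        raise  # rollback succeeded, re-raise the original Dogtag failure
    return dn


def check_consistency(ldap, dogtag):
    """Return profile ids present in exactly one of the two stores."""
    ldap_ids = {attrs["cn"] for attrs in ldap.entries.values()}
    return ldap_ids ^ dogtag.profiles


def attempt_delete(ldap, dogtag, profile_id):
    """Run certprofile_del and classify the outcome for callers/tests."""
    try:
        return ("deleted", certprofile_del(ldap, dogtag, profile_id))
    except InconsistentState as e:
        return ("inconsistent", str(e))
    except BackendError as e:
        return ("rolled_back", str(e))


def make_stores(fail_on=(), fail_add=False):
    """Constructed sample state: two profiles present in both stores."""
    ids = ["caIPAserviceCert", "customProfile"]
    ldap = FakeLDAP({profile_dn(i): {"cn": i} for i in ids}, fail_add)
    return ldap, FakeDogtag(ids, fail_on)
```

The ordering matters: deleting the LDAP entry first means a Dogtag failure leaves only a re-add to perform, which is the simplest compensating action. Reversing the order (Dogtag first) would require re-importing the profile into Dogtag on an LDAP failure, a more expensive and less reliable rollback. Whichever order is chosen, a periodic `check_consistency`-style comparison of the two stores is the only way to catch the case where the rollback itself fails.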