On Thu, May 21, 2015 at 03:20:30PM +0200, Martin Kosek wrote:
> On 05/21/2015 03:10 PM, Fraser Tweedale wrote:
> > On Thu, May 21, 2015 at 02:36:14PM +0200, Milan Kubik wrote:
> >> Hi Fraser and list,
> >>
> >> I ran into this when I was tinkering with the commands.
> >>
> >> The ipa certprofile plugin[s] does not take the backend result into the
> >> picture right now. When I tried to delete the *default profile*, the entry
> >> from the ipa suffix got deleted. However, the command failed
> >> and the profile is still in the dogtag managed suffix.
> >> After I've done this to the installed instance, the subsequent uninstall
> >> operation failed on some step involving dogtag. I suspect it is related.
> >> I haven't been able to reproduce this for now as at the moment there
> >> was no package with dogtag in the copr repo.
> >> A reproducer for this is attached. (This reproducer requires patches at
> >> least up to freeipa-ftweedal-0005-3-Add-certprofile-plugin.patch)
> >>
> >> It may be a more complicated issue than it seems, though.
> >> If we delete the ipa managed entry before the dogtag operation
> >> and this one fails, it leaves us in an inconsistent state.
> >> If on the other hand we delete the ipa managed entry after the dogtag
> >> call, it opens a possibility of failing to delete the entry in ipa,
> >> leading to inconsistency again.
> >>
> >> The solution to this would be a transaction. The problem here is
> >> that the transaction would span two integrated
> >> components (three actually: ipa, 389 and dogtag, in this context).
> >> Not an easy thing to do, I assume.
> >>
> >> TL;DR:
> >>
> >> * certprofile-del deletes the ipa managed entry and dogtag doesn't
> >> * how do we approach possibly irreversible changes in LDAPObject
> >>   plugins when an integrated component doesn't behave?
> >>
> >> Your thoughts on this?
> >>
> > Thanks for the report - certprofile-del was working at an earlier
> > stage so I will track down the issue and fix.
> >
> > I have pondered the transaction requirements: I am managing it for
> > certprofile-import by deleting the entry if the dogtag import fails.
> > I suppose I can do a similar thing for certprofile-del - keep a copy
> > of the entry and re-add it if the delete fails. Sound OK to you?
>
> Yeah, this is what we do in the permission-mod post_callback, for example.
>
OK, it is settled; will address in the next patchset. Thanks, Martin.

> > Cheers,
> > Fraser
> >
> >> Thanks,
> >> Milan
>

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
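The compensating-action sequencing agreed on in the thread (delete the IPA entry again if the Dogtag import fails; keep a copy of the entry and re-add it if the Dogtag delete fails), as an added example that is not FreeIPA's own code: LdapStore and DogtagBackend are in-memory stand-ins for the IPA suffix and the Dogtag profile store, and the DN layout is a constructed placeholder.

```python
# Added illustration, not FreeIPA code: LdapStore and DogtagBackend are
# in-memory stand-ins for the IPA suffix and the Dogtag profile store.
class DogtagError(Exception): pass

class LdapStore:  # stand-in for the IPA-managed suffix: dn -> attributes
    def __init__(self):
        self.entries = {}

    def add(self, dn, entry):
        self.entries[dn] = dict(entry)

    def delete(self, dn):
        return self.entries.pop(dn)  # KeyError if absent; returns the old entry

class DogtagBackend:  # stand-in for Dogtag; ids listed in fail_on make calls fail
    def __init__(self, fail_on=()):
        self.profiles, self.fail_on = set(), set(fail_on)

    def _check(self, profile_id):
        if profile_id in self.fail_on:
            raise DogtagError(f"Dogtag refused operation on {profile_id}")

    def import_profile(self, profile_id):
        self._check(profile_id)
        self.profiles.add(profile_id)

    def delete_profile(self, profile_id):
        self._check(profile_id)
        self.profiles.discard(profile_id)

def certprofile_import(ldap, dogtag, profile_id, entry):
    # Add the IPA entry first; if the Dogtag import fails, delete it again.
    dn = f"cn={profile_id},cn=certprofiles"  # constructed DN layout, not IPA's
    ldap.add(dn, entry)
    try:
        dogtag.import_profile(profile_id)
    except DogtagError:
        ldap.delete(dn)  # compensate so IPA and Dogtag stay consistent
        raise

def certprofile_del(ldap, dogtag, profile_id):
    # Delete the IPA entry but keep a copy; re-add it if the Dogtag delete fails.
    dn = f"cn={profile_id},cn=certprofiles"
    saved = ldap.delete(dn)
    try:
        dogtag.delete_profile(profile_id)
    except DogtagError:
        ldap.add(dn, saved)  # compensate: restore the entry from the saved copy
        raise
```

Either way the caller still sees the Dogtag error; the compensation only prevents the half-applied state Milan observed, it does not hide the failure.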