On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> >> Install/uninstall is not the same thing as enable/disable. Installation
> >> is a set of steps which first configures and then (optionally) enables
> >> the component.
> >>
> >> E.g:
> >> 1. modify configuration file(s), ldap entries
> >> 2. run something which starts the component. E.g. `systemctl start xxx`,
> >> an ldap change which is being observed (like topology plugin).
> >>
> >> The only rationale for external tool is to do stuff which can't be done
> >> through API. E.g. restart of httpd.service or a need of Directory
> >> Manager. But in that case the tool should be:
> >>
> >> ipa-kdcproxy-manage enable|disable
> >
> > Right, the restart of httpd.service isn't handled by ipa config-mod. A
> > tool like ipa-kdcproxy-manage could handle the restart on a local
> > machine. As far as I know it won't be able to restart httpd on all
> > replicas, too.
> >
> > My current implementation needs a restart of all Apache servers on all
> > machines, that run a kdc proxy instance.
> >
> > Christian
> >
>
> It would be great to have a privileged daemon which could observe
> replicated configuration and perform such tasks on all servers so we
> would eliminate manual tasks (and errors and misconceptions which are
> caused by forgotten manual tasks) as much as possible.

Yes, this is something we had a need for, for a while. We could, perhaps,
turn custodia into such a service, or embed custodia in there, as they are
both very privileged services that interact with LDAP to find information.

Simo.

> --
> Petr Vobornik
>

--
Simo Sorce * Red Hat, Inc * New York