On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> >> Install/uninstall is not the same thing as enable/disable. Installation
> >> is a set of steps which first configures and then (optionally) enables
> >> the component.
> >>
> >> E.g:
> >> 1. modify configuration file(s), ldap entries
> >> 2. run something which starts the component. E.g. `systemctl start xxx`,
> >> an ldap change which is being observed (like topology plugin).
> >>
> >> The only rationale for external tool is to do stuff which can't be done
> >> trough API. E.g. restart of httpd.service or a need of Directory
> >> Manager. But in that case the tool should be:
> >>
> >> ipa-kdcproxy-manage enable|disable
> >
> > Right, the restart of httpd.service isn't handled by ipa config-mod. A
> > tool like ipa-kdcproxy-manage could handle the restart on a local
> > machine. As far as I know it won't be able to restart httpd on all
> > replicas, too.
> >
> > My current implementation needs a restart of all Apache servers on all
> > machines, that run a kdc proxy instance.
> >
> > Christian
> >
> 
> It would be great to have a privileged daemon which could observed 
> replicated configuration and perform such tasks on all servers so we 
> would eliminate manual tasks(and errors and misconceptions which are 
> caused by forgotten manual tasks) as much as possible.

Yes this is something we had a need for, for a while, we could, perhaps,
turn custodia in such a service, or embed custodia in there, as they are
both very privileged service that interact with LDAP to find
information.

Simo.

> -- 
> Petr Vobornik
> 


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to