In my installation of the freeipa built with the latest topology patches applied, I was unable to reset domain level to 0 on neither of nodes:

ofayans@testmaster:~/ldap]$ ipa domainlevel-set 0
ipa: ERROR: Domain Level cannot be lowered.

I am able to reset domain level to 0 manually using ldapmodify with the following ldif file:
dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel: 0

and subsequently raise it back to 1 with the standard command:

ofayans@testmaster:~/ldap]$ ipa domainlevel-get
Current domain level: 0
ofayans@testmaster:~/ldap]$ ipa domainlevel-set 1
Current domain level: 1

My topology looks like this:
master <=> replica1 <=> replica3

The question is: is it a correct behavior? AFAIU, The admin should not be able to *raise* domain level if one of the replicas does not support this, but there should be no limitations on *lowering* the domain level.

Oleg Fayans
Quality Engineer
FreeIPA team

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to