In my installation of FreeIPA built with the latest topology patches
applied, I was unable to reset the domain level to 0 on either of the nodes:

ofayans@testmaster:~/ldap]$ ipa domainlevel-set 0
ipa: ERROR: Domain Level cannot be lowered.

I am able to reset domain level to 0 manually using ldapmodify with the
following ldif file:

dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel: 0

and subsequently raise it back to 1 with the standard command:

ofayans@testmaster:~/ldap]$ ipa domainlevel-get
Current domain level: 0
ofayans@testmaster:~/ldap]$ ipa domainlevel-set 1
Current domain level: 1

My topology looks like this:
master <=> replica1 <=> replica3

The question is: is this correct behavior?  AFAIU, the admin should not
be able to *raise* the domain level if one of the replicas does not support
this, but there should be no limitations on *lowering* the domain level.

It is correct behavior. From the design page:
The Domain Level cannot be lowered as raising the Domain Level can cause changes to the tree (new schema, changes in behavior and data) that cannot be easily undone.


Petr Vobornik

