On 06/24/2015 04:19 PM, Oleg Fayans wrote:

On 06/24/2015 02:35 PM, Ludwig Krispenz wrote:

On 06/24/2015 02:30 PM, Oleg Fayans wrote:

On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:

On 06/24/2015 01:59 PM, Oleg Fayans wrote:
Hi Petr,

Thanks for clarification! It seems though, that all possible
attributes are already mapped to the topologysegment-mod options:

[13:42:45]ofayans@vm-244:~]$  ipa show-mappings topologysegment-mod
Parameter      : LDAP attribute
=========      : ==============
stripattrs     : nsds5replicastripattrs
replattrs      : nsds5replicatedattributelist
replattrstotal : nsds5replicatedattributelisttotal
timeout        : nsds5replicatimeout
enabled        : nsds5replicaenabled
rights         : rights
[13:47:41]ofayans@vm-244:~]$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME

Modify a segment.
  -h, --help            show this help message and exit
  --stripattrs=STR      A space separated list of attributes which
are removed
                        from replication updates.
  --replattrs=STR       Attributes that are not replicated to a
                        server during a fractional update. E.g.,
                        `(objectclass=*) $ EXCLUDE accountlockout
  --replattrstotal=STR  Attributes that are not replicated to a
                        server during a total update. E.g.
(objectclass=*) $
                        EXCLUDE accountlockout
  --timeout=INT         Number of seconds outbound LDAP operations
waits for a
                        response from the remote replica before
timing out and
  --enabled=['on', 'off']
                        Whether a replication agreement is active,
                        whether replication is occurring per that
  --setattr=STR         Set an attribute to a name/value pair.
Format is
                        attr=value. For multi-valued attributes,
the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is
attr=value. The
                        attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option
will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry
                        --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the
                        Affects command output.
  --raw                 Print entries as stored on the server. Only
                        output format.

So, setattr, addattr and delattr should, I think, be explained in
the design document, with example usage.

Another question that I have:
In order to test topologysegment-reinitialize, I need to set the
replica timeout to, say, 1, then turn this replica off, then make
some changes on master and turn on the replica? I mean, my goal is
to make master to give up attempts to synchronize with replica, is
that correct?
I don't see why you want to do all these steps, initialize means
that the database of B is overwritten by the database of A, so you
could check that the content is the same. But to simulate a
situation where init is required is not so easy, if you turn the
replica on again, the changes could be normally replicated before
you start the init
The question is: how do I make sure that the content on node /a /is
overwritten with the content of node /b/? I kind of need the two
nodes to have different content and not trying to synchronize
you could combine this with a backup test. On server A make a backup,
make some changes on any node and wait until it is replicated
everywhere. restore A from the backup and reinitialize the complete
topology. It should be enough with 2 or three servers

Will the changes introduced by restoring from backup not get replicated

This is a good scenario to test. ipa-restore tries to disable all replication agreements of other servers with the to-be-restored replica prior the restore..

It announces it with:
  Each master will individually need to be re-initialized or
  re-created from this one. The replication agreements on
  masters running IPA 3.1 or earlier will need to be manually
  re-enabled. See the man page for details.

On 06/24/2015 12:28 PM, Petr Vobornik wrote:
On 06/24/2015 12:19 PM, Oleg Fayans wrote:
Hi Ludwig,

I see some contradictions in the way the segment modification cli is

$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME

$ ipa topologysegment-mod realm 127-to-244 --setattr=Segment
ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments

(suffix + name + options = 3, not 2)

'Segment name' is not correct attribute name. More below.

Is there a way to list all possible attributes available for
When do topologysegment-show --all, I get quite a small number of
and even them I am unable to modify:

$ ipa topologysegment-show realm 127-to-244 --all

   Segment name: 127-to-244
   Left node: vm-127.idm.lab.eng.brq.redhat.com
   Right node: vm-244.idm.lab.eng.brq.redhat.com
   Connectivity: both
   objectclass: top, iparepltoposegment

$ ipa topologysegment-mod realm 127-to-244
ipa: ERROR: attribute "connectivity" not allowed
$ ipa topologysegment-mod realm 127-to-244
ipa: ERROR: attribute "direction" not allowed

--XXXattr options work with LDAP attributes names. 'direction' is
the option name but not attribute name. Attribute name is

You can see the mappings in, e.g.,:
  ipa show-mappings topologysegment-mod

Petr Vobornik

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to