Hi, in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes vault-archive fails because of a failed write to the Retro Changelog. The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967 for the bind-dyndb-ldap plugin. Otherwise it is not needed under normal circumstances because 389 doesn't use SyncRepl for replication. In #3967 Nathan has expressed his concerns for possible performance issues, too.
Petr, Ludwig, would it makes sense to restrict RetroCL to cn=dns,$SUFFIX rather than excluding o=ipaca? The plugin supports both includes and exclude, http://directory.fedoraproject.org/docs/389ds/design/retrocl-scoping.html. Christian
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code