On 15.12.2015 19:10, Christian Heimes wrote:
> Hi,
> 
> in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has
> suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes
> vault-archive fails because of a failed write to the Retro Changelog.
> The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967
> for the bind-dyndb-ldap plugin. Otherwise it is not needed under normal
> circumstances because 389 doesn't use SyncRepl for replication. In #3967
> Nathan has expressed his concerns for possible performance issues, too.
> 
> Petr, Ludwig,
> would it make sense to restrict RetroCL to cn=dns,$SUFFIX rather than
> excluding o=ipaca? The plugin supports both includes and excludes,
> http://directory.fedoraproject.org/docs/389ds/design/retrocl-scoping.html.

From the IPA DNS perspective it is okay to limit SyncRepl to cn=dns,$SUFFIX.

One other thing to consider is the theoretical use of SyncRepl for future versions
of slapi-nis; Alexander can tell you more about it.

In any case, if we decide to limit the scope where SyncRepl is applicable, I would
like to see checks in the SyncRepl plugin which will ensure that the error
UNWILLING_TO_PERFORM is returned when somebody attempts to use SyncRepl in a
'wrong' scope.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
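
The scope check asked for in the reply above, as an added example (not code from this thread, FreeIPA or 389 DS): it decides whether a SyncRepl search base lies inside the configured RetroCL scope and returns UNWILLING_TO_PERFORM (LDAP result code 53) otherwise. The function names are hypothetical, `dc=example,dc=test` is a constructed stand-in for `$SUFFIX`, and attribute values are assumed to match case-insensitively.

```python
# Added example: scope check for a SyncRepl search base (hypothetical helper names).
LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53  # result code unwillingToPerform, RFC 4511

def split_rdns(dn):
    """Split a DN into normalized RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # escaped character stays inside the RDN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr.strip():
            # Simplification: treat attribute values as case-insensitive.
            out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out

def is_under(dn, suffix):
    """True if dn equals suffix or lies below it, compared RDN by RDN."""
    d, s = split_rdns(dn), split_rdns(suffix)
    return bool(s) and len(d) >= len(s) and d[-len(s):] == s

def check_syncrepl_base(base_dn, include=(), exclude=()):
    """Return the LDAP result code for a SyncRepl search rooted at base_dn."""
    if any(is_under(base_dn, sfx) for sfx in exclude):
        return LDAP_UNWILLING_TO_PERFORM
    if include and not any(is_under(base_dn, sfx) for sfx in include):
        # Covers bases above the included subtree too: the changelog would
        # be missing changes for the rest of that search.
        return LDAP_UNWILLING_TO_PERFORM
    return LDAP_SUCCESS

if __name__ == "__main__":
    scope = ["cn=dns,dc=example,dc=test"]  # constructed stand-in for cn=dns,$SUFFIX
    for base in ("idnsname=example.test.,cn=dns,dc=example,dc=test",
                 "dc=example,dc=test",
                 "cn=foo\\,cn=dns,dc=example,dc=test"):
        print(base, "->", check_syncrepl_base(base, include=scope))
```

Comparing RDN by RDN rather than with a string suffix match is what keeps an entry whose RDN contains an escaped `,cn=dns` from being treated as part of the DNS subtree.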
