On 12/16/2015 08:49 AM, Petr Spacek wrote:
On 15.12.2015 19:10, Christian Heimes wrote:
Hi,

in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has
suggested to exclude Dogtag's o=ipaca tree from the changelog. Sometimes
vault-archive fails because of a failed write to the Retro Changelog.
The RetroCL was enabled in https://fedorahosted.org/freeipa/ticket/3967
for the bind-dyndb-ldap plugin. Otherwise it is not needed under normal
circumstances because 389 doesn't use SyncRepl for replication. In #3967
Nathan has expressed his concerns for possible performance issues, too.

Petr, Ludwig,
would it make sense to restrict RetroCL to cn=dns,$SUFFIX rather than
excluding o=ipaca? The plugin supports both includes and excludes,
http://directory.fedoraproject.org/docs/389ds/design/retrocl-scoping.html.

From IPA DNS perspective it is okay to limit SyncRepl to cn=dns,$SUFFIX.

One other thing to consider is theoretical use of SyncRepl for future versions
of slapi-nis, Alexander can tell you more about it.

In any case, if we decide to limit scope where SyncRepl is applicable, I would
like to see checks in SyncRepl plugin which will ensure that error
UNWILLING_TO_PERFORM is returned when somebody attempts to use SyncRepl in a
'wrong' scope.

yes, that makes sense
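The scope check discussed in this thread, sketched as an added example that is not part of the original messages and not 389 DS or FreeIPA code: it decides whether a SyncRepl search base lies inside the include/exclude scope and answers UNWILLING_TO_PERFORM otherwise. All function names are hypothetical, `dc=example,dc=test` is a constructed stand-in for `$SUFFIX`, and evaluating excludes before includes with case-insensitive matching is an assumption.

```python
# Added illustration only; names and sample suffixes are constructed.
SUCCESS = 0
UNWILLING_TO_PERFORM = 53  # LDAP result code from RFC 4511


def split_rdns(dn):
    """Split a DN into normalized RDNs, honoring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr.strip():
            out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out


def in_subtree(dn, suffix):
    """True if dn equals suffix or sits below it, compared RDN by RDN."""
    d, s = split_rdns(dn), split_rdns(suffix)
    return bool(s) and len(d) >= len(s) and d[-len(s):] == s


def in_scope(dn, include=(), exclude=()):
    """Assumed order: an exclude match wins, then an include list must match."""
    if any(in_subtree(dn, s) for s in exclude):
        return False
    if include:
        return any(in_subtree(dn, s) for s in include)
    return True


def check_search_base(base_dn, include=(), exclude=()):
    """Result code a scoped SyncRepl handler would return for this base."""
    if in_scope(base_dn, include, exclude):
        return SUCCESS
    return UNWILLING_TO_PERFORM
```

Comparing parsed RDNs rather than using a string suffix match matters here: a DN whose first RDN contains an escaped comma followed by `cn=dns` ends with the scope string but is not inside that subtree.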

