On 01/24/2017 02:22 PM, Harald Dunkel wrote:
On 01/24/17 12:57, thierry bordaz wrote:
If I understand correctly the iterations of development I do not understand 
why, at this point, you need to reconnect ipabak.
After you create ipabak replica, you take a snapshot of it (let ipabak_0), then 
disconnect it from ipa1/ipa2.

Then you may start incremental dev of the script on the offline ipabak.
Before each test of the script, you just need to get ipabak to ipabak_0.
Am I missing something ?

ipa1 is not idle while the script is in development. I do not
know if these conflicting entries pop up in some new entries
on ipa1 while the script is in development. When the script
seems to be ready, then I have to verify it with very recent
copy of the database before the final run.

I would be surprised that new conflicts are popping up on ipa1/ipa2 during develop of the script. But yes when the script is ready, you need to sync ipabak/ipa1 to be sure the script will run successfully on all conflicts (old and new).

When the script appears to be ready I have to revert and sync
ipabak again as above, but instead of disconnecting it from the
network I have to stop all ipa servers in parallel to take a
snapshot of each. (All ipa servers are LXC containers.) Next
start the ipa servers again and run the script on ipabak, now
connected with ipa1. This should make the changes "official".
How do you know if the script is ready ? When it resolves all the conflict 
entries ?

Hopefully yes, but there were 2 conflicts that already made some

        deleting entry 
        ldap_delete: Server is unwilling to perform (53)
                additional info: Deleting a managed entry is not allowed. It 
needs to be manually unlinked first.

        deleting entry 
        ldap_delete: Operations error (1)

I got these problems before I became more careful with this.

This will be a difficulty to setup that script.
You may be unable to delete some entries (managed entry, tombstones..).

I think one target of the script is to get the 'valid' entries at the expected level: having the expected set of attribute/values. A kind of merge of valid/conflict entries.
Then you may have to moddn some conflict children under the valid entry.
At the end, remove the conflict entries.

As I said, setting up such script could take you more time than fixing manually the 43 conflicts.



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to