On 01/25/2017 12:44 PM, Harald Dunkel wrote:
Hi Thierry,
On 01/24/17 17:56, thierry bordaz wrote:
On 01/24/2017 04:18 PM, Harald Dunkel wrote:
Would you suggest to disconnect ipabak from the network and ipa1,
cleanup the mess as far as possible, and then connect ipabak
to the network again to rely upon the regular replica synchroni-
zation?
Yes, as soon as ipaback is in sync with ipa1 and you took a snapshot of
ipaback, I think you can disconnect ipaback and run your script on it
(iterating with the snapshot).
My concern is that I will run into new conflicts on connecting
the modified ipaback back with ipa1?
conflict entries are only created if you do the same operation in
parallel on different replicas. Once existing they behave like normal
entries (only with special dns), eg if you delete it on one replica the
delete will be replicated to the other replicas - either immediately if
they are connected or later when they will be connected again.
I think what Thierry is suggesting is, that if you make mistakes in your
cleanup these mistakes would also be replicated immediately if every
replcia is connected, so disconnecting allows you to do a backup and
then try the cleanup and when successful connect agai and have the
cleanup operations replicated.
Regards
Harri
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
