Re: [Freeipa-devel] Domain level change failed
On 06/01/2015 04:13 PM, Oleg Fayans wrote:
> Hi,
>
> In my installation of FreeIPA built with the latest topology patches applied, I was unable to reset domain level to 0 on either of the nodes:
>
> ofayans@testmaster:~/ldap]$ ipa domainlevel-set 0
> ipa: ERROR: Domain Level cannot be lowered.
>
> I am able to reset domain level to 0 manually using ldapmodify with the following ldif file:
>
> dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
> changetype: modify
> replace: ipaDomainLevel
> ipaDomainLevel: 0
>
> and subsequently raise it back to 1 with the standard command:
>
> ofayans@testmaster:~/ldap]$ ipa domainlevel-get
> ---
> Current domain level: 0
> ---
> ofayans@testmaster:~/ldap]$ ipa domainlevel-set 1
> ---
> Current domain level: 1
> ---
>
> My topology looks like this:
> master = replica1 = replica3
>
> The question is: is it correct behavior? AFAIU, the admin should not be able to *raise* domain level if one of the replicas does not support this, but there should be no limitations on *lowering* the domain level.

Yes. Domain Level cannot be lowered as raising the domain level can cause permanent changes in the tree that cannot be reversed. See http://www.freeipa.org/page/V4/Domain_Levels.

Tomas

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Domain level change failed
Hi,

In my installation of FreeIPA built with the latest topology patches applied, I was unable to reset domain level to 0 on either of the nodes:

ofayans@testmaster:~/ldap]$ ipa domainlevel-set 0
ipa: ERROR: Domain Level cannot be lowered.

I am able to reset domain level to 0 manually using ldapmodify with the following ldif file:

dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel: 0

and subsequently raise it back to 1 with the standard command:

ofayans@testmaster:~/ldap]$ ipa domainlevel-get
---
Current domain level: 0
---
ofayans@testmaster:~/ldap]$ ipa domainlevel-set 1
---
Current domain level: 1
---

My topology looks like this:
master = replica1 = replica3

The question is: is it correct behavior? AFAIU, the admin should not be able to *raise* domain level if one of the replicas does not support this, but there should be no limitations on *lowering* the domain level.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] Domain level change failed
On 06/01/2015 04:13 PM, Oleg Fayans wrote:
> Hi,
>
> In my installation of FreeIPA built with the latest topology patches applied, I was unable to reset domain level to 0 on either of the nodes:
>
> ofayans@testmaster:~/ldap]$ ipa domainlevel-set 0
> ipa: ERROR: Domain Level cannot be lowered.
>
> I am able to reset domain level to 0 manually using ldapmodify with the following ldif file:
>
> dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
> changetype: modify
> replace: ipaDomainLevel
> ipaDomainLevel: 0
>
> and subsequently raise it back to 1 with the standard command:
>
> ofayans@testmaster:~/ldap]$ ipa domainlevel-get
> ---
> Current domain level: 0
> ---
> ofayans@testmaster:~/ldap]$ ipa domainlevel-set 1
> ---
> Current domain level: 1
> ---
>
> My topology looks like this:
> master = replica1 = replica3
>
> The question is: is it correct behavior? AFAIU, the admin should not be able to *raise* domain level if one of the replicas does not support this, but there should be no limitations on *lowering* the domain level.

It is correct behavior. From the design page:

The Domain Level cannot be lowered as raising the Domain Level can cause changes to the tree (new schema, changes in behavior and data) that cannot be easily undone.

http://www.freeipa.org/page/V4/Domain_Levels

--
Petr Vobornik
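
Added example (not part of the thread and not FreeIPA code): the thread shows that ipa domainlevel-set refuses to lower the level while a direct LDAP modify of ipaDomainLevel is accepted, so this Python example scans LDIF change records and reports any write that lowers the value. It assumes the changes are available as LDIF, for example from a directory audit log; the function names and the second sample record are constructed for illustration.

```python
import base64
import re

# Entry and attribute named in the thread; the dc= suffix differs per deployment.
DOMAIN_LEVEL_RDN = "cn=domain level,cn=ipa,cn=etc,"
ATTR = "ipadomainlevel"
# Constructed sample: the thread's LDIF, then a later raise back to 1 (base64 form).
SAMPLE = """\
dn: cn=domain level,cn=ipa,cn=etc,dc=zaeba,dc=li
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel: 0

dn: cn=Domain Level, cn=ipa, cn=etc, dc=zaeba, dc=li
changetype: modify
replace: ipaDomainLevel
ipaDomainLevel:: MQ==
"""

def parse_records(ldif_text):
    """Yield each LDIF change record as a list of (attr, value) pairs."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        pairs = []
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue  # comments and "-" separators carry no value
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            pairs.append((attr.strip().lower(), value.strip()))
        yield pairs

def find_level_decreases(ldif_text, current_level):
    """Return (dn, old, new) for each modify that lowers ipaDomainLevel."""
    findings, level = [], current_level
    for pairs in parse_records(ldif_text):
        rec = dict(pairs)
        dn = re.sub(r"\s*,\s*", ",", rec.get("dn", "").lower())
        if not (dn.startswith(DOMAIN_LEVEL_RDN) and rec.get("changetype") == "modify"):
            continue
        target = False  # True while inside a replace/add of ipaDomainLevel
        for attr, value in pairs:
            if attr in ("replace", "add", "delete"):
                target = attr != "delete" and value.lower() == ATTR
            elif target and attr == ATTR and value.isdigit():
                if int(value) < level:
                    findings.append((dn, level, int(value)))
                level = int(value)
    return findings
```

Calling find_level_decreases(SAMPLE, 1) reports the write to 0 and not the later raise to 1, because the running level is tracked across records.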