Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 04:19 PM, Oleg Fayans wrote:
> On 06/24/2015 02:35 PM, Ludwig Krispenz wrote:
>> you could combine this with a backup test. On server A make a backup,
>> make some changes on any node and wait until it is replicated
>> everywhere. restore A from the backup and reinitialize the complete
>> topology. It should be enough with 2 or three servers
>
> Will the changes introduced by restoring from backup not get replicated
> automatically?

no, a restore will only replace the database, then it depends on the
replication agreements and state of other servers. On the restored server
the changes after backup are no longer available, but they could be
replicated back from other servers, that's why it is recommended to
disable repl agreements to this server and then reinit
Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 04:19 PM, Oleg Fayans wrote:
> On 06/24/2015 02:35 PM, Ludwig Krispenz wrote:
>> you could combine this with a backup test. On server A make a backup,
>> make some changes on any node and wait until it is replicated
>> everywhere. restore A from the backup and reinitialize the complete
>> topology. It should be enough with 2 or three servers
>
> Will the changes introduced by restoring from backup not get replicated
> automatically?

This is a good scenario to test. ipa-restore tries to disable all
replication agreements of other servers with the to-be-restored replica
prior to the restore. It announces it with:

  Each master will individually need to be re-initialized or re-created
  from this one. The replication agreements on masters running IPA 3.1 or
  earlier will need to be manually re-enabled. See the man page for
  details.
Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 02:35 PM, Ludwig Krispenz wrote:
> On 06/24/2015 02:30 PM, Oleg Fayans wrote:
>> The question is: how do I make sure that the content on node /a/ is
>> overwritten with the content of node /b/? I kind of need the two nodes
>> to have different content and not trying to synchronize automatically
>
> you could combine this with a backup test. On server A make a backup,
> make some changes on any node and wait until it is replicated
> everywhere. restore A from the backup and reinitialize the complete
> topology. It should be enough with 2 or three servers

Will the changes introduced by restoring from backup not get replicated
automatically?
Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 02:30 PM, Oleg Fayans wrote:
> On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:
>> I don't see why you want to do all these steps, initialize means that
>> the database of B is overwritten by the database of A, so you could
>> check that the content is the same. But to simulate a situation where
>> init is required is not so easy, if you turn the replica on again, the
>> changes could be normally replicated before you start the init
>
> The question is: how do I make sure that the content on node /a/ is
> overwritten with the content of node /b/? I kind of need the two nodes
> to have different content and not trying to synchronize automatically

you could combine this with a backup test. On server A make a backup,
make some changes on any node and wait until it is replicated
everywhere. restore A from the backup and reinitialize the complete
topology. It should be enough with 2 or three servers
Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 02:25 PM, Ludwig Krispenz wrote:
> On 06/24/2015 01:59 PM, Oleg Fayans wrote:
>> Another question that I have: In order to test
>> topologysegment-reinitialize, I need to set the replica timeout to,
>> say, 1, then turn this replica off, then make some changes on master
>> and turn on the replica? I mean, my goal is to make master to give up
>> attempts to synchronize with replica, is that correct?
>
> I don't see why you want to do all these steps, initialize means that
> the database of B is overwritten by the database of A, so you could
> check that the content is the same. But to simulate a situation where
> init is required is not so easy, if you turn the replica on again, the
> changes could be normally replicated before you start the init

The question is: how do I make sure that the content on node /a/ is
overwritten with the content of node /b/? I kind of need the two nodes
to have different content and not trying to synchronize automatically
Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 01:59 PM, Oleg Fayans wrote:
> Another question that I have: In order to test
> topologysegment-reinitialize, I need to set the replica timeout to,
> say, 1, then turn this replica off, then make some changes on master
> and turn on the replica? I mean, my goal is to make master to give up
> attempts to synchronize with replica, is that correct?

I don't see why you want to do all these steps, initialize means that
the database of B is overwritten by the database of A, so you could
check that the content is the same. But to simulate a situation where
init is required is not so easy, if you turn the replica on again, the
changes could be normally replicated before you start the init
Re: [Freeipa-devel] topologysegment-mod question
Hi Petr,

Thanks for clarification! It seems though, that all possible attributes
are already mapped to the topologysegment-mod options:

[13:42:45]ofayans@vm-244:~]$ ipa show-mappings topologysegment-mod
Parameter : LDAP attribute
= : ==
stripattrs : nsds5replicastripattrs
replattrs : nsds5replicatedattributelist
replattrstotal : nsds5replicatedattributelisttotal
timeout : nsds5replicatimeout
enabled : nsds5replicaenabled
rights : rights

[13:47:41]ofayans@vm-244:~]$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

Modify a segment.
Options:
  -h, --help            show this help message and exit
  --stripattrs=STR      A space separated list of attributes which are
                        removed from replication updates.
  --replattrs=STR       Attributes that are not replicated to a consumer
                        server during a fractional update. E.g.,
                        `(objectclass=*) $ EXCLUDE accountlockout memberof
  --replattrstotal=STR  Attributes that are not replicated to a consumer
                        server during a total update. E.g. (objectclass=*)
                        $ EXCLUDE accountlockout
  --timeout=INT         Number of seconds outbound LDAP operations waits
                        for a response from the remote replica before
                        timing out and failing
  --enabled=['on', 'off']
                        Whether a replication agreement is active, meaning
                        whether replication is occurring per that agreement
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the
                        command replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value.
                        The attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only
                        affects output format.

So, setattr, addattr and delattr should, I think, be explained in the
design document, with example usage.

Another question that I have: In order to test
topologysegment-reinitialize, I need to set the replica timeout to, say,
1, then turn this replica off, then make some changes on master and turn
on the replica? I mean, my goal is to make master to give up attempts to
synchronize with replica, is that correct?

On 06/24/2015 12:28 PM, Petr Vobornik wrote:
> On 06/24/2015 12:19 PM, Oleg Fayans wrote:
>> Hi Ludwig,
>>
>> I see some contradictions in the way the segment modification cli is
>> implemented:
>>
>> 1.
>> $ ipa help topologysegment-mod
>> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>>
>> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
>> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
>> (suffix + name + options = 3, not 2)
>
> 'Segment name' is not correct attribute name. More below.
>
>> 2. Is there a way to list all possible attributes available for
>> modification? When I do topologysegment-show --all, I get quite a
>> small number of them, and even them I am unable to modify:
>>
>> $ ipa topologysegment-show realm 127-to-244 --all
>>   dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>>   Segment name: 127-to-244
>>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>>   Connectivity: both
>>   objectclass: top, iparepltoposegment
>>
>> $ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
>> ipa: ERROR: attribute "connectivity" not allowed
>>
>> $ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
>> ipa: ERROR: attribute "direction" not allowed
>
> --XXXattr options work with LDAP attributes names. 'direction' is the
> option name but not attribute name. Attribute name is
> iparepltoposegmentdirection. You can see the mappings in, e.g.,:
>
>   ipa show-mappings topologysegment-mod

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] topologysegment-mod question
On 06/24/2015 12:19 PM, Oleg Fayans wrote:
> Hi Ludwig,
>
> I see some contradictions in the way the segment modification cli is
> implemented:
>
> 1.
> $ ipa help topologysegment-mod
> Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
>
> $ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
> ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
> (suffix + name + options = 3, not 2)

'Segment name' is not correct attribute name. More below.

> 2. Is there a way to list all possible attributes available for
> modification? When I do topologysegment-show --all, I get quite a small
> number of them, and even them I am unable to modify:
>
> $ ipa topologysegment-show realm 127-to-244 --all
>   dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
>   Segment name: 127-to-244
>   Left node: vm-127.idm.lab.eng.brq.redhat.com
>   Right node: vm-244.idm.lab.eng.brq.redhat.com
>   Connectivity: both
>   objectclass: top, iparepltoposegment
>
> $ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
> ipa: ERROR: attribute "connectivity" not allowed
>
> $ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
> ipa: ERROR: attribute "direction" not allowed

--XXXattr options work with LDAP attributes names. 'direction' is the
option name but not attribute name. Attribute name is
iparepltoposegmentdirection. You can see the mappings in, e.g.,:

  ipa show-mappings topologysegment-mod

--
Petr Vobornik
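The two errors quoted above come from two different causes: the unquoted space in `--setattr=Segment name=test` makes the shell pass `name=test` as a third positional argument, and `--setattr` expects the LDAP attribute name rather than the CLI option name or the display label. The following is an added example, not FreeIPA code: a small Python helper that reproduces both checks offline. It embeds the thread's own `ipa show-mappings topologysegment-mod` output as constructed sample input, splits a command line the way the shell would, and rewrites a `--setattr` option to the LDAP attribute name, refusing names that are not in the mapping.

```python
"""Added example (not FreeIPA code): reproduce the two --setattr pitfalls
from the thread offline.  1) an unquoted space in the option value becomes an
extra positional argument after shell splitting; 2) --setattr wants the LDAP
attribute name, which `ipa show-mappings <command>` lists per CLI parameter.
SHOW_MAPPINGS is the thread's own output, embedded as constructed sample input."""
import shlex

SHOW_MAPPINGS = """\
Parameter : LDAP attribute
= : ==
stripattrs : nsds5replicastripattrs
replattrs : nsds5replicatedattributelist
replattrstotal : nsds5replicatedattributelisttotal
timeout: nsds5replicatimeout
enabled: nsds5replicaenabled
rights : rights
"""


def parse_mappings(text):
    """Return {cli_parameter: ldap_attribute} from `ipa show-mappings` output.
    Tolerates both 'name : attr' and 'name: attr'; skips the header row and
    the '= : ==' underline row."""
    mapping = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        param, attr = (part.strip() for part in line.split(":", 1))
        if param == "Parameter" or set(param) <= set("="):
            continue
        mapping[param] = attr
    return mapping


def positional_args(cmdline):
    """Split a command line as the shell does and return what `ipa` would
    treat as positional arguments: every word after the command name that
    does not start with '-'."""
    words = shlex.split(cmdline)
    non_options = [w for w in words[1:] if not w.startswith("-")]  # drop 'ipa'
    return non_options[1:]  # the first remaining word is the command name


def to_ldap_setattr(option, mapping):
    """Rewrite --setattr=<cli-param>=<value> to --setattr=<ldap-attr>=<value>.
    A value that already uses an LDAP attribute name is returned unchanged;
    any other name raises ValueError, mirroring the server's
    'attribute "<name>" not allowed' answer."""
    prefix = "--setattr="
    if not option.startswith(prefix):
        raise ValueError("not a --setattr option: %r" % option)
    name, _, value = option[len(prefix):].partition("=")
    if name in mapping.values():
        return option
    if name not in mapping:
        raise ValueError('attribute "%s" not allowed; use the LDAP attribute '
                         'name from `ipa show-mappings`' % name)
    return "%s%s=%s" % (prefix, mapping[name], value)


if __name__ == "__main__":
    m = parse_mappings(SHOW_MAPPINGS)
    # Unquoted space: the shell hands `ipa` three positional arguments.
    print(positional_args(
        "ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test"))
    # Quoted, it is one option, but 'Segment name' is a label, not an attribute.
    try:
        to_ldap_setattr("--setattr=Segment name=test", m)
    except ValueError as err:
        print(err)
    print(to_ldap_setattr("--setattr=timeout=5", m))
```

`positional_args` uses `shlex.split`, which follows POSIX shell quoting, so quoting the whole option (`'--setattr=Segment name=test'`) brings the positional count back to two; the name is then rejected by `to_ldap_setattr` because only the parameters listed by `show-mappings` are translated.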
[Freeipa-devel] topologysegment-mod question
Hi Ludwig,

I see some contradictions in the way the segment modification CLI is implemented:

1.
$ ipa help topologysegment-mod
Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

$ ipa topologysegment-mod realm 127-to-244 --setattr=Segment name=test
ipa: ERROR: command 'topologysegment_mod' takes at most 2 arguments
(suffix + name + options = 3, not 2)

2. Is there a way to list all possible attributes available for modification? When I do topologysegment-show --all, I get quite a small number of them, and even those I am unable to modify:

$ ipa topologysegment-show realm 127-to-244 --all
  dn: cn=127-to-244,cn=realm,cn=topology,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  Segment name: 127-to-244
  Left node: vm-127.idm.lab.eng.brq.redhat.com
  Right node: vm-244.idm.lab.eng.brq.redhat.com
  Connectivity: both
  objectclass: top, iparepltoposegment

$ ipa topologysegment-mod realm 127-to-244 --setattr=connectivity=left-right
ipa: ERROR: attribute "connectivity" not allowed

$ ipa topologysegment-mod realm 127-to-244 --setattr=direction=left-right
ipa: ERROR: attribute "direction" not allowed

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] topologysegment-mod question
Hi Oleg,

On 06/22/2015 02:49 PM, Oleg Fayans wrote:
Hi Ludwig,

Could you please clarify how `ipa topologysegment-mod --enabled=off` should work? My initial understanding was that it prevents any changes from going through the disabled segment, but as it turns out, it does let the topology-related info through and filters out all the rest. What I mean is that, having a line topology like this:

master - rep1 - rep2 - rep3 - rep4

when I disable the rep2-rep3 segment, then:
1. any user created on master does not appear on rep3 and rep4 (as expected), but
2. changes in topology made on rep4 do get replicated to master.

Is this expected behavior?

expected: yes, intended: no

If you disable rep2-rep3 on master or repl1 or repl2, this change arrives at repl2 and will disable the agreement to repl3. This can happen before the change is replicated to repl3, and so the setting to off does not arrive at repl3 and it will still replicate back to repl2.

In a previous discussion there was agreement that we do not want to support disablement of a segment, but it is not yet enforced.

This problem is similar to the one where a master is removed: the segments connecting it (and the repl agmts) are removed, and these changes do not arrive at the removed master. To handle this, either a check whether changes have been received at other servers, or the removal would have to be done with some delay, ... This was not pursued, since the removed master would be gone, and in the remaining topology connections to it are removed and also its credentials are removed, so even if it has a leftover agreement it will not be able to replicate back into the remaining topology.
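The race Ludwig describes, as an added Python model that is not FreeIPA or 389-ds code: a disable-segment change is itself replicated, and a server turns off its own outgoing agreement as soon as it applies that change, so rep2 stops forwarding before rep3 ever learns the segment is off. The hypothetical `defer_disable` switch models the "apply only after forwarding" delay he mentions as one possible fix; server names, change labels and the line topology are constructed from the thread.

```python
from collections import deque

class LineTopology:
    """Constructed model of a line of replicas (not FreeIPA code)."""
    def __init__(self, servers, defer_disable=False):
        self.defer = defer_disable
        self.agreements = {s: {} for s in servers}  # src -> {dst: enabled?}
        self.data = {s: set() for s in servers}     # changes applied per server
        for a, b in zip(servers, servers[1:]):      # one segment = two agreements
            self.agreements[a][b] = self.agreements[b][a] = True

    def _enforce(self, server, change):
        # A disabled segment turns off this server's own outgoing agreement.
        if change.startswith("disable:"):
            a, b = change[len("disable:"):].split("-")
            for src, dst in ((a, b), (b, a)):
                if src == server:
                    self.agreements[src][dst] = False

    def apply(self, server, change):
        if change in self.data[server]:
            return False                       # already replicated here
        self.data[server].add(change)
        if not self.defer:
            self._enforce(server, change)      # takes effect before forwarding
        return True

    def replicate(self, origin, change):
        """Push a change hop by hop over agreements that are enabled now."""
        self.apply(origin, change)
        queue = deque([origin])
        while queue:
            src = queue.popleft()
            for dst, enabled in self.agreements[src].items():
                if enabled and self.apply(dst, change):
                    queue.append(dst)
            if self.defer:
                self._enforce(src, change)     # hypothetical: only after forwarding

def scenario(defer_disable=False):
    t = LineTopology(["master", "rep1", "rep2", "rep3", "rep4"], defer_disable)
    t.replicate("master", "disable:rep2-rep3")
    t.replicate("master", "user:alice")        # ordinary entry added on master
    t.replicate("rep4", "segment:rep4-new")    # topology change made on rep4
    return {
        "disable_reached_rep3": "disable:rep2-rep3" in t.data["rep3"],
        "rep3_to_rep2_enabled": t.agreements["rep3"]["rep2"],
        "alice_on_rep3": "user:alice" in t.data["rep3"],
        "rep4_change_on_master": "segment:rep4-new" in t.data["master"],
    }
```

With the default behaviour `scenario()` reproduces Oleg's observation (the user is filtered out, yet rep4's topology change reaches master over rep3's still-enabled agreement); with `defer_disable=True` the off setting reaches rep3 and both directions stop.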
[Freeipa-devel] topologysegment-mod question
Hi Ludwig,

Could you please clarify how `ipa topologysegment-mod --enabled=off` should work? My initial understanding was that it prevents any changes from going through the disabled segment, but as it turns out, it does let the topology-related info through and filters out all the rest. What I mean is that, having a line topology like this:

master - rep1 - rep2 - rep3 - rep4

when I disable the rep2-rep3 segment, then:
1. any user created on master does not appear on rep3 and rep4 (as expected), but
2. changes in topology made on rep4 do get replicated to master.

Is this expected behavior?

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.