Re: [Freeipa-users] Checking 389 for ACI contamination
On 04/14/2015 03:51 AM, Brian Topping wrote:
>
>> On Apr 13, 2015, at 1:33 PM, Martin Kosek wrote:
>>
>> On 04/12/2015 05:27 AM, Brian Topping wrote:
>>> Hi all, trying to figure out if I may have contaminated my ACIs in the
>>> process of upgrading my replicated deployment. I didn't upgrade the
>>> instances at the same time, is there any possibility that the 3.x ACIs
>>> contaminated the 4.x DIT?
>>
>> What do you mean, by... contaminated? Can you please describe what
>> exactly happened?
>>
>> As Dmitri said, there were major ACI related changes in 4.0, but I am not
>> sure what is the problem in your case.
>
> The only thing that is broken at the moment is my OCD. I did make a couple
> of changes in my 3.x deployment that appear to have been insufficient when I
> upgraded, but I didn't name them well and I'm having issues trying to find
> which ones they were. Now that I've RTFM on ACIs, I want to make sure
> everything that is there is there for a reason. I'd rather put effort in now
> than be surprised by some cruft I left behind in a future upgrade.

Ok :-)

>
>>> If so, how would I check it? Is there an LDIF in the distro that I can
>>> manually compare the entries?
>>
>> I am not sure which entries you are referring to. But from 4.0, most of
>> the ACIs are now generated dynamically, from Python code.
>
> If the schema/ACIs are managed by Python, it might be interesting for the
> script to generate warnings when it runs. Stuff like missing/extra schema &
> ACIs. Just a thought.

I think the ACI upgrade plugin indeed generates warnings when it has problems
when processing the ACIs.

Not all ACIs are processed during upgrade to FreeIPA 4.0+. Only the FreeIPA
default system ACIs are processed; after upgrade you will see them as
"System: ..." permissions for which you will only have limited edit capabilities.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
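An added example, not part of the thread and not FreeIPA code: one way to sort the ACIs in an LDIF export into the managed "System: ..." permissions described above and everything else, so the remainder can be reviewed by hand. It assumes managed ACI names begin with `permission:System: ` and other permission ACIs with `permission:`; the function name and the sample LDIF are constructed for illustration.

```python
import base64
import re

SYSTEM_PREFIX = "permission:System: "  # assumed name prefix of managed 4.x ACIs
PERMISSION_PREFIX = "permission:"      # assumed prefix of any other permission ACI

def classify_acis(ldif):
    """Return {category: [(dn, acl_name), ...]} for every aci value in the LDIF."""
    found = {"system": [], "permission": [], "other": []}
    dn = None
    # LDIF folds long values: a newline followed by one space continues the line.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        m = re.match(r"([A-Za-z0-9;.-]+)(::?)\s*(.*)$", line)
        if not m:
            continue  # blank record separator or comment line
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # "::" marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":
            dn = value
        elif attr == "aci":
            hit = re.search(r'\bacl\s+"([^"]*)"', value)
            name = hit.group(1) if hit else "<unnamed>"
            if name.startswith(SYSTEM_PREFIX):
                found["system"].append((dn, name))
            elif name.startswith(PERMISSION_PREFIX):
                found["permission"].append((dn, name))
            else:
                found["other"].append((dn, name))
    return found

# Constructed sample shaped like an LDIF export; not data from the thread.
_B64_ACI = base64.b64encode(
    b'(targetattr = "member")(version 3.0;acl "permission:Modify Group '
    b'membership";allow (write) groupdn = "ldap:///cn=x,dc=example,dc=test";)'
).decode()
SAMPLE_LDIF = (
    'dn: cn=users,cn=accounts,dc=example,dc=test\n'
    'aci: (targetattr = "cn || uid")(version 3.0;acl "permission:System: Read Us\n'
    ' er Standard Attributes";allow (compare,read,search) userdn = "ldap:///all";)\n'
    'aci: (targetattr = "description")(version 3.0;acl "my test rule";allow (wri\n'
    ' te) userdn = "ldap:///uid=admin,cn=users,cn=accounts,dc=example,dc=test";)\n'
    '\n'
    'dn: cn=groups,cn=accounts,dc=example,dc=test\n'
) + "aci:: " + _B64_ACI + "\n"

if __name__ == "__main__":
    for category, items in classify_acis(SAMPLE_LDIF).items():
        print(category, items)
```

Entries that land in "permission" or "other" are the ones to check against what was deliberately added; the "system" entries are the ones the upgrade manages.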
Re: [Freeipa-users] Checking 389 for ACI contamination
> On Apr 13, 2015, at 1:33 PM, Martin Kosek wrote:
>
> On 04/12/2015 05:27 AM, Brian Topping wrote:
>> Hi all, trying to figure out if I may have contaminated my ACIs in the
>> process of upgrading my replicated deployment. I didn't upgrade the
>> instances at the same time, is there any possibility that the 3.x ACIs
>> contaminated the 4.x DIT?
>
> What do you mean, by... contaminated? Can you please describe what exactly
> happened?
>
> As Dmitri said, there were major ACI related changes in 4.0, but I am not sure
> what is the problem in your case.

The only thing that is broken at the moment is my OCD. I did make a couple of
changes in my 3.x deployment that appear to have been insufficient when I
upgraded, but I didn't name them well and I'm having issues trying to find
which ones they were. Now that I've RTFM on ACIs, I want to make sure
everything that is there is there for a reason. I'd rather put effort in now
than be surprised by some cruft I left behind in a future upgrade.

>> If so, how would I check it? Is there an LDIF in the distro that I can
>> manually compare the entries?
>
> I am not sure which entries you are referring to. But from 4.0, most of the
> ACIs are now generated dynamically, from Python code.

If the schema/ACIs are managed by Python, it might be interesting for the
script to generate warnings when it runs. Stuff like missing/extra schema &
ACIs. Just a thought.
Re: [Freeipa-users] Checking 389 for ACI contamination
On 04/12/2015 05:27 AM, Brian Topping wrote:
> Hi all, trying to figure out if I may have contaminated my ACIs in the
> process of upgrading my replicated deployment. I didn't upgrade the
> instances at the same time, is there any possibility that the 3.x ACIs
> contaminated the 4.x DIT?

What do you mean, by... contaminated? Can you please describe what exactly
happened?

As Dmitri said, there were major ACI related changes in 4.0, but I am not sure
what is the problem in your case.

>
> If so, how would I check it? Is there an LDIF in the distro that I can
> manually compare the entries?

I am not sure which entries you are referring to. But from 4.0, most of the
ACIs are now generated dynamically, from Python code.
Re: [Freeipa-users] Checking 389 for ACI contamination
On 04/11/2015 11:27 PM, Brian Topping wrote:
> Hi all, trying to figure out if I may have contaminated my ACIs in the
> process of upgrading my replicated deployment. I didn't upgrade the
> instances at the same time, is there any possibility that the 3.x ACIs
> contaminated the 4.x DIT?
>
> If so, how would I check it? Is there an LDIF in the distro that I can
> manually compare the entries?
>
> cheers, Brian

Did you do any custom ACIs in 3.3?
4.0 has a new ACI framework so it most likely replicated into 3.3 not the other
way around.
I would leave it to experts to provide specific commands on how to check things.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.