#5863 [RFE] Do not overwrite user modifications on each upgrade
Opened 7 years ago by mbasti. Modified 7 years ago

We should document how to use update files to override the IPA upgrade process, or work out a new way for users to override upgrade values.

Currently a user can override upgrades by creating a new upgrade file with the highest number.
Example:

$ cat /usr/share/ipa/updates/99-useroverrides.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: <something>

Use case: a user needs to modify the allowed cipher suite. The cipher suite of LDAP is always set to 'default' during upgrade, but the user may want to keep some older/unsafe ciphers enabled, which effectively means that after every upgrade the cipher suite has to be manually updated again.

NOTE: we should make a note somewhere (upgrade log?) that a user uses their own overrides, so nobody is surprised during debugging about where unknown values are coming from.
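Added example, not part of the ticket or of FreeIPA's code: a small audit that reports which update file wins for each `only:` attribute and flags weak ciphers an override enables, addressing the NOTE above. It assumes files apply in sorted filename order (per "highest number" above); the `20-ssl-ciphers.update` file, both file bodies and the weak-cipher pattern are constructed for illustration, and continuation lines are not handled.

```python
import re

# Constructed sample: update files keyed by filename (not real IPA content).
SAMPLE_UPDATES = {
    "20-ssl-ciphers.update": (
        "dn: cn=encryption,cn=config\n"
        "only:nsSSL3Ciphers: default\n"
    ),
    "99-useroverrides.update": (
        "# local override\n"
        "dn: cn=encryption,cn=config\n"
        "only:nsSSL3Ciphers: +all,+TLS_RSA_WITH_RC4_128_SHA\n"
    ),
}

# Illustrative markers of weak suites (assumption); tune to local policy.
WEAK = re.compile(r"RC4|3DES|_DES_|NULL|EXPORT|MD5", re.I)


def parse_only(text):
    """Yield (dn, attribute, value) for each 'only:' directive in one file."""
    dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
        elif line.startswith("only:") and dn:
            attr, _, value = line[5:].partition(":")
            yield dn, attr.strip().lower(), value.strip()


def effective_overrides(files):
    """Map (dn, attr) -> (winning file, value, list of files it overrode)."""
    result = {}
    for name in sorted(files):  # assumption: applied in filename order
        for dn, attr, value in parse_only(files[name]):
            prev = result.get((dn, attr))
            shadowed = prev[2] + [prev[0]] if prev else []
            result[(dn, attr)] = (name, value, shadowed)
    return result


def weak_ciphers(value):
    """Return enabled ('+'-prefixed) cipher tokens that match WEAK."""
    tokens = [t.strip() for t in value.split(",")]
    return [t[1:] for t in tokens if t.startswith("+") and WEAK.search(t)]
```

To audit a real host, build the dictionary from the files under `/usr/share/ipa/updates/` and log every entry whose overridden-files list is non-empty.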


Might I suggest a banner at the top of /etc/dirsrv/slapd-*/dse.ldif noting that it can be overwritten and pointers at the wiki (or man page) explaining how to make persistent overrides?

dse.ldif is not created by IPA but by 389ds so it is not so easy.

Anyway, this RFE will be more about changing the upgrader so that it will remember the tasks it already did and so it won't overwrite a value multiple times. It is a bigger effort, therefore triaging to Future releases.

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago
