Since SuSE doesn't support FreeIPA/IdM, and I need to use freeipa as master 
controller, I need to be able to have multiple suse hosted 389-ds ldap servers 
(9) be read-only mirrors for large numbers of compute node clients (3000).

I have VMs on suse hosts running rocky8.5 for freeipa as test servers. Those 
nodes sync fine. I have 389-ds on a single suse host for sync testing. I 
created replication agreements using docs on suse site for sles15 sp3 and 
verified no firewall blocks between them.
https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-ldap.html#sec-security-ldap-replication

The sync connects but no data is transferred. I suspect the cause is that the
389 system has no schema like freeipa to sync into.

Next attempt is to perform an ldif backup of the ipa system and restore it to 
the 389 system. I have concerns about this as there's probably a unique system 
id in the backup (I've not grep'ed through it yet). Is this a reasonable 
process?

This is all still experimental and everything can (will) be wiped and 
reinstalled (multiple times as the process is developed). If there are docs on 
how to sync these, I've not found them and would really appreciate links.

The alternative is to install freeipa containers on the sles systems but the 
container readme on github reads like it's still very experimental. 

Also as there is no freeipa client package in sles, just sssd-ipa and libhbac0, 
all of the sssd configuration will be manual as well as all the certificates 
between freeipa servers and sles clients. 
-- 
Computers amplify human error
Super computers are really cool