Hi,

On Mon, Jun 30, 2025 at 11:01 AM Kroon PC, Peter via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi Daniel,
>
> Replicating only some of the users seems like a not-great idea. That way your replica is not truly a replica anymore, and you lose a lot of the benefits a replica brings.
> Isn't it much easier to replicate all users, and use HBAC rules to allow/disallow login based on user- and host groups?
> As for NFS, maybe automount can help you there? I haven't really played with it myself though.
>
> Peter
>
> ________________________________________
> From: Daniel Ruiz via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> Sent: Monday, 30 June 2025 08:37
> To: freeipa-users@lists.fedorahosted.org
> Cc: Daniel Ruiz
> Subject: [Freeipa-users] Select a group of users to being replicated
>
> Hello,
>
> In my scenario, I have a FreeIPA server "A" that serves users (500) for a laboratory called "Lab-A" (with 15 computers) and, also, I have a FreeIPA server "B" that serves users for an HPC Cluster called "HPC" (with 10 compute nodes). I have configured server "A" as server and all "Lab-A" get all 500 users. On the other side, I have configured server "B" as "replica server" of server "A" to get all users and, then, all HPC Cluster compute nodes can log in with all 500 users... But, I have a question: would it be possible to replicate only some users (a group of them, "x")? In my scenario, server A serves $HOMEs to Lab-A via NFS and server "B" serves $HOMEs to HPC-Cluster using NFS too, but some users of HPC-Cluster use as their $HOME the $HOME that is served from A, not from HPC (for some reasons...) and, also, some users from A do not need to log in to the HPC Cluster, so by default, because the FreeIPA replica server has all 500 users, each of them can do a "login" in the HPC server and, maybe, the user hasn't mounted his NFS $HOME and, then, logs in with no $HOME... Could I disable that login?

FreeIPA does not support this type of partial replication. You can define HBAC rules that allow or restrict login access.
For instance, read the workshop section https://freeipa.readthedocs.io/en/latest/workshop/4-hbac.html. Define one hostgroup for the HPC cluster and another hostgroup for Lab-A and add relevant HBAC rules. If you need to override the home directory on a subset of clients, you can also use an idview applied to this list of clients and define idoverrides for the homeDirectory attribute. Please read https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/using-an-id-view-to-override-a-user-attribute-value-on-an-idm-client_managing-users-groups-hosts#attributes-an-ID-view-can-override_using-an-id-view-to-override-a-user-attribute-value-on-an-IdM-client

flo

> Thanks.
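The HBAC split and the homeDirectory override that flo describes, written out as ipa CLI calls. This is an added example, not part of the thread or of the FreeIPA project; the hostgroup, group, rule and view names, the host names and the NFS path are assumed placeholders, and it must run as an admin holding a Kerberos ticket.

```shell
#!/bin/sh
# Added example: HBAC per site plus an ID view for the HPC nodes.
# Names, hosts and paths are placeholders. IPA defaults to the real
# client; set IPA=echo to only print the commands (dry run).
IPA="${IPA:-ipa}"

setup_hbac() {
    # One hostgroup per site, as suggested in the reply.
    $IPA hostgroup-add hpc-nodes --desc="HPC compute nodes"
    $IPA hostgroup-add lab-a-hosts --desc="Lab-A workstations"
    $IPA hostgroup-add-member hpc-nodes --hosts=node01.hpc.example.test
    $IPA hostgroup-add-member lab-a-hosts --hosts=pc01.laba.example.test

    # Only members of hpc-users may log in to the HPC nodes ...
    $IPA group-add hpc-users --desc="Users allowed on the HPC cluster"
    $IPA group-add-member hpc-users --users=alice
    $IPA hbacrule-add allow_hpc --servicecat=all
    $IPA hbacrule-add-user allow_hpc --groups=hpc-users
    $IPA hbacrule-add-host allow_hpc --hostgroups=hpc-nodes

    # ... while all 500 users keep access to the Lab-A workstations.
    $IPA hbacrule-add allow_lab_a --usercat=all --servicecat=all
    $IPA hbacrule-add-host allow_lab_a --hostgroups=lab-a-hosts

    # The default allow_all rule would otherwise grant everyone
    # access everywhere, so disable it once site rules exist.
    $IPA hbacrule-disable allow_all
}

setup_homedir_override() {
    # ID view applied to the HPC nodes only: alice keeps the home
    # served by server A instead of the cluster default.
    $IPA idview-add hpc-homes --desc="Home overrides for HPC nodes"
    $IPA idoverrideuser-add hpc-homes alice --homedir=/lab-a/home/alice
    $IPA idview-apply hpc-homes --hostgroups=hpc-nodes
}

verify_access() {
    # Evaluate HBAC server-side for a user/host pair before relying on it.
    $IPA hbactest --user="$1" --host="$2" --service=sshd
}

if [ "${1:-}" = "run" ]; then
    setup_hbac && setup_homedir_override
    verify_access alice node01.hpc.example.test   # alice is in hpc-users
    verify_access bob node01.hpc.example.test     # bob is not
fi
```

Clients cache HBAC results in SSSD, so after changing rules clear the cache on the affected hosts (or wait for the cache to expire) before re-testing a login.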
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue