We have: AD->winsync->FIPA1<->replica<->FIPA2, etc., to multiple other replicas from 
FIPA1.

What we want is to establish a separate set of FIPA replicas which would still 
have information from AD and yet would not 'pollute' the FIPA1/FIPA2 replicas 
above.
So far we have considered the following options:

1. Set up a new FIPA3 replica to grab its information from FIPA1. This didn't 
work as the two-way trust would replicate 'bad' information from FIPA3 back to 
FIPA1/2.

2. One-way trust between replicas. Somehow establish one-way replication from 
FIPA1->FIPA3. 'Good' information gets to FIPA3, but new additions on FIPA3 
won't make it back to the 'clean' environment. From reading posts on the list 
this is impossible.

3. Set up separate winsync 'channels' from AD directly to FIPA3, i.e. 
AD->winsync->FIPA3. The problem with this is that winsync of user accounts is 
possible, but password sync requires there to be only one point of contact 
between the AD domain and the FIPA domain. That is, all AD controllers contact 
one and only one FIPA controller using the passsync utility. So there is no way 
(if I understand correctly) to do:

AD->sync->FIPA1
  ->sync->FIPA3
If my understanding above is correct, what would be the correct way of setting 
up separate FIPA environments, sourced from the same AD domain, that replicate 
both users and passwords?
thanks
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project