On Tue, 26 Jul 2016, malo wrote:
> I am currently setting up an architecture involving FreeIPA to provide
> SSO for SSH to the servers.
> I have several servers (~1500) in a few datacenters all over the world
> (North America, South America, Europe, Asia).
> The idea here was to have 4 masters/replicas per datacenter, with one
> master/replica involved in a winsync replication process with our AD.
> Thus, we would not suffer network outages, slow downs or timeouts
> because each FreeIPA server would have a closer database of users
> instead of querying a long distance AD.
> I've managed to set up the winsync replication successfully (after
> having trouble with replication rights). I then turned on group
> ldapmodify -x -D "cn=directory manager" -w PASS
> I re-initialized the replication but I have no groups.
> I did a little digging and came on this:
> Very unfortunate for me but a few things bother me.
> It says "reenable" in the RFE and I also found this documentation:
There is a difference between 389-ds winsync and FreeIPA winsync. The
latter is a simplified version that doesn't see development anymore and
does not support group sync, because groups on the IPA side are sufficiently
different from AD groups, while the generic 389-ds winsync plugin is not
tuned to the IPA DIT.
> It clearly specifies how to sync groups, which I enabled, but nothing
> happens for me.
> So, my questions would be:
> - Is winsync group sync still enabled?
> - If not, why and when has it been disabled?
> - Is there any way I could reenable it, by digging into the code?
> Group sync really seems a MUST HAVE feature for winsync,
> since a flat hierarchy is not really useful, imho.
IPA uses flat hierarchy and has no support for non-flat DIT.
> I can't consider an AD Trust architecture; it would be too dangerous
> since the network connectivity of the AD is not safe enough, and I could
> not risk blocking SSH access on my servers because of network lag.
> Has anyone been in a similar situation? Have you implemented AD
> trust or winsync replication at such a large scale?
I cannot tell about actual deployments but there are plenty of deployments
with trust to AD in multiple data centers.
If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
authentication via IPA servers to AD DCs, and SSSD can also do offline
authentication.
/ Alexander Bokovoy
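As an added illustration of the two client-side pieces the reply above refers to (this is not part of either message in the thread): a krb5.conf realm stanza that sends the AD realm's Kerberos traffic through an IPA server's KDC proxy instead of straight to the AD DCs, and an sssd.conf domain that caches credentials so SSH logins keep working while the WAN is down. All hostnames and realm names are placeholders, and it assumes the IPA servers have the KDC proxy enabled.

```ini
# /etc/krb5.conf (fragment, placeholder names)
[realms]
  AD.EXAMPLE.COM = {
    # MIT krb5 1.13+ can reach a KDC over HTTPS (MS-KKDCP); the IPA server
    # relays AS/TGS requests to the AD DCs, so the client needs no direct
    # path to AD and the IPA servers in the local datacenter are the only hop.
    kdc = https://ipa1.example.com/KdcProxy
    kdc = https://ipa2.example.com/KdcProxy
    kpasswd_server = https://ipa1.example.com/KdcProxy
  }

# /etc/sssd/sssd.conf (fragment, placeholder names)
[sssd]
services = nss, pam
domains = ipa.example.com

[pam]
# Cached credentials stay usable for 7 days with no KDC reachable at all
offline_credentials_expiration = 7

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa1.example.com, ipa2.example.com
# Store a hash of the password on each successful login so the next login
# succeeds even when neither IPA nor AD can be contacted
cache_credentials = True
# Honour the krb5.conf realm stanza above instead of the KDC list SSSD
# discovers on its own (which would point clients back at the AD DCs)
krb5_use_kdcinfo = False
```

Lag is then bounded by the round trip to the local IPA replica, and a complete WAN outage degrades to cached logins rather than lockouts.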
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project