On Tue, 26 Jul 2016, malo wrote:
Hello,

I am currently setting up an architecture involving FreeIPA to provide SSO for SSH to the servers. I have several servers (~1500) in a few datacenters all over the world (North America, South America, Europe, Asia). The idea here was to have 4 masters/replicas per datacenter, with one master/replica involved in a winsync replication process with our AD. Thus, we would not suffer network outages, slow downs or timeouts because each FreeIPA server would have a closer database of users instead of querying a long distance AD.

I've managed to setup successfully the winsync replication (after having trouble with replication rights). I then turned on group replication :

ldapmodify -x -D "cn=directory manager" -w PASS

dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: true


I re-initialized the replication but I have no groups.
I did a little digging and came on this : https://bugzilla.redhat.com/show_bug.cgi?id=1002414
Very unfortunate for me but a few things bother me.

It says "reenable" in the RFE and I also found this documentation : 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html

There is a difference between 389-ds winsync and FreeIPA winsync. The
latter is a simplified version that doesn't see development anymore and
is not supporting group sync because groups on IPA side are sufficiently
different from AD groups while generic 389-ds winsync plugin is not
tuned to IPA DIT.

It clearly specifies how to sync groups, which I enabled, but nothings happen for me.
So, my questions would be :
- Is winsync group sync still enabled ?
- If not, why and when has it been disabled ?
- Is there anyway I could reenable it, by digging into the code ?

Group sync seems a really MUST HAVE as a feature for the winsync, since flat hierarchy is not really useful, imho.
IPA uses flat hierarchy and has no support for non-flat DIT.

I can't consider an AD Trust architecture, It would be too dangerous since the network connectivity of the AD is not safe enough, I could not risk to block SSH access on my servers because of network lag.

Has anyone been in a similar situation ? Do you have implemented AD trust or winsync replication in such a large scale ?
I cannot tell about actual deployments but there are plenty deployments
with trust to AD in multiple data centers.

If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
authentication via IPA servers to AD DCs and also can do offline
authentication in SSSD.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to