Hi FreeIPA-users,

We're currently using FreeIPA 4.2.0, and we have two unrelated
instances of IdM server. We'd like the user list which IPA maintains
in one to be a superset of the other, so we're looking for one-way
replication (of cn=users,cn=accounts,dc=realm, not necessarily of host
entries etc.).

We use a different 'dc' in each instance, and could use a different cn
too if needed.

So far we've found instructions on full mutual replication:

and a one-way sync from Active Directory:

but not one-way sync from IPA.

I'm hoping that we can do this between two IPA instances, probably
still using ipa-replica-manage, although oneWaySync only has options
'fromWindows' and 'toWindows' according to 
 . Is there anything actually Active Directory-specific about this?

We believe we need one-way sync (including passwords) to be able to
authenticate users who are mastered in the 'remote' IPA, even when
the 'remote' IPA is offline. Another option we might explore is
'cross-forest trust', although I believe this would make
authentication unavailable if the 'master' IPA is unavailable. Both
are discussed at
, but again in the context of AD/IPA rather than IPA/IPA.

I'd welcome any pointers on trust or one-way replication between two
IPA instances!

Many thanks,


CGI IT UK Limited. A CGI Group Inc. Company
Registered Office 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom. 
Registered in England & Wales - Number 947968

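As an added example (not code from the original post, nor from the FreeIPA project), here is a check for the property the question asks for: that the user list of one IPA instance is a superset of the other's, and that the users in the superset actually carry a password hash so they can authenticate when the instance that masters them is offline. It assumes each instance's cn=users,cn=accounts,<suffix> subtree has been exported to LDIF, for instance with `ldapsearch -x -H ldaps://<server> -D 'cn=Directory Manager' -W -b 'cn=users,cn=accounts,dc=...' -LLL uid userPassword`; the two LDIF documents embedded in the block are constructed sample data, not real exports, and the suffixes dc=primary,dc=example and dc=remote,dc=example are placeholders.

```python
"""Verify that one IPA instance's user list is a superset of another's.

Added example, not from the original post or from the FreeIPA project.
Input is an LDIF dump of cn=users,cn=accounts,<suffix> from each instance
(what `ldapsearch -LLL` prints); the two LDIF documents below are
constructed sample data, not real exports.
"""
import base64
import re


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) entries.

    Handles 'attr: value', 'attr:: base64value' and folded lines (a line
    starting with a single space continues the previous one). Attribute
    names are lower-cased because LDAP attribute names are case-insensitive.
    """
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
            if not m:  # comments ('#') and blank lines do not match
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def user_ids(entries):
    """uids in the entries, lower-cased: uid uses caseIgnoreMatch in LDAP,
    so 'Bob' on one instance and 'bob' on the other are the same user."""
    return {v.lower() for _, attrs in entries for v in attrs.get("uid", [])}


def missing_users(superset_ldif, subset_ldif):
    """uids present in subset_ldif but absent from superset_ldif.

    Keyed on uid rather than DN because the two instances use different
    dc= suffixes, so DNs never match across them.
    """
    have = user_ids(parse_ldif(superset_ldif))
    want = user_ids(parse_ldif(subset_ldif))
    return sorted(want - have)


def users_without_password(ldif):
    """uids whose entry has no userPassword value in this export.

    A user with no password hash on this instance cannot authenticate here
    by password while the instance that masters the account is offline.
    Caveat: userPassword only appears in the export when the bind used for
    ldapsearch is allowed to read it (e.g. cn=Directory Manager).
    """
    return sorted(
        v.lower()
        for _, attrs in parse_ldif(ldif)
        for v in attrs.get("uid", [])
        if not attrs.get("userpassword")
    )


# Constructed sample exports (not real data). The two instances use
# different dc= suffixes, as in the question.
PRIMARY_LDIF = """\
# users on the instance that should hold the superset
dn: uid=alice,cn=users,cn=accounts,dc=primary,dc=example
uid: alice
objectClass: inetorgperson
objectClass: posixaccount
uidNumber: 1001
userPassword:: e1NTSEF9eA==

dn: uid=Bob,cn=users,cn=accounts,dc=primary,dc=example
uid: Bob
objectClass: inetorgperson
uidNumber: 1002
userPassword: {SSHA}y
description: a description long enough to be folded
  across two LDIF lines

dn: uid=carol,cn=users,cn=accounts,dc=primary,dc=example
uid: carol
objectClass: inetorgperson
uidNumber: 1003
"""

REMOTE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=remote,dc=example
uid: alice
userPassword: {SSHA}z

dn: uid=bob,cn=users,cn=accounts,dc=remote,dc=example
uid: bob
userPassword: {SSHA}w

dn: uid=dave,cn=users,cn=accounts,dc=remote,dc=example
uid: dave
userPassword: {SSHA}v
"""

if __name__ == "__main__":
    print("remote users missing from primary:", missing_users(PRIMARY_LDIF, REMOTE_LDIF))
    print("primary users without a password hash:", users_without_password(PRIMARY_LDIF))
```

The comparison is keyed on uid, not on DN, because the two instances have different dc= suffixes; uids are lower-cased before comparing because the uid attribute matches case-insensitively. The password check is only meaningful if the export was made with a bind that may read userPassword, otherwise every user shows up as lacking a hash.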