On Thu, 09 Feb 2017, Piper, Nick wrote:
> Hi FreeIPA-users,
> 
> We're currently using FreeIPA 4.2.0, and we have two unrelated
> instances of IdM server. We'd like the user list which IPA maintains
> in one, to be a superset of the other; so we're looking for one way
> replication (of cn=users,cn=accounts,dc=realm, not necessarily of host
> entries etc.)
> 
> We use a different 'dc' in each instance, and could use a different cn
> too if needed.

In short, there is no support for IPA-IPA trust or replication. There
are many reasons for that, including some complex technical issues on
how this could be made to work reliably.

If you are after actual POSIX systems where users need to log on to use
their services, you may try to configure SSSD with two different domains
(for IPA1 and IPA2). You can look at the discussion we had in 2014:
https://www.redhat.com/archives/freeipa-users/2014-January/msg00075.html
You do not necessarily need to enroll the machine in two different
realms; any Kerberos principal would do instead of a host principal to
authenticate against IPA LDAP (see the sssd-ldap man page for details on
ldap_sasl_authid).

> So far we've found instructions on full mutual replication:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
This one is for generic 389-ds replication of the IPA flat DIT.

> and a one way sync from Active Directory:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree
This one is for synchronizing with the help of a special daemon running
on the Windows Server side.

> but not one way sync from IPA.
> 
> I'm hoping that we can do this between two IPA instances, probably
> still using ipa-replica-manage, although oneWaySync only has options
> 'fromWindows' and 'toWindows' according to
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree
> . Is there anything actually Active Directory specific about this?
Yes, it depends on a specific Windows program that runs on Windows
domain controllers and plugs into their infrastructure for user
information updates.

> We believe we need one way sync (including passwords) to be able to
> authenticate users which are mastered in the 'remote' IPA, even when
> the 'remote' IPA is offline. Another option we might explore is
> 'cross-forest trust', although I believe this would make
> authentication unavailable if the 'master' IPA is unavailable. Both
> are discussed at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#summary-indirect
> , but again in the context of AD/IPA rather than IPA/IPA.
> 
> I'd welcome any pointers on trust or one-way replication between two
> IPA instances!
You are stuck; there is no such support between different IPA
deployments.

It would help to actually explain your real use case. So far you have
outlined your approaches to solving a problem which is not really
stated upfront.
--
/ Alexander Bokovoy
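As an added illustration of the two-domain SSSD approach suggested in the reply above (this is not configuration from the thread or from the FreeIPA project), the following sssd.conf sketches one client enrolled in the first IPA deployment while resolving and authenticating users from a second, unrelated IPA deployment through the generic LDAP and Kerberos providers. All host names, realms, base DNs, the service principal name and the keytab path are assumed placeholders; the second domain binds to LDAP over GSSAPI with a dedicated read-only service principal selected via ldap_sasl_authid instead of a host principal.

```ini
# Added example, not from the original mailing-list thread.
# sssd.conf for a client in two independent IPA deployments.
# Host names, realms, base DNs, principal and keytab path are assumed.
[sssd]
services = nss, pam
domains = ipa1.example.test, ipa2.example.test

# Domain 1: the machine is enrolled here, so the native IPA provider
# and the host keytab from ipa-client-install are used.
[domain/ipa1.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa1.example.test
ipa_server = _srv_, ipa.ipa1.example.test
ipa_hostname = client.ipa1.example.test
cache_credentials = true

# Domain 2: the machine is NOT enrolled here. Generic LDAP + Kerberos
# providers; the LDAP bind uses GSSAPI with a dedicated, least-privilege
# service principal (ldap_sasl_authid) rather than a host principal.
[domain/ipa2.example.test]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://ipa.ipa2.example.test
ldap_tls_cacert = /etc/sssd/ipa2-ca.crt
ldap_search_base = dc=ipa2,dc=example,dc=test
ldap_schema = rfc2307bis
ldap_user_search_base = cn=users,cn=accounts,dc=ipa2,dc=example,dc=test
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa2,dc=example,dc=test
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = sssd-reader/client.ipa1.example.test@IPA2.EXAMPLE.TEST
ldap_krb5_keytab = /etc/sssd/ipa2.keytab
krb5_realm = IPA2.EXAMPLE.TEST
krb5_server = ipa.ipa2.example.test
cache_credentials = true
```

The keytab for the second realm should hold only the read-only service principal and be readable by root alone (mode 0600), since anyone who can read it can impersonate that principal against the second IPA's LDAP. Note that cache_credentials only lets users who have already logged on successfully authenticate while IPA2 is unreachable; it does not replicate passwords or user entries between the two deployments.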

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project