On Tue, Feb 21, 2017 at 10:27:40AM +0000, Paris, Dan wrote:
> Hi FreeIPA-users,
> 
> My colleague Nick Piper emailed previously
> (https://www.redhat.com/archives/freeipa-users/2017-February/msg00121.html)
> regarding the subject matter.
> 
> We are still attempting to find a solution that meets our requirements and 
> are considering manually building an ldif file to import into our master IdM 
> server. In the reply to our original query Alexander Bokovoy mentioned: "In 
> short, there is no support for IPA-IPA trust or replication. There are many 
> reasons for that, including some complex technical issues on how this could 
> be reliably working." Would you be able to provide some detail around these 
> technical issues and provide some guidance as to whether exporting an ldif 
> file would meet our needs?
> 
> Thanks in advance,
> Dan
> 
> Dan Paris | Leading Engineer
> 250 Brook Drive, Reading, RG2 6UA | United Kingdom
> M:  +44 7920783573
> dan.pa...@cgi.com | www.cgi.com
> Registered in England & Wales (registered number 947968)
> Registered Office: 250 Brook Drive, Green Park, Reading RG2 6UA, United 
> Kingdom

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


Hi Dan!

The biggest missing part on the way to FreeIPA-FreeIPA trust is the Global
Catalog [1]. There might be (and probably are) other parts that FreeIPA lacks
but I don't know the details.

Regarding using ldif for synchronization, I don't think that's a good idea for
several reasons:
1) It will be hard and error prone to keep the data in sync. Even if you
claimed that the corporate FreeIPA is the authoritative source and all changes
made in the project FreeIPA will be lost, you would need to periodically export,
optionally compare and replace a potentially huge number of entries (users,
groups, sudo rules, HBAC rules, ...).

2) To be able to obtain a Kerberos ticket for a user you would also need to copy
the Kerberos master key, which is used to encrypt the keys for users. This is
quite sensitive material.

By the way, have you considered having just a single FreeIPA deployment, as I
proposed in [2]? Why is a separate deployment of FreeIPA for the project
required?

[1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx
[2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html

-- 
David Kupka
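To make the "export, compare and replace" burden from point 1) concrete, here is an added example (not code from this thread or from the FreeIPA project) that parses two constructed LDIF exports and reports the drift between them. The entries, DNs and attribute values are hypothetical; the parser handles the two things that trip up a naive line diff of real exports, folded continuation lines and base64 (`::`) values.

```python
import base64
# Constructed sample exports (hypothetical entries): one memberOf is folded over
# two lines and one description is base64-encoded, as real LDIF exports often are.
CORPORATE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=corp,dc=example
uid: alice
memberOf: cn=admins,cn=groups,cn=accounts,
 dc=corp,dc=example
memberOf: cn=devs,cn=groups,cn=accounts,dc=corp,dc=example
description:: QWxpY2UgLSBjb3Jw

dn: uid=bob,cn=users,cn=accounts,dc=corp,dc=example
uid: bob
"""
PROJECT_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=corp,dc=example
uid: alice
memberOf: cn=devs,cn=groups,cn=accounts,dc=corp,dc=example
description: Alice - corp

dn: uid=carol,cn=users,cn=accounts,dc=corp,dc=example
uid: carol
"""
def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; unfolds continuation lines, decodes '::' base64."""
    entries, record = {}, {}
    # RFC 2849 folding: a newline followed by one space joins to the previous line.
    for line in text.replace("\n ", "").splitlines() + [""]:  # trailing "" flushes last record
        if not line.strip():
            if "dn" in record:
                entries[record.pop("dn").pop()] = record
            record = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                      # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        record.setdefault(attr.lower(), set()).add(value.strip())  # attr names are case-insensitive
    return entries

def diff_exports(authoritative, replica):
    """Describe what must change in `replica` for it to match `authoritative`."""
    report = {}
    for dn in set(authoritative) | set(replica):
        a, r = authoritative.get(dn), replica.get(dn)
        if a is None or r is None:
            report[dn] = {"action": "delete" if a is None else "add"}
            continue
        changed = {k: (sorted(a.get(k, ())), sorted(r.get(k, ())))
                   for k in set(a) | set(r) if a.get(k, set()) != r.get(k, set())}
        if changed:
            report[dn] = {"action": "modify", "attrs": changed}
    return report
```

Running `diff_exports(parse_ldif(CORPORATE_LDIF), parse_ldif(PROJECT_LDIF))` reports bob as missing from the project, carol as a project-local entry that would be lost, and alice's group membership as changed, while the differently encoded but equal description is correctly ignored.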


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
