[Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 9 11:28:48 UTC 2017


On Thu, 09 Feb 2017, Piper, Nick wrote:
>Hi FreeIPA-users,
>
>We're currently using FreeIPA 4.2.0, and we have two unrelated
>instances of IdM server. We'd like the user list which IPA maintains
>in one, to be a superset of the other; so we're looking for one way
>replication (of cn=users,cn=accounts,dc=realm, not necessarily of host
>entries etc.)
>
>We use a different 'dc' in each instance, and could use a different cn
>too if needed.

In short, there is no support for IPA-IPA trust or replication. There
are many reasons for that, including some complex technical issues on
how this could be reliably working.

If you are after actual POSIX systems where users need to log on to use
their services, you may try to configure SSSD with two different domains
(for IPA1 and IPA2). You can look at the discussion we had in 2014:
https://www.redhat.com/archives/freeipa-users/2014-January/msg00075.html
You do not necessarily need to enroll the machine in two different
realms; any Kerberos principal would do instead of a host principal to
authenticate against IPA LDAP (see the sssd-ldap man page for details on
ldap_sasl_authid).


>
>So far we've found instructions on full mutual replication:
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
This one is for generic 389-ds replication of the IPA flat DIT.

>and a one way sync from Active Directory:
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree
This one is for synchronizing with the help of a special daemon running
on the Windows Server side.

>
>but not one way sync from IPA.
>
>I'm hoping that we can do this between two IPA instances, probably
>still using ipa-replica-manage, although oneWaySync only has options
>'fromWindows' and 'toWindows' according to
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree
>. Is there anything actually ActiveDirectory specific about this?
Yes, it depends on a specific Windows program that is running on Windows
domain controllers and plugs into their infrastructure of user
information updates.

>We believe we need one way sync (including passwords) to be able to
>authenticate users which are mastered in the 'remote' IPA, even when
>the 'remote' IPA is offline. Another option we might explore is
>'cross-forest trust', although I believe this would make
>authentication unavailable if the 'master' IPA is unavailable. Both
>are discussed at
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#summary-indirect
>, but again in the context of AD/IPA rather than IPA/IPA.
>
>I'd welcome any pointers on trust or one-way replication between two
>IPA instances!
You are stuck, there is no such support between different IPA
deployments.

It would help to actually explain your real use case. So far you have
outlined above your approaches to solving a problem which is not really
stated up front.
-- 
/ Alexander Bokovoy
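
As an added illustration (not part of the thread or of any FreeIPA documentation), the two-domain SSSD layout suggested above: the client stays enrolled only in IPA1, and reaches IPA2 over LDAP/GSSAPI with a non-host principal via ldap_sasl_authid. All realm names, hostnames, search bases, the keytab and CA paths are assumed placeholders.

```ini
[sssd]
services = nss, pam
domains = ipa1.example, ipa2.example

# Domain 1 (assumed): this host is enrolled in IPA1 the normal way and
# uses its host keytab; nothing special here.
[domain/ipa1.example]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa1.example
ipa_server = _srv_, ipa1.ipa1.example
ipa_hostname = client.ipa1.example
cache_credentials = true

# Domain 2 (assumed): NOT enrolled in IPA2. Plain LDAP identity + Kerberos
# auth against IPA2, binding with a service principal created in IPA2 and
# exported to a keytab on this host (path and principal are placeholders).
[domain/ipa2.example]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ipa2.ipa2.example
ldap_search_base = dc=ipa2,dc=example
ldap_schema = IPA
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = sssd-client/client.ipa1.example@IPA2.EXAMPLE
ldap_krb5_keytab = /etc/sssd/ipa2-client.keytab
ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
krb5_realm = IPA2.EXAMPLE
krb5_server = ipa2.ipa2.example
# Both deployments may define the same short names (e.g. "admin");
# require user@ipa2.example so lookups and PAM decisions are unambiguous.
use_fully_qualified_names = true
cache_credentials = true
```

cache_credentials only lets a user who has already logged on to this host authenticate while IPA2 is unreachable; it does not replicate accounts or passwords, so it is not a substitute for the one-way sync the original question asked about.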