[Freeipa-devel] More types of replica in FreeIPA

Dmitri Pal dpal at redhat.com
Thu Apr 19 15:58:02 UTC 2012


On 04/19/2012 11:26 AM, Ondrej Hamada wrote:
>> There is one aspect that is missing in this discussion. If we are
>> talking about a remote office and about a Consumer that serves this
>> office we need to understand not only the flow of the initial
>> authentication but are there other authentications happening. I mean are
>> we just talking about logging into the machines in the remote office
>> then LDAP auth with pass-through and caching would be sufficient on the
>> consumer (I will explain how it could be done below) or there is an eSSO
>> involved and expected?
>>
>> I guess if the eSSO is required for example to access NFS shares there
>> should be a local IPA server with KDC in the remote office. In this case
>> it probably makes sense to make it just a normal replica but with
>> limited modification capabilities and potentially with a subset of users
>> and other entries replicated to that location.
>>
>> If the eSSO is not required and we talk about the initial login only we
>> can have a DS instance as a consumer; it does not need to have the whole IPA
>> because KDC, CA and management frameworks are not needed. This DS can
>> replicate a subset of the users, groups and other data using fractional
>> replication for the identity lookups and use the PAM pass-through
>> feature with SSSD configured to go to the real master for
>> authentication.
>>
>> So effectively there are two different use cases:
>> 1) eSSO server in the remote office
>> 2) Login server in the remote office
>>
>> The solutions seem completely different so I suggest starting with one
>> or another.
>
> So far the discussion seems to be more about the second option (login
> server in the remote office), so I would prefer to stick with it for now.

Then you probably do not need a full IPA server there but rather a
special Read Only replica that is configured as described above.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
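The "login server in the remote office" variant sketched in the quoted text (a DS consumer with no KDC or CA, fractional replication from the master, and the PAM pass-through plugin handing binds to SSSD, which authenticates against the real master) is shown below as an added example; it is not code from this thread or from the FreeIPA project. Everything named in it is an assumption: the suffix dc=example,dc=com, realm EXAMPLE.COM, hosts master.example.com and consumer.example.com, an existing replication agreement cn=to-branch on the master, and a replication manager entry cn=replication manager,cn=config already present on the consumer. One caveat a practitioner should keep in mind: nsDS5ReplicatedAttributeList filters attributes of every replicated entry, so it keeps password hashes and Kerberos keys off the consumer, but it does not by itself select a subset of users.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Generates the 389-DS and host
# configuration for a read-only login consumer; applies it only with "apply".
# Assumed names: dc=example,dc=com, EXAMPLE.COM, master/consumer.example.com,
# agreement cn=to-branch, bind entry cn=replication manager,cn=config.
set -eu

SUFFIX='dc=example,dc=com'
SUFFIX_ESC='dc\3Dexample\2Cdc\3Dcom'   # RDN-escaped suffix under cn=mapping tree
MASTER='master.example.com'
CONSUMER='consumer.example.com'
REALM='EXAMPLE.COM'
AGREEMENT='to-branch'

# Credential-bearing attributes that must never reach the consumer: it
# authenticates nothing locally, so it has no business holding hashes or keys.
excluded_attrs() {
    echo 'userPassword krbPrincipalKey krbExtraData'
}

# 1. Consumer: a read-only replica (nsDS5ReplicaType 2, fixed consumer ID 65535).
#    Writes are refused and referred to the suppliers.
consumer_replica_ldif() {
    cat <<EOF
dn: cn=replica,cn=${SUFFIX_ESC},cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDS5Replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: ${SUFFIX}
nsDS5ReplicaId: 65535
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaBindDN: cn=replication manager,cn=config
EOF
}

# 2. Master: fractional replication on the existing agreement. This filters
#    attributes of every entry, it does not pick a subset of users.
supplier_agreement_ldif() {
    cat <<EOF
dn: cn=${AGREEMENT},cn=replica,cn=${SUFFIX_ESC},cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeList: (objectclass=*) \$ EXCLUDE $(excluded_attrs)
EOF
}

# 3. Consumer: PAM pass-through auth. pamFallback FALSE makes a PAM failure a
#    bind failure (no fall back to a local userPassword compare); pamSecure TRUE
#    refuses to forward a password that did not arrive over TLS.
pam_passthrough_ldif() {
    cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamMissingSuffix
pamMissingSuffix: ALLOW
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ldapserver
EOF
}

# 4. Consumer host: the PAM service the plugin calls, and an SSSD that resolves
#    identities from the local consumer but authenticates against the master's KDC.
pam_service_file() {
    printf 'auth     required  pam_sss.so\naccount  required  pam_sss.so\n'
}

sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://${CONSUMER}
ldap_search_base = cn=accounts,${SUFFIX}
auth_provider = krb5
krb5_server = ${MASTER}
krb5_realm = ${REALM}
EOF
}

if [ "${1:-}" = apply ]; then   # generation above has no side effects
    consumer_replica_ldif   | ldapmodify -H "ldaps://${CONSUMER}" -D 'cn=Directory Manager' -W
    supplier_agreement_ldif | ldapmodify -H "ldaps://${MASTER}"   -D 'cn=Directory Manager' -W
    pam_passthrough_ldif    | ldapmodify -H "ldaps://${CONSUMER}" -D 'cn=Directory Manager' -W
    pam_service_file > /etc/pam.d/ldapserver
    sssd_conf > /etc/sssd/sssd.conf && chmod 600 /etc/sssd/sssd.conf
fi
```

Run without arguments to inspect the generated LDIF and config, or with `apply` on a host that can reach both servers. The machines in the remote office then point their own SSSD at the consumer with an LDAP id and auth provider and `cache_credentials = True`; a simple bind from such a client reaches the consumer, goes through PAM to the consumer's SSSD, and is verified by the master, while lookups stay local.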

