[Freeipa-devel] More types of replica in FreeIPA

Simo Sorce simo at redhat.com
Thu Apr 19 16:33:53 UTC 2012


On Thu, 2012-04-19 at 10:10 -0400, Dmitri Pal wrote:
> If the eSSO is not required and we talk about the initial login only, we
> can have a DS instance as a consumer and do not need to have the whole IPA,
> because the KDC, CA and management frameworks are not needed. This DS can
> replicate a subset of the users, groups and other data using fractional
> replication for the identity lookups, and use the PAM pass-through
> feature with SSSD configured to go to the real master for
> authentication.
> 
What's the point of a "login" server if SSSD then has to go and talk to
a different remote server?
I mean, what is the use case?

Also we need to keep in mind that we cannot assume SSSD to be always
available on clients.

Also, replicating a subset of users is easy, but once you try to decide
about other data it becomes progressively more difficult: do you
replicate all the groups that are referenced by the users you
replicated? (Not possible with current fractional replication.)
What about HBAC, host groups and sudo rules...?
Or do we let admins decide what to replicate and rely on referrals to
resolve the missing parts referenced by the users?

Referrals have two issues: a lot of clients do not support them properly,
and they would probably break the compat plugins (although I guess we
can fix the plugins to add referrals as well for the LDAP part).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
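The closure problem Simo raises (a replicated subset of users references groups, which reference further users and groups, and HBAC rules reference both) can be made concrete. The following is an added Python example, not FreeIPA or 389 DS code: the directory fragment is constructed, `fractional_replica` models fractional replication only as a subtree-plus-attribute-list filter (an assumption for illustration), and the reference attributes considered are just `member`, `memberOf`, `memberUser` and `memberHost`.

```python
from collections import defaultdict, deque

# Constructed directory fragment in FreeIPA-style DN layout (not an export
# from a real server).
USERS = "cn=users,cn=accounts,dc=example,dc=test"
GROUPS = "cn=groups,cn=accounts,dc=example,dc=test"
HOSTGROUPS = "cn=hostgroups,cn=accounts,dc=example,dc=test"
HBAC = "cn=hbac,dc=example,dc=test"

DIRECTORY = {
    f"uid=alice,{USERS}": {"memberOf": [f"cn=devs,{GROUPS}"]},
    f"uid=bob,{USERS}": {"memberOf": [f"cn=devs,{GROUPS}", f"cn=ops,{GROUPS}"]},
    f"uid=carol,{USERS}": {"memberOf": [f"cn=ops,{GROUPS}"]},
    f"cn=devs,{GROUPS}": {"member": [f"uid=alice,{USERS}", f"uid=bob,{USERS}"]},
    f"cn=ops,{GROUPS}": {"member": [f"uid=bob,{USERS}", f"uid=carol,{USERS}"],
                         "memberOf": [f"cn=staff,{GROUPS}"]},
    f"cn=staff,{GROUPS}": {"member": [f"cn=ops,{GROUPS}"]},
    f"cn=webservers,{HOSTGROUPS}": {"member": []},
    f"ipaUniqueID=rule1,{HBAC}": {"memberUser": [f"cn=devs,{GROUPS}"],
                                  "memberHost": [f"cn=webservers,{HOSTGROUPS}"]},
}

# DN-valued attributes that link entries to each other (a subset, for the example).
REF_ATTRS = ("member", "memberOf", "memberUser", "memberHost")


def fractional_replica(directory, subtree, keep_attrs):
    """Model (assumption) of what a fractional replication agreement can
    express: one subtree, and only the attribute names in keep_attrs.
    It cannot say "and whatever these entries point at"."""
    return {dn: {a: list(v) for a, v in attrs.items() if a in keep_attrs}
            for dn, attrs in directory.items() if dn.endswith("," + subtree)}


def dangling_references(replica):
    """Map each replicated DN to the DNs it references that the consumer
    does not hold.  A client resolving memberOf on such a consumer gets
    DNs it cannot look up locally."""
    missing = {}
    for dn, attrs in replica.items():
        refs = {r for a in REF_ATTRS for r in attrs.get(a, [])}
        absent = {r for r in refs if r not in replica}
        if absent:
            missing[dn] = absent
    return missing


def closure(directory, seeds, reverse=False):
    """Every entry reachable from the seed DNs by following reference
    attributes forward (and, with reverse=True, also entries that point at
    the set, e.g. an HBAC rule whose memberUser names a replicated group).
    This is what an admin would have to replicate by hand."""
    back = defaultdict(set)
    if reverse:
        for dn, attrs in directory.items():
            for a in REF_ATTRS:
                for ref in attrs.get(a, []):
                    back[ref].add(dn)
    seen, queue = set(), deque(seeds)
    while queue:
        dn = queue.popleft()
        if dn in seen or dn not in directory:
            continue
        seen.add(dn)
        for a in REF_ATTRS:
            queue.extend(directory[dn].get(a, []))
        queue.extend(back[dn])
    return seen


if __name__ == "__main__":
    replica = fractional_replica(DIRECTORY, USERS, {"memberOf"})
    for dn, absent in dangling_references(replica).items():
        print(f"{dn} -> missing {sorted(absent)}")
    print("forward closure of alice:", len(closure(DIRECTORY, {f'uid=alice,{USERS}'})))
    print("closure incl. reverse refs:",
          len(closure(DIRECTORY, {f'uid=alice,{USERS}'}, reverse=True)))
```

Replicating only the users subtree leaves every replicated user with memberOf values that point at entries the consumer does not have; following those references from a single user pulls in six of the eight entries, and once entries that reference the set (the HBAC rule) are included, the "subset" is the whole directory. That is the gap a subtree or attribute filter cannot close, and what referrals or an admin-curated list would have to cover instead.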
