[Freeipa-users] AD Sync and groups

malo malo at avast.com
Tue Jul 26 08:10:18 UTC 2016


Hello,

I am currently setting up an architecture involving FreeIPA to provide 
SSO for SSH to the servers.
I have several servers (~1500) in a few datacenters all over the world 
(North America, South America, Europe, Asia).
The idea here was to have 4 masters/replicas per datacenter, with one 
master/replica involved in a winsync replication process with our AD. 
Thus, we would not suffer network outages, slowdowns or timeouts 
because each FreeIPA server would have a closer database of users 
instead of querying a long distance AD.

I've managed to set up the winsync replication successfully (after having 
trouble with replication rights). I then turned on group replication:

ldapmodify -x -D "cn=directory manager" -w PASS

dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: true


I re-initialized the replication but I have no groups.
I did a little digging and came across this: 
https://bugzilla.redhat.com/show_bug.cgi?id=1002414
Very unfortunate for me, but a few things bother me.

It says "reenable" in the RFE, and I also found this documentation: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html

It clearly specifies how to sync groups, which I enabled, but nothing 
happens for me.
So, my questions would be:
- Is winsync group sync still enabled?
- If not, why and when was it disabled?
- Is there any way I could re-enable it, by digging into the code?

Group sync seems a real MUST HAVE feature for winsync, since a 
flat hierarchy is not really useful, imho.

I can't consider an AD Trust architecture; it would be too dangerous 
since the network connectivity to the AD is not safe enough, and I could not 
risk blocking SSH access on my servers because of network lag.

Has anyone been in a similar situation? Have you implemented AD 
trust or winsync replication at such a large scale?


Thank you for reading,


Have a nice day,

Nathan MALO
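Added example (not from the post, FreeIPA or 389-ds): a small Python checker that parses the LDIF an `ldapsearch -LLL` of the winsync agreement entry returns, unfolds continuation lines (the same line-folding that mangled the dn in the post above) and reports whether nsds7NewWinGroupSyncEnabled actually took effect. The sample LDIF, its DNs and subtrees are constructed placeholders; the objectClass nsDSWindowsReplicationAgreement and the nsds7NewWinUserSyncEnabled / nsds7WindowsReplicaSubtree attributes are assumed from 389-ds winsync, not taken from the post.

```python
"""Report the winsync group-sync setting from an LDIF dump of the agreement."""
import base64
import sys
from typing import Dict, List

# Constructed sample of what `ldapsearch -LLL -b cn=config '(objectClass=nsDSWindowsReplicationAgreement)'`
# might return; hostnames and suffixes are placeholders. The dn is folded LDIF-style
# (continuation line starts with one space, which is dropped when unfolding).
SAMPLE_LDIF = r"""dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tr
 ee,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsReplicaSubtree: cn=Users,dc=ad,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipa,dc=example,dc=com
nsds7NewWinUserSyncEnabled: true
nsds7NewWinGroupSyncEnabled: false
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split unfolded LDIF into entries; attribute names are lower-cased, '::' values base64-decoded."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def group_sync_status(text: str) -> Dict[str, object]:
    """Find the winsync agreement entry and return its sync flags and AD subtree."""
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsdswindowsreplicationagreement" not in classes:
            continue
        flag = lambda name: entry.get(name, ["false"])[0].lower() == "true"
        return {"dn": entry["dn"][0],
                "group_sync": flag("nsds7newwingroupsyncenabled"),
                "user_sync": flag("nsds7newwinusersyncenabled"),
                "ad_subtree": entry.get("nsds7windowsreplicasubtree", [""])[0]}
    raise ValueError("no winsync agreement entry found in LDIF")


if __name__ == "__main__":
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    print(group_sync_status(data))
```

Pipe real `ldapsearch` output into the script to check the live agreement; with no stdin it evaluates the constructed sample, where group sync reports as disabled.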



