[Freeipa-users] AD Sync and groups

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 26 08:30:46 UTC 2016


On Tue, 26 Jul 2016, malo wrote:
>Hello,
>
>I am currently setting up an architecture involving FreeIPA to provide 
>SSO for SSH to the servers.
>I have several servers (~1500) in a few datacenters all over the world 
>(North America, South America, Europe, Asia).
>The idea here was to have 4 masters/replicas per datacenter, with one 
>master/replica involved in a winsync replication process with our AD. 
>Thus, we would not suffer network outages, slowdowns or timeouts 
>because each FreeIPA server would have a closer database of users 
>instead of querying a long distance AD.
>
>I've managed to set up the winsync replication successfully (after 
>having trouble with replication rights).  I then turned on group 
>replication:
>
>ldapmodify -x -D "cn=directory manager" -w PASS
>
>dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>changetype: modify
>replace: nsds7NewWinGroupSyncEnabled
>nsds7NewWinGroupSyncEnabled: true
>
>
>I re-initialized the replication but I have no groups.
>I did a little digging and came across this: 
>https://bugzilla.redhat.com/show_bug.cgi?id=1002414
>Very unfortunate for me but a few things bother me.
>
>It says "reenable" in the RFE and I also found this documentation : https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html

There is a difference between 389-ds winsync and FreeIPA winsync. The
latter is a simplified version that no longer sees development and
does not support group sync, because groups on the IPA side are sufficiently
different from AD groups, while the generic 389-ds winsync plugin is not
tuned to the IPA DIT.

>It clearly specifies how to sync groups, which I enabled, but nothing 
>happens for me.
>So, my questions would be:
>- Is winsync group sync still enabled?
>- If not, why and when has it been disabled?
>- Is there any way I could reenable it, by digging into the code?
>
>Group sync seems a really MUST HAVE as a feature for the winsync, 
>since flat hierarchy is not really useful, imho.
IPA uses flat hierarchy and has no support for non-flat DIT.

>I can't consider an AD Trust architecture, It would be too dangerous 
>since the network connectivity of the AD is not safe enough, I could 
>not risk to block SSH access on my servers because of network lag.
>
>Has anyone been in a similar situation? Have you implemented AD 
>trust or winsync replication at such a large scale?
I cannot tell about actual deployments, but there are plenty of deployments
with trust to AD in multiple data centers.

If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
authentication via IPA servers to AD DCs and also can do offline
authentication in SSSD.
-- 
/ Alexander Bokovoy
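The SSSD offline authentication mentioned in the reply above is controlled by a handful of sssd.conf options. The fragment below is an added example, not part of the thread or of FreeIPA's own documentation; the domain name ipa.example.com and the server name ipa1.dc1.example.com are assumptions, and the option names are the standard ones from sssd.conf(5) and sssd-krb5(5).

```ini
# sssd.conf fragment (added example): keep SSH password logins working on an
# IPA-enrolled server while its IPA servers are unreachable.
# Domain and server names below are assumptions.
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.com
# Prefer DNS SRV discovery, fall back to a named server in the local datacenter.
ipa_server = _srv_, ipa1.dc1.example.com
# Store a hash of the last successfully verified password so PAM can
# authenticate the user when no IPA server answers.
cache_credentials = True
# Remember the password while offline so a TGT is requested as soon as a
# KDC becomes reachable again.
krb5_store_password_if_offline = True

[pam]
# Days a cached credential remains usable without an online login (0 = no limit).
offline_credentials_expiration = 7
# Lock the cached entry after this many failed offline attempts (0 = unlimited),
# and wait this many minutes before allowing further offline attempts.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```

Two caveats worth checking before relying on this: a user can only authenticate offline on a host where they have already logged in successfully while online, because the cache is populated on that first success; and the cache holds a password hash, not a Kerberos ticket, so GSSAPI single sign-on to other hosts still needs a reachable KDC even when the local login succeeds.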
