[Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

Piper, Nick nick.piper at cgi.com
Thu Feb 9 10:40:27 UTC 2017


Hi FreeIPA-users,

We're currently using FreeIPA 4.2.0, and we have two unrelated
instances of IdM server. We'd like the user list that IPA maintains
in one to be a superset of the other's, so we're looking for one-way
replication (of cn=users,cn=accounts,dc=realm, not necessarily of host
entries etc.).

We use a different 'dc' in each instance, and could use a different cn
too if needed.

So far we've found instructions on full mutual replication:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html

and a one-way sync from Active Directory:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree

but not one-way sync from IPA.

I'm hoping that we can do this between two IPA instances, probably
still using ipa-replica-manage, although oneWaySync only has the options
'fromWindows' and 'toWindows' according to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree .
Is there anything actually Active Directory-specific about this?

We believe we need one-way sync (including passwords) to be able to
authenticate users that are mastered in the 'remote' IPA, even when
the 'remote' IPA is offline. Another option we might explore is
'cross-forest trust', although I believe this would make
authentication unavailable if the 'master' IPA is unavailable. Both
are discussed at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#summary-indirect ,
but again in the context of AD/IPA rather than IPA/IPA.

I'd welcome any pointers on trust or one-way replication between two
IPA instances!

Many thanks,

 Nick

-- 
CGI IT UK Limited. A CGI Group Inc. Company
Registered Office 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom. Registered in England & Wales - Number 947968