[Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

David Kupka dkupka at redhat.com
Wed Feb 22 06:29:58 UTC 2017


On Tue, Feb 21, 2017 at 10:27:40AM +0000, Paris, Dan wrote:
> Hi FreeIPA-users,
> 
> My colleague Nick Piper emailed previously <https://www.redhat.com/archives/freeipa-users/2017-February/msg00121.html> regarding the subject matter.
> 
> We are still attempting to find a solution that meets our requirements and are considering manually building an ldif file to import into our master IdM server. In the reply to our original query Alexander Bokovoy mentioned: "In short, there is no support for IPA-IPA trust or replication. There are many reasons for that, including some complex technical issues on how this could be reliably working." Would you be able to provide some detail around these technical issues and provide some guidance as to whether exporting an ldif file would meet our needs?
> 
> Thanks in advance,
> Dan
> 
> Dan Paris | Leading Engineer
> 250 Brook Drive, Reading, RG2 6UA | United Kingdom
> M:  +44 7920783573
> dan.paris at cgi.com | www.cgi.com
> Registered in England & Wales (registered number 947968)
> Registered Office: 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom



Hi Dan!

The biggest missing part on the way to a FreeIPA-FreeIPA trust is the Global
Catalog [1]. There might be (and probably are) other parts that FreeIPA lacks,
but I don't know the details.

Regarding using ldif for synchronization: I don't think that's a good idea, for
several reasons:
1) It will be hard and error-prone to keep the data in sync. Even if you
declared the corporate FreeIPA the authoritative source and accepted that all
changes made in the project FreeIPA would be lost, you would need to
periodically export, optionally compare, and replace a potentially huge number
of entries (users, groups, sudo rules, HBAC rules, ...).

2) To be able to obtain a Kerberos ticket for a user, you would also need to
copy the Kerberos master key, which is used to encrypt the users' keys. This is
quite sensitive material.

By the way, have you considered having just a single FreeIPA deployment, as I
proposed in [2]? Why is a separate deployment of FreeIPA for the project
required?

[1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx
[2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html

-- 
David Kupka
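As an added illustration of what the "export, compare, replace" step discussed above involves (this is not code from the thread, from FreeIPA, or from either deployment), the following Python script parses two LDIF exports of a users subtree, rebases DNs and DN-valued attributes from the source suffix to the destination suffix, drops attributes that must not be copied (Kerberos key material encrypted under the source realm's master key, operational and plugin-maintained attributes), and emits the LDIF change records that would make the destination match the source. The base DNs, the sample entries and the attribute skip list are constructed assumptions for the example, not taken from any real deployment.

```python
"""Added example: diff two LDIF exports and emit LDIF change records.
All data below is constructed; base DNs and SKIP_ATTRS are assumptions."""
import base64

# Assumption: a starting list, not an exhaustive one.  Kerberos keys are
# encrypted under the source realm's master key and are useless (or dangerous)
# in another realm; the rest are operational or plugin-maintained attributes
# (memberOf, timestamps, UUIDs) that belong to the destination server.
SKIP_ATTRS = {
    "krbprincipalkey", "krbmkey", "krbextradata", "userpassword", "ipanthash",
    "krblastpwdchange", "memberof", "modifytimestamp", "modifiersname",
    "createtimestamp", "creatorsname", "entryuuid", "entryusn", "ipauniqueid",
}


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: set(values)}} with attr names lower-cased.
    Handles folded lines, base64 values ('::'), comments and blank separators."""
    entries, block = {}, []

    def flush(lines):
        lines = [ln for ln in lines if not ln.startswith("#")]
        if not lines:
            return
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "surrogateescape")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), set()).add(value)
        if dn is None:
            raise ValueError("LDIF entry without a dn")
        entries[dn] = attrs

    for raw in text.splitlines():
        if raw == "":
            flush(block)
            block = []
        elif raw.startswith(" ") and block:  # folded continuation line
            block[-1] += raw[1:]
        else:
            block.append(raw)
    flush(block)
    return entries


def rebase(value, src_base, dst_base):
    """Rewrite a DN (or a DN-valued attribute such as manager/member) from the
    source suffix to the destination suffix; other values pass through."""
    if value.lower().endswith(src_base.lower()):
        return value[: len(value) - len(src_base)] + dst_base
    return value


def diff_ldif(src_text, dst_text, src_base, dst_base, skip=SKIP_ATTRS):
    """LDIF change records that make the destination subtree match the source.
    The source is authoritative: destination-only entries are deleted and
    local modifications there are overwritten."""
    src = {rebase(dn, src_base, dst_base): {a: {rebase(v, src_base, dst_base) for v in vals}
                                            for a, vals in attrs.items() if a not in skip}
           for dn, attrs in parse_ldif(src_text).items()}
    dst = {dn: {a: vals for a, vals in attrs.items() if a not in skip}
           for dn, attrs in parse_ldif(dst_text).items()}
    changes = []
    for dn in sorted(src):
        if dn not in dst:
            body = "".join(f"{a}: {v}\n" for a in sorted(src[dn]) for v in sorted(src[dn][a]))
            changes.append(f"dn: {dn}\nchangetype: add\n{body}")
            continue
        mods = ""
        for attr in sorted(set(src[dn]) | set(dst[dn])):
            s, d = src[dn].get(attr, set()), dst[dn].get(attr, set())
            if s == d:
                continue
            if s:
                mods += f"replace: {attr}\n" + "".join(f"{attr}: {v}\n" for v in sorted(s)) + "-\n"
            else:
                mods += f"delete: {attr}\n-\n"
        if mods:
            changes.append(f"dn: {dn}\nchangetype: modify\n{mods}")
    for dn in sorted(set(dst) - set(src)):
        changes.append(f"dn: {dn}\nchangetype: delete\n")
    return changes


# Constructed sample exports (assumed suffixes; fabricated users and key blob).
SRC_BASE, DST_BASE = "dc=corp,dc=example", "dc=project,dc=example"
SRC_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=corp,dc=example
uid: alice
cn: Alice Sm
 ith
krbPrincipalKey:: AAECAw==
modifyTimestamp: 20170221102740Z

dn: uid=bob,cn=users,cn=accounts,dc=corp,dc=example
uid: bob
cn: Bob Jones
manager: uid=alice,cn=users,cn=accounts,dc=corp,dc=example
"""
DST_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=project,dc=example
uid: alice
cn: Alice
modifyTimestamp: 20170101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=project,dc=example
uid: carol
cn: Carol
"""


def example_changes():
    """Run the diff over the constructed exports (alice modified, bob added,
    carol deleted, krbPrincipalKey never copied)."""
    return diff_ldif(SRC_LDIF, DST_LDIF, SRC_BASE, DST_BASE)
```

Even this toy already has to deal with three of the traps the thread alludes to: the suffix differs between the two deployments, so every DN-valued attribute has to be rewritten, not just the entry DNs; key material and operational attributes have to be filtered out rather than imported; and every entry the project side changed or created is silently overwritten or deleted on the next run. A real subtree also contains groups, HBAC and sudo rules with cross-references to hosts and services, which this example does not attempt.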

