<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 12/27/2014 01:19 AM, Prashant Bapat
wrote:<br>
</div>
<blockquote
cite="mid:CAN9aUrhZGmoTParWEQCKP6dymKbWVWNCTvS00LRg2c0bu6GLpg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">Hi All,<br>
<br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">I'm trying to implement FreeIPA for Users and
SSH pub keys management in our infra. We have a setup that
spans multiple geographies. What we are thinking is something
like below. <br>
<br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">1. Have 2 full FreeIPA servers with
multi-master replicas in one region. <br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">2. In other regions just have an LDAP read-only
replica. <br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">3. Use the AuthorizedKeysCommand in SSH to look
for a user's pub key in the respective region's LDAP.<br>
<br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">Has anyone tried something on these lines? <br>
<br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">Please share your experiences. <br>
<br>
Thanks.<br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">--Prashant<br>
</div>
</div>
<br>
</blockquote>
<br>
IPA does not support read-only replicas at this time.<br>
This would be a significant effort that we probably would not have
time to focus on till 2016-2017.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>