On 04/19/2012 11:26 AM, Ondrej Hamada wrote:
>> There is one aspect that is missing in this discussion. If we are talking about a remote office and about a Consumer that serves this office, we need to understand not only the flow of the initial authentication but whether there are other authentications happening. I mean, are we just talking about logging into the machines in the remote office, in which case LDAP auth with pass-through and caching would be sufficient on the consumer (I will explain how it could be done below), or is there an eSSO involved and expected?
>>
>> I guess if the eSSO is required, for example to access NFS shares, there should be a local IPA server with KDC in the remote office. In this case it probably makes sense to make it just a normal replica but with limited modification capabilities and potentially with a subset of users and other entries replicated to that location.
>>
>> If the eSSO is not required and we talk about the initial login only, we can have a DS instance as a consumer; we do not need to have the whole IPA because KDC, CA and management frameworks are not needed. This DS can replicate a subset of the users, groups and other data using fractional replication for the identity lookups, and can use the PAM pass-through feature with SSSD configured to go to the real master for authentication.
>>
>> So effectively there are two different use cases:
>> 1) eSSO server in the remote office
>> 2) Login server in the remote office
>>
>> The solutions seem completely different, so I suggest starting with one or the other.
>
> So far the discussion seems to be more about the second option (login server in the remote office), so I would prefer to stick with it for now.

Then you probably do not need a full IPA server there but rather a special Read Only replica that is configured as described above.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
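As an added illustration of the "login server" variant described above (this is example configuration written for this page, not something posted in the thread or shipped by the FreeIPA project): a 389 DS consumer that receives identities via fractional replication but never receives password or Kerberos key material, and hands simple binds to the local PAM stack so that pam_sss/SSSD forwards the credential check to the real master. The suffix `dc=example,dc=com`, the agreement name `to-remote-consumer` and the PAM service name `ldapserver` are assumptions.

```ldif
# Added example, not from the thread. Suffix, agreement name and PAM service
# name are assumptions; adjust them to the deployment.

# 1) On the master: fractional replication agreement that ships identity data
#    to the consumer but EXCLUDES secrets, so a compromised branch-office box
#    yields no password hashes or Kerberos keys. memberOf is excluded because
#    the consumer's own memberOf plugin regenerates it.
dn: cn=to-remote-consumer,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword krbPrincipalKey memberOf
-
replace: nsDS5ReplicatedAttributeListTotal
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE userPassword krbPrincipalKey memberOf

# 2) On the consumer: PAM pass-through plugin. A simple bind against an entry
#    with no userPassword is sent to PAM service "ldapserver" (an
#    /etc/pam.d/ldapserver stack that calls pam_sss), and SSSD validates the
#    password against the master's KDC. pamFallback FALSE means a missing or
#    wrong PAM answer is a failed bind, never a fall-back to a local hash.
#    pamSecure TRUE refuses pass-through on unencrypted connections so the
#    clear-text password only travels over TLS/LDAPS.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamMissingSuffix
pamMissingSuffix: ALLOW
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ldapserver
```

Apply each part with `ldapmodify` against the respective server and restart the consumer so the plugin change takes effect; verify that `ldapsearch` on the consumer returns user entries without a `userPassword` attribute before enabling logins.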