Hi,

On Tue, Jun 2, 2020 at 1:09 PM Ben Aveling via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi,
>
> I'm looking for a way to set up a small office.
>
> I'm trying not to have to have all the clients SSSD back to the central
> office.
>
> It would be nice to be able to have a small FreeIPA server, and just pull in
> the necessary user data from the central servers.
>
> But it's not clear what the best way to do that would be.
>
> A replica seems like overkill - and forces the central servers to trust the
> small office, which isn't ideal.
>
> Some sort of selective one-way replication would work.

The use-case (not the behavior though) is close to the read-only replica RFE:
https://pagure.io/freeipa/issue/5569

There is no such feature in FreeIPA as of today.

> What would be nice would be if the small office FreeIPA server could retrieve
> user data as needed, and then cache it, a bit like SSSD does for clients.
>
> Some sort of filtered export/import would also be acceptable, so long as we
> can be sufficiently confident about security of key material.
>
> Any suggestions?

Either use sssd caching aggressively (and use the central office FreeIPA servers) or use a CAless replica. It will be lightweight compared to a replica with a CA. It will not solve the "trust" issue you outline above.

François

> Regards, Ben
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
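
The first option in the reply, aggressive SSSD caching against the central FreeIPA servers, could look like the following on a branch-office client. This is an added example, not part of the original thread; the domain and host names are placeholders and the timeout values are illustrative assumptions to be tuned per site.

```ini
# /etc/sssd/sssd.conf on a branch-office client.
# Constructed example: ipa.example.test and ipa1.ipa.example.test are placeholders.
[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
# Prefer DNS SRV discovery, fall back to a named central server.
ipa_server = _srv_, ipa1.ipa.example.test

# Store a salted hash of the password after a successful online login so
# users can still authenticate while the link to the central office is down.
cache_credentials = True

# Answer user and group lookups from the local cache for 4 hours before
# contacting the server again (the default is 5400 seconds).
entry_cache_timeout = 14400

# Refresh expired entries in the background; 3/4 of entry_cache_timeout.
refresh_expired_interval = 10800

# Purge cached accounts that have not logged in for 30 days. Must be
# greater than or equal to offline_credentials_expiration below.
account_cache_expiration = 30

[pam]
# Cached credentials are valid for offline login for 7 days after the last
# successful online login. 0 means no limit, which leaves a stolen laptop
# usable offline indefinitely.
offline_credentials_expiration = 7

# Slow down password guessing against the local cache: after 5 failed
# offline attempts, wait 10 minutes before allowing another try.
offline_failed_login_attempts = 5
offline_failed_login_delay = 10
```

Longer cache lifetimes also delay how quickly a disabled account or a changed group membership at the central office is seen at the branch, so the values are a trade-off between WAN independence and revocation latency.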