Hello, we are using IPA as the backbone of a middle-sized infrastructure whose purpose is to host multi-tenants (Java) applications. These applications use 389-ds instances to manage the authentication and authorisation. The 389-ds instances are deployed on hosts which are IPA clients but are not IPA servers.
Since we monitor closely the IPA servers and their 389-ds instances, I was wondering whether it could be efficient to also host the applicative 389-ds LDAP trees on the same hosts as the IPA servers. These instances are small (hundreds of applicative users maximum) and use only the standard LDAP schemas, consistently with IPA (which was taken as the reference when developing the user-management model of these applications). I can see three approaches: 1) Separate 389-ds instances on distinct ports. In that case, only the software is shared. 2) Separate 389-ds backends in the IPA instances, with their own replication agreements. 3) Separate LDAP subtrees within the IPA backends. In that case, IPA replication agreements are leveraged. Intuitively, I would favour 2), then 1), then 3). Did I miss something in this analysis? Is it reasonable/advisable to reuse the IPA servers for such purposes? Does anyone have experience with such a setup? Thanks in advance for any comment! Mathieu _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
