Hi FreeIPA-users,

We're currently using FreeIPA 4.2.0, and we have two unrelated instances of IdM server. We'd like the user list which IPA maintains in one to be a superset of the other, so we're looking for one-way replication (of cn=users,cn=accounts,dc=realm, not necessarily of host entries etc.).

We use a different 'dc' in each instance, and could use a different cn too if needed. So far we've found instructions on full mutual replication:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
and a one-way sync from Active Directory:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree
but not one-way sync from IPA.

I'm hoping that we can do this between two IPA instances, probably still using ipa-replica-manage, although oneWaySync only has the options 'fromWindows' and 'toWindows' according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#changing-subtree . Is there anything actually Active Directory specific about this?

We believe we need one-way sync (including passwords) to be able to authenticate users who are mastered in the 'remote' IPA, even when the 'remote' IPA is offline.

Another option we might explore is 'cross-forest trust', although I believe this would make authentication unavailable if the 'master' IPA is unavailable. Both are discussed at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#summary-indirect , but again in the context of AD/IPA rather than IPA/IPA.

I'd welcome any pointers on trust or one-way replication between two IPA instances!

Many thanks,
Nick

--
CGI IT UK Limited. A CGI Group Inc. Company
Registered Office 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom. Registered in England & Wales - Number 947968