This is great feedback, thanks.
You might be able to get away with an IPA client in this case. sssd will
cache credentials. This wouldn't cover the case where someone hasn't
used the door yet, power goes off, and they need to open it though.
Yes, that is the backup plan in case I can’t get the replica to work with the very limited amount of RAM I have (either 256 or 512 MB). It’s a fun project for my hackerspace so the cost of failure is not that high.
I suspect that running without a CA is much more viable, but 389-ds can
be resource-intesive as well depending on how many entries you have.
I’m expecting we won’t have more than 150 users, so it shouldn’t be that big of a problem.