On Sun, 16 Jan 2022, Jim Kinney via FreeIPA-users wrote:
Since SuSE doesn't support FreeIPA/IdM, and I need to use freeipa as
master controller, I need to be able to have multiple suse hosted
389-ds ldap servers (9) be read-only mirrors for large numbers of
compute node clients (3000).
I have VMs on suse hosts running rocky8.5 for freeipa as test servers.
Those nodes sync fine. I have 389-ds on a single suse host for sync
testing. I created replication agreements using docs on suse site for
sles15 sp3 and verified no firewall blocks between them.
https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-lda...
The sync connects but no data is transferred. I suspect the cause is
the 389 system has no schema like freeipa to sync into.
Next attempt is to perform an ldif backup of the ipa system and restore
it to the 389 system. I have concerns about this as there's probably a
unique system id in the backup (I've not grep'ed through it yet). Is
this a reasonable process?
This is all still experimental and everything can (will) be wiped and
reinstalled (multiple times as the process is developed). If there are
docs on how to sync these, I've not found them and would really
appreciate links.
The alternative is to install freeipa containers on the sles systems
but the container readme on github reads like it's still very
experimental.
Also as there is no freeipa client package in sles, just sssd-ipa and
libhbac0, all of the sssd configuration will be manual as well as all
the certificates between freeipa servers and sles clients.
This all is pretty much not investigated and unsupported.
There are about a dozen plugins in FreeIPA on top of stock 389-ds that
implement logic and behavior of IPA LDAP server. Since these aren't
present in a replicated 389-ds server on SLES, I am not sure the
behavior would be the same at all for the clients. This specifically
touches areas of password management but there are more things affected
like 2FA authentication.
For what you mention about client side, if you are going to use SSSD
with 'id_provider = ipa', then you cannot use these read-only 389-ds
replicas. SSSD 'id_provider = ipa' expects the target server to be LDAP
and Kerberos KDC at the same time, just like all IPA servers are.
The replication protocol is the same; it is a base protocol that 389-ds has,
so it should be handling replication of the schema as well. All the
details can be found in the RHDS documentation on the Red Hat Customer Portal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
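As an added example that is not part of this thread: a small Python check for the schema question raised above, i.e. whether the IPA objectclasses actually arrived on the 389-ds consumer after replication. It assumes each server's cn=schema entry has been dumped to LDIF with the ldapsearch invocation shown in the docstring; the two sample dumps are constructed, and the OID on the IPA objectclass in them is a placeholder.

```python
"""Diff the objectClass names published under cn=schema on two servers.
Assumed capture, one file per server:
  ldapsearch -LLL -x -H ldap://<server> -b cn=schema -s base objectClasses
"""
import re

# RFC 4512 objectclass description: "( <oid> NAME 'x' ... )" or "NAME ( 'x' 'y' )"
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def objectclass_names(ldif_text):
    """Return the lower-cased objectClass names declared in an LDIF dump of cn=schema."""
    names = set()
    for line in unfold_ldif(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "objectclasses":
            continue
        m = _NAME_RE.search(value)
        if m and m.group(1):
            names.add(m.group(1).lower())
        elif m:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names

def missing_on_consumer(supplier_ldif, consumer_ldif):
    """Object classes the supplier publishes that the consumer does not know."""
    return sorted(objectclass_names(supplier_ldif) - objectclass_names(consumer_ldif))

# Constructed sample dumps: the IPA server carries an IPA-only objectclass, the plain
# 389-ds consumer only the RFC ones. The OID on 'ipaobject' is a made-up placeholder.
SUPPLIER_LDIF = """\
dn: cn=schema
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'ipaobject' SUP top AUXILIARY MUST ipaUniqueID )
"""
CONSUMER_LDIF = """\
dn: cn=schema
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL )
"""
```

Run `missing_on_consumer(SUPPLIER_LDIF, CONSUMER_LDIF)` on real dumps; a non-empty result means the consumer cannot hold entries using those classes, independent of any IPA plugin behaviour.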