[Freeipa-users] Re: Use 389-ds as freeipa mirror

Since SuSE doesn't support FreeIPA/IdM, and I need to use freeipa as master controller, I need to be able to have multiple suse hosted 389-ds ldap servers (9) be read-only mirrors for large numbers of compute node clients (3000). I have VMs on suse hosts running rocky8.5 for freeipa as test servers. Those nodes sync fine. I have 389-ds on a single suse host for sync testing. I created replication agreements using docs on suse site for sles15 sp3 and verified no firewall blocks between them. https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-lda... The sync connects but no data is transferred. I suspect the cause is the 389 system has no schema like freeipa to sync into. Next attempt is to perform an ldif backup of the ipa system and restore it to the 389 system. I have concerns about this as there's probably a unique system id in the backup (I've not grep'ed through it yet). Is this a reasonable process? This is all still experimental and everything can(will) be wiped and reinstalled(multiple times as the process is developed). If there are docs on how to sync these, I've not found them and would really appreciate links The alternative is to install freeipa containers on the sles systems but the container readme on github reads like it's still very experimental. Also as there is no freeipa client package in sles, just sssd-ipa and libhbac0, all of the sssd configuration will be manual as well as all the certificates between freeipa servers and sles clients.