I work for a large corporation where we would like to switch from OpenLDAP (with Krb5) to Red Hat
IdM. I'll call it xyz.com.
The IAM system we are refactoring was set up more than a decade ago, and was based on OpenLDAP.
We had a primary or master server in one location, with multiple RO replicas,
geographically distributed. The user and group spaces were flat, from an LDAP OU and
Kerberos 5 perspective. There was only a single realm. DNS was not used for Kerberos;
krb5.conf files were managed so that clients are pushed to the closest KDC.
After the system was running, the CIO implemented a corporate SSO using an Enterprise
Directory (which is also OpenLDAP or some other 389 descendant). There are isolated pockets
of AD, and nothing in the TLD. So, AD is not really used at the Enterprise level.
I'm exploring the replication options using the following assumptions.
- Not using AD; only OpenLDAP, RHDS, or some 389 variant.
- There will be a minimum of 3 but eventually 7 locations with an IdM server deployed.
Each location uses a unique subdomain under xyz.com.
- We allocate uids and gids starting at 100K. We still want it to be flat.
- We would like to use a Pass Through Agent (PTA) to our Enterprise Directory for this
block of users, if possible, for the LDAP binding.
- We would like to have a single Kerberos realm for all of these locations.
- There is no expectation that the LDAP and Kerberos passwords will be synced.
I've seen some conversations in the mailing list archives, but nothing recent.
Hopefully, someone can give me some pointers or websites which discuss
replication/deployment scenarios.
--
Chris