I have a multi-site production setup with a total of 8 ipa servers and a second, very tiny test setup run by a single ipa server.

When designed, the plan was that the test and prod systems would be totally separate, no sync, users can have different passwords on both systems.

Of course it's now a requirement that user data - name, id, group memberships, etc. as well as POSIX groups be in sync for security reasons. Out of 500+ production users, only about 60 are allowed access to the test system.

The parts of ipa not in use that dictate totally separate systems are HBAC and RBAC. The test system was supposed to be where rules were tested before being deployed across production clusters. We need to move away from the pushing of static access.conf files for every change.

So setting up the test ipa server as part of the production ipa environment is not an option. Additional user training on creating users twice as well as all changes is a non-starter.

So now I'm down to a hideous, custom sync process that will not do passwords (really bad idea) or set up a 389ds one-way sync from the production backup ipa node to the test node. The single most important aspect is when a user gets locked out on production it also happens on the test system.

Is this one-way sync a feasible method to chase? I'll have to build a test setup and validate "no production side harm" before I can implement anything.

Probably need to dig through the fractional replication to only push over user and group data.
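Whichever mechanism ends up doing the sync (fractional replication or a custom process), the validation step the post mentions needs a way to prove that the two directories agree on exactly the data that matters and that nothing credential-related crossed over. The following is an added example, not code from the poster or from FreeIPA/389-ds: a drift check that compares the allowed subset of users between production and test on name, POSIX ids, group membership and the `nsAccountLock` disabled flag, ignores password and Kerberos key attributes entirely, and flags the case the post calls most important (locked in production, still unlocked on test). In practice the entries would come from an `ldapsearch` export or an LDAP client library; here they are constructed inline so the check runs offline.

```python
"""Drift check between a production IPA directory and a test directory.

Added example: compares only the user attributes that must stay in sync
and deliberately ignores credential material. Entries are normally
fetched from both directories; here they are constructed inline.
"""
from dataclasses import dataclass, field

# Attributes the sync must carry. nsAccountLock is the 389-ds/FreeIPA
# attribute that marks an account disabled, which is the lockout case the
# post cares most about.
SYNC_ATTRS = ("cn", "uidNumber", "gidNumber", "nsAccountLock")

# Attributes that must never be compared or copied across (assumption:
# the sync is designed to exclude credentials entirely).
SECRET_ATTRS = ("userPassword", "krbPrincipalKey", "krbPasswordExpiration")


@dataclass
class Entry:
    uid: str
    attrs: dict
    groups: frozenset = field(default_factory=frozenset)


def _normalize(entry):
    """Drop secret attributes and normalise the lock flag's case so that
    neither can influence the comparison result."""
    clean = {}
    for key, value in entry.attrs.items():
        if key in SECRET_ATTRS:
            continue
        if key == "nsAccountLock":
            value = str(value).upper()  # LDAP boolean: TRUE/FALSE, any case
        clean[key] = value
    return clean


def check_drift(prod, test, allowed):
    """Return findings keyed by uid.

    prod/test: {uid: Entry}; allowed: set of uids permitted on test.
      'missing'    - allowed user exists in prod but not on test
      'unexpected' - user on test who is not in the allowed set
      'attrs'      - list of SYNC_ATTRS that differ
      'groups'     - (groups missing on test, groups extra on test)
      'lock'       - locked in prod but not on test (the critical case)
    """
    findings = {}
    for uid in sorted(allowed):
        p, t = prod.get(uid), test.get(uid)
        if p is None:
            continue  # nothing to sync if prod does not have the user
        if t is None:
            findings[uid] = {"missing": True}
            continue
        pa, ta = _normalize(p), _normalize(t)
        result = {}
        diff = [a for a in SYNC_ATTRS if pa.get(a) != ta.get(a)]
        if diff:
            result["attrs"] = diff
        if p.groups != t.groups:
            result["groups"] = (sorted(p.groups - t.groups),
                                sorted(t.groups - p.groups))
        if pa.get("nsAccountLock") == "TRUE" and ta.get("nsAccountLock") != "TRUE":
            result["lock"] = True
        if result:
            findings[uid] = result
    for uid in sorted(set(test) - set(allowed)):
        findings[uid] = {"unexpected": True}
    return findings


def sample_data():
    """Constructed sample entries (not real directory data)."""
    prod = {
        "alice": Entry("alice", {"cn": "Alice A", "uidNumber": 1001, "gidNumber": 1001,
                                 "nsAccountLock": "TRUE", "userPassword": "{SSHA}x"},
                       frozenset({"ipausers", "testers"})),
        "bob": Entry("bob", {"cn": "Bob B", "uidNumber": 1002, "gidNumber": 1002,
                             "nsAccountLock": "FALSE", "userPassword": "{SSHA}y"},
                     frozenset({"ipausers"})),
        "carol": Entry("carol", {"cn": "Carol C", "uidNumber": 1003, "gidNumber": 1003,
                                 "nsAccountLock": "FALSE"}, frozenset({"ipausers"})),
    }
    test = {
        # alice: unlocked on test although locked in prod, and missing a group
        "alice": Entry("alice", {"cn": "Alice A", "uidNumber": 1001, "gidNumber": 1001,
                                 "nsAccountLock": "false", "userPassword": "{SSHA}z"},
                       frozenset({"ipausers"})),
        # bob: in sync (password attributes differ, which must be ignored)
        "bob": Entry("bob", {"cn": "Bob B", "uidNumber": 1002, "gidNumber": 1002,
                             "nsAccountLock": "FALSE"}, frozenset({"ipausers"})),
        # dave: exists only on test and is not in the allowed set
        "dave": Entry("dave", {"cn": "Dave D", "uidNumber": 9000, "gidNumber": 9000,
                               "nsAccountLock": "FALSE"}, frozenset()),
    }
    allowed = {"alice", "bob"}  # the post's "only about 60 are allowed" subset
    return prod, test, allowed


if __name__ == "__main__":
    for uid, finding in check_drift(*sample_data()).items():
        print(uid, finding)
```

Run as a script it prints one line per drifted or unexpected account; in the constructed data that is `alice` (lock and group drift) and `dave` (present on test but not allowed), while `bob` is silent because only ignored credential attributes differ. The same function can be pointed at real exports once the sync exists, and a non-empty result is what "production side harm" or a broken one-way push would look like from the test side.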