I have a multi-site production setup with a total of 8 ipa servers and a second, very tiny test setup run by a single ipa server.
When designed, the plan was that the test and prod systems were totally separate: no sync, and users could have different passwords on both systems. Of course it's now a requirement that user data (name, id, group memberships, etc.) as well as POSIX groups be in sync for security reasons. Out of 500+ production users, only about 60 are allowed access to the test system.
The parts of ipa not in use that dictate totally separate systems are HBAC and RBAC. The test system was supposed to be where rules were tested before being deployed across production clusters. We need to move away from pushing static access.conf files for every change.
So setting up the test ipa server as part of the production ipa environment is not an option. Additional user training on creating users twice, as well as making all changes twice, is a non-starter.
So now I'm down to either a hideous, custom sync process that will not do passwords (really bad idea) or setting up a 389ds one-way sync from the production backup ipa node to the test node. The single most important aspect is that when a user gets locked out on production it also happens on the test system.
Is this one-way sync a feasible method to chase? I'll have to build a test setup and validate "no production side harm" before I can implement anything. I'll probably need to dig through the fractional replication to only push over user and group data.
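Whatever sync mechanism is chosen, the validation step mentioned above needs a way to show whether the test side actually matches production on the attributes that matter (identity, POSIX ids, group membership, lock state) while ignoring passwords. The following drift check is an added example, not code from the poster or from FreeIPA; the entries are constructed stand-ins for what an LDAP search of each server would return, and the attribute names are the standard IPA user attributes.

```python
from typing import Dict, List, Tuple

# Attributes the sync must keep identical; userPassword and Kerberos keys are
# deliberately absent. nsAccountLock is the replicated "disabled" flag set by
# `ipa user-disable`; per-server failed-login counters (krbLoginFailedCount)
# are excluded from IPA's default replication and are not checked here.
USER_ATTRS = ("uid", "cn", "uidNumber", "gidNumber", "nsAccountLock", "memberOf")
GROUP_ATTRS = ("cn", "gidNumber", "member")

Mismatch = Tuple[str, str, object, object]  # (entry key, attribute, prod, test)


def _norm(value):
    """Compare multi-valued attributes as order-insensitive, case-folded tuples."""
    if isinstance(value, (list, tuple, set)):
        return tuple(sorted(str(v).lower() for v in value))
    return str(value).lower()


def diff_entries(prod: Dict[str, dict], test: Dict[str, dict],
                 attrs: Tuple[str, ...]) -> List[Mismatch]:
    """Walk the (smaller) test side and compare each entry with production.

    An entry that exists only on test is reported with attribute "<entry>" since
    it has no authoritative source; entries only on production are expected
    (most prod users never get test access) and are not reported."""
    problems: List[Mismatch] = []
    for key, t_entry in test.items():
        p_entry = prod.get(key)
        if p_entry is None:
            problems.append((key, "<entry>", None, "present only on test"))
            continue
        for attr in attrs:
            if _norm(p_entry.get(attr, "")) != _norm(t_entry.get(attr, "")):
                problems.append((key, attr, p_entry.get(attr), t_entry.get(attr)))
    return problems


def still_enabled_on_test(problems: List[Mismatch]) -> List[str]:
    """Users locked on production whose lock did not reach the test side."""
    return [key for key, attr, pv, _ in problems
            if attr == "nsAccountLock" and str(pv).upper() == "TRUE"]


# Constructed sample data (hypothetical domain) standing in for LDAP results.
G = "cn=groups,cn=accounts,dc=example,dc=test"
PROD_USERS = {
    "alice": {"uid": "alice", "cn": "Alice Example", "uidNumber": "1001", "gidNumber": "1001",
              "nsAccountLock": "TRUE", "memberOf": [f"cn=devs,{G}", f"cn=admins,{G}"]},
    "bob": {"uid": "bob", "cn": "Bob Example", "uidNumber": "1002", "gidNumber": "1002",
            "nsAccountLock": "FALSE", "memberOf": [f"cn=devs,{G}"]},
}
TEST_USERS = {  # alice was disabled on prod but the lock never propagated
    "alice": dict(PROD_USERS["alice"], nsAccountLock="FALSE", memberOf=[f"cn=devs,{G}"]),
    "bob": dict(PROD_USERS["bob"]),
    "dave": {"uid": "dave", "cn": "Dave Only", "uidNumber": "1004", "gidNumber": "1004"},
}
```

Running `diff_entries(PROD_USERS, TEST_USERS, USER_ATTRS)` on the sample reports alice's lock state and group membership plus dave as an orphan, and `still_enabled_on_test` isolates the lockout failures the poster cares about most.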