On Wed, 16 Dec 2020, Karim Bourenane via FreeIPA-users wrote:
Hello François, team
Thanks for the feedback.
What I want is to deploy replica IPA servers in each zone, so that
this replication is not complete.
The goal is to manage exclusively and independently of each zone, the users
auth. / dns / certificates, in short the local authentications to this zone.
I found, on the freeipa.org site, the command:
ipa toplogysuffix-add
But this command does not exist on my version of IPA server 4.6.5.
Is this a plugin that I need to install? Can you orient me?

No. As Francois said, there is no support for multiple distinct suffixes
in FreeIPA for the purpose of selective replication. This is against
FreeIPA design principles.

Topology suffix management is for a different task of organizing
existing replicas into a mesh with specific connections between
replicas. There are two suffixes in IPA: primary one for everything and
CA suffix for certificate management.

In short, you are not going to be able to achieve that with a single
FreeIPA deployment and there are no plans to provide this functionality
in FreeIPA for a single deployment.

Would this command be used to create another suffix on my master IPA server?
Thank you for your feedback.
Regards
Yours sincerely
Mr Karim Bourenane
On Wed, 16 Dec 2020 at 08:39, François Cami <fcami(a)redhat.com> wrote:
> Hi,
>
> No, this is not possible.
> What you seem to want to achieve will be best served when the FreeIPA to
> FreeIPA domain trust is available.
> This is not the case today.
>
> François
>
> On Tue, Dec 15, 2020 at 6:07 PM Karim Bourenane via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hello Team
>>
>> I have a special question, about a partial replication branch domain LDAP
>> into a FreeIPA v. 4.6.2 on CentOS 7.7.1908.
>>
>> I want to deploy several FreeIPA into several network zones.
>>
>> Is it possible to only replicate a branch of data, to manage only an ipa
>> client / dns / certificate to this zone?
>>
>> I want to segment data replication for security reasons.
>>
>> Perhaps I took my project in a bad way?
>>
>>
>> Regards / Yours sincerely
>> Mr Karim Bourenane
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland