I work for a large corporation where we like to switch from OpenLDAP (with Krb5) to RedHat idM. I'll call it xyz.com The IAM system we are refactoring was setup more than a decade ago, and based on OpenLDAP. We had a primary or master server in one location, with multiple RO replicas, geographically distributed. The user and group spaces were flat, from an LDAP OU and kerberos 5 perspective. There was only a single realm. DNS was not used for kerberos, with krb5.conf files managed so clients are pushed to the closest KDC. After the system was running, the CIO implemented a corporate SSO using an Enterprise Directory (which also Open LDAP or some other 389 descendant). There are isolated pockets of AD, and nothing in the TLD. So, AD is not really used at the Enterprise level. I'm exploring the replication options using the following assumptions. - Not using AD, only OpenLDAP, RHDS, or some 389 variant. - There will be a minimum of 3 but eventually 7 locations with an IdM server deployed. Each location uses a unique subdomain under xyz.com - We allocate uids and gids starting at 100K. We still want it to be flat. - We would like to use a Pass Through Agent (PTA) to our Enterprise Directory, for this block of users, if possible, for the LDAP binding. - We would like have a single kerberos realm for all of these locations. - There is no expectation that the LDAP and Kerberos passwords will be synced. I've seen some conversations in the mailing list archives, but nothing recent. Hopefully, someone can give me some pointers or websites which discuss replication/deployment scenarios. -- Chris