[389-users] Protection of entries on downstream master or hub

Lucas Sweany lsweany at qualys.com
Thu Aug 30 18:52:05 UTC 2012


I would like to protect certain entries in a hub 389-ds host from getting
obliterated during a full re-initialization of an agreement. Strange, yes,
but hear me out.

To keep duty separation intact, we've set up a scenario where we've got one
group managing Active Directory and one 389 server (389-A), and another
group maintaining a 389 hub (389-B). 389-A syncs from AD one-way, and then
replicates to 389-B. However, things like sudoers and posix attributes
(uids and gids) are managed on 389-B for convenience. Unfortunately, the
sudoers OU and uids/gids get destroyed if 389-A performs a
re-initialization of the agreement--by design I'm sure.

Is there a way to protect the sudoers OU and specific attributes of users
on 389-B in this scenario? It looks like my options are to mess with
fractional replication, ACIs, to meticulously back up these attributes and
restore them in the rare event we need to re-initialize, or to give up the
convenience and have those attributes managed on 389-A.

Is there no easy answer to this without giving up the ability to manage
some things locally on 389-B?

Thanks,

-Lucas