[389-users] Protection of entries on downstream master or hub

Rich Megginson rmeggins at redhat.com
Thu Aug 30 19:20:00 UTC 2012


On 08/30/2012 01:12 PM, Lucas Sweany wrote:
> I could try that sudoers and groups, but what about the attributes 
> (like uidNumber and gidNumber) on the individual users that are in the 
> replicated suffix?

Looks like you're out of luck.  Please file an enhancement request at 
https://fedorahosted.org/389

>
> -Lucas
>
> On Thu, Aug 30, 2012 at 12:07 PM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 08/30/2012 12:52 PM, Lucas Sweany wrote:
>>     I would like to protect certain entries in a hub 389-ds host from
>>     getting obliterated during a full re-initialization of an
>>     agreement. Strange yes, but hear me out.
>>
>>     To keep duty separation intact, we've set up a scenario where
>>     we've got one group managing Active Directory and one 389 server
>>     (389-A), and another group maintaining a 389 hub (389-B). 389-A
>>     syncs from AD one-way, and then replicates to 389-B.  However,
>>     things like sudoers and posix attributes (uids and gids) are
>>     managed on 389-B for convenience. Unfortunately, the sudoers OU
>>     and uids/gids get destroyed if 389-A performs a re-initialization
>>     of the agreement--by design I'm sure.
>>
>>     Is there a way to protect the sudoers OU and specific attributes
>>     of users on 389-B in this scenario? It looks like my options are
>>     to mess with fractional replication, ACIs, to meticulously
>>     back-up these attributes and restore them in the rare event we
>>     need to re-initialize, or to give up the convenience and have
>>     those attributes managed on 389-A.
>>
>>     Is there no easy answer to this without giving up the ability to
>>     manage some things locally on 389-B?
>
>     Can you separate the data by suffix?  The unit of replication is a
>     database, so if you can create a sub-suffix in its own database,
>     you could replicate that separately.
>
>     https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html
>>
>>     Thanks,
>>
>>     -Lucas
>>
>
>

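The thread leaves backing up the locally managed attributes and restoring them after a re-initialization as the fallback for per-user values. The following is an added example, not part of the original messages and not 389 project code: it turns an LDIF export taken on the hub before the re-init into modify records that put back only those attributes. The function names, the example.com DNs and the sample export are constructed for illustration, and whole entries such as the sudoers OU are out of scope.

```python
import base64

LOCAL_ATTRS = ("uidNumber", "gidNumber")   # locally managed attributes named in the thread

def parse_ldif(text):                       # -> list of (dn, {attr: [values]})
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:               # trailing blank flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries

def ldif_line(name, value):                 # base64-encode values that are not LDIF-safe
    safe = (value.isascii() and value == value.strip() and value[:1] not in (":", "<")
            and not any(c in value for c in "\n\r\0"))
    return f"{name}: {value}" if safe else f"{name}:: {base64.b64encode(value.encode()).decode()}"

def build_restore_ldif(backup_text, attrs=LOCAL_ATTRS):
    """Turn a backup export into modify records that restore only `attrs`."""
    wanted, records = {a.lower(): a for a in attrs}, []
    for dn, entry in parse_ldif(backup_text):
        out = [ldif_line("dn", dn), "changetype: modify"]
        for name, values in entry.items():
            canon = wanted.get(name.lower())
            if canon:
                out += [f"replace: {canon}"] + [ldif_line(canon, v) for v in values] + ["-"]
        if len(out) > 2:                    # skip entries with nothing to restore
            records.append("\n".join(out) + "\n")
    return "\n".join(records)

# Constructed sample export (not from the thread); bob's DN is folded across two lines.
SAMPLE = ("dn: uid=alice,ou=People,dc=example,dc=com\ncn: Alice\nuidNumber: 10001\ngidNumber: 10001\n\n"
          "dn: uid=bob,ou=People,\n dc=example,dc=com\nuidnumber: 10002\n\n"
          "dn: cn=defaults,ou=sudoers,dc=example,dc=com\ncn: defaults\n")
```

The string returned by build_restore_ldif(SAMPLE) is standard LDIF change records; entries that carry none of the listed attributes are left out.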