Identity Management users with many sites requiring high availability would need at least 1-2 IdM replicas per site. When the number of sites is higher than 20-50, the number of IdM Master servers become too high and harder to maintain. It would be better to deploy ~20 IdM master servers in the major sites and then deploy Read Only replicas in other sites which won't require write access. Currently, IdM only supports only writable replicas and the high availability is provided by these replicas + offline caching on the client (SSSD) side. However, this does not cover situations when the connection to IdM master server (in other side) is broken and admin needs to log in to a server he/she never logged to.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5569
This story is a long way.... Read only replica's would be high appreciated! Quit some organizations use a read only Windows Domain Controller in DMZ for obvious reason. Some kind of read-only replica's would fit this situation :)
(In reply to W. de Heiden from comment #16) > This story is a long way.... > Read only replica's would be high appreciated! Quit some organizations use a > read only Windows Domain Controller in DMZ for obvious reason. Some kind of > read-only replica's would fit this situation :) You're completely right. The adoption of this product is limited due to this issue. Another example is premises (write master) -> Cloud (read-only replica).
any progress on this. The last two years lacking a read-only replica was a no-go for IPA for several customers....
Mr Heiden, You are completly right. We are force to use the old way LDAP which is really obsolete compared to FreeIPA.
Please note that this is a very complex RFE. The engineering team is aware of it and has in a (very) long term radar, but it is simply too complex and not prioritized enough to do it in near future. I do not expect it to land in next 1-2 years at least unless there is a strong contribution in the upstream project. What is more likely to arrive sooner than a Read Only replica is a trust relationship between IdM/FreeIPA replicas, so that for example there can be FreeIPA deployment in DMZ, with trust to (One Way?) Trust to other IdM replica out of DMZ.
Support of the Red-Only replicas is a long standing requirement that has superior complexity and scope. At this point Red Hat Engineering does not see Red Hat delivering this functionally in any foreseeable future. The community ticket (https://pagure.io/freeipa/issue/5569) will still be open welcoming contributions. With the emergence of the microservice technologies and short lived services and clusters Red Hat engineering believes that a better approach would be to support cross-forest IdM to IdM trusts allowing deployment of the small IdM clusters at the edge or in DMZ thus addressing most of the reasons for this requirement. Please track the progress for IdM to IdM trusts via the following BZ https://bugzilla.redhat.com/show_bug.cgi?id=1185854.