Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1291240

Summary: [RFE] Support Read-Only Replicas
Product: Red Hat Enterprise Linux 8 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED UPSTREAM QA Contact: Namita Soman <nsoman>
Severity: medium Docs Contact:
Priority: high    
Version: 8.0CC: abokovoy, anazmy, batkisso, chorn, cmattern, dpal, fherrman, fperalta, gothicx, ignacio, info, info, jswensso, ldelouw, msauton, msawyer, mschwabe, pasik, patdung100+redhat, pcech, pvoborni, rcritten, rmahique, shetze, sigbjorn, tscherf, wdh
Target Milestone: rcKeywords: FutureFeature
Target Release: 8.0Flags: tscherf: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-06 12:17:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Kosek 2015-12-14 11:48:42 UTC 
Identity Management users with many sites requiring high availability would need at least 1-2 IdM replicas per site. When the number of sites is higher than 20-50, the number of IdM Master servers become too high and harder to maintain. It would be better to deploy ~20 IdM master servers in the major sites and then deploy Read Only replicas in other sites which won't require write access.

Currently, IdM only supports only writable replicas and the high availability is provided by these replicas + offline caching on the client (SSSD) side. However, this does not cover situations when the connection to IdM master server (in other side) is broken and admin needs to log in to a server he/she never logged to.
Comment 4 Petr Vobornik 2016-01-04 18:05:02 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5569
Comment 16 W. de Heiden 2017-10-23 09:21:43 UTC 
This story is a long way....
Read only replica's would be high appreciated! Quit some organizations use a read only Windows Domain Controller in DMZ for obvious reason. Some kind of read-only replica's would fit this situation :)
Comment 17 Marco Rodrigues 2017-11-07 08:16:47 UTC 
(In reply to W. de Heiden from comment #16)
> This story is a long way....
> Read only replica's would be high appreciated! Quit some organizations use a
> read only Windows Domain Controller in DMZ for obvious reason. Some kind of
> read-only replica's would fit this situation :)

You're completely right. The adoption of this product is limited due to this issue. Another example is premises (write master) -> Cloud (read-only replica).
Comment 24 W. de Heiden 2018-04-26 08:56:46 UTC 
any progress on this. The last two years lacking a read-only replica was a no-go for IPA for several customers....
Comment 25 Marco Rodrigues 2018-04-26 09:43:39 UTC 
Mr Heiden,
You are completly right. We are force to use the old way LDAP which is really obsolete compared to FreeIPA.
Comment 27 Martin Kosek 2018-06-14 11:36:41 UTC 
Please note that this is a very complex RFE. The engineering team is aware of it and has in a (very) long term radar, but it is simply too complex and not prioritized enough to do it in near future. I do not expect it to land in next 1-2 years at least unless there is a strong contribution in the upstream project.

What is more likely to arrive sooner than a Read Only replica is a trust relationship between IdM/FreeIPA replicas, so that for example there can be FreeIPA deployment in DMZ, with trust to (One Way?) Trust to other IdM replica out of DMZ.
Comment 33 Petr Čech 2020-08-06 12:17:08 UTC 
Support of the Red-Only replicas is a long standing requirement that has superior complexity and scope. At this point Red Hat Engineering does not see Red Hat delivering this functionally in any foreseeable future. The community ticket (https://pagure.io/freeipa/issue/5569) will still be open welcoming contributions. With the emergence of the microservice technologies and short lived services and clusters Red Hat engineering believes that a better approach would be to support cross-forest IdM to IdM trusts allowing deployment of the small IdM clusters at the edge or in DMZ thus addressing most of the reasons for this requirement. 
Please track the progress for IdM to IdM trusts via the following BZ https://bugzilla.redhat.com/show_bug.cgi?id=1185854.
Comment 34 f1outsourcing 2023-09-21 13:07:36 UTC Comment hidden (spam)