#3742 [RFE] Allow one way replication between IPA servers
Opened 10 years ago by sirex. Modified 7 years ago

It'd be handy if you could have a replication relationship be one way only.

In my instance, this would be used to have an IPA server which could provide central auth to development and test environments, without polluting the domain with development machines and temporary users.

This might perhaps also be useful for security minded situations like DMZ subnets where you wish to limit the interactions between the DMZ and the main LAN, and wish to put an IPA server into that environment to service those machines.


For the DMZ case we plan to eventually have read only replicas, but making another step and allowing local changes that are not replicated from those local replicas would be a logical choice. The alternative would be to have two different IPA domains and a one way trust between them. We are not there yet.

For a dev environment there could be a relatively easy way to achieve this.

We use MMR where each server has a replication agreement with the other. If you delete the agreement on the dev side it will no longer send out changes. I definitely wouldn't try this on any set of IPA servers I care about.

This will likely break ipa-replica-manage in odd ways, including trying to eventually delete the server.

I imagine that in the end this sort of agreement would be more annoying than anything. There are probably a ton of corner cases you'd run into, including things like exhausting the DNA range for new users/groups.

This use case will be addressed best with the IPA to IPA trust feature that we have on our long roadmap.
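The comment above describes the mechanism behind a one-way link: a 389-ds replication agreement lives on the server that pushes changes and names the receiver, so MMR between two servers is two agreements, and deleting only the dev-side one leaves prod pushing to dev while dev pushes nowhere. The script below is an added example, not FreeIPA's code or anything from this ticket. It parses constructed ldapsearch-style dumps of `nsds5replicationagreement` entries (the object class and the `nsDS5ReplicaHost` attribute are real 389-ds names; the host names `ipa1.example.com`, `ipa2.example.com` and `ipa-dev.example.com` and the bind DN are made up) into a directed graph, checks which direction changes flow, and shows what the topology looks like after the dev server's own agreements are removed, including that changes from a second prod replica still reach dev through the first one.

```python
"""Model a FreeIPA/389-ds replication topology as a directed graph and
check which way changes flow before and after removing the dev server's
outbound agreement. Added example; the LDIF below is constructed, not a
real dump, and the host names are invented."""
from collections import deque

# Constructed sample of what
#   ldapsearch -b "cn=mapping tree,cn=config" "(objectClass=nsds5replicationagreement)"
# might return on each server (one dump per server, keyed by its host name).
AGREEMENTS_LDIF = {
    "ipa1.example.com": """\
dn: cn=meToipa2.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa2.example.com
nsDS5ReplicaHost: ipa2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com

dn: cn=meToipa-dev.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa-dev.example.com
nsDS5ReplicaHost: ipa-dev.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com
""",
    "ipa2.example.com": """\
dn: cn=meToipa1.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa1.example.com
nsDS5ReplicaHost: ipa1.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com
""",
    "ipa-dev.example.com": """\
dn: cn=meToipa1.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa1.example.com
nsDS5ReplicaHost: ipa1.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=example,dc=com
""",
}


def parse_agreements(ldif_text):
    """Return the replication-agreement entries in an LDIF dump as dicts of
    lower-cased attribute name -> list of values (attributes may repeat)."""
    entries, current = [], {}
    for line in ldif_text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries
            if "nsds5replicationagreement" in [v.lower() for v in e.get("objectclass", [])]]


def topology(dumps):
    """Directed edges (pusher, receiver): an agreement hosted on server S that
    names host H in nsDS5ReplicaHost means S pushes its changes to H."""
    edges = set()
    for server, ldif_text in dumps.items():
        for entry in parse_agreements(ldif_text):
            edges.add((server, entry["nsds5replicahost"][0]))
    return edges


def reaches(edges, src, dst):
    """True if a change written on src is replicated to dst, directly or via hops."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for a, b in edges:
            if a == node and b not in seen:
                seen.add(b)
                queue.append(b)
    return False


def direction(edges, a, b):
    """Summarise the flow between two servers as a short string."""
    fwd, back = reaches(edges, a, b), reaches(edges, b, a)
    if fwd and back:
        return "two-way"
    if fwd:
        return f"{a} -> {b} only"
    if back:
        return f"{b} -> {a} only"
    return "disconnected"


def without_outbound(edges, server):
    """Topology after every agreement hosted on `server` is deleted (the dev-side
    deletion the comment above describes). Agreements pointing *at* server stay,
    so it keeps receiving changes but never sends any."""
    return {(a, b) for a, b in edges if a != server}


def ldapdelete_commands(dumps, server):
    """The ldapdelete invocations that would remove server's own agreements.
    Bind DN is a hypothetical placeholder; per the comment above, only do this
    on a throwaway dev replica."""
    return [f'ldapdelete -H ldap://{server} -D "cn=Directory Manager" -W "{e["dn"][0]}"'
            for e in parse_agreements(dumps[server])]


if __name__ == "__main__":
    full = topology(AGREEMENTS_LDIF)
    one_way = without_outbound(full, "ipa-dev.example.com")
    print("before:", direction(full, "ipa1.example.com", "ipa-dev.example.com"))
    print("after: ", direction(one_way, "ipa1.example.com", "ipa-dev.example.com"))
    print("ipa2 -> dev via ipa1:", reaches(one_way, "ipa2.example.com", "ipa-dev.example.com"))
    print("\n".join(ldapdelete_commands(AGREEMENTS_LDIF, "ipa-dev.example.com")))
```

The graph model makes the caveats in the thread concrete: `without_outbound` removes the dev server's agreement, so the dev server is still a replica that prod knows about and still pushes to, which is exactly why `ipa-replica-manage` tooling that expects symmetric agreements can get confused, and why the dev server's DNA range will never be refilled from prod once it runs out.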

Metadata Update from @sirex:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago
