FreeIPA supports trusts with AD (mostly in the AD -> IPA direction; the other direction will be ready when #3125 is closed).
When the full AD trust is ready, the implemented interface shall also be used to create a trust with other FreeIPA DCs.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1185854
#3125 is a prerequisite for this work, which on its own is a stretch. This RFE will thus rather land in a later release.
Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: Global Catalog and IPA-IPA trust (was: FreeIPA 4.5 backlog)
Notes:
- IPA ID range detection needs to be added to allow pulling ID range info from an IPA deployment to be trusted. Right now we just apply the same lookup as in the AD case, and this is not pulling the right range.
Status:
- https://github.com/abbra/freeipa/tree/wip-ipa-ipa-trust contains current changes to support trust between two IPA deployments. It is still preliminary, as the way to establish trust will change.
- IPA and SSSD changes are available in https://copr.fedorainfracloud.org/coprs/abbra/wip-ipa-trust/ and can be tested with Fedora 40/41.
The attached tarball contains an ansible playbook that can be used to configure and exercise trust between two IPA deployments. Instructions are available inside the tarball.
Attachment: local-ipa-ipa-trust-demo.tar (/freeipa/issue/raw/files/be501c9890998b58ab84c5adbdcd3c3717a23454bc3a47d6912bf811bff520c9-local-ipa-ipa-trust-demo.tar)