Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1291240
Identity Management users with many sites requiring high availability would need at least 1-2 IdM replicas per site. When the number of sites is higher than 20-50, the number of IdM Master servers become too high and harder to maintain. It would be better to deploy ~20 IdM master servers in the major sites and then deploy Read Only replicas in other sites which won't require write access. Currently, IdM only supports only writable replicas and the high availability is provided by these replicas + offline caching on the client (SSSD) side. However, this does not cover situations when the connection to IdM master server (in other side) is broken and admin needs to log in to a server he/she never logged to.
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: Future Releases
Another use-case:
Site may want to deploy IdM replicas in a DMZ for service to outside clients but are concerned about greater exposure to unwanted changes making it back into the organization.
If by "services" we mean Kerberos, it's possible to do that today by deploying kdcproxy: https://github.com/latchset/kdcproxy/
However, this won't get you other services.
Question: what would a solution to this look like?
Would it have to be a tweak to the replication code to make it one-way only?
Or might it be possible to do it via an export/transfer/reimport?
Login to comment on this ticket.