Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Directory (http://www.linux-archive.org/fedora-directory/)
-   -   Protection of entries on downstream master or hub (http://www.linux-archive.org/fedora-directory/699252-protection-entries-downstream-master-hub.html)

Lucas Sweany 08-30-2012 06:52 PM

Protection of entries on downstream master or hub
 
I would like to protect certain entries in a hub 389-ds host from getting obliterated during a full re-initialization of an agreement. Strange yes, but hear me out.

To keep duty separation intact, we've set up a scenario where we've got one group managing Active Directory and one 389 server (389-A), and another group maintaining a 389 hub (389-B). 389-A syncs from AD one-way, and then replicates to 389-B.* However, things like sudoers and posix attributes (uids and gids) are managed on 389-B for convenience. Unfortunately, the sudoers OU and uids/gids get destroyed if 389-A performs a re-initialization of the agreement--by design I'm sure.


Is there a way to protect the sudoers OU and specific attributes of users on 389-B in this scenario? It looks like my options are to mess with fractional replication, ACIs, to meticulously back-up these attributes and restore them in the rare event we need to re-initialize, or to give up the convenience and have those attributes managed on 389-A.


Is there no easy answer to this without giving up the ability to manage some things locally on 389-B?

Thanks,

-Lucas

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 08-30-2012 07:07 PM

Protection of entries on downstream master or hub
 
On 08/30/2012 12:52 PM, Lucas Sweany wrote:
I would like to protect certain entries in a hub
389-ds host from getting obliterated during a full
re-initialization of an agreement. Strange yes, but hear me out.



To keep duty separation intact, we've set up a scenario where
we've got one group managing Active Directory and one 389 server
(389-A), and another group maintaining a 389 hub (389-B). 389-A
syncs from AD one-way, and then replicates to 389-B.* However,
things like sudoers and posix attributes (uids and gids) are
managed on 389-B for convenience. Unfortunately, the sudoers OU
and uids/gids get destroyed if 389-A performs a re-initialization
of the agreement--by design I'm sure.



Is there a way to protect the sudoers OU and specific attributes
of users on 389-B in this scenario? It looks like my options are
to mess with fractional replication, ACIs, to meticulously back-up
these attributes and restore them in the rare event we need to
re-initialize, or to give up the convenience and have those
attributes managed on 389-A.



Is there no easy answer to this without giving up the ability to
manage some things locally on 389-B?




Can you separate the data by suffix?* The unit of replication is a
database, so if you can create a sub-suffix in its own database, you
could replicate that separately.



https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html



Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Lucas Sweany 08-30-2012 07:12 PM

Protection of entries on downstream master or hub
 
I could try that sudoers and groups, but what about the attributes (like uidNumber and gidNumber) on the individual users that are in the replicated suffix?

-Lucas

On Thu, Aug 30, 2012 at 12:07 PM, Rich Megginson <rmeggins@redhat.com> wrote:






On 08/30/2012 12:52 PM, Lucas Sweany wrote:
I would like to protect certain entries in a hub
389-ds host from getting obliterated during a full
re-initialization of an agreement. Strange yes, but hear me out.



To keep duty separation intact, we've set up a scenario where
we've got one group managing Active Directory and one 389 server
(389-A), and another group maintaining a 389 hub (389-B). 389-A
syncs from AD one-way, and then replicates to 389-B.* However,
things like sudoers and posix attributes (uids and gids) are
managed on 389-B for convenience. Unfortunately, the sudoers OU
and uids/gids get destroyed if 389-A performs a re-initialization
of the agreement--by design I'm sure.



Is there a way to protect the sudoers OU and specific attributes
of users on 389-B in this scenario? It looks like my options are
to mess with fractional replication, ACIs, to meticulously back-up
these attributes and restore them in the rare event we need to
re-initialize, or to give up the convenience and have those
attributes managed on 389-A.



Is there no easy answer to this without giving up the ability to
manage some things locally on 389-B?




Can you separate the data by suffix?* The unit of replication is a
database, so if you can create a sub-suffix in its own database, you
could replicate that separately.



https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html




Thanks,



-Lucas






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users







--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 08-30-2012 07:20 PM

Protection of entries on downstream master or hub
 
On 08/30/2012 01:12 PM, Lucas Sweany wrote:
I could try that sudoers and groups, but what about
the attributes (like uidNumber and gidNumber) on the individual
users that are in the replicated suffix?




Looks like you're out of luck.* Please file an enhancement request
at https://fedorahosted.org/389





-Lucas



On Thu, Aug 30, 2012 at 12:07 PM, Rich
Megginson <rmeggins@redhat.com>
wrote:




On 08/30/2012 12:52 PM, Lucas Sweany
wrote:
I would like to protect certain
entries in a hub 389-ds host from getting obliterated
during a full re-initialization of an agreement.
Strange yes, but hear me out.



To keep duty separation intact, we've set up a
scenario where we've got one group managing Active
Directory and one 389 server (389-A), and another
group maintaining a 389 hub (389-B). 389-A syncs from
AD one-way, and then replicates to 389-B.* However,
things like sudoers and posix attributes (uids and
gids) are managed on 389-B for convenience.
Unfortunately, the sudoers OU and uids/gids get
destroyed if 389-A performs a re-initialization of the
agreement--by design I'm sure.



Is there a way to protect the sudoers OU and specific
attributes of users on 389-B in this scenario? It
looks like my options are to mess with fractional
replication, ACIs, to meticulously back-up these
attributes and restore them in the rare event we need
to re-initialize, or to give up the convenience and
have those attributes managed on 389-A.



Is there no easy answer to this without giving up the
ability to manage some things locally on 389-B?






Can you separate the data by suffix?* The unit of
replication is a database, so if you can create a sub-suffix
in its own database, you could replicate that separately.



https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html



Thanks,



-Lucas







--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users













--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


All times are GMT. The time now is 12:29 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.