Old 08-30-2012, 06:52 PM
Lucas Sweany
 
Protection of entries on downstream master or hub

I would like to protect certain entries in a hub 389-ds host from getting obliterated during a full re-initialization of an agreement. Strange yes, but hear me out.

To keep duty separation intact, we've set up a scenario where we've got one group managing Active Directory and one 389 server (389-A), and another group maintaining a 389 hub (389-B). 389-A syncs from AD one-way, and then replicates to 389-B. However, things like sudoers and posix attributes (uids and gids) are managed on 389-B for convenience. Unfortunately, the sudoers OU and uids/gids get destroyed if 389-A performs a re-initialization of the agreement--by design I'm sure.


Is there a way to protect the sudoers OU and specific attributes of users on 389-B in this scenario? It looks like my options are to mess with fractional replication, ACIs, to meticulously back-up these attributes and restore them in the rare event we need to re-initialize, or to give up the convenience and have those attributes managed on 389-A.


Is there no easy answer to this without giving up the ability to manage some things locally on 389-B?

Thanks,

-Lucas

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-30-2012, 07:07 PM
Rich Megginson
 
Protection of entries on downstream master or hub

Can you separate the data by suffix? The unit of replication is a
database, so if you can create a sub-suffix in its own database, you
could replicate that separately.



https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html



 
Old 08-30-2012, 07:12 PM
Lucas Sweany
 
Protection of entries on downstream master or hub

I could try that sudoers and groups, but what about the attributes (like uidNumber and gidNumber) on the individual users that are in the replicated suffix?

-Lucas

 
Old 08-30-2012, 07:20 PM
Rich Megginson
 
Protection of entries on downstream master or hub

Looks like you're out of luck. Please file an enhancement request
at https://fedorahosted.org/389
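
The backup-and-restore option from the original question, for the per-user attributes that a separate suffix cannot cover, as an added example that is not part of the thread or of 389-ds: it compares an LDIF export of 389-B taken before a re-initialization with one taken afterwards and emits ldapmodify input that puts the local values back. The attribute list, the posixAccount object class and the example.com DNs are assumptions.

```python
import base64
# Assumed (not from the thread): the data managed locally on 389-B is these
# attributes plus this object class, and their values are plain ASCII.
LOCAL_ATTRS = ("uidNumber", "gidNumber")
LOCAL_CLASSES = ("posixAccount",)

def parse_ldif(text):
    """Parse LDIF into {lowercased dn: {lowercased attr: [values]}}."""
    entries, cur = {}, None
    # RFC 2849: a line that starts with one space continues the previous line.
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if not line.strip():
            cur = None  # a blank line ends the current entry
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8") if b64 else rest.strip()
            if name.lower() == "dn":
                cur = entries.setdefault(value.lower(), {"dn": [value]})
            elif cur is not None:
                cur.setdefault(name.lower(), []).append(value)
    return entries

def restore_ldif(before, after):
    """Return ldapmodify input that restores local data lost between exports."""
    out = []
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            continue  # entry no longer exists after re-init: do not resurrect it
        have = {c.lower() for c in new.get("objectclass", [])}
        want = {c.lower() for c in old.get("objectclass", [])}
        mods = ["add: objectClass\nobjectClass: %s\n-" % c for c in LOCAL_CLASSES
                if c.lower() in want and c.lower() not in have]
        for attr in LOCAL_ATTRS:
            vals = old.get(attr.lower())
            if vals and sorted(vals) != sorted(new.get(attr.lower(), [])):
                body = "\n".join("%s: %s" % (attr, v) for v in vals)
                mods.append("replace: %s\n%s\n-" % (attr, body))
        if mods:
            out.append("dn: %s\nchangetype: modify\n%s\n" % (new["dn"][0], "\n".join(mods)))
    return "\n".join(out)

# Constructed sample: alice before and after a re-initialization from 389-A.
BEFORE = ("dn: uid=alice,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
          "objectClass: posixAccount\nuidNumber: 10001\ngidNumber: 10001\n")
AFTER = "dn: uid=alice,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
if __name__ == "__main__":
    print(restore_ldif(parse_ldif(BEFORE), parse_ldif(AFTER)))
```

The object class is re-added alongside the attributes because uidNumber and gidNumber are rejected by schema checking on an entry that no longer carries a class allowing them.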





 
