[Freeipa-users] Export data

Martin Kosek mkosek at redhat.com
Fri Jan 24 08:12:55 UTC 2014


Dimitar, this is actually a very good question. Our team has been discussing
the best way to back up and restore a FreeIPA infrastructure for some time. In
FreeIPA 3.2, we introduced ipa-backup and ipa-restore scripts which we are
evaluating, but we still think that the best way to back up and restore may be
simply creating replicas and/or system snapshots.

You can read full details in this article:

http://www.freeipa.org/page/Backup_and_Restore

Feedback welcome,
Martin

On 01/23/2014 05:03 PM, Dimitar Georgievski wrote:
> In my case DNS is not an issue, FreeIPA is integrated with existing DNS
> servers.
> 
> The above procedure would work for migrating the user's data to a new IPA
> server that has a new host name. What if I would like to restore the
> original IPA server? Could I repeat the above steps with the exception of
> #4, in which I would restore backed-up certificates and keytab files? This
> should avoid the need to regenerate them, no?
> 
> In short how would you perform a full back-up and restore of the Primary
> IPA server?  I understand this is not a trivial task for the IPA server and
> from what I've learned it is probably not fully supported in the current
> ver 3.x
> 
> 
> Thanks,
> 
> Dimitar
> 
> 
> 
> On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
>>> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>>>> Would you use ldapmodify -f file-name-with-exported-data to import the
>>>> data back to a new copy of FreeIPA?
>>>
>>> No, that generally won't work. There's more to IPA than the data in LDAP.
>>> Instead of copying data you should install the new server as a replica of the
>>> old one.
>>
>> That would give you FreeIPA with the same domain, realm or certificate subject
>> name.
>>
>> If you want to start with different settings, I would recommend:
>>
>> 1) Installing new IPA server
>> 2) Using "ipa migrate-ds" command to migrate users and groups
>> 3) Use the ldapsearch&ldapmodify to migrate DNS (you may need to change the DN
>> in the LDIF file to use correct SUFFIX if the realm changed)
>> 4) For all hosts - unenroll and enroll again against the new IPA. This is
>> needed to regenerate the new certificates or host keytab
>>
>> HTH,
>> Martin
>>
> 
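
Step 3 of the quoted procedure notes that the DN suffix in the exported DNS LDIF may need changing when the realm changes. The following is an added example, not part of the original thread or of FreeIPA, that rewrites only entry DNs and handles folded lines and base64-encoded DNs; the suffixes and sample entries are constructed, and DNs are assumed to have no spaces after commas.

```python
import base64

OLD, NEW = "dc=old,dc=example,dc=test", "dc=new,dc=example,dc=test"  # constructed
# Constructed sample: a folded DN, a plain DN and a base64 (non-ASCII) DN.
SAMPLE = (
    "dn: idnsname=example.test.,cn=dns,dc=old,dc=exam\n"
    " ple,dc=test\n"
    "objectClass: idnszone\n\n"
    "dn: idnsname=www,idnsname=example.test.,cn=dns,dc=old,dc=example,dc=test\n"
    "aRecord: 192.0.2.10\n\n"
    "dn:: " + base64.b64encode(
        ("idnsname=m\u00fcnchen,cn=dns," + OLD).encode("utf-8")).decode("ascii") + "\n"
)

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def swap_suffix(dn, old, new):
    """Replace `old` with `new` only when it is the DN's trailing RDN sequence."""
    d, o = dn.strip(), old.strip()
    cut = len(d) - len(o)
    if cut < 0 or d[cut:].lower() != o.lower():
        return dn
    if cut == 0:
        return new
    # Require a real RDN separator; an escaped comma (\,) is part of a value,
    # so such a DN is left untouched for manual review.
    if d[cut - 1] != "," or d[:cut].endswith("\\,"):
        return dn
    return d[:cut] + new

def rewrite_ldif(text, old, new):
    """Rewrite entry DNs only; DN-valued attributes are not modified."""
    out = []
    for line in unfold(text):
        if line.lower().startswith("dn::"):
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
            dn = swap_suffix(dn, old, new)
            line = "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")
        elif line.lower().startswith("dn:"):
            line = "dn: " + swap_suffix(line[3:].strip(), old, new)
        out.append(line)
    return "\n".join(out) + "\n"
```

Diff the rewritten file against the export before feeding it to ldapmodify, so any DN that was skipped (for example one with an escaped comma) is visible.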