[Freeipa-devel] disaster recovery if replica was compromised
Petr Spacek
pspacek at redhat.com
Wed Dec 3 15:41:12 UTC 2014
Hello,
I wonder what we can recommend as disaster recovery procedure for cases where
a replica (its LDAP database) was compromised.
Saying "you are screwed" doesn't sound like the right answer :-D
It is clear that all passwords and keys have to be changed and complete
replica re-installation is inevitable.
I would expect something like:
- install fresh FreeIPA server and do not connect it to the compromised topology
- run migrate-ds to get users, groups etc. (review is necessary)
- use this to force all users to change passwords
- use this to re-generate all certificates ...
This sounds like yet another case for FreeIPA-FreeIPA migration tool which
could import SUDO rules and all other FreeIPA-specific stuff.
Any ideas?
--
Petr^2 Spacek
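The sequence sketched in the message above, written out as an added dry-run skeleton; this is not code from the original post or from the FreeIPA project. It assumes hypothetical names (old.example.test as a read-only copy of the compromised directory that is queried but never joined as a replica, dc=example,dc=test as the base DN), that the fresh server has already been installed with ipa-server-install and is not connected to the compromised topology, and that the migrated password hashes are themselves untrusted, so every account is expired rather than kept. The certificate step only resubmits existing certmonger requests to the new CA; it reuses host keys, which is fine if only the replica's LDAP database leaked but not if the hosts themselves were compromised.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA itself:
# dry-run skeleton of the recovery sequence sketched in the message.
# Hypothetical names: OLD_LDAP is a read-only copy of the compromised
# replica's directory (read, never joined as a replica); the commands run
# on the fresh, isolated server.  DRY_RUN=1 prints commands, 0 executes them.
DRY_RUN=${DRY_RUN:-1}
OLD_LDAP=${OLD_LDAP:-ldap://old.example.test}
BASE_DN=${BASE_DN:-dc=example,dc=test}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Pull users and groups into the new server.  --continue keeps going past
# entries that fail, so the failure list can be reviewed afterwards.
migrate_identities() {
    run ipa migrate-ds "$OLD_LDAP" \
        --bind-dn="cn=Directory Manager" \
        --base-dn="$BASE_DN" \
        --user-container="cn=users,cn=accounts" \
        --group-container="cn=groups,cn=accounts" \
        --continue
}

# Enumerate user logins; with --raw each user prints a 'uid: login' line.
list_users() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "alice bob"                  # constructed sample for the dry run
    else
        ipa user-find --all --raw | sed -n 's/^ *uid: //p'
    fi
}

# The migrated hashes came from the compromised database, so expire every
# password.  A krbPasswordExpiration in the past (GeneralizedTime, UTC)
# forces a change at next login; the stamp can be overridden as $1.
expire_all_passwords() {
    stamp=${1:-19700101000000Z}
    for u in $(list_users); do
        run ipa user-mod "$u" --setattr "krbPasswordExpiration=$stamp"
    done
}

# certmonger request IDs on this host, from "Request ID '...':" lines.
list_cert_requests() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "20141203000001"             # constructed sample request ID
    else
        ipa-getcert list | sed -n "s/^Request ID '\(.*\)':.*/\1/p"
    fi
}

# The old CA is compromised too: once certmonger tracks the new CA,
# resubmit each request to get a certificate issued by it.  Keys are
# reused, so rekey separately if the host itself was compromised.
reissue_host_certs() {
    for id in $(list_cert_requests); do
        run ipa-getcert resubmit -i "$id"
    done
}

recover() {
    migrate_identities
    expire_all_passwords
    reissue_host_certs
}
```

Run `DRY_RUN=1 sh recover.sh` first and read the printed command list; SUDO rules, HBAC rules and other FreeIPA-specific entries are not carried over by migrate-ds and still have to be recreated by hand (the gap the message points at).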