[Freeipa-devel] disaster recovery if replica was compromised

Petr Spacek pspacek at redhat.com
Wed Dec 3 15:41:12 UTC 2014


Hello,

I wonder what we can recommend as disaster recovery procedure for cases where
a replica (its LDAP database) was compromised.

Saying "you are screwed" doesn't sound like the right answer :-D

It is clear that all passwords and keys have to be changed and complete
replica re-installation is inevitable.

I would expect something like:
- install fresh FreeIPA server and do not connect it to the compromised topology
- run migrate-ds to get users, groups etc. (review is necessary)
- use this to force all users to change passwords
- use this to re-generate all certificates ...

This sounds like yet another case for FreeIPA-FreeIPA migration tool which
could import SUDO rules and all other FreeIPA-specific stuff.

Any ideas?

-- 
Petr^2 Spacek
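The "review is necessary" and "force all users to change passwords" steps above, as an added example that is neither Petr's text nor FreeIPA project code: a small script that reads an LDIF export of the users from the compromised replica, flags accounts a human should look at before trusting them in the fresh topology (privileged group membership, SSH keys, entries that do not look like normally created users), and emits the LDIF modifications that put krbPasswordExpiration in the past so every account must pick a new password at its next authentication. Everything here is assumed for illustration: the sample LDIF is constructed, the base DN dc=example,dc=test and the privileged-group DN are made up, and the helper names are this example's own. Kerberos keytabs, certificates and keys the attacker may already hold are not addressed by this; they still have to be revoked and re-issued.

```python
"""Review users exported from a compromised FreeIPA replica and emit the
LDIF that forces a password change after re-import.  Added example; the
data, DNs and helper names are constructed for illustration."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample export of cn=users,cn=accounts from the old topology.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: krbprincipalaux
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
krbPasswordExpiration: 20250101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: krbprincipalaux
uid: bob
krbPasswordExpiration: 20250101000000Z

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: svc-backup
ipaSshPubKey: ssh-ed25519 AAAAexampleNotARealKey backup@old
krbPasswordExpiration: 20250101000000Z
"""

# Groups an attacker with write access to the old database could have added
# themselves to (assumed DN for this example).
PRIVILEGED_GROUPS = {"cn=admins,cn=groups,cn=accounts,dc=example,dc=test"}

# Any GeneralizedTime in the past works; the epoch is unambiguous.
EPOCH = "19700101000000Z"


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, lowercases attribute names.  Enough for a plain export, not a
    full RFC 2849 parser (no changetype records, no URL values)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def review_users(entries: List[Entry], privileged=PRIVILEGED_GROUPS) -> Dict[str, List[str]]:
    """Return {uid: reasons} for accounts that need a human look before they
    are trusted again: anything the attacker could have planted or elevated
    while holding the old LDAP database."""
    priv = {g.lower() for g in privileged}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        reasons = []
        for grp in e.get("memberof", []):
            if grp.lower() in priv:
                reasons.append(f"member of privileged group {grp}")
        if e.get("ipasshpubkey"):
            reasons.append("carries SSH public keys, which log in without a password")
        if "krbprincipalaux" not in {oc.lower() for oc in e.get("objectclass", [])}:
            reasons.append("no krbPrincipalAux objectclass; not a normally created IPA user")
        if reasons:
            findings[uid] = reasons
    return findings


def force_password_change_ldif(entries: List[Entry], expire_at: str = EPOCH) -> str:
    """LDIF 'changetype: modify' records that put krbPasswordExpiration in
    the past for every user, so each must set a new password at next login."""
    records = []
    for e in entries:
        records.append("\n".join([
            f"dn: {e['dn'][0]}",
            "changetype: modify",
            "replace: krbPasswordExpiration",
            f"krbPasswordExpiration: {expire_at}",
            "-",
            "",
        ]))
    return "\n".join(records)


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for uid, why in review_users(users).items():
        print(f"REVIEW {uid}: " + "; ".join(why))
    print(force_password_change_ldif(users))
```

The emitted LDIF is meant to be fed to ldapmodify as Directory Manager (or the equivalent done per user with `ipa user-mod --setattr`) only after the import has been reviewed; flagged accounts should be recreated by hand rather than imported.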



