[Freeipa-users] Disaster Recovery Best Practices?

Dmitri Pal dpal at redhat.com
Mon Apr 16 19:40:17 UTC 2012


On 04/16/2012 03:13 PM, KodaK wrote:
> Hi,
>
> I have googled around a bit, but I still have a couple of questions:
>
> 1) is it possible to get "getent shadow" to return shadow entries from
> the ipa server?  This is so we can do a DR test on some server or set
> of servers without also having to restore the IPA server first.  I can
> do a "getent passwd" easily enough, and I could rebuild the shadow
> file for local users, so it's not critical, but it would be a "nice to
> have" in the case of a DR.
Please use SSSD on the client. It will do all the caching for you. If
the connection is lost to the central server the client will continue to
operate and authenticate users that logged in previously at least once.
There is no need to create shadow files on the client in this case.
Shadow is a mistake of the past that should not be used when there
are other much more secure technologies available now.

> 2) What is everyone else doing to prepare IPA for a DR?  I've read
> that the best way to do it is to turn off the IPA services on a
> replica and then back that replica up.  I also read that this will
> miss some important files that only exist on the master. 

That is the case when you use self-signed certs, but the preferred and
default configuration is not with the self-signed certs. It was in the
past but not any more. Currently when you install IPA and then replicas
there is no difference between master and replicas (if you installed CA
on the replica), so picking any one and recycling is possible. You won't
lose anything.

>  I don't want
> to turn off the master server services for a DR due to failover lag.
> Would it be safe to take a backup of the master while "hot", then
> restore a replica, and promote it to master using the "hot" backup of
> the master (just the specific CA files needed)?

So turning off any server of your choice, backing it up (taking a
snapshot) and then restarting it again is the simplest way of dealing
with DR.
But to do this, make sure that the server that you plan to use for taking
backup snapshots has a CA.


> Thanks,
>
> --Jason
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
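An added example, not part of the thread: a POSIX shell check that reads an sssd.conf and reports whether each IPA domain section enables cache_credentials, the SSSD option behind the offline behaviour described above. The config path, domain names and sample values are constructed.

```shell
# Added example (not from the thread): report whether every [domain/...] section
# of an sssd.conf sets cache_credentials = True, the option that lets an SSSD
# client keep authenticating previously-seen users while the IPA servers are
# down or being restored. Returns 0 only if every domain caches credentials.
sssd_cache_check() {  # usage: sssd_cache_check /etc/sssd/sssd.conf
    awk '
        BEGIN { bad = 0 }
        function report() {
            printf "%s: cache_credentials=%s\n", domain, cached
            if (cached != "True") bad = 1
        }
        # new [section] header: report the previous domain, then start fresh
        /^[[:space:]]*\[/ {
            if (domain != "") report()
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            domain = (section ~ /^domain\//) ? substr(section, 8) : ""
            cached = "missing"
            next
        }
        # cache_credentials inside a domain section; value compared case-insensitively
        domain != "" && /^[[:space:]]*cache_credentials[[:space:]]*=/ {
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[[:space:]]/, "", v)
            cached = (v == "true") ? "True" : "False"
        }
        END { if (domain != "") report(); exit bad }
    ' "$1"
}

# Constructed sample: the first domain caches credentials, the second does not.
SAMPLE_CONF='[sssd]
domains = ipa.example.test, lab.example.test
services = nss, pam
[domain/ipa.example.test]
id_provider = ipa
cache_credentials = True
[domain/lab.example.test]
id_provider = ldap
cache_credentials = False'

# Runs the check over the sample; returns 1 because lab.example.test does not cache.
run_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    if sssd_cache_check "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}
```

A domain that is missing the option entirely is reported as "missing" and also fails the check, since SSSD does not cache credentials by default.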

