[Freeipa-users] Disaster Recovery Best Practices?

Simo Sorce simo at redhat.com
Mon Apr 16 20:42:46 UTC 2012


On Mon, 2012-04-16 at 14:13 -0500, KodaK wrote:
> Hi,
> 
> I have googled around a bit, but I still have a couple of questions:
> 
> 1) is it possible to get "getent shadow" to return shadow entries from
> the ipa server? 

No, we do not have any shadow map in IPA; enforcement of password and
account expiration is done by the server, not deferred to the clients.

>  This is so we can do a DR test on some server or set
> of servers without also having to restore the IPA server first.  I can
> do a "getent passwd" easily enough, and I could rebuild the shadow
> file for local users, so it's not critical, but it would be a "nice to
> have" in the case of a DR.

What are you looking for in the shadow map?

> 2) What is everyone else doing to prepare IPA for a DR?  I've read
> that the best way to do it is to turn off the IPA services on a
> replica and then back that replica up.  I also read that this will
> miss some important files that only exist on the master.

This was true for IPA v1 only, where we used a self-signed CA available
only in the first master. Since v2 you are supposed to use the dogtag
PKI, so if you clone the PKI as well (you need to explicitly set it up;
by default replicas do not replicate the CA) you have full redundancy
with regard to network-facing data.

>   I don't want
> to turn off the master server services for a DR due to failover lag.
> Would it be safe to take a backup of the master while "hot", then
> restore a replica, and promote it to master using the "hot" backup of
> the master (just the specific CA files needed)?

If you are using the dogtag CA it wouldn't, as it uses a DS instance as
well. If you are using the self-signed CA, well, I guess you have no
other option.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
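Since IPA offers no shadow map and enforces password ageing on the server, a DR test host that cannot reach IPA has to reconstruct ageing information itself. The script below is an added illustration, not code from the thread or from FreeIPA: it assumes a saved LDIF export of the users container and derives shadow(5)-style lastchg/max fields from the krbLastPwdChange and krbPasswordExpiration attributes (the sample entries are constructed; no password hashes are exported, so the password field is left locked).

```python
"""Derive shadow(5)-style ageing fields from an LDIF export of IPA users.

Assumption (not from the thread): krbLastPwdChange and krbPasswordExpiration
are present as LDAP GeneralizedTime strings (YYYYMMDDHHMMSSZ).
"""
from datetime import datetime, timezone

# Constructed sample export, not real data.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastPwdChange: 20120301120000Z
krbPasswordExpiration: 20120530120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbLastPwdChange: 20120110080000Z
krbPasswordExpiration: 20120410080000Z
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, single-valued attributes only."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries

def generalized_time_to_days(value):
    """Convert GeneralizedTime 'YYYYMMDDHHMMSSZ' to days since the Unix epoch."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) // 86400

def shadow_line(entry):
    """name:passwd:lastchg:min:max:warn:inactive:expire:flag
    The password field stays locked ('!'): IPA never exposes the hash."""
    lastchg = generalized_time_to_days(entry["krbLastPwdChange"])
    expires = generalized_time_to_days(entry["krbPasswordExpiration"])
    max_days = max(expires - lastchg, 0)
    return f"{entry['uid']}:!:{lastchg}:0:{max_days}:7:::"

def build_shadow(ldif_text):
    return [shadow_line(e) for e in parse_ldif(ldif_text)]
```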
