[Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

Martin Kosek mkosek at redhat.com
Tue Jun 2 07:51:39 UTC 2015


On 06/01/2015 02:19 AM, Sina Owolabi wrote:
> Hi!
>
> I am still stumbling along with this, I have had my IPA domain
> destroyed and currently only a CA-less replica is left running the
> network.
> The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
> I am trying to setup a fresh CA-master and I have exported the data in
> the replica into ldif and bak folders in
> /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories.
> I have copied these files and folders to the fresh install, which is
> running RHEL7.1.
> If I can complete an install, I plan to destroy the existing replica
> and install from scratch 2 new ones just to be safe.
>
> Please can someone direct me in properly editing the ldif file or the
> bak archivedir to make it useful for the new CA master? I have already
> deleted the existing replication agreements between the CA-less
> replica and the lost CA master (the new fresh install is the same
> hostname).
> Importing data is successful, but then IPA refuses to run afterwards
> with different error messages.
>
> Thanks for any light shown my way.
>

Let me reiterate to see if I understood your scenario correctly:

- you had CA-powered FreeIPA infrastructure, with just one FreeIPA server with 
CA service running
- the single FreeIPA+CA server was lost (I would suggest having more of those 
in the future or using backup (snapshot or ipa-backup))
- you now want to install a brand new FreeIPA server and add data from the old 
FreeIPA installation.

This is quite tricky, you can just add data from old FreeIPA server to the new 
server - the new FreeIPA server will have different Kerberos master key, 
different CA key. All this and derived data would be invalid. If you backed up 
the FreeIPA+CA master, I assume the PKI could be recreated, but it does not 
seem to be the case.

In that case, I am afraid you would need to start a new infrastructure and 
migrate old data. I put a short description on how to migrate one FreeIPA to 
another FreeIPA on the wiki:

https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

HTH,
Martin
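The point above, that everything derived from the old Kerberos master key or the old CA key is worthless on a new master, is what makes a raw ldif re-import fail. The script below is an added example (not part of Martin's reply, the wiki page, or FreeIPA's own tooling) that shows which parts of a 389-ds ldif export are key-bound. It parses a plain `db2ldif`-style dump (handling folded lines and `::` base64 values), strips the attributes that only make sense under the lost keys, and reports what it removed. The attribute list is an assumption on my part; the sample ldif is constructed. The remaining identity data (users, groups, memberships) is what a migration to the new infrastructure can still use, with passwords reset and hosts re-enrolled against the new master.

```python
"""Strip key-bound attributes from a 389-ds LDIF export before migrating
identity data to a freshly installed FreeIPA master.

Added example for this thread; not FreeIPA code. Attribute list is an assumption.
"""
import re

# Attributes assumed to depend on the lost Kerberos master key or the lost CA
# (assumption, not a list taken from the thread). Compared case-insensitively.
KEY_BOUND_ATTRS = {
    "krbprincipalkey",            # long-term keys, encrypted with the old master key
    "krbmkey",                    # the old master key entry itself
    "usercertificate",            # certificates issued by the old CA
    "cacertificate",
    "certificaterevocationlist",
}

# Constructed sample export: one user with key material, one group.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: krbprincipalaux
uid: alice
cn: Alice Example
krbPrincipalName: alice@EXAMPLE.TEST
krbPrincipalKey:: MIIBAQCBxbmFrZSBrZXkgYmxvYiBmb3IgdGhpcyBleGFtcGxl
 LCBub3QgYSByZWFsIGtleQ==
userCertificate:: MIIBZmFrZSBjZXJ0IGJsb2I=

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: groupofnames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
"""

_LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Split an LDIF dump into entries. Each entry is a list of
    (attribute, separator, raw_value); separator is ':' for plain values
    and '::' for base64, which we keep as-is rather than decoding."""
    entries, current = [], []
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError("malformed LDIF line: %r" % line)
        current.append((match.group(1), match.group(2), match.group(3)))
    if current:
        entries.append(current)
    return entries


def sanitize(text, drop=KEY_BOUND_ATTRS):
    """Return (cleaned_ldif, removed) where removed maps attribute name to
    the number of values dropped. Entries and all other attributes are kept."""
    removed = {}
    out = []
    for entry in parse_ldif(text):
        kept = []
        for attr, sep, value in entry:
            if attr.lower() in drop:
                removed[attr] = removed.get(attr, 0) + 1
                continue
            kept.append("%s%s %s" % (attr, sep, value))
        out.append("\n".join(kept))
    return "\n\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, report = sanitize(SAMPLE_LDIF)
    for name, count in sorted(report.items()):
        print("dropped %d value(s) of %s" % (count, name))
    print(cleaned)
```

Run against the real export with `sanitize(open(path).read())`; what it drops is exactly the data the new master cannot honour, and what it keeps is the data worth migrating. It does not touch replication agreements or the `cn=kerberos` container, which are better handled by the fresh install than by editing the dump.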