[Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

Sina Owolabi notify.sina at gmail.com
Tue May 26 07:04:36 UTC 2015


Hi Martin

I actually mean restore. It's a complicated situation... There once was a
primary and its CA replica. The primary got hosed and was cloned a few
years ago from the replica. Then the replica got hosed a few times too,
saved by the "primary", only now it wouldn't install a CA during replica
setup. Now the cloned primary got hosed (it sees itself as a clone and
being the only CA, has nowhere to go to renew certs). We opted to
reinstall a fresh primary and now we are looking for how to copy existing
data from the standing CA-less replica (everything is the same, realms,
DNS hosts, HBAC, sudo rules, etc.) to the freshly installed CA primary.
This would be amazing if we could or we'll have to set up the entire network
and rules from scratch.
I would really appreciate some example commands we could run to import data
into the new primary. We've already run db2bak and db2ldif on the replica
to export from a helpful script we found in a thread.
I hope you can help us!

On Tue, May 26, 2015, 7:42 AM Martin Kosek <mkosek at redhat.com> wrote:

> On 05/25/2015 05:46 PM, Sina Owolabi wrote:
> > Hi!
> >
> > Please how do I restore data to a freshly reinstalled IPA server from
> > an existing CA-less replica that has had replication agreements
> > removed?
>
> By restore, you mean actually migrate? We have a pending RFE for this:
> https://fedorahosted.org/freeipa/ticket/3656
>
> Migration of users/groups can be done via migrate-ds command. Migration of
> SUDO/HBAC/automount/... can be done by LDIF export and import (with some
> changes to realms, etc.). But we have no automated way to migrate Kerberos
> keys or certificates as the underlying keys are different.
>
> > Both servers are running rhel 6.6 with ipa-server versions 3.0.0
> > (For some reason the IPA servers do not upgrade beyond this version).
>
> If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x.
> RHEL-7.1 has FreeIPA 4.1, which is much more cooler than 3.0.0 :-) This is
> what we recommend for new deployments anyway.
>
> > I have been searching for information from RHEL knowledgebase and from
> > the FreeIPA site but I do not find information that exactly matches my
> > situation.
> >
> > I am grateful for any assistance in this.
> >
> >
> > Thanks!
> >
>
> HTH,
> Martin
>
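
Added example (not part of the original thread, and not FreeIPA project code): one way to prepare the LDIF export/import route mentioned in the quoted reply, by reducing a db2ldif export to the sudo, HBAC and automount subtrees and dropping server-generated attributes before import. The container names, the attribute list, the function names and the dc=example,dc=com suffix are assumptions; the sample LDIF is constructed.

```python
import base64

# Assumption: FreeIPA containers holding the sudo, HBAC and automount data.
CONTAINERS = ("cn=sudo", "cn=hbac", "cn=automount")
# Server-generated attributes that should not be replayed on the new server.
OPERATIONAL = {"nsuniqueid", "entryusn", "entryid", "parentid", "entrydn", "numsubordinates",
               "creatorsname", "modifiersname", "createtimestamp", "modifytimestamp"}

def parse_entries(ldif_text):
    """Split LDIF into entries (lists of lines), unfolding continuation lines."""
    entries, current = [], []
    for raw in ldif_text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # leading space continues previous line
        elif raw.strip() and not raw.startswith("#"):
            current.append(raw)
        elif not raw.strip() and current:
            entries.append(current)
            current = []
    return entries

def entry_dn(entry):
    """Return the entry DN (decoding base64 'dn::'), or None if there is none."""
    name, _, value = entry[0].partition(":")
    if name.lower() != "dn":
        return None
    return base64.b64decode(value[1:]).decode() if value[:1] == ":" else value.strip()

def filter_policy_ldif(ldif_text, suffix):
    """Keep entries below CONTAINERS under suffix and drop OPERATIONAL attributes
    (attribute options after ';' are ignored when matching attribute names)."""
    wanted = tuple(f",{c},{suffix}".lower() for c in CONTAINERS)
    out = []
    for entry in parse_entries(ldif_text):
        dn = entry_dn(entry)
        if dn and dn.lower().endswith(wanted):
            out.append("\n".join(l for l in entry if
                       l.split(":", 1)[0].split(";", 1)[0].lower() not in OPERATIONAL))
    return "\n\n".join(out) + ("\n" if out else "")

# Constructed sample export: one user entry (skipped) and one sudo rule (kept).
SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudorules,cn=sudo,dc=example,dc=com
cn: admins-
 all
nsUniqueId: 11111111-22222222-33333333-44444444
"""
```

Users and groups would go through migrate-ds first, since the rules refer to those entries by DN. Loading the filtered output with `ldapadd -c` lets the import continue past entries that already exist on the new primary.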