Dimitar, this is actually a very good question. Our team has been discussing the best way to back up and restore a FreeIPA infrastructure for some time. In FreeIPA 3.2, we introduced ipa-backup and ipa-restore scripts which we are evaluating, but we still think that the best way to back up and restore may be simply creating replicas and/or system snapshots.
You can read full details in this article: http://www.freeipa.org/page/Backup_and_Restore

Feedback welcome,
Martin

On 01/23/2014 05:03 PM, Dimitar Georgievski wrote:
> In my case DNS is not an issue, FreeIPA is integrated with existing DNS
> servers.
>
> The above procedure would work for migrating the user's data to a new IPA
> server that has a new host name. What if I would like to restore the
> original IPA server? Could I repeat the above steps with the exception of
> #4, in which I would restore backed-up certificates and keytab files. This
> should avoid the need to regenerate them, no?
>
> In short, how would you perform a full back-up and restore of the Primary
> IPA server? I understand this is not a trivial task for the IPA server and
> from what I've learned it is probably not fully supported in the current
> ver 3.x
>
> Thanks,
>
> Dimitar
>
> On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek <[email protected]> wrote:
>
>> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
>>> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>>>> Would you use ldapmodify -f file-name-with-exported-data to import the
>>>> data back to a new copy of FreeIPA?
>>>
>>> No, that generally won't work. There's more to IPA than the data in LDAP.
>>> Instead of copying data you should install the new server as a replica
>>> of the old one.
>>
>> That would give you FreeIPA with the same domain, realm or certificate
>> subject name.
>>
>> If you want to start with different settings, I would recommend:
>>
>> 1) Installing new IPA server
>> 2) Using "ipa migrate-ds" command to migrate users and groups
>> 3) Use ldapsearch&ldapmodify to migrate DNS (you may need to change
>> the DN in the LDIF file to use the correct SUFFIX if the realm changed)
>> 4) For all hosts - unenroll and enroll again against the new IPA. This is
>> needed to regenerate the new certificates or host keytab
>>
>> HTH,
>> Martin
>>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
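The four-step migration Martin lists above (new server, "ipa migrate-ds", export/import of cn=dns with the suffix rewritten, re-enrolment of every host) as an added shell example. This is not code from the thread or from the FreeIPA project; the hostnames old-ipa.old.test / new-ipa.new.test, the suffixes dc=old,dc=test / dc=new,dc=test, the realm NEW.TEST and the list of DN-valued attributes are assumptions to adjust. The only part that runs without an IPA server is rewrite_suffix, the "change the DN in the LDIF" step; it goes a little beyond the text by unfolding LDIF continuation lines before matching (a DN wrapped at 76 columns would otherwise escape a plain sed) and by refusing base64-encoded DN values ("dn:: ...") instead of importing them unchanged, so a partial rewrite cannot slip into the new directory unnoticed.

```shell
#!/bin/sh
# Added example for the migration procedure in the thread; not code from the
# freeipa-users list or from FreeIPA itself. Assumed (hypothetical) values:
# old suffix dc=old,dc=test on old-ipa.old.test, new suffix dc=new,dc=test on
# new-ipa.new.test, realm NEW.TEST. Needs the OpenLDAP client tools and a
# valid admin ticket (kinit admin) on the host running the ldap* commands.
OLD_SUFFIX='dc=old,dc=test'
NEW_SUFFIX='dc=new,dc=test'

# Step 2, on the new server: users and groups. IPA keeps them under
# cn=users,cn=accounts and cn=groups,cn=accounts rather than the
# ou=people/ou=groups defaults migrate-ds assumes, so name the containers.
migrate_users_and_groups() {
  ipa migrate-ds --bind-dn 'cn=Directory Manager' \
      --base-dn "$OLD_SUFFIX" \
      --user-container 'cn=users,cn=accounts' \
      --group-container 'cn=groups,cn=accounts' \
      ldap://old-ipa.old.test
}

# Step 3, the suffix rewrite. Reads LDIF on stdin, writes LDIF on stdout.
# Unfolds continuation lines first, then replaces OLD_SUFFIX with NEW_SUFFIX
# only where it ends the value of the entry DN or of a DN-valued attribute;
# free text such as a description is left alone. A base64-encoded DN value
# (attr:: ...) cannot be rewritten textually, so the script refuses it.
rewrite_suffix() {
  awk -v old="$OLD_SUFFIX" -v new="$NEW_SUFFIX" '
    BEGIN {
      # attributes whose values are DNs and therefore carry the suffix
      split("dn member memberof managedby owner seealso", a, " ")
      for (k in a) dnattr[a[k]] = 1
      lold = tolower(old); n = length(old)
    }
    function out(line,   i, name, rest, val, m) {
      i = index(line, ":")
      if (i == 0) { print line; return }
      name = substr(line, 1, i - 1); rest = substr(line, i + 1)
      if (!(tolower(name) in dnattr)) { print line; return }
      if (substr(rest, 1, 1) == ":") {
        printf "rewrite_suffix: base64-encoded %s value, refusing\n", name > "/dev/stderr"
        failed = 1; exit 2
      }
      val = rest; sub(/^ +/, "", val); m = length(val)
      if (m > n && substr(val, m - n, 1) == "," && tolower(substr(val, m - n + 1)) == lold)
        val = substr(val, 1, m - n) new
      else if (tolower(val) == lold)
        val = new
      print name ": " val
    }
    function emit() { if (have) { if (buf == "") print ""; else out(buf) } have = 0 }
    /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line
    { emit(); buf = $0; have = 1 }
    END { if (!failed) emit() }
  '
}

# Step 3a, on the old server: export the DNS subtree with the suffix rewritten.
export_dns() {
  ldapsearch -LLL -Y GSSAPI -b "cn=dns,$OLD_SUFFIX" '(objectClass=*)' \
    | rewrite_suffix > "${1:-dns-migrated.ldif}"
}

# Step 3b, on the new server: load the file. -c continues past entries that
# already exist there (cn=dns itself, any zone the new server already serves);
# read the output instead of trusting a clean exit.
import_dns() {
  ldapadd -c -Y GSSAPI -f "${1:-dns-migrated.ldif}"
}

# Step 4, on every enrolled host: leave the old realm, join the new one so the
# host keytab and certificate are issued by the new server. Without --password
# ipa-client-install prompts, keeping the admin password out of ps and history.
reenroll_host() {
  ipa-client-install --uninstall --unattended \
  && ipa-client-install --domain new.test --realm NEW.TEST \
       --server new-ipa.new.test --principal admin
}
```

Run export_dns on the old server and import_dns on the new one rather than piping between them, because a single GSSAPI credential cache holds a ticket for one realm. After the import, zone records that still name the old server (the SOA and NS entries) have to be edited by hand; the rewrite only touches DNs.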
