Hi Martin,

I actually mean restore. It's a complicated situation... There once was a primary and its CA replica. The primary got hosed and was cloned a few years ago from the replica. Then the replica got hosed a few times too, saved by the "primary", only now it wouldn't install a CA during replica setup. Now the cloned primary got hosed (it sees itself as a clone and, being the only CA, has nowhere to go to renew certs).

We opted to reinstall a fresh primary and now we are looking for how to copy existing data from the standing CA-less replica (everything is the same: realms, DNS hosts, HBAC, sudo rules, etc.) to the freshly installed CA primary. This would be amazing if we could, or we'll have to set up the entire network and rules from scratch.

I would really appreciate some example commands we could run to import data into the new primary. We've already run db2bak and db2ldif on the replica to export from a helpful script we found in a thread. I hope you can help us!
On Tue, May 26, 2015, 7:42 AM Martin Kosek <mko...@redhat.com> wrote:

> On 05/25/2015 05:46 PM, Sina Owolabi wrote:
> > Hi!
> >
> > Please how do I restore data to a freshly reinstalled IPA server from
> > an existing CA-less replica that has had replication agreements
> > removed?
>
> By restore, you mean actually migrate? We have a pending RFE for this:
> https://fedorahosted.org/freeipa/ticket/3656
>
> Migration of users/groups can be done via migrate-ds command. Migration of
> SUDO/HBAC/automount/... can be done by LDIF export and import (with some
> changes realms, etc.). But we have no automated way how to migrate Kerberos
> keys or certificates as the underlying keys are different.
>
> > Both servers are running rhel 6.6 with ipa-server versions 3.0.0
> > ( For some reason the IPA servers do not upgrade beyond this version).
>
> If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x.
> RHEL-7.1 has FreeIPA 4.1, which is much more cooler than 3.0.0 :-) This is
> what we recommend for new deployments anyway.
>
> > I have been searching for information from RHEL knowledgebase and from
> > the FreeIPA site but I do not find information that exactly matches my
> > situation.
> >
> > I am grateful for any assistance in this.
> >
> >
> > Thanks!
> >
>
> HTH,
> Martin
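Added example, not part of the thread and not FreeIPA project code: a sketch of the "LDIF export and import" route mentioned in the quoted reply, filtering a db2ldif export down to the sudo and HBAC entries and dropping attributes the receiving server generates itself. The container names (`cn=sudo`, `cn=hbac` under the suffix), the operational attribute list, the function names and the `dc=example,dc=test` suffix are assumptions.

```python
import base64
import re

CONTAINERS = ("cn=sudo", "cn=hbac")  # assumed FreeIPA sudo/HBAC containers
# Operational attributes the receiving server generates itself.
OPERATIONAL = {"nsuniqueid", "entryusn", "entryid", "parentid", "creatorsname",
               "modifiersname", "createtimestamp", "modifytimestamp"}

def records(text):
    """Yield LDIF records as lists of lines, with RFC 2849 folding undone."""
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\n", unfolded):
        rec = [l for l in block.splitlines() if l.strip() and not l.startswith("#")]
        if rec:
            yield rec

def entry_dn(rec):
    """Return the record's DN, decoding the base64 'dn::' form if present."""
    for line in rec:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            b64 = value.startswith(":")
            return base64.b64decode(value[1:]).decode() if b64 else value.strip()
    return ""

def select(text, suffix):
    """Yield sudo/HBAC entries under suffix, minus operational attributes."""
    targets = [f"{c},{suffix}".lower() for c in CONTAINERS]
    for rec in records(text):
        dn = entry_dn(rec).lower()
        if any(dn == t or dn.endswith("," + t) for t in targets):
            yield "\n".join(l for l in rec
                            if l.partition(":")[0].lower() not in OPERATIONAL)

# Constructed sample standing in for a db2ldif export (not real data).
B64_DN = base64.b64encode(b"ipaUniqueID=2222,cn=hbac,dc=example,dc=test").decode()
SAMPLE = f"""dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: ipaUniqueID=1111,cn=sudorules,cn=sudo,dc=exa
 mple,dc=test
cn: admins-all
nsUniqueId: aaaa-bbbb

dn:: {B64_DN}
cn: ssh-only
entryusn: 42
"""

if __name__ == "__main__":
    print("\n\n".join(select(SAMPLE, "dc=example,dc=test")))
```

Entries that a fresh install already creates will collide on import, and rule members are referenced by DN, so the users, hosts and groups they point to need to exist on the new server first.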