On 06/01/2015 02:19 AM, Sina Owolabi wrote:
I am still stumbling along with this. I have had my IPA domain
destroyed and currently only a CA-less replica is left running the
The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
I am trying to setup a fresh CA-master and I have exported the data in
the replica into ldif and bak folders in
I have copied these files and folders to the fresh install, which is
If I can complete an install, I plan to destroy the existing replica
and install from scratch 2 new ones just to be safe.
Please can someone direct me in properly editing the ldif file or the
bak archivedir to make it useful for the new CA master? I have already
deleted the existing replication agreements between the CA-less
replica and the lost CA master (the new fresh install is the same
Importing data is successful, but then IPA refuses to run afterwards
with different error messages.
Thanks for any light shown my way.
Let me reiterate to see if I understood your scenario correctly:
- you had CA-powered FreeIPA infrastructure, with just one FreeIPA server with
CA service running
- the single FreeIPA+CA server was lost (I would suggest having more of those
in the future or using backup (snapshot or ipa-backup))
- you now want to install a brand new FreeIPA server and add data from the old
This is quite tricky, you can just add data from old FreeIPA server to the new
server - the new FreeIPA server will have different Kerberos master key,
different CA key. All this and derived data would be invalid. If you backed up
the FreeIPA+CA master, I assume the PKI could be recreated, but it does not
seem to be the case.
In that case, I am afraid you would need to start a new infrastructure and
migrate the old data. I put a short description on how to migrate one FreeIPA to
another FreeIPA on the wiki:
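The reply above makes the point that an LDIF dump from the lost server carries data derived from keys the new server does not have: the Kerberos master key, the principal keys encrypted under it, and certificates issued by the lost CA. The following is an added example, not code from this thread or from the FreeIPA project, that scans an LDIF export and separates entries bound to those lost keys from entries that are plain directory data and can be migrated. The attribute names (krbMKey, krbPrincipalKey, userCertificate) are the ones the FreeIPA/MIT Kerberos LDAP schema uses; treating exactly those three as "key-bound" is my own classification for this example, and the LDIF sample is constructed.

```python
"""Scan a FreeIPA LDIF export for entries tied to a lost server's keys.

Added example (not from the mailing-list thread or the FreeIPA project).
The LDIF parser below is deliberately minimal: it handles folded lines
and base64 ("::") values, which is all a 389-ds export needs here.
"""
import base64
import re

# Assumption for this example: these attributes are the ones whose values are
# only meaningful together with keys that lived on the destroyed server.
KEY_BOUND_ATTRS = {
    "krbmkey": "Kerberos realm master key (a new server generates its own)",
    "krbprincipalkey": "principal keys encrypted under the old master key",
    "usercertificate": "certificate issued by the lost CA",
}

# Constructed sample export: a realm container, a user, a group and a host.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
objectClass: krbrealmcontainer
cn: EXAMPLE.TEST
krbMKey:: AAECAwQ=

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: krbprincipalaux
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
krbPrincipalKey:: AAECAwQFBgc=

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: groupOfNames
cn: admins
member: uid=alice,cn=users,cn=accounts,
 dc=example,dc=test

dn: fqdn=web.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipahost
fqdn: web.example.test
userCertificate:: MIIBAAA=
"""

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Return a list of entries; each entry maps lower-cased attribute -> [values]."""
    entries, current = [], None
    # LDIF folds long values onto a following line that starts with one space.
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(current)
                current = None
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                 # base64-encoded (binary) value
            value = base64.b64decode(value).decode("utf-8", "replace")
        attr = attr.lower()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify(entries):
    """Split entries into (key_bound, portable).

    key_bound is a list of (dn, [(attr, reason), ...]); portable is a list of dns
    that carry no key-derived data and can be migrated as plain directory data.
    """
    key_bound, portable = [], []
    for entry in entries:
        dn = entry["dn"][0]
        hits = [(a, KEY_BOUND_ATTRS[a]) for a in KEY_BOUND_ATTRS if a in entry]
        if hits:
            key_bound.append((dn, hits))
        else:
            portable.append(dn)
    return key_bound, portable


if __name__ == "__main__":
    bound, ok = classify(parse_ldif(SAMPLE_LDIF))
    print("Entries bound to the lost server's keys:")
    for dn, hits in bound:
        for attr, reason in hits:
            print(f"  {dn}\n      {attr}: {reason}")
    print("Entries that are plain directory data:")
    for dn in ok:
        print(f"  {dn}")
```

Run against a real export (`ipa-backup` data or an `ldif` dump) by reading the file into `parse_ldif` instead of `SAMPLE_LDIF`. The realm container and every Kerberos principal show up as key-bound, which is exactly why re-importing such a dump into a freshly installed server fails: the new server's master key cannot decrypt those principal keys, and its new CA did not issue those certificates.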
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project