[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/18/23 15:55, Rob Crittenden wrote: Harry G Coin via FreeIPA-users wrote: On 10/18/23 10:33, Christian Heimes wrote: On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Rob Crittenden via FreeIPA-users
Harry G Coin via FreeIPA-users wrote: > > On 10/18/23 10:33, Christian Heimes wrote: >> On 18/10/2023 16.57, Harry G Coin wrote: >>> On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: >

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Frederic Ayrault via FreeIPA-users
Good evening. On 18/10/2023 at 19:43, Rob Crittenden via FreeIPA-users wrote: Right, so ipa-ca-install did effectively replace the old CA, but you're not done yet. As Flo points out, the HTTP and 389-ds (and who knows about PKINIT) certs were issued by a 3rd party. At this point in the thread I

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud wrote: > Hi, > > On Wed, Oct 18, 2023 at 4:11 PM Frederic Ayrault > mailto:f...@lix.polytechnique.fr>> wrote: > > Hello, > > On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: >> Hi, >> >> >> CNRS2 and CNRS2-Standard are part of the CA chain that

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/18/23 10:33, Christian Heimes wrote: On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/18/23 07:30, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, this guide explains the possible strategies for disaster recovery: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/preparing_for_disaster_recovery_with_identity_management/index And that one

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Christian Heimes via FreeIPA-users
On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to packages n levels deep but whose previously

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Oct 18, 2023 at 4:11 PM Frederic Ayrault wrote: > Hello, > > On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: > > Hi, > > > CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP > and LDAP server certificates, they should not be removed. > When you install

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to packages n levels deep but whose previously un-noticed freeipa killing

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/17/23 12:50, Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to packages n levels deep but whose previously un-noticed freeipa killing race-condition or other bug manifests

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Frederic Ayrault via FreeIPA-users
Hello, On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: Hi, CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP and LDAP server certificates, they should not be removed. When you install a new embedded IPA CA, it doesn't replace the existing HTTP and LDAP server

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 5:47 PM Frederic Ayrault wrote: > > On 17/10/2023 at 17:23, Rob Crittenden wrote: > > So if I've followed this thread correctly, what you're doing is: > > - Taking replica ipa3? and forcibly disconnecting it from an existing > > IPA installation > > This is just

[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-10-18 Thread Finn Fysj via FreeIPA-users
> Works without problems. Does not migrate UPGs nor ignore kerberos data: > ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' > --group-container='cn=groups,cn=accounts' ldap://ipa.example.com > > Migrates UPGs and other groups, but no users because of "mepOriginEntry": > ipa

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, this guide explains the possible strategies for disaster recovery: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/preparing_for_disaster_recovery_with_identity_management/index And that one how to recover:

[Freeipa-users] Re: Cannot receive LDAP attributes 'memberof' and 'ipaSshPubKey' on new IPA nodes.

2023-10-18 Thread Finn Fysj via FreeIPA-users
> On Wed, 11 Oct 2023, Finn Fysj via FreeIPA-users wrote: > > IPA memberof access permission was always limited to authenticated LDAP > binds. > > > So this is what somebody (old admin?) added explicitly. Correct. Thanks for your help, Alexander.

[Freeipa-users] Re: Extract user's private key from IdM

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 8:20 PM HUANG, TONY via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rob, > > The CSR is generated within the web UI by following this section "Web UI: > Requesting new certificates" ( >

[Freeipa-users] User missing after a restore of full backup

2023-10-18 Thread Janez Molicnik via FreeIPA-users
Hi! While doing a yearly disaster recovery I encountered a strange issue, of the 749 users in production environment 748 got successfully imported, but one user is missing. "kinit missing.username" just warns that the user was not found in Kerberos database while getting initial credentials.