Hi Martin
I actually mean restore. It's a complicated situation... There once was a
primary and it's CA replica. The primary got hosed and was cloned a few
years ago from the replica. Then the replica got hosed a few times too,
saved by the primary, only now it wouldn't install a CA during replica
setup. Now the cloned primary got hosed (it sees itself as a clone and
being a the only CA, has nowhere to go to renew certs). We opted to
reinstall a fresh primary and now we are looking for how to copy existing
data from the standing CA-less replica (everything is the same, realms,
DNS hosts, HBAC, sudo rules, etc ) to the freshly installed CA primary.
This would be amazing if we could or we'll have to setup the entire network
and rules from scratch.
I would really appreciate some example commands we could run to import data
into the new primary. We've already run db2bak and db2ldif on the replica
to export from a helpful script we found in a thread.
I hope you can help us!
On Tue, May 26, 2015, 7:42 AM Martin Kosek mko...@redhat.com wrote:
On 05/25/2015 05:46 PM, Sina Owolabi wrote:
Hi!
Please how do I restore data to a freshly reinstalled IPA server from
an existing CA-less replica that has had replication agreements
removed?
By restore, you mean actually migrate? We have a pending RFE for this:
https://fedorahosted.org/freeipa/ticket/3656
Migration of users/groups can be done via migrate-ds command. Migration of
SUDO/HBAC/automount/... can be done by LDIF export and import (with some
changes realms, etc.). But we have no automated way how to migrate Kerberos
keys or certificates as the underlying keys are different.
Both servers are running rhel 6.6 with ipa-server versions 3.0.0
( For some reason the IPA servers do not upgrade beyond this version).
If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x.
RHEL-7.1
has FreeIPA 4.1, which is much more cooler than 3.0.0 :-) This is what we
recommend for new deployments anyway.
I have been searching for information from RHEL knowledgebase and from
the FreeIPA site but I do not find information that exactly matches my
situation.
I am grateful for any assistance in this.
Thanks!
HTH,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project