Re: [Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

2015-05-26 Thread Martin Kosek

On 05/25/2015 05:46 PM, Sina Owolabi wrote:
> Hi!
>
> Please how do I restore data to a freshly reinstalled IPA server from
> an existing CA-less replica that has had replication agreements
> removed?

By restore, you mean actually migrate? We have a pending RFE for this:
https://fedorahosted.org/freeipa/ticket/3656

Migration of users/groups can be done via the migrate-ds command. Migration of
SUDO/HBAC/automount/... can be done by LDIF export and import (with some
changes to realms, etc.). But we have no automated way to migrate Kerberos
keys or certificates, as the underlying keys are different.

> Both servers are running RHEL 6.6 with ipa-server versions 3.0.0
> (For some reason the IPA servers do not upgrade beyond this version).

If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x. RHEL-7.1
has FreeIPA 4.1, which is much cooler than 3.0.0 :-) This is what we
recommend for new deployments anyway.

> I have been searching for information from RHEL knowledgebase and from
> the FreeIPA site but I do not find information that exactly matches my
> situation.
>
> I am grateful for any assistance in this.
>
> Thanks!

HTH,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
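
Added example, not part of the original thread or of FreeIPA: a sketch of the LDIF preparation step the reply above describes, keeping only sudo/HBAC/automount entries from an export, moving them under a new suffix, and leaving behind the user, host and service entries that hold Kerberos keys and certificates. The names `filter_ldif`, `KEEP` and `DROP` and the `dc=old,dc=test` / `dc=new,dc=test` suffixes are assumptions for illustration; the container names follow FreeIPA's default directory layout, and kept entries are assumed to hold text values only.

```python
import base64
import re

KEEP = ("cn=sudo,", "cn=hbac,", "cn=automount,")  # IPA containers to carry over
DROP = {"nsuniqueid", "entryid", "parentid", "entrydn", "entryusn",  # server-set
        "creatorsname", "modifiersname", "createtimestamp", "modifytimestamp"}
SAFE = re.compile(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*(?<! )")  # needs no base64

def decode(rest):
    """Value after 'attr:'; a second ':' marks base64 (text values assumed)."""
    return base64.b64decode(rest[1:]).decode("utf-8") if rest.startswith(":") else rest.strip()

def filter_ldif(text, old_suffix, new_suffix):
    """Keep sudo/HBAC/automount entries, rebase DNs, drop server-set attributes."""
    old = old_suffix.lower()
    text = re.sub(r"\n ", "", text.replace("\r\n", "\n"))  # unfold long lines
    records = []
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [l.partition(":") for l in record.splitlines() if not l.startswith("#")]
        dn = next((decode(r) for a, _, r in lines if a.lower() == "dn"), "").lower()
        if not any(("," + dn).endswith("," + k + old) for k in KEEP):
            continue  # users, hosts, services: keys and certificates stay behind
        out = []
        for attr, _, rest in lines:
            if attr.split(";")[0].lower() in DROP:
                continue
            value = decode(rest)
            if value.lower().endswith(old):  # DN-valued: move under the new suffix
                value = value[: len(value) - len(old)] + new_suffix
            out.append(f"{attr}: {value}" if SAFE.fullmatch(value)
                       else f"{attr}:: {base64.b64encode(value.encode()).decode()}")
        records.append("\n".join(out))
    return "\n\n".join(records) + "\n"

# Constructed sample: a user entry (binary key material), a sudo rule with a
# folded line, and an HBAC rule whose DN is base64-encoded.
SAMPLE = """dn: uid=alice,cn=users,cn=accounts,dc=old,dc=test
krbPrincipalKey:: /w==

dn: ipaUniqueID=1111,cn=sudorules,cn=sudo,dc=old,dc=test
cn: admins-all
memberUser: uid=alice,cn=users,cn=accounts,dc=o
 ld,dc=test
nsUniqueId: 0000-constructed

dn:: """ + base64.b64encode(b"ipaUniqueID=2222,cn=hbac,dc=old,dc=test").decode() + "\ncn: allow_ssh\n"

if __name__ == "__main__":
    print(filter_ldif(SAMPLE, "dc=old,dc=test", "dc=new,dc=test"))
```

When the realm and suffix are unchanged, pass the same suffix for both arguments; users and groups still go through migrate-ds as the reply describes.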


Re: [Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

2015-05-26 Thread Sina Owolabi
Hi Martin

I actually mean restore. It's a complicated situation... There once was a
primary and its CA replica. The primary got hosed and was cloned a few
years ago from the replica. Then the replica got hosed a few times too,
saved by the primary, only now it wouldn't install a CA during replica
setup. Now the cloned primary got hosed (it sees itself as a clone and,
being the only CA, has nowhere to go to renew certs). We opted to
reinstall a fresh primary and now we are looking for how to copy existing
data from the standing CA-less replica (everything is the same, realms,
DNS hosts, HBAC, sudo rules, etc.) to the freshly installed CA primary.
This would be amazing if we could, or we'll have to set up the entire network
and rules from scratch.
I would really appreciate some example commands we could run to import data
into the new primary. We've already run db2bak and db2ldif on the replica
to export from a helpful script we found in a thread.
I hope you can help us!

On Tue, May 26, 2015, 7:42 AM Martin Kosek mko...@redhat.com wrote:

> On 05/25/2015 05:46 PM, Sina Owolabi wrote:
> > Hi!
> >
> > Please how do I restore data to a freshly reinstalled IPA server from
> > an existing CA-less replica that has had replication agreements
> > removed?
>
> By restore, you mean actually migrate? We have a pending RFE for this:
> https://fedorahosted.org/freeipa/ticket/3656
>
> Migration of users/groups can be done via the migrate-ds command. Migration of
> SUDO/HBAC/automount/... can be done by LDIF export and import (with some
> changes to realms, etc.). But we have no automated way to migrate Kerberos
> keys or certificates, as the underlying keys are different.
>
> > Both servers are running RHEL 6.6 with ipa-server versions 3.0.0
> > (For some reason the IPA servers do not upgrade beyond this version).
>
> If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x.
> RHEL-7.1 has FreeIPA 4.1, which is much cooler than 3.0.0 :-) This is
> what we recommend for new deployments anyway.
>
> > I have been searching for information from RHEL knowledgebase and from
> > the FreeIPA site but I do not find information that exactly matches my
> > situation.
> >
> > I am grateful for any assistance in this.
> >
> > Thanks!
>
> HTH,
> Martin


[Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

2015-05-25 Thread Sina Owolabi
Hi!

Please how do I restore data to a freshly reinstalled IPA server from
an existing CA-less replica that has had replication agreements
removed?
Both servers are running RHEL 6.6 with ipa-server versions 3.0.0
(For some reason the IPA servers do not upgrade beyond this version).

I have been searching for information from RHEL knowledgebase and from
the FreeIPA site but I do not find information that exactly matches my
situation.

I am grateful for any assistance in this.


Thanks!
