Re: [Freeipa-users] Export data
Dimitar, this is actually a very good question. Our team have been discussing the best way to back up and restore a FreeIPA infrastructure for some time. In FreeIPA 3.2, we introduced ipa-backup and ipa-restore scripts which we are evaluating, but we still think that the best way to backup and restore may be simply creating replicas and/or system snapshots.

You can read full details in this article:

http://www.freeipa.org/page/Backup_and_Restore

Feedback welcome,
Martin

On 01/23/2014 05:03 PM, Dimitar Georgievski wrote:

In my case DNS is not an issue, FreeIPA is integrated with existing DNS servers.

The above procedure would work for migrating the user's data to a new IPA server that has a new host name. What if I would like to restore the original IPA server? Could I repeat the above steps with the exception of #4, in which I would restore backed-up certificates and keytab files. This should avoid the need to regenerate them, no?

In short how would you perform a full back-up and restore of the Primary IPA server? I understand this is not a trivial task for the IPA server and from what I've learned it is probably not fully supported in the current ver 3.x

Thanks,
Dimitar

On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek mko...@redhat.com wrote:

On 01/22/2014 06:57 PM, Petr Viktorin wrote:

On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:

Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?

No, that generally won't work. There's more to IPA than the data in LDAP. Instead of copying data you should install the new server as a replica of the old one.

That would give you FreeIPA with the same domain, realm or certificate subject name.

If you want to start with different settings, I would recommend:

1) Installing new IPA server
2) Using ipa migrate-ds command to migrate users and groups
3) Use the ldapsearch/ldapmodify to migrate DNS (you may need to change the DN in the LDIF file to use correct SUFFIX if the realm changed)
4) For all hosts - unenroll and enroll again against the new IPA. This is needed to regenerate the new certificates or host keytab

HTH,
Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
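Step 3 of the procedure in the message above notes that the DNs in the exported DNS LDIF may need a new suffix when the realm changed. One way to do that rewrite, as an added example that is not part of the original thread: the realm names, sample entries and function names are constructed, and it assumes the suffix is the default one derived from the realm (EXAMPLE.COM gives dc=example,dc=com) and that DNS entries live under cn=dns in that suffix.

```python
import base64

# Constructed sample export of cn=dns (not from the thread); the second DN is folded.
SAMPLE = """\
dn: idnsname=example.com,cn=dns,dc=example,dc=com
objectClass: idnszone

dn: idnsname=www,idnsname=example.com,cn=dns,dc=exam
 ple,dc=com
objectClass: idnsrecord
aRecord: 192.0.2.10
"""

def suffix_from_realm(realm):
    """EXAMPLE.COM -> dc=example,dc=com (assumed default suffix for a realm)."""
    return ",".join("dc=" + part.lower() for part in realm.split("."))

def unfold(ldif_text):  # a leading space continues the previous LDIF line
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def rewrite_dn(dn, old, new):
    """Swap the trailing suffix; refuse DNs that are not under the old suffix."""
    low = dn.lower()
    if low != old and not low.endswith("," + old):
        raise ValueError("DN is outside the old suffix: " + dn)
    return dn[: len(dn) - len(old)] + new

def format_dn(dn):  # plain 'dn:' for ASCII DNs, base64 'dn::' otherwise
    if dn.isascii():
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")

def rewrite_ldif(ldif_text, old_realm, new_realm):
    """Rewrite only entry DNs; attribute values are left untouched."""
    old, new = suffix_from_realm(old_realm), suffix_from_realm(new_realm)
    out = []
    for line in unfold(ldif_text):
        if line.lower().startswith("dn:: "):      # base64-encoded DN
            line = format_dn(rewrite_dn(base64.b64decode(line[5:]).decode("utf-8"), old, new))
        elif line.lower().startswith("dn: "):
            line = format_dn(rewrite_dn(line[4:], old, new))
        out.append(line)
    return "\n".join(out) + "\n"
```

An entry whose DN is not under the old suffix raises ValueError instead of being passed through, so a mixed or mis-scoped export is caught before it is fed to ldapmodify.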
[Freeipa-users] Backup and restore article
Our team have been discussing the best way to back up and restore a FreeIPA infrastructure for some time. In FreeIPA 3.2, we introduced ipa-backup and ipa-restore scripts which we are evaluating (and welcome feedback from real user deployments), but we still think that the best way to backup and restore may be simply creating multiple FreeIPA replicas and/or system snapshots.

We have created an article on this subject, which discusses this topic, shows various backup and restore user cases and presents our recommendations:

http://www.freeipa.org/page/Backup_and_Restore

We welcome feedback and discussion on the topic of backup and restore, how our users think that backup and restore should be done or if you do backup and restore in any custom way already. This input is useful for us to plan the next steps with backup and restore in FreeIPA.

Thank you.

--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
[Freeipa-users] Change FreeIPA Domain
Hi All,

Is it possible to change the Domain/Realm on FreeIPA v3.0.0 (Centos 6)

If not is there any way to migrate users from one domain to another?

Thanks in advance
Matt Symonds
Re: [Freeipa-users] Change FreeIPA Domain
Matthew Symonds wrote:

Hi All, Is it possible to change the Domain/Realm on FreeIPA v3.0.0 (Centos 6)

Not currently.

If not is there any way to migrate users from one domain to another?

See ipa migrate-ds --help

rob
Re: [Freeipa-users] Change FreeIPA Domain
Thanks. I had spent quite some time looking without any luck.
[Freeipa-users] Ipa AD trust
Hi List,

I want an update on this bug.

https://bugzilla.samba.org/show_bug.cgi?id=9618

Thanks
Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] Ipa AD trust
On Fri, Jan 24, 2014 at 04:32:33PM +, Zulkifal Ahmad wrote:

Hi List, I want an update on this bug.

https://bugzilla.samba.org/show_bug.cgi?id=9618

I just re-tested with the python script from the ticket and Samba-4.1.3 and it seems to be fixed.

HTH

bye,
Sumit

Thanks
Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] Change FreeIPA Domain
On 01/24/2014 09:20 AM, Rob Crittenden wrote:

Matthew Symonds wrote:

Hi All, Is it possible to change the Domain/Realm on FreeIPA v3.0.0 (Centos 6)

Not currently.

Should we consider RFE or it is easier to reinstall and import? I suspect the latter but wanted to double check.

At least we should probably have a ticket to provide ipa migrate-ipa command to migrate all known data from one instance to another

If not is there any way to migrate users from one domain to another?

See ipa migrate-ds --help

rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.