Hi all:
any one has better solution of freeipa backup ? assume all ldap db crash ,all ca fail, no backup of cert ...etc but need cleanly install one with same hostname.
and we have /usr/sbin/ipa-backup ldif backup .
Can I use an old image but restore back ldif such backup?
or any better solution for clean install with this ldif copy.
barrykfl--- via FreeIPA-users wrote:
Hi all:
any one has better solution of freeipa backup ? assume all ldap db crash ,all ca fail, no backup of cert ...etc but need cleanly install one with same hostname.
and we have /usr/sbin/ipa-backup ldif backup .
Can I use an old image but restore back ldif such backup?
or any better solution for clean install with this ldif copy.
If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS.
Then restore the backup. Then re-initialize all other masters (this should all be documented already).
If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment.
IPA is so much more than just an LDIF.
_Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right?
The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want.
Or if you use VMs you can use disk snapshots to maintain backups.
rob
any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files.
is it possible to use very old vm image plus the regular ldif backup recovery?
2018年3月1日 上午7:02 於 "Rob Crittenden" rcritten@redhat.com 寫道:
barrykfl--- via FreeIPA-users wrote:
Hi all:
any one has better solution of freeipa backup ? assume all ldap db crash ,all ca fail, no backup of cert ...etc but need cleanly install one with same hostname.
and we have /usr/sbin/ipa-backup ldif backup .
Can I use an old image but restore back ldif such backup?
or any better solution for clean install with this ldif copy.
If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS.
Then restore the backup. Then re-initialize all other masters (this should all be documented already).
If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment.
IPA is so much more than just an LDIF.
_Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right?
The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want.
Or if you use VMs you can use disk snapshots to maintain backups.
rob
On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote:
any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files.
Hi,
you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
The full backup of a master with CA also contains the certs and the CA.
HTH, Flo
is it possible to use very old vm image plus the regular ldif backup recovery?
2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com mailto:rcritten@redhat.com> 寫道:
barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all other masters (this should all be documented already). If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment. IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right? The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want. Or if you use VMs you can use disk snapshots to maintain backups. rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
ic ..but the full restore can success run in clean installed master with new CA overwrite?
e.g. master with CA and ldap all crashed with replication servers but data aslo crashed...can it be use as restore using the same hostname and rebuild the replication agreements with others?
2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud flo@redhat.com:
On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote:
any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files.
Hi,
you can find the doc for 4.5 in https://access.redhat.com/docu mentation/en-us/red_hat_enterprise_linux/7/html/linux_domain _identity_authentication_and_policy_guide/backup-restore
The full backup of a master with CA also contains the certs and the CA.
HTH, Flo
is it possible to use very old vm image plus the regular ldif backup
recovery?
2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com mailto: rcritten@redhat.com> 寫道:
barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all other masters (this should all be documented already). If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment. IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth
the trouble and would you ever fully trust that you got it 100% right?
The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain
the old name if you want.
Or if you use VMs you can use disk snapshots to maintain backups. rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote:
ic ..but the full restore can success run in clean installed master with new CA overwrite?
e.g. master with CA and ldap all crashed with replication servers but data aslo crashed...can it be use as restore using the same hostname and rebuild the replication agreements with others?
Hi,
yes, the doc explains how to restore in a multi-master environment: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
HTH, Flo
2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com mailto:flo@redhat.com>:
On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote: any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files. Hi, you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore> The full backup of a master with CA also contains the certs and the CA. HTH, Flo is it possible to use very old vm image plus the regular ldif backup recovery? 2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> 寫道: barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all other masters (this should all be documented already). If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment. IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right? The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want. Or if you use VMs you can use disk snapshots to maintain backups. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Tried those command before ,,,seem the web page and LDAP separate or I missed some parts. it can turn on the ldap but the web page not allow to login ...mostly it related to ?
2018-03-02 17:24 GMT+08:00 Florence Blanc-Renaud flo@redhat.com:
On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote:
ic ..but the full restore can success run in clean installed master with new CA overwrite?
e.g. master with CA and ldap all crashed with replication servers but data aslo crashed...can it be use as restore using the same hostname and rebuild the replication agreements with others?
Hi,
yes, the doc explains how to restore in a multi-master environment: https://access.redhat.com/documentation/en-us/red_hat_enterp rise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/restore#restore-multiple-masters
HTH, Flo
2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com <mailto:
flo@redhat.com>>:
On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote: any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files. Hi, you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterp
rise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/backup-restore https://access.redhat.com/documentation/en-us/red_hat_enter prise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/backup-restore
The full backup of a master with CA also contains the certs and the
CA.
HTH, Flo is it possible to use very old vm image plus the regular ldif backup recovery? 2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> 寫道: barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all other masters (this should all be documented already). If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment. IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right? The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want. Or if you use VMs you can use disk snapshots to maintain backups. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
On 04/03/2018 02:28, barrykfl--- via FreeIPA-users wrote:
Tried those command before ,,,seem the web page and LDAP separate or I missed some parts. it can turn on the ldap but the web page not allow to login ...mostly it related to ?
Hi,
on which system do you have trouble accessing the web GUI? the master? In this case, can you paste the exact command you ran for restore, and the exact error message you see when trying to authenticate to the web? The httpd error log may also be helpful (/var/log/httpd/error).
Flo
2018-03-02 17:24 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com mailto:flo@redhat.com>:
On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote: ic ..but the full restore can success run in clean installed master with new CA overwrite? e.g. master with CA and ldap all crashed with replication servers but data aslo crashed...can it be use as restore using the same hostname and rebuild the replication agreements with others? Hi, yes, the doc explains how to restore in a multi-master environment: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters> HTH, Flo 2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com <mailto:flo@redhat.com>>>: On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote: any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files. Hi, you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore>> The full backup of a master with CA also contains the certs and the CA. HTH, Flo is it possible to use very old vm image plus the regular ldif backup recovery? 2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> 寫道: barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all other masters (this should all be documented already). If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment. IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right? The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want. Or if you use VMs you can use disk snapshots to maintain backups. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi: the link u provided mentioned similar :
9.2. RESTORING A BACKUP
If you have a directory with a backup created using
ipa-backup
, you can restore your IdM
server or the LDAP content to the state in which they were when the backup was
performed. You cannot restore a backup on a host different from the host on which the
backup was originally created
Is it meant if I clean install using same host name ( a total new host) and restore using the backup
it will fail right ?.. The disaster meant all hosts fail I need clean install the first host can I use the that restore method ?
2018-03-05 16:31 GMT+08:00 Florence Blanc-Renaud flo@redhat.com:
On 04/03/2018 02:28, barrykfl--- via FreeIPA-users wrote:
Tried those command before ,,,seem the web page and LDAP separate or I missed some parts. it can turn on the ldap but the web page not allow to login ...mostly it related to ?
Hi,
on which system do you have trouble accessing the web GUI? the master? In this case, can you paste the exact command you ran for restore, and the exact error message you see when trying to authenticate to the web? The httpd error log may also be helpful (/var/log/httpd/error).
Flo
2018-03-02 17:24 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com <mailto:
flo@redhat.com>>:
On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote: ic ..but the full restore can success run in clean installed master with new CA overwrite? e.g. master with CA and ldap all crashed with replication servers but data aslo crashed...can it be use as restore using the same hostname and rebuild the replication agreements with others? Hi, yes, the doc explains how to restore in a multi-master environment: https://access.redhat.com/documentation/en-us/red_hat_enterp
rise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/restore#restore-multiple-masters https://access.redhat.com/documentation/en-us/red_hat_enter prise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/restore#restore-multiple-masters
HTH, Flo 2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com <mailto:flo@redhat.com>>>: On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote: any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca
related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files.
Hi, you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterp
rise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/backup-restore https://access.redhat.com/documentation/en-us/red_hat_enter prise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/backup-restore <https://access.redhat.com/doc umentation/en-us/red_hat_enterprise_linux/7/html/linux_domai n_identity_authentication_and_policy_guide/backup-restore https://access.redhat.com/documentation/en-us/red_hat_enter prise_linux/7/html/linux_domain_identity_authentication_and_ policy_guide/backup-restore>
The full backup of a master with CA also contains the certs and the CA. HTH, Flo is it possible to use very old vm image plus the regular ldif backup recovery? 2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> 寫道: barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all
other masters (this should all be documented already).
If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the
moment.
IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus
the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right?
The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want. Or if you use VMs you can use disk snapshots to maintain backups. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedo rahosted.org
On 05/03/2018 09:57, Barry via FreeIPA-users wrote:
Hi: the link u provided mentioned similar :
9.2. RESTORING A BACKUP
If you have a directory with a backup created using
ipa-backup
, you can restore your IdM
server or the LDAP content to the state in which they were when the backup was
performed. You cannot restore a backup on a host different from the host on which the
backup was originally created
Hi,
this means that you need to restore on a host with the same hostname, and same IPA version. It can be a different machine (a new VM or a new physical system). The procedure in the doc will allow to recover the IPA master from the backup.
HTH, Flo
Is it meant if I clean install using same host name ( a total new host) and restore using the backup
it will fail right ?.. The disaster meant all hosts fail I need clean install the first host can I use the that restore method ?
2018-03-05 16:31 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com mailto:flo@redhat.com>:
On 04/03/2018 02:28, barrykfl--- via FreeIPA-users wrote: Tried those command before ,,,seem the web page and LDAP separate or I missed some parts. it can turn on the ldap but the web page not allow to login ...mostly it related to ? Hi, on which system do you have trouble accessing the web GUI? the master? In this case, can you paste the exact command you ran for restore, and the exact error message you see when trying to authenticate to the web? The httpd error log may also be helpful (/var/log/httpd/error). Flo 2018-03-02 17:24 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com <mailto:flo@redhat.com>>>: On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote: ic ..but the full restore can success run in clean installed master with new CA overwrite? e.g. master with CA and ldap all crashed with replication servers but data aslo crashed...can it be use as restore using the same hostname and rebuild the replication agreements with others? Hi, yes, the doc explains how to restore in a multi-master environment: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore#restore-multiple-masters>> HTH, Flo 2018-03-01 15:19 GMT+08:00 Florence Blanc-Renaud <flo@redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com <mailto:flo@redhat.com>> <mailto:flo@redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com <mailto:flo@redhat.com>>>>: On 03/01/2018 12:10 AM, barrykfl--- via FreeIPA-users wrote: any ref. full backup.of 4.5? I only can found v3 . will it recover all cert ca related ? I tried such recover in v3 it seem it broken the relationship of others agreement. or I missed the backup of some files. Hi, you can find the doc for 4.5 in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore>> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/backup-restore>>> The full backup of a master with CA also contains the certs and the CA. HTH, Flo is it possible to use very old vm image plus the regular ldif backup recovery? 2018年3月1日 上午7:02 於 "Rob Crittenden" <rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>> 寫道: barrykfl--- via FreeIPA-users wrote: > Hi all: > > any one has better solution of freeipa backup ? assume all ldap db crash > ,all ca fail, no backup of cert ...etc but need cleanly install one with > same hostname. > > and we have /usr/sbin/ipa-backup ldif backup . > > Can I use an old image but restore back ldif such backup? > > or any better solution for clean install with this ldif copy. If you have a full backup of a master with a CA and have saved it off-machine and your machine dies then you can re-install using the EXACT SAME OPTIONS. Then restore the backup. Then re-initialize all other masters (this should all be documented already). If you have only one master with a CA and it dies and you have no backups then you are pretty much hosed at the moment. IPA is so much more than just an LDIF. _Could_ you use an LDIF to restore the data minus the certs? Yeah, probably, with a whole ton of work and expertise. Would it be worth the trouble and would you ever fully trust that you got it 100% right? The best solution is to maintain multiple masters and > 1 CA. If one dies then you delete it and provision a new master. You can maintain the old name if you want. Or if you use VMs you can use disk snapshots to maintain backups. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
freeipa-users@lists.fedorahosted.org