How to backup / restore FreeIPA 2.2.0 on Red Hat Enterprise Linux 6

Performing a restore

When restoring from a backup, first make sure you are working on a CLEAN installation. As a best practice, use a fresh install and not something that you “think” might be clean enough. If in doubt, reinstall. It won’t take long to redeploy a clean system.

Next, the restore should use the config archive taken in the backup above. Copy your backup from whatever media you saved it to onto your clean server.

DO NOT RUN “ipa-server-install” on your clean system.

AGAIN, please speak to Red Hat before performing this on a production FreeIPA environment. You don’t really want to risk it.
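
The two preconditions above (an intact copy of the archive, and a host on which IPA has never been configured) can be checked mechanically before the restore is run as root. The following is an added example, not part of the original article or its ipa-restore tool. Its assumptions are the function names, the optional ".sha256" file saved next to the archive, the use of /etc/ipa/default.conf as the "already configured" marker, and that the archive was created without "tar -P", so member names are relative.

```shell
# Added example (not the author's tool): pre-flight checks before ipa-restore.
# Return codes: 0 ok, 1 unreadable/corrupt archive, 2 checksum mismatch,
#               3 unsafe member path, 4 host already configured for IPA.

# Reads member names on stdin; succeeds if any is absolute or contains "..".
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# preflight_restore ARCHIVE [ROOT]
# ROOT defaults to "/"; it exists only so the check can be tried against a
# scratch directory (an assumption of this example).
preflight_restore() {
    archive=$1
    root=${2:-/}

    # 1. The archive must exist and list cleanly (catches truncated copies).
    [ -r "$archive" ] || return 1
    members=$(tar -tzf "$archive" 2>/dev/null) || return 1

    # 2. If a checksum was recorded at backup time (assumed name:
    #    ARCHIVE.sha256), the copy on this server must still match it.
    if [ -f "$archive.sha256" ]; then
        want=$(cut -d' ' -f1 < "$archive.sha256")
        have=$(sha256sum < "$archive" | cut -d' ' -f1)
        [ "$want" = "$have" ] || return 2
    fi

    # 3. The restore runs as root, so refuse archives whose members could
    #    be written outside the intended tree.
    if printf '%s\n' "$members" | has_unsafe_member; then
        return 3
    fi

    # 4. /etc/ipa/default.conf is written when IPA is configured on a host;
    #    if it is present, this is not the clean system the restore expects.
    [ ! -e "${root%/}/etc/ipa/default.conf" ] || return 4
    return 0
}
```

Call it as preflight_restore /mybackup/config/config-20120907211435.tgz and continue only when it returns 0.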

To continue with the restore, run “ipa-restore”.

See the output below:

[root@ds01 ~]# ipa-restore

Usage examples:

To perform a backup, use the below information as a guide.

Full Backup (in development)
# ipa-restore --type full --source /path/to/my/full_backup.tgz

LDAP Backup (in development)
# ipa-restore --type ldap --source /path/to/my/ldap_backup.ldif

Dogtag Backup (in development
# ipa-restore --type dogtag --source /path/to/my/dogtag_backup.ldif

Config Backup
# ipa-restore --type config --source /path/to/my/config_backup.tgz

[root@ds01 ~]# ipa-restore --type config --source /mybackup/config/config-20120907211435.tgz

Using /mybackup/config/config-20120907211435.tgz as restore archive.

This restore process will cause IPA to restart
Are you sure you wish to continue? [Y/n] y

Restoration is now complete
All output for this restoration has been logged to /root/ipa-restore.log

It is *highly* recommended that you reboot your system to allow all IPA dependant services to reload cleanly.

Would you like to reboot now? [Y/n] y

Broadcast message from
(/dev/pts/0) at 0:51 ...

The system is going down for reboot NOW!
[root@ds01 ~]#


You don’t HAVE to reboot after the restore; however, as it’s a clean system and there is nothing else running on it, there is nothing to lose in doing so. Worst case scenario, you have at least confirmed that the restoration has not broken anything that would stop an unattended reboot.

I have tested this backup and restore process in my demo and testing environments over 100 times and each time it has worked. Kerberos and LDAP have persisted and allowed authentication. User and group management has worked, and all other tests have shown that the restoration has worked.

That being said, I am by no means an expert in the inner workings of FreeIPA. Please test this process thoroughly and get the OK from Red Hat if you wish to use it in production.

I truly hope this has proven helpful to my readers.

5 comments on “How to backup / restore FreeIPA 2.2.0 on Red Hat Enterprise Linux 6”

  1. Johan October 10, 2012 16:28

    Nice article, very detailed and thought through!

    However I wonder if you have looked into how to recover in a more complex multi master configuration? What would be the way to recover a situation where,

    A) One of the master servers dies and needs to be replaced/restored?

    B) A user mistake that leads to missing data?

    For scenario A) I imagine that the backup steps provided here will not work, since the data in the backup and on the master that didn’t die will be inconsistent.

    For scenario B) how can one restore the missing data from backups?

    • Dale Macartney October 17, 2012 14:42

      Hi Johan

      Thanks for the feedback. Thanks for the questions.

      I have written this process as an interim solution for FreeIPA 2.2. FreeIPA 3 will have a supported backup method from what I am aware of.

      Regarding your question of multi master server restorations, this method is to be as simple as a System State backup is for Windows. You would simply have this backup run on each of your master servers. You would simply need to restore the right backup archive for that server.

      As for your question about restoring missing data, this should be treated as a more advanced type of restoration. As such, it goes beyond the spec of this article.
      The ipa-backup command will give you the ability to back up to an LDIF export for both LDAP and Dogtag. Restoration of this data to a granular level is something that should really be based on recommendations from the FreeIPA team at Red Hat.

      Best regards


  2. rob July 9, 2013 10:31

    Thanks for this article. I tried going down the tarball route myself but couldn’t get the conclusive list of paths that needed to be backed up. I’ll give this a shot asap, as backup/restore is the one thing that’s holding up our IPA deployment.

  3. Sergio August 19, 2013 21:36

    I’ve tried to run:

    ./ --type full --source /root/respaldo_ipa/full/full_backup-20130819143745.tgz

    But I get the following message:

    “Full restore functionality is currently in development”

    Is there a final version for ipa-backup software?

    Cheers from Chile.

    • Dale Macartney August 23, 2013 22:07

      Hi Sergio

      This tool was written for FreeIPA 2.x as there was no documented method to create a reliable backup.

      With the release of FreeIPA 3, backup and restore was introduced as a supported feature.

      For details covering the topic, have a read of the below link from the FreeIPA team.

      I hope this helps lead you in the right direction.

