9.2. Restoring a Backup
If you have a directory with a backup created using ipa-backup, you can restore your IdM server or the LDAP content to the state in which they were when the backup was performed. You cannot restore a backup on a host different from the host on which the backup was originally created.
Note
Uninstalling an IdM server does not automatically remove the backup of this server.
9.2.1. Restoring from the Full-Server or Data-Only Backup
Important
It is recommended that you uninstall a server before performing a full-server restore on it.
Both full-server and data-only backups are restored using the ipa-restore utility which must always be run as root. Pass the backup to the command:
- Pass only the name of the directory with the backup if it is located in the default /var/lib/ipa/backup/ directory.
- Pass the full path to the backup if the directory containing the backup is not located in the default directory. For example:
[root@server ~]# ipa-restore /path/to/backup
The ipa-restore utility automatically detects what type of backup the backup directory contains and by default performs the same type of restore.
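A pre-restore check for the two constraints above (the backup must come from this host, and the restore type follows the backup type), as an added example that is not part of the original documentation. It assumes the backup directory contains an INI-style header file with type and host keys; that file, the IPA_BACKUP_ROOT variable and the function names are assumptions of this example.

```bash
# Pre-restore sanity check for an ipa-backup directory (added example).
# Assumption: the backup directory holds an INI-style "header" file with
# "type" and "host" keys; that file is not described on this page.

IPA_BACKUP_ROOT="${IPA_BACKUP_ROOT:-/var/lib/ipa/backup}"  # default location from the page

# A bare directory name is looked up in the default location; anything
# containing a slash is used as given, mirroring how the page says to pass it.
resolve_backup_dir() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s\n' "$IPA_BACKUP_ROOT/$1" ;;
    esac
}

# Print the value of one "key = value" line from the header file.
header_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Lowercase a string; host names are compared case-insensitively.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Usage: check_backup <name-or-path> [this-host-fqdn]
# Prints the backup type (FULL or DATA) and returns 0 if the backup was
# created on this host; returns 2 if unreadable, 3 on a host mismatch.
check_backup() {
    local dir header btype bhost this_host
    dir=$(resolve_backup_dir "$1")
    header="$dir/header"
    this_host="${2:-$(hostname -f)}"
    if [ ! -r "$header" ]; then
        echo "no readable header in $dir" >&2
        return 2
    fi
    btype=$(header_value "$header" type)
    bhost=$(header_value "$header" host)
    if [ "$(lc "$bhost")" != "$(lc "$this_host")" ]; then
        echo "backup is from '$bhost', this host is '$this_host'" >&2
        return 3
    fi
    printf '%s\n' "$btype"
}
```

Run check_backup as root with the same argument you intend to pass to ipa-restore, and proceed only when it returns 0.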
You can add the following options to ipa-restore:
- --data performs a data-only restore from a full-server backup, that is, restores only the LDAP data component from a backup directory containing the full-server backup
- --online restores the LDAP data in a data-only restore online
- --instance specifies which 389 DS instance is restored. IdM in Red Hat Enterprise Linux 7 only uses the IPA-REALM instance, but it might be possible, for example, to create a backup on a system with separate instances; in such cases, --instance allows you to restore only IPA-REALM. For example:
[root@server ~]# ipa-restore --instance=IPA-REALM /path/to/backup
You can use this option only when performing a data-only restore.
- --backend specifies which back end is restored; without this option, ipa-restore restores all back ends it discovers. The arguments defining the possible back ends are userRoot, which restores the IPA data back end, and ipaca, which restores the CA back end.
You can use this option only when performing a data-only restore.
- --no-logs restores the backup without restoring the log files
To avoid authentication problems on an IdM master, clear the SSSD cache after a restore:
- Stop the SSSD service:
[root@server ~]# systemctl stop sssd
- Remove all cached content from SSSD:
[root@server ~]# find /var/lib/sss/ ! -type d | xargs rm -f
- Start the SSSD service:
[root@server ~]# systemctl start sssd
Note
It is recommended that you reboot your system after restoring from backup.
For further information on using ipa-restore, see the ipa-restore(1) man page.
9.2.2. Restoring with Multiple Master Servers
Restoring from backup sets the restored server as the new data master, and you will be required to reinitialize all other masters after the restore. To reinitialize the other masters, run the ipa-replica-manage command and, on masters that have a CA installed, the ipa-csreplica-manage command. For example:
[root@server ~]# ipa-replica-manage re-initialize --from=restored_master_FQDN
For further information on replication during restore and on restoration on other masters, see the ipa-restore(1) man page.
9.2.3. Restoring from an Encrypted Backup
If you want to restore from a backup encrypted with GPG, provide the full path to the private and public keys using the --gpg-keyring option. For example:
[root@server ~]# ipa-restore --gpg-keyring=/root/backup /path/to/backup
