Actually, ipa-backup isn’t such a bad approach. It produces ipa-data.tar. If you look in the tar file you’ll find DOMAIN-userRoot.ldif. This is the whole database as an LDIF file. If you spend a few minutes looking at the format, it’s actually pretty easy to pull out individual entries or groups of entries. The lines in the LDIF files include all the attributes, so it’s not hard to see how to put things back.

On Jun 25, 2018, at 5:17:20 PM, John Petrini via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi Rob,

Exactly. I just need a quick way to restore in case someone fat fingers a change. I was curious if there was a baked in way to do this using FreeIPA but it sounds like there isn't.

Thanks for the other suggestions. It looks like a zone transfer will probably be the simplest way to get a backup. I also stumbled across this tool: https://github.com/freeipa/zone2dyndb-ldif for converting the zone transfer to something usable by bind-dyndb-ldap so I'm going to throw together a script to automate the backups of the zones and another that uses zone2dyndb-ldif to import the backups.

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/YCU7A7IPWAZ23P67JUA3RB3H7J7MV24W/
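
Pulling a group of entries out of an LDIF export such as DOMAIN-userRoot.ldif, as an added example that is not part of the original thread. The sample LDIF, its DNs and the function names `parse_ldif` and `entries_under` are constructed for illustration; the parser handles folded lines, comments and base64 (`attr::`) values.

```python
import base64

# Constructed sample in the shape of an LDIF export; not real data.
SAMPLE_LDIF = """\
version: 1

# entry-id: 1
dn: idnsname=example.test.,cn=dns,dc=example,dc=test
objectClass: idnsrecord
objectClass: idnszone
idnsName: example.test.

dn: idnsname=www,idnsname=example.test.,cn=dns,dc=example,dc=test
objectClass: idnsrecord
idnsName: www
aRecord: 192.0.2.10
description:: aGVsbG8=

dn: uid=alice,cn=users,cn=accounts,dc=ex
 ample,dc=test
uid: alice
"""

def parse_ldif(text):
    """Yield (dn, raw_block, attrs) for each entry in an LDIF string."""
    # A line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):   # blank line separates entries
        lines = [l for l in block.split("\n") if l and not l.startswith("#")]
        attrs = []
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):       # "attr:: <base64 value>"
                raw = base64.b64decode(rest[1:].strip())
                value = raw.decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs.append((name, value))
        if attrs and attrs[0][0].lower() == "dn":  # skips "version: 1"
            yield attrs[0][1], "\n".join(lines), attrs[1:]

def entries_under(text, suffix):
    """Return {dn: raw LDIF block} for entries at or below `suffix`."""
    suffix = suffix.lower()
    return {dn: raw for dn, raw, _ in parse_ldif(text)
            if dn.lower() == suffix or dn.lower().endswith("," + suffix)}

if __name__ == "__main__":
    dns = entries_under(SAMPLE_LDIF, "cn=dns,dc=example,dc=test")
    print("\n\n".join(dns.values()))
```

The raw blocks are returned unchanged apart from unfolding, so the extracted subset is itself LDIF that can be reviewed before anything is put back.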