Running an IdM server and then trying to use the users registered in IdM from a KDE desktop takes a surprising amount of attention.

One of those things is fingerprint authentication: open the user info window and only the local accounts are listed; the IdM users are not there at all.

Well, what can you do.

So here is the fingerprint enrollment process with our friend, the terminal.

First of all, to use fingerprint authentication, the fingerprint feature has to be enabled in the authselect profile.

[weing@weing-laptop pam.d]$ authselect list-features sssd
with-altfiles
with-ecryptfs
with-faillock
with-files-access-provider
with-files-domain
with-fingerprint
with-gssapi
with-libvirt
with-mdns4
with-mdns6
with-mkhomedir
with-pam-gnome-keyring
with-pam-u2f
with-pam-u2f-2fa
with-pamaccess
with-pwhistory
with-silent-lastlog
with-smartcard
with-smartcard-lock-on-removal
with-smartcard-required
with-subid
with-sudo
with-systemd-homed
without-nullok
without-pam-u2f-nouserok
[weing@weing-laptop pam.d]$ authselect current
프로필 ID : sssd
사용 가능한 기능 :
- with-mkhomedir
- with-sudo
- with-mdns4
[weing@weing-laptop pam.d]$ sudo authselect enable-feature with-fingerprint
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-fingerprint is selected, make sure fprintd service is configured and enabled

[weing@weing-laptop pam.d]$ authselect current
프로필 ID : sssd
사용 가능한 기능 :
- with-mkhomedir
- with-sudo
- with-mdns4
- with-fingerprint

Enable it with authselect enable-feature with-fingerprint.

Now let's enroll a fingerprint using fprintd.

[weing@weing-laptop authselect]$ fprintd-delete weing
found 1 devices
Device at /net/reactivated/Fprint/Device/0
Using device /net/reactivated/Fprint/Device/0
Fingerprints of user weing deleted on ElanTech Fingerprint Sensor
[weing@weing-laptop authselect]$ fprintd-list weing
found 1 devices
Device at /net/reactivated/Fprint/Device/0
Using device /net/reactivated/Fprint/Device/0
User weing has no fingers enrolled for ElanTech Fingerprint Sensor.

First, check whether any fingerprints are already enrolled.

[weing@weing-laptop authselect]$ fprintd-enroll weing -f right-index-finger
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-disconnected

Linux fingerprint recognition is really finicky.

It just. Will. Not. Recognize. The. Finger. x100.

Do anything slightly wrong and you get a retry; if you are unlucky there, enroll-disconnected shows up and you have to start over from the beginning.

You have to press down moderately and then lift the finger off cleanly, right away, for a scan to register.

Ugh.

So just enroll with root privileges via su. The user can be given on the command line.
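The enroll-and-retry loop described above (enroll as root for a named user, start over whenever enroll-disconnected appears, then verify), as an added shell script. This is not code from the original post or from fprintd; it assumes fprintd-enroll, fprintd-verify and authselect are in PATH and that it runs as root. It treats the fprintd result strings enroll-completed and enroll-disconnected (both visible in the post) and enroll-failed (one of fprintd's documented enroll results, not shown in the post) as terminal outcomes.

```shell
#!/bin/sh
# Added example, not from the original post or from fprintd: classify the output
# of fprintd-enroll and retry automatically on enroll-disconnected, then verify.
# Assumes fprintd-enroll/fprintd-verify/authselect in PATH and root privileges
# (root may enroll for any user, which is why the post enrolls via su).

# True when the current authselect profile has the fingerprint feature enabled.
# The feature lines ("- with-fingerprint") are not localized, unlike the labels.
fingerprint_feature_enabled() {
    authselect current 2>/dev/null | grep -q -- '^- with-fingerprint$'
}

# Read fprintd-enroll output on stdin and print the final outcome:
#   completed    enroll-completed was reported
#   disconnected the device dropped the session (start over, as the post describes)
#   failed       enroll-failed (fprintd's documented failure result; not in the post)
#   incomplete   the output ended without any terminal result
enroll_outcome() {
    state=incomplete
    while IFS= read -r line; do
        case "$line" in
            *"Enroll result: enroll-completed"*)    state=completed ;;
            *"Enroll result: enroll-disconnected"*) state=disconnected ;;
            *"Enroll result: enroll-failed"*)       state=failed ;;
        esac
    done
    printf '%s\n' "$state"
}

# How many enroll-stage-passed lines were reported (stdin), i.e. how far it got.
stages_passed() {
    grep -c 'enroll-stage-passed' || true
}

# Enroll finger $2 (default right-index-finger) for user $1, retrying up to $3
# times when the sensor disconnects mid-enrollment. Any other failure stops.
enroll_with_retry() {
    user=$1; finger=${2:-right-index-finger}; max=${3:-5}; n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        out=$(fprintd-enroll "$user" -f "$finger" 2>&1)
        case "$(printf '%s\n' "$out" | enroll_outcome)" in
            completed)
                echo "enrolled $finger for $user on attempt $n"
                return 0 ;;
            disconnected)
                echo "attempt $n: sensor disconnected after $(printf '%s\n' "$out" | stages_passed) stage(s), retrying" >&2 ;;
            *)
                printf '%s\n' "$out" >&2
                return 1 ;;
        esac
    done
    echo "gave up after $max attempts" >&2
    return 1
}

# Usage (as root): ./enroll.sh --run weing right-index-finger
if [ "${1:-}" = "--run" ]; then
    fingerprint_feature_enabled || {
        echo "run first: authselect enable-feature with-fingerprint" >&2; exit 1; }
    enroll_with_retry "${2:?user}" "${3:-right-index-finger}" 5 &&
        fprintd-verify "$2" -f "${3:-right-index-finger}"
fi
```

The classifier reads the same "Enroll result:" lines the post shows, so you can also pipe a saved transcript into enroll_outcome to see why a run ended.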

Once enrollment has finally succeeded after all that trouble, check it with fprintd-verify.

[weing@weing-laptop authselect]$ fprintd-enroll weing -f right-index-finger
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed
fprintd-delete  fprintd-enroll  fprintd-list    fprintd-verify  
[weing@weing-laptop authselect]$ fprintd-verify weing -f right-index-finger
Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
 - #0: right-index-finger
Verify started!
Verifying: right-index-finger
Verify result: verify-no-match (done)

It doesn't work?

Why not?!

[weing@weing-laptop ~]$ sudo su
지문 인식기에 오른손 집게손가락을 문지르십시오
지문과 일치하지 않습니다
지문 인식기에 오른손 집게손가락을 문지르십시오
지문과 일치하지 않습니다
지문 인식기에 오른손 집게손가락을 문지르십시오
지문과 일치하지 않습니다
[sudo] weing 암호: 
[root@weing-laptop weing]#

So I have gotten fingerprint authentication enabled, but the actual fingerprint check never passes.

Why!!!!!!

Anyway, let's just chalk this one up to my lack of skill.


Uploaded by N2T

By default, when sudo is configured through FreeIPA, sudo works as configured in the terminal, but the desktop environment only recognizes local accounts.

As shown below.

The environment for this example is as follows (user/password).

Local account    IPA account
local/1234       ipadmin/ipaadmin
                 weing/ipa

I am logged in to KDE as the IPA account weing.

Entering weing's password here (ipa, for example) does not get you through.

In that case a new PolicyKit rule has to be added.

[weing@weing-laptop ~]$ sudo su
[sudo] weing 암호: 
[root@weing-laptop weing]# cd /etc/polkit-1/rules.d
[root@weing-laptop rules.d]# ll
합계 8
-rw-r--r--. 1 root root 298  5월 12일  19:29 48-kde.rules
-rw-r--r--. 1 root root 974  1월 20일  09:00 49-polkit-pkla-compat.rules
[root@weing-laptop rules.d]#

By default there is a 49-polkit-pkla-compat.rules; we need a rule that takes precedence over it.

Name the file 48-kde.rules and give it the following contents.

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:kde_admins", "unix-group:wheel"];
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.isInGroup("kde_admins")) {
        return polkit.Result.YES;
    }
});

The first one, addAdminRule, decides which groups are offered as admin identities in the password prompt:

members of the kde_admins and wheel groups will appear there.

The second one returns polkit.Result.YES for the org.freedesktop.policykit.exec action when the subject is in kde_admins; I think this one concerns alternative login means.
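A small installer for the rule file above, as an added example (not the post's own commands and not from polkit): it writes the same two rules, checks that the chosen file name sorts before 49-polkit-pkla-compat.rules, and lets you pick the result for org.freedesktop.policykit.exec explicitly. As written on the page, polkit.Result.YES means members of kde_admins run pkexec without any prompt at all; AUTH_ADMIN_KEEP, the script's default, keeps the password prompt against the admin identities from addAdminRule and caches the authorization for a short time. The group name kde_admins and the file name 48-kde.rules come from the post; the rules-directory argument exists only so the functions can be tried in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post or from polkit: generate and
# install a polkit rules file for a group of IdM users. The group (kde_admins)
# and file name (48-kde.rules) follow the post; the rules directory can be
# overridden so the functions can be exercised in a temporary directory.

# Values polkit.Result accepts (from the polkit(8) rules documentation).
valid_result() {
    case "$1" in
        YES|NO|NOT_HANDLED|AUTH_SELF|AUTH_SELF_KEEP|AUTH_ADMIN|AUTH_ADMIN_KEEP) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rule file for group $1. $2 is the result for
# org.freedesktop.policykit.exec (pkexec):
#   YES              members of the group run pkexec with no prompt (the post's rule)
#   AUTH_ADMIN_KEEP  members still authenticate as one of the admin identities,
#                    and the authorization is kept for a short time (default here)
polkit_rule_text() {
    group=$1; result=${2:-AUTH_ADMIN_KEEP}
    valid_result "$result" || { echo "unknown polkit.Result: $result" >&2; return 1; }
    cat <<EOF
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:${group}", "unix-group:wheel"];
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.isInGroup("${group}")) {
        return polkit.Result.${result};
    }
});
EOF
}

# polkit reads rules.d in lexical file-name order and the first rule that
# returns a result wins, so the new file must sort before the one it overrides.
rule_precedes() {
    [ "$1" != "$2" ] &&
    [ "$1" = "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" ]
}

# install_polkit_rule NAME GROUP [RESULT] [RULES_DIR]
# Writes to a temp name first so polkit never sees a half-written file.
install_polkit_rule() {
    name=$1; group=$2; result=${3:-AUTH_ADMIN_KEEP}; dir=${4:-/etc/polkit-1/rules.d}
    rule_precedes "$name" 49-polkit-pkla-compat.rules || {
        echo "$name would be evaluated after 49-polkit-pkla-compat.rules" >&2; return 1; }
    polkit_rule_text "$group" "$result" > "$dir/$name.tmp" || { rm -f "$dir/$name.tmp"; return 1; }
    chmod 0644 "$dir/$name.tmp" && mv "$dir/$name.tmp" "$dir/$name"
}

# Usage (as root): install_polkit_rule 48-kde.rules kde_admins AUTH_ADMIN_KEEP
```

Pass YES as the third argument if you really want the post's prompt-free behaviour; the file mode 0644 and root ownership match the existing files in the directory listing above.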

Of course, an HBAC rule also has to be set up so that the gdm, gdm-login and kdm services can access that host.

Now, when you try to log in from the GUI,

you can authenticate with an IdM account too, like this.




First, install the IPA client and join the domain with the following command.

[root@IdM lana_local]# ipa-client-install -p lana -W --mkhomedir --no-ntp --domain=weing.asdf --realm=WEING.ASDF
This program will set up IPA client.
Version 4.10.0

Discovery was successful!
Client hostname: idm-sub.weing.asdf
Realm: WEING.ASDF
DNS Domain: weing.asdf
IPA Server: idm.weing.asdf
BaseDN: dc=weing,dc=asdf

Continue to configure the system with these values? [no]:  yes  
Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
Password for lana@WEING.ASDF: 
Successfully retrieved CA cert
    Subject:     CN=WEING Internal Certificate Authority,O=WEING.ASDF
    Issuer:      CN=WEING Internal Certificate Authority,O=WEING.ASDF
    Valid From:  2022-12-24 19:25:34
    Valid Until: 2042-12-24 19:25:34

Enrolled in IPA realm WEING.ASDF
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (idm-sub.weing.asdf) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring weing.asdf as NIS domain.
Configured /etc/krb5.conf for IPA realm WEING.ASDF
Client configuration complete.
The ipa-client-install command was successful

Now, to prepare for IdM replication, add the client that will become the IPA replica to the ipaservers host group on the server side.

[lana@idm ~]$ kinit lana
Password for lana@WEING.ASDF: 
[lana@idm ~]$ ipa hostgroup-add-member ipaservers --hosts idm-sub.weing.asdf
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: idm.weing.asdf, idm-sub.weing.asdf
-------------------------
Number of members added 1
-------------------------
[lana@idm ~]$ ipa hostgroup-show ipaservers
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: idm.weing.asdf, idm-sub.weing.asdf

Back on the server that will become the IdM replica, run the commands.

[lana@idm-sub]$ dnf install -y ipa-server ipa-server-dns
[root@IdM lana_local]# firewall-cmd --add-service={freeipa-4,freeipa-replication,dns} --permanent
success
[root@IdM lana_local]# firewall-cmd --reload
success
[root@IdM lana_local]# ipa-replica-install --setup-dns --no-forwarders --setup-ca
Lookup failed: Preferred host idm-sub.weing.asdf does not provide DNS.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/39]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=weing,dc=asdf ...
Perform post-installation tasks ...
  [2/39]: tune ldbm plugin
  [3/39]: adding default schema
  [4/39]: enabling memberof plugin
  [5/39]: enabling winsync plugin
  [6/39]: configure password logging
  [7/39]: configuring replication version plugin
  [8/39]: enabling IPA enrollment plugin
  [9/39]: configuring uniqueness plugin
  [10/39]: configuring uuid plugin
  [11/39]: configuring modrdn plugin
  [12/39]: configuring DNS plugin
  [13/39]: enabling entryUSN plugin
  [14/39]: configuring lockout plugin
  [15/39]: configuring graceperiod plugin
  [16/39]: configuring topology plugin
  [17/39]: creating indices
  [18/39]: enabling referential integrity plugin
  [19/39]: configuring certmap.conf
  [20/39]: configure new location for managed entries
  [21/39]: configure dirsrv ccache and keytab
  [22/39]: enabling SASL mapping fallback
  [23/39]: restarting directory server
  [24/39]: creating DS keytab
  [25/39]: ignore time skew for initial replication
  [26/39]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded

  [27/39]: prevent time skew after initial replication
  [28/39]: adding sasl mappings to the directory
  [29/39]: updating schema
  [30/39]: setting Auto Member configuration
  [31/39]: enabling S4U2Proxy delegation
  [32/39]: initializing group membership
  [33/39]: adding master entry
  [34/39]: initializing domain level
  [35/39]: configuring Posix uid/gid generation
  [36/39]: adding replication acis
  [37/39]: activating sidgen plugin
  [38/39]: activating extdom plugin
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
....
Done.
The ipa-replica-install command was successful
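Pre-flight checks for the replica procedure above (membership in ipaservers, name resolution for the replica's FQDN, and the firewalld services the post opens), as an added script. This is not from the original post or from FreeIPA; the service names and the hostgroup come from the post's commands, and the check helpers read command output on stdin or as an argument so they can be tried on captured text without a live IPA domain.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA: pre-flight checks
# to run on the future replica before ipa-replica-install. Assumes the host is
# already enrolled as a client with a valid Kerberos ticket (kinit), and that
# firewalld and getent are available.

# firewalld services the post opens for a CA+DNS replica.
REPLICA_FW_SERVICES="freeipa-4 freeipa-replication dns"

# Read `ipa hostgroup-show ipaservers` output on stdin; true if $1 is listed
# on the "Member hosts:" line.
hostgroup_has_member() {
    sed -n 's/^[[:space:]]*Member hosts:[[:space:]]*//p' | tr ',' '\n' | tr -d ' ' | grep -qx "$1"
}

# ipa-client-install warned above that the host had no A/AAAA record;
# ipa-replica-install needs the replica's FQDN to resolve.
host_resolves() {
    getent ahosts "$1" >/dev/null 2>&1
}

# Print the required firewalld services missing from the active list $1
# (the output of `firewall-cmd --list-services`), one per line.
missing_fw_services() {
    active=" $1 "
    for s in $REPLICA_FW_SERVICES; do
        case "$active" in
            *" $s "*) ;;
            *) echo "$s" ;;
        esac
    done
}

# replica_preflight [FQDN]   (defaults to this host's FQDN)
replica_preflight() {
    host=${1:-$(hostname -f)}
    ipa hostgroup-show ipaservers | hostgroup_has_member "$host" ||
        { echo "$host is not in ipaservers; run: ipa hostgroup-add-member ipaservers --hosts $host"; return 1; }
    host_resolves "$host" ||
        { echo "$host has no A/AAAA record"; return 1; }
    missing=$(missing_fw_services "$(firewall-cmd --list-services)")
    [ -z "$missing" ] ||
        { echo "firewalld services not open (add with firewall-cmd --add-service=... --permanent):"; echo "$missing"; return 1; }
    echo "pre-flight ok: $host may run ipa-replica-install"
}

# Usage: ./preflight.sh --run [idm-sub.weing.asdf]
[ "${1:-}" = "--run" ] && replica_preflight "${2:-}"
```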



As mentioned in an earlier post, the directory service files can suddenly vanish.

Backups are essential, so do back up.

Honestly, the English documentation is far more substantial for most of this, so this is just my own memo.

Backup and Restore - FreeIPA
https://www.freeipa.org/page/Backup_and_Restore

For a complete backup the IPA services have to be stopped while it runs; a single ipa-backup command takes care of all of that.

[root@idm slapd-WEING-ASDF]# ipa-backup
Preparing backup on idm.weing.asdf
Local roles match globally used roles, proceeding.
Stopping IPA services
Backing up ipaca in WEING-ASDF to LDIF
Backing up userRoot in WEING-ASDF to LDIF
Backing up WEING-ASDF
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2023-03-07-12-45-49
The ipa-backup command was successful

But when you have to back up without taking the IPA services down, add the --data --online options. In that case only the data belonging to the directory service is backed up.

[root@idm slapd-WEING-ASDF]# ipa-backup --online --data
Preparing backup on idm.weing.asdf
Local roles match globally used roles, proceeding.
Backing up ipaca in WEING-ASDF to LDIF
Waiting for LDIF to finish
Backing up userRoot in WEING-ASDF to LDIF
Waiting for LDIF to finish
Backing up WEING-ASDF
Waiting for BAK to finish
Backed up to /var/lib/ipa/backup/ipa-data-2023-03-07-12-46-46
The ipa-backup command was successful

The backup files are stored under /var/lib/ipa/backup.
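An added helper, not from the post and not from FreeIPA, that reads the header file ipa-backup writes next to the tarball (its format is shown in the listings below) and pre-checks a backup directory before you hand it to ipa-restore: it tells a FULL backup from a DATA backup, lists the services recorded in the header, and compares the header's host and ipa_version with the machine you are restoring onto. ipa-restore itself rejects a backup made on a different host; treating an ipa_version mismatch as a failure is this script's own choice. BACKUP_ROOT defaults to /var/lib/ipa/backup and can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA: inspect the
# `header` file ipa-backup writes beside the tarball and pre-check a backup
# directory before ipa-restore. Assumes the header layout shown in the post
# ([ipa] section with type/time/host/ipa_version/version/services).

BACKUP_ROOT=${BACKUP_ROOT:-/var/lib/ipa/backup}

# Print the value of key $2 from header file $1 ("key = value" lines).
header_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Classify a backup directory: full (services + files.tar) or data (LDAP only).
backup_kind() {
    case "$(header_get "$1/header" type)" in
        FULL) echo full ;;
        DATA) echo data ;;
        *)    echo unknown; return 1 ;;
    esac
}

# The comma-separated services list, one per line, so callers can grep for CA, DNS, ...
backup_services() {
    header_get "$1/header" services | tr ',' '\n'
}

# backup_restorable DIR EXPECTED_HOST EXPECTED_IPA_VERSION
# Prints every reason the backup should not be restored here; returns 0 if none.
# ipa-restore rejects a backup from another host; the version check is ours.
backup_restorable() {
    dir=$1; host=$2; ver=$3; ok=0
    [ -r "$dir/header" ] || { echo "no header in $dir"; return 1; }
    bh=$(header_get "$dir/header" host)
    bv=$(header_get "$dir/header" ipa_version)
    [ "$bh" = "$host" ] || { echo "host mismatch: backup=$bh here=$host"; ok=1; }
    [ "$bv" = "$ver" ]  || { echo "version mismatch: backup=$bv here=$ver"; ok=1; }
    if [ "$(backup_kind "$dir")" = full ]; then
        [ -f "$dir/ipa-full.tar" ] || { echo "ipa-full.tar missing"; ok=1; }
    else
        [ -f "$dir/ipa-data.tar" ] || { echo "ipa-data.tar missing"; ok=1; }
    fi
    return $ok
}

# Newest full backup under BACKUP_ROOT (directory names carry the timestamp).
latest_full_backup() {
    ls -d "$BACKUP_ROOT"/ipa-full-* 2>/dev/null | LC_ALL=C sort | tail -n 1
}

# Usage: ./check-backup.sh --run [BACKUP_DIR]
if [ "${1:-}" = "--run" ]; then
    b=${2:-$(latest_full_backup)}
    [ -n "$b" ] || { echo "no full backup under $BACKUP_ROOT" >&2; exit 1; }
    echo "$b: $(backup_kind "$b") backup, services: $(backup_services "$b" | tr '\n' ' ')"
    backup_restorable "$b" "$(hostname -f)" "$(rpm -q --qf '%{VERSION}' ipa-server 2>/dev/null)"
fi
```

The --run path assumes an RPM-based system (it reads the installed ipa-server version with rpm); on other packaging, pass the version yourself.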

What got backed up in the full backup?

  • Contents collapsed because they are long
    [root@idm backup]# cd ipa-full-2023-03-07-12-45-49/
    [root@idm ipa-full-2023-03-07-12-45-49]# ll
    total 7112
    -rw-r--r--. 1 root root     157 Mar  7 12:45 header
    -rw-r--r--. 1 root root 7277999 Mar  7 12:45 ipa-full.tar
    [root@idm ipa-full-2023-03-07-12-45-49]# cat header
    [ipa]
    type = FULL
    time = 2023-03-07T03:45:00
    host = idm.weing.asdf
    ipa_version = 4.10.0
    version = 1
    services = KDC,KPASSWD,HTTP,OTPD,KEYS,CA,DNS,DNSKeySync
    [root@idm ipa-full-2023-03-07-12-45-49]# tar tf ipa-full.tar ./
    ./
    ./WEING-ASDF-ipaca.ldif
    ./WEING-ASDF-userRoot.ldif
    ./WEING-ASDF/
    ./WEING-ASDF/userRoot/
    ./WEING-ASDF/userRoot/ipauniqueid.db
    ./WEING-ASDF/userRoot/ipaSubUidNumber.db
    ./WEING-ASDF/userRoot/ipaCASubjectDN.db
    ./WEING-ASDF/userRoot/fqdn.db
    ./WEING-ASDF/userRoot/displayname.db
    ./WEING-ASDF/userRoot/description.db
    ./WEING-ASDF/userRoot/givenName.db
    ./WEING-ASDF/userRoot/hostCategory.db
    ./WEING-ASDF/userRoot/idnsName.db
    ./WEING-ASDF/userRoot/seealso.db
    ./WEING-ASDF/userRoot/ipakrbprincipalalias.db
    ./WEING-ASDF/userRoot/ipalocation.db
    ./WEING-ASDF/userRoot/krbPrincipalName.db
    ./WEING-ASDF/userRoot/numsubordinates.db
    ./WEING-ASDF/userRoot/ancestorid.db
    ./WEING-ASDF/userRoot/replication_changelog.db
    ./WEING-ASDF/userRoot/id2entry.db
    ./WEING-ASDF/userRoot/entryrdn.db
    ./WEING-ASDF/userRoot/parentid.db
    ./WEING-ASDF/userRoot/nsds5ReplConflict.db
    ./WEING-ASDF/userRoot/ipaConfigString.db
    ./WEING-ASDF/userRoot/aci.db
    ./WEING-ASDF/userRoot/entryusn.db
    ./WEING-ASDF/userRoot/entryUUID.db
    ./WEING-ASDF/userRoot/cn.db
    ./WEING-ASDF/userRoot/objectclass.db
    ./WEING-ASDF/userRoot/uidnumber.db
    ./WEING-ASDF/userRoot/nsOsVersion.db
    ./WEING-ASDF/userRoot/uid.db
    ./WEING-ASDF/userRoot/ipaAnchorUUID.db
    ./WEING-ASDF/userRoot/serverhostname.db
    ./WEING-ASDF/userRoot/macAddress.db
    ./WEING-ASDF/userRoot/nsTombstoneCSN.db
    ./WEING-ASDF/userRoot/sn.db
    ./WEING-ASDF/userRoot/nscpEntryDN.db
    ./WEING-ASDF/userRoot/ipServicePort.db
    ./WEING-ASDF/userRoot/memberPrincipal.db
    ./WEING-ASDF/userRoot/ipaNTTrustPartner.db
    ./WEING-ASDF/userRoot/memberservice.db
    ./WEING-ASDF/userRoot/memberOf.db
    ./WEING-ASDF/userRoot/nsuniqueid.db
    ./WEING-ASDF/userRoot/memberUser.db
    ./WEING-ASDF/userRoot/nsHardwarePlatform.db
    ./WEING-ASDF/userRoot/ou.db
    ./WEING-ASDF/userRoot/nsHostLocation.db
    ./WEING-ASDF/userRoot/member.db
    ./WEING-ASDF/userRoot/memberHost.db
    ./WEING-ASDF/userRoot/userCertificate.db
    ./WEING-ASDF/userRoot/uniquemember.db
    ./WEING-ASDF/userRoot/krbPasswordExpiration.db
    ./WEING-ASDF/userRoot/mail.db
    ./WEING-ASDF/userRoot/managedby.db
    ./WEING-ASDF/userRoot/memberallowcmd.db
    ./WEING-ASDF/userRoot/krbCanonicalName.db
    ./WEING-ASDF/userRoot/automountMapName.db
    ./WEING-ASDF/userRoot/accessRuleType.db
    ./WEING-ASDF/userRoot/ipaMemberCertProfile.db
    ./WEING-ASDF/userRoot/ipaEnabledFlag.db
    ./WEING-ASDF/userRoot/memberManager.db
    ./WEING-ASDF/userRoot/ipaNTSecurityIdentifier.db
    ./WEING-ASDF/userRoot/ipaallowedtarget.db
    ./WEING-ASDF/userRoot/ipaMemberCa.db
    ./WEING-ASDF/userRoot/ipaSubGidNumber.db
    ./WEING-ASDF/userRoot/gidnumber.db
    ./WEING-ASDF/userRoot/ipaOwner.db
    ./WEING-ASDF/userRoot/automountkey.db
    ./WEING-ASDF/userRoot/ipaKrbAuthzData.db
    ./WEING-ASDF/userRoot/l.db
    ./WEING-ASDF/userRoot/DBVERSION
    ./WEING-ASDF/userRoot/owner.db
    ./WEING-ASDF/userRoot/manager.db
    ./WEING-ASDF/userRoot/secretary.db
    ./WEING-ASDF/userRoot/sourcehost.db
    ./WEING-ASDF/userRoot/memberdenycmd.db
    ./WEING-ASDF/userRoot/ipasudorunas.db
    ./WEING-ASDF/userRoot/ipasudorunasgroup.db
    ./WEING-ASDF/userRoot/ipatokenradiusconfiglink.db
    ./WEING-ASDF/userRoot/ipaassignedidview.db
    ./WEING-ASDF/userRoot/ipaidpconfiglink.db
    ./WEING-ASDF/ipaca/
    ./WEING-ASDF/ipaca/vlv#allrevokedorrevokedexpiredcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#caallpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#cacompletepkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#cacompleterevocationpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#carevocationpkitomcatindex.db
    ./WEING-ASDF/ipaca/nsds5ReplConflict.db
    ./WEING-ASDF/ipaca/vlv#capendingpkitomcatindex.db
    ./WEING-ASDF/ipaca/id2entry.db
    ./WEING-ASDF/ipaca/entryrdn.db
    ./WEING-ASDF/ipaca/parentid.db
    ./WEING-ASDF/ipaca/entryUUID.db
    ./WEING-ASDF/ipaca/objectclass.db
    ./WEING-ASDF/ipaca/uid.db
    ./WEING-ASDF/ipaca/mail.db
    ./WEING-ASDF/ipaca/nsuniqueid.db
    ./WEING-ASDF/ipaca/seeAlso.db
    ./WEING-ASDF/ipaca/entryusn.db
    ./WEING-ASDF/ipaca/aci.db
    ./WEING-ASDF/ipaca/cn.db
    ./WEING-ASDF/ipaca/sn.db
    ./WEING-ASDF/ipaca/uniquemember.db
    ./WEING-ASDF/ipaca/numsubordinates.db
    ./WEING-ASDF/ipaca/ancestorid.db
    ./WEING-ASDF/ipaca/DBVERSION
    ./WEING-ASDF/ipaca/nscpEntryDN.db
    ./WEING-ASDF/ipaca/replication_changelog.db
    ./WEING-ASDF/ipaca/serialno.db
    ./WEING-ASDF/ipaca/description.db
    ./WEING-ASDF/ipaca/issuedby.db
    ./WEING-ASDF/ipaca/certstatus.db
    ./WEING-ASDF/ipaca/dateOfCreate.db
    ./WEING-ASDF/ipaca/extension.db
    ./WEING-ASDF/ipaca/publicKeyData.db
    ./WEING-ASDF/ipaca/issuername.db
    ./WEING-ASDF/ipaca/subjectname.db
    ./WEING-ASDF/ipaca/duration.db
    ./WEING-ASDF/ipaca/notafter.db
    ./WEING-ASDF/ipaca/notbefore.db
    ./WEING-ASDF/ipaca/metaInfo.db
    ./WEING-ASDF/ipaca/revokedOn.db
    ./WEING-ASDF/ipaca/revokedby.db
    ./WEING-ASDF/ipaca/revInfo.db
    ./WEING-ASDF/ipaca/requesttype.db
    ./WEING-ASDF/ipaca/requeststate.db
    ./WEING-ASDF/ipaca/nsTombstoneCSN.db
    ./WEING-ASDF/ipaca/vlv#allcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allnonrevokedcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allvalidcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allrevokedcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allrevokedcertsnotafterpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#cacompleteenrollmentpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#caenrollmentpkitomcatindex.db
    ./WEING-ASDF/ipaca/member.db
    ./WEING-ASDF/ipaca/owner.db
    ./WEING-ASDF/ipaca/requestid.db
    ./WEING-ASDF/ipaca/acmeExpires.db
    ./WEING-ASDF/ipaca/vlv#capendingenrollmentpkitomcatindex.db
    ./WEING-ASDF/changelog/
    ./WEING-ASDF/changelog/DBVERSION
    ./WEING-ASDF/changelog/id2entry.db
    ./WEING-ASDF/changelog/entryrdn.db
    ./WEING-ASDF/changelog/nsuniqueid.db
    ./WEING-ASDF/changelog/objectclass.db
    ./WEING-ASDF/changelog/cn.db
    ./WEING-ASDF/changelog/entryUUID.db
    ./WEING-ASDF/changelog/entryusn.db
    ./WEING-ASDF/changelog/ancestorid.db
    ./WEING-ASDF/changelog/changenumber.db
    ./WEING-ASDF/changelog/targetuniqueid.db
    ./WEING-ASDF/changelog/parentid.db
    ./WEING-ASDF/changelog/numsubordinates.db
    ./WEING-ASDF/changelog/aci.db
    ./WEING-ASDF/changelog/seeAlso.db
    ./WEING-ASDF/log.0000000010
    ./WEING-ASDF/DBVERSION
    ./WEING-ASDF/dse_instance.ldif
    ./WEING-ASDF/dse_index.ldif
    ./files.tar

What got backed up in the ipa-data folder?

  • Contents collapsed because they are long
    [root@idm backup]# cd ipa-data-2023-03-07-12-46-46/
    [root@idm ipa-data-2023-03-07-12-46-46]# ll
    total 2164
    -rw-r--r--. 1 root root     157 Mar  7 12:46 header
    -rw-r--r--. 1 root root 2211289 Mar  7 12:46 ipa-data.tar
    [root@idm ipa-data-2023-03-07-12-46-46]# cat header
    [ipa]
    type = DATA
    time = 2023-03-07T03:46:43
    host = idm.weing.asdf
    ipa_version = 4.10.0
    version = 1
    services = KDC,KPASSWD,HTTP,OTPD,KEYS,CA,DNS,DNSKeySync
    [root@idm ipa-data-2023-03-07-12-46-46]# tar tf ipa-data.tar 
    ./
    ./WEING-ASDF-ipaca.ldif
    ./WEING-ASDF-userRoot.ldif
    ./WEING-ASDF/
    ./WEING-ASDF/userRoot/
    ./WEING-ASDF/userRoot/ipauniqueid.db
    ./WEING-ASDF/userRoot/ipaSubUidNumber.db
    ./WEING-ASDF/userRoot/ipaCASubjectDN.db
    ./WEING-ASDF/userRoot/fqdn.db
    ./WEING-ASDF/userRoot/displayname.db
    ./WEING-ASDF/userRoot/description.db
    ./WEING-ASDF/userRoot/givenName.db
    ./WEING-ASDF/userRoot/hostCategory.db
    ./WEING-ASDF/userRoot/idnsName.db
    ./WEING-ASDF/userRoot/seealso.db
    ./WEING-ASDF/userRoot/ipakrbprincipalalias.db
    ./WEING-ASDF/userRoot/ipalocation.db
    ./WEING-ASDF/userRoot/krbPrincipalName.db
    ./WEING-ASDF/userRoot/numsubordinates.db
    ./WEING-ASDF/userRoot/ancestorid.db
    ./WEING-ASDF/userRoot/replication_changelog.db
    ./WEING-ASDF/userRoot/id2entry.db
    ./WEING-ASDF/userRoot/entryrdn.db
    ./WEING-ASDF/userRoot/parentid.db
    ./WEING-ASDF/userRoot/nsds5ReplConflict.db
    ./WEING-ASDF/userRoot/ipaConfigString.db
    ./WEING-ASDF/userRoot/aci.db
    ./WEING-ASDF/userRoot/entryusn.db
    ./WEING-ASDF/userRoot/entryUUID.db
    ./WEING-ASDF/userRoot/cn.db
    ./WEING-ASDF/userRoot/objectclass.db
    ./WEING-ASDF/userRoot/uidnumber.db
    ./WEING-ASDF/userRoot/nsOsVersion.db
    ./WEING-ASDF/userRoot/uid.db
    ./WEING-ASDF/userRoot/ipaAnchorUUID.db
    ./WEING-ASDF/userRoot/serverhostname.db
    ./WEING-ASDF/userRoot/macAddress.db
    ./WEING-ASDF/userRoot/nsTombstoneCSN.db
    ./WEING-ASDF/userRoot/sn.db
    ./WEING-ASDF/userRoot/nscpEntryDN.db
    ./WEING-ASDF/userRoot/ipServicePort.db
    ./WEING-ASDF/userRoot/memberPrincipal.db
    ./WEING-ASDF/userRoot/ipaNTTrustPartner.db
    ./WEING-ASDF/userRoot/memberservice.db
    ./WEING-ASDF/userRoot/memberOf.db
    ./WEING-ASDF/userRoot/nsuniqueid.db
    ./WEING-ASDF/userRoot/memberUser.db
    ./WEING-ASDF/userRoot/nsHardwarePlatform.db
    ./WEING-ASDF/userRoot/ou.db
    ./WEING-ASDF/userRoot/nsHostLocation.db
    ./WEING-ASDF/userRoot/member.db
    ./WEING-ASDF/userRoot/memberHost.db
    ./WEING-ASDF/userRoot/userCertificate.db
    ./WEING-ASDF/userRoot/uniquemember.db
    ./WEING-ASDF/userRoot/krbPasswordExpiration.db
    ./WEING-ASDF/userRoot/mail.db
    ./WEING-ASDF/userRoot/managedby.db
    ./WEING-ASDF/userRoot/memberallowcmd.db
    ./WEING-ASDF/userRoot/krbCanonicalName.db
    ./WEING-ASDF/userRoot/automountMapName.db
    ./WEING-ASDF/userRoot/accessRuleType.db
    ./WEING-ASDF/userRoot/ipaMemberCertProfile.db
    ./WEING-ASDF/userRoot/ipaEnabledFlag.db
    ./WEING-ASDF/userRoot/memberManager.db
    ./WEING-ASDF/userRoot/ipaNTSecurityIdentifier.db
    ./WEING-ASDF/userRoot/ipaallowedtarget.db
    ./WEING-ASDF/userRoot/ipaMemberCa.db
    ./WEING-ASDF/userRoot/ipaSubGidNumber.db
    ./WEING-ASDF/userRoot/gidnumber.db
    ./WEING-ASDF/userRoot/ipaOwner.db
    ./WEING-ASDF/userRoot/automountkey.db
    ./WEING-ASDF/userRoot/ipaKrbAuthzData.db
    ./WEING-ASDF/userRoot/l.db
    ./WEING-ASDF/userRoot/DBVERSION
    ./WEING-ASDF/userRoot/owner.db
    ./WEING-ASDF/userRoot/manager.db
    ./WEING-ASDF/userRoot/secretary.db
    ./WEING-ASDF/userRoot/sourcehost.db
    ./WEING-ASDF/userRoot/memberdenycmd.db
    ./WEING-ASDF/userRoot/ipasudorunas.db
    ./WEING-ASDF/userRoot/ipasudorunasgroup.db
    ./WEING-ASDF/userRoot/ipatokenradiusconfiglink.db
    ./WEING-ASDF/userRoot/ipaassignedidview.db
    ./WEING-ASDF/userRoot/ipaidpconfiglink.db
    ./WEING-ASDF/ipaca/
    ./WEING-ASDF/ipaca/vlv#allrevokedorrevokedexpiredcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#caallpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#cacompletepkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#cacompleterevocationpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#carevocationpkitomcatindex.db
    ./WEING-ASDF/ipaca/nsds5ReplConflict.db
    ./WEING-ASDF/ipaca/vlv#capendingpkitomcatindex.db
    ./WEING-ASDF/ipaca/id2entry.db
    ./WEING-ASDF/ipaca/entryrdn.db
    ./WEING-ASDF/ipaca/parentid.db
    ./WEING-ASDF/ipaca/entryUUID.db
    ./WEING-ASDF/ipaca/objectclass.db
    ./WEING-ASDF/ipaca/uid.db
    ./WEING-ASDF/ipaca/mail.db
    ./WEING-ASDF/ipaca/nsuniqueid.db
    ./WEING-ASDF/ipaca/seeAlso.db
    ./WEING-ASDF/ipaca/entryusn.db
    ./WEING-ASDF/ipaca/aci.db
    ./WEING-ASDF/ipaca/cn.db
    ./WEING-ASDF/ipaca/sn.db
    ./WEING-ASDF/ipaca/uniquemember.db
    ./WEING-ASDF/ipaca/numsubordinates.db
    ./WEING-ASDF/ipaca/ancestorid.db
    ./WEING-ASDF/ipaca/DBVERSION
    ./WEING-ASDF/ipaca/nscpEntryDN.db
    ./WEING-ASDF/ipaca/replication_changelog.db
    ./WEING-ASDF/ipaca/serialno.db
    ./WEING-ASDF/ipaca/description.db
    ./WEING-ASDF/ipaca/issuedby.db
    ./WEING-ASDF/ipaca/certstatus.db
    ./WEING-ASDF/ipaca/dateOfCreate.db
    ./WEING-ASDF/ipaca/extension.db
    ./WEING-ASDF/ipaca/publicKeyData.db
    ./WEING-ASDF/ipaca/issuername.db
    ./WEING-ASDF/ipaca/subjectname.db
    ./WEING-ASDF/ipaca/duration.db
    ./WEING-ASDF/ipaca/notafter.db
    ./WEING-ASDF/ipaca/notbefore.db
    ./WEING-ASDF/ipaca/metaInfo.db
    ./WEING-ASDF/ipaca/revokedOn.db
    ./WEING-ASDF/ipaca/revokedby.db
    ./WEING-ASDF/ipaca/revInfo.db
    ./WEING-ASDF/ipaca/requesttype.db
    ./WEING-ASDF/ipaca/requeststate.db
    ./WEING-ASDF/ipaca/nsTombstoneCSN.db
    ./WEING-ASDF/ipaca/vlv#allcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allnonrevokedcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allvalidcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allrevokedcertspkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#allrevokedcertsnotafterpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#cacompleteenrollmentpkitomcatindex.db
    ./WEING-ASDF/ipaca/vlv#caenrollmentpkitomcatindex.db
    ./WEING-ASDF/ipaca/member.db
    ./WEING-ASDF/ipaca/owner.db
    ./WEING-ASDF/ipaca/requestid.db
    ./WEING-ASDF/ipaca/acmeExpires.db
    ./WEING-ASDF/ipaca/vlv#capendingenrollmentpkitomcatindex.db
    ./WEING-ASDF/changelog/
    ./WEING-ASDF/changelog/DBVERSION
    ./WEING-ASDF/changelog/id2entry.db
    ./WEING-ASDF/changelog/entryrdn.db
    ./WEING-ASDF/changelog/nsuniqueid.db
    ./WEING-ASDF/changelog/objectclass.db
    ./WEING-ASDF/changelog/cn.db
    ./WEING-ASDF/changelog/entryUUID.db
    ./WEING-ASDF/changelog/entryusn.db
    ./WEING-ASDF/changelog/ancestorid.db
    ./WEING-ASDF/changelog/changenumber.db
    ./WEING-ASDF/changelog/targetuniqueid.db
    ./WEING-ASDF/changelog/parentid.db
    ./WEING-ASDF/changelog/numsubordinates.db
    ./WEING-ASDF/changelog/aci.db
    ./WEING-ASDF/changelog/seeAlso.db
    ./WEING-ASDF/log.0000000011
    ./WEING-ASDF/DBVERSION
    ./WEING-ASDF/dse_instance.ldif
    ./WEING-ASDF/dse_index.ldif

So what is the difference between the two?

[root@idm backup]# diff full.txt data.txt
161c161
< ./WEING-ASDF/log.0000000010
---
> ./WEING-ASDF/log.0000000011
165d164
< ./files.tar

The full backup has one extra file: files.tar.

Let's take a look at what is inside files.tar.

  • Contents abbreviated because they are long
    [root@idm ipa-full-2023-03-07-12-45-49]# tar xvf ipa-full.tar ./files.tar
    ./files.tar
    [root@idm ipa-full-2023-03-07-12-45-49]# tar tf files.tar
    usr/share/ipa/html/
    usr/share/ipa/html/ssbrowser.html
    usr/share/ipa/html/unauthorized.html
    usr/share/ipa/html/krb5.ini
    usr/share/ipa/html/krb.con
    usr/share/ipa/html/krbrealm.con
    usr/share/ipa/html/ca.crt
    etc/pki/pki-tomcat/
    etc/pki/pki-tomcat/password.conf
    etc/pki/pki-tomcat/tomcat.conf
    etc/pki/pki-tomcat/server.xml
    etc/pki/pki-tomcat/catalina.properties
    etc/pki/pki-tomcat/context.xml
    etc/pki/pki-tomcat/logging.properties
    etc/pki/pki-tomcat/web.xml
    etc/pki/pki-tomcat/Catalina/
    etc/pki/pki-tomcat/Catalina/localhost/
    etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
    etc/pki/pki-tomcat/Catalina/localhost/pki.xml
    etc/pki/pki-tomcat/Catalina/localhost/ca.xml
    etc/pki/pki-tomcat/Catalina/localhost/acme.xml
    etc/pki/pki-tomcat/ca/
    etc/pki/pki-tomcat/ca/registry.cfg
    etc/pki/pki-tomcat/ca/emails/
    etc/pki/pki-tomcat/ca/emails/ExpiredUnpublishJob
    etc/pki/pki-tomcat/ca/emails/ExpiredUnpublishJobItem
    etc/pki/pki-tomcat/ca/emails/certIssued_CA
    etc/pki/pki-tomcat/ca/emails/certIssued_CA.html
    etc/pki/pki-tomcat/ca/emails/certIssued_RA
    etc/pki/pki-tomcat/ca/emails/certIssued_RA.html
    etc/pki/pki-tomcat/ca/emails/certRequestRejected.html
    etc/pki/pki-tomcat/ca/emails/certRevoked_CA
    etc/pki/pki-tomcat/ca/emails/certRevoked_CA.html
    etc/pki/pki-tomcat/ca/emails/certRevoked_RA
    etc/pki/pki-tomcat/ca/emails/certRevoked_RA.html
    etc/pki/pki-tomcat/ca/emails/euJob1.html
    etc/pki/pki-tomcat/ca/emails/euJob1Item.html
    etc/pki/pki-tomcat/ca/emails/publishCerts.html
    etc/pki/pki-tomcat/ca/emails/publishCertsItem.html
    etc/pki/pki-tomcat/ca/emails/reqInQueue_CA
    etc/pki/pki-tomcat/ca/emails/reqInQueue_CA.html
    etc/pki/pki-tomcat/ca/emails/reqInQueue_RA
    etc/pki/pki-tomcat/ca/emails/reqInQueue_RA.html
    etc/pki/pki-tomcat/ca/emails/riq1Item.html
    etc/pki/pki-tomcat/ca/emails/riq1Summary.html
    etc/pki/pki-tomcat/ca/emails/rnJob1.txt
    etc/pki/pki-tomcat/ca/emails/rnJob1Item.txt
    etc/pki/pki-tomcat/ca/emails/rnJob1Summary.txt
    etc/pki/pki-tomcat/ca/profiles/
    etc/pki/pki-tomcat/ca/profiles/ca/
    etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caFullCMCUserSignedCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/DomainController.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenMSLoginEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/ECAdminCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/acmeServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTransportCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caAdminCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caAgentServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthAuditSigningCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caAuditSigningCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCACert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCECUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthDRMstorageCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCECserverCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCECsubsystemCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCauditSigningCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCcaCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caEncECUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCcaIssuanceProtectionCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCkraStorageCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCkraTransportCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCocspCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCserverCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCMCsubsystemCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caSSLClientSelfRenewal.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caServerCertWithSCT.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caDirUserRenewal.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECAdminCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECAgentServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caSigningECUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECDirPinUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECDirUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECFullCMCSharedTokenCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECFullCMCUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caFullCMCUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECFullCMCUserSignedCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caFullCMCSharedTokenCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECInternalAuthServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECInternalAuthSubsystemCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caSimpleCMCUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECServerCertWithSCT.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caStorageCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECSimpleCMCUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caSubsystemCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECSubsystemCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caECUserCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTempTokenUserEncryptionKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthServerCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caOCSPCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthSubsystemCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthTransportCert.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caManualRenewal.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenDeviceKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserAuthKeyRenewal.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserDelegateAuthKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserDelegateSigningKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
    etc/pki/pki-tomcat/ca/profiles/ca/caTokenUserSigningKeyRenewal.cfg
    etc/pki/pki-tomcat/ca/flatfile.txt
    etc/pki/pki-tomcat/ca/adminCert.profile
    etc/pki/pki-tomcat/ca/caAuditSigningCert.profile
    etc/pki/pki-tomcat/ca/caCert.profile
    etc/pki/pki-tomcat/ca/caOCSPCert.profile
    etc/pki/pki-tomcat/ca/serverCert.profile
    etc/pki/pki-tomcat/ca/subsystemCert.profile
    etc/pki/pki-tomcat/ca/proxy.conf
    etc/pki/pki-tomcat/ca/archives/
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230302003505
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230302003548
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230302003621
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230302003940
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304021146
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304021314
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304024720
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304025747
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304170225
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304171421
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230304173406
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230305184201
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230305185625
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230305202652
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230305212124
    etc/pki/pki-tomcat/ca/archives/CS.cfg.bak.20230307123138
    etc/pki/pki-tomcat/ca/CS.cfg.ipabkp
    etc/pki/pki-tomcat/ca/CS.cfg
    etc/pki/pki-tomcat/ca/CS.cfg.bak
    etc/pki/pki-tomcat/alias/
    etc/pki/pki-tomcat/alias/pkcs11.txt
    etc/pki/pki-tomcat/alias/cert9.db
    etc/pki/pki-tomcat/alias/key4.db
    etc/pki/pki-tomcat/alias/ca.crt
    etc/pki/pki-tomcat/alias/pwdfile.txt
    etc/pki/pki-tomcat/serverCertNick.conf
    etc/pki/pki-tomcat/catalina.policy
    etc/pki/pki-tomcat/acme/
    etc/pki/pki-tomcat/acme/database.conf
    etc/pki/pki-tomcat/acme/issuer.conf
    etc/pki/pki-tomcat/acme/realm.conf
    etc/pki/pki-tomcat/acme/configsources.conf
    etc/pki/pki-tomcat/acme/engine.conf
    etc/pki/pki-tomcat/dogtag.keytab
    etc/pki/pki-tomcat/dogtag.keys
    etc/sysconfig/pki/
    etc/sysconfig/pki/tomcat/
    etc/sysconfig/pki/tomcat/pki-tomcat/
    etc/sysconfig/pki/tomcat/pki-tomcat/ca/
    etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg
    etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
    etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest
    etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
    var/lib/pki/
    var/lib/pki/pki-tomcat/
    var/lib/pki/pki-tomcat/ca/
    var/lib/pki/pki-tomcat/ca/emails
    var/lib/pki/pki-tomcat/ca/profiles
    var/lib/pki/pki-tomcat/ca/conf
    var/lib/pki/pki-tomcat/ca/logs
    var/lib/pki/pki-tomcat/ca/registry
    var/lib/pki/pki-tomcat/ca/alias
    var/lib/pki/pki-tomcat/lib
    var/lib/pki/pki-tomcat/common/
    var/lib/pki/pki-tomcat/common/lib
    var/lib/pki/pki-tomcat/temp/
    var/lib/pki/pki-tomcat/work/
    var/lib/pki/pki-tomcat/work/Catalina/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/_/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ca/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/apache/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/apache/jsp/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/apache/jsp/index_jsp.java
    var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/apache/jsp/index_jsp.class
    var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/apache/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/apache/jsp/
    var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/apache/jsp/index_jsp.java
    var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/apache/jsp/index_jsp.class
    var/lib/pki/pki-tomcat/work/Catalina/localhost/acme/
    var/lib/pki/pki-tomcat/bin
    var/lib/pki/pki-tomcat/conf
    var/lib/pki/pki-tomcat/logs
    var/lib/pki/pki-tomcat/alias
    var/lib/pki/pki-tomcat/webapps/
    var/lib/ipa/sysrestore/
    var/lib/ipa/sysrestore/sysrestore.state
    var/lib/ipa/sysrestore/e66d28f0a164b1517b13f98cfeefd60c71a46ab49aa70cdd981361e55b31a047-default.conf
    var/lib/ipa/sysrestore/sysrestore.index
    var/lib/ipa/sysrestore/eaad41ccb5fe439c7bebd16746a86374cb86c5920e1915136e12755adb216e24-kdc.conf
    var/lib/ipa/sysrestore/7a55978313194a26a7ae964ee95d2e0b89bbfcf162ed86e7d1a8c38462131e1b-krb5.conf
    var/lib/ipa/sysrestore/475fbab9e854489eee0963f49f700cfc2da856e3976dc8cb36ccae8b773d1a8f-freeipa
    var/lib/ipa/sysrestore/edf95267244d57b6c953ea3ad197c12e2e342e237d2b31d2d75e5aeac3e06e03-krb5kdc
    var/lib/ipa/sysrestore/8b7d01de850a9575be2ec45f3919a4c0c03e469307ec045d320fe78b82c8b96c-default.conf
    var/lib/ipa/sysrestore/c12f09eda85f55cc678d02b74d448b3768d3492c79fe7c93130b36da3c525e11-ssl.conf
    var/lib/ipa/sysrestore/65ca2c20c31531ee50a0ed69d887ad8a9b2e1dcbace516b01a875e146f5ec547-default.conf
    var/lib/ipa/sysrestore/3d0f726b82c7121961de26e561fea3a23864178ed0008b0de375d64964eb23b5-named.conf
    var/lib/ipa/sysrestore/05a2d05613360ec04d3762914546c9bd0c9427aa9831ca98c9a32ed362ec1e3d-resolv.conf
    var/lib/ipa/sysrestore/8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816-named
    var/lib/ipa/sysrestore/38b1375c82e7b25c5af71b8e0898413111dceac8fb28e899d6310004c71c3de5-hosts
    var/lib/ipa/sysrestore/87d8af1962c4a8984825d3a967595829c2c41347d67a690041e3e357c37e1090-named.keytab
    var/lib/ipa/sysrestore/56958b6a6ae89c1d0a99ba7f315d14007897a0e9e4288c77c6a73b5d28e812ca-named
    var/lib/ipa-client/sysrestore/
    var/lib/ipa-client/sysrestore/sysrestore.state
    var/lib/ipa-client/sysrestore/b0cff1b2c2462042a47027701d94c8d104190b26b83fe2de78d3c1c8a7bb4a19-chrony.conf
    var/lib/ipa-client/sysrestore/sysrestore.index
    var/lib/ipa-client/sysrestore/3bea281bbd267ed31c02249d9ce4c7659d764c6c36b0f0c81a39e4c810236eb2-ldap.conf
    var/lib/ipa-client/sysrestore/6856a9a191223cf56d55ba932ab0d69308618273205be3f4f4646051792d7eee-ssh_config
    var/lib/ipa-client/sysrestore/4ea32326a179469529c2905630c6d61eb3ffa518e09112390de61096b00da0d9-sshd_config
    var/lib/ipa-client/sysrestore/87fa5619a6494774d5ea569df972a95691974cfed439f1e0f0e8dcb54cac5cb4-krb5.conf
    var/lib/ipa/dnssec/
    var/lib/ipa/dnssec/tokens/
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/token.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/token.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/generation
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/0e86181c-1bfe-f1df-a3e0-1fffa217ae9d.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/0e86181c-1bfe-f1df-a3e0-1fffa217ae9d.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/a1dcc710-5772-189c-52e3-93b3bba8e10e.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/a1dcc710-5772-189c-52e3-93b3bba8e10e.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/906ed4a8-2df1-0b7d-3e82-d4916ef33cf3.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/906ed4a8-2df1-0b7d-3e82-d4916ef33cf3.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/bf73b18b-e3d8-d042-bebb-505b4ef591a0.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/bf73b18b-e3d8-d042-bebb-505b4ef591a0.lock
    var/lib/ipa/dnssec/softhsm_pin
    var/lib/sss/pubconf/krb5.include.d/
    var/lib/sss/pubconf/krb5.include.d/localauth_plugin
    var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
    var/lib/sss/pubconf/krb5.include.d/domain_realm_weing_asdf
    var/lib/certmonger/
    var/lib/certmonger/cas/
    var/lib/certmonger/cas/20230301151415
    var/lib/certmonger/cas/20230301151415-1
    var/lib/certmonger/cas/20230301151415-2
    var/lib/certmonger/cas/20230301151415-3
    var/lib/certmonger/cas/20230301153637
    var/lib/certmonger/cas/20230301153638
    var/lib/certmonger/cas/20230301153638-1
    var/lib/certmonger/cas/20230305110634
    var/lib/certmonger/cas/20230305110634-1
    var/lib/certmonger/cas/20230305110634-2
    var/lib/certmonger/cas/20230305110634-3
    var/lib/certmonger/local/
    var/lib/certmonger/local/lock
    var/lib/certmonger/local/serial
    var/lib/certmonger/local/creds
    var/lib/certmonger/requests/
    var/lib/certmonger/requests/20230301152813
    var/lib/certmonger/requests/20230301152839
    var/lib/certmonger/requests/20230301153642
    var/lib/certmonger/requests/20230301153647
    var/lib/certmonger/requests/20230301153651
    var/lib/certmonger/requests/20230301153655
    var/lib/certmonger/requests/20230301153700
    var/lib/certmonger/requests/20230301153701
    var/lib/certmonger/requests/20230301153916
    var/lib/certmonger/requests/20230301153917
    var/lib/certmonger/requests/20230301153918
    var/lib/certmonger/requests/20230301153919
    var/lib/certmonger/requests/20230301154004
    var/lib/certmonger/lock
    var/lib/ipa/
    var/lib/ipa/certs/
    var/lib/ipa/certs/httpd.crt
    var/lib/ipa/gssproxy/
    var/lib/ipa/gssproxy/http.keytab
    var/lib/ipa/passwds/
    var/lib/ipa/passwds/idm.weing.asdf-443-RSA
    var/lib/ipa/pki-ca/
    var/lib/ipa/pki-ca/publish/
    var/lib/ipa/private/
    var/lib/ipa/private/httpd.key
    var/lib/ipa/sysrestore/
    var/lib/ipa/sysrestore/sysrestore.state
    var/lib/ipa/sysrestore/e66d28f0a164b1517b13f98cfeefd60c71a46ab49aa70cdd981361e55b31a047-default.conf
    var/lib/ipa/sysrestore/sysrestore.index
    var/lib/ipa/sysrestore/eaad41ccb5fe439c7bebd16746a86374cb86c5920e1915136e12755adb216e24-kdc.conf
    var/lib/ipa/sysrestore/7a55978313194a26a7ae964ee95d2e0b89bbfcf162ed86e7d1a8c38462131e1b-krb5.conf
    var/lib/ipa/sysrestore/475fbab9e854489eee0963f49f700cfc2da856e3976dc8cb36ccae8b773d1a8f-freeipa
    var/lib/ipa/sysrestore/edf95267244d57b6c953ea3ad197c12e2e342e237d2b31d2d75e5aeac3e06e03-krb5kdc
    var/lib/ipa/sysrestore/8b7d01de850a9575be2ec45f3919a4c0c03e469307ec045d320fe78b82c8b96c-default.conf
    var/lib/ipa/sysrestore/c12f09eda85f55cc678d02b74d448b3768d3492c79fe7c93130b36da3c525e11-ssl.conf
    var/lib/ipa/sysrestore/65ca2c20c31531ee50a0ed69d887ad8a9b2e1dcbace516b01a875e146f5ec547-default.conf
    var/lib/ipa/sysrestore/3d0f726b82c7121961de26e561fea3a23864178ed0008b0de375d64964eb23b5-named.conf
    var/lib/ipa/sysrestore/05a2d05613360ec04d3762914546c9bd0c9427aa9831ca98c9a32ed362ec1e3d-resolv.conf
    var/lib/ipa/sysrestore/8f8eff846667b7811358e289e9fe594de17d0e47f2b8cebf7840ad8db7f34816-named
    var/lib/ipa/sysrestore/38b1375c82e7b25c5af71b8e0898413111dceac8fb28e899d6310004c71c3de5-hosts
    var/lib/ipa/sysrestore/87d8af1962c4a8984825d3a967595829c2c41347d67a690041e3e357c37e1090-named.keytab
    var/lib/ipa/sysrestore/56958b6a6ae89c1d0a99ba7f315d14007897a0e9e4288c77c6a73b5d28e812ca-named
    var/lib/ipa/sysupgrade/
    var/lib/ipa/sysupgrade/sysupgrade.state
    var/lib/ipa/ra-agent.pem
    var/lib/ipa/ra-agent.key
    var/lib/ipa/dnssec/
    var/lib/ipa/dnssec/tokens/
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/token.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/token.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/generation
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/0e86181c-1bfe-f1df-a3e0-1fffa217ae9d.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/0e86181c-1bfe-f1df-a3e0-1fffa217ae9d.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/a1dcc710-5772-189c-52e3-93b3bba8e10e.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/a1dcc710-5772-189c-52e3-93b3bba8e10e.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/906ed4a8-2df1-0b7d-3e82-d4916ef33cf3.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/906ed4a8-2df1-0b7d-3e82-d4916ef33cf3.lock
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/bf73b18b-e3d8-d042-bebb-505b4ef591a0.object
    var/lib/ipa/dnssec/tokens/ac49eba6-b7bf-29de-cce5-ba7a02524bf0/bf73b18b-e3d8-d042-bebb-505b4ef591a0.lock
    var/lib/ipa/dnssec/softhsm_pin
    var/lib/ipa/auth_backup/
    var/lib/ipa/auth_backup/authselect.backup
    run/dirsrv/
    run/lock/dirsrv/
    run/lock/dirsrv/slapd-WEING-ASDF/
    run/lock/dirsrv/slapd-WEING-ASDF/server/
    run/lock/dirsrv/slapd-WEING-ASDF/exports/
    run/lock/dirsrv/slapd-WEING-ASDF/imports/
    etc/dirsrv/slapd-WEING-ASDF/
    etc/dirsrv/slapd-WEING-ASDF/schema/
    etc/dirsrv/slapd-WEING-ASDF/schema/99user.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60kerberos.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60samba.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60ipaconfig.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60basev2.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60basev3.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60basev4.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60ipapk11.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60ipadns.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/60certificate-profiles.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/61kerberos-ipav3.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/65ipacertstore.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/65ipasudo.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/70ipaotp.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/70topology.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/71idviews.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/72domainlevels.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/73certmap.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/15rfc2307bis.ldif
    etc/dirsrv/slapd-WEING-ASDF/schema/15rfc4876.ldif
    etc/dirsrv/slapd-WEING-ASDF/slapd-collations.conf
    etc/dirsrv/slapd-WEING-ASDF/noise.txt
    etc/dirsrv/slapd-WEING-ASDF/pwdfile.txt.orig
    etc/dirsrv/slapd-WEING-ASDF/cert9.db.orig
    etc/dirsrv/slapd-WEING-ASDF/pkcs11.txt.orig
    etc/dirsrv/slapd-WEING-ASDF/key4.db
    etc/dirsrv/slapd-WEING-ASDF/pin.txt.orig
    etc/dirsrv/slapd-WEING-ASDF/certmap.conf
    etc/dirsrv/slapd-WEING-ASDF/pkcs11.txt
    etc/dirsrv/slapd-WEING-ASDF/key4.db.orig
    etc/dirsrv/slapd-WEING-ASDF/pwdfile.txt
    etc/dirsrv/slapd-WEING-ASDF/cert9.db
    etc/dirsrv/slapd-WEING-ASDF/pin.txt
    etc/dirsrv/slapd-WEING-ASDF/dse.ldif.startOK
    etc/dirsrv/slapd-WEING-ASDF/dse.ldif.bak
    etc/dirsrv/slapd-WEING-ASDF/dse.ldif
    var/lib/dirsrv/slapd-WEING-ASDF/
    var/lib/dirsrv/slapd-WEING-ASDF/bak/
    var/lib/dirsrv/slapd-WEING-ASDF/db/
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipauniqueid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaSubUidNumber.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaCASubjectDN.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/fqdn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/displayname.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/description.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/givenName.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/hostCategory.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/idnsName.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/seealso.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipakrbprincipalalias.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipalocation.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/krbPrincipalName.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/numsubordinates.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ancestorid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/replication_changelog.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/id2entry.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/entryrdn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/parentid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nsds5ReplConflict.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaConfigString.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/aci.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/entryusn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/entryUUID.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/cn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/objectclass.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/uidnumber.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nsOsVersion.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/uid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaAnchorUUID.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/serverhostname.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/macAddress.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nsTombstoneCSN.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/sn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nscpEntryDN.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipServicePort.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberPrincipal.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaNTTrustPartner.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberservice.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberOf.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nsuniqueid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberUser.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nsHardwarePlatform.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ou.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/nsHostLocation.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/member.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberHost.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/userCertificate.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/uniquemember.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/krbPasswordExpiration.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/mail.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/managedby.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberallowcmd.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/krbCanonicalName.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/automountMapName.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/accessRuleType.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaMemberCertProfile.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaEnabledFlag.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberManager.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaNTSecurityIdentifier.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaallowedtarget.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaMemberCa.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaSubGidNumber.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/gidnumber.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaOwner.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/automountkey.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaKrbAuthzData.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/l.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/DBVERSION
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/owner.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/manager.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/secretary.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/sourcehost.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/memberdenycmd.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipasudorunas.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipasudorunasgroup.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipatokenradiusconfiglink.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaassignedidview.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/userRoot/ipaidpconfiglink.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allrevokedorrevokedexpiredcertspkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#caallpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#cacompletepkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#cacompleterevocationpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#carevocationpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/nsds5ReplConflict.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#capendingpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/id2entry.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/entryrdn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/parentid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/entryUUID.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/objectclass.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/uid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/mail.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/nsuniqueid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/seeAlso.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/entryusn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/aci.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/cn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/sn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/uniquemember.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/numsubordinates.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/ancestorid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/DBVERSION
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/nscpEntryDN.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/replication_changelog.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/serialno.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/description.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/issuedby.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/certstatus.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/dateOfCreate.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/extension.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/publicKeyData.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/issuername.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/subjectname.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/duration.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/notafter.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/notbefore.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/metaInfo.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/revokedOn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/revokedby.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/revInfo.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/requesttype.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/requeststate.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/nsTombstoneCSN.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allcertspkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allnonrevokedcertspkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allvalidcertspkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allvalidcertsnotafterpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allvalidorrevokedcertspkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allrevokedcertspkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#allrevokedcertsnotafterpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#cacompleteenrollmentpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#caenrollmentpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/member.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/owner.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/requestid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/acmeExpires.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/ipaca/vlv#capendingenrollmentpkitomcatindex.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/DBVERSION
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/id2entry.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/entryrdn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/nsuniqueid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/objectclass.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/cn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/entryUUID.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/entryusn.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/ancestorid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/changenumber.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/targetuniqueid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/parentid.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/numsubordinates.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/aci.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/changelog/seeAlso.db
    var/lib/dirsrv/slapd-WEING-ASDF/db/log.0000000010
    var/lib/dirsrv/slapd-WEING-ASDF/db/guardian
    var/lib/dirsrv/slapd-WEING-ASDF/ldif/
    etc/named.conf
    etc/named/ipa-ext.conf
    etc/named/ipa-options-ext.conf
    etc/named/ipa-logging-ext.conf
    etc/named.keytab
    etc/resolv.conf
    etc/sysconfig/pki-tomcat
    etc/sysconfig/krb5kdc
    etc/sysconfig/ipa-dnskeysyncd
    etc/sysconfig/ipa-ods-exporter
    etc/sysconfig/named
    etc/sysconfig/ods
    etc/ipa/nssdb/pwdfile.txt
    etc/pki/ca-trust/source/ipa.p11-kit
    etc/authselect/user-nsswitch.conf
    etc/krb5.keytab
    etc/sssd/sssd.conf
    etc/openldap/ldap.conf
    etc/security/limits.conf
    var/lib/ipa/gssproxy/http.keytab
    etc/ipa/kdcproxy/ipa-kdc-proxy.conf
    etc/httpd/conf.d/ipa-pki-proxy.conf
    etc/httpd/conf.d/ipa-rewrite.conf
    etc/httpd/conf.d/ssl.conf
    etc/httpd/conf.d/ssl.conf
    var/lib/ipa/certs/httpd.crt
    var/lib/ipa/private/httpd.key
    etc/httpd/conf.d/ipa.conf
    etc/ssh/sshd_config
    etc/ssh/sshd_config.d/04-ipa.conf
    etc/ssh/ssh_config
    etc/krb5.conf
    var/lib/ipa-client/pki/kdc-ca-bundle.pem
    var/lib/ipa-client/pki/ca-bundle.pem
    etc/ipa/ca.crt
    etc/ipa/default.conf
    etc/dirsrv/ds.keytab
    etc/chrony.conf
    var/lib/ipa/ra-agent.pem
    var/lib/ipa/ra-agent.key
    root/cacert.p12
    var/kerberos/krb5kdc/kdc.conf
    var/kerberos/krb5kdc/kdc.crt
    var/kerberos/krb5kdc/kdc.key
    var/kerberos/krb5kdc/cacert.pem
    etc/systemd/system/multi-user.target.wants/ipa.service
    etc/systemd/system/httpd.service.d/ipa.conf
    etc/systemd/system/multi-user.target.wants/sssd.service
    etc/systemd/system/multi-user.target.wants/certmonger.service
    etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
    etc/opendnssec/conf.xml
    etc/opendnssec/kasp.xml
    etc/opendnssec/zonelist.xml
    var/opendnssec/kasp.db
    etc/ipa/dnssec/openssl.cnf
    etc/ipa/dnssec/softhsm2.conf
    etc/ipa/dnssec/softhsm_pin_so
    etc/ipa/dnssec/ipa-dnskeysyncd.keytab
    etc/ipa/custodia/server.keys
    etc/ipa/custodia/custodia.conf
    etc/gssproxy/10-ipa.conf
    etc/hosts
    etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
    etc/NetworkManager/conf.d/zzz-ipa.conf
    etc/ipa/nssdb/cert9.db
    etc/ipa/nssdb/key4.db
    etc/ipa/nssdb/pkcs11.txt
    etc/pkcs11/modules/softhsm2.module
    etc/tmpfiles.d/dirsrv-WEING-ASDF.conf
    etc/systemd/system/dirsrv@WEING-ASDF.service.d/ipa-env.conf
    var/lib/ipa/passwds/idm.weing.asdf-443-RSA
    var/log/pki/pki-tomcat/
    var/log/pki/pki-tomcat/ca/
    var/log/pki/pki-tomcat/ca/signedAudit/
    var/log/pki/pki-tomcat/ca/archive/

Truly, from the Tomcat configuration to krb5, the CA service and everything else: with just this one file you can restore the backup onto a machine that has nothing on it.

To restore an IdM backup, use the ipa-restore command. Note that you pass the backup directory itself, not the tar file inside it.

[root@idm slapd-WEING-ASDF]# ipa-restore /var/lib/ipa/backup/ipa-data-2023-03-07-12-46-46
Directory Manager (existing master) password: 

Preparing restore from /var/lib/ipa/backup/ipa-data-2023-03-07-12-46-46 on idm.weing.asdf
directory server instance is not running
The ipa-restore command failed. See /var/log/iparestore.log for more information

[root@idm backup]# ipa-restore /var/lib/ipa/backup/ipa-data-2023-03-07-12-46-46/ipa-data.tar 
Usage: ipa-restore [options] backup

ipa-restore: error: must provide path to backup directory
The ipa-restore command failed.
[root@idm backup]# ipa-restore /var/lib/ipa/backup/ipa-data-2023-03-07-12-46-46
Directory Manager (existing master) password: 

Preparing restore from /var/lib/ipa/backup/ipa-data-2023-03-07-12-46-46 on idm.weing.asdf
Performing DATA restore from DATA backup
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Stopping Directory Server
Restoring from userRoot in WEING-ASDF
Restoring from ipaca in WEING-ASDF
Starting Directory Server
Restoring umask to 18
The ipa-restore command was successful

Perfect~


How to restore dse.ldif file on IPA in RHEL 7 if it get corrupted
dse.ldif file has been corrupted in IPA running on RHEL7. Failed to restart ipactl service.
https://access.redhat.com/solutions/4038551

I referred to this knowledge base article.

Occasionally, after a reboot, the ipa service fails to start.

[root@idm lana]# journalctl -u dirsrv@WEING-ASDF
Mar 07 12:20:58 idm.weing.asdf systemd[1]: Starting 389 Directory Server WEING-ASDF....
Mar 07 12:20:58 idm.weing.asdf ds_systemd_ask_password_acl[1492]: grep: /etc/dirsrv/slapd-WEING-ASDF/dse.ldif: No such file or directory
Mar 07 12:20:58 idm.weing.asdf ds_selinux_restorecon.sh[1497]: grep: /etc/dirsrv/slapd-WEING-ASDF/dse.ldif: No such file or directory
Mar 07 12:20:58 idm.weing.asdf ns-slapd[1499]: [07/Mar/2023:12:20:58.512363988 +0900] - INFO - dse_check_file - The config /etc/dirsrv/slapd-WEING-ASDF/dse.ldif can not be accessed. A>
Mar 07 12:20:58 idm.weing.asdf ns-slapd[1499]: [07/Mar/2023:12:20:58.512921710 +0900] - ERR - dse_check_file - The backup file /etc/dirsrv/slapd-WEING-ASDF/dse.ldif.bak has zero lengt>
Mar 07 12:20:58 idm.weing.asdf ns-slapd[1499]: [07/Mar/2023:12:20:58.513035487 +0900] - ERR - slapd_bootstrap_config - No valid configurations can be accessed! You must restore /etc/d>
Mar 07 12:20:58 idm.weing.asdf ns-slapd[1499]: [07/Mar/2023:12:20:58.513094506 +0900] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-WEING-ASDF could not be r>
Mar 07 12:20:58 idm.weing.asdf systemd[1]: dirsrv@WEING-ASDF.service: Main process exited, code=exited, status=1/FAILURE
Mar 07 12:20:58 idm.weing.asdf systemd[1]: dirsrv@WEING-ASDF.service: Failed with result 'exit-code'.
Mar 07 12:20:58 idm.weing.asdf systemd[1]: Failed to start 389 Directory Server WEING-ASDF..

It says the directory service could not start because the /etc/dirsrv/slapd-WEING-ASDF/dse.ldif file could not be found.

[root@idm lana]# cd /etc/dirsrv/slapd-WEING-ASDF/
[root@idm slapd-WEING-ASDF]# ll
total 760
-rw-r-----. 1 dirsrv root    28672 Mar  2 00:28 cert9.db
-rw-------. 1 dirsrv root    28672 Mar  2 00:23 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1744 Mar  2 00:29 certmap.conf
-rw-------. 1 dirsrv dirsrv      0 Mar  7 02:50 dse.ldif.bak
-rw-------. 1 dirsrv root   177023 Mar  2 00:40 dse.ldif.ipa.800fb5728c226300
-rw-rw----. 1 dirsrv root   200450 Mar  2 00:40 dse.ldif.modified.out
-rw-------. 1 dirsrv dirsrv 212043 Mar  6 17:08 dse.ldif.startOK
-rw-r-----. 1 dirsrv root    36864 Mar  2 00:28 key4.db
-rw-------. 1 dirsrv root    36864 Mar  2 00:23 key4.db.orig
-rw-------. 1 dirsrv root      257 Mar  2 00:23 noise.txt
-r--------. 1 dirsrv dirsrv     67 Mar  2 00:28 pin.txt
-rw-------. 1 dirsrv root       91 Mar  2 00:23 pin.txt.orig
-rw-r-----. 1 dirsrv dirsrv    561 Mar  7 02:49 pkcs11.txt
-rw-------. 1 dirsrv root      435 Mar  2 00:23 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Mar  2 00:28 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Mar  2 00:28 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Mar  7 02:49 schema
-r--r-----. 1 dirsrv dirsrv  15142 Mar  2 00:23 slapd-collations.conf
[root@idm slapd-WEING-ASDF]#

dse.ldif is gone, and dse.ldif.bak is 0 bytes.

If a backup exists, it can be restored with the IPA backup/restore command (ipa-restore).

But what if there is no backup? Do you have to set up replication all over again?

However, FreeIPA prepares for exactly this situation: each time the directory server starts normally, it saves a dse.ldif.startOK copy.

So recover from that file.

[root@idm slapd-WEING-ASDF]# rm dse.ldif dse.ldif.ipa.800fb5728c226300 dse.ldif.modified.out 
rm: remove regular file 'dse.ldif'? y
rm: remove regular file 'dse.ldif.ipa.800fb5728c226300'? y
rm: remove regular file 'dse.ldif.modified.out'? y
[root@idm slapd-WEING-ASDF]# cp -a dse.ldif.startOK dse.ldif
[root@idm slapd-WEING-ASDF]# ipactl restart
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@idm slapd-WEING-ASDF]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@idm slapd-WEING-ASDF]# systemctl status dirsrv@WEING-ASDF
● dirsrv@WEING-ASDF.service - 389 Directory Server WEING-ASDF.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
             └─custom.conf
             /etc/systemd/system/dirsrv@WEING-ASDF.service.d
             └─ipa-env.conf
     Active: active (running) since Tue 2023-03-07 13:28:12 KST; 37min ago
    Process: 1490 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-WEING-ASDF/dse.ldif (code=exited, status=0/SUCCESS)
    Process: 1495 ExecStartPre=/usr/libexec/dirsrv/ds_selinux_restorecon.sh /etc/dirsrv/slapd-WEING-ASDF/dse.ldif (code=exited, status=0/SUCCESS)
   Main PID: 1500 (ns-slapd)
     Status: "slapd started: Ready to process requests"
      Tasks: 36 (limit: 16968)
     Memory: 374.5M
        CPU: 26.929s
     CGroup: /system.slice/system-dirsrv.slice/dirsrv@WEING-ASDF.service
             └─1500 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-WEING-ASDF -i /run/dirsrv/slapd-WEING-ASDF.pid

Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.086041162 +0900] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=co>
Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.091697912 +0900] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attri>
Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.093645175 +0900] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=w>
Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.129747110 +0900] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.133202706 +0900] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.134485450 +0900] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Mar 07 13:28:12 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:12.135441732 +0900] - INFO - slapd_daemon - Listening on /run/slapd-WEING-ASDF.socket for LDAPI requests
Mar 07 13:28:12 idm.weing.asdf systemd[1]: Started 389 Directory Server WEING-ASDF..
Mar 07 13:28:17 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:17.162099070 +0900] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=weing,>
Mar 07 13:28:17 idm.weing.asdf ns-slapd[1500]: [07/Mar/2023:13:28:17.166470450 +0900] - ERR - schema-compat-plugin - Finished plugin initialization.
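As an added example (not from the post and not part of FreeIPA or 389-ds), a shell function that automates the recovery above with the checks a practitioner would want first: it refuses to copy a dse.ldif.startOK that is empty or is not a cn=config LDIF, and it moves the broken files aside instead of deleting them. The instance directory is passed in as an argument; the demo at the bottom runs on a constructed scratch directory, not on a live instance.

```shell
#!/bin/sh
# restore_dse_ldif INSTANCE_DIR
# Recovers dse.ldif from the dse.ldif.startOK copy when the live config is
# missing or zero length, after checking that the startOK copy is usable.
# Returns 0 = restored, 1 = nothing to do, 2 = refused (startOK unusable).
restore_dse_ldif() {
    dir=$1
    cfg="$dir/dse.ldif"
    good="$dir/dse.ldif.startOK"

    if [ -s "$cfg" ]; then
        echo "$cfg is present and non-empty; nothing to do"
        return 1
    fi
    # A missing or zero-length startOK is the same failure the log reports
    # for dse.ldif.bak ("has zero length"): refuse rather than copy it.
    if [ ! -s "$good" ]; then
        echo "refusing: $good is missing or zero length" >&2
        return 2
    fi
    # The first entry of a 389-ds config is always dn: cn=config.
    if ! grep -q '^dn: cn=config$' "$good"; then
        echo "refusing: $good does not contain a cn=config entry" >&2
        return 2
    fi
    # Move the broken files aside instead of rm'ing them, so they are still
    # there for a post-mortem of why dse.ldif disappeared.
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$cfg" "$cfg.bak"; do
        if [ -e "$f" ]; then mv "$f" "$f.broken.$stamp"; fi
    done
    # cp -a keeps the dirsrv:dirsrv owner and 0600 mode of the startOK copy.
    cp -a "$good" "$cfg"
    echo "restored $cfg from $good; run 'ipactl restart' next"
    return 0
}

# Demo on a constructed scratch directory that mirrors the listing above:
# no dse.ldif, an empty dse.ldif.bak and a non-empty dse.ldif.startOK.
d=$(mktemp -d)
: > "$d/dse.ldif.bak"
printf 'dn: cn=config\nobjectClass: top\ncn: config\n' > "$d/dse.ldif.startOK"
restore_dse_ldif "$d" || echo "rc=$?"    # restored
restore_dse_ldif "$d" || echo "rc=$?"    # nothing to do, rc=1
rm -rf "$d"
```

On a real instance the function is run as root against /etc/dirsrv/slapd-<INSTANCE>, and the ipactl restart from the post follows it.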



When you want to create one certificate to be used in several places, including media.nas.weing.asdf:

Under Services → HTTP/<hostname>, add the names that should serve as Subject Alternative Names (in my case, a wildcard).

Likewise, those names must also be in the certificate itself.

ipa-getcert request \
-K HTTP/$(hostname -f) \
-k /data/system/cert/ipa-web-key.pem \
-f /data/system/cert/ipa-web-cert.pem \
-g 2048 \
-N $(hostname -f) \
-D "*.$(hostname -f)" \
-X web

Request the certificate with the command above.

-K is the name of the service or host the certificate is issued for.

-f is where the certificate file is written.

-k is where the key file is written.

-g is the RSA key size in bits.

-N sets the certificate's subject name; if omitted, the host's FQDN becomes the subject name.

-D adds a Subject Alternative Name.

-X selects the certificate authority; if omitted, ipa is used.
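As an added example (not from the post and not from certmonger or IPA), shell checks to run once ipa-getcert has written the files: does the certificate's SAN list cover a name such as media.nas.weing.asdf, and does the -k key file belong to the -f certificate. The openssl commands, the file names and the self-signed sample certificate are assumptions standing in for the IPA-issued pair; the demo host name is constructed.

```shell
#!/bin/sh
# Post-issuance checks for the files ipa-getcert writes (paths are assumed).
# cert_covers_name CERT NAME: succeeds when CERT's subjectAltName list covers
# NAME literally (DNS:name) or through a one-label wildcard (DNS:*.parent).
cert_covers_name() {
    cert=$1; name=$2; parent=${name#*.}
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    # Read line by line: an unquoted for-loop would glob-expand "*.host".
    while IFS= read -r san; do
        if [ "$san" = "$name" ]; then return 0; fi
        if [ "$san" = "*.$parent" ] && [ "$parent" != "$name" ]; then
            return 0
        fi
    done <<EOF
$sans
EOF
    return 1
}

# key_matches_cert KEY CERT: the -k key file must be the private half of the
# public key inside the -f certificate; compare both public keys as PEM.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# make_sample_cert DIR HOST: constructed stand-in for the IPA-issued pair,
# a self-signed certificate with the same CN and SAN shape (host, *.host)
# so the checks above run offline. Not what ipa-getcert produces.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:*.$2" \
        -keyout "$1/ipa-web-key.pem" -out "$1/ipa-web-cert.pem" >/dev/null 2>&1
}

# Demo with a constructed host name; media.nas.weing.asdf is the name the
# post wants to cover, a.b.nas.weing.asdf needs a second label and is not.
d=$(mktemp -d); make_sample_cert "$d" nas.weing.asdf
for n in nas.weing.asdf media.nas.weing.asdf a.b.nas.weing.asdf; do
    if cert_covers_name "$d/ipa-web-cert.pem" "$n"; then
        echo "covered:     $n"
    else
        echo "NOT covered: $n"
    fi
done
key_matches_cert "$d/ipa-web-key.pem" "$d/ipa-web-cert.pem" && echo "key matches"
rm -rf "$d"
```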


