-rw-r--r-- | ipaplatform/base/tasks.py | 15 | ||||
-rw-r--r-- | ipaplatform/redhat/authconfig.py | 6 | ||||
-rw-r--r-- | ipaplatform/redhat/tasks.py | 8 | ||||
-rw-r--r-- | ipaserver/install/ipa_backup.py | 4 | ||||
-rw-r--r-- | ipaserver/install/ipa_restore.py | 4 |
5 files changed, 37 insertions, 0 deletions
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 08fdb494a..65715145a 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -150,6 +150,21 @@ class BaseTaskNamespace(object):
 return
+ def backup_auth_configuration(self, path):
+ """
+ Create backup of access control configuration.
+ :param path: store the backup here. This will be passed to
+ restore_auth_configuration as well.
+ """
+ return
+
+ def restore_auth_configuration(self, path):
+ """
+ Restore backup of access control configuration.
+ :param path: restore the backup from here.
+ """
+ return
+
 def set_selinux_booleans(self, required_settings, backup_func=None):
 """Set the specified SELinux booleans
diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index 901eb5163..edefee8b2 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -84,3 +84,9 @@ class RedHatAuthConfig(object):
 args = self.build_args()
 ipautil.run(["/usr/sbin/authconfig"] + args)
+
+ def backup(self, path):
+ ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])
+
+ def restore(self, path):
+ ipautil.run(["/usr/sbin/authconfig", "--restorebackup", path])
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5f8832432..5ae2be16f 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -161,6 +161,14 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 auth_config.add_option("nostart")
 auth_config.execute()
+ def backup_auth_configuration(self, path):
+ auth_config = RedHatAuthConfig()
+ auth_config.backup(path)
+
+ def restore_auth_configuration(self, path):
+ auth_config = RedHatAuthConfig()
+ auth_config.restore(path)
+
 def reload_systemwide_ca_store(self):
 try:
 ipautil.run([paths.UPDATE_CA_TRUST])
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index b1f73d481..f2b23cd7a 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
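Review bot: The new docstrings on `BaseTaskNamespace.backup_auth_configuration` and `restore_auth_configuration` (ipaplatform/base/tasks.py) do not say that the base implementation is a deliberate no-op. On a platform that does not override them, the backup tool would presumably finish without saving any authentication configuration and without telling the operator. I would add a line such as `Platform-specific; the base implementation does nothing.` to both docstrings and state whether `path` names a file or a directory. The class body starts and ends outside this hunk.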
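Review bot: `RedHatAuthConfig.backup()` and `restore()` in ipaplatform/redhat/authconfig.py are added without docstrings, although `restore()` hands whatever `path` it receives to `authconfig --restorebackup`, which rewrites system authentication configuration. The docstring should state that `path` must be a location only root can write and that a failure of `ipautil.run` propagates to the caller; the same applies to the two thin wrappers added in ipaplatform/redhat/tasks.py. As a style point, `"/usr/sbin/authconfig"` now appears three times in this class, and a single module-level constant would keep the invocations in step. Passing `path` as its own list element rather than through a shell string is the right shape and worth keeping.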
@@ -41,6 +41,7 @@ from ipapython import ipaldap
 from ipalib.session import ISO8601_DATETIME_FMT
 from ipalib.constants import CACERT
 from ConfigParser import SafeConfigParser
+from ipaplatform.tasks import tasks
 """
 A test gpg can be generated like this:
@@ -302,6 +303,9 @@ class Backup(admintool.AdminTool):
 self.db2ldif(instance, 'userRoot', online=options.online)
 self.db2bak(instance, online=options.online)
 if not options.data_only:
+ # create backup of auth configuration
+ auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')
+ tasks.backup_auth_configuration(auth_backup_path)
 self.file_backup(options)
 self.finalize_backup(options.data_only, options.gpg, options.gpg_keyring)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index b69ea9000..0620d24df 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -386,6 +386,10 @@ class Restore(admintool.AdminTool):
 self.log.info('Starting Directory Server')
 dirsrv.start(capture_output=False)
 else:
+ # restore access controll configuration
+ auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')
+ if os.path.exists(auth_backup_path):
+ tasks.restore_auth_configuration(auth_backup_path)
 # explicitly enable then disable the pki tomcatd service to
 # re-register its instance. FIXME, this is really wierd.
 services.knownservices.pki_tomcatd.enable()
|
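Review bot: In `Backup` (ipaserver/install/ipa_backup.py), the `if not options.data_only:` branch writes the authconfig backup to the fixed path `paths.VAR_LIB_IPA/auth_backup` and nothing in the hunk removes it afterwards. A copy of the host's authentication configuration therefore appears to stay on disk after the archive is finalized, and a later run reuses the same directory. The hunk also does not show `auth_backup` being added to whatever `self.file_backup(options)` archives; if it is missing from that list, which is defined outside this hunk, the restore side has nothing to apply. I would confirm that the directory is in the archived set, is readable by root only, and is cleared before and after use, and record that in the comment, e.g. `# auth_backup must be in the archived dirs; stale copies are removed first`. The enclosing method starts and ends outside the hunk.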
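Review bot: In `Restore` (ipaserver/install/ipa_restore.py), the `os.path.exists(auth_backup_path)` test cannot tell a directory that came from the archive being restored from one left behind by an earlier `ipa-backup` run on the same host. Restoring an archive that predates this change could therefore apply stale PAM/nsswitch settings that do not belong to that backup, and when the directory is absent the step is skipped without any log line. I would log both outcomes, e.g. `self.log.info('Restoring auth configuration from %s', auth_backup_path)` with a matching message in an `else:`, and make sure the directory is cleared before the archive's files are extracted. This commit adds `from ipaplatform.tasks import tasks` only to ipa_backup.py, so it is worth confirming that `tasks` is already imported in ipa_restore.py. The new comment also misspells "control" as `controll`.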