<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 04/30/2012 07:50 PM, David Copperfield wrote:
<blockquote
cite="mid:1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><span>I think the problem is figured out, though the solution
is not easy. Would someone please open a bug for this
problem. <br>
</span></div>
<div><br>
<span></span></div>
<div><span>Another close question to ask: Does this mean the
IPA PKI/CA system is still in its beta/alpha stage, and is
better avoided in production IPA deployments? <br>
</span></div>
</div>
</blockquote>
<br>
I don't know about from an IPA perspective, but DogTag has been in
heavy duty commercial deployment for over a decade.<br>
<br>
<blockquote
cite="mid:1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><span><br>
</span></div>
<div><span>I've seen messages and Q/A on the mailing lists of 389 Directory
Server and freeIPA much, much more often than for Dogtag. </span><span>If
so, I can use --selfsign to install IPA masters and replicas
now, and wait until Dogtag is mature enough, because
this IPA solution is the core of our business authentication
and authorization, and so I have been asked several times to
make it reliable and easy to maintain. Otherwise the admin
official would rather keep the existing Kerberos+OpenLDAP
solution, which is time proven. <br>
</span></div>
<div><br>
</div>
<div>Now the problem debugging is attached below:</div>
<div><br>
<span></span></div>
<div><span>[root@ipaclient09 scripts-EXAMPLE-COM]# sh -x
./db2ldif -n ipaca</span></div>
<div><span>...</span></div>
<div><span>+ ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM
-a
/var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-ipaca-2012_04_30_183403.ldif
-n ipaca<br>
[30/Apr/2012:18:34:03 -0700] -
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif:
nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid
value "8192", maximum file descriptors must range from 1 to
1024 (the current process limit). Server will use a setting
of 1024.<br>
[30/Apr/2012:18:34:03 -0700] - Config Warning: -
nsslapd-maxdescriptors: invalid value "8192", maximum file
descriptors must range from 1 to 1024 (the current process
limit). Server will use a setting of 1024.<br>
[30/Apr/2012:18:34:03 -0700] - ERROR: Could not find backend
'ipaca'</span></div>
<div><br>
<span></span></div>
<div><span>but when I run ns-slapd directly, with the config of the
slapd-PKI-IPA backend, then it works and an ldif backup file
is created.<br>
</span></div>
<div><br>
<span></span></div>
<div><span>[root@ipaclient09 scripts-EXAMPLE-COM]#
/usr/sbin/ns-slapd db2ldif -D /etc/dirsrv/slapd-PKI-IPA -a
/var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
-n ipaca<br>
ldiffile:
/var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif<br>
[30/Apr/2012:18:37:54 -0700] - export ipaca: Processed 63
entries (100%).<br>
[30/Apr/2012:18:37:54 -0700] - All database threads now
stopped<br>
[root@ipaclient09 scripts-PEGACLOUDS-COM]# ls -alF
/var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif<br>
-rw-------. 1 pkisrv dirsrv 125567 Apr 30 18:37
/var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif<br>
[root@ipaclient09 scripts-EXAMPLE-COM]#</span></div>
</div>
</blockquote>
<br>
It is because slapd-PKI-IPA is a separate 389 instance, and the
scripts are very much instance specific - you cannot use the scripts
in /var/lib/dirsrv/slapd-DOMAIN to manage /etc/dirsrv/slapd-PKI-IPA,
nor can you use the scripts in /usr/lib64/dirsrv/slapd-PKI-IPA to
manage /etc/dirsrv/slapd-DOMAIN.<br>
<br>
<blockquote
cite="mid:1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><br>
<span></span></div>
<div><span>And inside the script db2ldif, it is found that the code
is hard-coded to the user/group/netgroup LDAP backend
already, which breaks backup/restore for the PKI-IPA LDAP.</span></div>
</div>
</blockquote>
See above<br>
<blockquote
cite="mid:1335837035.46314.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:12pt">
<div><br>
<span></span></div>
<div><span>[root@ipaclient09 scripts-EXAMPLE-COM]# grep PKI
/var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif<br>
[root@ipaclient09 scripts-EXAMPLE-COM]# grep EXAMPLE
/var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif<br>
echo
/var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-`date
+%Y_%m_%d_%H%M%S`.ldif<br>
echo
/var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-${be}-`date
+%Y_%m_%d_%H%M%S`.ldif<br>
./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM "$@"<br>
./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a
$ldif_file "$@"<br>
[root@ipaclient09 scripts-EXAMPLE-COM]#</span></div>
<div><br>
<span></span></div>
<div>--David<br>
<span></span></div>
<div style="font-family: times new roman, new york, times,
serif; font-size: 12pt;">
<div style="font-family: times new roman, new york, times,
serif; font-size: 12pt;">
<div dir="ltr"> <font face="Arial" size="2">
<hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
David Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a><br>
<b><span style="font-weight: bold;">To:</span></b> Rich
Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Monday, April 30, 2012 6:01 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [Freeipa-users] Confused/lost at promoting a replica
into a master<br>
</font> </div>
<br>
<div id="yiv422922142">
<div>
<div
style="color:#000;background-color:#fff;font-family:times
new roman, new york, times, serif;font-size:12pt;">
<div><span>Hi Rich and all,</span></div>
<div><br>
<span></span></div>
<div><span> the '-n ipaca' option doesn't work for the CA
certificate LDAP backend.</span></div>
<div><br>
<span></span></div>
<div><span>[root@ipslave scripts-PEGACLOUDS-COM]# pwd<br>
/var/lib/dirsrv/scripts-PEGACLOUDS-COM</span></div>
<div><span>[root@ipaslave scripts-PEGACLOUDS-COM]# ls
../<br>
scripts-PEGACLOUDS-COM slapd-PEGACLOUDS-COM
slapd-PKI-IPA</span></div>
<div><span><br>
</span></div>
<div><span>[root@ipaslave scripts-PEGACLOUDS-COM]#
./db2ldif -n ipaca<br>
Exported ldif file:
/var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-ipaca-2012_04_30_175927.ldif<br>
...<br>
[30/Apr/2012:17:59:27 -0700] - ERROR: Could not
find backend 'ipaca'.<br>
[root@ipaslave scripts-PEGACLOUDS-COM]# <br>
</span></div>
<div><br>
</div>
<div>--David<br>
<span></span></div>
<div style="font-family:times new roman, new york,
times, serif;font-size:12pt;">
<div style="font-family:times new roman, new york,
times, serif;font-size:12pt;">
<div dir="ltr"> <font face="Arial" size="2">
<hr size="1"> <b><span
style="font-weight:bold;">From:</span></b>
Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
<b><span style="font-weight:bold;">To:</span></b>
David Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
<b><span style="font-weight:bold;">Cc:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a> <br>
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, April 30, 2012 5:38 PM<br>
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [Freeipa-users] Confused/lost at promoting
a replica into a master<br>
</font> </div>
<br>
<div id="yiv422922142">
<div> On 04/30/2012 05:52 PM, David Copperfield
wrote:
<blockquote type="cite">
<div style="color:rgb(0, 0,
0);background-color:rgb(255, 255,
255);font-family:times new roman, new
york, times, serif;font-size:12pt;">
<div><span>Hi Rich and all,<br>
</span></div>
<div><span><br>
</span></div>
<div><span>Thank you a lot for pointing
out the place of the scripts. <br>
</span></div>
<div><span><br>
</span></div>
<div><span>The scripts are found at the
place specified and tried; they are
working great in general, but there
are still some places that need help:<br>
</span></div>
<div><br>
<span></span></div>
<div><span>1, there is no manual or help
regarding the command options. Not
sure where the normal usage could be
looked up.</span></div>
<div><br>
<span></span></div>
<div><span>[root@ipamaster
scripts-PEGACLOUDS-COM]# man db2ldif</span><br>
<span>No manual entry for db2ldif</span></div>
<div><br>
<span>[root@ipamaster
scripts-PEGACLOUDS-COM]# ./db2ldif
--help</span><br>
<span>Usage: db2ldif {-n
backend_instance}* | {-s
includesuffix}*</span><br>
<span> [{-x
excludesuffix}*] [-a outputfile]</span><br>
<span> [-N] [-r] [-C] [-u]
[-U] [-m] [-M] [-1]</span><br>
<span>Note: either "-n backend_instance"
or "-s includesuffix" is required.</span><br>
<span>[root@ipamaster
scripts-PEGACLOUDS-COM]# </span><br>
</div>
</div>
</blockquote>
<a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Command_Line_Scripts.html">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Command_Line_Scripts.html</a><br>
<br>
In general - you can use the .pl scripts when
the server is running, the non-.pl
scripts when the server is down. So, use ldif2db.pl
to do an online import.<br>
<br>
Also, with ipa, you can use -n userRoot or -n
ipaca depending on if this is the ipa instance
or the CA instance.<br>
<blockquote type="cite">
<div style="color:rgb(0, 0,
0);background-color:rgb(255, 255,
255);font-family:times new roman, new
york, times, serif;font-size:12pt;">
<div><span></span><span><br>
</span></div>
<div><span>2, what is the 'official' way to
increase file descriptors for IPA
&amp; 389 Directory Server?</span></div>
<div><br>
<span></span></div>
<div><span>[root@ipamaster
scripts-PEGACLOUDS-COM]# ./db2ldif -s
'dc=pegaclouds,dc=com'</span></div>
<div><span>Exported ldif file:
/var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_164542.ldif<br>
[30/Apr/2012:16:45:42 -0700] -
/etc/dirsrv/slapd-PEGACLOUDS-COM/dse.ldif:
nsslapd-maxdescriptors:
nsslapd-maxdescriptors: invalid value
"8192", maximum file descriptors must
range from 1 to 1024 (the current
process limit). Server will use a
setting of 1024.<br>
[30/Apr/2012:16:45:42 -0700] - Config
Warning: - nsslapd-maxdescriptors:
invalid value "8192", maximum file
descriptors must range from 1 to 1024
(the current process limit). Server
will use a setting of 1024.<br>
...<br>
</span></div>
</div>
</blockquote>
<br>
db2ldif doesn't use file descriptors in the
same way as the server does when it is using
them to listen and service incoming
connections - just ignore that message<br>
<br>
<blockquote type="cite">
<div style="color:rgb(0, 0,
0);background-color:rgb(255, 255,
255);font-family:times new roman, new
york, times, serif;font-size:12pt;">
<div><span><br>
</span></div>
<div>3, the ldif2db command will abort
when IPA (Directory Server) is running. <br>
</div>
<div><br>
</div>
<div> I have to stop IPA first, then run
ldif2db, and fire up IPA at the end. It
may not be a bad thing, to avoid
potential database corruption. But
please confirm whether this is a feature
or a bug.<br>
<span></span></div>
<div><br>
<span></span></div>
<div><span>[root@ipamaster
scripts-PEGACLOUDS-COM]# ./ldif2db -s
'dc=pegaclouds,dc=com' -i
/var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_163506.ldif
<br>
importing data ...<br>
...<br>
[30/Apr/2012:16:50:00 -0700] - Backend
Instance: userRoot<br>
[30/Apr/2012:16:50:00 -0700] - Unable
to import the database because it is
being used by another slapd process.<br>
[30/Apr/2012:16:50:00 -0700] -
Shutting down due to possible
conflicts with other slapd processes<br>
</span></div>
</div>
</blockquote>
<br>
Use ldif2db.pl<br>
<br>
<blockquote type="cite">
<div
style="color:#000;background-color:#fff;font-family:times
new roman, new york, times,
serif;font-size:12pt;">
<div><br>
</div>
<div>Thanks.</div>
<div><br>
</div>
<div>--David<br>
<span></span></div>
<div><span></span></div>
<div><br>
</div>
<div style="font-family:times new roman,
new york, times, serif;font-size:12pt;">
<div style="font-family:times new roman,
new york, times,
serif;font-size:12pt;">
<div dir="ltr"> <font face="Arial"
size="2">
<hr size="1"> <b><span
style="font-weight:bold;">From:</span></b>
Rich Megginson <a
moz-do-not-send="true"
rel="nofollow"
class="yiv422922142moz-txt-link-rfc2396E"
ymailto="mailto:rmeggins@redhat.com" target="_blank"
href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
<b><span style="font-weight:bold;">To:</span></b>
David Copperfield <a
moz-do-not-send="true"
rel="nofollow"
class="yiv422922142moz-txt-link-rfc2396E"
ymailto="mailto:cao2dan@yahoo.com" target="_blank"
href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a>
<br>
<b><span style="font-weight:bold;">Cc:</span></b>
E Deon Lackey <a
moz-do-not-send="true"
rel="nofollow"
class="yiv422922142moz-txt-link-rfc2396E"
ymailto="mailto:dlackey@redhat.com" target="_blank"
href="mailto:dlackey@redhat.com"><dlackey@redhat.com></a>;
<a moz-do-not-send="true"
rel="nofollow"
class="yiv422922142moz-txt-link-rfc2396E"
ymailto="mailto:freeipa-users@redhat.com" target="_blank"
href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a moz-do-not-send="true"
rel="nofollow"
class="yiv422922142moz-txt-link-rfc2396E"
ymailto="mailto:freeipa-users@redhat.com" target="_blank"
href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>
<br>
<b><span style="font-weight:bold;">Sent:</span></b>
Monday, April 30, 2012 4:23 PM<br>
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [Freeipa-users] Confused/lost
at promoting a replica into a
master<br>
</font> </div>
<br>
<div id="yiv422922142">
<div> On 04/30/2012 04:58 PM, David
Copperfield wrote:
<blockquote type="cite">
<div style="color:rgb(0, 0,
0);background-color:rgb(255,
255, 255);font-family:times
new roman, new york, times,
serif;font-size:12pt;">Hi,<br>
<br>
><br>
<div style="font-family:times
new roman, new york, times,
serif;font-size:12pt;">
<div
style="font-family:times
new roman, new york,
times,
serif;font-size:12pt;">
<div id="yiv422922142">
<div> > Currently,
there is no disaster
recovery or backup
information. There are
a couple of RFEs open
to develop this
information. My
understanding (and
this is something that
<br>
> Dmitri or one of
the engineers can
explain better) is
that the best thing to
do is to back up the
DS instances using
db2ldif and then spin
up a new
server/replica
instance and <br>
> import the backed
up data using ldif2db.<br>
<br>
Thanks for pointing
out a way to do
partial
backup/restore.<br>
<br>
But the command
db2ldif, or its
sibling command
ldif2db, cannot be
located on the IPA
master/replica.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
look in
/var/lib/dirsrv/scripts-YOURDOMAIN-YOURTLD<br>
<br>
<blockquote type="cite">
<div
style="color:#000;background-color:#fff;font-family:times
new roman, new york, times,
serif;font-size:12pt;">
<div style="font-family:times
new roman, new york, times,
serif;font-size:12pt;">
<div
style="font-family:times
new roman, new york,
times,
serif;font-size:12pt;">
<div id="yiv422922142">
<div>The IPA servers
only install the
389-ds-base and
389-ds-base-libs RPMs,
and the two commands
don't show up
anywhere. <br>
<br>
Could anyone elaborate
on how to use the two
template commands, or
just point me to the
document or http
link(s); that is enough.
Thanks a lot.<br>
<br>
<div
style="margin-left:40px;">[root@ipamaster
script-templates]#
rpm -qa | grep 389<br>
389-ds-base-1.2.9.14-1.el6_2.2.x86_64<br>
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64<br>
<br>
[root@ipamaster
script-templates]#
rpm -ql 389-ds-base
389-ds-base-libs |
grep -P
'db2ldif|ldif2db'<br>
/usr/share/dirsrv/script-templates/template-db2ldif<br>
/usr/share/dirsrv/script-templates/template-db2ldif.pl<br>
/usr/share/dirsrv/script-templates/template-ldif2db<br>
/usr/share/dirsrv/script-templates/template-ldif2db.pl<br>
[root@ipamaster
script-templates]# <br>
</div>
<br>
--David<br>
<br>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset
class="yiv422922142mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" rel="nofollow" class="yiv422922142moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" rel="nofollow" class="yiv422922142moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</blockquote>
<br>
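<p>The practical rule in this thread is that every 389 DS instance (the domain instance and the separate slapd-PKI-IPA instance) has its own generated scripts directory, its own backend name (userRoot versus ipaca), and a different tool depending on whether ns-slapd is up (the .pl scripts online, the plain ones offline). The script below is an added example that is not part of the thread, of 389-ds-base or of FreeIPA: it derives those three things from the instance's own dse.ldif instead of guessing, and refuses to build a db2ldif/ldif2db command for a backend the instance does not define, which is the "Could not find backend 'ipaca'" failure above. It assumes the 389-ds-base 1.2.x layout visible in the thread (/etc/dirsrv/slapd-&lt;INSTANCE&gt;/dse.ldif and /var/lib/dirsrv/scripts-&lt;INSTANCE&gt;/) plus a pid file at /var/run/dirsrv/slapd-&lt;INSTANCE&gt;.pid, which is an assumption; the DIRSRV_ETC, DIRSRV_VAR and DIRSRV_RUN overrides are introduced here only so the functions can be exercised against a throwaway tree.</p>

```shell
#!/bin/sh
# Added example (not from the thread, not part of 389-ds or FreeIPA).
# Assumed 389-ds-base 1.2.x / FreeIPA 2.x layout:
#   config   : /etc/dirsrv/slapd-<INSTANCE>/dse.ldif
#   scripts  : /var/lib/dirsrv/scripts-<INSTANCE>/{db2ldif,db2ldif.pl,ldif2db,ldif2db.pl}
#   pid file : /var/run/dirsrv/slapd-<INSTANCE>.pid   (assumption)
# DIRSRV_ETC, DIRSRV_VAR and DIRSRV_RUN are overrides introduced here so the
# functions can be exercised against a throwaway directory tree.

# The scripts directory generated for one instance: the only scripts that
# may be used to export or import that instance.
scripts_dir() {
    printf '%s/scripts-%s\n' "${DIRSRV_VAR:-/var/lib/dirsrv}" "$1"
}

# Backend names defined in the instance's dse.ldif: the entries directly
# under cn=ldbm database,cn=plugins,cn=config, minus the plugin's own
# cn=config and cn=monitor entries. For an IPA domain instance this yields
# userRoot; for the slapd-PKI-IPA instance it yields ipaca.
list_backends() {
    dse="${DIRSRV_ETC:-/etc/dirsrv}/slapd-$1/dse.ldif"
    [ -r "$dse" ] || return 1
    sed -n 's/^dn: cn=\([^,]*\),cn=ldbm database,cn=plugins,cn=config$/\1/p' "$dse" \
        | grep -v -e '^config$' -e '^monitor$'
}

has_backend() {
    list_backends "$1" | grep -qxF "$2"
}

# A live ns-slapd holds the database, and the offline tools refuse to touch
# it ("Unable to import the database because it is being used by another
# slapd process"), so pick the .pl (online) variant when the pid is alive.
is_running() {
    pidfile="${DIRSRV_RUN:-/var/run/dirsrv}/slapd-$1.pid"
    [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# ds_cmd <db2ldif|ldif2db> <instance> <backend> [tool args...]
# Prints the command line to run, or fails when the backend is not defined
# in that instance (e.g. asking the domain instance's script for ipaca).
ds_cmd() {
    tool="$1"; inst="$2"; be="$3"; shift 3
    if ! has_backend "$inst" "$be"; then
        echo "slapd-$inst has no backend '$be'; defined: $(list_backends "$inst" | tr '\n' ' ')" >&2
        return 1
    fi
    if is_running "$inst"; then tool="$tool.pl"; fi
    printf '%s/%s -n %s' "$(scripts_dir "$inst")" "$tool" "$be"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Export every backend of every instance using that instance's own script.
backup_all() {
    for cfg in "${DIRSRV_ETC:-/etc/dirsrv}"/slapd-*; do
        [ -d "$cfg" ] || continue
        inst="${cfg##*/slapd-}"
        for be in $(list_backends "$inst"); do
            cmd="$(ds_cmd db2ldif "$inst" "$be")" || continue
            echo "+ $cmd"
            $cmd    # word splitting intended: instance names contain no spaces
        done
    done
}

if [ "${1:-}" = "--run" ]; then backup_all; fi
```

<p>Invoked with --run the script exports every backend of every instance it finds; without it, ds_cmd only prints the command it would run, so the instance, script variant and backend can be reviewed first. Note that the nsslapd-maxdescriptors warning that db2ldif prints when the process limit is below the configured value is not an error and does not stop the export.</p>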
</body>
</html>