<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/10/2012 04:37 PM, David Copperfield wrote:
<blockquote
cite="mid:1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><span>Hi Rich and all,</span></div>
<div><span><br>
</span></div>
<div><span>Thanks for the correction. They are the db2ldif.pl and
ldif2db.pl scripts, which are originally for 389 Directory
Server's backup and restore purposes. </span></div>
<div><span><br>
</span></div>
<div><span>There are no IPA tools for IPA system backup and
restore. </span>Is there a plan to develop tools like
ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it on the
IPA roadmap?</div>
<div><br>
</div>
<div>For the second question: I use the simple way: ipa
user-add/user-delete/user-find to see whether data is
propagated. My testing steps are like this:</div>
<div><br>
</div>
<div> 1, run 'ipa user-add testuser' on IPA replica, check it on
IPA master with 'ipa user-find testuser' and it is found in a
few seconds -- not 5 minutes.</div>
<div><br>
</div>
<div> 2, run 'db2ldif.pl' on IPA replica to save a backup.</div>
<div><br>
</div>
<div> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa
user-find' on IPA replica, and it shows that the user is
deleted.</div>
<div><br>
</div>
<div> 4, double check 'ipa user-find testuser' on IPA master,
and it is found deleted, which is as expected, and it is
propagated in just a few seconds.</div>
<div><br>
</div>
<div> 5, run 'ldif2db.pl' on the same IPA replica where the
backup was created.</div>
<div><br>
</div>
<div> 6, run 'ipa user-find testuser' on IPA replica and it is
found that the user testuser is alive again.</div>
<div><br>
7, run 'ipa user-find testuser' on IPA master. 1/3 of the times we
can find it -- and in just a few seconds. The other 2/3 of the times it
could not be found even after HALF AN HOUR.</div>
<div><br>
</div>
<div>Please run a quick duplicate test on your side and advise
what normal users should do, because a reliable backup/restore
solution is definitely one of the key criteria. Thanks a lot.</div>
<div><br>
</div>
</div>
</blockquote>
<br>
Ok, I see. The problem is that a regular db2ldif[.pl] does not save
the replication meta-data. You must use the -r option to generate
an ldif file with the replication meta-data. ldif2db[.pl] is
destructive - it wipes out your database completely and replaces it,
wiping out any replication meta-data in the process. If you
ldif2db[.pl] a file exported with db2ldif[.pl] -r, it will replace
the replication meta-data too.<br>
<br>
See
<a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line</a><br>
<br>
<blockquote
cite="mid:1336689471.66003.YahooMailNeo@web125701.mail.ne1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:12pt">
<div>--David</div>
<div><br>
</div>
<div style="font-size: 12pt; font-family: 'times new roman',
'new york', times, serif; ">
<div style="font-size: 12pt; font-family: 'times new roman',
'new york', times, serif; ">
<div dir="ltr"> <font face="Arial" size="2">
<hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
<b><span style="font-weight: bold;">To:</span></b> David
Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>; Rob Crittenden
<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>; Petr Spacek
<a class="moz-txt-link-rfc2396E" href="mailto:pspacek@redhat.com"><pspacek@redhat.com></a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Thursday, May 10, 2012 3:19 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [Freeipa-users] backup/restore IPA servers with
db2ldap.pl, ldap2db.pl ???<br>
</font> </div>
<br>
<div id="yiv344082320">
<div> On 05/10/2012 03:57 PM, David Copperfield wrote:
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255); font-size: 12pt; font-family:
'times new roman', 'new york', times, serif; ">
<div>Hi Rob, Petr and all,</div>
<div><br>
</div>
<div>Because of recent crashes of my IPA master and
IPA replica servers, I'm thinking of methods to
back up/restore IPA user data: users, groups, host
and server certificates etc. </div>
<div><br>
</div>
<div>It's said that the only official way is to
create an extra IPA replica and backup/snapshot
that replica all the way. But there is still a
big chance that some mistakes propagate to the
whole IPA domain/realm before the IPA
administrator finds them, and data gets lost forever
and some may not even be recoverable.</div>
<div><br>
</div>
<div>What I think is, because both Dogtag and IPA
store data in separate backend 389 directory servers,
I could first freeze changes on one IPA
replica for a few minutes, then run db2ldap.pl for both
389 LDAP backends, then un-freeze the IPA replica
to get synced from the master.</div>
<div><br>
</div>
<div> When data needs to be restored because of
disasters, the backup files (in LDIF format -- for
easy reading) can be restored to the two 389 LDAP
backends on the IPA replica with the command ldap2db.pl during
the freezing period.</div>
</div>
</blockquote>
<br>
It's ldif2db.pl and db2ldif.pl, not ldap.<br>
<br>
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255); font-size: 12pt; font-family:
'times new roman', 'new york', times, serif; ">
<div><br>
</div>
<div> Has anyone tried this solution yet? Are there
any limitations?</div>
<div><br>
</div>
<div>My experience showed that the IPA replica did
get its data restored successfully (no Dogtag is
involved, so only one LDAP backend is
saved/restored). But the IPA master sometimes
didn't get the data synced from the IPA replica (1/3
of the times it is synced, 2/3 of the times it needs the manual command
'ipa-replica-manage force-sync --from
<ipaReplicaServer>').</div>
</div>
</blockquote>
<br>
How did you verify that the data was synced? Note that
if a server has been down for a while, it will take the
supplier up to 5 minutes to recognize that the consumer
is up again, without force sync.<br>
<br>
<blockquote type="cite">
<div style="color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255); font-size: 12pt; font-family:
'times new roman', 'new york', times, serif; ">
<div><br>
</div>
<div>Please shed some light on this area, as
backup/restore of IPA master/replica is not even
mentioned in the IPA documentation at all. </div>
<div><br>
</div>
<div>Thanks a lot.</div>
<div><br>
</div>
<div>--David</div>
<div><br>
</div>
</div>
<br>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" rel="nofollow" class="yiv344082320moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" rel="nofollow" class="yiv344082320moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</blockquote>
<br>
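As an added example (not from this thread, and not part of 389 Directory Server or FreeIPA), the following shell script gates an ldif2db[.pl] import on whether the LDIF export actually carries the replication metadata that db2ldif[.pl] -r writes, so that a plain export is not imported into a replica by mistake. It assumes that a -r export contains the replica update vector (RUV) as an nsTombstone entry with nsds50ruv attributes and a plain export does not; the two sample LDIF files are constructed inline, the RUV values are made up, and the instance name, backend name, ldif paths and credentials in show_backup_commands are placeholders.<br>

```shell
#!/bin/sh
# Added example (not from the thread or from 389-ds/FreeIPA): decide
# whether an LDIF export is safe to feed to ldif2db[.pl] on a replica.
# Assumption: a db2ldif[.pl] -r export carries the replica update vector
# (RUV) as an nsTombstone entry with 'nsds50ruv:' attributes, while a
# plain export does not. Instance name, paths and credentials in
# show_backup_commands are placeholders.

# Return 0 if FILE contains replication metadata (an RUV), 1 otherwise.
ldif_has_replica_metadata() {
    grep -q '^nsds50ruv:' "$1"
}

# Constructed sample of a plain export: entries only, no replication state.
write_plain_sample() {
    cat > "$1" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
uid: testuser
cn: Test User
sn: User
EOF
}

# Constructed sample of a -r export: same data plus the RUV tombstone entry.
# The nsds50ruv values are made up; real ones are CSN-style hex values.
write_replica_sample() {
    write_plain_sample "$1"
    cat >> "$1" <<'EOF'

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fabc12300000004000a
nsds50ruv: {replica 4 ldap://replica.example.com:389} 4fabc45600000004000a 4fabc78900000004000a
EOF
}

# Gate an import: succeed only when the file carries the RUV, otherwise
# say what to re-run. The exit status is the decision.
check_before_import() {
    if ldif_has_replica_metadata "$1"; then
        echo "ok: $1 carries an RUV; ldif2db into a replica keeps replication state"
        return 0
    fi
    echo "refuse: $1 has no RUV; re-export with db2ldif.pl -r" >&2
    return 1
}

# Commands as they would be run on a real instance (printed, not executed;
# INSTANCE, backend name and ldif paths are placeholders; -w - prompts
# for the Directory Manager password instead of taking it on the command line).
show_backup_commands() {
    cat <<'EOF'
# Export with replication metadata: -n names the backend, -a the output file
/usr/lib64/dirsrv/slapd-INSTANCE/db2ldif.pl -D "cn=Directory Manager" -w - -n userRoot -r -a /var/lib/dirsrv/slapd-INSTANCE/ldif/userRoot-replica.ldif
# Import is destructive: it replaces the whole backend, RUV included
/usr/lib64/dirsrv/slapd-INSTANCE/ldif2db.pl -D "cn=Directory Manager" -w - -n userRoot -i /var/lib/dirsrv/slapd-INSTANCE/ldif/userRoot-replica.ldif
EOF
}

# Stand-alone demo on the constructed samples.
main() {
    d=$(mktemp -d)
    write_plain_sample "$d/plain.ldif"
    write_replica_sample "$d/replica.ldif"
    check_before_import "$d/plain.ldif" || true
    check_before_import "$d/replica.ldif"
    show_backup_commands
    rm -rf "$d"
}

main "$@"
```

Run it as-is to see the refuse/ok decisions on the two constructed files; on a real server, point check_before_import at the file you are about to hand to ldif2db.pl.<br>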
</body>
</html>