<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>OK,</span></div><div><span><br></span></div><div><span>that means the steps below:</span></div><div><span><br></span></div><div>1) On the IPA replica, let's create 4 IPA users: A, B, C and D. Now make a backup with 'db2ldif.pl -r ...'.</div><div><br></div><div>2) On the IPA replica, delete the user D: 'ipa user-del D'.</div><div><br></div><div>3) On the IPA master, delete the user C: 'ipa user-del C'.</div><div><br></div><div>4) Now check on the IPA master and the IPA replica; both show only two users, 'A' and 'B'. This is expected.</div><div><br></div><div>5) Now on the IPA replica, restore the backup with 'ldif2db.pl'.</div><div><br></div><div>6) Check on the IPA replica immediately: 'ipa user-find' shows 4 users 'A, B, C, D' at the beginning.</div><div><br></div><div>7) Check the IPA master: 'ipa user-find' still shows only two users, 'A, B'.</div><div><br></div><div>8) Wait 3 minutes or so, check on the IPA replica, and find that there are only THREE users 'A, B, D'. The user 'C' is deleted now -- the change propagated from the IPA master.</div><div><br></div><div>9) Check on the IPA master again and again; there are still only two users 'A, B'.</div><div><br></div><div>10) Check on the IPA replica again and again; there are still three users 'A, B, D'. This status is different from the IPA master's 'A, B' and from the backup's 'A, B, C, D'.</div><div><br></div><div><br></div><div>If the backup was created without the '-r' option, then step 8 above will always show 'A, B, C, D', the same as the backup. With the '-r' option the final result ends up in between.</div><div><br></div><div><br></div><div>Hope I have explained it clearly. Please advise on something like ipa2ldif.pl and ldif2ipa.pl tools. They are really the key useful feature for a serious production IPA deployment, which is definitely of much higher priority than dogtag.</div><div><br></div><div>Thanks a lot.</div><div><br></div><div>--David</div><div><br></div><div><span><br></span></div><div><br></div>  <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <div dir="ltr"> <font size="2" face="Arial"> <hr size="1">  <b><span style="font-weight:bold;">From:</span></b> Rich Megginson <rmeggins@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> David Copperfield <cao2dan@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> E Deon Lackey <dlackey@redhat.com>; Petr Spacek <pspacek@redhat.com>; Rob Crittenden <rcritten@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, May 10, 2012 6:37 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???<br> </font> </div> <br>
<div id="yiv873795328">
  

    
  
  <div>
    On 05/10/2012 07:32 PM, David Copperfield wrote:
    <blockquote type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; ">
        <div><span>Hi Rich and all,</span></div>
        <div><span><br>
          </span></div>
        <div><span>the '-r' option to db2ldif.pl doesn't work either;
            it makes little difference. </span></div>
        <div><span><br>
          </span></div>
        <div><span>My backup and restore commands on the IPA
            replica are:</span></div>
        <div><span><br>
          </span></div>
        <div>db2ldif.pl -D 'cn=Directory Manager' -w - -r -s
          'dc=example,dc=com'</div>
        <div><br>
        </div>
        <div>ldif2db.pl -D 'cn=Directory Manager' -w - -i
          <the_backup_file_in_LDIF_format></div>
        <div><br>
        </div>
        <div>The only difference is: after the IPA master restart (the restart
          happens after the IPA replica's restore operation), the changes --
          which were applied on the IPA master before the backup -- are propagated to
          the IPA replica. This in fact makes the restoration test end
          up with a result completely unusable on the IPA replica, a result
          that is different from the backup and different from the IPA master.
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    I don't quite understand what you mean.<br>
    <br>
    <blockquote type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; ">
        <div><br>
        </div>
        <div>Please let me know if there are any other options/steps to
          follow. Thanks.</div>
      </div>
    </blockquote>
    <br>
    Not sure what else to try.<br>
    <br>
    <blockquote type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; ">
        <div><br>
        </div>
        <div>--David</div>
        <div><br>
        </div>
        <div><span><br>
          </span></div>
        <div><span><br>
          </span></div>
        <div><br>
        </div>
        <div style="font-size: 12pt; font-family: times, serif; ">
          <div style="font-size: 12pt; font-family: times, serif; ">
            <div dir="ltr"> <font face="Arial" size="2">
                <hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                Rich Megginson <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:rmeggins@redhat.com" target="_blank" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
                <b><span style="font-weight:bold;">To:</span></b> David
                Copperfield <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:cao2dan@yahoo.com" target="_blank" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
                <b><span style="font-weight:bold;">Cc:</span></b>
                <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>; Rob Crittenden
                <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>; Petr Spacek
                <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:pspacek@redhat.com" target="_blank" href="mailto:pspacek@redhat.com"><pspacek@redhat.com></a> <br>
                <b><span style="font-weight:bold;">Sent:</span></b>
                Thursday, May 10, 2012 5:28 PM<br>
                <b><span style="font-weight:bold;">Subject:</span></b>
                Re: [Freeipa-users] backup/restore IPA servers with
                <a target="_blank" href="http://db2ldap.pl">db2ldap.pl</a>, <a target="_blank" href="http://ldap2db.pl">ldap2db.pl</a> ???<br>
              </font> </div>
            <br>
            <div id="yiv873795328">
              <div> On 05/10/2012 04:37 PM, David Copperfield wrote:
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: times, serif; ">
                    <div><span>Hi Rich and all,</span></div>
                    <div><span><br>
                      </span></div>
                    <div><span>Thanks for the correction. They are the db2ldif.pl and ldif2db.pl
                        scripts, which are originally for 389 Directory
                        Server's backup and restore purposes. </span></div>
                    <div><span><br>
                      </span></div>
                    <div><span>There are no IPA tools for IPA system
                        backup and restore. </span>Is there a plan to
                      develop tools like ipa2ldif.pl
                      and ldif2ipa.pl soon?
                      Or, at least, is it on the IPA roadmap?</div>
                    <div><br>
                    </div>
                    <div>For the second question: I use the simple way:
                      ipa user-add/user-delete/user-find to see whether
                      data is propagated. My testing steps are like
                      this:</div>
                    <div><br>
                    </div>
                    <div> 1, run 'ipa user-add testuser' on the IPA replica,
                      check it on the IPA master with 'ipa user-find
                      testuser' and it is found in a few seconds -- not
                      5 minutes.</div>
                    <div><br>
                    </div>
                    <div> 2, run 'db2ldif.pl' on the IPA replica to save a
                      backup.</div>
                    <div><br>
                    </div>
                    <div> 3, run 'ipa user-del testuser' on the IPA replica,
                      then 'ipa user-find' on the IPA replica, and it shows
                      that the user is deleted.</div>
                    <div><br>
                    </div>
                    <div> 4, double check 'ipa user-find testuser' on the
                      IPA master, and it is found deleted, which is as
                      expected, and it is propagated in just a few
                      seconds.</div>
                    <div><br>
                    </div>
                    <div> 5, run 'ldif2db.pl' on the same IPA replica
                      where the backup was created.</div>
                    <div><br>
                    </div>
                    <div> 6, run 'ipa user-find testuser' on the IPA replica
                      and it is found that the user testuser is alive
                      again.</div>
                    <div><br>
                    </div>
                    <div> 7, run 'ipa user-find testuser' on the IPA master.
                      1/3 of the time we can find it -- and in just a few
                      seconds. The other 2/3 of the time it could not be found
                      even after HALF AN HOUR.</div>
                    <div><br>
                    </div>
                    <div>Please run a quick duplicate test at your
                      side and advise what normal users should do,
                      because a reliable backup/restore solution is
                      definitely one of the key criteria. Thanks a lot.</div>
                    <div><br>
                    </div>
                  </div>
                </blockquote>
                <br>
                Ok, I see.  The problem is that a regular db2ldif[.pl]
                does not save the replication meta-data.  You must use
                the -r option to generate an ldif file with the
                replication meta-data.  ldif2db[.pl] is destructive - it
                wipes out your database completely and replaces it,
                wiping out any replication meta-data in the process.  If
                you ldif2db[.pl] a file exported with db2ldif[.pl] -r,
                it will replace the replication meta-data too.<br>
                <br>
                See
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line<br>
                <br>
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: times, serif; ">
                    <div>--David</div>
                    <div style="font-size: 12pt; font-family: times, serif; ">
                      <div style="font-size: 12pt; font-family: times, serif; ">
                        <div dir="ltr"> <font face="Arial" size="2">
                            <hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                            Rich Megginson <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:rmeggins@redhat.com" target="_blank" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
                            <b><span style="font-weight:bold;">To:</span></b>
                            David Copperfield <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:cao2dan@yahoo.com" target="_blank" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a>
                            <br>
                            <b><span style="font-weight:bold;">Cc:</span></b>
                            <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                            <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>;
                            Rob Crittenden <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>;
                            Petr Spacek <a rel="nofollow" class="yiv873795328moz-txt-link-rfc2396E" ymailto="mailto:pspacek@redhat.com" target="_blank" href="mailto:pspacek@redhat.com"><pspacek@redhat.com></a>
                            <br>
                            <b><span style="font-weight:bold;">Sent:</span></b>
                            Thursday, May 10, 2012 3:19 PM<br>
                            <b><span style="font-weight:bold;">Subject:</span></b>
                            Re: [Freeipa-users] backup/restore IPA
                            servers with <a rel="nofollow" target="_blank" href="http://db2ldap.pl">db2ldap.pl</a>,
                            <a rel="nofollow" target="_blank" href="http://ldap2db.pl">ldap2db.pl</a>
                            ???<br>
                          </font> </div>
                        <br>
                        <div id="yiv873795328">
                          <div> On 05/10/2012 03:57 PM, David
                            Copperfield wrote:
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: times, serif; ">
                                <div>Hi Rob, Petr and all,</div>
                                <div><br>
                                </div>
                                <div>Because of recent crashes of my IPA
                                  master and IPA replica servers, I'm
                                  thinking of methods to backup/restore
                                  IPA user data: users, groups, host and
                                  server certificates etc.  </div>
                                <div><br>
                                </div>
                                <div>It's said that the only official
                                  way is to create an extra IPA replica
                                  and backup/snapshot that replica all
                                  the way. But there is still a big
                                  chance that some mistake propagates
                                  to the whole IPA domain/realm before
                                  the IPA administrator finds it, and data
                                  gets lost forever; some may not even
                                  be recoverable.</div>
                                <div><br>
                                </div>
                                <div>What I think is: because both Dogtag
                                  and IPA store data in separate backend 389
                                  directory servers, I could first freeze
                                  the changes on one IPA replica
                                  for a few minutes, then run db2ldap.pl
                                  for both 389 LDAP backends, then
                                  un-freeze the IPA replica to get synced
                                  from the master.</div>
                                <div><br>
                                </div>
                                <div> When data needs to be restored
                                  because of disasters, the backup
                                  files (in LDIF format -- easy to
                                  read) can be restored to the two 389
                                  LDAP backends on the IPA replica with the
                                  command ldap2db.pl
                                  during the freezing period.</div>
                              </div>
                            </blockquote>
                            <br>
                            It's ldif2db.pl / db2ldif.pl,
                            not ldap<br>
                            <br>
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: times, serif; ">
                                <div><br>
                                </div>
                                <div> Has anyone tried this solution
                                  yet? Are there any limitations?</div>
                                <div><br>
                                </div>
                                <div>My experience showed that the IPA
                                  replica did get its data restored
                                  successfully (no dogtag is involved, so
                                  only one LDAP backend is
                                  saved/restored). But the IPA master
                                  sometimes didn't get the data synced
                                  from the IPA replica (1/3 of the time it
                                  synced, 2/3 of the time it needed the manual command
                                  'ipa-replica-manage force-sync --from
                                  <ipaReplicaServer>').</div>
                              </div>
                            </blockquote>
                            <br>
                            How did you verify that the data was
                            synced?  Note that if a server has been down
                            for a while, it will take the supplier up to
                            5 minutes to recognize that the consumer is
                            up again, without force sync.<br>
                            <br>
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-size: 12pt; font-family: times, serif; ">
                                <div><br>
                                </div>
                                <div>Please shed some light on this area,
                                  as backup/restore of the IPA
                                  master/replica is not even mentioned
                                  in the IPA documentation at all. </div>
                                <div><br>
                                </div>
                                <div>Thanks a lot.</div>
                                <div><br>
                                </div>
                                <div>--David</div>
                              </div>
                              <br>
                              <br>
                              <pre>_______________________________________________
Freeipa-users mailing list
<a rel="nofollow" class="yiv873795328moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a rel="nofollow" class="yiv873795328moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                        <br>
                        <br>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
            </div>
            <br>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

</div><br><br> </div> </div>  </div></body></html>