<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/10/2012 03:57 PM, David Copperfield wrote:
<blockquote
cite="mid:1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div>Hi Rob, Petr and all,</div>
<div><br>
</div>
<div>Because recently crashes of my IPA master and IPA replicas
servers, I'm thinking of methods of backup/restore IPA user
data: users, groups, host and server certificates etc. </div>
<div><br>
</div>
<div>It's said that the only official way is to create an extra
IPA replica and backup/snapshot that replica all the way. But
there still has a big chance that some mistakes propagate for
a to whole IPA domain/realm before the IAP administrator find
it and data got lost forever and some may not even be
recovered.</div>
<div><br>
</div>
<div>What I think is because both Dogtag and IPA store data in
backend 389 directory servers separately, then if I freeze the
change on one IPA replica for a few minutes first, then run
db2ldap.pl for both 389 ldap backends, then un-freeze the IPA
replica to get sync from master.</div>
<div><br>
</div>
<div> When data needs to be restored because of disasters, the
backup files(in LDIF format -- for easy to read) can be
restored to the two 389 LDAP backends on IPA replica with
command ldap2db.pl during the freezing period.</div>
</div>
</blockquote>
<br>
It's ldif2db.pl db2ldif.pl not ldap<br>
<br>
<blockquote
cite="mid:1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><br>
</div>
<div> Have anyone tried this solution yet? Is there any
limitations?</div>
<div><br>
</div>
<div>My experiences showed that the IPA replica did get data
restored successfully (no dogtag is involved so only one LDAP
backend is saved/restored). But the IPA master some times
didn't get the data synced from IPA replica ( 1/3 times it is
synced, 2/3 times needs manual command 'ipa-replica-manage
force-sync --from <ipaReplicaServer>' ).</div>
</div>
</blockquote>
<br>
How did you verify that the data was synced? Note that if a server
has been down for a while, it will take the supplier up to 5 minutes
to recognize that the consumer is up again, without force sync.<br>
<br>
<blockquote
cite="mid:1336687021.24612.YahooMailNeo@web125702.mail.ne1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:12pt">
<div><br>
</div>
<div>Please shed a light in this area, as backup/restore of IPA
master/replica is even not mentioned on the IPA document at
all. </div>
<div><br>
</div>
<div>Thanks a lot.</div>
<div><br>
</div>
<div>--David</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</body>
</html>