[Freeipa-users] Confused/lost at promoting a replica into a master
David Copperfield
cao2dan at yahoo.com
Tue May 1 01:50:35 UTC 2012
I think the problem is figured out, though solution is not easy. Would some one please open a bug for this problem.
Another close question to ask: Does this means the IPA PKI/CA system is still in its beta/alpha stage, and better avoid in production IPA deployment?
I've see messages, Q/A in mail list of 389 Directory Server and freeIPA much, much more often than the Dogtag. If so, I can use --selfsign to install IPA masters and replicas now, and wait until the Dogtag is mature enough. because this IPA solution is the core of our business authentication and authorization, and so I have been asked several times to make it reliable and easy to maintain. Otherwise the admin. official would rather to keep existing Kerberos+OpenLDAP solution which is time proven.
Now the problem debugging is attached below:
[root at ipaclient09 scripts-EXAMPLE-COM]# sh -x ./db2ldif -n ipaca
...
+ ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a /var/lib/dirsrv/slapd-EXMAPLE-COM/ldif/EXAMPLE-COM-ipaca-2012_04_30_183403.ldif -n ipaca
[30/Apr/2012:18:34:03 -0700] - /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit). Server will use a setting of 1024.
[30/Apr/2012:18:34:03 -0700] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit). Server will use a setting of 1024.
[30/Apr/2012:18:34:03 -0700] - ERROR: Could not find backend 'ipaca'
but when I run ns-slapd directly, with config using backed slapd-PKI-IPA, then it works and a ldif backup file is created.
[root at ipaclient09 scripts-EXAMPLE-COM]# /usr/sbin/ns-slapd db2ldif -D /etc/dirsrv/slapd-PKI-IPA -a /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif -n ipaca
ldiffile: /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
[30/Apr/2012:18:37:54 -0700] - export ipaca: Processed 63 entries (100%).
[30/Apr/2012:18:37:54 -0700] - All database threads now stopped
[root at ipaclient09 scripts-PEGACLOUDS-COM]# ls -alF /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
-rw-------. 1 pkisrv dirsrv 125567 Apr 30 18:37 /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif
[root at ipaclient09 scripts-EXAMPLE-COM]#
And inside the script db2ldif, it is found that codes are hard-coded to the user/group/netgroup LDAP backend already, and breaks backup/restore for PKI-IPA LDAP.
[root at ipaclient09 scripts-EXAMPLE-COM]# grep PKI /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif
[root at ipaclient09 scripts-EXAMPLE-COM]# grep EXAMPLE /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif
echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-`date +%Y_%m_%d_%H%M%S`.ldif
echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-${be}-`date +%Y_%m_%d_%H%M%S`.ldif
./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM "$@"
./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a $ldif_file "$@"
[root at ipaclient09 scripts-EXAMPLE-COM]#
--David
________________________________
From: David Copperfield <cao2dan at yahoo.com>
To: Rich Megginson <rmeggins at redhat.com>
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Monday, April 30, 2012 6:01 PM
Subject: Re: [Freeipa-users] Confused/lost at promoting a replica into a master
Hi Rich and all,
the '-n ipaca' option doesn't work for CA certificate LDAP backend.
[root at ipslave scripts-PEGACLOUDS-COM]# pwd
/var/lib/dirsrv/scripts-PEGACLOUDS-COM
[root at ipaslave scripts-PEGACLOUDS-COM]# ls ../
scripts-PEGACLOUDS-COM slapd-PEGACLOUDS-COM slapd-PKI-IPA
[root at ipaslave scripts-PEGACLOUDS-COM]# ./db2ldif -n ipaca
Exported ldif file: /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-ipaca-2012_04_30_175927.ldif
...
[30/Apr/2012:17:59:27 -0700] - ERROR: Could not find backend 'ipaca'.
[root at ipaslave scripts-PEGACLOUDS-COM]#
--David
________________________________
From: Rich Megginson <rmeggins at redhat.com>
To: David Copperfield <cao2dan at yahoo.com>
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Monday, April 30, 2012 5:38 PM
Subject: Re: [Freeipa-users] Confused/lost at promoting a replica into a master
On 04/30/2012 05:52 PM, David Copperfield wrote:
Hi Rich and all,
>
>
>
>Thank you a lot for pointing out the place of the scripts.
>
>
>
>The scripts are found at the place specified and trued, they are working great in general, but there are still some places needs help:
>
>
>
>1, there are no manual or help regarding the command options. Not sure where the normal usage could be looked up.
>
>
>[root at ipamaster scripts-PEGACLOUDS-COM]# man db2ldif
>No manual entry for db2ldif
>
>[root at ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif --help
>Usage: db2ldif {-n backend_instance}* | {-s includesuffix}*
> [{-x excludesuffix}*] [-a outputfile]
> [-N] [-r] [-C] [-u] [-U] [-m] [-M] [-1]
>Note: either "-n backend_instance" or "-s includesuffix" is required.
>[root at ipamaster scripts-PEGACLOUDS-COM]#
>
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Command_Line_Scripts.html
In general - you can use the .pl scripts when the server is running,
the non-.pl scripts when the server is down. So, use ldif2db.pl to do an online import.
Also, with ipa, you can use -n userRoot or -n ipaca depending on if
this is the ipa instance or the CA instance.
>
>2, what is the 'official' way increase file descriptors for IPA & 389 Directory server??
>
>
>[root at ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif -s 'dc=pegaclouds,dc=com'
>Exported ldif file:
/var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_164542.ldif
>[30/Apr/2012:16:45:42 -0700] -
/etc/dirsrv/slapd-PEGACLOUDS-COM/dse.ldif:
nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid
value "8192", maximum file descriptors must range from 1 to
1024 (the current process limit). Server will use a setting
of 1024.
>[30/Apr/2012:16:45:42 -0700] - Config Warning: -
nsslapd-maxdescriptors: invalid value "8192", maximum file
descriptors must range from 1 to 1024 (the current process
limit). Server will use a setting of 1024.
>...
>
db2ldif doesn't use file descriptors in the same way as the server
does when it is using them to listen and service incoming
connections - just ignore that message
>
>3, the ldif2db command will abort when IPA(Directory Server) is running.
>
>
>
> I have to stop IPA first, then run ldif2db, and fireup IPA at the end. It may not be a bad thing to avoid potential data base corruption. But please confirm whether this is a feature or a bug.
>
>
>
>[root at ipamaster scripts-PEGACLOUDS-COM]# ./ldif2db -s 'dc=pegaclouds,dc=com' -i /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_163506.ldif
>importing data ...
>...
>[30/Apr/2012:16:50:00 -0700] - Backend Instance: userRoot
>[30/Apr/2012:16:50:00 -0700] - Unable to import the database
because it is being used by another slapd process.
>[30/Apr/2012:16:50:00 -0700] - Shutting down due to possible
conflicts with other slapd processes
>
Use ldif2db.pl
>
>Thanks.
>
>
>--David
>
>
>
>
>________________________________
> From: Rich Megginson <rmeggins at redhat.com>
>To: David Copperfield <cao2dan at yahoo.com>
>Cc: E Deon Lackey <dlackey at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>Sent: Monday, April 30, 2012 4:23 PM
>Subject: Re: [Freeipa-users] Confused/lost at promoting a replica into a master
>
>
>On 04/30/2012 04:58 PM, David Copperfield wrote:
>Hi,
>>
>>>
>>
>>> Currently, there is no disaster recovery or backup information. There are a couple of RFEs open to develop this information. My understanding (and this is something that
>>> Dmitri or one of the engineers can
explain better) is that the best thing to do
is to back up the DS instances using db2ldif
and then spin up a new server/replica
instance and
>>> import the backed up data using
ldif2db.
>>
>>Thanks for pointing out a way to do partial
backup/restore.
>>
>>But the command db2ldif, or its sibling
command ldif2db can not be located on IPA
master/replica.
>look in /var/lib/dirsrv/scripts-YOURDOMAIN-YOURTLD
>
>
>The IPA servers only install 389-ds-base and 389-ds-base-libs RPMs. and the two commands doesn't show up anywhere.
>>
>>Could anyone elaborate how to use the two
template commands, or please point me to the
document or http link(s) is enough. Thanks a
lot.
>>
>>
>>[root at ipamaster script-templates]# rpm -qa | grep 389
>>389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
>>
>>[root at ipamaster script-templates]# rpm -ql
389-ds-base 389-ds-base-libs | grep -P
'db2ldif|ldif2db'
>>/usr/share/dirsrv/script-templates/template-db2ldif
>>/usr/share/dirsrv/script-templates/template-db2ldif.pl
>>/usr/share/dirsrv/script-templates/template-ldif2db
>>/usr/share/dirsrv/script-templates/template-ldif2db.pl
>>[root at ipamaster script-templates]#
>>
>>--David
>>
>>
>>
>>
>>_______________________________________________
Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120430/715bbcb1/attachment.htm>
More information about the Freeipa-users
mailing list