[Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???

Rich Megginson rmeggins at redhat.com
Thu May 10 22:19:34 UTC 2012


On 05/10/2012 03:57 PM, David Copperfield wrote:
> Hi Rob, Petr and all,
>
> Because of recent crashes of my IPA master and IPA replica servers, 
> I'm thinking of methods of backup/restore of IPA user data: users, 
> groups, host and server certificates etc.
>
> It's said that the only official way is to create an extra IPA replica 
> and backup/snapshot that replica all the way. But there is still a 
> big chance that some mistakes propagate to the whole IPA 
> domain/realm before the IPA administrator finds them, and data gets lost 
> forever and some may not even be recovered.
>
> What I think is because both Dogtag and IPA store data in backend 389 
> directory servers separately, then if I freeze the change on one IPA 
> replica for a few minutes first, then run db2ldap.pl for both 389 ldap 
> backends, then un-freeze the IPA replica to get sync from master.
>
> When data needs to be restored because of disasters, the backup 
> files (in LDIF format -- for ease of reading) can be restored to the two 
> 389 LDAP backends on the IPA replica with the command ldap2db.pl during the 
> freezing period.

It's ldif2db.pl and db2ldif.pl, not ldap

>
> Has anyone tried this solution yet? Are there any limitations?
>
> My experiences showed that the IPA replica did get data restored 
> successfully (no dogtag is involved so only one LDAP backend is 
> saved/restored). But the IPA master sometimes didn't get the data 
> synced from IPA replica ( 1/3 times it is synced, 2/3 times needs 
> manual command 'ipa-replica-manage force-sync  --from 
> <ipaReplicaServer>' ).

How did you verify that the data was synced?  Note that if a server has 
been down for a while, it will take the supplier up to 5 minutes to 
recognize that the consumer is up again, without force sync.

>
> Please shed some light on this area, as backup/restore of IPA 
> master/replica is not even mentioned in the IPA document at all.
>
> Thanks a lot.
>
> --David
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
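
One way to answer the "how did you verify that the data was synced?" question above is to compare the LDIF exports taken from two servers. The following is an added example, not part of the original thread and not FreeIPA or 389 code; the function names, the ignored-attribute list and the sample entries are assumptions made for illustration.

```python
import base64

# Assumption: attributes expected to differ between servers; adjust as needed.
IGNORED_ATTRS = {"entryusn", "modifytimestamp"}

def parse_ldif(text):
    # Returns {lowercased dn: {attr: set of byte values}}.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: " marks a base64 value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        attr = attr.lower()
        if attr == "dn":                    # DN compared case-insensitively
            current = entries.setdefault(value.decode().lower(), {})
        elif current is not None and attr not in IGNORED_ATTRS:
            current.setdefault(attr, set()).add(value)
    return entries

def diff_exports(a_text, b_text):
    # Reports DNs missing on either side and DNs whose attributes differ.
    a, b = parse_ldif(a_text), parse_ldif(b_text)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(dn for dn in set(a) & set(b) if a[dn] != b[dn]),
    }

# Constructed sample exports (not real data): same content, different encoding.
MASTER = ("dn: uid=alice,dc=example,dc=test\nuid: alice\nentryusn: 101\n\n"
          "dn: uid=bob,dc=example,dc=test\ndescription:: Zm9sZGVkIHZhbHVl\n\n"
          "dn: uid=carol,dc=example,dc=test\nuid: carol\n")
REPLICA = ("dn: UID=alice,dc=example,dc=test\nuid: alice\nentryusn: 7\n\n"
           "dn: uid=bob,dc=example,dc=test\ndescription: folded\n  value\n")

if __name__ == "__main__":
    print(diff_exports(MASTER, REPLICA))
```

A plain text diff of the two files would flag the folded line, the base64 value and the DN case difference even though the entries are identical; parsing first leaves only the entry that is really missing.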
