[Freeipa-users] Fwd: Re: dse.ldif and dse.ldif.bak are lost

Dmitri Pal dpal at redhat.com
Wed Apr 30 12:38:00 UTC 2014




-------- Original Message --------
Subject: 	Re: [Freeipa-users] dse.ldif and dse.ldif.bak are lost
Date: 	Wed, 30 Apr 2014 08:37:01 -0400
From: 	Dmitri Pal <dpal at redhat.com>
Reply-To: 	dpal at redhat.com
Organization: 	Red Hat
To: 	artjazz at free.fr



On 04/30/2014 05:26 AM, artjazz at free.fr wrote:
> Hi,
>
> I have 1 ipa master 'ipasrv' and 2 replicas 'iparpl1 iparpl2' installed with
> the --setup-ca option.
> For a few days I have had an issue with '389 Directory Server' on the master
> (ipasrv) and on the 2nd replica (iparpl2) with the following messages:
>
> The configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored
> from backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.tmp, error -1
> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] dse - The
> configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored from
> backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.bak, error -1
> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] config - The
> given config file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif could not be accessed,
> Netscape Portable Runtime error -5950 (File not found.)
>
> The files dse.ldif and dse.ldif.bak are lost.
> On my 1st replica (iparpl1) everything is OK.
>
> No full IPA backup or LDAP backup was done on ipasrv and iparpl2.
>
> A) Can I restore those files from iparpl1 ?
>
> B) I am a little bit confused after reading the documentation on
> http://www.freeipa.org/page/Backup_and_Restore
>    - can I consider that the ipa replicas are like the ipa master?

Yes they are, especially if they have the same components (CA).
The only difference is the configuration. Replicas do not track renewals
and do not generate CRLs.
But nothing prevents you from shifting these two responsibilities from
the first server you installed to one of the replicas.
This is what the procedure is about.

>    In this case when I want to execute the manual procedure in chapter 'One
> Server Loss'
>    1. Clean deployment from the lost server by removing all replication
> agreements with it.
>     from iparpl1 I have the following results:
>
> [root at iparpl1 ~]# ipa-replica-manage del iparpl2.mydomain
> 'iparpl1.mydomain' has no replication agreement for 'iparpl2.mydomaon'

Why are you trying to delete the second replica? You need to delete the
first server.

[root at iparpl1 ~]# ipa-replica-manage del ipasrv.mydomain
[root at iparpl2 ~]# ipa-replica-manage del ipasrv.mydomain

You also want to create a replication agreement between replicas 1 & 2.


>
>   [root at iparpl1 ~]# ipa-replica-manage del ipasrv.mydomain
> Connection to 'ipasrv.mydomain' failed:
> Unable to delete replica 'ipasrv.mydomain'

What version do you have? In earlier versions there have been issues
with deleting replicas that required manual steps.
Search for CLEANRUV in the list archives.

>
>    2. Choose another FreeIPA Server with CA installed to become the first master
> Can I do this request from my 1st replica iparpl1 and how ?

Yes
>
>    3. Nominate this master to be the one in charge of renewing certs and
> publishing CRLs. This is a manual procedure at the moment.
>
>    4. Follow standard installation procedure to deploy a new master on a
> hardware/VM of your choice
> Is this step to install a replica, not a master?

Now the server that does CRL publishing and cert tracking is your new
master. You are deploying a new replica instead of the one that is now a
new master.

>
> Thanks for your help.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
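As an added example (not from this thread or the FreeIPA project), here is a small POSIX sh health check for the failure the poster hit: it verifies that each 389-ds instance still has a usable dse.ldif and dse.ldif.bak, and counts the two ns-slapd log messages quoted above. It assumes the default /etc/dirsrv/slapd-<INSTANCE> layout; the log path is supplied by the caller, and the slapd-GOOD / slapd-BAD instances and log lines are constructed sample data.

```shell
# dse_files_ok DIR: returns 0 when DIR has a non-empty dse.ldif and
# dse.ldif.bak that both carry the cn=config entry, 1 otherwise.
dse_files_ok() {
    for f in dse.ldif dse.ldif.bak; do
        [ -s "$1/$f" ] || { echo "MISSING or empty: $1/$f" >&2; return 1; }
        grep -q '^dn: cn=config' "$1/$f" || { echo "NOT LDIF: $1/$f" >&2; return 1; }
    done
}

# dse_log_failures LOG: prints how many ns-slapd lines report a dse.ldif
# restore or access failure (the two messages quoted in the thread).
dse_log_failures() {
    grep -cE 'dse - The configuration file .* was not restored from backup|config - The given config file .* could not be accessed' "$1" || :
}

# check_all ROOT: audits every slapd-* instance under ROOT (default
# /etc/dirsrv) and returns 1 if any instance fails.
check_all() {
    root="${1:-/etc/dirsrv}"; rc=0
    for d in "$root"/slapd-*; do
        [ -d "$d" ] || continue
        if dse_files_ok "$d"; then echo "OK   $d"; else echo "FAIL $d"; rc=1; fi
    done
    return $rc
}

# make_sample DIR: constructed test data (not real servers): a healthy
# slapd-GOOD, a slapd-BAD with no dse files, and a log modelled on the thread.
make_sample() {
    mkdir -p "$1/slapd-GOOD" "$1/slapd-BAD"
    for f in dse.ldif dse.ldif.bak; do
        printf 'dn: cn=config\nobjectClass: top\ncn: config\n' > "$1/slapd-GOOD/$f"
    done
    cat > "$1/errors" <<'EOF'
[28/Apr/2014:15:38:35 +0200] dse - The configuration file /etc/dirsrv/slapd-BAD/dse.ldif was not restored from backup /etc/dirsrv/slapd-BAD/dse.ldif.tmp, error -1
[28/Apr/2014:15:38:35 +0200] dse - The configuration file /etc/dirsrv/slapd-BAD/dse.ldif was not restored from backup /etc/dirsrv/slapd-BAD/dse.ldif.bak, error -1
[28/Apr/2014:15:38:35 +0200] config - The given config file /etc/dirsrv/slapd-BAD/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
[28/Apr/2014:15:38:36 +0200] - unrelated line (constructed), must not be counted
EOF
}

# Stand-alone run against the constructed data; on a real server call
# check_all /etc/dirsrv and dse_log_failures /var/log/dirsrv/slapd-<INSTANCE>/errors.
S=$(mktemp -d); make_sample "$S"
check_all "$S" || :
echo "log failures: $(dse_log_failures "$S/errors")"
rm -rf "$S"
```

Run it from cron or a monitoring agent on every IPA server so a missing dse.ldif is noticed before the next restart, not after.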
