[Freeipa-users] dse.ldif and dse.ldif.bak are lost

Rob Crittenden rcritten at redhat.com
Wed Apr 30 13:31:52 UTC 2014


artjazz at free.fr wrote:
> Hi,
>
> I have 1 ipa master 'ipasrv' and 2 replicas 'iparpl1 iparpl2' installed with
> --setup-ca option.
> Since a few days I have an issue with '389 Directory Server' on the master
> (ipasrv) and on the 2nd replica (iparpl2) with the following messages:
>
> The configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored
> from backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.tmp, error -1
> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] dse - The
> configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored from
> backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.bak, error -1
> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] config - The
> given config file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif could not be accessed,
> Netscape Portable Runtime error -5950 (File not found.)
>
> The files dse.ldif and dse.ldif.bak are lost.
> On my 1st replica (iparpl1) everything is OK.
>
> No Full IPA backup and LDAP backup done on ipasrv and iparpl2.
>
> A) Can I restore those files from iparpl1 ?

Not easily. There is some instance-specific information. The 389-ds team 
may have some ideas.

Do you know what happened? Were the servers crashing?

Are there any other dse.ldif.* files there? There should at least be 
dse.ldif.startOK. That would be a place to start.

> B) I am a little bit confused after reading the documentation on
> http://www.freeipa.org/page/Backup_and_Restore
>    - can I consider that the ipa replicas are like ipa master ?
>    In this case when I want to execute the manual procedure in chapter 'One
> Server Loss'
>    1. Clean deployment from the lost server by removing all replication
> agreements with it.
>     from iparpl1 I have the following results:
>
> [root at iparpl1 ~]# ipa-replica-manage del iparpl2.mydomain
> 'iparpl1.mydomain' has no replication agreement for 'iparpl2.mydomain'

You can only delete a master from a server that has a replication 
agreement with it. I assume your topology was something like:

        ipa
    /         \
iparpl1  iparpl2

This will leave iparpl2 as an IPA master in some places in the tree. 
Depending on the version of IPA you can use the -c flag to clean up a 
master that is now gone.

>   [root at iparpl1 ~]# ipa-replica-manage del ipasrv.mydomain
> Connection to 'ipasrv.mydomain' failed:
> Unable to delete replica 'ipasrv.mydomain'

The --force flag will let this continue.

>
>    2. Choose another FreeIPA Server with CA installed to become the first master
> Can I do this request from my 1st replica iparpl1 and how ?
>

http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

It matters what version of IPA you have.

>    3. Nominate this master to be the one in charge of renewing certs and
> publishing CRLs. This is a manual procedure at the moment.
>
>    4. Follow standard installation procedure to deploy a new master on a
> hardware/VM of your choice
> this request is to install a replica not a master ?

All servers are masters to IPA. The only difference is which ones have a 
CA and DNS server.

If iparpl1 does not have a CA installed then I'd try to get the initial 
IPA master back up, otherwise you will be stuck with no CA, no way to 
generate new replicas.

rob
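Rob's suggestion to look for the remaining dse.ldif.* files is the practical starting point, and the log lines in the original post show the order in which ns-slapd itself falls back (dse.ldif, then dse.ldif.tmp, then dse.ldif.bak). The script below is an added example, not code from the poster or from the FreeIPA/389-ds projects: it scans an instance directory for the surviving copies in a safer order (dse.ldif.startOK, the copy written after the last successful start, before .bak and .tmp), sanity-checks each one, and copies the best candidate back into place. The file names are the ones 389-ds writes; the sanity check (non-empty and containing the cn=config entry) and the constructed demo directory are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread above; not code from the poster or from the
# FreeIPA/389-ds projects. Given a 389-ds instance directory
# (e.g. /etc/dirsrv/slapd-MYINSTANCE), find the most trustworthy surviving
# copy of dse.ldif and put it back in place.
#
# File names are the ones 389-ds writes: dse.ldif (live config),
# dse.ldif.tmp (in-progress write), dse.ldif.bak (previous version) and
# dse.ldif.startOK (copy saved after the last successful start). The sanity
# check (non-empty, contains the cn=config entry) and the demo directory at
# the bottom are assumptions of this example, not project behaviour.

# Print the first candidate that passes the sanity check; return 1 if none.
# dse.ldif.startOK is tried before .bak/.tmp because it is known to have
# started the server once, which the poster's servers can no longer do.
find_usable_dse() {
    dir="$1"
    for name in dse.ldif dse.ldif.startOK dse.ldif.bak dse.ldif.tmp; do
        f="$dir/$name"
        [ -s "$f" ] || continue                     # missing or empty
        grep -q '^dn: cn=config$' "$f" || continue  # not a config file
        printf '%s\n' "$f"
        return 0
    done
    return 1
}

# Restore dse.ldif from the chosen candidate, keeping a timestamped copy of
# the source so the recovery can be audited later. Returns 1 if nothing
# usable was found, 0 if dse.ldif is already present or was restored.
restore_dse() {
    dir="$1"
    src=$(find_usable_dse "$dir") || return 1
    if [ "$src" = "$dir/dse.ldif" ]; then
        return 0                                    # live config is intact
    fi
    cp -p "$src" "$dir/dse.ldif" || return 1
    cp -p "$src" "$src.recovered-$(date +%Y%m%d%H%M%S)" || return 1
    # On a real instance the restored file must be owned by the dirsrv
    # service account (dirsrv:dirsrv on EL) and be mode 0600 before the
    # server is started; left as a manual step so this runs unprivileged.
    return 0
}

# Constructed demo: an instance directory that lost dse.ldif and
# dse.ldif.bak (as in the post) but still has dse.ldif.startOK.
demo_dir=$(mktemp -d)
printf 'dn: cn=config\ncn: config\nnsslapd-port: 389\n\n' \
    > "$demo_dir/dse.ldif.startOK"
demo_src=$(find_usable_dse "$demo_dir")
restore_dse "$demo_dir" && echo "restored $demo_dir/dse.ldif from $demo_src"
rm -rf "$demo_dir"
```

Run it against the real instance directory only after stopping dirsrv for that instance, and compare the recovered file against a healthy replica's dse.ldif (iparpl1 in the poster's case) before starting: instance-specific values such as nsslapd-port, nsslapd-rootpw and the replication-related entries must come from the damaged server's own copy, which is why a copy from another replica is not a drop-in substitute.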