<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>I think the problem is figured out, though the solution is not easy. Would someone please open a bug for this problem. <br></span></div><div><br><span></span></div><div><span>Another closely related question to ask: does this mean the IPA PKI/CA system is still in its beta/alpha stage, and better avoided in a production IPA deployment? <br></span></div><div><span><br></span></div><div><span>I've seen messages and Q/A on the mailing lists of 389 Directory Server and FreeIPA much, much more often than for Dogtag. </span><span>If so, I can use --selfsign to install IPA masters and replicas now, and wait until Dogtag is mature enough, because this IPA solution is the core of our business authentication and authorization, and so I have been asked several times to make it reliable and easy to maintain. Otherwise the admin official would rather
 keep the existing Kerberos+OpenLDAP solution, which is time proven. <br></span></div><div><br></div><div>Now the problem debugging is attached below:</div><div><br><span></span></div><div><span>[root@ipaclient09 scripts-EXAMPLE-COM]# sh -x ./db2ldif -n ipaca</span></div><div><span>...</span></div><div><span>+ ./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-ipaca-2012_04_30_183403.ldif -n ipaca<br>[30/Apr/2012:18:34:03 -0700] - /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.<br>[30/Apr/2012:18:34:03 -0700] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.<br>[30/Apr/2012:18:34:03
 -0700] - ERROR: Could not find backend 'ipaca'</span></div><div><br><span></span></div><div><span>But when I run ns-slapd directly, with the config using the backend instance slapd-PKI-IPA, then it works and an LDIF backup file is created.<br></span></div><div><br><span></span></div><div><span>[root@ipaclient09 scripts-EXAMPLE-COM]# /usr/sbin/ns-slapd db2ldif -D /etc/dirsrv/slapd-PKI-IPA -a /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif -n ipaca<br>ldiffile: /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif<br>[30/Apr/2012:18:37:54 -0700] - export ipaca: Processed 63 entries (100%).<br>[30/Apr/2012:18:37:54 -0700] - All database threads now stopped<br>[root@ipaclient09 scripts-PEGACLOUDS-COM]# ls -alF /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif<br>-rw-------. 1 pkisrv dirsrv 125567 Apr 30 18:37 /var/lib/dirsrv/slapd-PKI-IPA/ldif/PKI-IPA-ipaca-2012_04_30_182524.ldif<br>[root@ipaclient09
 scripts-EXAMPLE-COM]#</span></div><div><br><span></span></div><div><span>And inside the db2ldif script, it is found that the code is already hard-coded to the user/group/netgroup LDAP backend, which breaks backup/restore for the PKI-IPA LDAP.</span></div><div><br><span></span></div><div><span>[root@ipaclient09 scripts-EXAMPLE-COM]# grep PKI /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif<br>[root@ipaclient09 scripts-EXAMPLE-COM]# grep EXAMPLE /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif<br>        echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-`date +%Y_%m_%d_%H%M%S`.ldif<br>        echo /var/lib/dirsrv/slapd-EXAMPLE-COM/ldif/EXAMPLE-COM-${be}-`date +%Y_%m_%d_%H%M%S`.ldif<br>./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM "$@"<br>./ns-slapd db2ldif -D /etc/dirsrv/slapd-EXAMPLE-COM -a $ldif_file "$@"<br>[root@ipaclient09
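<div><br></div><div>Editor's note, added to this archived thread: the script below is an added example, not code from David's message, from FreeIPA or from 389-ds. It generalizes the workaround David found (calling /usr/sbin/ns-slapd db2ldif with -D pointed at the instance directory) into one backup pass over every slapd-* instance on the host, discovering each instance's backends from its dse.ldif so that both userRoot in slapd-EXAMPLE-COM and ipaca in slapd-PKI-IPA are exported instead of only the instance the generated wrapper is hard-coded to. The paths /etc/dirsrv and /var/lib/dirsrv, the backend-entry layout in dse.ldif, and the dse.ldif fragments written by make_sample_config are assumptions or constructed data; the function names are the example's own. Like the non-.pl scripts Rich describes, this is an offline export, so run it only with the server stopped.</div>

```sh
#!/bin/sh
# Editor's added example for this archived thread; it is not code from the
# thread, from FreeIPA or from 389-ds. It exports every backend of every
# 389 Directory Server instance on the host by calling ns-slapd db2ldif
# directly, the invocation that worked for slapd-PKI-IPA above, instead of
# the wrapper in /var/lib/dirsrv/scripts-<INSTANCE>/, which is hard-coded to
# one instance and so never reaches the CA instance's "ipaca" backend.
#
# Assumptions (not stated in the thread): instance configs live in
# $DIRSRV_CONF/slapd-*/dse.ldif; each backend is an nsBackendInstance entry
# directly under "cn=ldbm database,cn=plugins,cn=config"; exports go to
# $DIRSRV_DATA/slapd-<NAME>/ldif/; paths contain no whitespace; and the
# offline db2ldif is only run while the directory server is stopped.

DIRSRV_CONF=${DIRSRV_CONF:-/etc/dirsrv}
DIRSRV_DATA=${DIRSRV_DATA:-/var/lib/dirsrv}
NS_SLAPD=${NS_SLAPD:-/usr/sbin/ns-slapd}
DRY_RUN=${DRY_RUN:-0}

# list_backends DSE_LDIF
# Print the cn of every backend entry (e.g. userRoot, ipaca), one per line.
# The current "dn:" is remembered and emitted only when the same entry
# carries "objectClass: nsBackendInstance", so the "cn=config,cn=ldbm
# database,..." and "cn=monitor,cn=<backend>,..." entries are skipped.
list_backends() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        /^$/    { dn = "" }
        tolower($0) == "objectclass: nsbackendinstance" {
            if (dn ~ /^cn=[^,]*,cn=ldbm database,cn=plugins,cn=config$/) {
                n = dn; sub(/^cn=/, "", n); sub(/,.*/, "", n); print n
            }
        }' "$1"
}

# db2ldif_cmd INSTANCE_DIR BACKEND OUTFILE
# Print the ns-slapd command line for one backend export, in the same form
# as the working slapd-PKI-IPA invocation shown in the thread.
db2ldif_cmd() {
    printf '%s db2ldif -D %s -a %s -n %s\n' "$NS_SLAPD" "$1" "$3" "$2"
}

# export_all_instances
# Walk every slapd-* instance and every backend it defines; print each
# planned command and, unless DRY_RUN=1, run it. Returns non-zero on the
# first failed export so a cron job notices.
export_all_instances() {
    stamp=$(date +%Y_%m_%d_%H%M%S)
    for inst in "$DIRSRV_CONF"/slapd-*; do
        [ -f "$inst/dse.ldif" ] || continue
        name=${inst##*/slapd-}
        outdir="$DIRSRV_DATA/slapd-$name/ldif"
        for be in $(list_backends "$inst/dse.ldif"); do
            out="$outdir/$name-$be-$stamp.ldif"
            db2ldif_cmd "$inst" "$be" "$out"
            [ "$DRY_RUN" = 1 ] && continue
            # ns-slapd drops to the instance's nsslapd-localuser before
            # writing (the thread's PKI-IPA export came out owned by
            # pkisrv), so $outdir must be writable by that user. The file
            # is created mode 0600; keep it that way, since the userRoot
            # export carries password hashes and Kerberos key material.
            "$NS_SLAPD" db2ldif -D "$inst" -a "$out" -n "$be" ||
                { echo "export of $name/$be failed" >&2; return 1; }
        done
    done
}

# make_sample_config BASEDIR
# Write two constructed dse.ldif fragments (not real IPA files) that mimic
# the user/group instance and the CA instance from the thread, so the
# backend discovery can be exercised with DRY_RUN=1 on any machine.
make_sample_config() {
    mkdir -p "$1/slapd-EXAMPLE-COM" "$1/slapd-PKI-IPA"
    cat > "$1/slapd-EXAMPLE-COM/dse.ldif" <<'EOF'
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: userRoot
nsslapd-suffix: dc=example,dc=com

dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: monitor
EOF
    cat > "$1/slapd-PKI-IPA/dse.ldif" <<'EOF'
dn: cn=ipaca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: ipaca
nsslapd-suffix: o=ipaca
EOF
}

# Usage:
#   ipactl stop; sh backup-dirsrv.sh --export; ipactl start   # real export
#   DRY_RUN=1 sh backup-dirsrv.sh --export                     # print only
if [ "${1:-}" = "--export" ]; then
    export_all_instances
fi
```

<div>Two points a practitioner will care about: the backends are read from each instance's dse.ldif rather than guessed, so a host with only the user/group instance, or with a renamed backend, still gets a complete export; and the exported LDIF files deserve the same handling as the database, because the userRoot dump contains userPassword hashes and the Kerberos keys of every principal, which is why the 0600 mode the thread's listing shows should be preserved when the files are copied off the box. For an online export with the server running, the db2ldif.pl wrapper Rich mentions is the tool; this example does not cover that path.</div>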
 scripts-EXAMPLE-COM]#</span></div><div><br><span></span></div><div>--David<br><span></span></div><div><br><span></span></div><div><span><br></span></div><div><span><br></span></div><div><span><br></span></div><div><br></div>  <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1">  <b><span style="font-weight:bold;">From:</span></b> David Copperfield <cao2dan@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Rich Megginson <rmeggins@redhat.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, April 30, 2012 6:01 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] Confused/lost at promoting a
 replica into a master<br> </font> </div> <br>
<div id="yiv422922142"><div><div style="color:#000;background-color:#fff;font-family:times new roman, new york, times, serif;font-size:12pt;"><div><span>Hi Rich and all,</span></div><div><br><span></span></div><div><span> the '-n ipaca' option doesn't work for the CA certificate LDAP backend.</span></div><div><br><span></span></div><div><span>[root@ipaslave scripts-PEGACLOUDS-COM]# pwd<br>/var/lib/dirsrv/scripts-PEGACLOUDS-COM</span></div><div><span>[root@ipaslave scripts-PEGACLOUDS-COM]# ls ../<br>scripts-PEGACLOUDS-COM  slapd-PEGACLOUDS-COM  slapd-PKI-IPA</span></div><div><span><br></span></div><div><span>[root@ipaslave scripts-PEGACLOUDS-COM]# ./db2ldif -n ipaca<br>Exported ldif file: /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-ipaca-2012_04_30_175927.ldif<br>...<br>[30/Apr/2012:17:59:27 -0700] - ERROR: Could not find backend 'ipaca'.<br>[root@ipaslave scripts-PEGACLOUDS-COM]#
 <br></span></div><div><br></div><div>--David<br><span></span></div><div><span><br></span></div><div><br></div>  <div style="font-family:times new roman, new york, times, serif;font-size:12pt;"> <div style="font-family:times new roman, new york, times, serif;font-size:12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1">  <b><span style="font-weight:bold;">From:</span></b> Rich Megginson <rmeggins@redhat.com><br> <b><span style="font-weight:bold;">To:</span></b> David Copperfield <cao2dan@yahoo.com> <br><b><span style="font-weight:bold;">Cc:</span></b> "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight:bold;">Sent:</span></b> Monday, April 30, 2012 5:38 PM<br> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] Confused/lost at promoting a replica into a master<br> </font> </div> <br>
<div id="yiv422922142">
  

    
  
  <div>
    On 04/30/2012 05:52 PM, David Copperfield wrote:
    <blockquote type="cite">
      <div style="color:rgb(0, 0, 0);background-color:rgb(255, 255,
        255);font-family:times new roman, new york, times, serif;font-size:12pt;">
        <div><span>Hi Rich and all,<br>
          </span></div>
        <div><span><br>
          </span></div>
        <div><span>Thank you a lot for pointing out the place of the
            scripts. <br>
          </span></div>
        <div><span><br>
          </span></div>
        <div><span>The scripts were found at the place specified and
            tried; they are working great in general, but there are
            still some places that need help:<br>
          </span></div>
        <div><br>
          <span></span></div>
        <div><span>1, there is no manual or help regarding the command
            options. Not sure where the normal usage could be looked up.</span></div>
        <div><br>
          <span></span></div>
        <div><span>[root@ipamaster scripts-PEGACLOUDS-COM]# man db2ldif</span><br>
          <span>No manual entry for db2ldif</span></div>
        <div><br>
          <span>[root@ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif
            --help</span><br>
          <span>Usage: db2ldif {-n backend_instance}* | {-s
            includesuffix}*</span><br>
          <span>               [{-x excludesuffix}*] [-a outputfile]</span><br>
          <span>               [-N] [-r] [-C] [-u] [-U] [-m] [-M] [-1]</span><br>
          <span>Note: either "-n backend_instance" or "-s includesuffix"
            is required.</span><br>
          <span>[root@ipamaster scripts-PEGACLOUDS-COM]# </span><br>
        </div>
      </div>
    </blockquote>
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Command_Line_Scripts.html<br>
    <br>
    In general - you can use the .pl scripts when the server is running,
    the non-.pl scripts when the server is down.  So, use ldif2db.pl to
    do an online import.<br>
    <br>
    Also, with ipa, you can use -n userRoot or -n ipaca depending on if
    this is the ipa instance or the CA instance.<br>
    <blockquote type="cite">
      <div style="color:rgb(0, 0, 0);background-color:rgb(255, 255,
        255);font-family:times new roman, new york, times, serif;font-size:12pt;">
        <div><span></span><span><br>
          </span></div>
        <div><span>2, what is the 'official' way to increase file
            descriptors for IPA & 389 Directory Server?</span></div>
        <div><br>
          <span></span></div>
        <div><span>[root@ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif -s
            'dc=pegaclouds,dc=com'</span></div>
        <div><span>Exported ldif file:
/var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_164542.ldif<br>
            [30/Apr/2012:16:45:42 -0700] -
            /etc/dirsrv/slapd-PEGACLOUDS-COM/dse.ldif:
            nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid
            value "8192", maximum file descriptors must range from 1 to
            1024 (the current process limit).  Server will use a setting
            of 1024.<br>
            [30/Apr/2012:16:45:42 -0700] - Config Warning: -
            nsslapd-maxdescriptors: invalid value "8192", maximum file
            descriptors must range from 1 to 1024 (the current process
            limit).  Server will use a setting of 1024.<br>
            ...<br>
          </span></div>
      </div>
    </blockquote>
    <br>
    db2ldif doesn't use file descriptors in the same way as the server
    does when it is using them to listen and service incoming
    connections - just ignore that message<br>
    <br>
    <blockquote type="cite">
      <div style="color:rgb(0, 0, 0);background-color:rgb(255, 255,
        255);font-family:times new roman, new york, times, serif;font-size:12pt;">
        <div><span><br>
          </span></div>
        <div>3, the ldif2db command will abort when IPA (Directory
          Server) is running. <br>
        </div>
        <div><br>
        </div>
        <div> I have to stop IPA first, then run ldif2db, and fire up IPA
          at the end. It may not be a bad thing, to avoid potential
          database corruption. But please confirm whether this is a feature
          or a bug.<br>
          <span></span></div>
        <div><br>
          <span></span></div>
        <div><span>[root@ipamaster scripts-PEGACLOUDS-COM]# ./ldif2db -s
            'dc=pegaclouds,dc=com' -i
            /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_163506.ldif
            <br>
            importing data ...<br>
            ...<br>
            [30/Apr/2012:16:50:00 -0700] - Backend Instance: userRoot<br>
            [30/Apr/2012:16:50:00 -0700] - Unable to import the database
            because it is being used by another slapd process.<br>
            [30/Apr/2012:16:50:00 -0700] - Shutting down due to possible
            conflicts with other slapd processes<br>
          </span></div>
      </div>
    </blockquote>
    <br>
    Use ldif2db.pl<br>
    <br>
    <blockquote type="cite">
      <div style="color:#000;background-color:#fff;font-family:times new roman, new york, times, serif;font-size:12pt;">
        <div><br>
        </div>
        <div>Thanks.</div>
        <div><br>
        </div>
        <div>--David<br>
          <span></span></div>
        <div><span></span></div>
        <div><br>
        </div>
        <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
          <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
            <div dir="ltr"> <font face="Arial" size="2">
                <hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                Rich Megginson <a rel="nofollow" class="yiv422922142moz-txt-link-rfc2396E" ymailto="mailto:rmeggins@redhat.com" target="_blank" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
                <b><span style="font-weight:bold;">To:</span></b> David
                Copperfield <a rel="nofollow" class="yiv422922142moz-txt-link-rfc2396E" ymailto="mailto:cao2dan@yahoo.com" target="_blank" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
                <b><span style="font-weight:bold;">Cc:</span></b> E
                Deon Lackey <a rel="nofollow" class="yiv422922142moz-txt-link-rfc2396E" ymailto="mailto:dlackey@redhat.com" target="_blank" href="mailto:dlackey@redhat.com"><dlackey@redhat.com></a>;
                <a rel="nofollow" class="yiv422922142moz-txt-link-rfc2396E" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                <a rel="nofollow" class="yiv422922142moz-txt-link-rfc2396E" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a> <br>
                <b><span style="font-weight:bold;">Sent:</span></b>
                Monday, April 30, 2012 4:23 PM<br>
                <b><span style="font-weight:bold;">Subject:</span></b>
                Re: [Freeipa-users] Confused/lost at promoting a replica
                into a master<br>
              </font> </div>
            <br>
            <div id="yiv422922142">
              <div> On 04/30/2012 04:58 PM, David Copperfield wrote:
                <blockquote type="cite">
                  <div style="color:rgb(0, 0,
                    0);background-color:rgb(255, 255,
                    255);font-family:times new roman, new york, times, serif;font-size:12pt;">Hi,<br>
                    <br>
                    ><br>
                    <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
                      <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
                        <div id="yiv422922142">
                          <div> > Currently, there is no disaster
                            recovery or backup information. There are a
                            couple of RFEs open to develop this
                            information. My understanding (and this is
                            something that <br>
                            > Dmitri or one of the engineers can
                            explain better) is that the best thing to do
                            is to back up the DS instances using db2ldif
                            and then spin up a new server/replica
                            instance and <br>
                            > import the backed up data using
                            ldif2db.<br>
                            <br>
                            Thanks for pointing out a way to do partial
                            backup/restore.<br>
                            <br>
                            But the command db2ldif, or its sibling
                            command ldif2db, cannot be located on the IPA
                            master/replica.</div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
                look in /var/lib/dirsrv/scripts-YOURDOMAIN-YOURTLD<br>
                <br>
                <blockquote type="cite">
                  <div style="color:#000;background-color:#fff;font-family:times new roman, new york, times, serif;font-size:12pt;">
                    <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
                      <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
                        <div id="yiv422922142">
                          <div>The IPA servers only install the 389-ds-base
                            and 389-ds-base-libs RPMs, and the two
                            commands don't show up anywhere. <br>
                            <br>
                            Could anyone elaborate on how to use the two
                            template commands, or please point me to the
                            document or http link(s); that is enough. Thanks a
                            lot.<br>
                            <br>
                            <div style="margin-left:40px;">[root@ipamaster

                              script-templates]# rpm -qa | grep 389<br>
                              389-ds-base-1.2.9.14-1.el6_2.2.x86_64<br>
                              389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64<br>
                              <br>
                              [root@ipamaster script-templates]# rpm -ql
                              389-ds-base 389-ds-base-libs | grep -P
                              'db2ldif|ldif2db'<br>
/usr/share/dirsrv/script-templates/template-db2ldif<br>
/usr/share/dirsrv/script-templates/template-db2ldif.pl<br>
/usr/share/dirsrv/script-templates/template-ldif2db<br>
/usr/share/dirsrv/script-templates/template-ldif2db.pl<br>
                              [root@ipamaster script-templates]# <br>
                            </div>
                            <br>
                            --David<br>
                            <br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                  <br>
                  <fieldset class="yiv422922142mimeAttachmentHeader"></fieldset>
                  <br>
                  <pre>_______________________________________________
Freeipa-users mailing list
<a rel="nofollow" class="yiv422922142moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a rel="nofollow" class="yiv422922142moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                </blockquote>
                <br>
              </div>
            </div>
            <br>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

</div><br><br> </div> </div>  </div></div></div><br><br> </div> </div>  </div></body></html>