<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 05/10/2012 07:54 PM, David Copperfield wrote:
    <blockquote
      cite="mid:1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com"
      type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
        255); font-family: times new roman,new york,times,serif;
        font-size: 12pt;">
        <div><span>OK,</span></div>
        <div><span><br>
          </span></div>
        <div><span> that means the steps below:</span></div>
        <div><span><br>
          </span></div>
        <div>1) on IPA replica, let's create 4 IPA users: A, B, C and D.
           Now make a backup with 'db2ldif.pl -r ...'</div>
        <div><br>
        </div>
        <div>2) on IPA replica, delete the user D. 'ipa user-del D'.</div>
        <div><br>
        </div>
        <div>3) on IPA master, delete the user C. 'ipa user-del C'.</div>
        <div><br>
        </div>
        <div>4) now check on the other IPA master and the IPA replica, both
          show only two users 'A' and 'B'. This is expected.</div>
        <div><br>
        </div>
        <div>5) now on IPA replica, restore the backup with 'ldif2db.pl'</div>
        <div><br>
        </div>
        <div>6) check on IPA replica immediately, 'ipa user-find' shows
          4 users 'A, B, C, D' at the beginning.</div>
        <div><br>
        </div>
        <div>7) check IPA Master, 'ipa user-find' still shows only two
          users 'A, B'.</div>
        <div><br>
        </div>
        <div>8) wait 3 minutes or so, check on IPA replica, and find
          that there are only THREE users 'A, B, D'. The user 'C' is
          deleted now -- the change propagated from IPA Master.</div>
        <div><br>
        </div>
        <div>9) check on IPA Master again and again, there are still
          only two users 'A, B'.</div>
        <div><br>
        </div>
        <div>10) check on IPA Replica again and again, there are still
          three users 'A, B, D'. --- this status is different from IPA
          Master's 'A, B', or the backup's 'A, B, C, D'.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>If the backup was created without the '-r' option, then step 8
          above will always show 'A, B, C, D', the same as the backup. With
          the '-r' option the final result ends up in between.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Hope I have explained it clearly. Please advise on something
          like ipa2ldif.pl and ldif2ipa.pl tools. They are really the
          key useful feature for a serious production IPA deployment,
          which is definitely of much higher priority than dogtag.</div>
      </div>
    </blockquote>
    <br>
    Sounds like a bug.  What should happen is that the deletion of C and
    D should be propagated to the replica.<br>
    <br>
    <blockquote
      cite="mid:1336701274.12311.YahooMailNeo@web125702.mail.ne1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff; font-family:times
        new roman, new york, times, serif;font-size:12pt">
        <div><br>
        </div>
        <div>Thanks a lot.</div>
        <div><br>
        </div>
        <div>--David</div>
        <div><br>
        </div>
        <div style="font-size: 12pt; font-family: 'times new roman',
          'new york', times, serif; ">
          <div style="font-size: 12pt; font-family: 'times new roman',
            'new york', times, serif; ">
            <div dir="ltr"> <font face="Arial" size="2">
                <hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
                <b><span style="font-weight: bold;">To:</span></b> David
                Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
                <b><span style="font-weight: bold;">Cc:</span></b> E
                Deon Lackey <a class="moz-txt-link-rfc2396E" href="mailto:dlackey@redhat.com"><dlackey@redhat.com></a>; Petr Spacek
                <a class="moz-txt-link-rfc2396E" href="mailto:pspacek@redhat.com"><pspacek@redhat.com></a>; Rob Crittenden
                <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>; <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a> <br>
                <b><span style="font-weight: bold;">Sent:</span></b>
                Thursday, May 10, 2012 6:37 PM<br>
                <b><span style="font-weight: bold;">Subject:</span></b>
                Re: [Freeipa-users] backup/restore IPA servers with
                db2ldap.pl, ldap2db.pl ???<br>
              </font> </div>
            <br>
            <div id="yiv873795328">
              <div> On 05/10/2012 07:32 PM, David Copperfield wrote:
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color:
                    rgb(255, 255, 255); font-size: 12pt; font-family:
                    'times new roman', 'new york', times, serif; ">
                    <div><span>Hi Rich and all,</span></div>
                    <div><span><br>
                      </span></div>
                    <div><span>the '-r' option to db2ldif.pl doesn't
                        work either; it makes little difference. </span></div>
                    <div><span><br>
                      </span></div>
                    <div><span>My backup and restore commands
                        on the IPA replica are:</span></div>
                    <div><span><br>
                      </span></div>
                    <div>db2ldif.pl -D 'cn=Directory Manager' -w - -r -s
                      'dc=example,dc=com'</div>
                    <div><br>
                    </div>
                    <div>ldif2db.pl -D
                      'cn=Directory Manager' -w - -i
                      <the_backup_file_in_LDIF_format></div>
                    <div><br>
                    </div>
                    <div>The only difference is: after the IPA master
                      restart (the restart happens after the IPA replica's
                      restore operation), the changes -- which were applied
                      on the IPA master before the backup -- are propagated
                      to the IPA replica. Which in fact makes the
                      restoration test end up with a result completely
                      unusable on the IPA replica, a result that is
                      different from the backup, and different from the IPA
                      master. <br>
                    </div>
                  </div>
                </blockquote>
                <br>
                I don't quite understand what you mean.<br>
                <br>
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color:
                    rgb(255, 255, 255); font-size: 12pt; font-family:
                    'times new roman', 'new york', times, serif; ">
                    <div><br>
                    </div>
                    <div>Please let me know if there are any other
                      options/steps to follow. Thanks.</div>
                  </div>
                </blockquote>
                <br>
                Not sure what else to try.<br>
                <br>
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color:
                    rgb(255, 255, 255); font-size: 12pt; font-family:
                    'times new roman', 'new york', times, serif; ">
                    <div><br>
                    </div>
                    <div>--David</div>
                    <div><br>
                    </div>
                    <div style="font-size: 12pt; font-family: times,
                      serif; ">
                      <div style="font-size: 12pt; font-family: times,
                        serif; ">
                        <div dir="ltr"> <font face="Arial" size="2">
                            <hr size="1"> <b><span
                                style="font-weight:bold;">From:</span></b>
                            Rich Megginson <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv873795328moz-txt-link-rfc2396E"
                              ymailto="mailto:rmeggins@redhat.com"
                              target="_blank"
                              href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
                            <b><span style="font-weight:bold;">To:</span></b>
                            David Copperfield <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv873795328moz-txt-link-rfc2396E"
                              ymailto="mailto:cao2dan@yahoo.com"
                              target="_blank"
                              href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a>
                            <br>
                            <b><span style="font-weight:bold;">Cc:</span></b>
                            <a moz-do-not-send="true" rel="nofollow"
                              class="yiv873795328moz-txt-link-rfc2396E"
                              ymailto="mailto:freeipa-users@redhat.com"
                              target="_blank"
                              href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                            <a moz-do-not-send="true" rel="nofollow"
                              class="yiv873795328moz-txt-link-rfc2396E"
                              ymailto="mailto:freeipa-users@redhat.com"
                              target="_blank"
                              href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>;
                            Rob Crittenden <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv873795328moz-txt-link-rfc2396E"
                              ymailto="mailto:rcritten@redhat.com"
                              target="_blank"
                              href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>;
                            Petr Spacek <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv873795328moz-txt-link-rfc2396E"
                              ymailto="mailto:pspacek@redhat.com"
                              target="_blank"
                              href="mailto:pspacek@redhat.com"><pspacek@redhat.com></a>
                            <br>
                            <b><span style="font-weight:bold;">Sent:</span></b>
                            Thursday, May 10, 2012 5:28 PM<br>
                            <b><span style="font-weight:bold;">Subject:</span></b>
                            Re: [Freeipa-users] backup/restore IPA
                            servers with <a moz-do-not-send="true"
                              target="_blank" href="http://db2ldap.pl">db2ldap.pl</a>,
                            <a moz-do-not-send="true" target="_blank"
                              href="http://ldap2db.pl">ldap2db.pl</a>
                            ???<br>
                          </font> </div>
                        <br>
                        <div id="yiv873795328">
                          <div> On 05/10/2012 04:37 PM, David
                            Copperfield wrote:
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0);
                                background-color: rgb(255, 255, 255);
                                font-size: 12pt; font-family: times,
                                serif; ">
                                <div><span>Hi Rich and all,</span></div>
                                <div><span><br>
                                  </span></div>
                                 <div><span>Thanks for the correction. They
                                     are the db2ldif.pl and ldif2db.pl
                                     scripts, which are originally for
                                     389 Directory Server's backup and
                                     restore purposes. </span></div>
                                <div><span><br>
                                  </span></div>
                                 <div><span>There are no IPA tools for
                                     IPA system backup and restore. </span>Is
                                   there a plan to develop tools like
                                   ipa2ldif.pl and ldif2ipa.pl soon? Or,
                                   at least, is it on the IPA roadmap?</div>
                                <div><br>
                                </div>
                                <div>For the second question: I use the
                                  simple way: ipa
                                  user-add/user-delete/user-find to see
                                  whether data is propagated. My testing
                                  steps are like this:</div>
                                <div><br>
                                </div>
                                <div> 1, run 'ipa user-add testuser' on
                                  IPA replica, check it on IPA master
                                  with 'ipa user-find testuser' and it
                                  is found in a few seconds -- not 5
                                  minutes.</div>
                                <div><br>
                                </div>
                                 <div> 2, run 'db2ldif.pl' on IPA replica
                                   to save a backup.</div>
                                <div><br>
                                </div>
                                 <div> 3, run 'ipa user-del testuser' on
                                   IPA replica, then 'ipa user-find' on
                                   IPA replica, and it shows that the
                                   user is deleted.</div>
                                <div><br>
                                </div>
                                 <div> 4, double check 'ipa user-find
                                   testuser' on IPA master, and it is
                                   found deleted, which is as expected,
                                   and it is propagated in just a few
                                   seconds.</div>
                                <div><br>
                                </div>
                                <div> 5, run 'ldif2db.pl' on the same
                                  IPA replica where the backup was
                                  created.</div>
                                <div><br>
                                </div>
                                <div> 6, run 'ipa user-find testuser' on
                                  IPA replica and it is found that the
                                  user testuser is alive again.</div>
                                 <div><br>
                                 </div>
                                 <div> 7, run 'ipa user-find testuser' on
                                   IPA master. 1/3 of the time we can find it
                                   -- and in just a few seconds. The other
                                   2/3 of the time it could not be found even
                                   after HALF AN HOUR.</div>
                                <div><br>
                                </div>
                                 <div>Please run a quick duplicate test
                                   at your side and advise what normal
                                   users should do, because a reliable
                                   backup/restore solution is definitely
                                   one of the key criteria. Thanks a lot.</div>
                                <div><br>
                                </div>
                              </div>
                            </blockquote>
                            <br>
                            Ok, I see.  The problem is that a regular
                            db2ldif[.pl] does not save the replication
                            meta-data.  You must use the -r option to
                            generate an ldif file with the replication
                            meta-data.  ldif2db[.pl] is destructive - it
                            wipes out your database completely and
                            replaces it, wiping out any replication
                            meta-data in the process.  If you
                            ldif2db[.pl] a file exported with
                            db2ldif[.pl] -r, it will replace the
                            replication meta-data too.<br>
                            <br>
                            See
<a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line</a><br>
                            <br>
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0);
                                background-color: rgb(255, 255, 255);
                                font-size: 12pt; font-family: times,
                                serif; ">
                                <div>--David</div>
                                <div> </div>
                                <div style="font-size: 12pt;
                                  font-family: times, serif; ">
                                  <div style="font-size: 12pt;
                                    font-family: times, serif; ">
                                    <div dir="ltr"> <font face="Arial"
                                        size="2">
                                        <hr size="1"> <b><span
                                            style="font-weight:bold;">From:</span></b>
                                        Rich Megginson <a
                                          moz-do-not-send="true"
                                          rel="nofollow"
                                          class="yiv873795328moz-txt-link-rfc2396E"
ymailto="mailto:rmeggins@redhat.com" target="_blank"
                                          href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a><br>
                                        <b><span
                                            style="font-weight:bold;">To:</span></b>
                                        David Copperfield <a
                                          moz-do-not-send="true"
                                          rel="nofollow"
                                          class="yiv873795328moz-txt-link-rfc2396E"
ymailto="mailto:cao2dan@yahoo.com" target="_blank"
                                          href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a>
                                        <br>
                                        <b><span
                                            style="font-weight:bold;">Cc:</span></b>
                                        <a moz-do-not-send="true"
                                          rel="nofollow"
                                          class="yiv873795328moz-txt-link-rfc2396E"
ymailto="mailto:freeipa-users@redhat.com" target="_blank"
                                          href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                                        <a moz-do-not-send="true"
                                          rel="nofollow"
                                          class="yiv873795328moz-txt-link-rfc2396E"
ymailto="mailto:freeipa-users@redhat.com" target="_blank"
                                          href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>;
                                        Rob Crittenden <a
                                          moz-do-not-send="true"
                                          rel="nofollow"
                                          class="yiv873795328moz-txt-link-rfc2396E"
ymailto="mailto:rcritten@redhat.com" target="_blank"
                                          href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>;
                                        Petr Spacek <a
                                          moz-do-not-send="true"
                                          rel="nofollow"
                                          class="yiv873795328moz-txt-link-rfc2396E"
ymailto="mailto:pspacek@redhat.com" target="_blank"
                                          href="mailto:pspacek@redhat.com"><pspacek@redhat.com></a>
                                        <br>
                                        <b><span
                                            style="font-weight:bold;">Sent:</span></b>
                                        Thursday, May 10, 2012 3:19 PM<br>
                                        <b><span
                                            style="font-weight:bold;">Subject:</span></b>
                                        Re: [Freeipa-users]
                                        backup/restore IPA servers with
                                        <a moz-do-not-send="true"
                                          rel="nofollow" target="_blank"
                                          href="http://db2ldap.pl">db2ldap.pl</a>,
                                        <a moz-do-not-send="true"
                                          rel="nofollow" target="_blank"
                                          href="http://ldap2db.pl">ldap2db.pl</a>
                                        ???<br>
                                      </font> </div>
                                    <br>
                                    <div id="yiv873795328">
                                      <div> On 05/10/2012 03:57 PM,
                                        David Copperfield wrote:
                                        <blockquote type="cite">
                                          <div style="color: rgb(0, 0,
                                            0); background-color:
                                            rgb(255, 255, 255);
                                            font-size: 12pt;
                                            font-family: times, serif; ">
                                            <div>Hi Rob, Petr and all,</div>
                                            <div><br>
                                            </div>
                                             <div>Because of recent
                                               crashes of my IPA master
                                               and IPA replica servers,
                                               I'm thinking of methods to
                                               backup/restore IPA user
                                               data: users, groups, host
                                               and server certificates
                                               etc.  </div>
                                             <div><br>
                                             </div>
                                             <div>It's said that the only
                                               official way is to create
                                               an extra IPA replica and
                                               backup/snapshot that
                                               replica all the way. But
                                               there is still a big
                                               chance that some mistakes
                                               propagate to the whole
                                               IPA domain/realm before
                                               the IPA administrator finds
                                               them, and data gets lost
                                               forever and some may not
                                               even be recoverable.</div>
                                             <div><br>
                                             </div>
                                             <div>What I think is: because
                                               both Dogtag and IPA store
                                               data in separate backend 389
                                               directory servers, I could
                                               first freeze changes on one
                                               IPA replica for a few
                                               minutes, then run db2ldap.pl
                                               for both 389 LDAP
                                               backends, then un-freeze
                                               the IPA replica to get it
                                               synced from the master.</div>
                                             <div><br>
                                             </div>
                                             <div> When data needs to be
                                               restored because of
                                               disasters, the backup
                                               files (in LDIF format --
                                               easy to read) can be
                                               restored to the two 389
                                               LDAP backends on the IPA
                                               replica with the command
                                               ldap2db.pl during the
                                               freezing period.</div>
                                          </div>
                                        </blockquote>
                                        <br>
                                         It's ldif2db.pl / db2ldif.pl,
                                         not ldap.<br>
                                        <br>
                                        <blockquote type="cite">
                                          <div style="color: rgb(0, 0,
                                            0); background-color:
                                            rgb(255, 255, 255);
                                            font-size: 12pt;
                                            font-family: times, serif; ">
                                            <div><br>
                                            </div>
                                             <div> Has anyone tried this
                                               solution yet? Are there any
                                               limitations?</div>
                                            <div><br>
                                            </div>
                                             <div>My experience showed
                                               that the IPA replica did
                                               get the data restored
                                               successfully (no dogtag is
                                               involved, so only one LDAP
                                               backend is
                                               saved/restored). But the
                                               IPA master sometimes
                                               didn't get the data synced
                                               from the IPA replica (1/3 of
                                               the time it is synced, 2/3 of
                                               the time it needs the manual
                                               command 'ipa-replica-manage
                                               force-sync --from
                                               <ipaReplicaServer>').</div>
                                          </div>
                                        </blockquote>
                                        <br>
                                        How did you verify that the data
                                        was synced?  Note that if a
                                        server has been down for a
                                        while, it will take the supplier
                                        up to 5 minutes to recognize
                                        that the consumer is up again,
                                        without force sync.<br>
                                        <br>
                                        <blockquote type="cite">
                                          <div style="color: rgb(0, 0,
                                            0); background-color:
                                            rgb(255, 255, 255);
                                            font-size: 12pt;
                                            font-family: times, serif; ">
                                            <div><br>
                                            </div>
                                             <div>Please shed some light on
                                               this area, as
                                               backup/restore of the IPA
                                               master/replica is not even
                                               mentioned in the IPA
                                               documentation at all. </div>
                                            <div><br>
                                            </div>
                                            <div>Thanks a lot.</div>
                                            <div><br>
                                            </div>
                                            <div>--David</div>
                                            <div><br>
                                            </div>
                                          </div>
                                          <br>
                                          <fieldset
                                            class="yiv873795328mimeAttachmentHeader"></fieldset>
                                          <br>
                                          <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" rel="nofollow" class="yiv873795328moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" rel="nofollow" class="yiv873795328moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                                        </blockquote>
                                        <br>
                                      </div>
                                    </div>
                                    <br>
                                    <br>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                        <br>
                        <br>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
            </div>
            <br>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
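    A check in the spirit of Rich's point about <code>db2ldif -r</code>: this added Python example (not code from the thread, from FreeIPA or from 389 Directory Server) parses an LDIF export and reports whether it carries the replication metadata a plain export lacks, namely CSN-tagged attribute subtypes, tombstones and the RUV entry under <code>nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff</code>. The two sample exports embedded in it (hostnames, replica IDs and CSN values included) are constructed.<br>

```python
"""Check whether an LDIF export of an IPA/389-DS replica carries replication
metadata. Added example, not code from the thread; both LDIF samples below are
constructed (one mimicking 'db2ldif.pl -r', the other a plain export)."""
import re

# RDN of the replica update vector (RUV) entry that 'db2ldif -r' exports
RUV_RDN = "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff"
# change sequence number (CSN) subtypes that -r attaches to attribute names
CSN_SUBTYPE = re.compile(r";(?:vucsn|vdcsn|adcsn|mdcsn)-[0-9a-f]+", re.I)
RUV_REPLICA = re.compile(r"\{replica (\d+)(?: (ldap://[^}]+))?\}")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Small LDIF reader: unfolds continuation lines, skips comments and the
    version line, returns one {attribute: [values]} dict per entry."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 folded line
        else:
            unfolded.append(line)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded + [""]:            # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith(("#", "version:")):
            continue
        name, sep, value = line.partition(":")
        if sep:                               # keep 'attr: value' lines only
            current.setdefault(name, []).append(value.strip())
    return entries


def base_name(attr: str) -> str:
    """'objectClass;vucsn-4fac...' -> 'objectclass'."""
    return attr.split(";", 1)[0].lower()


def assess_export(text: str) -> dict:
    """Summarise the replication state in an export. No RUV entry and no CSN
    subtypes means a plain db2ldif run; restoring it with ldif2db replaces the
    database and with it the replica's replication metadata."""
    replicas: dict[int, str] = {}
    entries, has_ruv, csn_tagged, tombstones = parse_ldif(text), False, 0, 0
    for e in entries:
        csn_tagged += sum(1 for a in e if CSN_SUBTYPE.search(a))
        classes = {v.lower() for a, vals in e.items()
                   if base_name(a) == "objectclass" for v in vals}
        if e.get("dn", [""])[0].lower().startswith(RUV_RDN):
            has_ruv = True
            for a, vals in e.items():
                if base_name(a) == "nsds50ruv":
                    for m in filter(None, map(RUV_REPLICA.match, vals)):
                        replicas[int(m.group(1))] = m.group(2) or ""
        elif "nstombstone" in classes:
            tombstones += 1                   # deleted entry kept for replication
    return {
        "entries": len(entries),
        "has_ruv": has_ruv,
        "replica_ids": sorted(replicas),
        "csn_tagged_attributes": csn_tagged,
        "tombstones": tombstones,
        "has_replication_metadata": has_ruv and csn_tagged > 0,
    }


# Constructed sample: abridged 'db2ldif.pl -r -s dc=example,dc=com' output
REPLICATED_EXPORT = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass;vucsn-4fac1b73000000040000: person
uid;vucsn-4fac1b73000000040000: alice
cn;vucsn-4fac1b73000000040000: Alice Example

dn: nsuniqueid=6e2f7a02-9a4f11e1-9c3bd9b7-1f0e2d11,uid=dave,cn=users,
 cn=accounts,dc=example,dc=com
objectClass;vucsn-4fac1b80000000040000: top
objectClass;vucsn-4fac1c0a000000040000: nsTombstone
uid;vucsn-4fac1b80000000040000: dave

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
nsds50ruv: {replicageneration} 4fac1b6e000000040000
nsds50ruv: {replica 4 ldap://ipa-master.example.com:389} 4fac1b73000000040000
  4fac1c0e000000040000
nsds50ruv: {replica 5 ldap://ipa-replica.example.com:389} 4fac1b9a000000050000 4fac1bff000000050000
"""

# Constructed sample: the same user from a plain 'db2ldif.pl' run (no -r)
PLAIN_EXPORT = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: alice
cn: Alice Example
"""
```

Run <code>assess_export</code> over a real export before feeding it to <code>ldif2db.pl</code>; a file with <code>has_replication_metadata</code> false is the case Rich describes, where the restore wipes the replica's replication state.<br>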
  </body>
</html>