<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 05/10/2012 07:32 PM, David Copperfield wrote:
    <blockquote
      cite="mid:1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com"
      type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
        255); font-family: times new roman,new york,times,serif;
        font-size: 12pt;">
        <div><span>Hi Rich and all,</span></div>
        <div><span><br>
          </span></div>
        <div><span>The '-r' option to db2ldif.pl doesn't work either;
            it makes little difference. </span></div>
        <div><span><br>
          </span></div>
        <div><span>My backup and restore commands on the IPA
            replica are:</span></div>
        <div><span><br>
          </span></div>
        <div>db2ldif.pl -D 'cn=Directory Manager' -w - -r -s
          'dc=example,dc=com'</div>
        <div><br>
        </div>
        <div>ldif2db.pl -D 'cn=Directory Manager' -w - -i
          &lt;the_backup_file_in_LDIF_format&gt;</div>
        <div><br>
        </div>
        <div>The only difference is: after the IPA master restart (the
          restart happens after the IPA replica's restore operation), the
          changes -- which were applied on the IPA master before the
          backup -- are propagated to the IPA replica. This, in fact,
          makes the restoration test end up with a result that is
          completely unusable on the IPA replica, a result that is
          different from the backup and different from the IPA master.
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    I don't quite understand what you mean.<br>
    <br>
    <blockquote
      cite="mid:1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com"
      type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
        255); font-family: times new roman,new york,times,serif;
        font-size: 12pt;">
        <div><br>
        </div>
        <div>Please let me know if there are any other options/steps to
          follow. Thanks.</div>
      </div>
    </blockquote>
    <br>
    Not sure what else to try.<br>
    <br>
    <blockquote
      cite="mid:1336699945.99548.YahooMailNeo@web125706.mail.ne1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff; font-family:times
        new roman, new york, times, serif;font-size:12pt">
        <div><br>
        </div>
        <div>--David</div>
        <div style="font-size: 12pt; font-family: 'times new roman',
          'new york', times, serif; ">
          <div style="font-size: 12pt; font-family: 'times new roman',
            'new york', times, serif; ">
            <div dir="ltr"> <font face="Arial" size="2">
                <hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a><br>
                <b><span style="font-weight: bold;">To:</span></b> David
                Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com">&lt;cao2dan@yahoo.com&gt;</a> <br>
                <b><span style="font-weight: bold;">Cc:</span></b>
                <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">&lt;freeipa-users@redhat.com&gt;</a>; Rob Crittenden
                <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com">&lt;rcritten@redhat.com&gt;</a>; Petr Spacek
                <a class="moz-txt-link-rfc2396E" href="mailto:pspacek@redhat.com">&lt;pspacek@redhat.com&gt;</a> <br>
                <b><span style="font-weight: bold;">Sent:</span></b>
                Thursday, May 10, 2012 5:28 PM<br>
                <b><span style="font-weight: bold;">Subject:</span></b>
                Re: [Freeipa-users] backup/restore IPA servers with
                db2ldap.pl, ldap2db.pl ???<br>
              </font> </div>
            <br>
            <div id="yiv1370901838">
              <div> On 05/10/2012 04:37 PM, David Copperfield wrote:
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color:
                    rgb(255, 255, 255); font-size: 12pt; font-family:
                    'times new roman', 'new york', times, serif; ">
                    <div><span>Hi Rich and all,</span></div>
                    <div><span><br>
                      </span></div>
                    <div><span>Thanks for the correction. They are the
                        db2ldif.pl and ldif2db.pl
                        scripts, which are originally for 389 Directory
                        Servers' backup and restore purposes. </span></div>
                    <div><span><br>
                      </span></div>
                    <div><span>There are no IPA tools for IPA system
                        backup and restore. </span>Is there a plan to
                      develop tools like ipa2ldif.pl
                      and ldif2ipa.pl soon?
                      Or, at least, is it on the IPA roadmap?</div>
                    <div><br>
                    </div>
                    <div>For the second question: I use the simple way:
                      ipa user-add/user-delete/user-find to see whether
                      data is propagated. My testing steps are like
                      this:</div>
                    <div><br>
                    </div>
                    <div> 1, run 'ipa user-add testuser' on IPA replica,
                      check it on IPA master with 'ipa user-find
                      testuser' and it is found in a few seconds -- not
                      5 minutes.</div>
                    <div><br>
                    </div>
                    <div> 2, run 'db2ldif.pl' on IPA replica to save a
                      backup.</div>
                    <div><br>
                    </div>
                    <div> 3, run 'ipa user-del testuser' on IPA replica,
                      then 'ipa user-find' on IPA replica, and  it shows
                      that the user is deleted.</div>
                    <div><br>
                    </div>
                    <div> 4, double check 'ipa user-find testuser' on
                      IPA master, and it is found deleted, which is as
                      expected and it is propagated in just a few
                      seconds.</div>
                    <div><br>
                    </div>
                    <div> 5, run 'ldif2db.pl' on the same IPA replica
                      where the backup was created.</div>
                    <div><br>
                    </div>
                    <div> 6, run 'ipa user-find testuser' on IPA replica
                      and it is found that the user testuser is alive
                      again.</div>
                    <div><br>
                       7, run 'ipa user-find testuser' on IPA master.
                      1/3 times we can find it -- and in just a few
                      seconds. other 2/3 times it could not be found
                      even after HALF HOUR.</div>
                    <div><br>
                    </div>
                    <div>Please run a quick duplicate test on your
                      side and advise what normal users should do,
                      because a reliable backup/restore solution is
                      definitely one of the key criteria. Thanks a lot.</div>
                    <div><br>
                    </div>
                  </div>
                </blockquote>
                <br>
                Ok, I see.  The problem is that a regular db2ldif[.pl]
                does not save the replication meta-data.  You must use
                the -r option to generate an ldif file with the
                replication meta-data.  ldif2db[.pl] is destructive - it
                wipes out your database completely and replaces it,
                wiping out any replication meta-data in the process.  If
                you ldif2db[.pl] a file exported with db2ldif[.pl] -r,
                it will replace the replication meta-data too.<br>
                <br>
                See
<a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line</a><br>
                <br>
                <blockquote type="cite">
                  <div style="color: rgb(0, 0, 0); background-color:
                    rgb(255, 255, 255); font-size: 12pt; font-family:
                    'times new roman', 'new york', times, serif; ">
                    <div>--David</div>
                    <div style="font-size: 12pt; font-family: times,
                      serif; ">
                      <div style="font-size: 12pt; font-family: times,
                        serif; ">
                        <div dir="ltr"> <font face="Arial" size="2">
                            <hr size="1"> <b><span
                                style="font-weight:bold;">From:</span></b>
                            Rich Megginson <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv1370901838moz-txt-link-rfc2396E"
                              ymailto="mailto:rmeggins@redhat.com"
                              target="_blank"
                              href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a><br>
                            <b><span style="font-weight:bold;">To:</span></b>
                            David Copperfield <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv1370901838moz-txt-link-rfc2396E"
                              ymailto="mailto:cao2dan@yahoo.com"
                              target="_blank"
                              href="mailto:cao2dan@yahoo.com">&lt;cao2dan@yahoo.com&gt;</a>
                            <br>
                            <b><span style="font-weight:bold;">Cc:</span></b>
                            <a moz-do-not-send="true" rel="nofollow"
                              class="yiv1370901838moz-txt-link-rfc2396E"
                              ymailto="mailto:freeipa-users@redhat.com"
                              target="_blank"
                              href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                            <a moz-do-not-send="true" rel="nofollow"
                              class="yiv1370901838moz-txt-link-rfc2396E"
                              ymailto="mailto:freeipa-users@redhat.com"
                              target="_blank"
                              href="mailto:freeipa-users@redhat.com">&lt;freeipa-users@redhat.com&gt;</a>;
                            Rob Crittenden <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv1370901838moz-txt-link-rfc2396E"
                              ymailto="mailto:rcritten@redhat.com"
                              target="_blank"
                              href="mailto:rcritten@redhat.com">&lt;rcritten@redhat.com&gt;</a>;
                            Petr Spacek <a moz-do-not-send="true"
                              rel="nofollow"
                              class="yiv1370901838moz-txt-link-rfc2396E"
                              ymailto="mailto:pspacek@redhat.com"
                              target="_blank"
                              href="mailto:pspacek@redhat.com">&lt;pspacek@redhat.com&gt;</a>
                            <br>
                            <b><span style="font-weight:bold;">Sent:</span></b>
                            Thursday, May 10, 2012 3:19 PM<br>
                            <b><span style="font-weight:bold;">Subject:</span></b>
                            Re: [Freeipa-users] backup/restore IPA
                            servers with db2ldap.pl, ldap2db.pl ???<br>
                          </font> </div>
                        <br>
                        <div id="yiv1370901838">
                          <div> On 05/10/2012 03:57 PM, David
                            Copperfield wrote:
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0);
                                background-color: rgb(255, 255, 255);
                                font-size: 12pt; font-family: times,
                                serif; ">
                                <div>Hi Rob, Petr and all,</div>
                                <div><br>
                                </div>
                                <div>Because of recent crashes of my IPA
                                  master and IPA replica servers, I'm
                                  thinking of methods to back up/restore
                                  IPA user data: users, groups, host and
                                  server certificates etc.  </div>
                                <div><br>
                                </div>
                                <div>It's said that the only official
                                  way is to create an extra IPA replica
                                  and backup/snapshot that replica all
                                  the way. But there is still a big
                                  chance that some mistakes propagate
                                  to the whole IPA domain/realm before
                                  the IPA administrator finds them, and
                                  data gets lost forever and some may not
                                  even be recovered.</div>
                                <div><br>
                                </div>
                                <div>What I think is: because both Dogtag
                                  and IPA store data in backend 389
                                  directory servers separately, I
                                  freeze the changes on one IPA replica
                                  for a few minutes first, then run
                                  db2ldap.pl
                                  for both 389 LDAP backends, then
                                  un-freeze the IPA replica to get synced
                                  from the master.</div>
                                <div><br>
                                </div>
                                <div> When data needs to be restored
                                  because of disasters, the backup
                                  files (in LDIF format, for easy
                                  reading) can be restored to the two 389
                                  LDAP backends on the IPA replica with
                                  the command ldap2db.pl
                                  during the freezing period.</div>
                              </div>
                            </blockquote>
                            <br>
                            It's ldif2db.pl and db2ldif.pl,
                            not ldap<br>
                            <br>
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0);
                                background-color: rgb(255, 255, 255);
                                font-size: 12pt; font-family: times,
                                serif; ">
                                <div><br>
                                </div>
                                <div> Has anyone tried this solution
                                  yet? Are there any limitations?</div>
                                <div><br>
                                </div>
                                <div>My experience showed that the IPA
                                  replica did get data restored
                                  successfully (no dogtag is involved so
                                  only one LDAP backend is
                                  saved/restored). But the IPA master
                                  sometimes didn't get the data synced
                                  from the IPA replica (1/3 of the time it
                                  is synced, 2/3 of the time it needs the
                                  manual command
                                  'ipa-replica-manage force-sync  --from
                                  &lt;ipaReplicaServer&gt;').</div>
                              </div>
                            </blockquote>
                            <br>
                            How did you verify that the data was
                            synced?  Note that if a server has been down
                            for a while, it will take the supplier up to
                            5 minutes to recognize that the consumer is
                            up again, without force sync.<br>
                            <br>
                            <blockquote type="cite">
                              <div style="color: rgb(0, 0, 0);
                                background-color: rgb(255, 255, 255);
                                font-size: 12pt; font-family: times,
                                serif; ">
                                <div><br>
                                </div>
                                <div>Please shed some light on this area,
                                  as backup/restore of IPA
                                  master/replica is not even mentioned
                                  in the IPA documentation at all. </div>
                                <div><br>
                                </div>
                                <div>Thanks a lot.</div>
                                <div><br>
                                </div>
                                <div>--David</div>
                              </div>
                              <br>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                        <br>
                        <br>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
            </div>
            <br>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
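    Because ldif2db.pl replaces the whole database, it helps to confirm before a restore that the LDIF really was exported with -r. The sketch below is an added example, not code from this thread or from 389 Directory Server. It assumes the 389 DS conventions of a RUV tombstone entry (nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff) carrying nsds50ruv values and of CSN attribute subtypes such as ;vucsn-; the function names and both sample exports are constructed for illustration.

```python
import base64
import re

# Assumed 389 DS conventions: the RUV lives in a tombstone entry with this RDN,
# and per-value change state is stored as ";vucsn-<csn>"-style attribute subtypes.
RUV_RDN = "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff"
CSN_SUBTYPE = re.compile(r";(?:vucsn|vdcsn|adcsn|mdcsn)-[0-9a-f]+", re.I)
REPLICA_ID = re.compile(r"\{replica (\d+) ")

def unfold(text):
    """Join LDIF continuation lines (lines that start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Split 'attr: value' or 'attr:: base64' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return attr.strip().lower(), rest.strip()

def replication_metadata(text):
    """Summarise the replication metadata present in an LDIF export."""
    report = {"entries": 0, "ruv_entry": False, "replica_ids": set(), "csn_attrs": 0}
    in_ruv = False
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue
        attr, value = parse_line(line)
        if attr == "dn":
            report["entries"] += 1
            in_ruv = value.lower().startswith(RUV_RDN)
            report["ruv_entry"] = report["ruv_entry"] or in_ruv
        elif in_ruv and attr.split(";")[0] == "nsds50ruv":
            report["replica_ids"].update(int(i) for i in REPLICA_ID.findall(value))
        elif CSN_SUBTYPE.search(attr):
            report["csn_attrs"] += 1
    return report

def usable_for_replica_restore(text):
    """True only if the export carries a RUV naming at least one replica."""
    report = replication_metadata(text)
    return report["ruv_entry"] and bool(report["replica_ids"])

# Constructed samples: the same user entry exported without and with "-r".
PLAIN_EXPORT = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
sn: User
"""
REPLICA_EXPORT = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: nsTombstone
nsds50ruv: {replica 4 ldap://master.example.com:389} 4fa9a1c3000000040000 4fa
 c3b1a000000040000
nsds50ruv: {replica 3 ldap://replica.example.com:389} 4fa9b000000000030000

dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
sn;vucsn-4fac3b1a000000040000: User
"""
```

    An export for which usable_for_replica_restore() returns False would, once imported with ldif2db.pl, leave the replica without the replication meta-data described in the reply above.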
  </body>
</html>