[Freeipa-users] backup/restore IPA servers with db2ldap.pl, ldap2db.pl ???
Rich Megginson
rmeggins at redhat.com
Fri May 11 00:28:59 UTC 2012
On 05/10/2012 04:37 PM, David Copperfield wrote:
> Hi Rich and all,
>
> Thanks for correction. They are db2ldif.pl and ldif2db.pl scripts,
> which are originally for 389 Directory Servers' backup and restore
> purposes.
>
> There are no IPA tools for IPA system backup and restore. Is there a
> plan to develop tools like ipa2ldif.pl and ldif2ipa.pl soon? or, at
> least, whether it is in IPA roadmap?
>
> For the second question: I use the simple way: ipa
> user-add/user-delete/user-find to see whether data is propagated. My
> testing steps are like this:
>
> 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master
> with 'ipa user-find testuser' and it is found in a few seconds -- not
> 5 minutes.
>
> 2, run 'db2ldif.pl on IPA replica to save a backup.
>
> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find'
> on IPA replica, and it shows that the user is deleted.
>
> 4, double check 'ipa user-find test user' on IPA master, and it is
> found deleted, which is as expected and it is propagated in just a few
> seconds.
>
> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
>
> 6, run 'ipa user-find testuser' on IPA replica and it is found that
> the user testuser is alive again.
>
> 7, run 'ipa user-find testuser' on IPA master. 1/3 times we can find
> it -- and in just a few seconds. other 2/3 times it could not be found
> even after HALF HOUR.
>
> Please have a quick duplicate tests at your side and advice what
> normal users should do, because a reliable backup/restore solution is
> definitely one of the key criteria. Thanks a lot.
>
Ok, I see. The problem is that a regular db2ldif[.pl] does not save the
replication meta-data. You must use the -r option to generate an ldif
file with the replication meta-data. ldif2db[.pl] is destructive - it
wipes out your database completely and replaces it, wiping out any
replication meta-data in the process. If you ldif2db[.pl] a file
exported with db2ldif[.pl] -r, it will replace the replication meta-data
too.
See
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
> --David
>
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson <rmeggins at redhat.com>
> *To:* David Copperfield <cao2dan at yahoo.com>
> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>; Rob
> Crittenden <rcritten at redhat.com>; Petr Spacek <pspacek at redhat.com>
> *Sent:* Thursday, May 10, 2012 3:19 PM
> *Subject:* Re: [Freeipa-users] backup/restore IPA servers with
> db2ldap.pl, ldap2db.pl ???
>
> On 05/10/2012 03:57 PM, David Copperfield wrote:
>> Hi Rob, Petr and all,
>>
>> Because recently crashes of my IPA master and IPA replicas servers,
>> I'm thinking of methods of backup/restore IPA user data: users,
>> groups, host and server certificates etc.
>>
>> It's said that the only official way is to create an extra IPA
>> replica and backup/snapshot that replica all the way. But there still
>> has a big chance that some mistakes propagate for a to whole IPA
>> domain/realm before the IAP administrator find it and data got lost
>> forever and some may not even be recovered.
>>
>> What I think is because both Dogtag and IPA store data in backend 389
>> directory servers separately, then if I freeze the change on one IPA
>> replica for a few minutes first, then run db2ldap.pl
>> <http://db2ldap.pl> for both 389 ldap backends, then un-freeze the
>> IPA replica to get sync from master.
>>
>> When data needs to be restored because of disasters, the backup
>> files(in LDIF format -- for easy to read) can be restored to the two
>> 389 LDAP backends on IPA replica with command ldap2db.pl
>> <http://ldap2db.pl> during the freezing period.
>
> It's ldif2db.pl <http://ldif2db.pl> db2ldif.pl <http://db2ldif.pl> not
> ldap
>
>>
>> Have anyone tried this solution yet? Is there any limitations?
>>
>> My experiences showed that the IPA replica did get data restored
>> successfully (no dogtag is involved so only one LDAP backend is
>> saved/restored). But the IPA master some times didn't get the data
>> synced from IPA replica ( 1/3 times it is synced, 2/3 times needs
>> manual command 'ipa-replica-manage force-sync --from
>> <ipaReplicaServer>' ).
>
> How did you verify that the data was synced? Note that if a server
> has been down for a while, it will take the supplier up to 5 minutes
> to recognize that the consumer is up again, without force sync.
>
>>
>> Please shed a light in this area, as backup/restore of IPA
>> master/replica is even not mentioned on the IPA document at all.
>>
>> Thanks a lot.
>>
>> --David
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120510/37b39d6f/attachment.htm>
More information about the Freeipa-users
mailing list