Hi Rob, Petr and all,

Because recently crashes of my IPA master and IPA replicas servers, I'm 
thinking of methods of backup/restore IPA user data: users, groups, host and 
server certificates etc.  

It's said that the only official way is to create an extra IPA replica and 
backup/snapshot that replica all the way. But there still has a big chance that 
some mistakes propagate for a to whole IPA domain/realm before the IAP 
administrator find it and data got lost forever and some may not even be 

What I think is because both Dogtag and IPA store data in backend 389 directory 
servers separately, then if I freeze the change on one IPA replica for a few 
minutes first, then run db2ldap.pl for both 389 ldap backends, then un-freeze 
the IPA replica to get sync from master.

 When data needs to be restored because of disasters, the backup files(in LDIF 
format -- for easy to read) can be restored to the two 389 LDAP backends on IPA 
replica with command ldap2db.pl during the freezing period.

 Have anyone tried this solution yet? Is there any limitations?

My experiences showed that the IPA replica did get data restored successfully 
(no dogtag is involved so only one LDAP backend is saved/restored). But the IPA 
master some times didn't get the data synced from IPA replica ( 1/3 times it is 
synced, 2/3 times needs manual command 'ipa-replica-manage force-sync  --from 
<ipaReplicaServer>' ).

Please shed a light in this area, as backup/restore of IPA master/replica is 
even not mentioned on the IPA document at all. 

Thanks a lot.

Freeipa-users mailing list

Reply via email to