Hi Rob, Petr and all,
Because of recent crashes of my IPA master and IPA replica servers, I'm
thinking of methods to back up/restore IPA user data: users, groups, host and
server certificates etc.
It's said that the only official way is to create an extra IPA replica and
backup/snapshot that replica all the way. But there is still a big chance that
some mistakes propagate to the whole IPA domain/realm before the IPA
administrator finds them, and data gets lost forever and some may not even be
recovered.
What I think is that, because both Dogtag and IPA store data in backend 389
directory servers separately, I can first freeze changes on one IPA replica for
a few minutes, then run db2ldap.pl for both 389 LDAP backends, then unfreeze
the IPA replica so it gets synced from the master.
When data needs to be restored because of disasters, the backup files (in LDIF
format -- for ease of reading) can be restored to the two 389 LDAP backends on
the IPA replica with the command ldap2db.pl during the freezing period.
Has anyone tried this solution yet? Are there any limitations?
My experience showed that the IPA replica did get data restored successfully
(no Dogtag is involved, so only one LDAP backend is saved/restored). But the
IPA master sometimes didn't get the data synced from the IPA replica (1/3 of
the time it is synced, 2/3 of the time it needs the manual command
'ipa-replica-manage force-sync --from <ipaReplicaServer>').
Please shed some light on this area, as backup/restore of IPA master/replica is
not even mentioned in the IPA documentation at all.
Thanks a lot.
--David
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users