On 05/10/2012 03:57 PM, David Copperfield wrote:
Hi Rob, Petr and all,
Because of recent crashes of my IPA master and IPA replica servers,
I'm thinking of methods to backup/restore IPA user data: users,
groups, host and server certificates etc.
It's said that the only official way is to create an extra IPA replica
and backup/snapshot that replica all the way. But there is still a
big chance that some mistakes propagate to the whole IPA
domain/realm before the IPA administrator finds them, and data gets lost
forever and some may not even be recovered.
What I am thinking is this: because both Dogtag and IPA store data in
separate backend 389 directory servers, I could freeze changes on one IPA
replica for a few minutes first, then run db2ldap.pl for both 389 LDAP
backends, then un-freeze the IPA replica so it syncs from the master.
When data needs to be restored because of a disaster, the backup
files (in LDIF format -- easy to read) can be restored to the two
389 LDAP backends on the IPA replica with the command ldap2db.pl during the
freezing period.

It's ldif2db.pl / db2ldif.pl, not ldap

Has anyone tried this solution yet? Are there any limitations?
My experience showed that the IPA replica did get its data restored
successfully (no Dogtag is involved, so only one LDAP backend is
saved/restored). But the IPA master sometimes didn't get the data
synced from the IPA replica (1/3 of the time it is synced, 2/3 of the time
it needs the manual command 'ipa-replica-manage force-sync --from
<ipaReplicaServer>').

How did you verify that the data was synced? Note that if a server has
been down for a while, it will take the supplier up to 5 minutes to
recognize that the consumer is up again, without force sync.

Please shed some light on this area, as backup/restore of an IPA
master/replica is not even mentioned in the IPA documentation at all.
Thanks a lot.
--David
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
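
One way to answer the "how did you verify that the data was synced?" question above is to compare LDIF exports taken from the master and the replica. The script below is an added example, not part of the original thread or of FreeIPA/389 DS: the function names are hypothetical, the sample exports are constructed, and it assumes `entryusn` is a per-server value that should be ignored and that DNs contain no escaped commas.

```python
import base64

IGNORED = {"entryusn"}  # assumption: per-server counter, not replicated

def parse_ldif(text):
    """Parse LDIF text into {normalized_dn: {attr: set_of_byte_values}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():              # a blank line ends the record
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip().encode()
        name = name.lower()
        if name == "dn":                  # simple normalization: case and spacing
            dn = ",".join(p.strip() for p in value.decode().lower().split(","))
        elif dn is not None and name not in IGNORED:
            attrs.setdefault(name, set()).add(value)
    return entries

def diff_exports(a_text, b_text):
    """Report DNs missing on either side and DNs whose attributes differ."""
    a, b = parse_ldif(a_text), parse_ldif(b_text)
    return {"only_in_a": sorted(a.keys() - b.keys()),
            "only_in_b": sorted(b.keys() - a.keys()),
            "changed": sorted(dn for dn in a.keys() & b.keys() if a[dn] != b[dn])}

# Constructed sample exports (not real data): folded line, base64 value, DN case.
MASTER = ("dn: uid=alice,cn=users,dc=example,dc=test\nuid: alice\n"
          "description: folded\n  value\nentryusn: 101\n\n"
          "dn: uid=bob,cn=users,dc=example,dc=test\nmail: bob@example.test\n\n"
          "dn: uid=carol,cn=users,dc=example,dc=test\nuid: carol\n")
REPLICA = ("dn: UID=alice, cn=users,dc=example,dc=test\nuid:: YWxpY2U=\n"
           "description: folded value\nentryusn: 57\n\n"
           "dn: uid=bob,cn=users,dc=example,dc=test\nmail: bob@old.example.test\n")
print(diff_exports(MASTER, REPLICA))
```

An empty result in all three lists means the two exports hold the same entries and values; run it again after the replication interval before concluding that a difference is permanent.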