Hi Rich and all,

Thanks for the correction. They are the db2ldif.pl and ldif2db.pl scripts, which are 
originally for 389 Directory Servers' backup and restore purposes. 

There are no IPA tools for IPA system backup and restore. Is there a plan to 
develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it 
on the IPA roadmap?

For the second question: I use the simple way: ipa 
user-add/user-delete/user-find to see whether data is propagated. My testing 
steps are like this:

 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master with 
'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.

 2, run 'db2ldif.pl' on IPA replica to save a backup.

 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' on IPA 
replica, and  it shows that the user is deleted.

 4, double check 'ipa user-find test user' on IPA master, and it is found 
deleted, which is as expected and it is propagated in just a few seconds.

 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.

 6, run 'ipa user-find testuser' on IPA replica and it is found that the user 
testuser is alive again.

 7, run 'ipa user-find testuser' on IPA master. 1/3 times we can find it -- and 
in just a few seconds. Other 2/3 times it could not be found even after HALF 
HOUR.

Please run a quick duplicate test on your side and advise what normal users 
should do, because a reliable backup/restore solution is definitely one of the 
key criteria. Thanks a lot.

--David

________________________________
 From: Rich Megginson <rmegg...@redhat.com>
To: David Copperfield <cao2...@yahoo.com> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; Rob Crittenden 
<rcrit...@redhat.com>; Petr Spacek <pspa...@redhat.com> 
Sent: Thursday, May 10, 2012 3:19 PM
Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, 
ldap2db.pl ???
 

On 05/10/2012 03:57 PM, David Copperfield wrote: 
>Hi Rob, Petr and all,
>
>
>Because of recent crashes of my IPA master and IPA replica servers, I'm 
>thinking of methods of backup/restore IPA user data: users, groups, host and 
>server certificates etc.  
>
>
>It's said that the only official way is to create an extra IPA replica and 
>backup/snapshot that replica all the way. But there is still a big chance 
>that some mistakes propagate to the whole IPA domain/realm before the IPA 
>administrator finds it and data gets lost forever and some may not even be 
>recovered.
>
>
>What I think is because both Dogtag and IPA store data in backend 389 
>directory servers separately, then if I freeze the change on one IPA replica 
>for a few minutes first, then run db2ldap.pl for both 389 ldap backends, then 
>un-freeze the IPA replica to get sync from master.
>
>
> When data needs to be restored because of disasters, the backup files (in LDIF 
>format -- for easy reading) can be restored to the two 389 LDAP backends on 
>IPA replica with command ldap2db.pl during the freezing period.
It's ldif2db.pl db2ldif.pl not ldap



>
> Has anyone tried this solution yet? Are there any limitations?
>
>
>My experiences showed that the IPA replica did get data restored successfully 
>(no dogtag is involved so only one LDAP backend is saved/restored). But the 
>IPA master sometimes didn't get the data synced from IPA replica (1/3 times 
>it is synced, 2/3 times needs manual command 'ipa-replica-manage force-sync  
>--from <ipaReplicaServer>').
How did you verify that the data was synced?  Note that if a server
has been down for a while, it will take the supplier up to 5 minutes
to recognize that the consumer is up again, without force sync.



>
>Please shed some light in this area, as backup/restore of IPA master/replica is 
>not even mentioned in the IPA document at all. 
>
>
>Thanks a lot.
>
>
>--David
>_______________________________________________
Freeipa-users mailing list Freeipa-users@redhat.com 
https://www.redhat.com/mailman/listinfo/freeipa-users