Quoting Rich Megginson <rmegg...@redhat.com>:

> On 04/30/2014 09:22 AM, artj...@free.fr wrote:
> > Thanks a lot. My answers below.
>
> Please keep replies on list, for others to see.
Sorry, I knew it but I forgot.

>
> >
> > Quoting Rich Megginson <rmegg...@redhat.com>:
> >
> >> On 04/30/2014 03:26 AM, artj...@free.fr wrote:
> >>> Hi,
> >>>
> >>> I have 1 ipa master 'ipasrv' and 2 replicas 'iparpl1 iparpl2' installed with
> >>> --setup-ca option.
> >>> Since a few days I have an issue with '389 Directory Server' on the master
> >>> (ipasrv) and on the 2nd replica (iparpl2) with the following messages:
> >>>
> >>> The configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored from backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.tmp, error -1
> >>> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] dse - The configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored from backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.bak, error -1
> >>> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] config - The given config file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
> >>>
> >>> The files dse.ldif and dse.ldif.bak are lost.
> >> Was this a VM or a bare metal machine?  If a VM, please consider not
> >> using a disk image file for the /etc partition to help avoid this
> >> problem in the future.
> > VM is a Virtual Machine.
>
> Please consider using something other than a disk image file for the
> /etc partition.  And please consider doing the same for the
> /var/lib/dirsrv data (the actual dirsrv database files).
>
> >
> >> What version of 389-ds-base?  rpm -q 389-ds-base
> > 389-ds-base-1.3.1.6-23.el7.x86_64
> >
> >> Do you have dse.ldif.startOK?
> > Yes, I do, but when I tried to restore it with 'bak2db
> > /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.startOK'
> > I have a lot of errors:
>
> Right.  You don't restore this file with bak2db.  You just use cp -p
>
> # cd /etc/dirsrv/slapd-MYINSTANCE
> # cp -p dse.ldif.startOK dse.ldif
Thanks a lot, after this action everything is OK.

Now, I have to create a Replication Agreement between ipasrv and iparpl1,
because following the Rob Crittenden proposal with the --force flag, I did:
[root@iparpl1 ~]# ipa-replica-manage --force del ipasrv.mydomain

But when I read the Identity Management Guide, paragraph 25.5. Managing
Replication Agreements Between IdM Servers

I don't understand on which machine and what command I have to execute to have
an agreement between ipasrv and iparpl1;
Currently I have:

[root@iparpl1 ~]# ipa-replica-manage list-ruv
iparpl1.mydomain:389: 6
iparpl2.mydomain:389: 3

[root@ipasrv ~]# ipa-replica-manage list-ruv
ipasrv.mydomain:389: 4
iparpl1.mydomain:389: 6
iparpl2.mydomain:389: 3

[root@iparpl2 ~]# ipa-replica-manage list-ruv
iparpl2.mydomain:389: 3
ipasrv.mydomain:389: 4
iparpl1.mydomain:389: 6


>
> bak2db is only for the actual database data files (e.g. the files in
> /var/lib/dirsrv/slapd-MYINSTANCE/db)
>
> >
> > [30/Apr/2014:15:46:19 +0200] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > [30/Apr/2014:15:46:19 +0200] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-MYINSTANCE/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> > [30/Apr/2014:15:46:19 +0200] dse - Please edit the file to correct the reported problems and then restart the server.
> >
> >
> >
> >> ls -al /etc/dirsrv/slapd-MYINSTANCE
> >>
> >>> On my 1st replica (iparpl1) everything is OK.
> >>>
> >>> No Full IPA backup and LDAP backup done on ipasrv and iparpl2.
> >>>
> >>> A) Can I restore those files from iparpl1 ?
> >> dse.ldif?  No, not without a lot of editing, since there is a lot of
> >> host-specific config
> >>
> >>> B) I am a little bit confused after reading the documentation on
> >>> http://www.freeipa.org/page/Backup_and_Restore
> >>>     - can I consider that the ipa replicas are like ipa master ?
> >>>     In this case when I want to execute the manual procedure in chapter 'One Server Loss'
> >>>     1. Clean deployment from the lost server by removing all replication
> >>> agreements with it.
> >>>      from iparpl1 I have the following results:
> >>>
> >>> [root@iparpl1 ~]# ipa-replica-manage del iparpl2.mydomain
> >>> 'iparpl1.mydomain' has no replication agreement for 'iparpl2.mydomaon'
> >>>
> >>>    [root@iparpl1 ~]# ipa-replica-manage del ipasrv.mydomain
> >>> Connection to 'ipasrv.mydomain' failed:
> >>> Unable to delete replica 'ipasrv.mydomain'
> >>>
> >>>     2. Choose another FreeIPA Server with CA installed to become the first master
> >>> Can I do this request from my 1st replica iparpl1 and how ?
> >>>
> >>>     3. Nominate this master to be the one in charge of renewing certs and
> >>> publishing CRLS. This is a manual procedure at the moment.
> >>>
> >>>     4. Follow standard installation procedure to deploy a new master on a
> >>> hardware/VM of your choice
> >>> this request is to install a replica not a master ?
> >>>
> >>> Thanks for your help.
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
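
The `cp -p dse.ldif.startOK dse.ldif` restore from the thread above, wrapped with pre- and post-checks, as an added example that is not part of the original messages. The function name `restore_dse`, the `.pre-restore.<timestamp>` suffix and the `cn=config` sanity check are assumptions of this example; it also assumes GNU `stat` and that the directory server instance is not running.

```shell
#!/bin/sh
# Added example (not from the thread): restore dse.ldif from the
# last-known-good dse.ldif.startOK using cp -p, never bak2db.
# Usage: restore_dse /etc/dirsrv/slapd-MYINSTANCE
restore_dse() {
    dir=$1
    src="$dir/dse.ldif.startOK"
    dst="$dir/dse.ldif"

    # Refuse to continue without a non-empty last-known-good copy.
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 2; }

    # Assumption: a usable server config contains the cn=config entry.
    grep -qi '^dn:[[:space:]]*cn=config[[:space:]]*$' "$src" ||
        { echo "$src has no cn=config entry" >&2; return 3; }

    # Keep whatever is currently in place instead of overwriting it.
    if [ -e "$dst" ]; then
        cp -p "$dst" "$dst.pre-restore.$(date +%Y%m%d%H%M%S)" || return 4
    fi

    # -p preserves mode and timestamps (and ownership when run as root),
    # so the restored file keeps the same permissions as the original.
    cp -p "$src" "$dst" || return 5

    # Verify the copy: identical bytes, identical mode/owner/group.
    cmp -s "$src" "$dst" || return 6
    [ "$(stat -c '%a %U %G' "$src")" = "$(stat -c '%a %U %G' "$dst")" ] ||
        { echo "mode or ownership differs on $dst" >&2; return 7; }

    echo "restored $dst from $src"
}
```
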
