Hi Rich and all,

the '-r' option to db2ldif.pl doesn't work either; it makes little difference. 

My backup and restore commands on the IPA replica are:

db2ldif.pl -D 'cn=Directory Manager' -w - -r -s 'dc=example,dc=com'

ldif2db.pl -D 'cn=Directory Manager' -w - -i <the_backup_file_in_LDIF_format>

The only difference is: after the IPA master restarts (the restart happens after 
the IPA replica's restore operation), the changes which were applied on the IPA 
master before the backup are propagated to the IPA replica. This in fact makes 
the restoration test end up with a result that is completely unusable on the IPA 
replica, a result that is different from the backup and different from the IPA 
master. 

Please let me know if there are any other options/steps to follow. Thanks.


 From: Rich Megginson <rmegg...@redhat.com>
To: David Copperfield <cao2...@yahoo.com> 
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; Rob Crittenden 
<rcrit...@redhat.com>; Petr Spacek <pspa...@redhat.com> 
Sent: Thursday, May 10, 2012 5:28 PM
Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, 
ldap2db.pl ???

On 05/10/2012 04:37 PM, David Copperfield wrote: 
>Hi Rich and all,
>Thanks for correction. They are db2ldif.pl and ldif2db.pl scripts, which are 
>originally for 389 Directory Servers' backup and restore purposes. 
>There are no IPA tools for IPA system backup and restore. Is there a plan to 
>develop tools like ipa2ldif.pl and ldif2ipa.pl soon? Or, at least, is it on 
>the IPA roadmap?
>For the second question: I use the simple way: ipa 
>user-add/user-delete/user-find to see whether data is propagated. My testing 
>steps are like this:
> 1, run 'ipa user-add testuser' on IPA replica, check it on IPA master with 
>'ipa user-find testuser' and it is found in a few seconds -- not 5 minutes.
> 2, run 'db2ldif.pl' on IPA replica to save a backup.
> 3, run 'ipa user-del testuser' on IPA replica, then 'ipa user-find' on IPA 
>replica, and  it shows that the user is deleted.
> 4, double check 'ipa user-find testuser' on IPA master, and it is found to be 
>deleted, which is as expected, and it is propagated in just a few seconds.
> 5, run 'ldif2db.pl' on the same IPA replica where the backup was created.
> 6, run 'ipa user-find testuser' on IPA replica and it is found that the user 
>testuser is alive again.
> 7, run 'ipa user-find testuser' on IPA master. 1/3 of the time we can find 
>it, and in just a few seconds; the other 2/3 of the time it could not be found 
>even after HALF AN HOUR.
>Please run quick duplicate tests at your side and advise what normal users 
>should do, because a reliable backup/restore solution is definitely one of the 
>key criteria. Thanks a lot.
Ok, I see.  The problem is that a regular db2ldif[.pl] does not save the 
replication meta-data.  You must use the -r option to generate an ldif file 
with the replication meta-data.  ldif2db[.pl] is destructive - it wipes out 
your database completely and replaces it, wiping out any replication meta-data 
in the process.  If you ldif2db[.pl] a file exported with db2ldif[.pl] -r, it 
will replace the replication meta-data too.


> From: Rich Megginson <rmegg...@redhat.com>
>To: David Copperfield <cao2...@yahoo.com> 
>Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; Rob Crittenden 
><rcrit...@redhat.com>; Petr Spacek <pspa...@redhat.com> 
>Sent: Thursday, May 10, 2012 3:19 PM
>Subject: Re: [Freeipa-users] backup/restore IPA servers with db2ldap.pl, 
>ldap2db.pl ???
>On 05/10/2012 03:57 PM, David Copperfield wrote: 
>>Hi Rob, Petr and all,
>>Because of recent crashes of my IPA master and IPA replica servers, I'm 
>>thinking of methods to backup/restore IPA user data: users, groups, host and 
>>server certificates, etc.  
>>It's said that the only official way is to create an extra IPA replica and 
>>backup/snapshot that replica all the way. But there is still a big chance 
>>that some mistakes propagate to the whole IPA domain/realm before the IPA 
>>administrator finds them, and data gets lost forever, and some may not even be 
>>What I think is: because both Dogtag and IPA store data in backend 389 
>>directory servers separately, I could first freeze changes on one IPA replica 
>>for a few minutes, then run db2ldap.pl for both 389 LDAP backends, then 
>>un-freeze the IPA replica to get synced from the master.
>> When data needs to be restored because of disasters, the backup files (in 
>>LDIF format, for ease of reading) can be restored to the two 389 LDAP backends 
>>on the IPA replica with the command ldap2db.pl during the freezing period.
>It's ldif2db.pl and db2ldif.pl, not ldap
>> Has anyone tried this solution yet? Are there any limitations?
>>My experience showed that the IPA replica did get the data restored 
>>successfully (no Dogtag is involved, so only one LDAP backend is 
>>saved/restored). But the IPA master sometimes didn't get the data synced from 
>>the IPA replica (1/3 of the time it is synced, 2/3 of the time it needs the 
>>manual command 'ipa-replica-manage force-sync --from <ipaReplicaServer>').
>How did you verify that the data was synced?  Note that if a server has been 
>down for a while, it will take the supplier up to 5 minutes to recognize that 
>the consumer is up again, without force sync.
>>Please shed some light on this area, as backup/restore of IPA master/replica 
>>is not even mentioned in the IPA documentation at all. 
>>Thanks a lot.
Freeipa-users mailing list Freeipa-users@redhat.com 
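Added example, not code from this thread nor from 389 Directory Server or FreeIPA: a small POSIX sh script that checks an LDIF export for the replication metadata discussed above before the file is handed to ldif2db.pl on a replica. It assumes that an export made with db2ldif.pl -r carries the replica update vector (RUV) tombstone entry with nsds50ruv attributes and that a plain export does not. The two sample LDIF files, the host names, replica IDs and CSN values in them are constructed for this example, and the -a (output file) and -s (suffix) options in the generated commands are assumed from the db2ldif.pl/ldif2db.pl usage rather than taken from the commands posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, 389 DS or FreeIPA): refuse to restore an
# LDIF export that lacks the RUV entry written by db2ldif[.pl] -r, because
# ldif2db[.pl] replaces the whole database and a plain export would leave the
# replica without replication metadata. All sample data below is constructed.
set -eu

# Write two small sample exports into directory $1: plain.ldif (as if made
# without -r) and with_r.ldif (as if made with -r). Values are made up.
write_samples() {
    cat > "$1/plain.ldif" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
nsuniqueid: 1b2c3d4e-1f2a11e1-9c8b7a6f-5e4d3c2b

dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
uid: testuser
sn: User
cn: Test User
nsuniqueid: 2c3d4e5f-2a3b11e1-8d7c6b5a-4f3e2d1c
EOF
    # Same entries plus the RUV tombstone that -r adds (constructed CSNs).
    cp "$1/plain.ldif" "$1/with_r.ldif"
    cat >> "$1/with_r.ldif" <<'EOF'

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fac0a1c000000040000
nsds50ruv: {replica 4 ldap://master.example.com:389} 4fac0a2e000000040000 4fac2bd0000100040000
nsds50ruv: {replica 5 ldap://replica.example.com:389} 4fac0b3f000000050000 4fac2c10000000050000
EOF
}

# Succeeds only when the export carries a per-replica RUV element.
ldif_has_ruv() {
    grep -q '^nsds50ruv: {replica ' "$1"
}

# Print the replica IDs recorded in the RUV, one per line (nothing if none).
ruv_replica_ids() {
    sed -n 's/^nsds50ruv: {replica \([0-9][0-9]*\) .*/\1/p' "$1"
}

# Number of entries in the export.
ldif_entry_count() {
    grep -c '^dn: ' "$1"
}

# Print the export command for suffix $1 to file $2 (-a is assumed).
backup_cmd() {
    printf "db2ldif.pl -D 'cn=Directory Manager' -w - -r -s '%s' -a '%s'\n" "$1" "$2"
}

# Print the ldif2db.pl command for export $1 into suffix $2, or fail with a
# message when the export has no RUV. Nothing is executed here.
restore_cmd() {
    if ! ldif_has_ruv "$1"; then
        echo "refusing: $1 has no RUV; re-export with db2ldif.pl -r" >&2
        return 1
    fi
    printf "ldif2db.pl -D 'cn=Directory Manager' -w - -s '%s' -i '%s'\n" "$2" "$1"
}

# Demo: build the samples and inspect both.
tmp=$(mktemp -d)
write_samples "$tmp"
backup_cmd dc=example,dc=com "$tmp/backup.ldif"
for f in plain.ldif with_r.ldif; do
    printf '%s: %s entries, replica ids: %s\n' "$f" \
        "$(ldif_entry_count "$tmp/$f")" \
        "$(ruv_replica_ids "$tmp/$f" | tr '\n' ' ')"
    restore_cmd "$tmp/$f" dc=example,dc=com || true
done
rm -rf "$tmp"
```

The check is deliberately narrow: it only tells you whether the file you are about to import still carries replication state, which is the thing a plain db2ldif.pl export silently drops. It says nothing about whether the other replicas' RUVs are consistent with it afterwards; that still has to be verified on the master once it reconnects.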