According to Rich Megginson <[email protected]>:
> On 04/30/2014 09:22 AM, [email protected] wrote:
> > Thanks a lot. My answers below.
>
> Please keep replies on list, for others to see.

Sorry, I knew it but I forgot.

>
> >
> > According to Rich Megginson <[email protected]>:
> >
> >> On 04/30/2014 03:26 AM, [email protected] wrote:
> >>> Hi,
> >>>
> >>> I have 1 ipa master 'ipasrv' and 2 replicas 'iparpl1 iparpl2' installed with
> >>> the --setup-ca option.
> >>> For a few days I have had an issue with '389 Directory Server' on the master
> >>> (ipasrv) and on the 2nd replica (iparpl2) with the following messages:
> >>>
> >>> The configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored
> >>> from backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.tmp, error -1
> >>> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] dse - The
> >>> configuration file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif was not restored from
> >>> backup /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.bak, error -1
> >>> Apr 28 07:38:35 localhost ns-slapd: [28/Apr/2014:15:38:35 +0200] config - The
> >>> given config file /etc/dirsrv/slapd-MYINSTANCE/dse.ldif could not be accessed,
> >>> Netscape Portable Runtime error -5950 (File not found.)
> >>>
> >>> The files dse.ldif and dse.ldif.bak are lost.
> >> Was this a VM or a bare metal machine? If a VM, please consider not
> >> using a disk image file for the /etc partition to help avoid this
> >> problem in the future.
> > VM is a Virtual Machine.
>
> Please consider using something other than a disk image file for the
> /etc partition. And please consider doing the same for the
> /var/lib/dirsrv data (the actual dirsrv database files).
>
> >
> >> What version of 389-ds-base? rpm -q 389-ds-base
> > 389-ds-base-1.3.1.6-23.el7.x86_64
> >
> >> Do you have dse.ldif.startOK?
> > Yes, I do, but when I tried to restore it with 'bak2db
> > /etc/dirsrv/slapd-MYINSTANCE/dse.ldif.startOK'
> > I got a lot of errors:
>
> Right. You don't restore this file with bak2db. You just use cp -p
>
> # cd /etc/dirsrv/slapd-MYINSTANCE
> # cp -p dse.ldif.startOK dse.ldif

Thanks a lot, after this action everything is OK.

Now I have to create a Replication Agreement between ipasrv and iparpl1, because, following Rob Crittenden's proposal with the --force flag, I did:

[root@iparpl1 ~]# ipa-replica-manage --force del ipasrv.mydomain

But when I read the Identity Management Guide, paragraph 25.5. Managing Replication Agreements Between IdM Servers, I don't understand on which machine and what command I have to execute to have an agreement between ipasrv and iparpl1.

Currently I have:

[root@iparpl1 ~]# ipa-replica-manage list-ruv
iparpl1.mydomain:389: 6
iparpl2.mydomain:389: 3

[root@ipasrv ~]# ipa-replica-manage list-ruv
ipasrv.mydomain:389: 4
iparpl1.mydomain:389: 6
iparpl2.mydomain:389: 3

[root@iparpl2 ~]# ipa-replica-manage list-ruv
iparpl2.mydomain:389: 3
ipasrv.mydomain:389: 4
iparpl1.mydomain:389: 6

>
> bak2db is only for the actual database data files (e.g. the files in
> /var/lib/dirsrv/slapd-MYINSTANCE/db)
>
> >
> > [30/Apr/2014:15:46:19 +0200] - valueset_value_syntax_cmp:
> > slapi_attr_values2keys_sv failed for type attributetypes
> > [30/Apr/2014:15:46:19 +0200] dse_read_one_file - The entry cn=schema in file
> > /etc/dirsrv/slapd-MYINSTANCE/schema/00core.ldif (lineno: 1) is invalid, error
> > code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID
> > "1.3.6.1.4.1.1466.115.121.1.15"
> > [30/Apr/2014:15:46:19 +0200] dse - Please edit the file to correct the reported
> > problems and then restart the server.
> >
> >
> >> ls -al /etc/dirsrv/slapd-MYINSTANCE
> >>
> >>> On my 1st replica (iparpl1) everything is OK.
> >>>
> >>> No full IPA backup or LDAP backup was done on ipasrv and iparpl2.
> >>>
> >>> A) Can I restore those files from iparpl1?
> >> dse.ldif? No, not without a lot of editing, since there is a lot of
> >> host-specific config
> >>
> >>> B) I am a little bit confused after reading the documentation on
> >>> http://www.freeipa.org/page/Backup_and_Restore
> >>> - can I consider that the ipa replicas are like an ipa master?
> >>> In this case, when I want to execute the manual procedure in chapter 'One
> >>> Server Loss':
> >>> 1. Clean deployment from the lost server by removing all replication
> >>> agreements with it.
> >>> from iparpl1 I have the following results:
> >>>
> >>> [root@iparpl1 ~]# ipa-replica-manage del iparpl2.mydomain
> >>> 'iparpl1.mydomain' has no replication agreement for 'iparpl2.mydomaon'
> >>>
> >>> [root@iparpl1 ~]# ipa-replica-manage del ipasrv.mydomain
> >>> Connection to 'ipasrv.mydomain' failed:
> >>> Unable to delete replica 'ipasrv.mydomain'
> >>>
> >>> 2. Choose another FreeIPA Server with CA installed to become the first
> >>> master
> >>> Can I do this request from my 1st replica iparpl1, and how?
> >>>
> >>> 3. Nominate this master to be the one in charge of renewing certs and
> >>> publishing CRLs. This is a manual procedure at the moment.
> >>>
> >>> 4. Follow standard installation procedure to deploy a new master on a
> >>> hardware/VM of your choice
> >>> this request is to install a replica, not a master?
> >>>
> >>> Thanks for your help.
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> [email protected]
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >
>
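As an added example (this is not code from the thread, nor from the 389 Directory Server or FreeIPA projects), here is a small POSIX shell helper that applies Rich's cp -p advice in a checked way. It restores dse.ldif only when the file is actually missing or empty, prefers dse.ldif.startOK (the copy ns-slapd keeps from the last successful start) over dse.ldif.bak, refuses an empty candidate or one that does not carry the cn=config entry, and keeps ownership and timestamps with cp -p. It deliberately never calls bak2db, which, as the thread says, is for the database files under /var/lib/dirsrv only. The function names, the sample instance directory and the sample LDIF contents are constructed for the demonstration; the helper touches /etc/dirsrv only if you pass that path yourself.

```shell
#!/bin/sh
# restore_dse_ldif INSTANCE_DIR
#   Recreate INSTANCE_DIR/dse.ldif from the best available backup copy.
#   Returns 0 when dse.ldif is present afterwards, 1 when no usable copy exists.
restore_dse_ldif() {
    inst_dir="$1"                 # e.g. /etc/dirsrv/slapd-MYINSTANCE
    target="$inst_dir/dse.ldif"

    # Nothing to do if the live config is already there and non-empty.
    if [ -s "$target" ]; then
        echo "ok: $target already present"
        return 0
    fi

    # Order of trust: startOK is only written after a clean start,
    # .bak is the previous version of the file. dse.ldif.tmp is an
    # in-flight write and is deliberately not considered.
    for cand in dse.ldif.startOK dse.ldif.bak; do
        src="$inst_dir/$cand"
        # Superficial sanity check: a real dse.ldif carries the cn=config entry.
        if [ -s "$src" ] && grep -q '^dn: cn=config$' "$src"; then
            cp -p "$src" "$target" || return 1
            echo "restored $target from $cand"
            return 0
        fi
    done

    echo "error: no usable dse.ldif backup in $inst_dir" >&2
    return 1
}

# make_sample_instance DIR NAME
#   Constructed test fixture (assumption: not real server output): writes a
#   minimal LDIF file NAME into DIR so the helper can be exercised offline.
make_sample_instance() {
    mkdir -p "$1"
    printf 'dn: cn=config\nobjectClass: top\ncn: config\n' > "$1/$2"
}

# Stand-alone demonstration on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_instance "$demo_dir/slapd-DEMO" dse.ldif.startOK
restore_dse_ldif "$demo_dir/slapd-DEMO"      # restores from dse.ldif.startOK
restore_dse_ldif "$demo_dir/slapd-DEMO"      # second run: already present
rm -rf "$demo_dir"
```

Run it as root on the real instance with `restore_dse_ldif /etc/dirsrv/slapd-MYINSTANCE` and then start the instance as usual; if it returns 1, no local copy is trustworthy and, as the thread notes, copying dse.ldif from another replica is not a substitute because of the host-specific configuration it contains.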
