How to export and import IPA database
Environment
- Red Hat Enterprise Linux
- Red Hat Identity Management 4.X
Issue
- How to export/import the database from an IPA server
Resolution
How to Export IPA Databases
If IPA services can be temporarily stopped on the IPA server you are exporting from, we recommend the Offline Method.
If IPA services cannot be stopped on that IPA server, perform an online export with the Online Method.
1) Offline Method
NOTE: only run the second command exporting the ipaca database if the master and replica have been installed with a CA.
- Running RHEL 7 and earlier, execute this approach.
  1. Stop IPA Services.
     ipactl stop
  2. Export the database.
     /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif -r -n userRoot -a /tmp/userRoot.ldif
     /var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif -r -n ipaca -a /tmp/ipaca.ldif
  3. Start IPA Services.
     ipactl start
- Running RHEL 8 and newer, execute this approach.
  1. Stop IPA Services.
     ipactl stop
  2. Check the instance name.
     dsctl -l
  3. Export the database.
     dsctl -v instance_name db2ldif --replication userRoot /var/lib/dirsrv/slapd-instance_name/ldif/userRoot.ldif
     dsctl -v instance_name db2ldif --replication ipaca /var/lib/dirsrv/slapd-instance_name/ldif/ipaca.ldif
  4. Start IPA Services.
     ipactl start
2) Online Method
NOTE: only run the second command exporting the ipaca database if the master and replica have been installed with a CA.
/var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -w <Directory-Manager-Password> -r -n userRoot -a /tmp/userRoot.ldif
/var/lib/dirsrv/scripts-EXAMPLE-COM/db2ldif.pl -Z EXAMPLE-COM -D "cn=Directory Manager" -w <Directory-Manager-Password> -r -n ipaca -a /tmp/ipaca.ldif
The above will export the databases in LDIF format with the file names userRoot.ldif and ipaca.ldif under /tmp directory.
Use scp or any other method to copy these two files to /tmp on the Replica for the next step (the Directory Server must have rights to read the directory containing the LDIF files).
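Before copying the LDIF files to the Replica, it is worth confirming that each export is complete and was taken with -r / --replication, since an export without replication state will not carry the replica update vector (the nsds50ruv tombstone entry) that the Replica needs. The script below is an added example and is not part of the Red Hat solution; the LDIF content it generates is constructed sample data, and the suffixes dc=example,dc=com (userRoot) and o=ipaca (ipaca) are assumed.

```shell
#!/bin/bash
# Added example: sanity-check an LDIF produced by db2ldif -r (RHEL 7) or
# dsctl db2ldif --replication (RHEL 8+) before copying it to the Replica.

# Number of entries in the LDIF (each entry begins with a "dn:" line).
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Succeeds if the LDIF carries the replica update vector, i.e. it was
# exported with -r / --replication (the RUV tombstone has nsds50ruv attributes).
ldif_has_ruv() {
    grep -q '^nsds50ruv:' "$1"
}

# Succeeds if the backend's suffix entry is present, e.g. dc=example,dc=com
# for userRoot or o=ipaca for the ipaca backend (suffixes assumed here).
ldif_has_suffix() {
    grep -qi "^dn: ${2}\$" "$1"
}

# Prints OK or the FAIL reasons; returns non-zero if the file is not fit to import.
check_export() {
    file=$1; suffix=$2; rc=0
    [ -s "$file" ] || { echo "FAIL: $file is missing or empty"; return 1; }
    ldif_has_suffix "$file" "$suffix" || { echo "FAIL: no suffix entry $suffix"; rc=1; }
    ldif_has_ruv "$file" || { echo "FAIL: no nsds50ruv; re-export with -r/--replication"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $(ldif_entry_count "$file") entries, replication state present"
    return $rc
}

# Constructed sample LDIF (not a real export) used to exercise the checks.
make_sample() {
    cat > "$1" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
nsds50ruv: {replicageneration} 5f0c1a2b000000040000
nsds50ruv: {replica 4 ldap://master.example.com:389} 5f0c1a2b000000040000 5f0c1b3c000100040000

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
uid: admin
EOF
}

# Usage: ./check_ldif.sh /tmp/userRoot.ldif dc=example,dc=com
if [ -n "${1:-}" ]; then check_export "$1" "${2:-dc=example,dc=com}"; fi
```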
How to Import the Databases
NOTE: only run the second command importing the ipaca database if the Replica has been installed with a CA.
- Running RHEL 7 and earlier, execute this approach.
  1. Stop IPA Services.
     ipactl stop
  2. Set the appropriate permissions.
     chmod 777 /tmp/userRoot.ldif /tmp/ipaca.ldif
  3. Import the database.
     /var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db -n userRoot -i /tmp/userRoot.ldif
     /var/lib/dirsrv/scripts-EXAMPLE-COM/ldif2db -n ipaca -i /tmp/ipaca.ldif
  4. Start IPA Services.
     ipactl start
  If you encounter permissions issues, make sure the LDIF files are in a directory that Directory Server can properly read (like /tmp) and that the files have 777 permissions.
- Running RHEL 8 and newer, execute this approach.
  1. If you copied the file you want to import to /var/lib/dirsrv/slapd-instance_name/ldif/, reset the SELinux context on that file:
     restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/userRoot.ldif
     restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/ipaca.ldif
  2. Stop IPA Services.
     ipactl stop
  3. Check the instance name.
     dsctl -l
  4. Import the database.
     dsctl -v instance_name ldif2db userRoot /var/lib/dirsrv/slapd-instance_name/ldif/userRoot.ldif
     dsctl -v instance_name ldif2db ipaca /var/lib/dirsrv/slapd-instance_name/ldif/ipaca.ldif
  5. Start IPA Services.
     ipactl start
Root Cause
- This procedure could be useful in case of database corruption in one of the replicas.
- It could also be used to synchronize both replicas.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.