This happens a lot. We use a cron job to save copies of dse.ldif.

From: Sigbjorn Lie via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Tuesday, April 19, 2022 6:25 AM
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: Sigbjorn Lie <sigbjorn@nixtra.com>
Subject: [Freeipa-users] dse.ldif and dse.ldif.bak gone after powerloss
 
Hi,

We recently had a failure causing an IPA server to experience an
immediate power loss. When the server power was switched back on, the
dirsrv service refused to start. The following was logged in
journalctl.


Apr 19 10:58:13 ipa2.redacted.tld ns-slapd[2811868]: [19/Apr/2022:10:58:13.757492036 +0200] - INFO - dse_check_file - The config /etc/dirsrv/slapd-REDACTED/dse.ldif can not be accessed. Attempting restore ... (reason: 0)
Apr 19 10:58:13 ipa2.redacted.tld ns-slapd[2811868]: [19/Apr/2022:10:58:13.757544913 +0200] - ERR - dse_check_file - The backup file /etc/dirsrv/slapd-REDACTED/dse.ldif.bak has zero length, refusing to restore it.
Apr 19 10:58:13 ipa2.redacted.tld ns-slapd[2811868]: [19/Apr/2022:10:58:13.757548466 +0200] - ERR - slapd_bootstrap_config - No valid configurations can be accessed! You must restore /etc/dirsrv/slapd-REDACTED/dse.ldif from backup!
Apr 19 10:58:13 ipa2.redacted.tld ns-slapd[2811868]: [19/Apr/2022:10:58:13.757551275 +0200] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-REDACTED could not be read or were not found.  Please refer to the error log or output for more info


Upon further troubleshooting we discovered that
/etc/dirsrv/slapd-REDACTED/dse.ldif was missing, and
/etc/dirsrv/slapd-REDACTED/dse.ldif.backup was 0 bytes long. The
dse.ldif.startOK file is still there, however it is now over 2 months
old.


# ls -la dse.ldif.*
-rw-------. 1 dirsrv dirsrv      0 Apr 11 14:42 dse.ldif.bak
-rw-------. 1 dirsrv root   173135 Feb  9 13:33 dse.ldif.ipa.dd88c8e1bbf92a7c
-rw-rw----. 1 dirsrv root   194829 Feb  9 13:33 dse.ldif.modified.out
-rw-------. 1 dirsrv dirsrv 226867 Feb 17 11:41 dse.ldif.startOK


When inspecting some of our other still running IPA servers, the
difference between the dse.ldif and the dse.ldif.startOK displays
updates to modifyTimestamp and nsState on entries such as:

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config

dn: cn=uniqueid generator,cn=config
dn: cn=abort cleanallruv,cn=tasks,cn=config
dn: cn=automember export updates,cn=tasks,cn=config
dn: cn=automember rebuild membership,cn=tasks,cn=config
dn: cn=backup,cn=tasks,cn=config
dn: cn=cleanallruv,cn=tasks,cn=config
dn: cn=compact db,cn=tasks,cn=config
dn: cn=des2aes,cn=tasks,cn=config
dn: cn=entryuuid task,cn=tasks,cn=config
... and the list goes on ...



I would presume the list on the faulty IPA server to be similar if I
still had the files available for comparison.


What is the recommended action to enable the faulty IPA server to
successfully start the dirsrv service?




Regards,
Siggi
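Added example (not from this thread and not FreeIPA or 389-ds project code): one way the cron job mentioned in the reply could take its copies so that a missing or zero-length dse.ldif, the state reported above, never rotates a good snapshot out. The function name, the snapshot directory, the retention count and the cn=config sanity check are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA/389-ds code. Names, paths and retention are assumptions.
# Cron usage (placeholder paths):
#   snapshot-dse.sh /etc/dirsrv/slapd-INSTANCE/dse.ldif /root/dse-snapshots 14

# snapshot_dse SRC DESTDIR [KEEP]
# Returns 0 on success, 1 if SRC is missing or empty, 2 if SRC does not look
# like a dse.ldif, 3 if the copy itself fails.
snapshot_dse() {
    src=$1; dest=$2; keep=${3:-14}

    # Missing or zero-length is the state reported after the power loss;
    # never let it rotate a good snapshot out.
    [ -s "$src" ] || { echo "skip: $src missing or empty" >&2; return 1; }

    # Assumption: an intact dse.ldif contains the cn=config root entry.
    grep -qi '^dn: cn=config$' "$src" ||
        { echo "skip: no cn=config entry in $src" >&2; return 2; }

    # dse.ldif holds the Directory Manager password hash, so keep copies
    # owner-only, like the 0600 modes in the listing above.
    mkdir -p "$dest" && chmod 700 "$dest" || return 3
    stamp=$(date +%Y%m%dT%H%M%S)
    tmp="$dest/.dse.ldif.$stamp.$$"

    # Copy under a temporary name, flush to disk, then rename: a crash
    # mid-copy cannot leave a truncated file under a snapshot name.
    ( umask 077; cp "$src" "$tmp" ) && sync &&
        mv "$tmp" "$dest/dse.ldif.$stamp" && sync || { rm -f "$tmp"; return 3; }

    # Keep the newest KEEP snapshots; timestamped names sort chronologically.
    ls -1 "$dest"/dse.ldif.* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while read -r old; do rm -f "$old"; done
    return 0
}

# Run only when called with arguments (e.g. from cron).
if [ "$#" -ge 2 ]; then
    snapshot_dse "$@"
fi
```

A non-zero exit from the cron run is worth alerting on, since it means the live dse.ldif was already missing, empty or unrecognisable at snapshot time.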