STTennant
New Member.

Schema Backup

Hi,
I need to update my eDirectory schema for the SSPR application and, being a bit paranoid, I want to do a schema backup first, just in case something goes wrong and I need to recover. The schema LDIF is provided by NetIQ and should work but I still feel I should be able to recover if something goes wrong (memories of a schema corruption in the past haunt me). I tested "ndsbackup cvf ndsbackupfile Schema", modified the schema, then "ndsbackup xvf ndsbackupfile Schema" to restore the schema, but that did not seem to do what I expected and so is not suitable. What is the best way of doing a schema backup that can be restored in a disaster situation? Should I use ICE to export the schema and then to import it?
Any help welcome.

Regards
Steve Tennant
Knowledge Partner

Re: Schema Backup

On 2019-04-15 23:04, sttennant wrote:
>
> Hi,
> I need to update my eDirectory schema for the SSPR application and,
> being a bit paranoid, I want to do a schema backup first, just in case
> something goes wrong and I need to recover. The schema LDIF is provided
> by NetIQ and should work but I still feel I should be able to recover if
> something goes wrong (memories of a schema corruption in the past haunt
> me). I tested "ndsbackup cvf ndsbackupfile Schema", modified the schema,
> then "ndsbackup xvf ndsbackupfile Schema" to restore the schema, but
> that did not seem to do what I expected and so is not suitable. What is
> the best way of doing a schema backup that can be restored in a disaster
> situation? Should I use ICE to export the schema and then to import
> it?
> Any help welcome.
>
> Regards
> Steve Tennant
>
>

You could export the cn=schema to LDIF.

But whether you would be able to re-import it in case of a disaster is
questionable. It has to be tested.

I've never come across a schema corruption during 12+ years and 50+
trees where I've extended the schema so I don't know how it looks.

I always make sure that the time is in sync and the replicas are healthy
and that the replication works before extending.

I use iMonitor or run ndscheck or ndsrepair -T & ndsrepair -E, it's been
"good enough".

-alekz


--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
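
The before/after comparison that an LDIF export of cn=schema makes possible, as an added example that is not part of the original posts: it parses two exports and lists which attributeTypes and objectClasses definitions were added, removed or changed. The sample exports, the OIDs and the names exampleAux and exampleNewAttr are constructed, and the code assumes each file holds only the cn=schema entry.

```python
import base64
import re

def parse_schema_entry(ldif_text):
    """Parse an LDIF export holding only the cn=schema entry into {attr: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # LDIF folding: newline + one space
    entry = {}
    for line in unfolded.splitlines():
        m = re.match(r"([A-Za-z][\w;.-]*):(:?)\s*(.*)$", line)
        if not m:                      # blank line or comment
            continue
        name, is_b64, value = m.groups()
        if is_b64:                     # "attr:: <base64>" form
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value)
    return entry

def index_definitions(values):
    """Key each definition by its first NAME; normalise whitespace for comparison."""
    indexed = {}
    for value in values:
        text = " ".join(value.split())
        m = re.search(r"NAME\s+\(?\s*'([^']+)'", text)
        indexed[(m.group(1) if m else text).lower()] = text
    return indexed

def diff_schema(before_ldif, after_ldif):
    """List definitions added, removed or changed between two schema exports."""
    before, after = parse_schema_entry(before_ldif), parse_schema_entry(after_ldif)
    report = {}
    for attr in ("attributetypes", "objectclasses"):
        old = index_definitions(before.get(attr, []))
        new = index_definitions(after.get(attr, []))
        report[attr] = {
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        }
    return report

# Constructed sample exports; the 1.3.6.1.4.1.99999 OIDs and example* names are made up.
BEFORE = """dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME 'cn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleAux' AUXILIARY
  MAY ( description ) )
"""
AFTER = BEFORE.replace("( description )", "( description $ exampleNewAttr )") + (
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleNewAttr' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\n")
print(diff_schema(BEFORE, AFTER))
```

For the change described in this thread (one new attribute added to an auxiliary class), the report should show exactly one added attribute type and one changed object class; anything else is worth investigating before relying on the new schema.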
Knowledge Partner

Re: Schema Backup

Agreed

Take a backup if you want, but in order to undo something in schema you
MUST be sure nothing uses the thing you want to remove, and it is unlikely
you will know something is wrong until you use the schema.

As a result, if you seriously want to have a way to roll back, then do a
DIB backup, maybe on all boxes at once (as in all DIBs are stopped during
the backup at the same time), and then you can restore to that point in
time if necessary. I wrote ndsrc.pl a long time ago to provide a simple
way to do this kind of backup, so basically you run it on all boxes at
once, you lose services for (usually) a few seconds while the DIB stops
and a tarball is created, and then things turn back on.

Like alekz, though, this is a backup you'll almost certainly never use.
eDirectory has never (in my time in Support at Novell or since as a
consultant) accepted invalid schema; if the schema submitted is bad, it
just rejects it and makes you try again. If anything, it is TOO
restrictive sometimes, requiring that cleanup of all objects using
something before you can change it in any way (which usually makes sense)
but sometimes in ways that I wish would work, and make sense when looking
at the problem from 10,000 meters up.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
STTennant
New Member.

Re: Schema Backup

Hi Ab,
Thanks for the response. I am not sure what you mean by a DIB backup; can you clarify this? My thinking is perhaps I am worrying too much but I am sometimes pressed to provide backout plans when things go wrong.
Regards
Steve Tennant
Knowledge Partner

Re: Schema Backup

The eDirectory Data InfoBase (DIB) is the store of files in the filesystem
which contain everything the local server knows about the tree, whether
that's with replicas of all the tree partitions, or without any replicas,
or somewhere in between, plus all schema, pseudo-server data, and so on.
It is typically located under /var/opt/novell/eDirectory/data/dib and is
made up of files you should almost never touch directly.

An important note about a DIB is that it is server-specific, which means
that it knows everything the server knows at the current point in time,
but if you restore a DIB that means you are restoring everything the
server knew from a previous point in time. If that point in time was a
month ago, or a day ago, or an hour ago, the tree, including this server,
may have moved on to that point (a month later, a day later, an hour
later) without updating the backup (of course, that's why it's a backup),
and restoring a DIB on a single server is not a good idea as a result. On
the other hand, you are worried about a schema problem which would impact
the whole tree, so in that case if you had a DIB backup, taken
simultaneously, on all servers in the tree, you could restore those
per-server DIBs, to each respective server, in order to roll back your
entire tree to a previous point in time.

Naturally this means object changes are all reverted to that point in
time, and while most changes are probably not a big deal, some that
definitely are include user passwords, new certificates (not changing that
often, of course), new server objects (or old ones removed), user
creates/deletes/renames, etc. How many of these there are you may know,
or if you use something that automates a lot of user and group changes,
e.g. Identity Manager (IDM), there may be a lot of changes you did not
directly perform, making this type of rollback more painful, though still
possible to meet your end goals.

STTennant
New Member.

Re: Schema Backup

Hi Alekz,
Thanks for the quick response. I'll run ndscheck before doing the schema change. To be fair when I got a schema corruption in the past I was trying to change the syntax of an attribute. What I want to do now is add a new attribute and add it to an auxiliary class, so perhaps I am worrying about nothing. I am not sure re-applying the schema from an LDIF will work as you say.
Regards
Steve Tennant
Knowledge Partner

Re: Schema Backup

You know you could do it one attribute at a time, by hand in iManager.
Your concern is using the LDIF. You could import it into Designer, then
deploy it one attribute at a time as well.


Knowledge Partner

Re: Schema Backup

geoffc;2498393 wrote:
> You know you could do it one attribute at a time, by hand in iManager.
> Your concern is using the LDIF. You could import it into Designer, then
> deploy it one attribute at a time as well.


I can only add that for schema-related operations it is better to use "classic" (NCP) Designer. "New" (LDAP) Designer still has a number of bugs related to schema operations.