PingDS 7.5.0

Backup and restore

Plan DS backup and restore procedures for your deployment.

Description

Estimated time to complete: 20 minutes

Safely and regularly back up your directory data to recover quickly when accidents happen.

In this use case, you:

  • Back up directory data using DS tools.

  • Cause an incident requiring recovery.

  • Restore directory data after an incident.

  • Validate the data restore procedure.

Goals

In completing this use case, you learn to:

  • Use DS backup and restore tools.

  • Schedule a recurring backup task.

  • Restore directory data from backup files.

  • Purge outdated backup files.

Example scenario

As a directory service administrator, Pat plans to deploy directory services for critical identity data such as login credentials.

Pat knows good backup and restore plans are a must for identity and access services. If the data is lost, end users cannot authenticate, and account profiles are lost.

Pat plans to show other identity administrators how the backup and restore procedures work and get them to review the process before deployment.

Prerequisites

Knowledge

Before you start, bring yourself up to speed with Pat:

Actions

Before you try this example, set up two replicated DS directory servers on your computer as described in Install DS and Learn replication.

Tasks

Pat demonstrates how to back up and restore DS directory data from the evaluation profile. The order of the tasks is the same in deployment, but the directory data is different.

Task 1: Schedule a recurring backup operation

When you use the DS tools, backup operations are incremental. You can take regular backups with a reasonable amount of disk space relative to your data.

Configure backup tasks

  1. Schedule a regular backup task.

    The following example schedules an hourly backup task:

    $ /path/to/opendj/bin/dsbackup \
 create \
 --backupLocation bak \
 --recurringTask "00 * * * *" \
 --description "Back up every hour" \
 --taskId HourlyBackup \
 --completionNotify diradmin@example.com \
 --errorNotify diradmin@example.com \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin

  2. Schedule a task to remove backup data older than the replication purge delay.

    When you restore data from backup, the backup you restore must be more recent than the replication purge delay. If you restore from older data, the replica you restore can’t replicate with other servers. The default replication purge delay is three days.

    The following example schedules an hourly task to remove outdated backup data:

    $ /path/to/opendj/bin/dsbackup \
 purge \
 --backupLocation bak \
 --recurringTask "00 * * * *" \
 --description "Purge old backups every hour" \
 --olderThan "3 days" \
 --taskId HourlyPurge \
 --completionNotify diradmin@example.com \
 --errorNotify diradmin@example.com \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin

    This task ensures you won’t fill up the disk with old backup data.

(Optional) Back up data now

At this point, the recurring backup task is scheduled; however, the next backup operation won’t start until the top of the hour. If you want to continue this example without waiting for the task to run, you can back up the data now.

These steps demonstrate offline backup:

  1. Stop the server:

    $ /path/to/opendj/bin/stop-ds

  2. Back up the data with the server offline:

    $ /path/to/opendj/bin/dsbackup \
 create \
 --backupLocation bak \
 --offline

    The command writes the backup data to the bak/ directory under the server installation directory.

  3. Start the server:

    $ /path/to/opendj/bin/start-ds

Task 2: Simulate the loss of a server

  1. Make sure you have at least one set of backup files:

    $ /path/to/opendj/bin/dsbackup \
 list \
 --backupLocation bak \
 --offline

    This command runs on the files and can run in offline mode even if the server is up.

    If you are waiting for the hourly backup task to run, there may not be any backup files yet.

  2. Simulate the loss of a server by stopping it abruptly and deleting the files.

    This example removes the second-ds server:

    $ kill -9 <second-ds-pid>
$ rm -rf /path/to/replica

  3. Change an entry.

    You use this change later to validate the restore procedure and show replication replays changes occurring after the last backup operation:

    $ /path/to/opendj/bin/ldapmodify \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDn uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword hifalutin << EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Updated after the replica crashed
EOF

Task 3: Recover and restore the lost server

  1. Replace the lost server with the same configuration but don’t start it.

    This example uses the evaluation profile:

    $ cd ~/Downloads && unzip ~/Downloads/DS-7.5.0.zip && mv opendj /path/to/replica
$ export DEPLOYMENT_ID=<deployment-id>
$ /path/to/replica/setup \
 --serverId second-ds \
 --deploymentId $DEPLOYMENT_ID \
 --deploymentIdPassword password \
 --rootUserDn uid=admin \
 --rootUserPassword password \
 --hostname localhost \
 --ldapPort 11389 \
 --ldapsPort 11636 \
 --adminConnectorPort 14444 \
 --replicationPort 18989 \
 --bootstrapReplicationServer localhost:8989 \
 --profile ds-evaluation \
 --set ds-evaluation/generatedUsers:0 \
 --acceptLicense

    Rebuilding the basic server configuration depends on your deployment. For testing and deployment, adapt the commands to fit your process.

  2. Restore the server data from backup:

    $ /path/to/replica/bin/dsbackup \
 restore \
 --offline \
 --backendName dsEvaluation \
 --backupLocation /path/to/opendj/bak

  3. Start the server:

    $ /path/to/replica/bin/start-ds

    After the server starts and connects to other servers, replication replays changes from after the backup operation.

Validation

Demonstrate the server you restored has the same data as the other replica.

  1. Read the description you changed after the backup operation and server crash on first-ds:

    $ /path/to/opendj/bin/ldapsearch \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDn uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword hifalutin \
 --baseDn dc=example,dc=com \
 "(cn=Babs Jensen)" \
 description
dn: uid=bjensen,ou=People,dc=example,dc=com
description: Updated after the replica crashed

  2. Read the same data on the second-ds server you restored from backup:

    /path/to/replica/bin/ldapsearch \
 --hostname localhost \
 --port 11636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDn uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword hifalutin \
 --baseDn dc=example,dc=com \
 "(cn=Babs Jensen)" \
 description
dn: uid=bjensen,ou=People,dc=example,dc=com
description: Updated after the replica crashed

    The data is the same on both servers. You have shown your backup and restore procedure is sound.

What’s next

After demonstrating the process, Pat implements backup and restore procedures for testing and deployment. These procedures become part of the organization’s runbook, so operators can implement them quickly and easily.

Pat realizes disaster recovery is more than restoring backup files. Pat also implements disaster recovery procedures for testing and deployment as part of the organization’s runbook.

Explore further

This use case can serve as a template for DS test and production deployments. Adapt this example for deployment:

  • Make sure the backup tasks run on more than one DS replica to avoid a single point of backup failure.

  • To keep things simple, this example shows a backup on the local filesystem.

    In testing and deployment, make sure you store backup files remotely. For example, consider backing up to cloud storage.

  • If the filesystem on your servers supports atomic snapshots, consider backing up DS with filesystem snapshots.

Reference material

Reference Description

Backup and restore

Includes detailed examples and alternatives for backing up and restoring directory data

Cryptographic keys

About keys, including those for encrypting and decrypting backup files

dsbackup

Reference for the command-line tool

Server tasks

On server tasks, like recurring backup operations
Copyright © 2010-2024 ForgeRock, all rights reserved.