On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <[email protected]> wrote:
> Marco Pizzoli wrote:
>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <[email protected]> wrote:
>>> Dmitri Pal wrote:
>>>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>>> Hi guys,
>>>>> I'm trying to migrate my ldap user base to freeipa. I'm using the last
>>>>> Release Candidate.
>>>>>
>>>>> I already changed "ipa config-mod --enable-migration=TRUE"
>>>>> This is what I have:
>>>>>
>>>>> ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>>>> --user-objectclass=inetOrgPerson
>>>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>>>> --group-objectclass=posixGroup
>>>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>>>
>>>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>>> Password:
>>>>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>>> ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
>>>>>
>>>>> I looked at my ldap server logs and I found out that the search
>>>>> executed has scope=1. Actually both for users and groups. This is a
>>>>> problem for me, in having a lot of subtrees (ou) in which my users and
>>>>> groups are. Is there a way to manage this?
>>>>>
>>>>> Thanks in advance
>>>>> Marco
>>>>>
>>>>> P.s. As a side note, I suppose there's a typo in the verbose message I
>>>>> obtain in my output:
>>>>> ipa: INFO: Forwarding 'migrate_ds' to server *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>>
>>>> Please open tickets for both issues.
>>>
>>> Well, I don't think either is a bug.
>>>
>>> If you have users/groups in multiple places you'll need to migrate
>>> them individually for now. It is safe to run migrate-ds multiple
>>> times, existing users are not migrated.
>>
>> I just re-executed by specifying a nested ou for my groups.
>> This is what I got:
>>
>> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
>> -----------
>> migrate-ds:
>> -----------
>> Migrated:
>> Failed user:
>>   fw03075_no: Type or value exists:
>>   [other users listed]
>> Failed group:
>>   pdbac32: Type or value exists:
>>   [other groups listed]
>> ----------
>> Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts.
>>
>> I don't understand what it's trying to tell me.
>> On my FreeIPA ldap server I don't see any imported user.
>>
>> What's my fault here?
>>
>>> The u is a python-ism for unicode. This is not a bug.
>>
>> Please, could you give a little more detail on this? It's only a hint on
>> what that data represents in a Python variable?
>>
>> Thanks again
>> Marco
>
> Type or value exists occurs when one tries to add an attribute value to an
> entry that already exists.
>
> I suspect that the underlying problem is different between users and
> groups.
>
> For groups it is likely adding a duplicate member.
>
> For users I'm not really sure. It could be one of the POSIX attributes.
> What does a failed entry look like?
>
> rob

The user entry:
------------------------
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
description: fw03075
cn: fw03075
uidNumber: 11013
gidNumber: 503
homeDirectory: /home/fw03075
loginShell: /bin/sh
gecos: fw03075
shadowLastChange: 13059
shadowMax: 99999
shadowWarning: 7
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: xxxPeopleAttributes
sn: SN_NON_IMPOSTATO
givenName: GIVENNAME_NON_IMPOSTATO
xxxUfficio: UFFICIO_NON_IMPOSTATO
xxxTipoUtente: tecnico
uid: fw03075_NO
userPassword: secret

group entry:
-------------------
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
gidNumber: 10015
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
memberUid: NESSUNO
memberUid: aaa415
memberUid: bbb446
xxxAmbiente: prod
xxxDB2GruppiPrivilegi: instance_owner
description: Mydescription
xxxTipoGruppo: db
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
objectClass: xxxGroupsAttributes
objectClass: xxxDB2GroupsAttributes
cn: pdbac32

Thanks again
Marco
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
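
The scope=1 behaviour Marco reports and Rob's advice to migrate each location separately, as an added example that is not part of the thread or of FreeIPA's code: it shows which group entries a one-level search at the groups base returns and lists the containers that would each need their own migrate-ds run. Only the pdbac32 DN is from the thread; the other DNs and the function names are constructed for illustration.

```python
# Added example. Only the pdbac32 DN comes from the thread; the other DNs are
# constructed sample data, and all function names are hypothetical.
GROUPS_BASE = "ou=Groups,dc=mydc1,dc=mydc2.it"
SAMPLE_GROUP_DNS = [
    "cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it",
    "cn=tdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it",
    "cn=staff,ou=Groups,dc=mydc1,dc=mydc2.it",
    "uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it",  # outside the groups base
]

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return tuple(r.strip().lower() for r in rdns)

def onelevel_hits(base, dns):
    """Entries a scope=1 (one-level) search at `base` returns: direct children only."""
    base_rdns = split_dn(base)
    return [dn for dn in dns if split_dn(dn)[1:] == base_rdns]

def containers_to_migrate(base, dns):
    """Map each parent container at or below `base` to the entries directly in it."""
    base_rdns = split_dn(base)
    by_parent = {}
    for dn in dns:
        rdns = split_dn(dn)
        if len(rdns) > len(base_rdns) and rdns[-len(base_rdns):] == base_rdns:
            by_parent.setdefault(",".join(rdns[1:]), []).append(dn)
    return by_parent

if __name__ == "__main__":
    print("scope=1 at base finds:", onelevel_hits(GROUPS_BASE, SAMPLE_GROUP_DNS))
    for parent, entries in sorted(containers_to_migrate(GROUPS_BASE, SAMPLE_GROUP_DNS).items()):
        print(f"{len(entries)} group(s) need --group-container={parent}")
```

The container DNs are printed lower-cased because the comparison normalises case.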
