On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>
> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <[email protected]> wrote:
>
> > Marco Pizzoli wrote:
> >
> > > On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <[email protected]> wrote:
> > >
> > > > Dmitri Pal wrote:
> > > >
> > > > > On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
> > > > >
> > > > > > Hi guys,
> > > > > > I'm trying to migrate my ldap user base to freeipa. I'm using the last
> > > > > > Release Candidate.
> > > > > >
> > > > > > I already changed "ipa config-mod --enable-migration=TRUE"
> > > > > > This is what I have:
> > > > > >
> > > > > > ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it" --user-container="ou=people,dc=mydc1,dc=mydc2.it" --user-objectclass=inetOrgPerson --group-container="ou=groups,dc=mydc1,dc=mydc2.it" --group-objectclass=posixGroup --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
> > > > > >
> > > > > > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
> > > > > > Password:
> > > > > > ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > > > ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
> > > > > >
> > > > > > I looked at my ldap server logs and I found out that the search
> > > > > > executed has scope=1. Actually both for users and groups. This is a
> > > > > > problem for me, in having a lot of subtrees (ou) in which my users and
> > > > > > groups are. Is there a way to manage this?
> > > > > >
> > > > > > Thanks in advance
> > > > > > Marco
> > > > > >
> > > > > > P.s. As a side note, I suppose there's a typo in the verbose message I
> > > > > > obtain in my output:
> > > > > > ipa: INFO: Forwarding 'migrate_ds' to server *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > >
> > > > > Please open tickets for both issues.
> > > >
> > > > Well, I don't think either is a bug.
> > > >
> > > > If you have users/groups in multiple places you'll need to migrate
> > > > them individually for now. It is safe to run migrate-ds multiple
> > > > times, existing users are not migrated.
> > >
> > > I just re-executed by specifying a nested ou for my groups.
> > > This is what I got:
> > >
> > > ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
> > > ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
> > > -----------
> > > migrate-ds:
> > > -----------
> > > Migrated:
> > > Failed user:
> > > fw03075_no: Type or value exists:
> > > [other users listed]
> > > Failed group:
> > > pdbac32: Type or value exists:
> > > [other groups listed]
> > > ----------
> > > Passwords have been migrated in pre-hashed format.
> > > IPA is unable to generate Kerberos keys unless provided
> > > with clear text passwords. All migrated users need to
> > > login at https://your.domain/ipa/migration/ before they
> > > can use their Kerberos accounts.
> > >
> > > I don't understand what it's trying to tell me.
> > > On my FreeIPA ldap server I don't see any imported user.
> > >
> > > What's my fault here?
> > >
> > > > The u is a python-ism for unicode. This is not a bug.
> > >
> > > Please, could you give a little more detail on this? It's only a hint on
> > > what that data represents in a Python variable?
> > >
> > > Thanks again
> > > Marco
> >
> > Type or value exists occurs when one tries to add an attribute
> > value to an entry that already exists.
> >
> > I suspect that the underlying problem is different between users
> > and groups.
> >
> > For groups it is likely adding a duplicate member.
> >
> > For users I'm not really sure. It could be one of the POSIX
> > attributes. What does a failed entry look like?
> >
> > rob
>
> The user entry:
> ------------------------
> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
> description: fw03075
> cn: fw03075
> uidNumber: 11013
> gidNumber: 503
> homeDirectory: /home/fw03075
> loginShell: /bin/sh
> gecos: fw03075
> shadowLastChange: 13059
> shadowMax: 99999
> shadowWarning: 7
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> objectClass: xxxPeopleAttributes
> sn: SN_NON_IMPOSTATO
> givenName: GIVENNAME_NON_IMPOSTATO
> xxxUfficio: UFFICIO_NON_IMPOSTATO
> xxxTipoUtente: tecnico
> uid: fw03075_NO
> userPassword: secret
>
> group entry:
> -------------------
> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
> gidNumber: 10015
> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
> memberUid: NESSUNO
> memberUid: aaa415
> memberUid: bbb446
> xxxAmbiente: prod
> xxxDB2GruppiPrivilegi: instance_owner
> description: Mydescription
> xxxTipoGruppo: db
> objectClass: top
> objectClass: posixGroup
> objectClass: groupOfNames
> objectClass: xxxGroupsAttributes
> objectClass: xxxDB2GroupsAttributes
> cn: pdbac32
>
> Thanks again
> Marco
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

Do you by any chance have a _group_ with name "fw03075_NO" and _user_ with name "pdbac32"?
Maybe you are hitting a collision on managed group managed?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
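An added example, not part of any message in this thread: a pre-flight check over an LDIF export of the source directory, covering the two points raised above. It lists every container that directly holds users or groups (the migration search is one-level, so each needs its own `migrate-ds` run) and reports names used both as a user `uid` and a group `cn`, the collision Dmitri asks about. The function names, the `dc=example,dc=test` suffix and the sample entries are constructed for illustration.

```python
# Added example, not code from the thread. SAMPLE_LDIF is constructed.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
uid: fw03075_NO

dn: uid=pdbac32,ou=Service,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
uid: pdbac32

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=Groups,dc=example,dc=test
objectClass: posixGroup
cn: pdbac32

dn: cn=admins,ou=Groups,dc=example,dc=test
objectClass: posixGroup
cn: admins
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                name, value = line.split(": ", 1)
                attrs[name.lower()].append(value)
        if attrs["dn"]:
            entries.append((attrs["dn"][0], attrs))
    return entries

def has_class(attrs, object_class):
    return object_class.lower() in (v.lower() for v in attrs["objectclass"])

def containers(entries, object_class):
    """Parent DNs holding such entries; a one-level search needs one run each."""
    # Naive split: assumes no escaped commas in the leading RDN.
    return sorted({dn.split(",", 1)[1].lower()
                   for dn, attrs in entries if has_class(attrs, object_class)})

def name_collisions(entries, user_class="inetOrgPerson", group_class="posixGroup"):
    """Names used both as a user uid and a group cn, compared case-insensitively."""
    users = {v.lower() for _, a in entries if has_class(a, user_class) for v in a["uid"]}
    groups = {v.lower() for _, a in entries if has_class(a, group_class) for v in a["cn"]}
    return sorted(users & groups)

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Each DN returned by `containers()` is a candidate value for `--user-container` or `--group-container`; any name returned by `name_collisions()` should be resolved in the source directory before migrating.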
