On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <[email protected]> wrote:
> On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>
> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <[email protected]> wrote:
>
>> Marco Pizzoli wrote:
>>
>>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <[email protected]> wrote:
>>>
>>> Dmitri Pal wrote:
>>>
>>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>
>>> Hi guys,
>>> I'm trying to migrate my ldap user base to freeipa. I'm using the last
>>> Release Candidate.
>>>
>>> I already changed "ipa config-mod --enable-migration=TRUE"
>>> This is what I have:
>>>
>>> ipa -v migrate-ds
>>> --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>> --user-objectclass=inetOrgPerson
>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>> --group-objectclass=posixGroup
>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>
>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>> Password:
>>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>> ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
>>>
>>> I looked at my ldap server logs and I found out that the search
>>> executed has scope=1. Actually both for users and groups. This is a
>>> problem for me, in having a lot of subtrees (ou) in which my users and
>>> groups are. Is there a way to manage this?
>>>
>>> Thanks in advance
>>> Marco
>>>
>>> P.s.
>>> As a side note, I suppose there's a typo in the verbose message I
>>> obtain in my output:
>>> ipa: INFO: Forwarding 'migrate_ds' to server *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>
>>> Please open tickets for both issues.
>>>
>>> Well, I don't think either is a bug.
>>>
>>> If you have users/groups in multiple places you'll need to migrate
>>> them individually for now. It is safe to run migrate-ds multiple
>>> times, existing users are not migrated.
>>>
>>> I just re-executed by specifying a nested ou for my groups.
>>> This is what I got:
>>>
>>> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> Failed user:
>>> fw03075_no: Type or value exists:
>>> [other users listed]
>>> Failed group:
>>> pdbac32: Type or value exists:
>>> [other groups listed]
>>> ----------
>>> Passwords have been migrated in pre-hashed format.
>>> IPA is unable to generate Kerberos keys unless provided
>>> with clear text passwords. All migrated users need to
>>> login at https://your.domain/ipa/migration/ before they
>>> can use their Kerberos accounts.
>>>
>>> I don't understand what it's trying to tell me.
>>> On my FreeIPA ldap server I don't see any imported user.
>>>
>>> What's my fault here?
>>>
>>> The u is a python-ism for unicode. This is not a bug.
>>>
>>> Please, could you give a little more detail on this? It's only a hint on
>>> what that data represents in a Python variable?
>>>
>>> Thanks again
>>> Marco
>>
>> Type or value exists occurs when one tries to add an attribute value to
>> an entry that already exists.
>>
>> I suspect that the underlying problem is different between users and
>> groups.
>>
>> For groups it is likely adding a duplicate member.
>>
>> For users I'm not really sure. It could be one of the POSIX attributes.
>> What does a failed entry look like?
>>
>> rob
>
> The user entry:
> ------------------------
> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
> description: fw03075
> cn: fw03075
> uidNumber: 11013
> gidNumber: 503
> homeDirectory: /home/fw03075
> loginShell: /bin/sh
> gecos: fw03075
> shadowLastChange: 13059
> shadowMax: 99999
> shadowWarning: 7
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> objectClass: xxxPeopleAttributes
> sn: SN_NON_IMPOSTATO
> givenName: GIVENNAME_NON_IMPOSTATO
> xxxUfficio: UFFICIO_NON_IMPOSTATO
> xxxTipoUtente: tecnico
> uid: fw03075_NO
> userPassword: secret
>
> group entry:
> -------------------
> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
> gidNumber: 10015
> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
> memberUid: NESSUNO
> memberUid: aaa415
> memberUid: bbb446
> xxxAmbiente: prod
> xxxDB2GruppiPrivilegi: instance_owner
> description: Mydescription
> xxxTipoGruppo: db
> objectClass: top
> objectClass: posixGroup
> objectClass: groupOfNames
> objectClass: xxxGroupsAttributes
> objectClass: xxxDB2GroupsAttributes
> cn: pdbac32
>
> Thanks again
> Marco
>
> Do you by any chance have a *group* with name "fw03075_NO" and *user* with
> name "pdbac32"?
> Maybe you are hitting a collision on a managed group?

Well, yes and no.
No, I don't have a group called "fw03075_NO" and No, I don't have a user called "pdbac32".
Yes, I have some users uid=samename and groups cn=samename, but they are not found in the group subtree (ou) from where I launched "ipa migrate-ds".

If this is the problem, where can I have any evidence of the actual problem?

Thanks again
Marco

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
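
Added example (not part of the thread, and not FreeIPA code): the thread leaves the cause of "Type or value exists" open, so this checks an LDIF export of the source directory for the two conditions raised in it, a user uid equal to a group cn and a member value repeated within one group. The case-insensitive comparison and the objectClass names used as filters are assumptions, and the sample LDIF is constructed.

```python
from collections import defaultdict

# Constructed sample export; names are modelled on the thread, not real data.
SAMPLE_LDIF = """\
dn: uid=PDBtest,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
uid: PDBtest

dn: cn=pdbtest,ou=db2,ou=Groups,dc=mydc1,dc=
 mydc2.it
objectClass: posixGroup
cn: pdbtest
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=AAA415,ou=People,dc=mydc1,dc=mydc2.it
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute -> list of values."""
    unfolded = text.replace("\n ", "")  # a leading space continues the previous line
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def names(entries, objectclass, attr):
    """Lowercased values of attr across entries carrying objectclass."""
    return {v.lower() for e in entries for v in e[attr]
            if objectclass.lower() in (c.lower() for c in e["objectclass"])}

def name_collisions(entries):
    """User uids that equal a group cn (the collision asked about in the thread)."""
    return sorted(names(entries, "inetOrgPerson", "uid") & names(entries, "posixGroup", "cn"))

def duplicate_values(entries, attr="member"):
    """Map dn -> values of attr repeated inside one entry, ignoring case."""
    found = {}
    for e in entries:
        seen, dups = set(), set()
        for v in e[attr]:
            (dups if v.lower() in seen else seen).add(v.lower())
        if dups:
            found[e["dn"][0]] = sorted(dups)
    return found
```

Call parse_ldif() on an export that covers both the user and the group containers, then pass the result to both checks; base64-encoded values ("attr:: ...") are not decoded.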
