On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal <[email protected]> wrote:

> On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
>
> On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <[email protected]> wrote:
>
>> On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>>
>> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <[email protected]> wrote:
>>
>>> Marco Pizzoli wrote:
>>>
>>>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <[email protected]> wrote:
>>>>
>>>> Dmitri Pal wrote:
>>>>
>>>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>>
>>>> Hi guys,
>>>> I'm trying to migrate my ldap user base to freeipa. I'm using the last
>>>> Release Candidate.
>>>>
>>>> I already changed "ipa config-mod --enable-migration=TRUE"
>>>> This is what I have:
>>>>
>>>> ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it" --user-objectclass=inetOrgPerson
>>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it" --group-objectclass=posixGroup
>>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>>
>>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>> Password:
>>>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>> ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
>>>>
>>>> I looked at my ldap server logs and I found out that the search
>>>> executed has scope=1. Actually both for users and groups. This is a
>>>> problem for me, in having a lot of subtrees (ou) in which my users and
>>>> groups are.
>>>> Is there a way to manage this?
>>>>
>>>> Thanks in advance
>>>> Marco
>>>>
>>>> P.s. As a side note, I suppose there's a typo in the verbose message I
>>>> obtain in my output:
>>>> ipa: INFO: Forwarding 'migrate_ds' to server *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>>
>>>> Please open tickets for both issues.
>>>>
>>>> Well, I don't think either is a bug.
>>>>
>>>> If you have users/groups in multiple places you'll need to migrate
>>>> them individually for now. It is safe to run migrate-ds multiple
>>>> times; existing users are not migrated.
>>>>
>>>> I just re-executed by specifying a nested ou for my groups.
>>>> This is what I got:
>>>>
>>>> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>>>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
>>>> -----------
>>>> migrate-ds:
>>>> -----------
>>>> Migrated:
>>>> Failed user:
>>>> fw03075_no: Type or value exists:
>>>> [other users listed]
>>>> Failed group:
>>>> pdbac32: Type or value exists:
>>>> [other groups listed]
>>>> ----------
>>>> Passwords have been migrated in pre-hashed format.
>>>> IPA is unable to generate Kerberos keys unless provided
>>>> with clear text passwords. All migrated users need to
>>>> login at https://your.domain/ipa/migration/ before they
>>>> can use their Kerberos accounts.
>>>>
>>>> I don't understand what it's trying to tell me.
>>>> On my FreeIPA ldap server I don't see any imported user.
>>>>
>>>> What's my fault here?
>>>>
>>>> The u is a python-ism for unicode. This is not a bug.
>>>>
>>>> Please, could you give a little more detail on this? It's only a hint on
>>>> what that data represents in a Python variable?
>>>>
>>>> Thanks again
>>>> Marco
>>>
>>> Type or value exists occurs when one tries to add an attribute value to
>>> an entry that already exists.
>>>
>>> I suspect that the underlying problem is different between users and
>>> groups.
>>>
>>> For groups it is likely adding a duplicate member.
>>>
>>> For users I'm not really sure. It could be one of the POSIX attributes.
>>> What does a failed entry look like?
>>>
>>> rob
>>
>> The user entry:
>> ------------------------
>> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
>> description: fw03075
>> cn: fw03075
>> uidNumber: 11013
>> gidNumber: 503
>> homeDirectory: /home/fw03075
>> loginShell: /bin/sh
>> gecos: fw03075
>> shadowLastChange: 13059
>> shadowMax: 99999
>> shadowWarning: 7
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: top
>> objectClass: xxxPeopleAttributes
>> sn: SN_NON_IMPOSTATO
>> givenName: GIVENNAME_NON_IMPOSTATO
>> xxxUfficio: UFFICIO_NON_IMPOSTATO
>> xxxTipoUtente: tecnico
>> uid: fw03075_NO
>> userPassword: secret
>>
>> group entry:
>> -------------------
>> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
>> gidNumber: 10015
>> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
>> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
>> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
>> memberUid: NESSUNO
>> memberUid: aaa415
>> memberUid: bbb446
>> xxxAmbiente: prod
>> xxxDB2GruppiPrivilegi: instance_owner
>> description: Mydescription
>> xxxTipoGruppo: db
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: groupOfNames
>> objectClass: xxxGroupsAttributes
>> objectClass: xxxDB2GroupsAttributes
>> cn: pdbac32
>>
>> Thanks again
>> Marco
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> Do you by any chance have a *group* with name "fw03075_NO" and *user* with
>> name "pdbac32"?
>> Maybe you are hitting a collision on a managed group?
>
> Well, yes and no.
>
> No, I don't have a group called "fw03075_NO" and no, I don't have a user
> called "pdbac32".
>
> Yes, I have some users uid=samename and groups cn=samename, but they are
> not found in the group subtree (ou) from where I launched "ipa migrate-ds".
>
> If this is the problem, where can I have any evidence of the actual
> problem?
>
> Can you search those names in the IPA LDAP tree after the migration? Maybe
> there is some object already there with the same cn that collides. This
> way we would be able to determine what the colliding object is and take it
> from there. It might collide on some other attribute in the entry and just
> be reported by uid and cn.
Here it is:

[root@freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(uid=fw03075_NO)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=mydomain,dc=it> with scope subtree
# filter: (uid=fw03075_NO)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root@freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(cn=fw03075_NO)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=mydomain,dc=it> with scope subtree
# filter: (cn=fw03075_NO)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Same thing for "pdbac32".

Or were you asking me something more complicated?

My group and user tree is almost empty. There are only default groups and 5/6
users created by hand. Yes, some of them have the same uid as the one manually
created, but they represent only a minority of the total.

Marco

>
> Thanks again
> Marco
>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
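The thread turns on three things: migrate-ds searching each container with scope=1 (so entries in nested OUs are never seen), groups whose cn matches a user uid (which collides with the private group IPA creates for every user, the "managed group" collision Dmitri raises), and the "Type or value exists" error Rob attributes to a duplicate member. The following Python is an added example, not FreeIPA code and not anything posted in the thread; it runs those three checks over a constructed LDIF export before migration. It assumes (not verified here) that migrate-ds folds member DNs and memberUid values into a single IPA member attribute, and it uses a deliberately minimal LDIF reader and naive DN splitting.

```python
SAMPLE_LDIF = """\
dn: uid=pdbac32,ou=People,dc=mydc1,dc=mydc2.it
objectClass: posixAccount
uid: pdbac32

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: pdbac32
member: uid=pdbac32,ou=People,dc=mydc1,dc=mydc2.it
memberUid: pdbac32
"""  # constructed sample, not the poster's export; DNs echo the thread
USER_CONTAINER, GROUP_CONTAINER = "ou=People,dc=mydc1,dc=mydc2.it", "ou=Groups,dc=mydc1,dc=mydc2.it"

def parse_ldif(text):
    """Minimal LDIF reader (no line folding or base64): list of (dn, {attr: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def rdn_depth(dn, container):
    """RDNs from entry down to container (1 = what a scope=1 search sees); None if outside it."""
    suffix = "," + container.lower()  # naive DN handling, ignores escaped commas
    return dn[:-len(suffix)].count(",") + 1 if dn.lower().endswith(suffix) else None

def precheck(ldif_text, user_container, group_container):
    """Flag the three conditions raised in the thread, keyed by category."""
    entries = parse_ldif(ldif_text)
    users = [(d, a) for d, a in entries if "posixAccount" in a.get("objectClass", [])]
    groups = [(d, a) for d, a in entries if "posixGroup" in a.get("objectClass", [])]
    uids = {a["uid"][0].lower() for _, a in users}
    report = {"missed_by_onelevel": [d for d, _ in users if rdn_depth(d, user_container) != 1],
              "cn_collides_with_uid": [], "duplicate_member": []}
    for dn, a in groups:
        if rdn_depth(dn, group_container) != 1:
            report["missed_by_onelevel"].append(dn)
        cn = a["cn"][0]
        if cn.lower() in uids:  # IPA creates a private group named after each user
            report["cn_collides_with_uid"].append(cn)
        # Assumption: migrate-ds folds member DNs and memberUid into one member attribute, so a user listed both ways duplicates
        names = [m.split(",")[0].split("=", 1)[1].lower() for m in a.get("member", [])]
        names += [m.lower() for m in a.get("memberUid", [])]
        if len(set(names)) != len(names):
            report["duplicate_member"].append(cn)
    return report
```

Run it against a real export by replacing SAMPLE_LDIF with the output of ldapsearch -LLL over the source tree; anything in missed_by_onelevel has to be migrated with its own --user-container or --group-container, as Rob suggests above.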
