On 03/20/2012 09:09 AM, Marco Pizzoli wrote:
>
> On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal <[email protected]> wrote:
>
>     On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
>>
>> On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <[email protected]> wrote:
>>
>>     On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>>>
>>> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <[email protected]> wrote:
>>>
>>>     Marco Pizzoli wrote:
>>>
>>>         On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <[email protected]> wrote:
>>>
>>>             Dmitri Pal wrote:
>>>
>>>                 On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>
>>>                     Hi guys,
>>>                     I'm trying to migrate my ldap user base to freeipa. I'm
>>>                     using the last Release Candidate.
>>>
>>>                     I already changed "ipa config-mod --enable-migration=TRUE"
>>>                     This is what I have:
>>>
>>>                     ipa -v migrate-ds \
>>>                       --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it" \
>>>                       --user-container="ou=people,dc=mydc1,dc=mydc2.it" \
>>>                       --user-objectclass=inetOrgPerson \
>>>                       --group-container="ou=groups,dc=mydc1,dc=mydc2.it" \
>>>                       --group-objectclass=posixGroup \
>>>                       --base-dn="dc=mydc1,dc=mydc2.it" \
>>>                       --with-compat ldap://ldap01
>>>
>>>                     ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>                     Password:
>>>                     ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>                     ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
>>>
>>>                     I looked at my ldap server logs and I found out that the search
>>>                     executed has scope=1. Actually both for users and groups.
>>>                     This is a problem for me, in having a lot of subtrees (ou) in
>>>                     which my users and groups are. Is there a way to manage this?
>>>
>>>                     Thanks in advance
>>>                     Marco
>>>
>>>                     P.s. As a side note, I suppose there's a typo in the verbose
>>>                     message I obtain in my output:
>>>                     ipa: INFO: Forwarding 'migrate_ds' to server *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>
>>>                 Please open tickets for both issues.
>>>
>>>             Well, I don't think either is a bug.
>>>
>>>             If you have users/groups in multiple places you'll need to migrate
>>>             them individually for now. It is safe to run migrate-ds multiple
>>>             times, existing users are not migrated.
>>>
>>>         I just re-executed by specifying a nested ou for my groups.
>>>         This is what I got:
>>>
>>>         ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>>>         ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
>>>         -----------
>>>         migrate-ds:
>>>         -----------
>>>         Migrated:
>>>         Failed user:
>>>         fw03075_no: Type or value exists:
>>>         [other users listed]
>>>         Failed group:
>>>         pdbac32: Type or value exists:
>>>         [other groups listed]
>>>         ----------
>>>         Passwords have been migrated in pre-hashed format.
>>>         IPA is unable to generate Kerberos keys unless provided
>>>         with clear text passwords. All migrated users need to
>>>         login at https://your.domain/ipa/migration/ before they
>>>         can use their Kerberos accounts.
>>>
>>>         I don't understand what it's trying to tell me.
>>>         On my FreeIPA ldap server I don't see any imported user.
>>>
>>>         What's my fault here?
>>>
>>>             The u is a python-ism for unicode. This is not a bug.
>>>
>>>         Please, could you give a little more detail on this?
>>>         It's only a hint on what that data represents in a Python variable?
>>>
>>>         Thanks again
>>>         Marco
>>>
>>>     Type or value exists occurs when one tries to add an
>>>     attribute value to an entry that already exists.
>>>
>>>     I suspect that the underlying problem is different
>>>     between users and groups.
>>>
>>>     For groups it is likely adding a duplicate member.
>>>
>>>     For users I'm not really sure. It could be one of the
>>>     POSIX attributes. What does a failed entry look like?
>>>
>>>     rob
>>>
>>> The user entry:
>>> ------------------------
>>> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
>>> description: fw03075
>>> cn: fw03075
>>> uidNumber: 11013
>>> gidNumber: 503
>>> homeDirectory: /home/fw03075
>>> loginShell: /bin/sh
>>> gecos: fw03075
>>> shadowLastChange: 13059
>>> shadowMax: 99999
>>> shadowWarning: 7
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: top
>>> objectClass: xxxPeopleAttributes
>>> sn: SN_NON_IMPOSTATO
>>> givenName: GIVENNAME_NON_IMPOSTATO
>>> xxxUfficio: UFFICIO_NON_IMPOSTATO
>>> xxxTipoUtente: tecnico
>>> uid: fw03075_NO
>>> userPassword: secret
>>>
>>> group entry:
>>> -------------------
>>> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
>>> gidNumber: 10015
>>> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
>>> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
>>> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
>>> memberUid: NESSUNO
>>> memberUid: aaa415
>>> memberUid: bbb446
>>> xxxAmbiente: prod
>>> xxxDB2GruppiPrivilegi: instance_owner
>>> description: Mydescription
>>> xxxTipoGruppo: db
>>> objectClass: top
>>> objectClass: posixGroup
>>> objectClass: groupOfNames
>>> objectClass: xxxGroupsAttributes
>>> objectClass: xxxDB2GroupsAttributes
>>> cn: pdbac32
>>>
>>> Thanks again
>>> Marco
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>     Do you by any chance have a _group_ with name "fw03075_NO"
>>     and _user_ with name "pdbac32"?
>>     Maybe you are hitting a collision on managed group managed?
>>
>> Well, yes and no.
>>
>> No, I don't have a group called "fw03075_NO" and No, I don't have
>> a user called "pdbac32".
>>
>> Yes, I have some users uid=samename and groups cn=samename, but
>> they are not found in the group subtree (ou) from where I
>> launched "ipa migrate-ds".
>>
>> If this is the problem, where can I have any evidence of the
>> actual problem?
>>
>
>     Can you search those names in the IPA LDAP tree after the
>     migration? Maybe there is some object already there with the same
>     cn that collides. This way we would be able to determine what the
>     colliding object is and take it from there. It might collide on
>     some other attribute in the entry and just be reported by uid and cn.
>
> Here it is:
>
> [root@freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(uid=fw03075_NO)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=unix,dc= mydomain ,dc=it> with scope subtree
> # filter: (uid=fw03075_NO)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> [root@freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc= mydomain ,dc=it" -s sub "(cn=fw03075_NO)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=unix,dc= mydomain ,dc=it> with scope subtree
> # filter: (cn=fw03075_NO)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Same thing for "pdbac32".
>
> Or were you asking me something more complicated?
>
> My group and user tree is almost empty. There are only default groups
> and 5/6 users created by hand.
> Yes, some of them have the same uid as the one manually created, but
> they represent only a minority of the total.
>
> Marco
>

I am running out of ideas. Rob, any clues?

>> Thanks again
>> Marco
>>
>>     --
>>     Thank you,
>>     Dmitri Pal
>>
>>     Sr. Engineering Manager IPA project,
>>     Red Hat Inc.
>>
>>     -------------------------------
>>     Looking to carve out IT costs?
>>     www.redhat.com/carveoutcosts/
>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
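The thread notes that migrate-ds searches each container with scope=1 and that entries spread over several OUs have to be migrated container by container. The script below is an added example, not code from the thread or from FreeIPA: it assumes the source directory has been exported to LDIF and lists every immediate parent container that holds entries of a given objectClass; the function names and the sample data are made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample export, modelled on the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=myd
 c2.it
objectClass: posixGroup
cn: pdbac32

dn: cn=staff,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: top
objectClass: posixGroup

dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry. Base64 ('::') values are not decoded."""
    text = re.sub(r"\n ", "", text)  # undo RFC 2849 line folding
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
        if dn:
            yield dn, attrs

def parent_dn(dn):
    """Drop the first RDN, leaving backslash-escaped commas alone."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def containers_for(text, objectclass):
    """Group matching entries by immediate parent: one scope=1 search base each."""
    found = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        if objectclass.lower() in (v.lower() for v in attrs["objectclass"]):
            found[parent_dn(dn)].append(dn)
    return dict(found)

if __name__ == "__main__":
    # Each printed container needs its own migrate-ds run.
    for base, dns in sorted(containers_for(SAMPLE_LDIF, "posixGroup").items()):
        print(f"{len(dns):4d}  {base}")
```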
