On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <[email protected]> wrote:
Marco Pizzoli wrote:
On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <[email protected]> wrote:
Dmitri Pal wrote:
On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
Hi guys,
I'm trying to migrate my ldap user base to freeipa. I'm using the last
Release Candidate.
I already changed "ipa config-mod --enable-migration=TRUE"
This is what I have:
ipa -v migrate-ds \
  --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it" \
  --user-container="ou=people,dc=mydc1,dc=mydc2.it" \
  --user-objectclass=inetOrgPerson \
  --group-container="ou=groups,dc=mydc1,dc=mydc2.it" \
  --group-objectclass=posixGroup \
  --base-dn="dc=mydc1,dc=mydc2.it" \
  --with-compat ldap://ldap01
ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
Password:
ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
I looked at my ldap server logs and I found out that the search
executed has scope=1. Actually both for users and groups. This is a
problem for me, in having a lot of subtrees (ou) in which my users and
groups are. Is there a way to manage this?
Thanks in advance
Marco
P.s. As a side note, I suppose there's a typo in the verbose message I
obtain in my output:
ipa: INFO: Forwarding 'migrate_ds' to server *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
Please open tickets for both issues.
Well, I don't think either is a bug.
If you have users/groups in multiple places you'll need to migrate
them individually for now. It is safe to run migrate-ds multiple
times, existing users are not migrated.
I just re-executed by specifying a nested ou for my groups.
This is what I got:
ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
-----------
migrate-ds:
-----------
Migrated:
Failed user:
fw03075_no: Type or value exists:
[other users listed]
Failed group:
pdbac32: Type or value exists:
[other groups listed]
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
I don't understand what it's trying to tell me.
On my FreeIPA ldap server I don't see any imported user.
What's my fault here?
The u is a python-ism for unicode. This is not a bug.
Please, could you give a little more detail on this? It's only a hint on
what that data represents in a Python variable?
Thanks again
Marco
Type or value exists occurs when one tries to add an
attribute value to an entry that already exists.
I suspect that the underlying problem is different
between users and groups.
For groups it is likely adding a duplicate member.
For users I'm not really sure. It could be one of the
POSIX attributes. What does a failed entry look like?
rob
The user entry:
------------------------
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
description: fw03075
cn: fw03075
uidNumber: 11013
gidNumber: 503
homeDirectory: /home/fw03075
loginShell: /bin/sh
gecos: fw03075
shadowLastChange: 13059
shadowMax: 99999
shadowWarning: 7
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: xxxPeopleAttributes
sn: SN_NON_IMPOSTATO
givenName: GIVENNAME_NON_IMPOSTATO
xxxUfficio: UFFICIO_NON_IMPOSTATO
xxxTipoUtente: tecnico
uid: fw03075_NO
userPassword: secret
group entry:
-------------------
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
gidNumber: 10015
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
memberUid: NESSUNO
memberUid: aaa415
memberUid: bbb446
xxxAmbiente: prod
xxxDB2GruppiPrivilegi: instance_owner
description: Mydescription
xxxTipoGruppo: db
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
objectClass: xxxGroupsAttributes
objectClass: xxxDB2GroupsAttributes
cn: pdbac32
Thanks again
Marco
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users