[Freeipa-devel] No luck using ds-migrate to import Apple Open Directory

Jeff B jeffb.list at gmail.com
Mon Jan 24 22:42:42 UTC 2011


Apple Open Directory is as follows:

cn=users,dc=host,dc=domain,dc=tld
cn=groups,dc=host,dc=domain,dc=tld

User records have the following object classes:
- person
- top
- organizationalPerson
- extensibleObject
- apple-user
- shadowAccount
- posixAccount
- inetOrgPerson

Group records have the following object classes:
- top
- extensibleObject
- apple-group
- posixGroup

The data is mostly what you would expect for posixAccount and the
other common object classes. When I try to import data to IPA I get
this error for every user and group like this:

-----------
migrate-ds:
-----------
Migrated:
Failed user:
  <username>: unknown object class "apple-user"
  <username>: unknown object class "apple-user"
  <username>: unknown object class "apple-user"
  ... And the rest
Failed group:
  <groupname>: unknown object class "apple-group"
  <groupname>: unknown object class "apple-group"
  <groupname>: unknown object class "apple-group"
  ... And the rest
----------

Here are some of the migrate options I've tried:

  ipa -d migrate-ds \
    --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" \
    ldap://10.0.0.1:389 --user-objectclass="posixAccount" \
    --group-objectclass="posixGroups" --user-container="cn=users" \
    --group-container="cn=groups"

  ipa -d migrate-ds \
    --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" \
    ldap://10.0.0.1:389 --user-objectclass="apple-user" \
    --group-objectclass="apple-group" --user-container="cn=users" \
    --group-container="cn=groups"

I've tried combinations of the two. I've tried changing the --schema
with no change in outcome. The only time the outcome is different is
when I don't include the --group-objectclass or the --user-objectclass.
It fails before it even tries to import the data in the directory. I
get this error:

ipa: DEBUG: Caught fault 4001 from server https://ipa0.myrealm.com/ipa/xml: Container for group not found
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Container for group not found

If I add only the --group-objectclass it tries to migrate and gives me
the list of errors for every user and group having an unknown object
class as described at the top.

Would one expect that I should be able to migrate this data, or would
it fail because it differs from the two supported schemas? I was
hoping since it was based off of posixAccount and posixGroup that it
was close enough to work.



