[Freeipa-users] migrate-ds "is not a POSIX user"

Rob Crittenden rcritten at redhat.com
Mon Jul 1 18:21:48 UTC 2013 

Dmitri Pal wrote:
> On 06/28/2013 03:13 PM, Dmitri Pal wrote:
>> On 06/19/2013 04:39 PM, Alex Lawrence wrote:
>>> Hello!
>>>
>>> I'm working on trying to migrate users into FreeIPA 3.1.5 (Fedora 18)
>>> from DS389 (CentOS 6) 1.2.2.  I've enabled migration on DS389 and I'm
>>> attempting to migrate a subset of people using:
>>>
>>> ipa migrate-ds --user-container="ou=Systems &
>>> Networking,ou=Personnel,dc=plu,dc=edu" --ignore* ldap://LDAP-SERVER:389
>>>
>>> The out put is:
>>>
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> Failed user:
>>>   %UID%: %UID% is not a POSIX user
>>>   %UID%: %UID% is not a POSIX user
>>>   %UID%: %UID% is not a POSIX user
>>>
>>> And so on.
>>>
>>> I've imported my schema into FreeIPA so that it knows my additional
>>> attributes; however, just to be safe I've also tried running the
>>> import ignoring any objectclass in use with the same output.
>>>
>>> --user-ignore-objectclass=pluEduPerson,mailRecipient,eduPerson,posixAccount,inetOrgPerson,organizationalPerson
>>>
>>> I've added the posixAccount object class to a handful of accounts in
>>> question on my DS389 side to be sure that was not an issue either and
>>> that gives me the same result.
>>>
>>> I'm sure this is something simple that I'm missing, any suggestions
>>> would be appreciated.
>
>
> Please check the accounts that are skipped, they are most likely missing
> some POSIX required attribute (though from LDAP point of view it is an
> optional attribute), UID for example or SN.
> Please add missing attributes and try again. The easiest way to do this
> is to compare posix attributes between the entry that is migrated
> without problems and one that is not accepted. There are only 6 posix
> attributes so it should be easy to spot.
>
> If you can't do it in your existing instance take an LDIF load it it
> into another instance and modify users there then migrate from that
> instance.
> I hope this would give you at least a starting point, have a nice weekend.

We look for gidNumber when doing the migration. Users without one aren't 
migrated.

rob

More information about the Freeipa-users mailing list