<br><br><div class="gmail_quote">On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Marco Pizzoli wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
<br>
On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></div><div class="im"> wrote:<br>
<br>
Dmitri Pal wrote:<br>
<br>
On 03/17/2012 07:36 AM, Marco Pizzoli wrote:<br>
<br>
Hi guys,<br>
I'm trying to migrate my ldap user base to freeipa. I'm<br>
using the last<br>
Release Candidate.<br>
<br>
I already changed "ipa config-mod --enable-migration=TRUE"<br>
This is what I have:<br>
<br>
ipa -v migrate-ds<br></div>
--bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"<br>
--user-container="ou=people,dc=mydc1,dc=mydc2.it" --user-objectclass=inetOrgPerson<br>
--group-container="ou=groups,dc=mydc1,dc=mydc2.it"<br>
--group-objectclass=posixGroup<br>
--base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01<div class="im"><br>
<br>
ipa: INFO: trying <a href="https://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a></div><div class="im"><br>
Password:<br>
ipa: INFO: Forwarding 'migrate_ds' to server<br></div>
u'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'<div class="im"><br>
ipa: ERROR: Container for group not found at<br>
ou=groups,dc=mydc1,dc=mydc2.it<br>
<br>
<br>
I looked at my ldap server logs and I found out that the search<br>
executed has scope=1. Actually both for users and groups.<br>
This is a<br>
problem for me, in having a lot of subtrees (ou) in which my<br>
users and<br>
groups are. Is there a way to manage this?<br>
<br>
Thanks in advance<br>
Marco<br>
<br>
P.s. As a side note, I suppose there's a typo in the verbose<br>
message I<br>
obtain in my output:<br>
ipa: INFO: Forwarding 'migrate_ds' to server<br></div>
*u*'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'<div><div class="h5"><br>
<br>
<br>
Please open tickets for both issues.<br>
<br>
<br>
Well, I don't think either is a bug.<br>
<br>
If you have users/groups in multiple places you'll need to migrate<br>
them individually for now. It is safe to run migrate-ds multiple<br>
times, existing users are not migrated.<br>
<br>
<br>
I just re-executed by specifying a nested ou for my groups.<br>
This is what I got:<br>
<br>
ipa: INFO: trying <a href="https://freeipa01.unix.csebo.it/ipa/xml" target="_blank">https://freeipa01.unix.csebo.it/ipa/xml</a><br>
ipa: INFO: Forwarding 'migrate_ds' to server<br>
u'<a href="http://freeipa01.unix.csebo.it/ipa/xml" target="_blank">http://freeipa01.unix.csebo.it/ipa/xml</a>'<br>
-----------<br>
migrate-ds:<br>
-----------<br>
Migrated:<br>
Failed user:<br>
fw03075_no: Type or value exists:<br>
[other users listed]<br>
Failed group:<br>
pdbac32: Type or value exists:<br>
[other groups listed]<br>
----------<br>
Passwords have been migrated in pre-hashed format.<br>
IPA is unable to generate Kerberos keys unless provided<br>
with clear text passwords. All migrated users need to<br>
login at <a href="https://your.domain/ipa/migration/" target="_blank">https://your.domain/ipa/migration/</a> before they<br>
can use their Kerberos accounts.<br>
<br>
I don't understand what it's trying to tell me.<br>
On my FreeIPA ldap server I don't see any imported user.<br>
<br>
What's my fault here?<br>
<br>
<br>
The u is a python-ism for unicode. This is not a bug.<br>
<br>
<br>
Please, could you give a little more detail on this? It's only a hint on<br>
what that data represents in a Python variable?<br>
<br>
Thanks again<br>
Marco<br>
</div></div></blockquote>
<br>
Type or value exists occurs when one tries to add an attribute value to an entry that already exists.<br>
<br>
I suspect that the underlying problem is different between users and groups.<br>
<br>
For groups it is likely adding a duplicate member.<br>
<br>
For users I'm not really sure. It could be one of the POSIX attributes. What does a failed entry look like?<span class="HOEnZb"><font color="#888888"><br>
<br>
rob<br>
</font></span></blockquote></div><br>The user entry:<br>
------------------------<br>
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it<br>
description: fw03075<br>
cn: fw03075<br>
uidNumber: 11013<br>
gidNumber: 503<br>
homeDirectory: /home/fw03075<br>
loginShell: /bin/sh<br>
gecos: fw03075<br>
shadowLastChange: 13059<br>
shadowMax: 99999<br>
shadowWarning: 7<br>
objectClass: inetOrgPerson<br>
objectClass: posixAccount<br>
objectClass: shadowAccount<br>
objectClass: top<br>
objectClass: xxxPeopleAttributes<br>
sn: SN_NON_IMPOSTATO<br>
givenName: GIVENNAME_NON_IMPOSTATO<br>
xxxUfficio: UFFICIO_NON_IMPOSTATO<br>
xxxTipoUtente: tecnico<br>
uid: fw03075_NO<br>
userPassword: secret<br>
<br><br>group entry:<br>
-------------------<br>
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it<br>
gidNumber: 10015<br>
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it<br>
memberUid: NESSUNO<br>
memberUid: aaa415<br>
memberUid: bbb446<br>
xxxAmbiente: prod<br>
xxxDB2GruppiPrivilegi: instance_owner<br>
description: Mydescription<br>
xxxTipoGruppo: db<br>
objectClass: top<br>
objectClass: posixGroup<br>
objectClass: groupOfNames<br>
objectClass: xxxGroupsAttributes<br>
objectClass: xxxDB2GroupsAttributes<br>
cn: pdbac32<br><br>Thanks again<br>Marco<br>
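<br>
The thread above notes that the migration search is one-level (scope=1) and that users and groups spread over several subtrees have to be migrated one location at a time, which requires knowing every container that directly holds entries. The following is an added example, not part of the thread and not FreeIPA code: it reads an LDIF export of the old directory and counts the entries of a given objectClass per immediate parent container. The sample LDIF is constructed and the function names are hypothetical.

```python
import base64
import re
from collections import Counter

# Constructed sample export; the DNs mimic the nested layout described in the thread.
SAMPLE_LDIF = """\
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup

dn: cn=pdbac33,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup

dn: cn=ops\\, night,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup

dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
"""

def parse_entries(ldif):
    """Yield (dn, set of lower-cased objectClass values) for each LDIF record."""
    unfolded = re.sub(r"\n ", "", ldif)              # undo RFC 2849 line folding
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        dn, classes = None, set()
        for line in record.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):      # skip comments and junk lines
                continue
            if value.startswith(":"):                # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if attr.lower() == "dn":
                dn = value.strip()
            elif attr.lower() == "objectclass":
                classes.add(value.strip().lower())
        if dn:
            yield dn, classes

def parent_dn(dn):
    """Drop the first RDN, splitting only on a comma not escaped by a backslash."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def containers(ldif, objectclass):
    """Count entries of one objectClass per immediate parent (DNs lower-cased)."""
    counts = Counter()
    for dn, classes in parse_entries(ldif):
        if objectclass.lower() in classes:
            counts[parent_dn(dn).lower()] += 1
    return dict(counts)
```

Each key returned by `containers()` is a location that a one-level search has to be pointed at separately; entries one level deeper will not be found from the parent.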