<div class="gmail_quote">On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Dmitri Pal wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> On 03/17/2012 07:36 AM, Marco Pizzoli wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> Hi guys, I'm trying to migrate my ldap user base to freeipa. I'm using the last Release Candidate. I already changed "ipa config-mod --enable-migration=TRUE" This is what I have: ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a> </div> <<a href="http://mydc2.it" target="_blank">http://mydc2.it</a>>" --user-container="ou=people,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a> <<a href="http://mydc2.it" target="_blank">http://mydc2.it</a>>" --user-objectclass=inetOrgPerson --group-container="ou=groups,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a> <<a href="http://mydc2.it" target="_blank">http://mydc2.it</a>>" --group-objectclass=posixGroup --base-dn="dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a> <<a href="http://mydc2.it" target="_blank">http://mydc2.it</a>>" --with-compat ldap://ldap01<div class="im"> ipa: INFO: trying <a href="https://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a> Password: ipa: INFO: Forwarding 'migrate_ds' to server u'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>' ipa: ERROR: Container for group not found at </div> ou=groups,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a> <<a href="http://mydc2.it" target="_blank">http://mydc2.it</a>><div class="im"> I looked at my ldap server logs and I found out that the search executed has scope=1. Actually both for users and groups. This is a problem for me, in having a lot of subtrees (ou) in which my users and groups are. Is there a way to manage this? Thanks in advance Marco P.s. As a side note, I suppose there's a typo in the verbose message I obtain in my output: ipa: INFO: Forwarding 'migrate_ds' to server </div> *u*'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>' </blockquote><div class="im"> Please open tickets for both issues. </div></blockquote> Well, I don't think either is a bug. If you have users/groups in multiple places you'll need to migrate them individually for now. It is safe to run migrate-ds multiple times, existing users are not migrated. </blockquote><div> I just re-executed by specifing a nested ou for my groups. This is what I got: ipa: INFO: trying <a href="https://freeipa01.unix.csebo.it/ipa/xml">https://freeipa01.unix.csebo.it/ipa/xml</a> ipa: INFO: Forwarding 'migrate_ds' to server u'<a href="http://freeipa01.unix.csebo.it/ipa/xml">http://freeipa01.unix.csebo.it/ipa/xml</a>' ----------- migrate-ds: ----------- Migrated: Failed user: fw03075_no: Type or value exists: [other users listed] Failed group: pdbac32: Type or value exists: [other groups listed] ---------- Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at <a href="https://your.domain/ipa/migration/">https://your.domain/ipa/migration/</a> before they can use their Kerberos accounts. I don't understand what it's trying to telling me. On my FreeIPA ldap server I don't see any imported user. What's my fault here? </div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> The u is a python-ism for unicode. This is not a bug. </blockquote><div> Please, could you give a little more detail on this? It's only a hint on what that data represents in a Python variable? Thanks again Marco </div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> rob<div class="HOEnZb"><div class="h5"> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></div></blockquote></div>