<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
<blockquote
cite="mid:CAMrrtwsYvrCyKWP2A5hJ0nh-m_1vgUEzy6fJ1eW2ENrrD-nQ+A@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Mon, Mar 19, 2012 at 8:31 PM, Rob
Crittenden <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
Marco Pizzoli wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div class="im">
<br>
<br>
On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden &lt;<a
moz-do-not-send="true" href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>&gt;
</div>
<div class="im">
wrote:<br>
<br>
Dmitri Pal wrote:<br>
<br>
On 03/17/2012 07:36 AM, Marco Pizzoli wrote:<br>
<br>
Hi guys,<br>
I'm trying to migrate my ldap user base to
freeipa. I'm<br>
using the last<br>
Release Candidate.<br>
<br>
I already changed "ipa config-mod
--enable-migration=TRUE"<br>
This is what I have:<br>
<br>
ipa -v migrate-ds<br>
</div>
--bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"<br>
--user-container="ou=people,dc=mydc1,dc=mydc2.it"<br>
--user-objectclass=inetOrgPerson<br>
--group-container="ou=groups,dc=mydc1,dc=mydc2.it"<br>
--group-objectclass=posixGroup<br>
--base-dn="dc=mydc1,dc=mydc2.it"<br>
--with-compat <a class="moz-txt-link-freetext" href="ldap://ldap01">ldap://ldap01</a>
<div class="im"><br>
<br>
ipa: INFO: trying<br>
</div>
<a moz-do-not-send="true"
href="https://freeipa01.unix.mydomain.it/ipa/xml"
target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a>
<div class="im">
Password:<br>
ipa: INFO: Forwarding 'migrate_ds' to server<br>
</div>
u'<a moz-do-not-send="true"
href="http://freeipa01.unix.mydomain.it/ipa/xml"
target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'
<div class="im">
ipa: ERROR: Container for group not found at<br>
ou=groups,dc=mydc1,dc=mydc2.it<br>
<br>
<br>
I looked at my ldap server logs and I found out
that the search<br>
executed has scope=1. Actually both for users
and groups.<br>
This is a<br>
problem for me, in having a lot of subtrees
(ou) in which my<br>
users and<br>
groups are. Is there a way to manage this?<br>
<br>
Thanks in advance<br>
Marco<br>
<br>
P.s. As a side note, I suppose there's a typo
in the verbose<br>
message I<br>
obtain in my output:<br>
ipa: INFO: Forwarding 'migrate_ds' to server<br>
</div>
*u*'<a moz-do-not-send="true"
href="http://freeipa01.unix.mydomain.it/ipa/xml"
target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'
<div>
<div class="h5"><br>
<br>
<br>
Please open tickets for both issues.<br>
<br>
<br>
Well, I don't think either is a bug.<br>
<br>
If you have users/groups in multiple places you'll
need to migrate<br>
them individually for now. It is safe to run
migrate-ds multiple<br>
times, existing users are not migrated.<br>
<br>
<br>
I just re-executed by specifying a nested ou for my
groups.<br>
This is what I got:<br>
<br>
ipa: INFO: trying <a moz-do-not-send="true"
href="https://freeipa01.unix.csebo.it/ipa/xml"
target="_blank">https://freeipa01.unix.csebo.it/ipa/xml</a><br>
ipa: INFO: Forwarding 'migrate_ds' to server<br>
u'<a moz-do-not-send="true"
href="http://freeipa01.unix.csebo.it/ipa/xml"
target="_blank">http://freeipa01.unix.csebo.it/ipa/xml</a>'<br>
-----------<br>
migrate-ds:<br>
-----------<br>
Migrated:<br>
Failed user:<br>
fw03075_no: Type or value exists:<br>
[other users listed]<br>
Failed group:<br>
pdbac32: Type or value exists:<br>
[other groups listed]<br>
----------<br>
Passwords have been migrated in pre-hashed format.<br>
IPA is unable to generate Kerberos keys unless provided<br>
with clear text passwords. All migrated users need to<br>
login at <a moz-do-not-send="true"
href="https://your.domain/ipa/migration/"
target="_blank">https://your.domain/ipa/migration/</a>
before they<br>
can use their Kerberos accounts.<br>
<br>
I don't understand what it's trying to tell me.<br>
On my FreeIPA ldap server I don't see any imported user.<br>
<br>
What's my fault here?<br>
<br>
<br>
The u is a python-ism for unicode. This is not a bug.<br>
<br>
<br>
Please, could you give a little more detail on this?
It's only a hint on<br>
what that data represents in a Python variable?<br>
<br>
Thanks again<br>
Marco<br>
</div>
</div>
</blockquote>
<br>
Type or value exists occurs when one tries to add an attribute
value to an entry that already exists.<br>
<br>
I suspect that the underlying problem is different between
users and groups.<br>
<br>
For groups it is likely adding a duplicate member.<br>
<br>
For users I'm not really sure. It could be one of the POSIX
attributes. What does a failed entry look like?<span
class="HOEnZb"><font color="#888888"><br>
<br>
rob<br>
</font></span></blockquote>
</div>
<br>
The user entry:<br>
------------------------<br>
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it<br>
description: fw03075<br>
cn: fw03075<br>
uidNumber: 11013<br>
gidNumber: 503<br>
homeDirectory: /home/fw03075<br>
loginShell: /bin/sh<br>
gecos: fw03075<br>
shadowLastChange: 13059<br>
shadowMax: 99999<br>
shadowWarning: 7<br>
objectClass: inetOrgPerson<br>
objectClass: posixAccount<br>
objectClass: shadowAccount<br>
objectClass: top<br>
objectClass: xxxPeopleAttributes<br>
sn: SN_NON_IMPOSTATO<br>
givenName: GIVENNAME_NON_IMPOSTATO<br>
xxxUfficio: UFFICIO_NON_IMPOSTATO<br>
xxxTipoUtente: tecnico<br>
uid: fw03075_NO<br>
userPassword: secret<br>
<br>
<br>
group entry:<br>
-------------------<br>
dn:
cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it<br>
gidNumber: 10015<br>
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it<br>
memberUid: NESSUNO<br>
memberUid: aaa415<br>
memberUid: bbb446<br>
xxxAmbiente: prod<br>
xxxDB2GruppiPrivilegi: instance_owner<br>
description: Mydescription<br>
xxxTipoGruppo: db<br>
objectClass: top<br>
objectClass: posixGroup<br>
objectClass: groupOfNames<br>
objectClass: xxxGroupsAttributes<br>
objectClass: xxxDB2GroupsAttributes<br>
cn: pdbac32<br>
<br>
Thanks again<br>
Marco<br>
</blockquote>
<br>
Do you by any chance have a <u>group</u> with name "fw03075_NO" and
<u>user</u> with name "pdbac32"?<br>
Maybe you are hitting a collision on a managed group?<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
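<br>
An added example, not part of the thread and not FreeIPA code: a pre-migration check over an LDIF export for the two causes suggested above, a user uid that is also a group cn (Dmitri's question) and a group that lists the same member twice (Rob's guess).<br>
The sample LDIF is constructed from the entry shapes posted in the thread, and comparing names and DNs case-insensitively is an assumption.<br>
<pre>
```python
# Added example: constructed sample data, hypothetical helper names.
from collections import Counter

SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: posixAccount
uid: fw03075_NO

dn: cn=fw03075_no,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: fw03075_no

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: pdbac32
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=AAA415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in [v.lower() for v in entry.get("objectclass", [])]

def name_collisions(entries):
    """Names used both as a user uid and as a group cn, ignoring case."""
    users = {v.lower() for e in entries if has_class(e, "posixAccount") for v in e.get("uid", [])}
    groups = {v.lower() for e in entries if has_class(e, "posixGroup") for v in e.get("cn", [])}
    return sorted(users.intersection(groups))

def duplicate_members(entries):
    """Map each group dn to the member DNs that repeat once case is ignored."""
    out = {}
    for e in (e for e in entries if has_class(e, "posixGroup")):
        counts = Counter(m.lower() for m in e.get("member", []))
        dups = sorted(m for m, n in counts.items() if n != 1)
        if dups:
            out[e["dn"][0]] = dups
    return out
```
</pre>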
</body>
</html>