<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/19/2012 08:56 AM, Marco Pizzoli wrote:
<blockquote
cite="mid:CAMrrtwuYg8BQZeh+0W4LLG5Sgk4k6b-gT7x5o+ybE3OofGcz=w@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Mon, Mar 19, 2012 at 1:43 PM, Simo
Sorce <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:simo@redhat.com">simo@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div class="HOEnZb">
<div class="h5">On Sun, 2012-03-18 at 18:33 +0100, Marco
Pizzoli wrote:<br>
><br>
><br>
> On Sun, Mar 18, 2012 at 5:49 PM, Dmitri Pal <<a
moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>
wrote:<br>
> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:<br>
> > Hi guys,<br>
> > I'm trying to migrate my ldap user base
to freeipa. I'm<br>
> > using the last Release Candidate.<br>
> ><br>
> > I already changed "ipa config-mod
--enable-migration=TRUE"<br>
> > This is what I have:<br>
> ><br>
> > ipa -v migrate-ds<br>
> > --bind-dn="cn=manager,dc=mydc1,dc=<a
moz-do-not-send="true" href="http://mydc2.it"
target="_blank">mydc2.it</a>"<br>
> > --user-container="ou=people,dc=mydc1,dc=<a
moz-do-not-send="true" href="http://mydc2.it"
target="_blank">mydc2.it</a>"<br>
> > --user-objectclass=inetOrgPerson<br>
> >
--group-container="ou=groups,dc=mydc1,dc=<a
moz-do-not-send="true" href="http://mydc2.it"
target="_blank">mydc2.it</a>"<br>
> > --group-objectclass=posixGroup<br>
> > --base-dn="dc=mydc1,dc=<a
moz-do-not-send="true" href="http://mydc2.it"
target="_blank">mydc2.it</a>" --with-compat
<a class="moz-txt-link-freetext" href="ldap://ldap01">ldap://ldap01</a><br>
> > ipa: INFO: trying <a
moz-do-not-send="true"
href="https://freeipa01.unix.mydomain.it/ipa/xml"
target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a><br>
> > Password:<br>
> > ipa: INFO: Forwarding 'migrate_ds' to
server<br>
> > u'<a moz-do-not-send="true"
href="http://freeipa01.unix.mydomain.it/ipa/xml"
target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'<br>
> > ipa: ERROR: Container for group not
found at<br>
> > ou=groups,dc=mydc1,dc=<a
moz-do-not-send="true" href="http://mydc2.it"
target="_blank">mydc2.it</a><br>
> ><br>
> > I looked at my ldap server logs and I
found out that the<br>
> > search executed has scope=1. Actually
both for users and<br>
> > groups. This is a problem for me, in
having a lot of<br>
> > subtrees (ou) in which my users and
groups are. Is there a<br>
> > way to manage this?<br>
> ><br>
> > Thanks in advance<br>
> > Marco<br>
> ><br>
> > P.s. As a side note, I suppose there's a
typo in the verbose<br>
> > message I obtain in my output:<br>
> > ipa: INFO: Forwarding 'migrate_ds' to
server<br>
> > u'<a moz-do-not-send="true"
href="http://freeipa01.unix.mydomain.it/ipa/xml"
target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'<br>
><br>
><br>
> Please open tickets for both issues.<br>
><br>
><br>
> Done:<br>
> <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/2547"
target="_blank">https://fedorahosted.org/freeipa/ticket/2547</a><br>
> <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/2546"
target="_blank">https://fedorahosted.org/freeipa/ticket/2546</a><br>
><br>
> Do you have a hint on how to manage to do this import
in the meantime?<br>
> Every manual step is ok for me.<br>
<br>
</div>
</div>
Maybe you can try performing a new migration for each of the
subtrees<br>
you have in your source tree, assuming it is a reasonable
number, by<br>
reconfiguring the migrate-ds bases between each run.<br>
</blockquote>
<div><br>
Yes, I was thinking the same... :-)<br>
To be able to script "ipa migrate-ds", I would need a
parameter for setting the password on the CLI. I suppose it
isn't there by design, right?<br>
<br>
</div>
</div>
</blockquote>
<br>
Will it handle the case when the group has members from different
levels and some of the users are not picked by the search? In this
case I suspect the user group membership might be lost. I am not
sure that this is the case. Just something to pay attention.<br>
<br>
<blockquote
cite="mid:CAMrrtwuYg8BQZeh+0W4LLG5Sgk4k6b-gT7x5o+ybE3OofGcz=w@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div>Thanks again<br>
Marco<br>
</div>
</div>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>