<br><br><div class="gmail_quote">On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  <div bgcolor="#ffffff" text="#000000"><div><div class="h5">
    On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
    </div></div><blockquote type="cite"><div><div class="h5"><br>
      <br>
      <div class="gmail_quote">On Mon, Mar 19, 2012 at 8:31 PM, Rob
        Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          Marco Pizzoli wrote:<br>
          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div>
              <br>
              <br>
              On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>><br>
            </div>
            <div>
              wrote:<br>
              <br>
                 Dmitri Pal wrote:<br>
              <br>
                     On 03/17/2012 07:36 AM, Marco Pizzoli wrote:<br>
              <br>
                         Hi guys,<br>
                         I'm trying to migrate my ldap user base to
              freeipa. I'm<br>
                         using the last<br>
                         Release Candidate.<br>
              <br>
                         I already changed "ipa config-mod
              --enable-migration=TRUE"<br>
                         This is what I have:<br>
              <br>
                         ipa -v migrate-ds<br>
            </div>
                       --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"<br>
                       --user-container="ou=people,dc=mydc1,dc=mydc2.it"<br>
                       --user-objectclass=inetOrgPerson<br>
                       --group-container="ou=groups,dc=mydc1,dc=mydc2.it"<br>
                       --group-objectclass=posixGroup<br>
                       --base-dn="dc=mydc1,dc=mydc2.it"
            <div><br>
              --with-compat <a>ldap://ldap01</a><br>
              <br>
                         ipa: INFO: trying<br>
            </div>
                       <a href="https://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a>
            <div><br>
                         Password:<br>
                         ipa: INFO: Forwarding 'migrate_ds' to server<br>
            </div>
                       u'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'
            <div><br>
                         ipa: ERROR: Container for group not found at<br>
                         ou=groups,dc=mydc1,dc=mydc2.it<br>
              <br>
              <br>
                         I looked at my ldap server logs and I found out
              that the search<br>
                         executed has scope=1. Actually both for users
              and groups.<br>
                         This is a<br>
                         problem for me, in having a lot of subtrees
              (ou) in which my<br>
                         users and<br>
                         groups are. Is there a way to manage this?<br>
              <br>
                         Thanks in advance<br>
                         Marco<br>
              <br>
                         P.s. As a side note, I suppose there's a typo
              in the verbose<br>
                         message I<br>
                         obtain in my output:<br>
                         ipa: INFO: Forwarding 'migrate_ds' to server<br>
            </div>
                       *u*'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'
            <div>
              <div><br>
                <br>
                <br>
                       Please open tickets for both issues.<br>
                <br>
                <br>
                   Well, I don't think either is a bug.<br>
                <br>
                   If you have users/groups in multiple places you'll
                need to migrate<br>
                   them individually for now. It is safe to run
                migrate-ds multiple<br>
                   times, existing users are not migrated.<br>
                <br>
                <br>
                I just re-executed by specifying a nested ou for my
                groups.<br>
                This is what I got:<br>
                <br>
                ipa: INFO: trying <a href="https://freeipa01.unix.csebo.it/ipa/xml" target="_blank">https://freeipa01.unix.csebo.it/ipa/xml</a><br>
                ipa: INFO: Forwarding 'migrate_ds' to server<br>
                u'<a href="http://freeipa01.unix.csebo.it/ipa/xml" target="_blank">http://freeipa01.unix.csebo.it/ipa/xml</a>'<br>
                -----------<br>
                migrate-ds:<br>
                -----------<br>
                Migrated:<br>
                Failed user:<br>
                  fw03075_no: Type or value exists:<br>
                  [other users listed]<br>
                Failed group:<br>
                  pdbac32: Type or value exists:<br>
                  [other groups listed]<br>
                ----------<br>
                Passwords have been migrated in pre-hashed format.<br>
                IPA is unable to generate Kerberos keys unless provided<br>
                with clear text passwords. All migrated users need to<br>
                login at <a href="https://your.domain/ipa/migration/" target="_blank">https://your.domain/ipa/migration/</a>
                before they<br>
                can use their Kerberos accounts.<br>
                <br>
                I don't understand what it's trying to tell me.<br>
                On my FreeIPA ldap server I don't see any imported user.<br>
                <br>
                What's my fault here?<br>
                <br>
                <br>
                   The u is a python-ism for unicode. This is not a bug.<br>
                <br>
                <br>
                Please, could you give a little more detail on this?
                It's only a hint on<br>
                what that data represents in a Python variable?<br>
                <br>
                Thanks again<br>
                Marco<br>
              </div>
            </div>
          </blockquote>
          <br>
          Type or value exists occurs when one tries to add an attribute
          value to an entry that already exists.<br>
          <br>
          I suspect that the underlying problem is different between
          users and groups.<br>
          <br>
          For groups it is likely adding a duplicate member.<br>
          <br>
          For users I'm not really sure. It could be one of the POSIX
          attributes. What does a failed entry look like?<span><font color="#888888"><br>
              <br>
              rob<br>
            </font></span></blockquote>
      </div>
      <br>
      The user entry:<br>
      ------------------------<br>
      dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a><br>
      description: fw03075<br>
      cn: fw03075<br>
      uidNumber: 11013<br>
      gidNumber: 503<br>
      homeDirectory: /home/fw03075<br>
      loginShell: /bin/sh<br>
      gecos: fw03075<br>
      shadowLastChange: 13059<br>
      shadowMax: 99999<br>
      shadowWarning: 7<br>
      objectClass: inetOrgPerson<br>
      objectClass: posixAccount<br>
      objectClass: shadowAccount<br>
      objectClass: top<br>
      objectClass: xxxPeopleAttributes<br>
      sn: SN_NON_IMPOSTATO<br>
      givenName: GIVENNAME_NON_IMPOSTATO<br>
      xxxUfficio: UFFICIO_NON_IMPOSTATO<br>
      xxxTipoUtente: tecnico<br>
      uid: fw03075_NO<br>
      userPassword: secret<br>
      <br>
      <br>
      group entry:<br>
      -------------------<br>
      dn:
      cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a><br>
      gidNumber: 10015<br>
      member: uid=NESSUNO,ou=People,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a><br>
      member: uid=aaa415,ou=People,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a><br>
      member: uid=bbb446,ou=People,dc=mydc1,dc=<a href="http://mydc2.it" target="_blank">mydc2.it</a><br>
      memberUid: NESSUNO<br>
      memberUid: aaa415<br>
      memberUid: bbb446<br>
      xxxAmbiente: prod<br>
      xxxDB2GruppiPrivilegi: instance_owner<br>
      description: Mydescription<br>
      xxxTipoGruppo: db<br>
      objectClass: top<br>
      objectClass: posixGroup<br>
      objectClass: groupOfNames<br>
      objectClass: xxxGroupsAttributes<br>
      objectClass: xxxDB2GroupsAttributes<br>
      cn: pdbac32<br>
      <br>
      Thanks again<br>
      Marco<br>
      </div></div><pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
    Do you by any chance have a <u>group</u> with name "fw03075_NO" and
    <u>user</u> with name "pdbac32"?<br>
    Maybe you are hitting a collision on a managed group?</div></blockquote><div><br>Well, yes and no.<br><br>No, I don't have a group called "fw03075_NO" and No, I don't have a user called "pdbac32".<br>

<br>Yes, I have some users uid=samename  and groups cn=samename, but they are not found in the group subtree (ou) from where I launched "ipa migrate-ds".<br><br>If this is the problem, where can I have any evidence of the actual problem?<br>

<br>Thanks again<br>Marco<br> </div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#ffffff" text="#000000"><div class="im"><br>
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


</pre>
  </div></div>

</blockquote></div><br>
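Added example, not part of the original thread and not FreeIPA code: the thread reports that migrate-ds searched with scope=1 (one level) and advises migrating each location separately, so this sketch groups entry DNs by their immediate parent to list every container a one-level search would have to be pointed at. Only the pdbac32 DN comes from the thread; the other DNs are constructed samples and the function names are hypothetical.

```python
from collections import OrderedDict

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes kept intact)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])          # keep the escape pair, e.g. "\,"
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns

def norm(dn):
    """Case-insensitive comparison key (assumes case-insensitive naming attributes)."""
    return ",".join(split_dn(dn)).lower()

def containers_for_onelevel(entry_dns, base_dn):
    """Return [(container_dn, [rdn, ...])]: one item per parent a scope=1 search needs."""
    base = norm(base_dn)
    out = OrderedDict()
    for dn in entry_dns:
        rdns = split_dn(dn)
        parent = ",".join(rdns[1:])
        key = parent.lower()
        if key != base and not key.endswith("," + base):
            raise ValueError("entry outside base DN: " + dn)
        out.setdefault(key, (parent, []))[1].append(rdns[0])
    return list(out.values())

BASE_DN = "dc=mydc1,dc=mydc2.it"
GROUP_DNS = [
    # from the thread:
    "cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it",
    # constructed samples (case variation, top-level group, escaped comma):
    "cn=pdbac33,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=groups,dc=mydc1,dc=mydc2.it",
    "cn=admins,ou=Groups,dc=mydc1,dc=mydc2.it",
    "cn=ops\\, night,ou=Groups,dc=mydc1,dc=mydc2.it",
]

if __name__ == "__main__":
    for container, names in containers_for_onelevel(GROUP_DNS, BASE_DN):
        print(len(names), "entries directly under", container)
```

Each container returned is a location that a one-level search starting at ou=Groups alone would miss unless it is given as the group container in its own migrate-ds run.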