<br><br><div class="gmail_quote">On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div><div class="h5">
On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Tue, Mar 20, 2012 at 12:14 AM, Dmitri
Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
<div>
<div> On 03/19/2012 06:54 PM, Marco Pizzoli
wrote: </div>
</div>
<blockquote type="cite">
<div>
<div><br>
<br>
<div class="gmail_quote">On Mon, Mar 19, 2012 at 8:31
PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Marco Pizzoli
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
<br>
On Mon, Mar 19, 2012 at 2:42 PM, Rob
Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
</div>
<div> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>
wrote:<br>
<br>
Dmitri Pal wrote:<br>
<br>
On 03/17/2012 07:36 AM, Marco Pizzoli
wrote:<br>
<br>
Hi guys,<br>
I'm trying to migrate my ldap user
base to freeipa. I'm<br>
using the latest<br>
Release Candidate.<br>
<br>
I already changed "ipa config-mod
--enable-migration=TRUE"<br>
This is what I have:<br>
<br>
ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"<br>
--user-container="ou=people,dc=mydc1,dc=mydc2.it"<br>
--user-objectclass=inetOrgPerson<br>
--group-container="ou=groups,dc=mydc1,dc=mydc2.it"<br>
--group-objectclass=posixGroup<br>
--base-dn="dc=mydc1,dc=mydc2.it"<br>
--with-compat ldap://ldap01<br>
</div>
<div><br>
<br>
ipa: INFO: trying<br>
</div>
<div><a href="https://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a><br>
Password:<br>
ipa: INFO: Forwarding 'migrate_ds'
to server<br>
</div>
<div>u'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'<br>
ipa: ERROR: Container for group not
found at<br>
ou=groups,dc=mydc1,dc=mydc2.it<br>
<br>
<br>
I looked at my ldap server logs and
I found out that the search<br>
executed has scope=1. Actually both
for users and groups.<br>
This is a<br>
problem for me, in having a lot of
subtrees (ou) in which my<br>
users and<br>
groups are. Is there a way to
manage this?<br>
<br>
Thanks in advance<br>
Marco<br>
<br>
P.s. As a side note, I suppose
there's a typo in the verbose<br>
message I<br>
obtain in my output:<br>
ipa: INFO: Forwarding 'migrate_ds'
to server<br>
</div>
<div>
<div>*u*'<a href="http://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">http://freeipa01.unix.mydomain.it/ipa/xml</a>'<br>
<br>
<br>
Please open tickets for both issues.<br>
<br>
<br>
Well, I don't think either is a bug.<br>
<br>
If you have users/groups in multiple
places you'll need to migrate<br>
them individually for now. It is safe to
run migrate-ds multiple<br>
times, existing users are not migrated.<br>
<br>
<br>
I just re-executed by specifying a nested ou
for my groups.<br>
This is what I got:<br>
<br>
ipa: INFO: trying <a href="https://freeipa01.unix.csebo.it/ipa/xml" target="_blank">https://freeipa01.unix.csebo.it/ipa/xml</a><br>
ipa: INFO: Forwarding 'migrate_ds' to server<br>
u'<a href="http://freeipa01.unix.csebo.it/ipa/xml" target="_blank">http://freeipa01.unix.csebo.it/ipa/xml</a>'<br>
-----------<br>
migrate-ds:<br>
-----------<br>
Migrated:<br>
Failed user:<br>
fw03075_no: Type or value exists:<br>
[other users listed]<br>
Failed group:<br>
pdbac32: Type or value exists:<br>
[other groups listed]<br>
----------<br>
Passwords have been migrated in pre-hashed
format.<br>
IPA is unable to generate Kerberos keys
unless provided<br>
with clear text passwords. All migrated
users need to<br>
login at <a href="https://your.domain/ipa/migration/" target="_blank">https://your.domain/ipa/migration/</a>
before they<br>
can use their Kerberos accounts.<br>
<br>
I don't understand what it's trying to
tell me.<br>
On my FreeIPA ldap server I don't see any
imported user.<br>
<br>
What's my fault here?<br>
<br>
<br>
The u is a Python-ism for unicode. This
is not a bug.<br>
<br>
<br>
Please, could you give a little more detail
on this? Is it only a hint on<br>
what that data represents in a Python
variable?<br>
<br>
Thanks again<br>
Marco<br>
</div>
</div>
</blockquote>
<br>
Type or value exists occurs when one tries to add
an attribute value to an entry that already
exists.<br>
<br>
I suspect that the underlying problem is different
between users and groups.<br>
<br>
For groups it is likely adding a duplicate member.<br>
<br>
For users I'm not really sure. It could be one of
the POSIX attributes. What does a failed entry
look like?<span><font color="#888888"><br>
<br>
rob<br>
</font></span></blockquote>
</div>
<br>
The user entry:<br>
------------------------<br>
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it<br>
description: fw03075<br>
cn: fw03075<br>
uidNumber: 11013<br>
gidNumber: 503<br>
homeDirectory: /home/fw03075<br>
loginShell: /bin/sh<br>
gecos: fw03075<br>
shadowLastChange: 13059<br>
shadowMax: 99999<br>
shadowWarning: 7<br>
objectClass: inetOrgPerson<br>
objectClass: posixAccount<br>
objectClass: shadowAccount<br>
objectClass: top<br>
objectClass: xxxPeopleAttributes<br>
sn: SN_NON_IMPOSTATO<br>
givenName: GIVENNAME_NON_IMPOSTATO<br>
xxxUfficio: UFFICIO_NON_IMPOSTATO<br>
xxxTipoUtente: tecnico<br>
uid: fw03075_NO<br>
userPassword: secret<br>
<br>
<br>
group entry:<br>
-------------------<br>
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it<br>
gidNumber: 10015<br>
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it<br>
memberUid: NESSUNO<br>
memberUid: aaa415<br>
memberUid: bbb446<br>
xxxAmbiente: prod<br>
xxxDB2GruppiPrivilegi: instance_owner<br>
description: Mydescription<br>
xxxTipoGruppo: db<br>
objectClass: top<br>
objectClass: posixGroup<br>
objectClass: groupOfNames<br>
objectClass: xxxGroupsAttributes<br>
objectClass: xxxDB2GroupsAttributes<br>
cn: pdbac32<br>
<br>
Thanks again<br>
Marco<br>
</div>
</div>
<pre>
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
Do you by any chance have a <u>group</u> with name
"fw03075_NO" and <u>user</u> with name "pdbac32"?<br>
Maybe you are hitting a collision on a managed group?</div>
</blockquote>
<div><br>
Well, yes and no.<br>
<br>
No, I don't have a group called "fw03075_NO" and no, I don't
have a user called "pdbac32".<br>
<br>
Yes, I have some users uid=samename and groups cn=samename,
but they are not found in the group subtree (ou) from where I
launched "ipa migrate-ds".<br>
<br>
If this is the problem, where can I find any evidence of the
actual problem?<br>
<br>
</div>
</div>
</blockquote>
<br></div></div>
Can you search those names in the IPA LDAP tree after the migration?
Maybe there is some object already there with the same cn that
collides. This way we would be able to determine what the colliding
object is and take it from there. It might collide on some other
attribute in the entry and just be reported by uid and cn.</div></blockquote><div><br></div><div>Here it is:</div><div><br></div>
<pre>[root@freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(uid=fw03075_NO)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base &lt;dc=unix,dc=mydomain,dc=it&gt; with scope subtree
# filter: (uid=fw03075_NO)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(cn=fw03075_NO)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base &lt;dc=unix,dc=mydomain,dc=it&gt; with scope subtree
# filter: (cn=fw03075_NO)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
</pre>
<div><br></div><div>Same thing for "pdbac32".</div><div><br></div><div>Or were you asking me something more complicated?</div><div><br></div><div>My group and user tree is almost empty. There are only default groups and 5/6 users created by hand.</div>
<div>Yes, some of them have the same uid as the ones manually created, but they represent only a minority of the total.</div><div><br></div><div>Marco</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_quote">
<div>Thanks again<br>
Marco<br>
</div>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
<div><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div></div>
</blockquote></div><br>
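<div>Editor's note, added after the thread and not part of it: the following Python pre-flight script is an added example, not FreeIPA code and not something any participant posted. It reads an LDIF export of the source tree and flags, before <code>ipa migrate-ds</code> is run, the conditions the thread circles around: an attribute that already carries the same value twice (adding that value again is what the server reports as "Type or value exists", LDAP result code 20, as Rob explains), a group that names the same user both as a <code>member</code> DN and as a <code>memberUid</code> (the duplicate member Rob suspects), a uid that is also a group cn (IPA creates a managed private group named after each user, which is the collision Dmitri asks about), and entries sitting below a nested ou, which the scope-one search Marco saw in his server logs never returns. Assumptions: the LDIF sample, the <code>dc=example,dc=test</code> suffix and the container DNs are constructed for this example; the <code>member</code>/<code>memberUid</code> check assumes migrate-ds rewrites both into <code>member</code> DNs in the IPA tree, which the thread does not confirm; the LDIF reader is deliberately minimal (no base64 <code>::</code> values, no escaped commas in DNs).</div>

```python
"""Pre-flight checks on an LDIF export before `ipa migrate-ds` (added example, not FreeIPA code)."""
import re

# Constructed sample modelled on the thread's entries; not real directory data.
SAMPLE_LDIF = """\
dn: uid=aaa415,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: aaa415
cn: aaa415

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=Groups,dc=example,dc=test
objectClass: posixGroup
objectClass: groupOfNames
cn: pdbac32
member: uid=aaa415,ou=People,dc=example,dc=test
member: uid=bbb446,ou=People,dc=example,dc=test
memberUid: aaa415
memberUid: bbb446

dn: cn=aaa415,ou=Groups,dc=example,dc=test
objectClass: posixGroup
cn: aaa415
memberUid: AAA415
memberUid: aaa415
"""


def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, {attr_lowercase: [values]}); folds
    continuation lines, skips comments, does not decode base64 (`::`) values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:  # folded continuation line
                lines[-1] += raw[1:]
            elif not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for name, _, value in (line.partition(":") for line in lines):
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries


def norm_dn(dn):  # case-fold, drop blanks around separators; escaped commas unsupported
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parent_dn(dn):
    return norm_dn(dn.split(",", 1)[1])

def rdn_value(dn):  # "uid=aaa415,ou=People,..." -> "aaa415"
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def duplicate_values(attrs):
    """Attributes carrying one value twice after normalisation: the 'Type or value exists' case."""
    dups = {}
    for name, values in attrs.items():
        keys = [norm_dn(v) if name in ("member", "uniquemember") else v.lower()
                for v in values]
        repeated = sorted({k for k in keys if keys.count(k) > 1})
        if repeated:
            dups[name] = repeated
    return dups


def member_overlap(attrs):
    """Users named both by a `member` DN and a `memberUid` (assumed to map to one `member` DN)."""
    by_dn = {rdn_value(m).lower() for m in attrs.get("member", [])}
    by_uid = {u.lower() for u in attrs.get("memberuid", [])}
    return sorted(by_dn & by_uid)


def preflight(ldif_text, user_container, group_container):
    """Per-entry problems, uid/cn collisions (IPA creates a private group per user), scope-one misses."""
    report = {"duplicate_values": {}, "member_overlap": {}, "outside_scope": []}
    uids, group_names = set(), set()
    for dn, attrs in parse_ldif(ldif_text):
        ocs = {o.lower() for o in attrs.get("objectclass", [])}
        if "posixgroup" in ocs:
            group_names |= {c.lower() for c in attrs.get("cn", [])}
            container, overlap = group_container, member_overlap(attrs)
            if overlap:
                report["member_overlap"][dn] = overlap
        elif "posixaccount" in ocs:
            uids |= {u.lower() for u in attrs.get("uid", [])}
            container = user_container
        else:
            continue
        dups = duplicate_values(attrs)
        if dups:
            report["duplicate_values"][dn] = dups
        if parent_dn(dn) != norm_dn(container):  # not a direct child: scope=1 misses it
            report["outside_scope"].append(dn)
    report["name_collisions"] = sorted(uids & group_names)
    return report

if __name__ == "__main__":
    print(preflight(SAMPLE_LDIF, "ou=People,dc=example,dc=test", "ou=Groups,dc=example,dc=test"))
```

<div>Run it against an export taken from the source server (for example <code>ldapsearch -LLL -b "dc=..." > export.ldif</code>, ideally with a read-only bind rather than the manager DN) and pass <code>preflight()</code> the same container DNs you give to <code>--user-container</code> and <code>--group-container</code>. It complements rather than replaces the <code>ldapsearch</code> against the IPA tree that Dmitri asks for above: the script shows what the source tree will try to add, while the IPA-side search shows what is already there.</div>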