<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 10/14/2014 06:58 PM, Clint Savage
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAO3ufTne4uWOAn3BE4cEDLLzxHh0dusp_jSirkc+VFhv5WRQ1Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>Hi all,<br>
                    <br>
                  </div>
                  I've been working on a migration plan using three
                  custom user objectClasses and one group objectClass.
                  In my attempt, I've set up an OpenLDAP server with the
                  proper schemas, imported the LDIF, and have records
                  that look something like this in LDIF format.<br>
                  <br>
-----------------------------------------------------------------------<br>
                  <br>
                  dn: dc=example,dc=com<br>
                  objectClass: top<br>
                  objectClass: domain<br>
                  dc: example<br>
                  <br>
                  dn: ou=Groups,dc=example,dc=com<br>
                  objectClass: top<br>
                  objectClass: organizationalunit<br>
                  ou: Groups<br>
                  <br>
                  dn: ou=People,dc=example,dc=com<br>
                  objectClass: top<br>
                  objectClass: organizationalunit<br>
                  ou: People<br>
                  <br>
                  dn: uid=amyengh,ou=People,dc=example,dc=com<br>
                  objectClass: inetOrgPerson<br>
                  objectClass: posixAccount<br>
                  objectClass: top<br>
                  objectClass: organizationalPerson<br>
                  objectClass: person<br>
                  objectClass: radiusProfile<br>
                  objectClass: sambaSamAccount<br>
                  objectClass: customPersonAttributes<br>
                  cn: Amy Engh<br>
                  gidNumber: 1141801056<br>
                  homeDirectory: /home/amyengh<br>
                  sn: Engh<br>
                  uid: amyengh<br>
                  uidNumber: 1141801056<br>
                  displayName: Amy Engh<br>
                  givenName: Amy<br>
                  loginShell: /sbin/nologin<br>
                  mail: amyengh@attask.com<br>
                  userPassword:: REDACTED<br>
                  dialupAccess: yes<br>
                  radiusTunnelMediumType: IEEE-802<br>
                  radiusTunnelPrivateGroupId: 1421<br>
                  radiusTunnelType: VLAN<br>
                  emailPassword:: REDACTED<br>
                  sambaAcctFlags: [U          ]<br>
                  sambaLMPassword: REDACTED<br>
                  sambaNTPassword: REDACTED<br>
                  sambaPasswordHistory:
                  000000000000000000000000000000000000000000000000000000<br>
                   0000000000<br>
                  sambaPwdLastSet: 1402698001<br>
                  sambaSID:
                  S-1-5-21-2332447373-4108748234-3602490535-3146<br>
                  <br>
                  dn: cn=amyengh,ou=Groups,dc=example,dc=com<br>
                  objectClass: top<br>
                  objectClass: posixGroup<br>
                  cn: amyengh<br>
                  gidNumber: 1141801056<br>
                  memberUid: amyengh<br>
                  <br>
--------------------------------------------------------------------<br>
                  <br>
                </div>
                I then run the migration (with or without compat makes
                no difference) and get the following:<br>
                <br>
                ipa migrate-ds --with-compat
                --user-container="ou=People"
                --group-container="ou=Groups"
                --user-objectclass=posixAccount
                --group-objectclass=posixgroup ldap://192.168.122.210
                --bind-dn="cn=Manager,dc=example,dc=com"<br>
                Password: <br>
                -----------<br>
                migrate-ds:<br>
                -----------<br>
                Migrated:<br>
                Failed user:<br>
                  amyengh: Type or value exists: <br>
                Failed group:<br>
                  amyengh: This entry already exists.</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    "Type or value exists" and "This entry already exists" are just
    explanations of the LDAP return code. Do you see anything in the 389
    DS error logs?<br>
    <br>
    <blockquote
cite="mid:CAO3ufTne4uWOAn3BE4cEDLLzxHh0dusp_jSirkc+VFhv5WRQ1Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>Check GID of the existing group. Use
                --group-overwrite-gid option to overwrite the GID<br>
                ----------<br>
                Passwords have been migrated in pre-hashed format.<br>
                IPA is unable to generate Kerberos keys unless provided<br>
                with clear text passwords. All migrated users need to<br>
                login at <a moz-do-not-send="true"
                  href="https://your.domain/ipa/migration/">https://your.domain/ipa/migration/</a>
                before they<br>
                can use their Kerberos accounts.<br>
                <br>
              </div>
              <div>The objectclasses are listed in the configuration
                properly:<br>
                <br>
                # ipa config-show --all<br>
              </div>
              <div>..snip..<br>
              </div>
              <div>Default group objectclasses: top, groupofnames,
                nestedgroup, ipausergroup, ipaobject, sambaGroupMapping<br>
                  Default user objectclasses: top, person,
                organizationalperson, inetorgperson, inetuser,
                posixaccount, krbprincipalaux, krbticketpolicyaux,<br>
                                              ipaobject, ipasshuser,
                radiusProfile, customPersonAttributes, sambaSamAccount<br>
              </div>
              <div>..snip..<br>
              </div>
              <div><br>
              </div>
              I can verify the objectclasses appear to work when I add a
              user manually, though I have not updated the plugins to
              allow entries for the above objectClasses.<br>
              <br>
              ---------------------------<br>
            </div>
            My question is about the error 'amyengh: Type or value
            exists:'. I can take out the custom objectclasses, and this
            error goes away. I've looked into all of the custom
            objectclasses and don't see anything that would indicate
            errors. I have some 5k+ records to migrate and don't want to
            have to manipulate the ldif and then create modify records
            just to get the data into IPA.<br>
            <br>
          </div>
          Any suggestions to help me identify why this is happening? I'd
          be happy to provide further information as requested.<br>
          <br>
          Thanks,<br>
          <br>
        </div>
        herlo<br>
      </div>
    </blockquote>
    <br>
  </body>
</html>