[Freeipa-users] Invalid Credentials error on migrate-ds

Jeff B jeffb.list at gmail.com
Mon Jan 24 19:57:57 UTC 2011


I might have missed this yesterday, is it trying to bind to the Apple
as Directory Manager?  I thought that was for FreeIPA but now I'm not
sure.  I was intending to have it do an anonymous bind to the Apple.

If so I guess that would explain it.

On Mon, Jan 24, 2011 at 2:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jeff B wrote:
>>
>> I'm trying to test out migration from an Apple Open Directory Server
>> to FreeIPA (unstable). The command I'm running is:
>>
>> ipa config-mod --enable-migration=true
>>
>> ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=xxxx,dc=com'
>> --group-container='cn=groups,dc=xxx,dc=xxxx,dc=com'
>> ldap://10.10.10.10:389
>>
>> It prompts me for a password twice, then gives me an invalid credentials
>> error
>>
>> ipa: INFO: Created connection context.xmlclient
>> Password:
>> Enter Password again to verify:
>> ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'********',
>> usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com',
>> groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com')
>> ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'********',
>> binddn=u'cn=directory manager',
>> usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com',
>> groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com',
>> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames',
>> u'groupOfNames'), schema=u'RFC2307bis', continue=False,
>> exclude_groups=None, exclude_users=None)
>> ipa: INFO: Forwarding 'migrate_ds' to server
>> u'https://ipa0.xxxx.com/ipa/xml'
>> ipa: DEBUG: NSSConnection init ipa0.xxxx.com
>> ipa: DEBUG: connect: host=ipa0.xxxx.com port=443
>> ipa: DEBUG: connect: 10.10.10.11:443
>> ...
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=ipa0.xxxx.com,O=XXXX.COM"
>> ipa: DEBUG: handshake complete, peer = 10.10.10.11:443
>> ipa: DEBUG: Caught fault 2100 from server
>> https://ipa0.xxx.com/ipa/xml: Insufficient access:  Invalid
>> credentials
>> ipa: INFO: Destroyed connection context.xmlclient
>> ipa: ERROR: Insufficient access:  Invalid credentials
>>
>> I'm able to connect to LDAP using the same password for cn="Directory
>> Manager", which appears to be the user it's asking the password for.
>>
>> Is this user error or a bug?  If user error what am I doing wrong?
>>  Thanks.
>
> Hmm, I'm stumped at this point. Can you look in your Apple DS logs to see if
> there is a bind error? You can use --binddn to bind as a different user.
>
> I should also note that you don't want to include basedn for the user and
> group containers, cn=users and cn=groups is enough.
>
> rob
>



