[Freeipa-users] ipa migrate-ds failing when more than 1 namingcontext is available
Dmitri Pal
dpal at redhat.com
Mon Jan 30 15:53:42 UTC 2012
On 01/30/2012 09:23 AM, Simo Sorce wrote:
> On Mon, 2012-01-30 at 09:06 -0500, Rob Crittenden wrote:
>> Like I said, this error is triggered before ignore is evaluated so
>> if
>> an unknown binary attribute is getting decoded it will cause this
>> failure. The only solutions we have right now is to either load the
>> schema into IPA temporarily for the migration, rremove it on the
>> remote
>> side or you could modify the query we make to find the remote entries
>> to
>> pull only certain attributes. This last one would be tricky to get
>> right.
>>
>> The code looks like:
>>
>> (entries, truncated) = ds_ldap.find_entries(
>> search_filter, ['*'],
>> search_bases[ldap_obj_name],
>> ds_ldap.SCOPE_ONELEVEL,
>> time_limit=0, size_limit=-1,
>> search_refs=True # migrated DS may contain
>> search references
>> )
>>
>> You'd want to replace ['*'] with ['attr1','attr2','attr3',...]. It
>> would
>> be a rather long list and would need to cover both users and groups.
>>
> TBH I think we should turn the code around and do this by default.
> We have no idea how to manage extra attributes anyway so we shouldn't
> get them all, only get those we understand. And turn the exclusion list
> into an inclusion list, so that if someone wants to import more data
> because they added additional schema to FreeIPA they are free to do so.
> The current way looks brittle.
>
> Simo.
>
Agree, we need to open a BZ and ticket on this one.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list