[Freeipa-users] Openldap to IPA migration confusion

Qing Chang qchang at sri.utoronto.ca
Tue Jul 24 12:54:01 UTC 2012



On 23/07/2012 3:33 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>>
>>
>> On 20/07/2012 5:14 PM, Rob Crittenden wrote:
>>> Qing Chang wrote:
>>>> Greetings,
>>>>
>>>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
>>>> and groups:
>>>> compat and accounts, using groups as an example:
>>>> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>>>> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>>
>>>> IPA web GUI does not show the "memberUid" attribute, although it is
>>>> migrated correctly;
>>>> by adding a user to the group in the web GUI, it reveals that the member is
>>>> added to both
>>>> compat and accounts, but differently:
>>>> accounts: member:
>>>> uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>> compat: memberUid: qchang
>>>>
>>>> It also reveals that GUI does not display anything for "compat" tree,
>>>> but I can use
>>>> ldap tools to show compat entries.
>>>> My questions:
>>>> 1, why do we have two trees created? I vaguely remember that it is
>>>> mentioned that
>>>>      compat is for support of IPA as an NIS proxy?
>>>
>>> cn=compat is a view of the data in rfc2307-compatible format (so
>>> memberUid instead of member). It isn't a separate copy.
>>>
>>> It is so clients that don't support 2307bis can still authenticate and
>>> identify users using nss_ldap.
>>>
>>>> 2, Can the migration script be modified to convert "memberUid" to
>>>> "member" for
>>>>      accounts tree? Or can I modify it manually and load the tree with
>>>> ldapmod without
>>>>      breaking IPA?
>>>
>>> It already can, see the --schema option.
>>>
>> it says:
>>   --schema=['RFC2307bis', 'RFC2307']
>>                          The schema used on the LDAP server. Supported
>> values
>>                          are RFC2307 and RFC2307bis. The default is
>> RFC2307bis
>>
>> I assume I am using the default. Does this mean that I should use
>> RFC2307 instead?
>> It does not make much sense to me because my OpenLDAP server is using
>> RFC2307 if I understand your comments above right.
>
> If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to 
> specify membership) then use --schema=RFC2307.
>
> You are specifying the remote schema, not the local schema.
>
Indeed it is the remote schema. For future reference, this is my command line:
# ipa -d migrate-ds ldap://ldap:389 --bind-dn=cn=Manager,dc=... --group-container=ou=group \
    --group-overwrite-gid --schema=RFC2307 --with-compat --group-objectclass=posixGroup

> rob
Your help is much appreciated!

Qing
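As an added example (not code from the thread or from the FreeIPA project), the script below shows the attribute mapping Rob describes: an RFC2307 group carries `memberUid: <uid>` values, while the RFC2307bis form held under cn=accounts carries `member: <user DN>` values, and cn=compat presents the latter back in memberUid form. It classifies a group entry so you can pick the right `--schema` value for the remote server, converts between the two forms, and checks that a compat-style entry agrees with its accounts-style counterpart. The sample LDIF is constructed, and the user container `cn=users,cn=accounts` under the base DN is an assumption about the IPA layout, not something the thread states.

```python
"""Convert group membership between RFC2307 (memberUid) and RFC2307bis
(member DN) and verify that the two views agree.

Added example, not from the thread or the FreeIPA project. Assumptions:
the IPA user container is cn=users,cn=accounts under BASE_DN, and the
sample LDIF below is constructed for illustration."""
import re

BASE_DN = "dc=sri,dc=utoronto,dc=ca"
USER_CONTAINER = "cn=users,cn=accounts"   # assumed IPA layout

# Constructed sample: a posixGroup as exported from the OpenLDAP side (RFC2307).
OPENLDAP_GROUP_LDIF = """\
dn: cn=acdp,ou=group,dc=sri,dc=utoronto,dc=ca
objectClass: posixGroup
cn: acdp
gidNumber: 1001
memberUid: qchang
memberUid: alice
"""


def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # RFC 2849 line folding
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def detect_schema(entry):
    """Return the form a group entry uses, i.e. the value to pass as --schema.
    Decided from membership attributes only; an empty group cannot be classified."""
    if entry.get("member"):
        return "RFC2307bis"
    if entry.get("memberUid"):
        return "RFC2307"
    return None


def uid_to_dn(uid, base_dn=BASE_DN):
    """Build the user DN that cn=accounts would hold for a uid (assumed layout)."""
    return f"uid={uid},{USER_CONTAINER},{base_dn}"


def dn_to_uid(dn):
    """Extract the uid RDN value; reject DNs that are not user entries."""
    m = re.match(r"uid=([^,]+),", dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a user DN: {dn}")
    return m.group(1)


def to_rfc2307bis(entry, base_dn=BASE_DN):
    """RFC2307 -> RFC2307bis: memberUid values become member DNs (accounts form).
    objectClass values are copied unchanged; migrate-ds handles those itself."""
    out = {k: list(v) for k, v in entry.items() if k != "memberUid"}
    for uid in entry.get("memberUid", []):
        out.setdefault("member", []).append(uid_to_dn(uid, base_dn))
    return out


def to_rfc2307(entry):
    """RFC2307bis -> RFC2307: member DNs collapse to memberUid (compat form).
    Members without a uid RDN (nested groups, hosts) are skipped."""
    out = {k: list(v) for k, v in entry.items() if k != "member"}
    uids = []
    for dn in entry.get("member", []):
        try:
            uids.append(dn_to_uid(dn))
        except ValueError:
            continue
    if uids:
        out["memberUid"] = uids
    return out


def same_members(accounts_entry, compat_entry):
    """True when the compat entry lists exactly the user uids of the accounts entry."""
    expected = {dn_to_uid(dn) for dn in accounts_entry.get("member", [])
                if dn.lower().startswith("uid=")}
    return expected == set(compat_entry.get("memberUid", []))


if __name__ == "__main__":
    src = parse_ldif(OPENLDAP_GROUP_LDIF)[0]
    print("remote schema:", detect_schema(src))
    bis = to_rfc2307bis(src)
    for dn in bis["member"]:
        print("member:", dn)
    compat = to_rfc2307(bis)
    print("memberUid:", compat["memberUid"], "consistent:", same_members(bis, compat))
```

Run it as-is to see the constructed group classified as RFC2307 and rewritten into member DNs; feed it an `ldapsearch -LLL` dump of your own group container to check which `--schema` value matches the remote server before migrating. The script only illustrates the attribute mapping; real IPA group entries carry additional objectClasses that migrate-ds sets for you.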
