[Freeipa-users] Problem in "ipa migrate-ds" procedure

Dmitri Pal dpal at redhat.com
Mon Mar 19 13:40:41 UTC 2012


On 03/19/2012 08:56 AM, Marco Pizzoli wrote:
>
>
> On Mon, Mar 19, 2012 at 1:43 PM, Simo Sorce <simo at redhat.com> wrote:
>
>     On Sun, 2012-03-18 at 18:33 +0100, Marco Pizzoli wrote:
>     >
>     >
>     > On Sun, Mar 18, 2012 at 5:49 PM, Dmitri Pal <dpal at redhat.com> wrote:
>     >         On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>     >         > Hi guys,
>     >         > I'm trying to migrate my ldap user base to freeipa. I'm
>     >         > using the last Release Candidate.
>     >         >
>     >         > I already changed "ipa config-mod --enable-migration=TRUE"
>     >         > This is what I have:
>     >         >
>     >         > ipa -v migrate-ds
>     >         > --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>     >         > --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>     >         > --user-objectclass=inetOrgPerson
>     >         > --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>     >         > --group-objectclass=posixGroup
>     >         > --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>     >         > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>     >         > Password:
>     >         > ipa: INFO: Forwarding 'migrate_ds' to server
>     >         > u'http://freeipa01.unix.mydomain.it/ipa/xml'
>     >         > ipa: ERROR: Container for group not found at
>     >         > ou=groups,dc=mydc1,dc=mydc2.it
>     >         >
>     >         > I looked at my ldap server logs and I found out that the
>     >         > search executed has scope=1. Actually both for users and
>     >         > groups. This is a problem for me, in having a lot of
>     >         > subtrees (ou) in which my users and groups are. Is there a
>     >         > way to manage this?
>     >         >
>     >         > Thanks in advance
>     >         > Marco
>     >         >
>     >         > P.s. As a side note, I suppose there's a typo in the verbose
>     >         > message I obtain in my output:
>     >         > ipa: INFO: Forwarding 'migrate_ds' to server
>     >         > u'http://freeipa01.unix.mydomain.it/ipa/xml'
>     >
>     >
>     >         Please open tickets for both issues.
>     >
>     >
>     > Done:
>     > https://fedorahosted.org/freeipa/ticket/2547
>     > https://fedorahosted.org/freeipa/ticket/2546
>     >
>     > Do you have a hint on how to manage to do this import in the meantime?
>     > Every manual step is ok for me.
>
>     Maybe you can try performing a new migration for each of the subtrees
>     you have in your source tree, assuming it is a reasonable number, by
>     reconfiguring the migrate-ds bases between each run.
>
>
> Yes, I was thinking the same... :-)
> To be able to script "ipa migrate-ds", I would need a parameter for
> setting the password on the CLI. I suppose it isn't there by design,
> right?
>

Will it handle the case when the group has members from different levels
and some of the users are not picked by the search? In this case I
suspect the user group membership might be lost. I am not sure that this
is the case. Just something to pay attention to.

> Thanks again
> Marco
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
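
An added example, not part of the original message and not FreeIPA code: a pre-flight check for the per-subtree workaround discussed above. It models a one-level (scope=1) search over a constructed sample directory, lists the containers that would each need their own run, and flags group members that a given run's user search would not pick up. The sample DNs, the function names and the use of `memberUid` for posixGroup membership are assumptions for illustration.

```python
# Constructed sample directory (not from the thread): DN -> attributes.
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=test": {"uid": "alice"},
    "uid=bob,ou=staff,ou=people,dc=example,dc=test": {"uid": "bob"},
    "uid=carol,ou=staff,ou=people,dc=example,dc=test": {"uid": "carol"},
    "cn=admins,ou=groups,dc=example,dc=test": {"memberUid": ["alice", "bob"]},
    "cn=ops,ou=unix,ou=groups,dc=example,dc=test": {"memberUid": ["carol"]},
}
PEOPLE = "ou=people,dc=example,dc=test"
GROUPS = "ou=groups,dc=example,dc=test"

def norm(dn):
    # Assumption: no escaped commas inside RDN values (true for the sample).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent(dn):
    return norm(dn).split(",", 1)[1]

def one_level(entries, base):
    """DNs a scope=1 search under `base` returns: direct children only."""
    return sorted(dn for dn in map(norm, entries) if parent(dn) == norm(base))

def containers(entries, base, attr):
    """Containers at or below `base` that directly hold an entry carrying
    `attr`; with a one-level search each one needs its own migration run."""
    b = norm(base)
    return sorted({parent(dn) for dn, attrs in entries.items()
                   if attr in attrs
                   and (parent(dn) == b or parent(dn).endswith("," + b))})

def missed_members(entries, user_base, group_base):
    """For a single run: memberUid values in the groups found that match no
    user found by that run's one-level user search (memberships to verify)."""
    by_dn = {norm(dn): attrs for dn, attrs in entries.items()}
    found = {by_dn[dn]["uid"] for dn in one_level(entries, user_base)
             if "uid" in by_dn[dn]}
    report = {}
    for gdn in one_level(entries, group_base):
        missing = [u for u in by_dn[gdn].get("memberUid", []) if u not in found]
        if missing:
            report[gdn] = missing
    return report

if __name__ == "__main__":
    print("user containers: ", containers(SAMPLE, PEOPLE, "uid"))
    print("group containers:", containers(SAMPLE, GROUPS, "memberUid"))
    print("to verify:       ", missed_members(SAMPLE, PEOPLE, GROUPS))
```

Memberships listed under "to verify" are the ones to check on the IPA side after all runs have completed.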

