[Freeipa-users] Problem in "ipa migrate-ds" procedure

Rob Crittenden rcritten at redhat.com
Mon Mar 19 13:53:44 UTC 2012


Dmitri Pal wrote:
> On 03/19/2012 08:56 AM, Marco Pizzoli wrote:
>>
>>
>> On Mon, Mar 19, 2012 at 1:43 PM, Simo Sorce <simo at redhat.com> wrote:
>>
>>     On Sun, 2012-03-18 at 18:33 +0100, Marco Pizzoli wrote:
>>     >
>>     >
>>     > On Sun, Mar 18, 2012 at 5:49 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>     > On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>     > > Hi guys,
>>     > > I'm trying to migrate my ldap user base to freeipa. I'm
>>     > > using the last Release Candidate.
>>     > >
>>     > > I already changed "ipa config-mod --enable-migration=TRUE"
>>     > > This is what I have:
>>     > >
>>     > > ipa -v migrate-ds
>>     > > --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>     > > --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>     > > --user-objectclass=inetOrgPerson
>>     > > --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>     > > --group-objectclass=posixGroup
>>     > > --base-dn="dc=mydc1,dc=mydc2.it"
>>     > > --with-compat ldap://ldap01
>>     > > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>     > > Password:
>>     > > ipa: INFO: Forwarding 'migrate_ds' to server
>>     > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>     > > ipa: ERROR: Container for group not found at
>>     > > ou=groups,dc=mydc1,dc=mydc2.it
>>     > >
>>     > > I looked at my ldap server logs and I found out that the
>>     > > search executed has scope=1. Actually both for users and
>>     > > groups. This is a problem for me, in having a lot of
>>     > > subtrees (ou) in which my users and groups are. Is there a
>>     > > way to manage this?
>>     > >
>>     > > Thanks in advance
>>     > > Marco
>>     > >
>>     > > P.s. As a side note, I suppose there's a typo in the verbose
>>     > > message I obtain in my output:
>>     > > ipa: INFO: Forwarding 'migrate_ds' to server
>>     > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>     >
>>     >
>>     > Please open tickets for both issues.
>>     >
>>     >
>>     > Done:
>>     > https://fedorahosted.org/freeipa/ticket/2547
>>     > https://fedorahosted.org/freeipa/ticket/2546
>>     >
>>     > Do you have a hint on how to manage to do this import in the
>>     meantime?
>>     > Every manual step is ok for me.
>>
>>     Maybe you can try performing a new migration for each of the subtrees
>>     you have in your source tree, assuming it is a reasonable number, by
>>     reconfiguring the migrate-ds bases between each run.
>>
>>
>> Yes, I was thinking the same... :-)
>> To be able to script "ipa migrate-ds", I would need a parameter for
>> setting the password on the CLI. I suppose it isn't there by design,
>> right?
>>
>
> Will it handle the case when the group has members from different levels
> and some of the users are not picked by the search? In this case I
> suspect the user group membership might be lost. I am not sure that this
> is the case. Just something to pay attention to.

It doesn't look like we verify the membership so I think it will work 
just fine. It is not invalid in LDAP to have a group with a member that 
doesn't exist, so this shouldn't cause any errors.

You can do something like echo password | ipa migrate-ds 
ldap://myserver.example.com:389 --user-container=...

rob
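Putting Simo's per-subtree suggestion and Rob's stdin trick together, here is an added example script (not from the thread or the FreeIPA project) that discovers the sub-OUs under the user and group containers with ldapsearch and runs "ipa migrate-ds" once per sub-OU, feeding the bind password from a file rather than the command line. It assumes OpenLDAP's ldapsearch, the DIT names from the thread, plain ASCII DNs, and that entries already created by an earlier run are reported as failed and skipped rather than aborting the run.

```shell
#!/bin/sh
# Added example, not code from the thread: work around the scope=1 (one
# level) search that migrate-ds performs by running it once per sub-OU.
# Assumptions: OpenLDAP ldapsearch is installed, the source DIT is the one
# from the thread, and the bind password sits in the file named by
# MIGRATE_PW_FILE so it never appears on the command line or in history.
set -eu

SRC_URI="ldap://ldap01"
BASE_DN="dc=mydc1,dc=mydc2.it"
BIND_DN="cn=manager,$BASE_DN"
USER_ROOT="ou=people,$BASE_DN"
GROUP_ROOT="ou=groups,$BASE_DN"
IPA_CMD="${IPA_CMD:-ipa}"   # overridable so the driver can be dry-run

# list_subtrees ROOT: ROOT plus every organizationalUnit below it, one DN
# per line. Folded or base64-encoded DNs are not handled (plain ASCII DNs
# are assumed, as in the thread).
list_subtrees() {
    {
        echo "$1"
        ldapsearch -LLL -x -H "$SRC_URI" -D "$BIND_DN" -y "$MIGRATE_PW_FILE" \
            -b "$1" -s sub '(objectClass=organizationalUnit)' dn \
            | sed -n 's/^dn: //p'
    } | sort -u
}

# migrate_pair USER_OU GROUP_OU: one migrate-ds run with the password fed
# on stdin, the non-interactive form Rob describes. Entries already
# created by an earlier run are reported as failed and skipped, so
# revisiting a container is harmless (assumption, not verified here).
migrate_pair() {
    "$IPA_CMD" migrate-ds "$SRC_URI" \
        --bind-dn="$BIND_DN" --base-dn="$BASE_DN" \
        --user-container="$1" --user-objectclass=inetOrgPerson \
        --group-container="$2" --group-objectclass=posixGroup \
        --with-compat < "$MIGRATE_PW_FILE"
}

# migrate_all: every user sub-OU against the group root, then every group
# sub-OU against the user root, so each container is visited once.
migrate_all() {
    list_subtrees "$USER_ROOT" | while IFS= read -r ou; do
        migrate_pair "$ou" "$GROUP_ROOT"
    done
    list_subtrees "$GROUP_ROOT" | while IFS= read -r ou; do
        migrate_pair "$USER_ROOT" "$ou"
    done
}

if [ "${MIGRATE_RUN:-0}" = 1 ]; then migrate_all; fi
```

Run it with `MIGRATE_PW_FILE=/path/to/pw MIGRATE_RUN=1 sh migrate-subtrees.sh`; group members that live in a sub-OU migrated by a later run are still listed in the group, which per Rob's reply is accepted by LDAP and causes no error.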
