[Freeipa-users] Problem in "ipa migrate-ds" procedure

Marco Pizzoli marco.pizzoli at gmail.com
Mon Mar 19 14:33:17 UTC 2012


On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Dmitri Pal wrote:
>
>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>
>>> Hi guys,
>>> I'm trying to migrate my ldap user base to freeipa. I'm using the last
>>> Release Candidate.
>>>
>>> I already changed "ipa config-mod --enable-migration=TRUE"
>>> This is what I have:
>>>
>>> ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>> --user-objectclass=inetOrgPerson
>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>> --group-objectclass=posixGroup --base-dn="dc=mydc1,dc=mydc2.it"
>>> --with-compat ldap://ldap01
>>>
>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>> Password:
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>> ipa: ERROR: Container for group not found at
>>> ou=groups,dc=mydc1,dc=mydc2.it
>>>
>>>
>>> I looked at my ldap server logs and I found out that the search
>>> executed has scope=1. Actually both for users and groups. This is a
>>> problem for me, as I have a lot of subtrees (ou) in which my users and
>>> groups are. Is there a way to manage this?
>>>
>>> Thanks in advance
>>> Marco
>>>
>>> P.s. As a side note, I suppose there's a typo in the verbose message I
>>> obtain in my output:
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>
>>
>> Please open tickets for both issues.
>>
>
> Well, I don't think either is a bug.
>
> If you have users/groups in multiple places you'll need to migrate them
> individually for now. It is safe to run migrate-ds multiple times, existing
> users are not migrated.
>

I just re-executed by specifying a nested ou for my groups.
This is what I got:

ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
-----------
migrate-ds:
-----------
Migrated:
Failed user:
  fw03075_no: Type or value exists:
  [other users listed]
Failed group:
  pdbac32: Type or value exists:
  [other groups listed]
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

I don't understand what it's trying to tell me.
On my FreeIPA ldap server I don't see any imported user.

What's my fault here?


>
> The u is a python-ism for unicode. This is not a bug.
>

Please, could you give a little more detail on this? Is it only a hint about
what that data represents in a Python variable?

Thanks again
Marco


>
> rob
>
>
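Added example, not part of the original thread and not FreeIPA's code: a small Python model of LDAP search scopes showing why the scope=1 (one-level) search mentioned above returns only direct children of a container, and how to list the nested containers that would each need their own migrate-ds run. The user DNs are constructed sample data under the container named in the thread, and the DN parsing is simplified (no escaped commas).

```python
# LDAP search scope values as they appear in server logs (scope=0/1/2).
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2

def parse_dn(dn):
    """Split a DN into normalized RDNs. Simplified: no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn would be matched by a search at base_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not under base at all
    depth = len(entry) - len(base)        # 0 = base itself, 1 = direct child
    if scope == SCOPE_BASE:
        return depth == 0
    if scope == SCOPE_ONELEVEL:
        return depth == 1
    return True                           # subtree: base and all descendants

def search(entries, base_dn, scope):
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]

def containers_to_migrate(entries, base_dn):
    """Parent container of every entry below base_dn, in first-seen order.
    With a one-level search, each of these needs a separate run."""
    base_len, parents = len(parse_dn(base_dn)), []
    for dn in search(entries, base_dn, SCOPE_SUBTREE):
        rdns = parse_dn(dn)
        if len(rdns) == base_len:
            continue                      # skip the base entry itself
        parent = ",".join(rdns[1:])
        if parent not in parents:
            parents.append(parent)
    return parents

# Constructed sample: user entries spread over nested OUs.
PEOPLE = "ou=people,dc=mydc1,dc=mydc2.it"
USERS = [
    "uid=alice," + PEOPLE,
    "uid=bob,ou=sales," + PEOPLE,
    "uid=carol,ou=sales," + PEOPLE,
    "uid=dave,ou=emea,ou=sales," + PEOPLE,
]

if __name__ == "__main__":
    print("scope=1 finds:", search(USERS, PEOPLE, SCOPE_ONELEVEL))
    for container in containers_to_migrate(USERS, PEOPLE):
        print("needs its own run:", container)
```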