[Freeipa-users] Problem in "ipa migrate-ds" procedure

Rob Crittenden rcritten at redhat.com
Mon Mar 19 19:31:28 UTC 2012


Marco Pizzoli wrote:
>
>
> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Dmitri Pal wrote:
>
>         On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>
>             Hi guys,
>             I'm trying to migrate my ldap user base to freeipa. I'm
>             using the last
>             Release Candidate.
>
>             I already changed "ipa config-mod --enable-migration=TRUE"
>             This is what I have:
>
>             ipa -v migrate-ds
>             --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>             --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>             --user-objectclass=inetOrgPerson
>             --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>             --group-objectclass=posixGroup
>             --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>
>             ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>             Password:
>             ipa: INFO: Forwarding 'migrate_ds' to server
>             u'http://freeipa01.unix.mydomain.it/ipa/xml'
>             ipa: ERROR: Container for group not found at
>             ou=groups,dc=mydc1,dc=mydc2.it
>
>
>             I looked at my ldap server logs and I found out that the search
>             executed has scope=1. Actually both for users and groups.
>             This is a
>             problem for me, in having a lot of subtrees (ou) in which my
>             users and
>             groups are. Is there a way to manage this?
>
>             Thanks in advance
>             Marco
>
>             P.s. As a side note, I suppose there's a typo in the verbose
>             message I
>             obtain in my output:
>             ipa: INFO: Forwarding 'migrate_ds' to server
>             *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>
>
>         Please open tickets for both issues.
>
>
>     Well, I don't think either is a bug.
>
>     If you have users/groups in multiple places you'll need to migrate
>     them individually for now. It is safe to run migrate-ds multiple
>     times, existing users are not migrated.
>
>
> I just re-executed by specifying a nested ou for my groups.
> This is what I got:
>
> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
> ipa: INFO: Forwarding 'migrate_ds' to server
> u'http://freeipa01.unix.csebo.it/ipa/xml'
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
>    fw03075_no: Type or value exists:
>    [other users listed]
> Failed group:
>    pdbac32: Type or value exists:
>    [other groups listed]
> ----------
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
>
> I don't understand what it's trying to tell me.
> On my FreeIPA ldap server I don't see any imported user.
>
> What's my fault here?
>
>
>     The u is a python-ism for unicode. This is not a bug.
>
>
> Please, could you give a little more detail on this? It's only a hint on
> what that data represents in a Python variable?
>
> Thanks again
> Marco

Type or value exists occurs when one tries to add an attribute value to 
an entry that already exists.

I suspect that the underlying problem is different between users and groups.

For groups it is likely adding a duplicate member.

For users I'm not really sure. It could be one of the POSIX attributes. 
What does a failed entry look like?

rob
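
A pre-migration check for the duplicate-member case suggested above, as an added example that is not part of the original message or of FreeIPA's code: it scans an LDIF export of the source groups for values that repeat within one entry, the condition an LDAP server reports as "Type or value exists" (result code 20, attributeOrValueExists). The sample LDIF, the entry names, the function names and the simplified DN normalization are constructed assumptions.

```python
import base64
from collections import Counter, defaultdict

# Constructed sample (not from the thread): each group repeats one member.
_B64 = base64.b64encode(b"uid=Carol, ou=People,dc=example,dc=com").decode()
SAMPLE_LDIF = f"""\
dn: cn=grp1,ou=sub,ou=groups,dc=example,dc=com
memberUid: alice
memberUid: alice

dn: cn=ops,ou=groups,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
member:: {_B64}
member: uid=dave,ou=people,dc=example,
 dc=com
"""
DN_ATTRS = {"member", "uniquemember"}  # compared as DNs; others compared exactly

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding lines and decoding base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        # RFC 2849: a line starting with one space continues the previous line
        attrs = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():
            name, _, rest = line.partition(":")
            if rest.startswith(":"):            # "attr:: <base64>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            attrs[name.lower()].append(rest.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], dict(attrs)))
    return entries

def normalize(attr, value):
    """Simplified DN matching (assumption: no escaped commas in the DNs)."""
    if attr not in DN_ATTRS:
        return value
    rdns = (rdn.split("=", 1) for rdn in value.split(","))
    return ",".join("=".join(p.strip() for p in rdn) for rdn in rdns).lower()

def find_duplicates(ldif_text):
    """Map (dn, attr) -> normalized values that occur more than once."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        for attr, values in attrs.items():
            counts = Counter(normalize(attr, v) for v in values)
            dups = sorted(k for k, n in counts.items() if n > 1)
            if dups:
                report[(dn, attr)] = dups
    return report
```

Any entry it reports is worth comparing against the groups listed under "Failed group" before re-running the migration.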



