[Freeipa-users] Problem in "ipa migrate-ds" procedure

Marco Pizzoli marco.pizzoli at gmail.com
Mon Mar 19 22:54:42 UTC 2012


On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Marco Pizzoli wrote:
>
>>
>>
>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>>    Dmitri Pal wrote:
>>
>>        On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>
>>            Hi guys,
>>            I'm trying to migrate my ldap user base to freeipa. I'm
>>            using the latest Release Candidate.
>>
>>            I already changed "ipa config-mod --enable-migration=TRUE"
>>            This is what I have:
>>
>>            ipa -v migrate-ds
>>            --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>            --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>            --user-objectclass=inetOrgPerson
>>            --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>            --group-objectclass=posixGroup
>>            --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>
>>            ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>            Password:
>>            ipa: INFO: Forwarding 'migrate_ds' to server
>>            u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>            ipa: ERROR: Container for group not found at
>>            ou=groups,dc=mydc1,dc=mydc2.it
>>
>>
>>            I looked at my ldap server logs and I found out that the search
>>            executed has scope=1, both for users and groups. This is a
>>            problem for me, since I have a lot of subtrees (ou) in which my
>>            users and groups are. Is there a way to manage this?
>>
>>            Thanks in advance
>>            Marco
>>
>>            P.s. As a side note, I suppose there's a typo in the verbose
>>            message I obtain in my output:
>>            ipa: INFO: Forwarding 'migrate_ds' to server
>>            *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>
>>
>>        Please open tickets for both issues.
>>
>>
>>    Well, I don't think either is a bug.
>>
>>    If you have users/groups in multiple places you'll need to migrate
>>    them individually for now. It is safe to run migrate-ds multiple
>>    times, existing users are not migrated.
>>
>>
>> I just re-executed it, specifying a nested ou for my groups.
>> This is what I got:
>>
>> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>> ipa: INFO: Forwarding 'migrate_ds' to server
>> u'http://freeipa01.unix.csebo.it/ipa/xml'
>> -----------
>> migrate-ds:
>> -----------
>> Migrated:
>> Failed user:
>>   fw03075_no: Type or value exists:
>>   [other users listed]
>> Failed group:
>>   pdbac32: Type or value exists:
>>   [other groups listed]
>> ----------
>> Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts.
>>
>> I don't understand what it's trying to tell me.
>> On my FreeIPA ldap server I don't see any imported user.
>>
>> What's my fault here?
>>
>>
>>    The u is a python-ism for unicode. This is not a bug.
>>
>>
>> Please, could you give a little more detail on this? Is it only a hint on
>> what that data represents in a Python variable?
>>
>> Thanks again
>> Marco
>>
>
> Type or value exists occurs when one tries to add an attribute value to an
> entry that already exists.
>
> I suspect that the underlying problem is different between users and
> groups.
>
> For groups it is likely adding a duplicate member.
>
> For users I'm not really sure. It could be one of the POSIX attributes.
> What does a failed entry look like?
>
> rob
>

The user entry:
------------------------
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
description: fw03075
cn: fw03075
uidNumber: 11013
gidNumber: 503
homeDirectory: /home/fw03075
loginShell: /bin/sh
gecos: fw03075
shadowLastChange: 13059
shadowMax: 99999
shadowWarning: 7
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: xxxPeopleAttributes
sn: SN_NON_IMPOSTATO
givenName: GIVENNAME_NON_IMPOSTATO
xxxUfficio: UFFICIO_NON_IMPOSTATO
xxxTipoUtente: tecnico
uid: fw03075_NO
userPassword: secret


group entry:
-------------------
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
gidNumber: 10015
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
memberUid: NESSUNO
memberUid: aaa415
memberUid: bbb446
xxxAmbiente: prod
xxxDB2GruppiPrivilegi: instance_owner
description: Mydescription
xxxTipoGruppo: db
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
objectClass: xxxGroupsAttributes
objectClass: xxxDB2GroupsAttributes
cn: pdbac32

Thanks again
Marco
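Added example, not code from the thread or from FreeIPA: a small pre-flight check over an LDIF export of the source directory. Because migrate-ds searches each container with scope=1, it lists the immediate parent containers of all entries with a given objectClass (one --user-container or --group-container per run), and it reports group member DNs that name no exported entry, which is one way a group can end up with a questionable member. The sample LDIF is constructed and the DN parsing assumes no escaped commas in RDNs.

```python
import re
from collections import defaultdict

# Constructed sample export, not the poster's directory: one user in a nested
# ou and a group DN folded over two lines, like the entry quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson

dn: uid=aaa415,ou=team1,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=
 mydc2.it
objectClass: posixGroup
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=team1,ou=People,dc=mydc1,dc=mydc2.it
"""

def parse_ldif(text):
    """Parse plain LDIF (folded lines handled, base64 values not) into [(dn, attrs)]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in re.sub(r"\n ", "", block).splitlines():  # undo RFC 2849 folding
            key, _, val = line.partition(": ")
            if key == "dn":
                dn = val
            else:
                attrs[key].append(val)
        entries.append((dn, attrs))
    return entries

def parent_dn(dn):
    return dn.split(",", 1)[1]   # assumes no escaped commas in the RDN

def containers(entries, objectclass):
    """Immediate parent DN -> count of matching entries directly beneath it.
    Each key is one container a scope=1 migrate-ds search would need."""
    counts = defaultdict(int)
    for dn, attrs in entries:
        if objectclass in attrs["objectClass"]:
            counts[parent_dn(dn)] += 1
    return dict(counts)

def dangling_members(entries):
    """Group DN -> member DNs naming no entry in the export."""
    known = {dn.lower() for dn, _ in entries}
    bad = {dn: [m for m in attrs["member"] if m.lower() not in known] for dn, attrs in entries}
    return {dn: missing for dn, missing in bad.items() if missing}
```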