[Freeipa-users] Problem in "ipa migrate-ds" procedure

Dmitri Pal dpal at redhat.com
Tue Mar 20 12:32:06 UTC 2012


On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
>
>
> On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>>
>>
>>     On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>         Marco Pizzoli wrote:
>>
>>
>>
>>             On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>                Dmitri Pal wrote:
>>
>>                    On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>
>>                        Hi guys,
>>                        I'm trying to migrate my ldap user base to
>>             freeipa. I'm
>>                        using the last
>>                        Release Candidate.
>>
>>                        I already changed "ipa config-mod
>>             --enable-migration=TRUE"
>>                        This is what I have:
>>
>>                        ipa -v migrate-ds
>>                        --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>                        --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>                        --user-objectclass=inetOrgPerson
>>                        --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>                        --group-objectclass=posixGroup
>>                        --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>
>>                        ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>                        Password:
>>                        ipa: INFO: Forwarding 'migrate_ds' to server
>>                        u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>                        ipa: ERROR: Container for group not found at
>>                        ou=groups,dc=mydc1,dc=mydc2.it
>>
>>
>>                        I looked at my ldap server logs and I found out that the search
>>                        executed has scope=1. Actually both for users and groups.
>>                        This is a problem for me, in having a lot of subtrees (ou) in
>>                        which my users and groups are. Is there a way to manage this?
>>
>>                        Thanks in advance
>>                        Marco
>>
>>                        P.s. As a side note, I suppose there's a typo in the verbose
>>                        message I obtain in my output:
>>                        ipa: INFO: Forwarding 'migrate_ds' to server
>>                        *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>
>>
>>                    Please open tickets for both issues.
>>
>>
>>                Well, I don't think either is a bug.
>>
>>                If you have users/groups in multiple places you'll
>>             need to migrate
>>                them individually for now. It is safe to run
>>             migrate-ds multiple
>>                times, existing users are not migrated.
>>
>>
>>             I just re-executed by specifying a nested ou for my groups.
>>             This is what I got:
>>
>>             ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>>             ipa: INFO: Forwarding 'migrate_ds' to server
>>             u'http://freeipa01.unix.csebo.it/ipa/xml'
>>             -----------
>>             migrate-ds:
>>             -----------
>>             Migrated:
>>             Failed user:
>>               fw03075_no: Type or value exists:
>>               [other users listed]
>>             Failed group:
>>               pdbac32: Type or value exists:
>>               [other groups listed]
>>             ----------
>>             Passwords have been migrated in pre-hashed format.
>>             IPA is unable to generate Kerberos keys unless provided
>>             with clear text passwords. All migrated users need to
>>             login at https://your.domain/ipa/migration/ before they
>>             can use their Kerberos accounts.
>>
>>             I don't understand what it's trying to tell me.
>>             On my FreeIPA ldap server I don't see any imported user.
>>
>>             What's my fault here?
>>
>>
>>                The u is a python-ism for unicode. This is not a bug.
>>
>>
>>             Please, could you give a little more detail on this? It's
>>             only a hint on
>>             what that data represents in a Python variable?
>>
>>             Thanks again
>>             Marco
>>
>>
>>         Type or value exists occurs when one tries to add an
>>         attribute value to an entry that already exists.
>>
>>         I suspect that the underlying problem is different between
>>         users and groups.
>>
>>         For groups it is likely adding a duplicate member.
>>
>>         For users I'm not really sure. It could be one of the POSIX
>>         attributes. What does a failed entry look like?
>>
>>         rob
>>
>>
>>     The user entry:
>>     ------------------------
>>     dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
>>     description: fw03075
>>     cn: fw03075
>>     uidNumber: 11013
>>     gidNumber: 503
>>     homeDirectory: /home/fw03075
>>     loginShell: /bin/sh
>>     gecos: fw03075
>>     shadowLastChange: 13059
>>     shadowMax: 99999
>>     shadowWarning: 7
>>     objectClass: inetOrgPerson
>>     objectClass: posixAccount
>>     objectClass: shadowAccount
>>     objectClass: top
>>     objectClass: xxxPeopleAttributes
>>     sn: SN_NON_IMPOSTATO
>>     givenName: GIVENNAME_NON_IMPOSTATO
>>     xxxUfficio: UFFICIO_NON_IMPOSTATO
>>     xxxTipoUtente: tecnico
>>     uid: fw03075_NO
>>     userPassword: secret
>>
>>
>>     group entry:
>>     -------------------
>>     dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
>>     gidNumber: 10015
>>     member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
>>     member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
>>     member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
>>     memberUid: NESSUNO
>>     memberUid: aaa415
>>     memberUid: bbb446
>>     xxxAmbiente: prod
>>     xxxDB2GruppiPrivilegi: instance_owner
>>     description: Mydescription
>>     xxxTipoGruppo: db
>>     objectClass: top
>>     objectClass: posixGroup
>>     objectClass: groupOfNames
>>     objectClass: xxxGroupsAttributes
>>     objectClass: xxxDB2GroupsAttributes
>>     cn: pdbac32
>>
>>     Thanks again
>>     Marco
>>
>>
>
>     Do you by any chance have a _group_ with name "fw03075_NO" and
>     _user_ with name "pdbac32"?
>     Maybe you are hitting a collision on a managed group?
>
>
> Well, yes and no.
>
> No, I don't have a group called "fw03075_NO" and No, I don't have a
> user called "pdbac32".
>
> Yes, I have some users uid=samename  and groups cn=samename, but they
> are not found in the group subtree (ou) from where I launched "ipa
> migrate-ds".
>
> If this is the problem, where can I have any evidence of the actual
> problem?
>

Can you search those names in the IPA LDAP tree after the migration? Maybe
there is some object already there with the same cn that collides.
This way we would be able to determine what the colliding object is and
take it from there. It might collide on some other attribute in the
entry and just be reported by uid and cn.

> Thanks again
> Marco


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
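The thread above ends with two practical questions: what a "Type or value exists" error from the directory points at (a value being added to an entry that already holds it, for example a duplicate member in a group), and whether a user uid and a group cn share a name, which matters because IPA's managed user private groups carry the user's name. The following script is an added example, not FreeIPA's or the list participants' code: it parses an LDIF dump of the source users and groups and reports both conditions before `ipa migrate-ds` is run. The sample LDIF is constructed from the entries quoted above, with a duplicate `memberUid` and a deliberately shared name `shared` added to exercise the checks; the case-insensitive value comparison is an approximation of the directory's matching rules.

```python
"""Pre-migration sanity check for entries destined for ipa migrate-ds.

Added example (not FreeIPA code). Reports duplicate attribute values inside
one entry (what the directory rejects with "Type or value exists") and names
used both as a user uid and a group cn (which collide with the user private
group IPA creates for each migrated user).
"""
import base64
from collections import Counter, defaultdict

# Constructed sample modelled on the entries quoted in the thread; the repeated
# memberUid and the uid/cn "shared" are added on purpose to trigger the checks.
SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
uid: fw03075_NO
cn: fw03075
uidNumber: 11013
gidNumber: 503
objectClass: inetOrgPerson
objectClass: posixAccount

dn: uid=shared,ou=People,dc=mydc1,dc=mydc2.it
uid: shared
cn: shared
uidNumber: 11014
gidNumber: 503
objectClass: inetOrgPerson
objectClass: posixAccount

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
cn: pdbac32
gidNumber: 10015
description: Mydescription for the
  pdbac32 database group
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
memberUid: aaa415
memberUid: bbb446
memberUid: aaa415
objectClass: posixGroup
objectClass: groupOfNames

dn: cn=shared,ou=Groups,dc=mydc1,dc=mydc2.it
cn: shared
gidNumber: 10016
objectClass: posixGroup
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries ({attr: [values]}, attr names lowercased).

    Handles folded lines (leading space) and base64 values ("attr:: ...").
    Values are kept as lists, not sets, so duplicates survive for inspection.
    """
    entries, current, logical = [], None, []

    def flush():
        nonlocal current
        if not logical:
            return
        line = "".join(logical)
        logical.clear()
        if line.startswith("#"):
            return
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries.append(current)
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current[attr].append(value)

    for raw in text.splitlines():
        if raw == "":  # blank line terminates the record
            flush()
            current = None
        elif raw.startswith(" "):  # continuation of the previous line
            logical.append(raw[1:])
        else:
            flush()
            logical.append(raw)
    flush()
    return entries


def _norm(value):
    # Approximation: cn, uid and member DNs compare case-insensitively in
    # 389-ds; memberUid is case-exact per RFC 2307, so this may over-report.
    return value.strip().lower()


def duplicate_values(entry):
    """Attributes whose value list repeats a value (the 'Type or value exists' case)."""
    result = {}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        counts = Counter(_norm(v) for v in values)
        dups = sorted(v for v, n in counts.items() if n > 1)
        if dups:
            result[attr] = dups
    return result


def classify(entry):
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" in classes or "inetorgperson" in classes:
        return "user"
    if "posixgroup" in classes or "groupofnames" in classes:
        return "group"
    return "other"


def name_collisions(entries):
    """Names used both as a user uid and as a group cn."""
    uids = {_norm(v) for e in entries if classify(e) == "user" for v in e.get("uid", [])}
    cns = {_norm(v) for e in entries if classify(e) == "group" for v in e.get("cn", [])}
    return uids & cns


def check(text):
    """Run both checks over an LDIF text and return the findings."""
    entries = parse_ldif(text)
    return {
        "duplicates": {e["dn"][0]: d for e in entries if (d := duplicate_values(e))},
        "collisions": sorted(name_collisions(entries)),
    }


if __name__ == "__main__":
    findings = check(SAMPLE_LDIF)
    for dn, dups in findings["duplicates"].items():
        print("duplicate values in %s: %s" % (dn, dups))
    print("uid/cn collisions:", findings["collisions"])
```

On a real migration the LDIF would come from `ldapsearch -LLL` against the source directory; the checks only need the attributes shown, so the dump can be restricted to `uid`, `cn`, `member`, `memberUid` and `objectClass`.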


