[Freeipa-users] Problem in "ipa migrate-ds" procedure

Marco Pizzoli marco.pizzoli at gmail.com
Tue Mar 20 13:09:49 UTC 2012


On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
>
>
>
> On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>   On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>>
>>
>>
>> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Marco Pizzoli wrote:
>>>
>>>>
>>>>
>>>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>>    Dmitri Pal wrote:
>>>>
>>>>        On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>>
>>>>            Hi guys,
>>>>            I'm trying to migrate my ldap user base to freeipa. I'm
>>>>            using the last
>>>>            Release Candidate.
>>>>
>>>>            I already changed "ipa config-mod --enable-migration=TRUE"
>>>>            This is what I have:
>>>>
>>>>            ipa -v migrate-ds
>>>>             --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>>>            --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>>>            --user-objectclass=inetOrgPerson
>>>>            --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>>>            --group-objectclass=posixGroup
>>>>            --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>>
>>>>            ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>>            Password:
>>>>            ipa: INFO: Forwarding 'migrate_ds' to server
>>>>             u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>>            ipa: ERROR: Container for group not found at
>>>>            ou=groups,dc=mydc1,dc=mydc2.it
>>>>
>>>>
>>>>            I looked at my ldap server logs and I found out that the search
>>>>            executed has scope=1. Actually both for users and groups. This is a
>>>>            problem for me, in having a lot of subtrees (ou) in which my
>>>>            users and groups are. Is there a way to manage this?
>>>>
>>>>            Thanks in advance
>>>>            Marco
>>>>
>>>>            P.s. As a side note, I suppose there's a typo in the verbose
>>>>            message I obtain in my output:
>>>>            ipa: INFO: Forwarding 'migrate_ds' to server
>>>>             *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>>
>>>>
>>>>        Please open tickets for both issues.
>>>>
>>>>
>>>>    Well, I don't think either is a bug.
>>>>
>>>>    If you have users/groups in multiple places you'll need to migrate
>>>>    them individually for now. It is safe to run migrate-ds multiple
>>>>    times, existing users are not migrated.
>>>>
>>>>
>>>> I just re-executed by specifying a nested ou for my groups.
>>>> This is what I got:
>>>>
>>>> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>>> u'http://freeipa01.unix.csebo.it/ipa/xml'
>>>> -----------
>>>> migrate-ds:
>>>> -----------
>>>> Migrated:
>>>> Failed user:
>>>>   fw03075_no: Type or value exists:
>>>>   [other users listed]
>>>> Failed group:
>>>>   pdbac32: Type or value exists:
>>>>   [other groups listed]
>>>> ----------
>>>> Passwords have been migrated in pre-hashed format.
>>>> IPA is unable to generate Kerberos keys unless provided
>>>> with clear text passwords. All migrated users need to
>>>> login at https://your.domain/ipa/migration/ before they
>>>> can use their Kerberos accounts.
>>>>
>>>> I don't understand what it's trying to tell me.
>>>> On my FreeIPA ldap server I don't see any imported user.
>>>>
>>>> What's my fault here?
>>>>
>>>>
>>>>    The u is a python-ism for unicode. This is not a bug.
>>>>
>>>>
>>>> Please, could you give a little more detail on this? It's only a hint on
>>>> what that data represents in a Python variable?
>>>>
>>>> Thanks again
>>>> Marco
>>>>
>>>
>>> Type or value exists occurs when one tries to add an attribute value to
>>> an entry that already exists.
>>>
>>> I suspect that the underlying problem is different between users and
>>> groups.
>>>
>>> For groups it is likely adding a duplicate member.
>>>
>>> For users I'm not really sure. It could be one of the POSIX attributes.
>>> What does a failed entry look like?
>>>
>>> rob
>>>
>>
>> The user entry:
>> ------------------------
>> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
>> description: fw03075
>> cn: fw03075
>> uidNumber: 11013
>> gidNumber: 503
>> homeDirectory: /home/fw03075
>> loginShell: /bin/sh
>> gecos: fw03075
>> shadowLastChange: 13059
>> shadowMax: 99999
>> shadowWarning: 7
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: top
>> objectClass: xxxPeopleAttributes
>> sn: SN_NON_IMPOSTATO
>> givenName: GIVENNAME_NON_IMPOSTATO
>> xxxUfficio: UFFICIO_NON_IMPOSTATO
>> xxxTipoUtente: tecnico
>> uid: fw03075_NO
>> userPassword: secret
>>
>>
>> group entry:
>> -------------------
>> dn:
>> cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=
>> mydc2.it
>> gidNumber: 10015
>> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
>> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
>> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
>> memberUid: NESSUNO
>> memberUid: aaa415
>> memberUid: bbb446
>> xxxAmbiente: prod
>> xxxDB2GruppiPrivilegi: instance_owner
>> description: Mydescription
>> xxxTipoGruppo: db
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: groupOfNames
>> objectClass: xxxGroupsAttributes
>> objectClass: xxxDB2GroupsAttributes
>> cn: pdbac32
>>
>> Thanks again
>> Marco
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> Do you by any chance have a *group* with name "fw03075_NO" and *user* with name "pdbac32"?
>> Maybe you are hitting a collision on managed group?
>>
>
> Well, yes and no.
>
> No, I don't have a group called "fw03075_NO" and No, I don't have a user
> called "pdbac32".
>
> Yes, I have some users uid=samename  and groups cn=samename, but they are
> not found in the group subtree (ou) from where I launched "ipa migrate-ds".
>
> If this is the problem, where can I have any evidence of the actual
> problem?
>
>
> Can you search those names in the IPA LDAP tree after the migration? May
> be there is some object already there with the same cn that collides. This
> way we would be able to determine what the colliding object is and take it
> from there. It might collide on some other attribute in the entry and just
> be reported by uid and cn.
>

Here it is:

[root at freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager"
-W -b "dc=unix,dc=mydomain,dc=it" -s sub "(uid=fw03075_NO)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=mydomain,dc=it> with scope subtree
# filter: (uid=fw03075_NO)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root at freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager"
-W -b "dc=unix,dc=mydomain,dc=it" -s sub "(cn=fw03075_NO)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=mydomain,dc=it> with scope subtree
# filter: (cn=fw03075_NO)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Same thing for "pdbac32".

Or were you asking me something more complicated?

My group and user tree is almost empty. There are only default groups and
5/6 users created by hand.
Yes, some of them have the same uid as the ones manually created, but they
represent only a minority of the total.

Marco



>
>
>  Thanks again
> Marco
>
>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
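The thread raises three things worth checking in the source directory before running migrate-ds: which containers actually hold users and groups (the search is one level deep, so nested ou's need separate `--user-container` / `--group-container` runs), whether any entry repeats an attribute value (the directory rejects that as "Type or value exists"), and whether a user uid coincides with a group cn (FreeIPA creates a private group named after each user, so that name is already taken). The script below is an added example, not code from the thread or from FreeIPA; it works offline on a constructed LDIF export (the `dc=example,dc=test` tree and entry names are invented for the example) using only the Python standard library.

```python
"""Offline audit of an LDIF export before 'ipa migrate-ds' (added example,
not FreeIPA code). On a constructed LDIF it reports: the containers that hold
users and groups (migrate-ds searches each container one level deep only),
values repeated inside one entry (rejected by the directory as 'Type or value
exists'), and user uids equal to a group cn (IPA creates a private group named
after each user, so such a name is already taken). Standard library only."""
import base64
from collections import defaultdict

# Constructed sample export, shaped like the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: alice

dn: uid=dbadm,ou=Tecnici,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: dbadm
cn: dbadm

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=Groups,dc=example,dc=test
objectClass: posixGroup
cn: pdbac32
gidNumber: 10015
memberUid: alice
memberUid: Alice

dn: cn=dbadm,ou=Groups,dc=example,dc=test
objectClass: posixGroup
cn: dbadm
gidNumber: 10016
memberUid: dbadm
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]. Handles folded lines, comments and
    base64 ('::') values; attribute names are lowercased because LDAP
    treats them case-insensitively."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
    return entries

def has_objectclass(attrs, oc):
    return oc.lower() in {v.lower() for v in attrs.get("objectclass", [])}

def parent_dn(dn):
    return dn.split(",", 1)[1]   # assumes no escaped commas in the RDN

def containers(entries, objectclass):
    """Distinct parent DNs of entries with objectclass: each one needs its
    own migrate-ds run (as --user-container / --group-container)."""
    return sorted({parent_dn(dn) for dn, a in entries if has_objectclass(a, objectclass)})

def duplicate_values(entries):
    """(dn, attribute, value) for every value repeated within one entry.
    Most syntaxes compare case-insensitively, so 'alice' == 'Alice'."""
    hits = []
    for dn, attrs in entries:
        for name, values in attrs.items():
            seen = set()
            for v in values:
                if v.lower() in seen:
                    hits.append((dn, name, v))
                seen.add(v.lower())
    return hits

def uid_cn_collisions(entries):
    """User uids that equal some group cn."""
    uids = {v.lower() for _, a in entries if has_objectclass(a, "posixAccount") for v in a.get("uid", [])}
    cns = {v.lower() for _, a in entries if has_objectclass(a, "posixGroup") for v in a.get("cn", [])}
    return sorted(uids & cns)

if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("user containers  :", containers(found, "posixAccount"))
    print("group containers :", containers(found, "posixGroup"))
    print("duplicate values :", duplicate_values(found))
    print("uid/cn collisions:", uid_cn_collisions(found))
```

On a real export (for example the output of `ldapsearch -LLL` against the source server, redirected to a file) replace `SAMPLE_LDIF` with the file contents; the container list tells you how many migrate-ds invocations are needed, and the duplicate and collision lists point at the entries to clean up or rename before they fail with "Type or value exists".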