[Freeipa-users] Problem in "ipa migrate-ds" procedure
Dmitri Pal
dpal at redhat.com
Tue Mar 20 13:53:12 UTC 2012
On 03/20/2012 09:09 AM, Marco Pizzoli wrote:
>
>
> On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
>>
>>
>> On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>>>
>>>
>>> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>> Marco Pizzoli wrote:
>>>
>>>
>>>
>>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>> Dmitri Pal wrote:
>>>
>>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>
>>> Hi guys,
>>> I'm trying to migrate my ldap user base
>>> to freeipa. I'm
>>> using the last
>>> Release Candidate.
>>>
>>> I already changed "ipa config-mod
>>> --enable-migration=TRUE"
>>> This is what I have:
>>>
>>> ipa -v migrate-ds
>>> --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>> --user-objectclass=inetOrgPerson
>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>> --group-objectclass=posixGroup
>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat
>>> ldap://ldap01
>>>
>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>> Password:
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>> ipa: ERROR: Container for group not found at
>>> ou=groups,dc=mydc1,dc=mydc2.it
>>>
>>>
>>> I looked at my ldap server logs and I found out that the search
>>> executed has scope=1, actually both for users and groups.
>>> This is a problem for me, as I have a lot of subtrees (ou) in which my
>>> users and groups are. Is there a way to manage this?
>>>
>>> Thanks in advance
>>> Marco
>>>
>>> P.s. As a side note, I suppose there's a typo in the verbose
>>> message I obtain in my output:
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>
>>>
>>> Please open tickets for both issues.
>>>
>>>
>>> Well, I don't think either is a bug.
>>>
>>> If you have users/groups in multiple places
>>> you'll need to migrate
>>> them individually for now. It is safe to run
>>> migrate-ds multiple
>>> times, existing users are not migrated.
>>>
>>>
>>> I just re-executed by specifying a nested ou for my groups.
>>> This is what I got:
>>>
>>> ipa: INFO: trying
>>> https://freeipa01.unix.csebo.it/ipa/xml
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> u'http://freeipa01.unix.csebo.it/ipa/xml'
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> Failed user:
>>> fw03075_no: Type or value exists:
>>> [other users listed]
>>> Failed group:
>>> pdbac32: Type or value exists:
>>> [other groups listed]
>>> ----------
>>> Passwords have been migrated in pre-hashed format.
>>> IPA is unable to generate Kerberos keys unless provided
>>> with clear text passwords. All migrated users need to
>>> login at https://your.domain/ipa/migration/ before they
>>> can use their Kerberos accounts.
>>>
>>> I don't understand what it's trying to tell me.
>>> On my FreeIPA ldap server I don't see any imported user.
>>>
>>> What's my fault here?
>>>
>>>
>>> The u is a python-ism for unicode. This is not a bug.
>>>
>>>
>>> Please, could you give a little more detail on this?
>>> Is it only a hint on what that data represents in a Python variable?
>>>
>>> Thanks again
>>> Marco
>>>
>>>
>>> Type or value exists occurs when one tries to add an
>>> attribute value to an entry that already exists.
>>>
>>> I suspect that the underlying problem is different
>>> between users and groups.
>>>
>>> For groups it is likely adding a duplicate member.
>>>
>>> For users I'm not really sure. It could be one of the
>>> POSIX attributes. What does a failed entry look like?
>>>
>>> rob
>>>
>>>
>>> The user entry:
>>> ------------------------
>>> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
>>> description: fw03075
>>> cn: fw03075
>>> uidNumber: 11013
>>> gidNumber: 503
>>> homeDirectory: /home/fw03075
>>> loginShell: /bin/sh
>>> gecos: fw03075
>>> shadowLastChange: 13059
>>> shadowMax: 99999
>>> shadowWarning: 7
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: top
>>> objectClass: xxxPeopleAttributes
>>> sn: SN_NON_IMPOSTATO
>>> givenName: GIVENNAME_NON_IMPOSTATO
>>> xxxUfficio: UFFICIO_NON_IMPOSTATO
>>> xxxTipoUtente: tecnico
>>> uid: fw03075_NO
>>> userPassword: secret
>>>
>>>
>>> group entry:
>>> -------------------
>>> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
>>> gidNumber: 10015
>>> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
>>> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
>>> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
>>> memberUid: NESSUNO
>>> memberUid: aaa415
>>> memberUid: bbb446
>>> xxxAmbiente: prod
>>> xxxDB2GruppiPrivilegi: instance_owner
>>> description: Mydescription
>>> xxxTipoGruppo: db
>>> objectClass: top
>>> objectClass: posixGroup
>>> objectClass: groupOfNames
>>> objectClass: xxxGroupsAttributes
>>> objectClass: xxxDB2GroupsAttributes
>>> cn: pdbac32
>>>
>>> Thanks again
>>> Marco
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> Do you by any chance have a _group_ with name "fw03075_NO"
>> and a _user_ with name "pdbac32"?
>> Maybe you are hitting a collision on a managed group?
>>
>>
>> Well, yes and no.
>>
>> No, I don't have a group called "fw03075_NO" and No, I don't have
>> a user called "pdbac32".
>>
>> Yes, I have some users uid=samename and groups cn=samename, but
>> they are not found in the group subtree (ou) from where I
>> launched "ipa migrate-ds".
>>
>> If this is the problem, where can I have any evidence of the
>> actual problem?
>>
>
> Can you search those names in the IPA LDAP tree after the
> migration? Maybe there is some object already there with the same
> cn that collides. This way we would be able to determine what the
> colliding object is and take it from there. It might collide on
> some other attribute in the entry and just be reported by uid and cn.
>
>
> Here it is:
>
> [root at freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(uid=fw03075_NO)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=unix,dc=mydomain,dc=it> with scope subtree
> # filter: (uid=fw03075_NO)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> [root at freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(cn=fw03075_NO)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=unix,dc=mydomain,dc=it> with scope subtree
> # filter: (cn=fw03075_NO)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Same thing for "pdbac32".
>
> Or were you asking me something more complicated?
>
> My group and user tree is almost empty. There are only the default groups
> and 5/6 users created by hand.
> Yes, some of them have the same uid as the ones created manually, but
> they represent only a minority of the total.
>
> Marco
>
I am running out of ideas. Rob, any clues?
>
>
>
>
>> Thanks again
>> Marco
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
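Rob's explanation in the thread is that "Type or value exists" (LDAP result code 20, attributeOrValueExists) is the server refusing to add a value that an entry's attribute already holds, with a duplicate member being the likely trigger for groups. As an added example, not code from the thread or from the FreeIPA project, the following check scans an LDIF export of the source directory for values that collide under LDAP's equality rules before migrate-ds is run; it goes a little beyond the thread by also treating DN values that differ only in case or whitespace as duplicates. The DN_ATTRS list and the sample LDIF (modelled on the entries Marco posted, with one duplicate added) are assumptions.

```python
import re
# Attributes with DN syntax (assumed list), compared after DN normalisation.
DN_ATTRS = {"member", "uniquemember", "owner", "seealso", "manager"}
# Constructed sample LDIF modelled on the thread's entries; the second
# "member" line and the repeated memberUid are added to produce hits.
SAMPLE_LDIF = """\
dn: cn=pdbac32,ou=Groups,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=AAA415, ou=people,dc=mydc1,dc=mydc2.it
memberUid: aaa415
memberUid: bbb446
memberUid: Aaa415
objectClass: posixGroup
cn: pdbac32

dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
uid: fw03075_NO
cn: fw03075
"""

def parse_ldif(text):
    """[(dn, [(attr, value), ...])] per entry; folded lines joined, comments
    skipped, base64 (::) values left undecoded."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        pairs = [tuple(s.strip() for s in ln.partition(":")[::2])
                 for ln in block.splitlines() if ln and not ln.startswith("#")]
        dn = next(v for a, v in pairs if a.lower() == "dn")
        entries.append((dn, [p for p in pairs if p[0].lower() != "dn"]))
    return entries

def normalize(attr, value):
    """Key under which the server's equality rule treats two values as one:
    caseIgnoreMatch (cn, uid, memberUid) or distinguishedNameMatch (DNs)."""
    attr = attr.lower()
    if attr in DN_ATTRS:  # drop whitespace around ',' and '=' in DNs
        value = re.sub(r"\s*([,=])\s*", r"\1", value)
    return attr, value.casefold()

def find_duplicate_values(entries):
    """Map each DN to the groups of (attr, value) pairs that collide."""
    report = {}
    for dn, attrs in entries:
        seen = {}
        for attr, value in attrs:
            seen.setdefault(normalize(attr, value), []).append((attr, value))
        dups = [group for group in seen.values() if len(group) > 1]
        if dups:
            report[dn] = dups
    return report
```

Run it over `ldapsearch -LLL ... > export.ldif` output from the source server; an entry reported here is one the migration would have to add twice the same value to, so it is the first place to look for a "Type or value exists" failure.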