[Freeipa-users] Problem in "ipa migrate-ds" procedure
Rob Crittenden
rcritten at redhat.com
Tue Mar 20 18:14:30 UTC 2012
Dmitri Pal wrote:
> On 03/20/2012 09:09 AM, Marco Pizzoli wrote:
>>
>>
>> On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
>>>
>>>
>>> On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>> On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>>>>
>>>>
>>>> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>> Marco Pizzoli wrote:
>>>>
>>>>
>>>>
>>>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>> Dmitri Pal wrote:
>>>>
>>>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>>
>>>> Hi guys,
>>>> I'm trying to migrate my ldap user base to freeipa. I'm
>>>> using the last
>>>> Release Candidate.
>>>>
>>>> I already changed "ipa config-mod
>>>> --enable-migration=TRUE"
>>>> This is what I have:
>>>>
>>>> ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it" --user-objectclass=inetOrgPerson
>>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>>> --group-objectclass=posixGroup
>>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>>
>>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>> Password:
>>>> ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>> ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it
>>>>
>>>>
>>>> I looked at my ldap server logs and I found out that
>>>> the search
>>>> executed has scope=1. Actually both for users and
>>>> groups.
>>>> This is a
>>>> problem for me, in having a lot of subtrees (ou) in
>>>> which my
>>>> users and
>>>> groups are. Is there a way to manage this?
>>>>
>>>> Thanks in advance
>>>> Marco
>>>>
>>>> P.s. As a side note, I suppose there's a typo in the
>>>> verbose
>>>> message I
>>>> obtain in my output:
>>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>>> *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>>
>>>>
>>>> Please open tickets for both issues.
>>>>
>>>>
>>>> Well, I don't think either is a bug.
>>>>
>>>> If you have users/groups in multiple places you'll
>>>> need to migrate
>>>> them individually for now. It is safe to run
>>>> migrate-ds multiple
>>>> times, existing users are not migrated.
>>>>
>>>>
>>>> I just re-executed by specifying a nested ou for my
>>>> groups.
>>>> This is what I got:
>>>>
>>>> ipa: INFO: trying
>>>> https://freeipa01.unix.csebo.it/ipa/xml
>>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>>> u'http://freeipa01.unix.csebo.it/ipa/xml'
>>>> -----------
>>>> migrate-ds:
>>>> -----------
>>>> Migrated:
>>>> Failed user:
>>>> fw03075_no: Type or value exists:
>>>> [other users listed]
>>>> Failed group:
>>>> pdbac32: Type or value exists:
>>>> [other groups listed]
>>>> ----------
>>>> Passwords have been migrated in pre-hashed format.
>>>> IPA is unable to generate Kerberos keys unless provided
>>>> with clear text passwords. All migrated users need to
>>>> login at https://your.domain/ipa/migration/ before they
>>>> can use their Kerberos accounts.
>>>>
>>>> I don't understand what it's trying to tell me.
>>>> On my FreeIPA ldap server I don't see any imported user.
>>>>
>>>> What's my fault here?
>>>>
>>>>
>>>> The u is a python-ism for unicode. This is not a bug.
>>>>
>>>>
>>>> Please, could you give a little more detail on this?
>>>> It's only a hint on
>>>> what that data represents in a Python variable?
>>>>
>>>> Thanks again
>>>> Marco
>>>>
>>>>
>>>> Type or value exists occurs when one tries to add an
>>>> attribute value to an entry that already exists.
>>>>
>>>> I suspect that the underlying problem is different
>>>> between users and groups.
>>>>
>>>> For groups it is likely adding a duplicate member.
>>>>
>>>> For users I'm not really sure. It could be one of the
>>>> POSIX attributes. What does a failed entry look like?
>>>>
>>>> rob
>>>>
>>>>
>>>> The user entry:
>>>> ------------------------
>>>> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
>>>> description: fw03075
>>>> cn: fw03075
>>>> uidNumber: 11013
>>>> gidNumber: 503
>>>> homeDirectory: /home/fw03075
>>>> loginShell: /bin/sh
>>>> gecos: fw03075
>>>> shadowLastChange: 13059
>>>> shadowMax: 99999
>>>> shadowWarning: 7
>>>> objectClass: inetOrgPerson
>>>> objectClass: posixAccount
>>>> objectClass: shadowAccount
>>>> objectClass: top
>>>> objectClass: xxxPeopleAttributes
>>>> sn: SN_NON_IMPOSTATO
>>>> givenName: GIVENNAME_NON_IMPOSTATO
>>>> xxxUfficio: UFFICIO_NON_IMPOSTATO
>>>> xxxTipoUtente: tecnico
>>>> uid: fw03075_NO
>>>> userPassword: secret
>>>>
>>>>
>>>> group entry:
>>>> -------------------
>>>> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
>>>> gidNumber: 10015
>>>> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
>>>> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
>>>> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
>>>> memberUid: NESSUNO
>>>> memberUid: aaa415
>>>> memberUid: bbb446
>>>> xxxAmbiente: prod
>>>> xxxDB2GruppiPrivilegi: instance_owner
>>>> description: Mydescription
>>>> xxxTipoGruppo: db
>>>> objectClass: top
>>>> objectClass: posixGroup
>>>> objectClass: groupOfNames
>>>> objectClass: xxxGroupsAttributes
>>>> objectClass: xxxDB2GroupsAttributes
>>>> cn: pdbac32
>>>>
>>>> Thanks again
>>>> Marco
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> Do you by any chance have a _group_ with name "fw03075_NO"
>>> and _user_ with name "pdbac32"?
>>> Maybe you are hitting a collision on managed group managed?
>>>
>>>
>>> Well, yes and no.
>>>
>>> No, I don't have a group called "fw03075_NO" and No, I don't have
>>> a user called "pdbac32".
>>>
>>> Yes, I have some users uid=samename and groups cn=samename, but
>>> they are not found in the group subtree (ou) from where I
>>> launched "ipa migrate-ds".
>>>
>>> If this is the problem, where can I have any evidence of the
>>> actual problem?
>>>
>>
>> Can you search those names in the IPA LDAP tree after the
>> migration? Maybe there is some object already there with the same
>> cn that collides. This way we would be able to determine what the
>> colliding object is and take it from there. It might collide on
>> some other attribute in the entry and just be reported by uid and cn.
>>
>>
>> Here it is:
>>
>> [root at freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory
>> Manager" -W -b "dc=unix,dc=mydomain,dc=it" -s sub "(uid=fw03075_NO)"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=unix,dc= mydomain ,dc=it> with scope subtree
>> # filter: (uid=fw03075_NO)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>> [root at freeipa01 ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory
>> Manager" -W -b "dc=unix,dc= mydomain ,dc=it" -s sub "(cn=fw03075_NO)"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=unix,dc= mydomain ,dc=it> with scope subtree
>> # filter: (cn=fw03075_NO)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> Same thing for "pdbac32".
>>
>> Or were you asking me something more complicated?
>>
>> My group and user tree is almost empty. There are only default groups
>> and 5/6 users created by hand.
>> Yes, some of them have the same uid as the one manually created, but
>> they represent only a minority of the total.
>>
>> Marco
>>
>
> I am running out of ideas. Rob, any clues?
Not yet. This isn't a duplicate entry problem, it must have something to
do with the way we create the new users in IPA. I think this is going to
require setting up a similar machine and trying to reproduce it.
rob
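The scope problem discussed in the thread (migrate-ds searching the container with scope one, while the groups live several OUs deeper) can be checked against an LDIF export before anything is run. This is an added example, not FreeIPA's code: it emulates LDAP search scope on DNs and lists the distinct parent containers holding posixAccount/posixGroup entries, i.e. one migrate-ds run per container, as Rob suggests. It assumes an unwrapped LDIF dump with no escaped commas in DNs; the sample is constructed from the entries quoted above.

```python
# Constructed LDIF sample modelled on the entries quoted in the thread (not a
# real export): user under ou=People, pdbac32 four OUs below ou=Groups, dba directly under it.
SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: posixAccount
uid: fw03075_NO

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: pdbac32

dn: cn=dba,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: dba
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from an unwrapped, unencoded LDIF dump."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries

def rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]  # assumes no escaped commas

def in_scope(dn, base, scope):
    """Emulate LDAP search scope: 'one' = direct children of base, 'sub' = whole subtree."""
    d, b = rdns(dn), rdns(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return scope == "sub" or len(d) == len(b) + 1

def containers(entries, base, objectclass):
    """Distinct parent DNs of objectclass entries under base: the --user-container /
    --group-container values needed, one migrate-ds run each, since its search is scope one."""
    found = set()
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if in_scope(dn, base, "sub") and objectclass.lower() in classes:
            found.add(",".join(p.strip() for p in dn.split(",")[1:]))
    return sorted(found)
```

Running `containers(parse_ldif(SAMPLE_LDIF), "ou=Groups,dc=mydc1,dc=mydc2.it", "posixGroup")` yields both `ou=Groups,...` and the nested `ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,...`, which is why a single run against `ou=groups` reported "Container for group not found" for the nested groups.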