[Freeipa-users] OpenLDAP migration issues
Dmitri Pal
dpal at redhat.com
Wed Nov 6 15:35:55 UTC 2013
On 11/06/2013 10:03 AM, Ryan M. Casey wrote:
>
> I'm attempting to migrate our OpenLDAP+Kerberos authentication scheme
> to FreeIPA. Running the following migration command:
>
> ipa migrate-ds --bind-dn="cn=admin,dc=foo,dc=com"
> --base-dn="dc=foo,dc=com" --user-container="ou=users"
> --group-container="ou=group" --user-objectclass="posixAccount"
> --group-objectclass="posixGroup" ldap://ldap.foo.com
>
> results in this error in /var/log/httpd/error_log:
>
> ValueError: unable to convert the attribute "krbPrincipalKey" value
>
> I've tried to exclude the attribute using
> --user-attribute-ignore=krbPrincipalKey, but am still receiving the
> same error message. Our server is running Fedora 19 with the latest
> version of FreeIPA available. Anyone have any ideas on how I can
> resolve this?
>
I think a snippet from the log might shed more light. Kerberos logs also
might be valuable.
Can it be that the Kerberos key is an old weak crypto that we reject by
default?
Maybe setting
allow_weak_crypto = true
in krb5.conf on the server would help?
> -Ryan
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.