[Freeipa-users] Migrating from a hybrid web/posix LDAP

Rob Crittenden rcritten at redhat.com
Mon Jul 14 18:27:15 UTC 2014


Petr Spacek wrote:
> On 13.7.2014 03:31, Nordgren, Bryce L -FS wrote:
>> Hi guys,
>>
>> I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr
>> repos. Install and config went fine. Kinit: fine. Trying to migrate
>> from my old ldap setup: problem.  Old ldap setup primarily had
>> accounts for web apps (inetOrgPerson) and a few accounts with
>> everything needed for login (posixAccount).
>>
>> "ipa migrate-ds" for the existing posixAccounts: works fine.
>>
>> Migrating the web-only accounts requires a bit more manual labor, and
>> isn't working yet. I extracted a csv of my "web-only" accounts and
>> made a script to upgrade them with posix attributes and add them to
>> freeipa. Each line looks like:
>>
>> ipa user-add "bill.mathews" --last="Mathews" --first="William"
>> --email="blah" --phone="xxx-yyy-zzzz" --setattr
>> userpassword="{SHA}bunchajunka" --setattr o="University of Tweedle"
>> --gidnumber=65534 --uid=2000063
>>
>> And I get:
>>
>> ERROR: Constraint violation: invalid password syntax - passwords with
>> storage scheme are not allowed
>>
>> I was inspired to include the password this way from: 
>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
> 
> I believe it should work if you do
> $ ipa config-mod --enable-migration=true
> as stated on the page above.
> 
> Rob, do you know what we are missing? :-)

Seems to be caused by https://fedorahosted.org/389/ticket/47389 and
fixed by https://fedorahosted.org/389/ticket/47753 which is not yet in a
release AFAICT.

I don't see a workaround. Even setting migration mode doesn't fix it in
my test.

rob

> 
> Petr^2 Spacek
> 
>>
>> Is there any password preserving way to migrate my web-only accounts
>> using "ipa user-add"? If there's no easy answer, I'll probably just
>> add the attributes in the current ldap, then let "ipa migrate-ds" work
>> its magic. But I want to see user-add work if it's possible.
>>
>> Thanks,
>> Bryce
>> PS: I believe all instances of "service dirsrv restart" on
>> http://www.freeipa.org/docs/master/html-desktop/index.html#finding-excluding-entries
>> need to be changed to "systemctl restart dirsrv.target", since there
>> is no "dirsrv.service".
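
The fallback Bryce describes in the quoted message (add the posix attributes in the existing LDAP, then run "ipa migrate-ds") can be scripted as below. This is an added example, not code from the thread or from the FreeIPA project. The CSV column name, the base DN, the uid= RDN, the home directory pattern and the login shell are assumptions; the gid and starting uid are the ones in the quoted user-add line.

```python
import csv, io, re

# Assumptions (not from the thread): CSV column name, base DN, home path, shell.
BASE_DN = "ou=People,dc=example,dc=com"
SAFE_UID = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

def posix_upgrade_ldif(csv_text, first_uid, gid=65534, base_dn=BASE_DN):
    """Return LDIF that adds posixAccount attributes to existing entries.

    userPassword is never touched, so the stored hash stays as it is.
    """
    records, seen = [], set()
    uid_number = first_uid
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["uid"].strip()
        # Reject names that would need DN escaping or LDIF base64 encoding.
        if not SAFE_UID.match(uid):
            raise ValueError(f"unsafe uid: {uid!r}")
        if uid in seen:
            raise ValueError(f"duplicate uid: {uid!r}")
        seen.add(uid)
        records.append("\n".join([
            f"dn: uid={uid},{base_dn}",
            "changetype: modify",
            "add: objectClass",
            "objectClass: posixAccount",
            "-",
            "add: uidNumber",
            f"uidNumber: {uid_number}",
            "-",
            "add: gidNumber",
            f"gidNumber: {gid}",
            "-",
            "add: homeDirectory",
            f"homeDirectory: /home/{uid}",
            "-",
            "add: loginShell",
            "loginShell: /bin/sh",
            "-",
        ]))
        uid_number += 1
    return "\n\n".join(records) + "\n"

# Constructed sample input, not data from the thread.
SAMPLE_CSV = "uid,first,last\nbill.mathews,William,Mathews\njane.doe,Jane,Doe\n"

if __name__ == "__main__":
    print(posix_upgrade_ldif(SAMPLE_CSV, first_uid=2000063), end="")
```

The output is meant to be reviewed and then applied to the old directory with ldapmodify before running the migration.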



