[Freeipa-users] Migration fails with custom objectClasses
Dmitri Pal
dpal at redhat.com
Wed Oct 15 22:46:56 UTC 2014
On 10/15/2014 06:43 PM, Clint Savage wrote:
> On Wed, Oct 15, 2014 at 2:33 PM, Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> On 10/15/2014 02:05 PM, Rob Crittenden wrote:
>
> Clint Savage wrote:
>
> $ rpm -q ipa-server
> ipa-server-3.3.3-28.el7.centos.1.x86_64
>
> I was thinking that this might be an issue with the rhel7
> version. I'm
> going to be trying the same migration tonight on rhel6. I
> know the IPA
> version is older, and samba stuff might not work as it
> does in 3.3. I
> haven't looked in RHEL 6.6 yet to see what version of IPA
> is available.
>
> I tested using a fairly recent IPA master build (4.1+). I'm not
> convinced it is related to any specific version, but different
> features
> are available so I thought I'd try to duplicate on a more similar
> footing (apples to apples comparision).
>
> The trick is to try to narrow down what attribute the LDAP
> server thinks
> already exists. We don't get a very nice error out of LDAP,
> like *what*
> attribute already exists, for example :-(
>
> It may be possible to set the 389-ds debug level to such that
> you get
> some decent output, but trying to find the right balance of
> output can
> be challenging. See their FAQ troubleshooting section.
>
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> Try the ARGS (Heavy trace output debugging) level
>
>
>
> rob
>
>
> Clint
>
> On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden
> <rcritten at redhat.com <mailto:rcritten at redhat.com>
> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>>
> wrote:
>
> Ludwig Krispenz wrote:
> >
> > On 10/14/2014 06:58 PM, Clint Savage wrote:
> >> Hi all,
> >>
> >> I've been working on a migration plan using three
> custom user
> >> objectClasses and one group objectclass. In my
> attempt, I've setup an
> >> openldap server with the proper schemas, imported
> the ldif and have
> >> records that look something like this in ldif format.
> >>
> >>
>
> -----------------------------------------------------------------------
> >>
> >> dn: dc=example,dc=com
> >> objectClass: top
> >> objectClass: domain
> >> dc: example
> >>
> >> dn: ou=Groups,dc=example,dc=com
> >> objectClass: top
> >> objectClass: organizationalunit
> >> ou: Groups
> >>
> >> dn: ou=People,dc=example,dc=com
> >> objectClass: top
> >> objectClass: organizationalunit
> >> ou: People
> >>
> >> dn: uid=amyengh,ou=People,dc=example,dc=com
> >> objectClass: inetOrgPerson
> >> objectClass: posixAccount
> >> objectClass: top
> >> objectClass: organizationalPerson
> >> objectClass: person
> >> objectClass: radiusProfile
> >> objectClass: sambaSamAccount
> >> objectClass: customPersonAttributes
> >> cn: Amy Engh
> >> gidNumber: 1141801056
> >> homeDirectory: /home/amyengh
> >> sn: Engh
> >> uid: amyengh
> >> uidNumber: 1141801056
> >> displayName: Amy Engh
> >> givenName: Amy
> >> loginShell: /sbin/nologin
> >> mail: amyengh at attask.com
> <mailto:amyengh at attask.com> <mailto:amyengh at attask.com
> <mailto:amyengh at attask.com>>
> <mailto:amyengh at attask.com
> <mailto:amyengh at attask.com> <mailto:amyengh at attask.com
> <mailto:amyengh at attask.com>>>
> >> userPassword:: REDACTED
> >> dialupAccess: yes
> >> radiusTunnelMediumType: IEEE-802
> >> radiusTunnelPrivateGroupId: 1421
> >> radiusTunnelType: VLAN
> >> emailPassword:: REDACTED
> >> sambaAcctFlags: [U ]
> >> sambaLMPassword: REDACTED
> >> sambaNTPassword: REDACTED
> >> sambaPasswordHistory:
> >> 000000000000000000000000000000000000000000000000000000
> >> 0000000000
> >> sambaPwdLastSet: 1402698001
> >> sambaSID:
> S-1-5-21-2332447373-4108748234-3602490535-3146
> >>
> >> dn: cn=amyengh,ou=Groups,dc=example,dc=com
> >> objectClass: top
> >> objectClass: posixGroup
> >> cn: amyengh
> >> gidNumber: 1141801056
> >> memberUid: amyengh
> >>
> >>
> --------------------------------------------------------------------
> >>
> >> I then run the migration (with or without compat
> makes no difference)
> >> and get the following:
> >>
> >> ipa migrate-ds --with-compat
> --user-container="ou=People"
> >> --group-container="ou=Groups"
> --user-objectclass=posixAccount
> >> --group-objectclass=posixgroup
> ldap://192.168.122.210 <http://192.168.122.210>
> <http://192.168.122.210>
> >> <http://192.168.122.210>
> --bind-dn="cn=Manager,dc=example,dc=com"
> >> Password:
> >> -----------
> >> migrate-ds:
> >> -----------
> >> Migrated:
> >> Failed user:
> >> amyengh: Type or value exists:
> >> Failed group:
> >> amyengh: This entry already exists.
> > "type or value exists" and "This entry already
> exists" are just
> > explanations of the ldap return code, do you see
> anything in the 389 ds
> > error logs ?
>
> I doubt that he would see any errors.
>
> The entry already existing is because this isn't his
> first migration, it
> is unrelated.
>
> I'm not able to reproduce this. What version of IPA
> is it?
>
> rob
>
> --
> Manage your subscription for the Freeipa-users
> mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
>
> This is what I get in the logs when running the migration:
>
> ==> access <==
> [15/Oct/2014:18:35:46 -0400] conn=8 op=166 SRCH
> base="idnsName=_tcp,idnsname=example.com
> <http://example.com>,cn=dns,dc=example,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [15/Oct/2014:18:35:46 -0400] conn=8 op=166 RESULT err=32 tag=101
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 fd=79 slot=79 connection from
> 192.168.122.200 to 192.168.122.200
> [15/Oct/2014:18:35:48 -0400] conn=4 op=960 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/EXAMPLE.COM at EXAMPLE.COM
> <mailto:EXAMPLE.COM at EXAMPLE.COM>))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=960 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=961 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipa7.example.com at EXAMPLE.COM
> <mailto:ipa7.example.com at EXAMPLE.COM>)(krbPrincipalName=ldap/ipa7.example.com at EXAMPLE.COM
> <mailto:ipa7.example.com at EXAMPLE.COM>)))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=961 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=962 SRCH base="cn=EXAMPLE.COM
> <http://EXAMPLE.COM>,cn=kerberos,dc=example,dc=com" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=962 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=963 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipa7.example.com at EXAMPLE.COM
> <mailto:ipa7.example.com at EXAMPLE.COM>))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=963 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=964 SRCH base="cn=EXAMPLE.COM
> <http://EXAMPLE.COM>,cn=kerberos,dc=example,dc=com" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=964 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=965 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipa7.example.com at EXAMPLE.COM
> <mailto:ipa7.example.com at EXAMPLE.COM>))" attrs="objectClass
> memberPrincipal"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=965 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=966 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin at EXAMPLE.COM
> <mailto:admin at EXAMPLE.COM>))" attrs="krbPrincipalName krbCanonicalName
> ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=966 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=967 SRCH base="cn=EXAMPLE.COM
> <http://EXAMPLE.COM>,cn=kerberos,dc=example,dc=com" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=967 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=0 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Oct/2014:18:35:48 -0400] conn=606 op=0 RESULT err=14 tag=97
> nentries=0 etime=0, SASL bind in progress
> [15/Oct/2014:18:35:48 -0400] conn=606 op=1 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Oct/2014:18:35:48 -0400] conn=606 op=1 RESULT err=14 tag=97
> nentries=0 etime=0, SASL bind in progress
> [15/Oct/2014:18:35:48 -0400] conn=606 op=2 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Oct/2014:18:35:48 -0400] conn=606 op=2 RESULT err=0 tag=97
> nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=3 SRCH
> base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs=ALL
> [15/Oct/2014:18:35:48 -0400] conn=606 op=3 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=4 SRCH
> base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs="gidNumber cn"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=4 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=5 SRCH base="cn=UPG
> Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com"
> scope=0 filter="(objectClass=*)" attrs="* aci"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=5 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=6 SRCH
> base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs=ALL
> [15/Oct/2014:18:35:48 -0400] conn=606 op=6 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=7 SRCH
> base="cn=users,cn=accounts,dc=example,dc=com" scope=2
> filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=amyengh at EXAMPLE.COM
> <mailto:amyengh at EXAMPLE.COM>))" attrs=""
> [15/Oct/2014:18:35:48 -0400] conn=606 op=7 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=8 ADD
> dn="uid=amyengh,cn=users,cn=accounts,dc=example,dc=com", add values
> for type objectClass failed
> [15/Oct/2014:18:35:48 -0400] conn=606 op=8 RESULT err=20 tag=105
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=9 SRCH
> base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs="gidNumber cn"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=9 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=10 SRCH base="cn=UPG
> Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com"
> scope=0 filter="(objectClass=*)" attrs="* aci"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=10 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=11 ADD
> dn="cn=amyengh,cn=groups,cn=accounts,dc=example,dc=com"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=11 RESULT err=68 tag=105
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=12 SRCH
> base="cn=users,cn=accounts,dc=example,dc=com" scope=2
> filter="(&(objectClass=posixAccount)(!(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com)))"
> attrs=""
> [15/Oct/2014:18:35:48 -0400] conn=606 op=12 RESULT err=0 tag=101
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=13 UNBIND
> [15/Oct/2014:18:35:48 -0400] conn=606 op=13 fd=79 closed - U1
>
> It kind of looks like there's some sort of failure with my gidNumber
> or cn, but both the user and group objects have these values. Any idea
> what is going on there?
>
>
Do you have a group GID that is also a UID?
IPA automatically creates private groups that have GID same as UID of
the user. But this means that if you have an explicit group with the
same GID it will collide.
Just a thought. I have not actually inspected the log above.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141015/d5f6c0bc/attachment.htm>
More information about the Freeipa-users
mailing list