[Freeipa-users] Migration fails with custom objectClasses

Clint Savage herlo1 at gmail.com
Tue Oct 14 16:58:36 UTC 2014

Hi all,

I've been working on a migration plan using three custom user objectClasses
and one group objectclass. In my attempt, I've set up an openldap server
with the proper schemas, imported the ldif and have records that look
something like this in ldif format.


dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=amyengh,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
objectClass: radiusProfile
objectClass: sambaSamAccount
objectClass: customPersonAttributes
cn: Amy Engh
gidNumber: 1141801056
homeDirectory: /home/amyengh
sn: Engh
uid: amyengh
uidNumber: 1141801056
displayName: Amy Engh
givenName: Amy
loginShell: /sbin/nologin
mail: amyengh at attask.com
userPassword:: REDACTED
dialupAccess: yes
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 1421
radiusTunnelType: VLAN
emailPassword:: REDACTED
sambaAcctFlags: [U          ]
sambaLMPassword: REDACTED
sambaNTPassword: REDACTED
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1402698001
sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146

dn: cn=amyengh,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: amyengh
gidNumber: 1141801056
memberUid: amyengh


I then run the migration (with or without compat makes no difference) and
get the following:

ipa migrate-ds --with-compat --user-container="ou=People" --group-container="ou=Groups" --user-objectclass=posixAccount --group-objectclass=posixgroup ldap://
Failed user:
  amyengh: Type or value exists:
Failed group:
  amyengh: This entry already exists. Check GID of the existing group. Use --group-overwrite-gid option to overwrite the GID
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

The objectclasses are listed in the configuration properly:

# ipa config-show --all
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, sambaGroupMapping
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, radiusProfile, customPersonAttributes, sambaSamAccount

I can verify the objectclasses appear to work when I add a user manually,
though I have not updated the plugins to allow entries for the above.

My question exists around the error ' amyengh: Type or value exists:'. I
can take out the custom objectclasses, and this error goes away. I've
looked into all of the custom objectclasses and don't see anything that
would indicate errors. I have some 5k+ records to migrate and don't want to
have to manipulate the ldif and then create modify records just to get the
data into IPA.

Any suggestions to help me identify why this is happening? I'd be happy to
provide further information as requested.

