[Freeipa-users] Migration fails with custom objectClasses
Rich Megginson
rmeggins at redhat.com
Wed Oct 15 23:04:24 UTC 2014
On 10/15/2014 04:43 PM, Clint Savage wrote:
> On Wed, Oct 15, 2014 at 2:33 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> On 10/15/2014 02:05 PM, Rob Crittenden wrote:
>
> Clint Savage wrote:
>
> $ rpm -q ipa-server
> ipa-server-3.3.3-28.el7.centos.1.x86_64
>
> I was thinking that this might be an issue with the rhel7 version. I'm
> going to be trying the same migration tonight on rhel6. I know the IPA
> version is older, and samba stuff might not work as it does in 3.3. I
> haven't looked in RHEL 6.6 yet to see what version of IPA is available.
>
> I tested using a fairly recent IPA master build (4.1+). I'm not
> convinced it is related to any specific version, but different features
> are available so I thought I'd try to duplicate on a more similar
> footing (apples to apples comparison).
>
> The trick is to try to narrow down what attribute the LDAP server thinks
> already exists. We don't get a very nice error out of LDAP, like *what*
> attribute already exists, for example :-(
>
> It may be possible to set the 389-ds debug level such that you get
> some decent output, but trying to find the right balance of output can
> be challenging. See their FAQ troubleshooting section.
>
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> Try the ARGS (Heavy trace output debugging) level
>
>
>
> rob
>
>
> Clint
>
> On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Ludwig Krispenz wrote:
> >
> > On 10/14/2014 06:58 PM, Clint Savage wrote:
> >> Hi all,
> >>
> >> I've been working on a migration plan using three custom user
> >> objectClasses and one group objectclass. In my attempt, I've setup an
> >> openldap server with the proper schemas, imported the ldif and have
> >> records that look something like this in ldif format.
> >>
> >>
>
> -----------------------------------------------------------------------
> >>
> >> dn: dc=example,dc=com
> >> objectClass: top
> >> objectClass: domain
> >> dc: example
> >>
> >> dn: ou=Groups,dc=example,dc=com
> >> objectClass: top
> >> objectClass: organizationalunit
> >> ou: Groups
> >>
> >> dn: ou=People,dc=example,dc=com
> >> objectClass: top
> >> objectClass: organizationalunit
> >> ou: People
> >>
> >> dn: uid=amyengh,ou=People,dc=example,dc=com
> >> objectClass: inetOrgPerson
> >> objectClass: posixAccount
> >> objectClass: top
> >> objectClass: organizationalPerson
> >> objectClass: person
> >> objectClass: radiusProfile
> >> objectClass: sambaSamAccount
> >> objectClass: customPersonAttributes
> >> cn: Amy Engh
> >> gidNumber: 1141801056
> >> homeDirectory: /home/amyengh
> >> sn: Engh
> >> uid: amyengh
> >> uidNumber: 1141801056
> >> displayName: Amy Engh
> >> givenName: Amy
> >> loginShell: /sbin/nologin
> >> mail: amyengh at attask.com
> >> userPassword:: REDACTED
> >> dialupAccess: yes
> >> radiusTunnelMediumType: IEEE-802
> >> radiusTunnelPrivateGroupId: 1421
> >> radiusTunnelType: VLAN
> >> emailPassword:: REDACTED
> >> sambaAcctFlags: [U ]
> >> sambaLMPassword: REDACTED
> >> sambaNTPassword: REDACTED
> >> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
> >> sambaPwdLastSet: 1402698001
> >> sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146
> >>
> >> dn: cn=amyengh,ou=Groups,dc=example,dc=com
> >> objectClass: top
> >> objectClass: posixGroup
> >> cn: amyengh
> >> gidNumber: 1141801056
> >> memberUid: amyengh
> >>
> >>
> --------------------------------------------------------------------
> >>
> >> I then run the migration (with or without compat makes no difference)
> >> and get the following:
> >>
> >> ipa migrate-ds --with-compat --user-container="ou=People"
> >> --group-container="ou=Groups" --user-objectclass=posixAccount
> >> --group-objectclass=posixgroup ldap://192.168.122.210
> >> --bind-dn="cn=Manager,dc=example,dc=com"
> >> Password:
> >> -----------
> >> migrate-ds:
> >> -----------
> >> Migrated:
> >> Failed user:
> >> amyengh: Type or value exists:
> >> Failed group:
> >> amyengh: This entry already exists.
> > "type or value exists" and "This entry already exists" are just
> > explanations of the ldap return code, do you see anything in the 389 ds
> > error logs ?
>
> I doubt that he would see any errors.
>
> The entry already existing is because this isn't his first migration, it
> is unrelated.
>
> I'm not able to reproduce this. What version of IPA is it?
>
> rob
>
> --
> Manage your subscription for the Freeipa-users
> mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
>
>
>
> This is what I get in the logs when running the migration:
>
> ==> access <==
> [15/Oct/2014:18:35:46 -0400] conn=8 op=166 SRCH
> base="idnsName=_tcp,idnsname=example.com,cn=dns,dc=example,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [15/Oct/2014:18:35:46 -0400] conn=8 op=166 RESULT err=32 tag=101
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 fd=79 slot=79 connection from
> 192.168.122.200 to 192.168.122.200
> [15/Oct/2014:18:35:48 -0400] conn=4 op=960 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=960 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=961 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipa7.example.com@EXAMPLE.COM)(krbPrincipalName=ldap/ipa7.example.com@EXAMPLE.COM)))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=961 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=962 SRCH base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=962 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=963 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipa7.example.com@EXAMPLE.COM))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=963 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=964 SRCH base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=964 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=965 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipa7.example.com@EXAMPLE.COM))" attrs="objectClass
> memberPrincipal"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=965 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=966 SRCH
> base="dc=example,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@EXAMPLE.COM))" attrs="krbPrincipalName krbCanonicalName
> ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=966 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=4 op=967 SRCH base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags"
> [15/Oct/2014:18:35:48 -0400] conn=4 op=967 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=0 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Oct/2014:18:35:48 -0400] conn=606 op=0 RESULT err=14 tag=97
> nentries=0 etime=0, SASL bind in progress
> [15/Oct/2014:18:35:48 -0400] conn=606 op=1 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Oct/2014:18:35:48 -0400] conn=606 op=1 RESULT err=14 tag=97
> nentries=0 etime=0, SASL bind in progress
> [15/Oct/2014:18:35:48 -0400] conn=606 op=2 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Oct/2014:18:35:48 -0400] conn=606 op=2 RESULT err=0 tag=97
> nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=3 SRCH
> base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs=ALL
> [15/Oct/2014:18:35:48 -0400] conn=606 op=3 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=4 SRCH
> base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs="gidNumber cn"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=4 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=5 SRCH base="cn=UPG
> Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com"
> scope=0 filter="(objectClass=*)" attrs="* aci"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=5 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=6 SRCH
> base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs=ALL
> [15/Oct/2014:18:35:48 -0400] conn=606 op=6 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=7 SRCH
> base="cn=users,cn=accounts,dc=example,dc=com" scope=2
> filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=amyengh@EXAMPLE.COM))" attrs=""
> [15/Oct/2014:18:35:48 -0400] conn=606 op=7 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=8 ADD
> dn="uid=amyengh,cn=users,cn=accounts,dc=example,dc=com", add values
> for type objectClass failed
> [15/Oct/2014:18:35:48 -0400] conn=606 op=8 RESULT err=20 tag=105
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=9 SRCH
> base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" scope=0
> filter="(objectClass=*)" attrs="gidNumber cn"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=9 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=10 SRCH base="cn=UPG
> Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com"
> scope=0 filter="(objectClass=*)" attrs="* aci"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=10 RESULT err=0 tag=101
> nentries=1 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=11 ADD
> dn="cn=amyengh,cn=groups,cn=accounts,dc=example,dc=com"
> [15/Oct/2014:18:35:48 -0400] conn=606 op=11 RESULT err=68 tag=105
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=12 SRCH
> base="cn=users,cn=accounts,dc=example,dc=com" scope=2
> filter="(&(objectClass=posixAccount)(!(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com)))"
> attrs=""
> [15/Oct/2014:18:35:48 -0400] conn=606 op=12 RESULT err=0 tag=101
> nentries=0 etime=0
> [15/Oct/2014:18:35:48 -0400] conn=606 op=13 UNBIND
> [15/Oct/2014:18:35:48 -0400] conn=606 op=13 fd=79 closed - U1
>
> It kind of looks like there's some sort of failure with my gidNumber
> or cn, but both the user and group objects have these values. Any idea
> what is going on there?
Did you enable the ARGS level error logging in the errors log? If so,
what's in the errors log?