[Freeipa-users] Migration fails with custom objectClasses

Ludwig Krispenz lkrispen at redhat.com
Fri Oct 17 12:14:49 UTC 2014 

Hi,

maybe there is a case problem, if I try the following command, note some 
capital letters:

# ipa config-mod --userobjectclasses=ipaObject 
--userobjectclasses=ine*tO*rgperson --userobjectclasses=person 
--userobjectclasses=posixaccount --userobjectclasses=inetuser 
--userobjectclasses=organizational*P*erson 
--userobjectclasses=krbticketpolicyaux --userobjectclasses=krbprincipalaux
ipa: ERROR: Type or value exists:
it fails, doing the same with all lowercase succeeds:

# ipa config-mod --userobjectclasses=ipaobject 
--userobjectclasses=inetorgperson --userobjectclasses=person 
--userobjectclasses=posixaccount --userobjectclasses=inetuser 
--userobjectclasses=organizationalperson 
--userobjectclasses=krbticketpolicyaux --userobjectclasses=krbprincipalaux
   .....
   Default user objectclasses: ipaobject, person, inetorgperson, 
organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser, 
posixaccount

You posted your default oc earlier to be:
Default user objectclasses: top, person, organizationalperson, 
inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux,
                               ipaobject, ipasshuser, radiusProfile, 
customPersonAttributes, sambaSamAccount

and in the migration code we have code like:
entry_attrs['objectclass'] = list(
                     set(
                         config.get(
                             ldap_obj.object_class_config, 
ldap_obj.object_class
                         ) + [o.lower() for o in entry_attrs['objectclass']]
                     )
                 )

so i assume it will try to add an entry with
objectclass: customPersonAttributes
objectclass: custompersonattributes

I don't know how to get ipa to log this, but you could do:

tcpdump 'tcp port 389' -i any -w migrat.pcap

and then run migrate-ds to verify


On 10/16/2014 09:47 PM, Clint Savage wrote:
>
>
> On Thu, Oct 16, 2014 at 12:59 PM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 10/16/2014 11:42 AM, Clint Savage wrote:
>>     The access log had that information. And this error log:
>>     https://www.dropbox.com/s/ak6za0dkr0cn7ay/errors.20141010-132318
>>
>
>     There unfortunately doesn't seem to be a debug log level that will
>     tell the server to dump the add request with all arguments.
>
>     The best bet would be to get the ipa migrate tool to dump it's
>     commands to LDIF format, then we can look at it and figure out
>     what it is doing wrong.  I don't know if that's possible.
>
>
> Does anyone know how to accomplish what Rich suggests above?
>
> Thanks,
>
> Clint
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141017/380df2d5/attachment.htm>

More information about the Freeipa-users mailing list