[Freeipa-users] Unable to import OpenLDAP users/groups with migrate-ds
Cal Sawyer
cal-s at blue-bolt.com
Wed Nov 4 15:11:56 UTC 2015
That's terrific, Rob - thanks very much. Users and Groups import
smoothly with a little additional tweaking:
ipa -v migrate-ds --with-compat \
    --bind-dn="cn=Manager,dc=ldapdomain,dc=local" \
    --user-container="ou=People,dc=blue-bolt,dc=local" \
    --group-container="ou=Group,dc=ldapdomain,dc=local" \
    --group-objectclass="posixGroup" ldap://1.2.3.4:389
boom, all users and groups imported ... but without group membership.
The structure of Group in OpenLDAP is:
# power, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
gidNumber: 1112
objectClass: posixGroup
memberUid: usera
memberUid: userb
and IPA's schema appears, with one exception (objectClass: top), to match:
# admins, groups, compat, ipadomain.local
dn: cn=admins,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1944000000
memberUid: admin
cn: admins
A side question: can I use migrate-ds to bring in automount and sudoer
maps from OpenLDAP?
thanks again
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com
On 04/11/15 13:56, Rob Crittenden wrote:
> Cal Sawyer wrote:
>> Hi
>>
>> Very new to IPA and setting up a proof of concept system that I hope
>> will replace my existing OpenLDAP 2.3 (no SASL) setup. I'm trying to
>> import People, Group ou's into IPA using "ipa migrate-ds". The IPA and
>> existing LDAP directories have different BaseDNs (eg ipadomain.local on
>> IPA, ldapdomain.local on LDAP 2.3) as I want to ideally construct a
>> completely new directory that we will then switch our clients over to.
>>
>> ipa migrate-ds --schema=RFC2307
>> --user-container="dc=ldapdomain,dc=local" ldap://1.2.3.4:389
>>
>> Whatever I try (with or without --schema=RFC2307), the response is the same:
>>
>> ipa: ERROR: Insufficient access: Invalid credentials
>>
>> or with a verbose flag:
>>
>> ipa: INFO: Forwarding 'migrate_ds' to server
>> u'https://ipa.ipadomain.local/ipa/session/xml'
>> ipa: ERROR: Insufficient access: Invalid credentials
>>
>> Manager naturally exists in ldapdomain.local and I've definitely
>> supplied the correct password (we use the same creds to manage LDAP
>> using phpldapadmin).
>>
>> Hoping that someone has some experience with this and can point me in
>> the right direction?
> It is binding to openldap using cn=Directory Manager. If your admin user
> that can read userPassword is named something different then pass it in
> using the --binddn option.
>
> rob
>
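Added example, not part of the thread: a small Python check a practitioner could run after migrate-ds to compare posixGroup memberUid values between an LDIF export of the OpenLDAP Group ou and one of IPA's compat tree, reporting any memberships that did not survive migration (the situation described above). The LDIF samples inside are constructed to mirror the entries quoted in the post; the parser handles only the one-line attribute form shown there, not base64 or folded lines.

```python
# Added example, not from the post; the LDIF samples below are constructed.
from collections import defaultdict

def parse_ldif(text):
    """Minimal LDIF -> {dn: {attr: [values]}}; no base64/folded lines."""
    entries, attrs, dn = {}, defaultdict(list), None
    for line in map(str.rstrip, text.splitlines() + [""]):
        if line.startswith("#"):          # ldapsearch comment line
            continue
        if not line:                      # blank line ends a record
            if dn is not None:
                entries[dn] = dict(attrs)
            attrs, dn = defaultdict(list), None
            continue
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = value.strip()
        else:
            attrs[key].append(value.strip())
    return entries

def posix_groups(entries):
    """Map lower-cased cn -> set(memberUid) for posixGroup entries."""
    groups = {}
    for attrs in entries.values():
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "posixgroup" in classes and attrs.get("cn"):
            groups[attrs["cn"][0].lower()] = set(attrs.get("memberUid", []))
    return groups

def missing_members(source_ldif, target_ldif):
    """{cn: sorted memberUids} present at the source but absent from target."""
    src = posix_groups(parse_ldif(source_ldif))
    dst = posix_groups(parse_ldif(target_ldif))
    lost = {cn: sorted(m - dst.get(cn, set())) for cn, m in src.items()}
    return {cn: uids for cn, uids in lost.items() if uids}
SOURCE_LDIF = """# power, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
objectClass: posixGroup
memberUid: usera
memberUid: userb
"""
TARGET_LDIF = """dn: cn=systems,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
cn: systems
"""
if __name__ == "__main__":
    print(missing_members(SOURCE_LDIF, TARGET_LDIF))  # {'systems': ['usera', 'userb']}
```

Feed it real dumps with `ldapsearch -LLL` output from both directories; an empty result means every source membership is present on the IPA side.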