[Freeipa-users] Unable to import OpenLDAP users/groups with migrate-ds

Cal Sawyer cal-s at blue-bolt.com
Wed Nov 4 15:11:56 UTC 2015


That's terrific, Rob - thanks very much. Users and Groups import
smoothly with a little additional tweaking:

ipa -v migrate-ds --with-compat \
    --bind-dn="cn=Manager,dc=ldapdomain,dc=local" \
    --user-container="ou=People,dc=blue-bolt,dc=local" \
    --group-container="ou=Group,dc=ldapdomain,dc=local" \
    --group-objectclass="posixGroup" ldap://1.2.3.4:389

boom, all users and groups imported ... but without group membership.

The structure of Group in OpenLDAP is:

# power, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
gidNumber: 1112
objectClass: posixGroup
memberUid: usera
memberUid: userb


and IPA's schema appears, with one exception (objectClass: top), to match:

# admins, groups, compat, ipadomain.local
dn: cn=admins,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1944000000
memberUid: admin
cn: admins


A side question: can I use migrate-ds to bring in automount and sudoer
maps from OpenLDAP?

thanks again

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com

On 04/11/15 13:56, Rob Crittenden wrote:
> Cal Sawyer wrote:
>> Hi
>>
>> Very new to IPA and setting up a proof of concept system that I hope
>> will replace my existing OpenLDAP 2.3 (no SASL) setup. I'm trying to
>> import People, Group ou's into IPA using "ipa migrate-ds". The IPA and
>> existing LDAP directories have different BaseDNs (eg ipadomain.local on
>> IPA, ldapdomain.local on LDAP 2.3) as I want to ideally construct a
>> completely new directory that we will then switch our clients over to.
>>
>> ipa migrate-ds --schema=RFC2307
>> --user-container="dc=ldapdomain,dc=local" ldap://1.2.3.4:389
>>
>> whatever I try (w or w/o --schema=RFC2307), the response is the same:
>>
>>      ipa: ERROR: Insufficient access:  Invalid credentials
>>
>> or with a verbose flag:
>>
>>      ipa: INFO: Forwarding 'migrate_ds' to server
>> u'https://ipa.ipadomain.local/ipa/session/xml'
>>      ipa: ERROR: Insufficient access:  Invalid credentials
>>
>> manager naturally exists in ldapdomain.local and I've definitely
>> supplied the correct password (we use the same creds to manage LDAP
>> using phpldapadmin)
>>
>> Hoping that someone has some experience with this and can point me in
>> the right direction?
> It is binding to openldap using cn=Directory Manager. If your admin user
> that can read userPassword is named something different then pass it in
> using the --binddn option.
>
> rob
>
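The thread reports that migrate-ds brought the posixGroup entries across but not their memberUid values. A practical way to confirm what did and did not arrive is to diff an LDIF export of the source ou=Group tree against an export of the IPA compat tree. The script below is an added example, not part of this thread or of the FreeIPA project: it contains a minimal LDIF parser and an audit that reports groups missing from the target, memberUid values lost in transit, and gidNumber changes (which silently break file ownership on NFS and local disks). The LDIF text is constructed inline from the two entries quoted above plus an invented "power" group; in practice you would feed it the output of ldapsearch against each directory.

```python
"""Audit posixGroup membership after a directory migration.

Added example (not from the mailing-list thread or the FreeIPA project).
Assumes two LDIF exports: the source OpenLDAP ou=Group tree and the target
IPA compat tree. The sample LDIF below is constructed from the entries quoted
in the thread plus a hypothetical 'power' group with a changed gidNumber.
"""
import base64
from collections import defaultdict

# Constructed sample: source OpenLDAP export.
SOURCE_LDIF = """\
# systems, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
gidNumber: 1112
objectClass: posixGroup
memberUid: usera
memberUid: userb

dn: cn=power,ou=Group,dc=ldapdomain,dc=local
cn: power
gidNumber: 1113
objectClass: posixGroup
memberUid: userc
"""

# Constructed sample: IPA compat tree after migrate-ds.
# 'systems' arrived without its members; 'power' got a different gidNumber.
IPA_LDIF = """\
# admins, groups, compat, ipadomain.local
dn: cn=admins,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1944000000
memberUid: admin
cn: admins

dn: cn=systems,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1112
cn: systems

dn: cn=power,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1114
memberUid: userc
cn: power
"""


def parse_ldif(text):
    """Minimal LDIF content-record parser (no changetype records).

    Returns a list of dicts mapping lowercased attribute names to value lists.
    Handles '#' comments, blank-line separators, RFC 2849 folded lines and
    '::' base64-encoded values.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():  # blank line ends the current record
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def posix_groups(entries):
    """Map cn -> {'gid': gidNumber, 'members': set(memberUid)} for posixGroups."""
    groups = {}
    for entry in entries:
        if "posixgroup" not in {oc.lower() for oc in entry.get("objectclass", [])}:
            continue
        groups[entry["cn"][0]] = {
            "gid": entry.get("gidnumber", [None])[0],
            "members": set(entry.get("memberuid", [])),
        }
    return groups


def audit_migration(source_ldif, target_ldif):
    """Report groups, members and gids that did not survive the migration."""
    src = posix_groups(parse_ldif(source_ldif))
    dst = posix_groups(parse_ldif(target_ldif))
    report = {"missing_groups": sorted(set(src) - set(dst)),
              "lost_members": {}, "gid_mismatches": {}}
    for cn, info in src.items():
        if cn not in dst:
            continue
        lost = info["members"] - dst[cn]["members"]
        if lost:
            report["lost_members"][cn] = lost
        if info["gid"] != dst[cn]["gid"]:
            report["gid_mismatches"][cn] = (info["gid"], dst[cn]["gid"])
    return report


if __name__ == "__main__":
    result = audit_migration(SOURCE_LDIF, IPA_LDIF)
    for cn in result["missing_groups"]:
        print(f"MISSING GROUP  {cn}")
    for cn, lost in result["lost_members"].items():
        print(f"LOST MEMBERS   {cn}: {', '.join(sorted(lost))}")
    for cn, (sgid, tgid) in result["gid_mismatches"].items():
        print(f"GID MISMATCH   {cn}: source {sgid} != target {tgid}")
```

Run it against real exports by replacing the two constants with the contents of an ldapsearch dump of each tree; an empty report is the condition you want before pointing clients at the new directory, because a group that arrives without its memberUid values is a silent loss of access, and a group that arrives with a new gidNumber is a silent change of who owns existing files.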