[Freeipa-users] Unable to import OpenLDAP users/groups with migrate-ds

Martin Kosek mkosek at redhat.com
Wed Nov 4 15:22:48 UTC 2015


On 11/04/2015 04:11 PM, Cal Sawyer wrote:
> That's terrific, Rob - thanks very much.  Users and Groups import smoothly with
> a little additional tweaking
> 
> ipa -v migrate-ds --with-compat --bind-dn="cn=Manager,dc=ldapdomain,dc=local"
> --user-container="ou=People,dc=blue-bolt,dc=local"
> --group-container="ou=Group,dc=ldapdomain,dc=local"
> --group-objectclass="posixGroup" ldap://1.2.3.4:389
> 
> boom, all users and groups imported ... but without group membership.
> 
> The structure of Group in OpenLDAP is:
> 
> # power, Group, ldapdomain.local
> dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
> cn: systems
> gidNumber: 1112
> objectClass: posixGroup
> memberUid: usera
> memberUid: userb
> 
> 
> and IPA's schema appears, with one exception (objectClass: top), to match:
> 
> # admins, groups, compat, ipadomain.local
> dn: cn=admins,cn=groups,cn=compat,dc=ipadomain,dc=local
> objectClass: posixGroup
> objectClass: top
> gidNumber: 1944000000
> memberUid: admin
> cn: admins

You should be able to use option --schema=RFC2307. More on "ipa help migrate-ds".

> A side question:  can i use migrate-ds to bring in automount and sudoer maps
> from OpenLDAP?

There is command "automountlocation-import" if you can export OpenLDAP maps to
files. Otherwise you would need to export the data from OpenLDAP, massage it a
little and then either import it into FreeIPA directly if you are confident that you
have the format right or process it with some script and upload with ipa
commands, if you want to be sure the target format is right.

> 
> thanks again
> 
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
> 
> On 04/11/15 13:56, Rob Crittenden wrote:
>> Cal Sawyer wrote:
>>> Hi
>>>
>>> Very new to IPA and setting up a proof of concept system that i hope
>>> will replace my existing OpenLDAP 2.3 (no SASL) setup.  I'm trying to
>>> import People, Group ou's into IPA using "ipa migrate-ds".  The IPA and
>>> existing LDAP directories have different BaseDNs (eg ipadomain.local on
>>> IPA, ldapdomain.local on LDAP 2.3) as i want to ideally construct a
>>> completely new directory that we will then switch our clients over to.
>>>
>>> ipa migrate-ds --schema=RFC2307
>>> --user-container="dc=ldapdomain,dc=local" ldap://1.2.3.4:389
>>>
>>> whatever i try (w or w/o --schema=RFC2307) , the response is the same:
>>>
>>>      ipa: ERROR: Insufficient access:  Invalid credentials
>>>
>>> or with a verbose flag:
>>>
>>>      ipa: INFO: Forwarding 'migrate_ds' to server
>>> u'https://ipa.ipadomain.local/ipa/session/xml'
>>>      ipa: ERROR: Insufficient access:  Invalid credentials
>>>
>>> manager naturally exists in ldapdomain.local and i've definitely
>>> supplied the correct password (we use the same creds to manage LDAP
>>> using phpldapadmin)
>>>
>>> Hoping that someone has some experience with this and can point me in
>>> the right direction?
>> It is binding to openldap using cn=Directory Manager. If your admin user
>> that can read userPassword is named something different then pass it in
>> using the --binddn option.
>>
>> rob
>>
> 
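An added example, not from this thread or from FreeIPA itself: if the posixGroup entries arrive without their members, the memberUid lists in a plain LDIF export of ou=Group can be turned into `ipa group-add-member` calls, the "process it with some script and upload with ipa commands" route described above. It assumes the export is standard LDIF (folded continuation lines, `#` comments, base64 `attr::` values not handled) and that user uids were migrated unchanged; SAMPLE_LDIF is constructed in the shape of the export quoted in the thread.

```python
import shlex

# Constructed sample in the shape of the OpenLDAP export quoted above (one folded value).
SAMPLE_LDIF = """\
# power, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
objectClass: posixGroup
memberUid: usera
memberUid: us
 erb

dn: cn=empty,ou=Group,dc=ldapdomain,dc=local
cn: empty
objectClass: posixGroup
"""

def ldif_entries(ldif_text):
    """Yield entries as (attr, value) lists; folds leading-space continuation lines, skips '#' comments."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding: leading space continues previous line
        else:
            lines.append(raw)
    entry = []
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = []
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.append((name.strip().lower(), value.strip()))

def parse_posix_groups(ldif_text):
    """Map each posixGroup cn to its memberUid values, in export order."""
    groups = {}
    for entry in ldif_entries(ldif_text):
        if "posixgroup" in {v.lower() for a, v in entry if a == "objectclass"}:
            cn = next(v for a, v in entry if a == "cn")
            groups[cn] = [v for a, v in entry if a == "memberuid"]
    return groups

def ipa_commands(groups):
    """One 'ipa group-add-member' per group that has members; empty groups need nothing."""
    return ["ipa group-add-member %s --users=%s" % (shlex.quote(cn), shlex.quote(",".join(m)))
            for cn, m in groups.items() if m]
if __name__ == "__main__":
    print("\n".join(ipa_commands(parse_posix_groups(SAMPLE_LDIF))))
```

Run it against `ldapsearch -LLL -b ou=Group,dc=ldapdomain,dc=local objectClass=posixGroup` output after migrate-ds, then review the generated commands before executing them with a kinit'd admin ticket.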