[Freeipa-users] migration user passwords from openldap to freeipa

siology.io siology.io at gmail.com
Wed Apr 27 01:43:01 UTC 2016


I'm having issues migrating from an openldap directory (which has gosa
schema) to freeipa.

To migrate I'm doing (and yes, I know):

ipa migrate-ds ldap://old.server.com:389 \
    --bind-dn "cn=my_user,ou=people,dc=domain,dc=com" \
    --group-objectclass=posixGroup \
    --user-objectclass=inetOrgPerson \
    --group-overwrite-gid \
    --user-ignore-objectclass=gosaAccount \
    --user-ignore-objectclass=gosaMailAccount \
    --user-ignore-attribute=gosaMailDeliveryMode \
    --user-ignore-attribute=gosaMailServer \
    --user-ignore-attribute=gosaSpamSortLevel \
    --user-ignore-attribute=gosaSpamMailbox \
    --user-ignore-objectclass=sshaccount \
    --user-ignore-objectclass=gosaacl \
    --user-ignore-attribute=sshpublickey \
    --user-ignore-attribute=sambaLMPassword \
    --user-ignore-attribute=sambaBadPasswordTime \
    --user-ignore-attribute=gosaaclentry \
    --user-ignore-attribute=sambaBadPasswordCount \
    --user-ignore-attribute=sambaNTPassword \
    --user-ignore-attribute=sambaPwdLastSet

Which seems to work to import all those users which have posix settings
set; however, I have two problems:

- Am I right in thinking there's no way to auto-assign a gid/uid/home dir
for the non-posix users at migration time? That's not a deal breaker per
se, but I'd need to spin up a new copy of the old ldap and then add those
attributes to every user, then migrate to ipa from that source, which is a
real pain.

- The migration seems to be successful for the users that do have posix
attributes, and ends with:

Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

...but I'm unable to log in to that page as any of my migrated users, or
bind as them with ldapsearch. It seems like the passwords were not
migrated?

Because 90% of my ~350 users are only going to be using freeipa insomuch as
using services which are making use of the ipa server's ldap, I was hoping
that I wouldn't need to make kerberos tickets for those users, and hence
avoid needing every user to log in to the migration page. At the moment,
however, I'm not able to get any migrated users at all to bind to
ldap or log in to that page.

Any tips or gotchas I should know? I've no idea how to begin debugging
this.
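One way to begin debugging a "pre-hashed password migrated but bind fails" situation is to look at what the source directory actually stores in `userPassword` before blaming the migration step. The script below is an added example written for this post, not code from the poster or from the FreeIPA project: it classifies `userPassword` values by their `{SCHEME}` prefix, reports entries that have no `userPassword` at all (for instance accounts that only carried Samba NT hashes, which the command above deliberately ignores), and verifies a candidate password against an `{SSHA}` hash offline so you can confirm a hash is intact without binding. The sample entries are constructed, and the set of hash schemes treated as "known" is an assumption to be checked against the target 389-ds version's supported password storage schemes.

```python
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional

# Assumption: schemes that a 389-ds based directory can verify when the value
# is copied in as-is. Verify this list against your target server's
# password storage scheme support before relying on it.
KNOWN_SCHEMES = {
    "SSHA", "SSHA256", "SSHA384", "SSHA512",
    "SHA", "SHA256", "SHA384", "SHA512",
    "SMD5", "MD5", "CRYPT", "PBKDF2_SHA256",
}

_PREFIX = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
SHA1_LEN = 20  # bytes in a SHA-1 digest; the SSHA salt follows it


def scheme_of(userpassword: str) -> Optional[str]:
    """Return the upper-cased storage scheme prefix, or None if unprefixed."""
    m = _PREFIX.match(userpassword)
    return m.group(1).upper() if m else None


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(userpassword: str, candidate: str) -> bool:
    """Check a candidate password against an {SSHA} value without an LDAP bind."""
    if scheme_of(userpassword) != "SSHA":
        return False
    raw = base64.b64decode(userpassword[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return recomputed == digest


def triage(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Map uid -> short status describing what migrate-ds would have to copy."""
    report: Dict[str, str] = {}
    for entry in entries:
        pw = entry.get("userPassword")
        if pw is None:
            # Nothing to copy: the user may only have sambaNTPassword, which
            # the migration command above ignores, or no credential at all.
            report[entry["uid"]] = "missing"
            continue
        scheme = scheme_of(pw)
        if scheme is None:
            # Unprefixed value: clear text or an encoding the server won't recognise.
            report[entry["uid"]] = "unprefixed"
        elif scheme in KNOWN_SCHEMES:
            report[entry["uid"]] = "ok:" + scheme
        else:
            report[entry["uid"]] = "unknown:" + scheme
    return report


# Constructed sample entries standing in for ldapsearch output; not real data.
SAMPLE_ENTRIES = [
    {"uid": "alice", "userPassword": hash_ssha("correct horse", b"\x01\x02\x03\x04")},
    {"uid": "bob", "sambaNTPassword": "0000000000000000000000000000dead"},
    {"uid": "carol", "userPassword": "plaintext-secret"},
    {"uid": "dave", "userPassword": "{GOSA-CUSTOM}abc"},
]

if __name__ == "__main__":
    for uid, status in sorted(triage(SAMPLE_ENTRIES).items()):
        print(f"{uid:8} {status}")
    print("alice ssha ok:", verify_ssha(SAMPLE_ENTRIES[0]["userPassword"], "correct horse"))
```

To use it against a real directory, replace `SAMPLE_ENTRIES` with the `uid` and `userPassword` attributes returned by an `ldapsearch` run as a DN that is allowed to read `userPassword`; a result of "missing" or "unprefixed" for most users explains a failed bind on the IPA side better than anything in `ipa migrate-ds` itself.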