[Freeipa-users] can migrate-ds be safely re-run if it failed...

Rob Crittenden rcritten at redhat.com
Tue Mar 15 15:57:10 UTC 2016


lejeczek wrote:
> On 15/03/16 13:42, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> with...
>>>>>
>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>> groupofnames)
>>>>>
>>>>> I see users went in but later I realized that current samba's ou was
>>>>> "group" not groups.
>>>>> Can I just re-run migrations?
>>>> Yes. It will skip over anything that already exists in IPA.
>>> thanks Rob, may I ask why the process by default looks up only objectclass:
>>> groupofuniquenames, groupofnames?
>> It is conservative but this is why it can be overridden.
>>
>>> Is there a reason it skips ldap+samba typical posixGroup &
>>> sambaGroupMapping?
>> We haven't had many (any?) reports of migrating from ldap+samba.
>>
>>> Lastly, is there a way to preserve account locked/disabled status for
>>> posix/samba?
>> I don't know how it is stored but as long as the schema is available in
>> IPA then the values should be preserved on migration unless the
>> attributes are associated with a blacklisted objectclass.
>>
>> rob
> I don't think it works, I guess it matters how ipa tools map these
> attributes, I'm particularly looking at:
> ipa user-show
> ... Account disabled: False
> sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
> how this works.
> If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
> unless "Account disabled" is for something else.

IPA/389-ds uses nsAccountLock to lock accounts.

rob
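
An added example, not part of this thread and not FreeIPA code: a post-migration check that finds legacy entries locked via a `!`-prefixed userPassword or a `D` flag in sambaAcctFlags and builds LDIF setting nsAccountLock on the matching IPA users. The base DN suffix, the sample entries and all function names are assumptions; treating `!` and `D` as "locked" follows the usual `passwd -l` and Samba conventions.

```python
import re

# Assumed IPA user container; replace the suffix with the real IPA base DN.
IPA_USER_BASE = "cn=users,cn=accounts,dc=example,dc=test"

# Constructed sample entries, shaped like attributes read from the legacy server.
LEGACY_ENTRIES = [
    {"uid": "alice", "userPassword": "{CRYPT}$6$salt$hashA", "sambaAcctFlags": "[U          ]"},
    {"uid": "bob", "userPassword": "{CRYPT}!$6$salt$hashB", "sambaAcctFlags": "[U          ]"},
    {"uid": "carol", "userPassword": "{SSHA}abc", "sambaAcctFlags": "[UD         ]"},
    {"uid": "dave", "userPassword": "{SSHA}dDd"},  # no Samba attributes at all
]

def shadow_locked(user_password):
    """True when the stored hash carries the '!' lock prefix (passwd -l style)."""
    if not user_password:
        return False
    value = re.sub(r"^\{[^}]+\}", "", user_password)  # drop the {SCHEME} tag
    return value.startswith("!")

def samba_disabled(acct_flags):
    """True when sambaAcctFlags, e.g. '[UD         ]', contains the D flag."""
    match = re.fullmatch(r"\[([A-Z ]*)\]", (acct_flags or "").strip())
    return bool(match) and "D" in match.group(1)

def locked_uids(entries):
    """Return the uids that were locked or disabled on the legacy side."""
    return [e["uid"] for e in entries
            if shadow_locked(e.get("userPassword"))
            or samba_disabled(e.get("sambaAcctFlags"))]

def lock_ldif(uids, base=IPA_USER_BASE):
    """Build LDIF modify records that set nsAccountLock on migrated IPA users."""
    records = []
    for uid in uids:
        # Refuse uids that would need DN escaping instead of building a bad DN.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
            raise ValueError(f"uid needs DN escaping: {uid!r}")
        records.append("\n".join([
            f"dn: uid={uid},{base}",
            "changetype: modify",
            "replace: nsAccountLock",
            "nsAccountLock: TRUE",
        ]))
    return "\n\n".join(records) + ("\n" if records else "")

if __name__ == "__main__":
    print(lock_ldif(locked_uids(LEGACY_ENTRIES)), end="")
```

The generated LDIF is meant to be reviewed and then applied with `ldapmodify` against the IPA server.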



