[Freeipa-users] can migrate-ds be safely re-run if it failed...

lejeczek peljasz at yahoo.co.uk
Tue Mar 15 16:50:04 UTC 2016


On 15/03/16 15:57, Rob Crittenden wrote:
> lejeczek wrote:
>> On 15/03/16 13:42, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> with...
>>>>>>
>>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>> groupofnames)
>>>>>>
>>>>>> I see users went in but later I realized that current samba's ou was
>>>>>> "group" not groups.
>>>>>> Can I just re-run migrations?
>>>>> Yes. It will skip over anything that already exists in IPA.
>>>> Thanks Rob, may I ask why the process by default looks up only objectclass:
>>>> groupofuniquenames, groupofnames?
>>> It is conservative but this is why it can be overridden.
>>>
>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>> sambaGroupMapping?
>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>
>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>> posix/samba?
>>> I don't know how it is stored but as long as the schema is available in
>>> IPA then the values should be preserved on migration unless the
>>> attributes are associated with a blacklisted objectclass.
>>>
>>> rob
>> I don't think it works, I guess it matters how ipa tools map these
>> attributes, I'm particularly looking at:
>> ipa user-show
>> ... Account disabled: False
>> sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
>> how this works.
>> If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
>> unless "Account disabled" is for something else.
>
> IPA/389-ds uses nsAccountLock to lock accounts.
And in my case it could not work, for I had (anybody sane would too) a hashed
pass in the ldap userdb, am I right?
If one has hundreds of users, s/he thinks: oh, it'd be great to keep that
account enabled/disabled status - would there be a way around it?
>
> rob
>
>
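
Added example, not part of the original thread and not FreeIPA's own code: one way to carry the old locked/disabled state across is to read it from an LDIF export of the old directory and emit `ipa user-disable` for each affected uid once migrate-ds has finished. It assumes locked POSIX accounts carry a `!` in front of the hash in userPassword and disabled Samba accounts carry `D` in sambaAcctFlags; the sample LDIF, its DNs and the function names are constructed for illustration.

```python
import base64
import re
import shlex

# Constructed sample export of the old LDAP+Samba directory (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=test
uid: alice
userPassword: {CRYPT}$6$salt$hashhash
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=example,dc=test
uid: bob
userPassword:: e0NSWVBUfSEkNiRzYWx0JGhhc2hoYXNo
sambaAcctFlags: [U          ]

dn: uid=carol,ou=people,dc=example,dc=test
uid: carol
userPassword: {SSHA}c2FtcGxlc2FtcGxl
sambaAcctFlags: [UD         ]
"""

def parse_ldif(text):
    """Yield one dict per entry. 'attr:: value' is base64; folded lines are not handled."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"([^:]+)(::?) ?(.*)", line)
            if not m:
                continue
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value)
        yield entry

def was_disabled(entry):
    """Assumed conventions: 'D' in sambaAcctFlags, or '!' in front of the hash."""
    flags = "".join(entry.get("sambaacctflags", [])).strip("[] ")
    shadow_locked = any(re.sub(r"^\{[^}]+\}", "", pw).startswith("!")
                        for pw in entry.get("userpassword", []))
    return "D" in flags or shadow_locked

def disable_commands(ldif_text):
    """Commands to run on the IPA server after migrate-ds, one per locked uid."""
    return [f"ipa user-disable {shlex.quote(e['uid'][0])}"
            for e in parse_ldif(ldif_text) if "uid" in e and was_disabled(e)]

if __name__ == "__main__":
    print("\n".join(disable_commands(SAMPLE_LDIF)))
```

Review the generated list against the old directory before running it, since a `!` prefix or a `D` flag may have been set for reasons other than a deliberate lock.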



