[Freeipa-users] can migrate-ds be safely re-run if it failed...

Rob Crittenden rcritten at redhat.com
Tue Mar 15 17:21:59 UTC 2016


lejeczek wrote:
> On 15/03/16 15:57, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 15/03/16 13:42, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>>> lejeczek wrote:
>>>>>>> with...
>>>>>>>
>>>>>>> ipa: ERROR: group LDAP search did not return any result (search
>>>>>>> base:
>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>>> groupofnames)
>>>>>>>
>>>>>>> I see users went in but later I realized that current samba's ou was
>>>>>>> "group" not groups.
>>>>>>> Can I just re-run migrations?
>>>>>> Yes. It will skip over anything that already exists in IPA.
>>>>> thanks Rob, may I ask why the process by default looks up only
>>>>> objectclass:
>>>>> groupofuniquenames, groupofnames?
>>>> It is conservative but this is why it can be overridden.
>>>>
>>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>>> sambaGroupMapping?
>>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>>
>>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>>> posix/samba?
>>>> I don't know how it is stored but as long as the schema is available in
>>>> IPA then the values should be preserved on migration unless the
>>>> attributes are associated with a blacklisted objectclass.
>>>>
>>>> rob
>>> I don't think it works, I guess it matters how ipa tools map these
>>> attributes, I'm particularly looking at:
>>> ipa user-show
>>> ... Account disabled: False
>>> sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
>>> how this works.
>>> If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
>>> unless "Account disabled" is for something else.
>>
>> IPA/389-ds uses nsAccountLock to lock accounts.
> and in my case it could not work for I had (anybody sane would too)
> hashed pass in ldap userdb, am I right?

What won't work? Migrated user passwords will work just fine.

> If one has hundreds of users s/he thinks, oh! it'd be great to keep that
> account enabled/disabled status - would there be a way around it?

IPA isn't designed to be an LDAP backend for Samba so there isn't a lot 
of direct integration with the schema. You could write a plugin to keep 
the two attributes in sync.

For those already migrated it should be pretty easy to write an LDAP 
search to find them and then for each user call ipa user-disable <user>

rob
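An added example of the approach Rob describes above (not code from the thread or from the FreeIPA project): it parses `ldapsearch -LLL` LDIF output from the old posix/Samba tree, treats an entry as locked when its sambaAcctFlags carry Samba's `D` (disabled) flag or its userPassword hash begins with the shadow-style `!` lock marker, and emits the matching `ipa user-disable` commands for review. The sample LDIF, base DN and hashes are constructed placeholders.

```python
import base64
import re
import shlex

# Constructed sample of `ldapsearch -LLL` output from the old posix/Samba tree
# (base DN and hashes are placeholders, not real values).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=test
uid: alice
sambaAcctFlags: [U          ]
userPassword: {CRYPT}$6$salt$notarealhash

dn: uid=bob,ou=People,dc=example,dc=test
uid: bob
sambaAcctFlags: [UD         ]
userPassword: {CRYPT}$6$salt$notarealhash

dn: uid=carol,ou=People,dc=example,dc=test
uid: carol
userPassword: {CRYPT}!$6$salt$notarealhash
"""

def parse_ldif(ldif):
    """Yield {attr: [values]} per entry; unfold continuations, decode '::' base64, skip comments."""
    unfolded = re.sub(r"\n ", "", ldif)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, raw = line.partition(":")
            if raw.startswith(":"):  # base64-encoded value
                raw = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(raw.strip())
        if entry:
            yield entry

def is_disabled(entry):
    """Samba flag 'D' means disabled; a hash beginning with '!' (after any
    {SCHEME} prefix) is the shadow-style lock that is not mapped to nsAccountLock."""
    if any("D" in f.strip("[] ") for f in entry.get("sambaacctflags", [])):
        return True
    return any(re.sub(r"^\{[^}]+\}", "", pw).startswith("!")
               for pw in entry.get("userpassword", []))

def disable_commands(ldif):
    """Return the `ipa user-disable` commands to re-apply each lock in IPA."""
    return ["ipa user-disable " + shlex.quote(e["uid"][0])
            for e in parse_ldif(ldif) if e.get("uid") and is_disabled(e)]
```

Run the emitted commands with an admin Kerberos ticket only after checking the list; an entry with neither attribute present is treated as enabled.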
