[Freeipa-users] can migrate-ds be safely re-run if it failed...

Janelle janellenicole80 at gmail.com
Tue Mar 15 17:33:34 UTC 2016


The groups don't go on the 2nd pass because they already went on the 
first pass. I meant to reply to this the other day as I have had a lot 
of experience with re-running migration. Group membership for an already 
existing group does NOT come over on the 2nd pass. I have found it is 
better to start fresh if you want a clean migration. Or, better yet, 
gather the group memberships via LDAP and migrate them by hand with a 
friendly script. I threw one together to do that pretty easily.

~J

On 3/15/16 10:22 AM, Rob Crittenden wrote:
> lejeczek wrote:
>> On 15/03/16 14:14, lejeczek wrote:
>>> On 15/03/16 13:42, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>>> lejeczek wrote:
>>>>>>> with...
>>>>>>>
>>>>>>> ipa: ERROR: group LDAP search did not return any result (search 
>>>>>>> base:
>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
>>>>>>> groupofuniquenames,
>>>>>>> groupofnames)
>>>>>>>
>>>>>>> I see users went in but later I realized that current samba's ou 
>>>>>>> was
>>>>>>> "group" not groups.
>>>>>>> Can I just re-run migrations?
>>>>>> Yes. It will skip over anything that already exists in IPA.
>>>>> thanks Rob, may I ask why process by defaults looks up only
>>>>> objectclass:
>>>>> groupofuniquenames, groupofnames?
>>>> It is conservative but this is why it can be overridden.
>>>>
>>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>>> sambaGroupMapping?
>>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>>
>>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>>> posix/samba?
>>>> I don't know how it is stored but as long as the schema is available in
>>>> IPA then the values should be preserved on migration unless the
>>>> attributes are associated with a blacklisted objectclass.
>>>>
>>>> rob
>>>>
>>> last - this must most FAQ people wonder - can IPA's 389 backend be
>>> used in the same/similar fashion samba uses ldap? skipping all the
>>> kerberos bits? (samba & IPA on the same one box)
>>> this might be more 389-ds related - in old days I remember DS had
>>> mozldap dedicated toolset, how is it these days? How do users deal
>>> with 389-ds IPA-related bits?
>>>
>>> many thanks
>>>
>>>
>>>
>> now when I've groups migrated I see mappings user-group are lost. Would
>> it be because my groups did not go in first time together with users?
>
> Need more info. What do you mean by mappings are lost?
>
> rob
>
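
An added example, not part of the original thread and not the script mentioned in the message above: one way to rebuild group memberships by hand after a re-run. It assumes the old directory's group entries were exported as LDIF and that the users already exist in IPA under the same logins; the sample data is constructed. It reads `member`, `uniqueMember` and `memberUid` values and emits shell-quoted `ipa group-add-member` commands for review before anything is run.

```python
import re
import shlex

# Constructed sample export from the old directory; all names are made up.
SAMPLE_LDIF = """\
dn: cn=staff,ou=group,dc=example,dc=test
cn: staff
memberUid: alice
memberUid: bob

dn: cn=admins,ou=group,dc=example,dc=test
cn: admins
member: uid=alice,ou=people,dc=example,dc=test
uniqueMember: uid=carol,ou=people,dc=exam
 ple,dc=test
member: cn=printers,ou=group,dc=example,dc=test
"""

def group_members(ldif):
    """Return {group cn: sorted logins} from member, uniqueMember and memberUid."""
    text = re.sub(r"\r?\n ", "", ldif)            # unfold LDIF continuation lines
    groups = {}
    for entry in re.split(r"\n\s*\n", text):       # entries are blank-line separated
        cn, members = None, set()
        for line in entry.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or value.startswith(":"):   # skip malformed and base64 (::) values
                continue
            attr, value = attr.strip().lower(), value.strip()
            if attr == "cn":
                cn = value
            elif attr == "memberuid":              # posixGroup: bare login
                members.add(value)
            elif attr in ("member", "uniquemember"):
                key, _, login = value.split(",", 1)[0].partition("=")
                if key.strip().lower() == "uid":   # nested groups etc. are not users
                    members.add(login.strip())
        if cn:
            groups.setdefault(cn, set()).update(members)
    return {g: sorted(m) for g, m in groups.items()}

def ipa_commands(groups):
    """One shell-quoted `ipa group-add-member` command per membership."""
    return [f"ipa group-add-member {shlex.quote(g)} --users={shlex.quote(u)}"
            for g, members in sorted(groups.items()) for u in members]

if __name__ == "__main__":
    print("\n".join(ipa_commands(group_members(SAMPLE_LDIF))))
```

DN-valued members whose first RDN is not `uid=` (the nested `printers` group in the sample) are skipped and need to be handled separately.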



