[Freeipa-users] can migrate-ds be safely re-run if it failed...

Rob Crittenden rcritten at redhat.com
Tue Mar 15 18:57:56 UTC 2016


Janelle wrote:
> The groups don't go on the 2nd pass because they already went on the
> first meant. I meant to reply to this the other day as I have had a lot
> of experience with re-running migration. Group membership for an already
> existing group does NOT come over on the 2nd pass. I have found it is
> better to start fresh if you want a clean migration. Or, better yet,
> gather the group memberships via LDAP and migrate them by hand with a
> friendly script. I threw one together to do that pretty easily.

Right, if a group already exists it is assumed to have either been
migrated successfully or was a pre-existing group; in either case no
further action is taken.

rob

>
> ~J
>
> On 3/15/16 10:22 AM, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 15/03/16 14:14, lejeczek wrote:
>>>> On 15/03/16 13:42, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>>>> lejeczek wrote:
>>>>>>>> with...
>>>>>>>>
>>>>>>>> ipa: ERROR: group LDAP search did not return any result (search
>>>>>>>> base:
>>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass:
>>>>>>>> groupofuniquenames,
>>>>>>>> groupofnames)
>>>>>>>>
>>>>>>>> I see users went in but later I realized that current samba's ou
>>>>>>>> was
>>>>>>>> "group" not groups.
>>>>>>>> Can I just re-run migrations?
>>>>>>> Yes. It will skip over anything that already exists in IPA.
>>>>>> thanks Rob, may I ask why process by defaults looks up only
>>>>>> objectclass:
>>>>>> groupofuniquenames, groupofnames?
>>>>> It is conservative but this is why it can be overridden.
>>>>>
>>>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>>>> sambaGroupMapping?
>>>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>>>
>>>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>>>> posix/samba?
>>>>> I don't know how it is stored but as long as the schema is available in
>>>>> IPA then the values should be preserved on migration unless the
>>>>> attributes are associated with a blacklisted objectclass.
>>>>>
>>>>> rob
>>>>>
>>>> last - this must most FAQ people wonder - can IPA's 389 backend be
>>>> used in the same/similar fashion samba uses ldap? skipping all the
>>>> kerberos bits? (samba & IPA on the same one box)
>>>> this might be more 389-ds related - in old days I remember DS had
>>>> mozldap dedicated toolset, how is it these days? How do users deal
>>>> with 389-ds IPA-related bits?
>>>>
>>>> many thanks
>>>>
>>>>
>>>>
>>> now when I've groups migrated I see mappings user-group are lost. Would
>>> it be because my groups did not go in first time together with users?
>>
>> Need more info. What do you mean by mappings are lost?
>>
>> rob
>>
>
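
The by-hand approach mentioned in the thread (gather group memberships over LDAP, then re-apply them), sketched as an added example that is not code from the thread or from the FreeIPA project. It assumes the old directory's groups were exported as plain LDIF (for instance with ldapsearch), that group `cn` and user `uid` values are unchanged in IPA, and it uses constructed sample entries; nested group members are skipped.

```python
import shlex

# Constructed sample LDIF for the old directory's group container
# (ou=group as in the thread; the entries themselves are made up).
SAMPLE_LDIF = """\
dn: cn=staff,ou=group,dc=ccnr,dc=biotechnology
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
memberUid: alice
memberUid: bob

dn: cn=lab,ou=group,dc=ccnr,dc=biotechnology
objectClass: groupOfNames
cn: lab
member: uid=carol,ou=people,dc=ccnr,
 dc=biotechnology
member: cn=staff,ou=group,dc=ccnr,dc=biotechnology
"""

DN_MEMBER_ATTRS = {"member", "uniquemember"}


def parse_groups(ldif):
    """Return {group cn: sorted user logins} from plain-text LDIF."""
    unfolded = ldif.replace("\n ", "")  # LDIF folds long lines with a leading space
    groups = {}
    for block in unfolded.split("\n\n"):
        cn, users = None, set()
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            attr = attr.lower()
            if not sep or attr.endswith(":"):  # no value, or base64 ("attr::"): skip
                continue
            if attr == "cn" and cn is None:
                cn = value
            elif attr == "memberuid":  # posixGroup stores bare logins
                users.add(value)
            elif attr in DN_MEMBER_ATTRS:  # groupOfNames / groupOfUniqueNames store DNs
                rdn_attr, _, rdn_val = value.split(",", 1)[0].partition("=")
                if rdn_attr.strip().lower() == "uid":  # keep users, skip nested groups
                    users.add(rdn_val)
        if cn and users:
            groups[cn] = sorted(users)
    return groups


def ipa_commands(groups):
    """Build one `ipa group-add-member` command line per group."""
    return [shlex.join(["ipa", "group-add-member", cn] + [f"--users={u}" for u in users])
            for cn, users in groups.items()]


if __name__ == "__main__":
    print("\n".join(ipa_commands(parse_groups(SAMPLE_LDIF))))
```

Review the printed commands before running them with an admin Kerberos ticket.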



