[Freeipa-users] can migrate-ds be safely re-run if it failed...

lejeczek peljasz at yahoo.co.uk
Mon Mar 21 16:30:16 UTC 2016


On 15/03/16 17:21, Rob Crittenden wrote:
> lejeczek wrote:
>> On 15/03/16 15:57, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> On 15/03/16 13:42, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>>>> lejeczek wrote:
>>>>>>>> with...
>>>>>>>>
>>>>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>>>> groupofnames)
>>>>>>>>
>>>>>>>> I see users went in but later I realized that current samba's ou was
>>>>>>>> "group" not groups.
>>>>>>>> Can I just re-run migrations?
>>>>>>> Yes. It will skip over anything that already exists in IPA.
>>>>>> thanks Rob, may I ask why the process by default looks up only
>>>>>> objectclass: groupofuniquenames, groupofnames?
>>>>> It is conservative but this is why it can be overridden.
>>>>>
>>>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>>>> sambaGroupMapping?
>>>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>>>
>>>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>>>> posix/samba?
>>>>> I don't know how it is stored but as long as the schema is available in
>>>>> IPA then the values should be preserved on migration unless the
>>>>> attributes are associated with a blacklisted objectclass.
>>>>>
>>>>> rob
>>>> I don't think it works, I guess it matters how ipa tools map these
>>>> attributes, I'm particularly looking at:
>>>> ipa user-show
>>>> ... Account disabled: False
>>>> sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
>>>> how this works.
>>>> If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
>>>> unless "Account disabled" is for something else.
>>>
>>> IPA/389-ds uses nsAccountLock to lock accounts.
>> and in my case it could not work for I had (anybody sane would too)
>> hashed pass in ldap userdb, am I right?
>
> What won't work? Migrated user passwords will work just fine.
>
>> If one has hundreds of users s/he thinks, o! it'd be great to keep that
>> account enabled/disabled status - would there be a way around it?
>
> IPA isn't designed to be an LDAP backend for Samba so there isn't a lot
> of direct integration with the schema. You could write a plugin to keep
> the two attributes in sync.
how does one write a plugin? Where should I begin in terms of docs, howtos?
thanks.
L.
>
> For those already migrated it should be pretty easy to write an LDAP
> search to find them and then for each user call ipa user-disable <user>
>
> rob
>
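
The last suggestion in the thread (find the accounts that were disabled in the old directory, then call `ipa user-disable <user>` for each so that IPA records the lock), as an added example that is not part of the original message or of FreeIPA. It reads an LDIF export of the old LDAP+Samba directory; the sample entries, the `example.test` suffix and the `{CRYPT}!` lock convention are assumptions.

```python
import base64
import re

SAFE_UID = re.compile(r"[A-Za-z0-9._-]+\Z")  # only uids safe to paste into a shell

def parse_ldif(text):
    """Yield {attr: [values]} per entry; unfolds lines and decodes 'attr:: base64'."""
    text = re.sub(r"\r?\n ", "", text)  # LDIF continuation lines start with a space
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def disabled_reason(entry):
    """Return why the old directory treated the account as disabled, else None."""
    if any("D" in f.strip("[] ") for f in entry.get("sambaacctflags", [])):
        return "sambaAcctFlags has D"
    # Assumption: a locked POSIX password is stored as '{CRYPT}!<hash>'.
    if any(re.match(r"(?i)\{crypt\}!", p) for p in entry.get("userpassword", [])):
        return "userPassword locked with '!'"
    return None

def disabled_accounts(ldif_text):
    """Return [(uid, reason)] to review, then pass to 'ipa user-disable <user>'."""
    found = []
    for entry in parse_ldif(ldif_text):
        uid, reason = entry.get("uid", [""])[0], disabled_reason(entry)
        if reason and SAFE_UID.match(uid):
            found.append((uid, reason))
    return found

# Constructed sample export from the old directory (not real data).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=test", "uid: alice",
    "sambaAcctFlags: [U          ]", "",
    "dn: uid=bob,ou=people,dc=example,dc=test", "uid: bob",
    "sambaAcctFlags: [UD         ]", "",
    "dn: uid=carol,ou=people,dc=example,dc=test", "uid: carol",
    "userPassword:: " + base64.b64encode(b"{CRYPT}!$6$constructed").decode(),
])

for uid, reason in disabled_accounts(SAMPLE_LDIF):
    print(f"ipa user-disable {uid}  # {reason}")
```

The printed commands are meant to be reviewed before they are run; uids containing characters outside the safe set are left out instead of being quoted.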



