[Freeipa-users] Problem migrating from openldap using groups in a group

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 23 12:27:13 UTC 2016


On Wed, 23 Mar 2016, Sotiris Tsimbonis wrote:
>Hi all,
>
>I'm trying to migrate into freeipa some users and groups from an old
>ldap server I've inherited. But migrate-ds fails to import groups inside
>usergroups; it believes they are users and imports them wrongly.
>
>trying to migrate with command:
>ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
> --base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
> --user-container=ou=users \
> --group-container=ou=groups \
> --group-objectclass=posixgroup \
> --schema=RFC2307 \
> ldap://devldap01.forthnet.prv:389
>
>(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)
>
>here is part of the ldif from devldap01
>---------------------------------------
>dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
>cn: security-tech
>objectClass: posixGroup
>structuralObjectClass: posixGroup
>entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
>creatorsName: cn=root,dc=staff,dc=forthnet
>createTimestamp: 20080520162000Z
>memberUid: dimitria
>gidNumber: 1730
>entryCSN: 20100107135233Z#000000#00#000000
>modifiersName: cn=root,dc=staff,dc=forthnet
>modifyTimestamp: 20100107135233Z
>
>dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
>cn: abusewg
>objectClass: posixGroup
>structuralObjectClass: posixGroup
>entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
>creatorsName: cn=root,dc=staff,dc=forthnet
>createTimestamp: 20080520161722Z
>memberUid: ccha
>memberUid: dzer
>memberUid: gmouz
>memberUid: isek
>memberUid: kavaklis
>memberUid: nasl
>memberUid: pmav
>memberUid: stsimb
>memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
>gidNumber: 1010
>entryCSN: 20151203143609Z#000000#00#000000
>modifiersName: cn=root,dc=staff,dc=forthnet
>modifyTimestamp: 20151203143609Z
>--------------------------------------------------------------------
>
>migrate-ds completes with no failures.
>
>The usergroup "security-tech" is correctly imported in freeipa, it
>contains user "dimitria" who is also imported correctly.
>
>But usergroup "abusewg" contains 9 users and reports an error
>"user not found:
>cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet".
>
>I would expect it to migrate the "security-tech" as a usergroup, not as
>a user.
migrate-ds did everything right because the memberUid attribute in the RFC2307
schema is the uid of a user, not a group. The RFC2307 schema does not allow
nested groups.

memberUid syntax is
 ( nisSchema.1.12 NAME 'memberUid'
          EQUALITY caseExactIA5Match
          SUBSTRINGS caseExactIA5SubstringsMatch
          SYNTAX 'IA5String' )

i.e. this is IA5String, not a DN.

This doesn't help you much because your use of the LDAP server was already
violating RFC2307, so I'd suggest fixing these violations and the group
membership manually.

-- 
/ Alexander Bokovoy
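The reply above explains why migrate-ds treats a DN inside memberUid as a user name: memberUid is an IA5String carrying a uid, so a DN there is a schema violation rather than a nested group. The script below is an added example, not part of this thread and not FreeIPA's own code: it parses a minimal LDIF export, flags posixGroup entries whose memberUid values look like DNs, and computes the flat set of uids each such group would need so the membership can be fixed by hand before running migrate-ds. The LDIF embedded in it is constructed to mirror the two entries quoted in the question; the DN heuristic (`attr=` at the start of the value) is an assumption that holds for RFC2307 exports, where a uid never contains `=`.

```python
"""Report DN-valued memberUid entries (illegal nested groups) in an RFC2307 LDIF.

Added example for the thread above; not code from FreeIPA or the poster.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the two entries quoted in the question.
SAMPLE_LDIF = """\
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
memberUid: dimitria
gidNumber: 1730

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
memberUid: ccha
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
"""

# Assumption: a value that begins with "attr=" is a DN; a plain uid never contains "=".
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=")


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from a minimal LDIF text.

    Handles continuation lines (leading space) and lower-cases attribute names.
    Base64 ("::") values are skipped; they are not needed for this check.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # fold continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep or value.startswith(":"):
                continue                       # malformed or base64 line
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries.append((dn, dict(attrs)))
    return entries


def is_dn(value):
    """True when a memberUid value looks like a DN instead of a uid."""
    return bool(DN_RE.match(value))


def find_nested_memberuid(entries):
    """Return {group_dn: [(dn_value, referenced group's memberUids or None)]}."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    findings = {}
    for dn, attrs in entries:
        if not any(oc.lower() == "posixgroup" for oc in attrs.get("objectclass", [])):
            continue
        bad = []
        for value in attrs.get("memberuid", []):
            if is_dn(value):
                target = by_dn.get(value.lower())
                bad.append((value, target.get("memberuid") if target else None))
        if bad:
            findings[dn] = bad
    return findings


def flatten_group(entries, group_dn):
    """Return (uids, unresolved_dns): the plain uids a group would hold once
    DN-valued memberUid entries are replaced by the referenced groups' members.
    Follows nesting recursively with cycle protection."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    uids, unresolved, seen = set(), set(), set()

    def walk(dn):
        key = dn.lower()
        if key in seen:
            return
        seen.add(key)
        attrs = by_dn.get(key)
        if attrs is None:
            unresolved.add(dn)
            return
        for v in attrs.get("memberuid", []):
            walk(v) if is_dn(v) else uids.add(v)

    walk(group_dn)
    return uids, unresolved


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for group, problems in find_nested_memberuid(parsed).items():
        print(f"{group}: {len(problems)} DN-valued memberUid value(s)")
        uids, missing = flatten_group(parsed, group)
        print("  replace with uids:", ", ".join(sorted(uids)))
        if missing:
            print("  unresolved DNs:", ", ".join(sorted(missing)))
```

Run it against a real `ldapsearch -LLL` export instead of `SAMPLE_LDIF` to get the list of groups that need their memberUid values rewritten before migrate-ds is run; groups without findings migrate as-is.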
