[Freeipa-users] openLDAP to FreeIPA user migration

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 2 10:31:11 UTC 2016


On Fri, 02 Sep 2016, Ernedin Zajko wrote:
>Hi Alexander,
>
>thank you for this - I think this should even work for missing some
>mandatory (gid) attributes...
Yes, this fixup module can be used to inject anything.

>
>regards,
>
>--- Ernedin ZAJKO
> ezajko at root.ba
>
>> 340282366920938463463374607431768211456
>
>
>
>On Thu, Sep 1, 2016 at 9:26 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>> On Thu, 01 Sep 2016, William Muriithi wrote:
>>>
>>> Afternoon,
>>>
>>> I have an openLDAP system that lacks a required attribute.  This results
>>> in the migration script rejecting all the user imports.
>>>
>>> I have googled extensively, read every line of the ipa migration --help
>>> doc and it doesn't seem I will be able to use this migration script.
>>> I wonder if there is anybody here who has been able to overcome this
>>> problem in the past.
>>>
>>> [root at hydrogen ~]# ipa -v migrate-ds --with-compat
>>> --bind-dn="cn=admin,dc=eng.example,dc=com"
>>> --user-ignore-attribute="sn"
>>> --user-container="ou=People,dc=eng.example,dc=com"
>>> --group-container="ou=Group,dc=eng.example,dc=com"
>>> --group-objectclass="posixGroup"   --user-objectclass="account"
>>> ldap://192.168.20.18:389
>>> ipa: INFO: trying https://hydrogen.eng.example.com/ipa/session/json
>>> Password:
>>> ipa: INFO: Forwarding 'migrate_ds' to json server
>>> 'https://hydrogen.eng.example.com/ipa/session/json'
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> Failed user:
>>>  aagrim: missing attribute "sn" required by object class
>>> "organizationalPerson"
>>>  acctemp: missing attribute "sn" required by object class
>>> "organizationalPerson"
>>> ...........
>>
>> This looks like a common problem. I had recently made a small 'hack' to
>> solve this problem.
>>
>> The following small fixup plugin could be used to affect how entries are
>> generated. If you add it to /usr/lib/python2.7/site-packages/ipalib/plugins
>> on the IPA master and restart the httpd service, the plugin would modify the
>> migrate-ds command so that the 'sn' attribute would be set to
>> 'Migrated User Last Name' for all entries that miss the 'sn' attribute
>> before they actually get added into IPA LDAP.
>>
>> This is an experimental hack, of course, but it should work. Once
>> migration is finished, don't forget to remove the file and restart httpd
>> service again.
>>
>> --
>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

-- 
/ Alexander Bokovoy
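
The fixup described in the thread (giving 'sn' the value 'Migrated User Last Name' on entries that lack it) can be previewed offline against an LDIF export of the source directory before running migrate-ds. This is an added example, not the plugin from the thread and not FreeIPA code; it does not use the IPA plugin API, and the sample LDIF and the helper names `parse_ldif` and `fill_missing_sn` are constructed for illustration.

```python
import base64

DEFAULT_SN = "Migrated User Last Name"  # default value named in the thread

# Constructed sample export; the entries are illustrative, not real data.
SAMPLE_LDIF = """\
dn: uid=aagrim,ou=People,dc=eng.example,dc=com
objectClass: account
uid: aagrim

dn: uid=jdoe,ou=People,
 dc=eng.example,dc=com
objectClass: account
SN: Doe

dn: uid=acctemp,ou=People,dc=eng.example,dc=com
objectClass: account
sn:
"""

def parse_ldif(text):
    """Parse a minimal LDIF export into a list of (dn, {attr: [values]})."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        attrs, dn = {}, None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:  # LDAP attribute names are case-insensitive
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def fill_missing_sn(entries, default=DEFAULT_SN):
    """Set sn to the default where it is absent or empty; return changed DNs."""
    fixed = []
    for dn, attrs in entries:
        if not any(attrs.get("sn", [])):
            attrs["sn"] = [default]
            fixed.append(dn)
    return fixed
```

The list returned by `fill_missing_sn` is the set of accounts that will carry the placeholder surname after migration, which is worth keeping so those entries can be corrected afterwards.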



