[Freeipa-users] openLDAP to FreeIPA user migration

Ernedin Zajko ezajko at root.ba
Fri Sep 2 10:24:17 UTC 2016


Hi Alexander,

Thank you for this - I think this should even work for missing some
mandatory (gid) attributes...

regards,

--- Ernedin ZAJKO
 ezajko at root.ba

> 340282366920938463463374607431768211456



On Thu, Sep 1, 2016 at 9:26 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> On Thu, 01 Sep 2016, William Muriithi wrote:
>>
>> Afternoon,
>>
>> I have an openLDAP system that lacks a required attribute.  This results
>> in the migration script rejecting all the user imports.
>>
>> I have googled extensively, read every line of ipa migration --help
>> doc and it doesn't seem I will be able to use this migration script.
>> I wonder if there is anybody here who has been able to overcome this
>> problem in the past.
>>
>> [root at hydrogen ~]# ipa -v migrate-ds --with-compat
>> --bind-dn="cn=admin,dc=eng.example,dc=com"
>> --user-ignore-attribute="sn"
>> --user-container="ou=People,dc=eng.example,dc=com"
>> --group-container="ou=Group,dc=eng.example,dc=com"
>> --group-objectclass="posixGroup"   --user-objectclass="account"
>> ldap://192.168.20.18:389
>> ipa: INFO: trying https://hydrogen.eng.example.com/ipa/session/json
>> Password:
>> ipa: INFO: Forwarding 'migrate_ds' to json server
>> 'https://hydrogen.eng.example.com/ipa/session/json'
>> -----------
>> migrate-ds:
>> -----------
>> Migrated:
>> Failed user:
>>  aagrim: missing attribute "sn" required by object class
>> "organizationalPerson"
>>  acctemp: missing attribute "sn" required by object class
>> "organizationalPerson"
>> ...........
>
> This looks like a common problem. I had recently made a small 'hack' to
> solve this problem.
>
> The following small fixup plugin could be used to affect how entries are
> generated. If you add it to /usr/lib/python2.7/site-packages/ipalib/plugins
> on the IPA master and restart the httpd service, the plugin would modify
> the migrate-ds command so that the 'sn' attribute would be set to
> 'Migrated User Last Name' for all entries that are missing the 'sn'
> attribute before they actually get added into IPA LDAP.
>
> This is an experimental hack, of course, but it should work. Once
> migration is finished, don't forget to remove the file and restart httpd
> service again.
>
> --
> / Alexander Bokovoy
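A pre-flight check for the failure discussed in this thread, as an added example: it is not the plugin Alexander refers to and not FreeIPA code. It reads an LDIF export of the source directory and reports, per entry, which missing attributes the thread's 'sn' placeholder would cover and which (such as the gid attribute mentioned in the reply) would still be unresolved. Assumptions: the target entries must satisfy the MUST attributes of `person` (RFC 4519, inherited by `organizationalPerson`) and `posixAccount` (RFC 2307); the sample LDIF and the function names are constructed for illustration.

```python
# MUST attributes of the object classes assumed for the migrated entries
# (person per RFC 4519, posixAccount per RFC 2307).
REQUIRED = {
    "person": ["sn", "cn"],
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
}
# Placeholder named in the thread; only 'sn' has one, other gaps are reported.
PLACEHOLDERS = {"sn": "Migrated User Last Name"}

# Constructed sample export, not data from the thread's directory.
SAMPLE_LDIF = """\
dn: uid=aagrim,ou=People,dc=eng.example,dc=com
objectClass: account
uid: aagrim
cn: aagrim
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/aagrim

dn: uid=acctemp,ou=People,dc=eng.example,dc=com
objectClass: account
uid: acctemp
cn: acctemp
uidNumber: 1002
homeDirectory: /home/acctemp
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values) into a list of (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():  # undo line folding
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def preflight(text):
    """Map each incomplete entry's DN to (covered_by_placeholder, unresolved)."""
    needed = {a.lower() for musts in REQUIRED.values() for a in musts}
    report = {}
    for dn, attrs in parse_ldif(text):
        missing = sorted(a for a in needed if not attrs.get(a))
        if missing:
            report[dn] = ([a for a in missing if a in PLACEHOLDERS],
                          [a for a in missing if a not in PLACEHOLDERS])
    return report
```

Entries with a non-empty second list would still be rejected after an 'sn' fixup and need their data corrected in the source directory or a further placeholder decision.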



