[Freeipa-users] ipa migrate-ds and cn=sysaccounts, cn=etc, <PREFIX>

[Robert Söderlund]

On 2017-03-11 21:14, Alexander Bokovoy wrote:
> On la, 11 maalis 2017, Robert Söderlund wrote:
>> Hi all!
>> 
>> Does 'ipa migrate-ds' support migrating users from 
>> cn=sysaccounts,cn=etc,<PREFIX>?
> No.
> 
>> I tried with the arguments 
>> '--user-container=cn=sysaccounts,cn=users,cn=accounts' and 
>> '--user-objectclass=simplesecurityobject,organizationalperson' without 
>> success.
>> I think if would be a nice feature to be able to migrate objects that 
>> isn't located in the default path.
> sysaccounts aren't users. migrate-ds only supports migration of a
> limited subset objects that IPA framework knows about: users and 
> groups.
> It doesn't support many other objects IPA framework knows about.
> Sysaccounts aren't even something IPA framework knows by itself.
> 
>> I can always fix this with ldapsearch/ldapadd but it would be nice if 
>> this was doable with ipa migrate-ds.
> I agree that it would be good to extend migrate-ds scope but it is
> currently not on the radar for many reasons. I'd rather see it extended
> in a programmatic way to handle all IPA framework objects and allow to
> specify a mapping table for them similar to how we specify
> --user-container and --user-objectclass (and other options). Then when
> sysaccounts would be managed by the IPA framework, they would become
> automatically available for migration.
> 
> However, I personally have no available time for that in next half a
> year (at least).

Hi!
Thank you for the feedback, when I read your answes I realize that I 
misunderstood the purpose of migrate-ds.
My thought was that migrate-ds should work as a ldapsearch+ldapadd (with 
filters and the ability to remove some attrs) but without the need to 
dump the data to a file.

Keep up the good job, freeipa is awesome :)

//Robert