<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/20/2012 09:09 AM, Marco Pizzoli wrote:
<blockquote
cite="mid:CAMrrtwu-yE2-8Can7NrAXYRmoR0nNrOsdYkjg9u5tx=_XywjVA@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Tue, Mar 20, 2012 at 1:32 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>
<div class="h5"> On 03/20/2012 05:19 AM, Marco Pizzoli
wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Tue, Mar 20, 2012 at 12:14
AM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>
<div> On 03/19/2012 06:54 PM, Marco Pizzoli
wrote: </div>
</div>
<blockquote type="cite">
<div>
<div><br>
<br>
<div class="gmail_quote">On Mon, Mar 19,
2012 at 8:31 PM, Rob Crittenden <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;"> Marco
Pizzoli wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div> <br>
<br>
On Mon, Mar 19, 2012 at 2:42 PM,
Rob Crittenden <<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a><br>
</div>
<div> <mailto:<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>>>
wrote:<br>
<br>
Dmitri Pal wrote:<br>
<br>
On 03/17/2012 07:36 AM,
Marco Pizzoli wrote:<br>
<br>
Hi guys,<br>
I'm trying to migrate
my ldap user base to freeipa. I'm<br>
using the last<br>
Release Candidate.<br>
<br>
I already changed "ipa
config-mod
--enable-migration=TRUE"<br>
This is what I have:<br>
<br>
ipa -v migrate-ds<br>
</div>
--bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"<br>
--user-container="ou=people,dc=mydc1,dc=mydc2.it"<br>
--user-objectclass=inetOrgPerson<br>
--group-container="ou=groups,dc=mydc1,dc=mydc2.it"<br>
--group-objectclass=posixGroup<br>
--base-dn="dc=mydc1,dc=mydc2.it"<br>
--with-compat ldap://ldap01<br>
<br>
ipa: INFO: trying<br>
<a href="https://freeipa01.unix.mydomain.it/ipa/xml" target="_blank">https://freeipa01.unix.mydomain.it/ipa/xml</a><br>
Password:<br>
ipa: INFO: Forwarding 'migrate_ds' to server<br>
u'http://freeipa01.unix.mydomain.it/ipa/xml'<br>
<div>ipa: ERROR: Container for group not found at<br>
ou=groups,dc=mydc1,dc=mydc2.it<br>
<br>
<br>
I looked at my ldap
server logs and I found out that
the search<br>
executed has scope=1.
Actually both for users and
groups.<br>
This is a<br>
problem for me, in
having a lot of subtrees (ou) in
which my<br>
users and<br>
groups are. Is there a
way to manage this?<br>
<br>
Thanks in advance<br>
Marco<br>
<br>
P.s. As a side note, I
suppose there's a typo in the
verbose<br>
message I<br>
obtain in my output:<br>
ipa: INFO: Forwarding
'migrate_ds' to server<br>
</div>
*u*'http://freeipa01.unix.mydomain.it/ipa/xml'<br>
<div>
<div>
<br>
<br>
Please open tickets for
both issues.<br>
<br>
<br>
Well, I don't think either is
a bug.<br>
<br>
If you have users/groups in
multiple places you'll need to
migrate<br>
them individually for now. It
is safe to run migrate-ds
multiple<br>
times, existing users are not
migrated.<br>
<br>
<br>
I just re-executed by specifying
a nested ou for my groups.<br>
This is what I got:<br>
<br>
ipa: INFO: trying <a
moz-do-not-send="true"
href="https://freeipa01.unix.csebo.it/ipa/xml"
target="_blank">https://freeipa01.unix.csebo.it/ipa/xml</a><br>
ipa: INFO: Forwarding
'migrate_ds' to server<br>
u'<a moz-do-not-send="true"
href="http://freeipa01.unix.csebo.it/ipa/xml"
target="_blank">http://freeipa01.unix.csebo.it/ipa/xml</a>'<br>
-----------<br>
migrate-ds:<br>
-----------<br>
Migrated:<br>
Failed user:<br>
fw03075_no: Type or value
exists:<br>
[other users listed]<br>
Failed group:<br>
pdbac32: Type or value exists:<br>
[other groups listed]<br>
----------<br>
Passwords have been migrated in
pre-hashed format.<br>
IPA is unable to generate
Kerberos keys unless provided<br>
with clear text passwords. All
migrated users need to<br>
login at <a
moz-do-not-send="true"
href="https://your.domain/ipa/migration/"
target="_blank">https://your.domain/ipa/migration/</a>
before they<br>
can use their Kerberos accounts.<br>
<br>
I don't understand what it's
trying to tell me.<br>
On my FreeIPA ldap server I
don't see any imported user.<br>
<br>
What's my fault here?<br>
<br>
<br>
The u is a python-ism for
unicode. This is not a bug.<br>
<br>
<br>
Please, could you give a little
more detail on this? It's only a
hint on<br>
what that data represents in a
Python variable?<br>
<br>
Thanks again<br>
Marco<br>
</div>
</div>
</blockquote>
<br>
Type or value exists occurs when one
tries to add an attribute value to an
entry that already exists.<br>
<br>
I suspect that the underlying problem
is different between users and groups.<br>
<br>
For groups it is likely adding a
duplicate member.<br>
<br>
For users I'm not really sure. It
could be one of the POSIX attributes.
What does a failed entry look like?<span><font
color="#888888"><br>
<br>
rob<br>
</font></span></blockquote>
</div>
<br>
The user entry:<br>
------------------------<br>
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it<br>
description: fw03075<br>
cn: fw03075<br>
uidNumber: 11013<br>
gidNumber: 503<br>
homeDirectory: /home/fw03075<br>
loginShell: /bin/sh<br>
gecos: fw03075<br>
shadowLastChange: 13059<br>
shadowMax: 99999<br>
shadowWarning: 7<br>
objectClass: inetOrgPerson<br>
objectClass: posixAccount<br>
objectClass: shadowAccount<br>
objectClass: top<br>
objectClass: xxxPeopleAttributes<br>
sn: SN_NON_IMPOSTATO<br>
givenName: GIVENNAME_NON_IMPOSTATO<br>
xxxUfficio: UFFICIO_NON_IMPOSTATO<br>
xxxTipoUtente: tecnico<br>
uid: fw03075_NO<br>
userPassword: secret<br>
<br>
<br>
group entry:<br>
-------------------<br>
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it<br>
gidNumber: 10015<br>
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it<br>
member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it<br>
memberUid: NESSUNO<br>
memberUid: aaa415<br>
memberUid: bbb446<br>
xxxAmbiente: prod<br>
xxxDB2GruppiPrivilegi: instance_owner<br>
description: Mydescription<br>
xxxTipoGruppo: db<br>
objectClass: top<br>
objectClass: posixGroup<br>
objectClass: groupOfNames<br>
objectClass: xxxGroupsAttributes<br>
objectClass: xxxDB2GroupsAttributes<br>
cn: pdbac32<br>
<br>
Thanks again<br>
Marco<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
Do you by any chance have a <u>group</u> with
name "fw03075_NO" and <u>user</u> with name
"pdbac32"?<br>
Maybe you are hitting a collision on a managed
group?</div>
</blockquote>
<div><br>
Well, yes and no.<br>
<br>
No, I don't have a group called "fw03075_NO" and
No, I don't have a user called "pdbac32".<br>
<br>
Yes, I have some users uid=samename and groups
cn=samename, but they are not found in the group
subtree (ou) from where I launched "ipa
migrate-ds".<br>
<br>
If this is the problem, where can I have any
evidence of the actual problem?<br>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
Can you search those names in the IPA LDAP tree after the
migration? Maybe there is some object already there with
the same cn that collides. This way we would be able to
determine what the colliding object is and take it from
there. It might collide on some other attribute in the entry
and just be reported by uid and cn.</div>
</blockquote>
<div><br>
</div>
<div>Here it is:</div>
<div><br>
</div>
<div>
<div><font face="'courier new', monospace">[root@freeipa01
ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager"
-W -b "dc=unix,dc=mydomain,dc=it" -s sub
"(uid=fw03075_NO)"</font></div>
<div><font face="'courier new', monospace">Enter LDAP
Password:</font></div>
<div><font face="'courier new', monospace"># extended LDIF</font></div>
<div><font face="'courier new', monospace">#</font></div>
<div><font face="'courier new', monospace"># LDAPv3</font></div>
<div><font face="'courier new', monospace"># base &lt;dc=unix,dc=mydomain,dc=it&gt; with scope subtree</font></div>
<div><font face="'courier new', monospace"># filter:
(uid=fw03075_NO)</font></div>
<div><font face="'courier new', monospace"># requesting: ALL</font></div>
<div><font face="'courier new', monospace">#</font></div>
<div><font face="'courier new', monospace"><br>
</font></div>
<div><font face="'courier new', monospace"># search result</font></div>
<div><font face="'courier new', monospace">search: 2</font></div>
<div><font face="'courier new', monospace">result: 0 Success</font></div>
<div><font face="'courier new', monospace"><br>
</font></div>
<div><font face="'courier new', monospace"># numResponses: 1</font></div>
<div><font face="'courier new', monospace">[root@freeipa01
ipa]# ldapsearch -h 127.0.0.1 -x -D "cn=Directory Manager"
-W -b "dc=unix,dc=mydomain,dc=it" -s sub "(cn=fw03075_NO)"</font></div>
<div><font face="'courier new', monospace">Enter LDAP
Password:</font></div>
<div><font face="'courier new', monospace"># extended LDIF</font></div>
<div><font face="'courier new', monospace">#</font></div>
<div><font face="'courier new', monospace"># LDAPv3</font></div>
<div><font face="'courier new', monospace"># base &lt;dc=unix,dc=mydomain,dc=it&gt; with scope subtree</font></div>
<div><font face="'courier new', monospace"># filter:
(cn=fw03075_NO)</font></div>
<div><font face="'courier new', monospace"># requesting: ALL</font></div>
<div><font face="'courier new', monospace">#</font></div>
<div><font face="'courier new', monospace"><br>
</font></div>
<div><font face="'courier new', monospace"># search result</font></div>
<div><font face="'courier new', monospace">search: 2</font></div>
<div><font face="'courier new', monospace">result: 0 Success</font></div>
<div><font face="'courier new', monospace"><br>
</font></div>
<div><font face="'courier new', monospace"># numResponses: 1</font></div>
</div>
<div><br>
</div>
<div>Same thing for "pdbac32".</div>
<div><br>
</div>
<div>Or were you asking me something more complicated?</div>
<div><br>
</div>
<div>My group and user tree is almost empty. There are only
default groups and 5/6 users created by hand.</div>
<div>Yes, some of them have the same uid as the one manually
created, but they represent only a minority of the total.</div>
<div><br>
</div>
<div>Marco</div>
<div><br>
</div>
</div>
</blockquote>
<br>
I am running out of ideas. Rob, any clues?<br>
<br>
<blockquote
cite="mid:CAMrrtwu-yE2-8Can7NrAXYRmoR0nNrOsdYkjg9u5tx=_XywjVA@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_quote">
<div>Thanks again<br>
Marco<br>
</div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<br>
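Rob's explanation above is that "Type or value exists" is the directory's answer to adding an attribute value the entry already holds, and Dmitri's hunch is a name collision. An added example, not code from this thread or from FreeIPA: a Python pre-migration check that reads an LDIF export of the source tree and reports values that collide under case-insensitive matching, plus groups whose memberUid values name users already listed as member DNs (that the migration would rewrite memberUid into member DNs is my assumption, not something the thread states).<br>

```python
# Constructed sample LDIF, modelled on the group and user entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
member: uid=AAA415,ou=People,dc=mydc1,dc=mydc2.it
memberUid: aaa415
memberUid: bbb446
objectClass: posixGroup
cn: pdbac32

dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
uid: fw03075_NO
objectClass: posixAccount
"""

def parse_ldif(text):
    """Split blank-line separated LDIF into {attr: [values]} dicts (plain 'attr: value' lines only)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def find_duplicates(entry):
    """Case-insensitive duplicate values (LDAP matches DNs and DirectoryStrings that way) and memberUid
    values naming a user already listed as a member DN (assumed to collide once memberUid is rewritten as member)."""
    problems = []
    for attr, values in entry.items():
        seen = set()
        for v in values:
            if v.lower() in seen:
                problems.append(f"{attr}: duplicate value {v!r}")
            seen.add(v.lower())
    # uid taken from the first RDN of each member DN, e.g. 'uid=aaa415,ou=People,...' -> 'aaa415'
    member_uids = {dn.split(",", 1)[0].partition("=")[2].strip().lower() for dn in entry.get("member", [])}
    for uid in entry.get("memberUid", []):
        if uid.lower() in member_uids:
            problems.append(f"memberUid {uid!r} already present as a member DN")
    return problems

def check_ldif(text):
    """Map each problematic entry's DN to its list of problems; clean entries are omitted."""
    return {e["dn"][0]: p for e in parse_ldif(text) if (p := find_duplicates(e))}
```

Running check_ldif(SAMPLE_LDIF) reports only the group entry: the second member DN differs from the first only in case, and memberUid aaa415 names a user already listed as a member DN.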
</body>
</html>