[Freeipa-devel] No luck using ds-migrate to import Apple Open Directory

Rob Crittenden rcritten at redhat.com
Mon Jan 24 23:25:41 UTC 2011


Jeff B wrote:
> Apple Open Directory is as follows:
>
> cn=users,dc=host,dc=domain,dc=tld
> cn=groups,dc=host,dc=domain,dc=tld
>
> User records have the following object classes:
> - person
> - top
> - organizationalPerson
> - extensibleObject
> - apple-user
> - shadowAccount
> - posixAccount
> - inetOrgPerson
>
> Group records have the following object classes:
> - top
> - extensibleObject
> - apple-group
> - posixGroup
>
> The data is mostly what you would expect for posixAccount and the
> other common object classes. When I try to import the data into IPA, I
> get an error like this for every user and group:
>
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
>    <username>: unknown object class "apple-user"
>    <username>: unknown object class "apple-user"
>    <username>: unknown object class "apple-user"
>    ... And the rest
> Failed group:
>    <groupname>: unknown object class "apple-group"
>    <groupname>: unknown object class "apple-group"
>    <groupname>: unknown object class "apple-group"
>    ... And the rest
> ----------
>
> Here are some of the migrate options I've tried:
>
>   ipa -d migrate-ds
> --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
> ldap://10.0.0.1:389 --user-objectclass="posixAccount"
> --group-objectclass="posixGroups" --user-container="cn=users"
> --group-container="cn=groups"
>
>   ipa -d migrate-ds
> --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
> ldap://10.0.0.1:389 --user-objectclass="apple-user"
> --group-objectclass="apple-group" --user-container="cn=users"
> --group-container="cn=groups"
>
> I've tried combinations of the two. I've tried changing the --schema
> with no change in outcome. The only time the outcome is different is
> when I don't include the --group-objectclass or the --user-objectclass.
> It fails before it even tries to import the data in the directory. I
> get this error:
>
> ipa: DEBUG: Caught fault 4001 from server
> https://ipa0.myrealm.com/ipa/xml: Container for group not found
> ipa: INFO: Destroyed connection context.xmlclient
> ipa: ERROR: Container for group not found
>
> If I add only the --group-objectclass it tries to migrate and gives me
> the list of errors for every user and group having an unknown object
> class as described at the top.
>
> Would one expect that I should be able to migrate this data, or would
> one expect it to fail because it differs from the two supported
> schemas? I was hoping that since it was based off of posixAccount and
> posixGroup it was close enough to work.

Hmm, interesting problem; I don't think we really thought about this. In
the broadest sense apple-user could be just about any unknown objectclass.

If we *just* aim at migrating over POSIX information we can simply 
target the attributes we want and migrate those and ignore the rest. 
This might not be so nice for some users.

Or we can try to run through the schema for every entry and delete 
objectclasses and attributes we know nothing about.

Or we could do both, with the default setting perhaps to migrate the 
minimum with an --aggressive option perhaps?

Or we could have a --objectclass option to list all the objectclasses to 
migrate.

Or even better, perhaps we should have a --test mode where you can test
the migration before actually having to move users over. Basically, try
to migrate one user; if successful, delete it from IPA when done and,
if unsuccessful, report whatever errors were raised.

rob
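The "run through the schema for every entry and delete objectclasses and attributes we know nothing about" option from the reply above, worked through as an added example that is not part of this thread or of FreeIPA's migrate-ds. KNOWN_SCHEMA is a constructed, minimal stand-in for the target directory's schema and SAMPLE_USER a constructed entry in the shape Jeff describes; extensibleObject is deliberately treated as unknown so that attributes are checked only against the retained classes.

```python
# Added example, not FreeIPA's migrate-ds code. KNOWN_SCHEMA is a constructed,
# minimal stand-in for the target directory's schema: objectclass (lowercased)
# -> attributes it permits. extensibleObject is deliberately left out, because
# keeping it would make every Apple attribute schema-valid.
KNOWN_SCHEMA = {
    "top": {"objectclass"},
    "person": {"cn", "sn", "userpassword", "description"},
    "organizationalperson": {"title", "ou"},
    "inetorgperson": {"uid", "givenname", "mail", "displayname"},
    "posixaccount": {"uid", "cn", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "userpassword"},
    "shadowaccount": {"uid", "shadowlastchange", "shadowmax", "shadowmin"},
    "posixgroup": {"cn", "gidnumber", "memberuid", "description"},
}


def filter_entry(entry, schema=KNOWN_SCHEMA):
    """Return (cleaned, dropped_classes, dropped_attrs) for one LDAP entry.

    entry maps attribute name -> list of values. Unknown objectclasses go
    first; then any attribute no remaining objectclass permits is dropped,
    so attributes only apple-user/apple-group contributed go with them.
    """
    lowered = {k.lower(): list(v) for k, v in entry.items()}
    classes = lowered.get("objectclass", [])
    kept = [oc for oc in classes if oc.lower() in schema]
    dropped_classes = [oc for oc in classes if oc.lower() not in schema]
    allowed = set().union(*(schema[oc.lower()] for oc in kept))
    cleaned, dropped_attrs = {}, []
    for attr, values in lowered.items():
        if attr == "objectclass":
            cleaned[attr] = kept
        elif attr in allowed:
            cleaned[attr] = values
        else:
            dropped_attrs.append(attr)
    return cleaned, dropped_classes, sorted(dropped_attrs)


# Constructed sample entry in the shape the mail describes (not real data;
# the apple-* attribute names are placeholders).
SAMPLE_USER = {
    "objectClass": ["person", "top", "organizationalPerson", "extensibleObject",
                    "apple-user", "shadowAccount", "posixAccount", "inetOrgPerson"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
    "uidNumber": ["1001"], "gidNumber": ["20"],
    "homeDirectory": ["/Users/jdoe"], "loginShell": ["/bin/bash"],
    "apple-generateduid": ["CONSTRUCTED-GUID"],
    "apple-keyword": ["staff"],
}
```

The returned dropped lists are what a --test mode would report per entry before anything is written to IPA.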