[Freeipa-users] Problem in "ipa migrate-ds" procedure

Dmitri Pal dpal at redhat.com
Mon Mar 19 23:14:06 UTC 2012


On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>
>
> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Marco Pizzoli wrote:
>
>
>
>         On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden
>         <rcritten at redhat.com> wrote:
>
>            Dmitri Pal wrote:
>
>                On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>
>                    Hi guys,
>                    I'm trying to migrate my ldap user base to freeipa. I'm
>                    using the last
>                    Release Candidate.
>
>                    I already changed "ipa config-mod
>         --enable-migration=TRUE"
>                    This is what I have:
>
>                    ipa -v migrate-ds
>                    --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>                    --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>                    --user-objectclass=inetOrgPerson
>                    --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>                    --group-objectclass=posixGroup
>                    --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>
>                    ipa: INFO: trying
>                    https://freeipa01.unix.mydomain.it/ipa/xml
>                    Password:
>                    ipa: INFO: Forwarding 'migrate_ds' to server
>                    u'http://freeipa01.unix.mydomain.it/ipa/xml'
>                    ipa: ERROR: Container for group not found at
>                    ou=groups,dc=mydc1,dc=mydc2.it
>
>
>                    I looked at my ldap server logs and I found out
>         that the search
>                    executed has scope=1. Actually both for users and
>         groups.
>                    This is a
>                    problem for me, in having a lot of subtrees (ou) in
>         which my
>                    users and
>                    groups are. Is there a way to manage this?
>
>                    Thanks in advance
>                    Marco
>
>                    P.s. As a side note, I suppose there's a typo in
>         the verbose
>                    message I
>                    obtain in my output:
>                    ipa: INFO: Forwarding 'migrate_ds' to server
>                    *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>
>
>                Please open tickets for both issues.
>
>
>            Well, I don't think either is a bug.
>
>            If you have users/groups in multiple places you'll need to
>         migrate
>            them individually for now. It is safe to run migrate-ds
>         multiple
>            times, existing users are not migrated.
>
>
>         I just re-executed by specifying a nested ou for my groups.
>         This is what I got:
>
>         ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>         ipa: INFO: Forwarding 'migrate_ds' to server
>         u'http://freeipa01.unix.csebo.it/ipa/xml'
>         -----------
>         migrate-ds:
>         -----------
>         Migrated:
>         Failed user:
>           fw03075_no: Type or value exists:
>           [other users listed]
>         Failed group:
>           pdbac32: Type or value exists:
>           [other groups listed]
>         ----------
>         Passwords have been migrated in pre-hashed format.
>         IPA is unable to generate Kerberos keys unless provided
>         with clear text passwords. All migrated users need to
>         login at https://your.domain/ipa/migration/ before they
>         can use their Kerberos accounts.
>
>         I don't understand what it's trying to tell me.
>         On my FreeIPA ldap server I don't see any imported user.
>
>         What's my fault here?
>
>
>            The u is a python-ism for unicode. This is not a bug.
>
>
>         Please, could you give a little more detail on this? It's only
>         a hint on
>         what that data represents in a Python variable?
>
>         Thanks again
>         Marco
>
>
>     Type or value exists occurs when one tries to add an attribute
>     value to an entry that already exists.
>
>     I suspect that the underlying problem is different between users
>     and groups.
>
>     For groups it is likely adding a duplicate member.
>
>     For users I'm not really sure. It could be one of the POSIX
>     attributes. What does a failed entry look like?
>
>     rob
>
>
> The user entry:
> ------------------------
> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
> description: fw03075
> cn: fw03075
> uidNumber: 11013
> gidNumber: 503
> homeDirectory: /home/fw03075
> loginShell: /bin/sh
> gecos: fw03075
> shadowLastChange: 13059
> shadowMax: 99999
> shadowWarning: 7
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> objectClass: xxxPeopleAttributes
> sn: SN_NON_IMPOSTATO
> givenName: GIVENNAME_NON_IMPOSTATO
> xxxUfficio: UFFICIO_NON_IMPOSTATO
> xxxTipoUtente: tecnico
> uid: fw03075_NO
> userPassword: secret
>
>
> group entry:
> -------------------
> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
> gidNumber: 10015
> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
> memberUid: NESSUNO
> memberUid: aaa415
> memberUid: bbb446
> xxxAmbiente: prod
> xxxDB2GruppiPrivilegi: instance_owner
> description: Mydescription
> xxxTipoGruppo: db
> objectClass: top
> objectClass: posixGroup
> objectClass: groupOfNames
> objectClass: xxxGroupsAttributes
> objectClass: xxxDB2GroupsAttributes
> cn: pdbac32
>
> Thanks again
> Marco
>
>

Do you by any chance have a _group_ with name "fw03075_NO" and _user_
with name "pdbac32"?
Maybe you are hitting a collision on managed groups?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
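The three things raised in this thread (the one-level search scope of migrate-ds, Rob's suspected duplicate group member behind "Type or value exists", and Dmitri's question about a group name colliding with a user name) can all be checked against the source LDAP data before running the migration. The script below is an added example written for this archive page; it is not FreeIPA code and not something either poster ran. It reads a small LDIF constructed from the user and group entries quoted above (with one extra group, cn=fw03075_NO, added to exercise the collision check). It assumes that FreeIPA creates a user-private group named after each user's uid (which is why a pre-existing group of that name collides), and it treats a user referenced through both `member` and `memberUid` as the duplicate-member case, which is an assumption in line with Rob's hypothesis rather than a confirmed reading of migrate-ds internals.

```python
"""Pre-migration lint for the LDIF that `ipa migrate-ds` will read (added
example for this thread, not FreeIPA code). One check per problem above:
  1. scope=1: entries nested below the container are never searched;
  2. a user listed via both `member` (DN) and `memberUid` - assumed to be
     the duplicate member Rob suspects behind "Type or value exists";
  3. a group whose cn equals a user's uid, which collides with the
     user-private group FreeIPA creates for each migrated user.
"""
from collections import Counter, defaultdict

# Constructed LDIF: the user and group posted in the thread, trimmed, plus
# one extra group (cn=fw03075_NO) added to exercise the collision check.
SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
objectClass: posixAccount
uid: fw03075_NO
cn: fw03075

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
objectClass: groupOfNames
cn: pdbac32
member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
memberUid: NESSUNO
memberUid: aaa415

dn: cn=fw03075_NO,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: fw03075_NO
memberUid: fw03075_NO
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    attribute names lowercased, every attribute a list. No continuation
    lines or base64 ('::') values; enough for the constructed sample."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry[attr.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries

def dn_parts(dn):
    """Split a DN into lowercased RDNs (no escaped-comma handling)."""
    return [p.strip().lower() for p in dn.split(",")]

def depth_below(dn, container):
    """RDNs between dn and container, or None if dn is not under it.
    A one-level (scope=1) search returns only entries at depth 1."""
    parts, base = dn_parts(dn), dn_parts(container)
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return None
    return len(parts) - len(base)

def find_hidden_by_scope(entries, container):
    """DNs under the container that a one-level search would not return."""
    return [e["dn"][0] for e in entries
            if (depth_below(e["dn"][0], container) or 0) > 1]

def find_duplicate_members(groups):
    """Per group cn: uids present more than once after folding `member` DNs
    and `memberUid` values into one membership list (assumption, see above)."""
    out = {}
    for g in groups:
        uids = [dn_parts(m)[0].split("=", 1)[1] for m in g.get("member", [])]
        uids += [u.lower() for u in g.get("memberuid", [])]
        dups = sorted(u for u, n in Counter(uids).items() if n > 1)
        if dups:
            out[g["cn"][0]] = dups
    return out

def find_upg_collisions(users, groups):
    """uids for which a group of the same name already exists."""
    uids = {u["uid"][0].lower() for u in users}
    cns = {g["cn"][0].lower() for g in groups}
    return sorted(uids & cns)

def lint(ldif_text, user_container, group_container):
    """Run all three checks; returns a dict keyed by check name."""
    entries = parse_ldif(ldif_text)
    def has_oc(e, oc):
        return oc in {o.lower() for o in e.get("objectclass", [])}
    users = [e for e in entries if has_oc(e, "posixaccount")]
    groups = [e for e in entries if has_oc(e, "posixgroup")]
    return {
        "hidden_by_scope": find_hidden_by_scope(users, user_container)
        + find_hidden_by_scope(groups, group_container),
        "duplicate_members": find_duplicate_members(groups),
        "upg_collisions": find_upg_collisions(users, groups),
    }

if __name__ == "__main__":
    report = lint(SAMPLE_LDIF, "ou=People,dc=mydc1,dc=mydc2.it",
                  "ou=Groups,dc=mydc1,dc=mydc2.it")
    for check, hits in report.items():
        print(f"{check}: {hits or 'none'}")
```

On the sample, the nested pdbac32 group is reported as invisible to a one-level search from ou=Groups (which is exactly why the first run said "Container for group not found" and the second had to name the nested ou), pdbac32 is flagged for listing aaa415 and NESSUNO both as a member DN and as a memberUid, and fw03075_NO shows up as a uid that already has a group of the same name. Against a real directory you would feed the script an `ldapsearch -LLL` dump of the user and group subtrees instead of the embedded string; the parser does not handle LDIF line continuations or base64 values, so export with `-o ldif-wrap=no` or extend it before relying on it.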


