[Freeipa-users] Problem in "ipa migrate-ds" procedure

Marco Pizzoli marco.pizzoli at gmail.com
Tue Mar 20 09:19:53 UTC 2012


On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal <dpal at redhat.com> wrote:

> On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
>
>
>
> On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Marco Pizzoli wrote:
>>
>>>
>>>
>>> On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>>    Dmitri Pal wrote:
>>>
>>>        On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>
>>>            Hi guys,
>>>            I'm trying to migrate my ldap user base to freeipa. I'm
>>>            using the last
>>>            Release Candidate.
>>>
>>>            I already changed "ipa config-mod --enable-migration=TRUE"
>>>            This is what I have:
>>>
>>>            ipa -v migrate-ds
>>>             --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>>             --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>>             --user-objectclass=inetOrgPerson
>>>             --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>>             --group-objectclass=posixGroup
>>>             --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>
>>>            ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>            Password:
>>>            ipa: INFO: Forwarding 'migrate_ds' to server
>>>             u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>            ipa: ERROR: Container for group not found at
>>>            ou=groups,dc=mydc1,dc=mydc2.it
>>>
>>>
>>>            I looked at my ldap server logs and I found out that the search
>>>            executed has scope=1. Actually both for users and groups. This is a
>>>            problem for me, in having a lot of subtrees (ou) in which my users and
>>>            groups are. Is there a way to manage this?
>>>
>>>            Thanks in advance
>>>            Marco
>>>
>>>            P.s. As a side note, I suppose there's a typo in the verbose
>>>            message I
>>>            obtain in my output:
>>>            ipa: INFO: Forwarding 'migrate_ds' to server
>>>             *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>
>>>
>>>        Please open tickets for both issues.
>>>
>>>
>>>    Well, I don't think either is a bug.
>>>
>>>    If you have users/groups in multiple places you'll need to migrate
>>>    them individually for now. It is safe to run migrate-ds multiple
>>>    times, existing users are not migrated.
>>>
>>>
>>> I just re-executed by specifying a nested ou for my groups.
>>> This is what I got:
>>>
>>> ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> u'http://freeipa01.unix.csebo.it/ipa/xml'
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> Failed user:
>>>   fw03075_no: Type or value exists:
>>>   [other users listed]
>>> Failed group:
>>>   pdbac32: Type or value exists:
>>>   [other groups listed]
>>> ----------
>>> Passwords have been migrated in pre-hashed format.
>>> IPA is unable to generate Kerberos keys unless provided
>>> with clear text passwords. All migrated users need to
>>> login at https://your.domain/ipa/migration/ before they
>>> can use their Kerberos accounts.
>>>
>>> I don't understand what it's trying to tell me.
>>> On my FreeIPA ldap server I don't see any imported user.
>>>
>>> What's my fault here?
>>>
>>>
>>>    The u is a python-ism for unicode. This is not a bug.
>>>
>>>
>>> Please, could you give a little more detail on this? It's only a hint on
>>> what that data represents in a Python variable?
>>>
>>> Thanks again
>>> Marco
>>>
>>
>> Type or value exists occurs when one tries to add an attribute value to
>> an entry that already exists.
>>
>> I suspect that the underlying problem is different between users and
>> groups.
>>
>> For groups it is likely adding a duplicate member.
>>
>> For users I'm not really sure. It could be one of the POSIX attributes.
>> What does a failed entry look like?
>>
>> rob
>>
>
> The user entry:
> ------------------------
> dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
> description: fw03075
> cn: fw03075
> uidNumber: 11013
> gidNumber: 503
> homeDirectory: /home/fw03075
> loginShell: /bin/sh
> gecos: fw03075
> shadowLastChange: 13059
> shadowMax: 99999
> shadowWarning: 7
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> objectClass: xxxPeopleAttributes
> sn: SN_NON_IMPOSTATO
> givenName: GIVENNAME_NON_IMPOSTATO
> xxxUfficio: UFFICIO_NON_IMPOSTATO
> xxxTipoUtente: tecnico
> uid: fw03075_NO
> userPassword: secret
>
>
> group entry:
> -------------------
> dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=mydc2.it
> gidNumber: 10015
> member: uid=NESSUNO,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=aaa415,ou=People,dc=mydc1,dc=mydc2.it
> member: uid=bbb446,ou=People,dc=mydc1,dc=mydc2.it
> memberUid: NESSUNO
> memberUid: aaa415
> memberUid: bbb446
> xxxAmbiente: prod
> xxxDB2GruppiPrivilegi: instance_owner
> description: Mydescription
> xxxTipoGruppo: db
> objectClass: top
> objectClass: posixGroup
> objectClass: groupOfNames
> objectClass: xxxGroupsAttributes
> objectClass: xxxDB2GroupsAttributes
> cn: pdbac32
>
> Thanks again
> Marco
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Do you by any chance have a *group* with name "fw03075_NO" and *user* with name "pdbac32"?
> Maybe you are hitting a collision on a managed group?
>

Well, yes and no.

No, I don't have a group called "fw03075_NO" and No, I don't have a user
called "pdbac32".

Yes, I have some users uid=samename and groups cn=samename, but they are
not found in the group subtree (ou) from where I launched "ipa migrate-ds".

If this is the problem, where can I have any evidence of the actual problem?

Thanks again
Marco


>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
>
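
Added example (not part of the original thread and not FreeIPA code): a pre-migration check over an LDIF export of the source directory, covering the two points raised above. It lists every container that directly holds users or groups, since the one-level (scope=1) searches reported in the thread mean each needs its own --user-container / --group-container run, and it lists names used by both a user uid and a group cn, the collision asked about in the last reply. The sample LDIF is constructed, the function names are hypothetical, and the parser assumes plain (non-base64) values.

```python
from collections import defaultdict
# Constructed sample data modelled on the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=fw03075_NO,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
uid: fw03075_NO

dn: uid=samename,ou=svc,ou=People,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
uid: samename

dn: cn=pdbac32,ou=pdbac32,ou=prod,ou=db2,ou=databases,ou=Groups,dc=mydc1,dc=
 mydc2.it
objectClass: posixGroup
cn: pdbac32

dn: cn=samename,ou=Groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: samename
"""

def parse_ldif(text):
    """Parse plain LDIF into dicts; unfolds continuation lines, no base64 ('::') decoding."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[attr.strip().lower()].append(value.strip())
        if entry["dn"]:
            entries.append(entry)
    return entries

def audit(entries, user_oc="inetorgperson", group_oc="posixgroup"):
    """Return (parent containers per kind, names shared by a user and a group).
    Assumes no escaped commas in the leading RDN of each DN."""
    containers = {"user": defaultdict(int), "group": defaultdict(int)}
    names = {"user": set(), "group": set()}
    for e in entries:
        ocs = {oc.lower() for oc in e["objectclass"]}
        for kind, oc, attr in (("user", user_oc, "uid"), ("group", group_oc, "cn")):
            if oc in ocs:
                containers[kind][e["dn"][0].split(",", 1)[1].lower()] += 1
                names[kind].update(v.lower() for v in e[attr])
    return containers, sorted(names["user"] & names["group"])

if __name__ == "__main__":
    containers, collisions = audit(parse_ldif(SAMPLE_LDIF))
    print({k: sorted(v) for k, v in containers.items()}, "collisions:", collisions)
```

A name appearing in the collision list only shows that the same name exists on both sides of the export; it does not by itself confirm the cause of "Type or value exists".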