[Freeipa-users] OpenLDAP migration issues

Rob Crittenden rcritten at redhat.com
Wed Nov 6 16:01:43 UTC 2013


Ryan M. Casey wrote:
> I’m attempting to migrate our OpenLDAP+Kerberos authentication scheme to
> FreeIPA. Running the following migration command:
>
> ipa migrate-ds --bind-dn="cn=admin,dc=foo,dc=com"
> --base-dn="dc=foo,dc=com" --user-container="ou=users"
> --group-container="ou=group" --user-objectclass="posixAccount"
> --group-objectclass="posixGroup" ldap://ldap.foo.com
>
> results in this error in /var/log/httpd/error_log:
>
> ValueError: unable to convert the attribute "krbPrincipalKey" value
>
> I’ve tried to exclude the attribute using
> --user-attribute-ignore=krbPrincipalKey, but am still receiving the same
> error message. Our server is running Fedora 19 with the latest version
> of FreeIPA available. Anyone have any ideas on how I can resolve this?

I think that IPA is having an issue with the data in your LDAP server, 
at least for one record. I think in this case the syntax of the entry 
doesn't match what we expect it to be.

The ignore is applied after reading in the remote entry, so if we can't 
understand it then it never gets far enough to ignore it. This is being 
looked at in development versions.

So I think the first step would be to find the offending entry.

rob
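
One way to carry out the "find the offending entry" step, as an added example that is not part of the original message and not FreeIPA code: scan an LDIF export of the user container and list the entries that carry krbPrincipalKey. The function names and the sample LDIF are constructed, and counting non-UTF-8 values is only an assumption about why the conversion fails.

```python
import base64
import sys

ATTR = "krbprincipalkey"  # attribute named in the error_log message

# Constructed sample; real input would be an LDIF export of ou=users,dc=foo,dc=com
SAMPLE = """\
dn: uid=alice,ou=users,dc=foo,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=users,dc=foo,dc=com
objectClass: posixAccount
krbPrincipalKey:: MIIB
 //4=

dn: uid=carol,ou=users,dc=foo,dc=com
objectClass: posixAccount
krbPrincipalKey: constructed-text-value
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode_value(line):
    """Return (attribute, bytes) for 'attr: value' or 'attr:: base64'."""
    attr, _, rest = line.partition(":")
    attr = attr.split(";")[0].lower()  # drop options such as ';binary'
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("utf-8")

def find_suspects(ldif_text):
    """Map each DN carrying ATTR to how many of its values are not UTF-8 text."""
    suspects, dn = {}, None
    for line in unfold(ldif_text):
        if not line:
            dn = None  # a blank line ends the current entry
        elif not line.startswith("#"):
            attr, value = decode_value(line)
            if attr == "dn":
                dn = value.decode("utf-8", "replace")
            elif attr == ATTR and dn is not None:
                suspects.setdefault(dn, 0)
                try:
                    value.decode("utf-8")
                except UnicodeDecodeError:
                    suspects[dn] += 1
    return suspects

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dn, bad in find_suspects(text).items():
        print(f"{dn}\tnon-text values: {bad}")
```
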



