[Freeipa-users] openLDAP to FreeIPA user migration

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 1 19:26:57 UTC 2016


On Thu, 01 Sep 2016, William Muriithi wrote:
>Afternoon,
>
>I have an openLDAP system that lacks a required attribute.  This results
>in the migration script rejecting all the user imports.
>
>I have googled extensively, read every line of the ipa migration --help
>doc and it doesn't seem I will be able to use this migration script.
>I wonder if there is anybody here who has been able to overcome this
>problem in the past.
>
>[root at hydrogen ~]# ipa -v migrate-ds --with-compat
>--bind-dn="cn=admin,dc=eng.example,dc=com"
>--user-ignore-attribute="sn"
>--user-container="ou=People,dc=eng.example,dc=com"
>--group-container="ou=Group,dc=eng.example,dc=com"
>--group-objectclass="posixGroup"   --user-objectclass="account"
>ldap://192.168.20.18:389
>ipa: INFO: trying https://hydrogen.eng.example.com/ipa/session/json
>Password:
>ipa: INFO: Forwarding 'migrate_ds' to json server
>'https://hydrogen.eng.example.com/ipa/session/json'
>-----------
>migrate-ds:
>-----------
>Migrated:
>Failed user:
>  aagrim: missing attribute "sn" required by object class "organizationalPerson"
>  acctemp: missing attribute "sn" required by object class
>"organizationalPerson"
> ...........
This looks like a common problem. I had recently made a small 'hack' to
solve this problem.

The following small fixup plugin could be used to affect how entries are
generated. If you add it to /usr/lib/python2.7/site-packages/ipalib/plugins
on the IPA master and restart the httpd service, the plugin would modify the
migrate-ds command so that the 'sn' attribute would be set to
'Migrated User Last Name' for all entries that are missing the 'sn'
attribute before they actually get added into IPA LDAP.

This is an experimental hack, of course, but it should work. Once
migration is finished, don't forget to remove the file and restart the
httpd service again.

-- 
/ Alexander Bokovoy
-------------- next part --------------
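# Fixup plugin for 'ipa migrate-ds': supplies a placeholder 'sn' for user
# entries that lack one. Lives in ipalib/plugins (hence the relative import)
# and is meant to be removed once the migration is finished.
from .migration import migrate_ds

# Holds the stock user pre_callback; assigned below, before any migration runs.
_fixup_pre_callback_user = None

def _pre_callback_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
    # Run the stock callback first, then fill in 'sn' only where it is absent.
    dn = _fixup_pre_callback_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs)
    if entry_attrs.get('sn', None) is None:
        entry_attrs['sn'] = [u'Migrated User Last Name']
    return dn

# Save the stock callback and install the wrapper in its place.
_fixup_pre_callback_user = migrate_ds.migrate_objects['user']['pre_callback']
migrate_ds.migrate_objects['user']['pre_callback'] = _pre_callback_user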
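
A companion check for the situation in this thread, as an added example that is not part of the original post or of FreeIPA: stand-alone Python 3 that parses an LDIF export and lists the entries lacking 'sn' before migration, or still carrying the plugin's placeholder afterwards. The LDIF sample is constructed, and parse_ldif, entries_missing and entries_with_placeholder are hypothetical names.

```python
import base64

PLACEHOLDER = "Migrated User Last Name"  # value the fixup plugin above assigns
# Constructed sample export in LDIF form; not data from the original thread.
SAMPLE_LDIF = """\
# constructed sample
dn: uid=aagrim,ou=People,dc=eng.example,dc=com
objectClass: account
uid: aagrim

dn: uid=jdoe,ou=People,dc=eng.example,dc=com
objectClass: inetOrgPerson
uid: jdoe
sn:: RG9l

dn: uid=acctemp,ou=People,dc=eng.example,
 dc=com
objectClass: account
uid: acctemp
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:  # RFC 2849 folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
        elif not line.startswith("#"):      # skip LDIF comments
            name, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):        # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value)

def entries_missing(ldif_text, attr="sn"):
    """DNs of entries that have no non-empty value for attr."""
    return [dn for dn, a in parse_ldif(ldif_text) if not any(a.get(attr.lower(), []))]

def entries_with_placeholder(ldif_text, attr="sn", value=PLACEHOLDER):
    """DNs whose attr still holds the placeholder, for cleanup after migration."""
    return [dn for dn, a in parse_ldif(ldif_text) if value in a.get(attr.lower(), [])]
```

Run entries_missing on an export of the source directory before migrating, and entries_with_placeholder on an export of the migrated users once the plugin has been removed.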

