Apple Open Directory is as follows: cn=users,dc=host,dc=domain,dc=tld cn=groups,dc=host,dc=domain,dc=tld
User records have the following object classes: - person - top - organizationalPerson - extensibleObject - apple-user - shadowAccount - posixAccount - inetOrgPerson Group records have the following object classes: - top - extensibleObject - apple-group - posixGroup The data is mostly what you would expect for posixAccount and the other common object classes. When I try to import data to IPA I get this error for every user and group like this: ----------- migrate-ds: ----------- Migrated: Failed user: <username>: unknown object class "apple-user" <username>: unknown object class "apple-user" <username>: unknown object class "apple-user" ... And the rest Failed group: <groupname>: unknown object class "apple-group" <groupname>: unknown object class "apple-group" <groupname>: unknown object class "apple-group" ... And the rest ---------- Here are some of the migrate options I've tried: ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="posixAccount" --group-objectclass="posixGroups" --user-container="cn=users" --group-container="cn=groups" ipa -d migrate-ds --bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld" ldap://10.0.0.1:389 --user-objectclass="apple-user" --group-objectclass="apple-group" --user-container="cn=users" --group-container="cn=groups" I've tried combinations of the two. I've tried changing the --schema with no change in outcome. The only time the outcome is different is when I don't include the --group-objectclass or the --user-objectclass It fails before it even tries to import the data in the directory. I get this error: ipa: DEBUG: Caught fault 4001 from server https://ipa0.myrealm.com/ipa/xml: Container for group not found ipa: INFO: Destroyed connection context.xmlclient ipa: ERROR: Container for group not found If I add only the --group-objectclass it tries to migrate and gives me the list of errors for every user and group having an unknown object class as described at the top. Would one expect that I should be able to migrate this data, or would one it fail because it differs from the two supported schemas? I was hoping since it was based off of posixAccount and posixGroup that it was close enough to work. _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel