Jeff B wrote:
Apple Open Directory is as follows:

cn=users,dc=host,dc=domain,dc=tld
cn=groups,dc=host,dc=domain,dc=tld

User records have the following object classes:
- person
- top
- organizationalPerson
- extensibleObject
- apple-user
- shadowAccount
- posixAccount
- inetOrgPerson

Group records have the following object classes:
- top
- extensibleObject
- apple-group
- posixGroup

The data is mostly what you would expect for posixAccount and the
other common object classes. When I try to import data to IPA I get
this error for every user and group like this:

-----------
migrate-ds:
-----------
Migrated:
Failed user:
   <username>: unknown object class "apple-user"
   <username>: unknown object class "apple-user"
   <username>: unknown object class "apple-user"
   ... And the rest
Failed group:
   <groupname>: unknown object class "apple-group"
   <groupname>: unknown object class "apple-group"
   <groupname>: unknown object class "apple-group"
   ... And the rest
----------

Here are some of the migrate options I've tried:

  ipa -d migrate-ds
--bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
ldap://10.0.0.1:389 --user-objectclass="posixAccount"
--group-objectclass="posixGroups" --user-container="cn=users"
--group-container="cn=groups"

  ipa -d migrate-ds
--bind-dn="uid=user,cn=users,dc=host,dc=domain,dc=tld"
ldap://10.0.0.1:389 --user-objectclass="apple-user"
--group-objectclass="apple-group" --user-container="cn=users"
--group-container="cn=groups"

I've tried combinations of the two. I've tried changing the --schema
with no change in outcome. The only time the outcome is different is
when I don't include the --group-objectclass or the --user-objectclass.
It fails before it even tries to import the data in the directory. I
get this error:

ipa: DEBUG: Caught fault 4001 from server
https://ipa0.myrealm.com/ipa/xml: Container for group not found
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Container for group not found

If I add only the --group-objectclass it tries to migrate and gives me
the list of errors for every user and group having an unknown object
class as described at the top.

Would one expect that I should be able to migrate this data, or would
it fail because it differs from the two supported schemas? I was
hoping that since it was based off of posixAccount and posixGroup it
was close enough to work.

Hmm, interesting problem, I don't think we really thought about this. In the broadest sense apple-user could be just about any unknown objectclass.

If we *just* aim at migrating over POSIX information we can simply target the attributes we want and migrate those and ignore the rest. This might not be so nice for some users.

Or we can try to run through the schema for every entry and delete objectclasses and attributes we know nothing about.

Or we could do both, with the default setting perhaps to migrate the minimum with an --aggressive option perhaps?

Or we could have a --objectclass option to list all the objectclasses to migrate.

Or even better, perhaps we should have a --test mode where you can test the migration before actually having to move users over. Basically try to migrate one user and if successful delete it from IPA when done and, if unsuccessful report whatever errors were raised.

rob
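The strategies rob lists above (migrate only the POSIX subset, or strip every objectclass and attribute the target does not know, plus a test mode that only reports problems) are sketched below as an added example. This is illustrative code written for this thread, not FreeIPA's migrate-ds; the target schema is a constructed subset of the standard POSIX and inetOrgPerson classes, the sample records are constructed in the shape of the Apple Open Directory entries Jeff describes, and the attribute-to-objectclass table is deliberately incomplete.

```python
"""Sanitise directory entries before migration.

Added example for the freeipa-devel thread; not FreeIPA code.
Two cleaning modes are shown:
  - "minimal":    keep only the POSIX objectclass and attributes we target
  - "aggressive": keep every objectclass/attribute the target schema knows
plus check_entry(), a report-only pass in the spirit of a --test mode.
"""

# Constructed target schema: objectclasses the importer accepts.
KNOWN_OBJECTCLASSES = {
    "top", "person", "organizationalPerson", "inetOrgPerson",
    "posixAccount", "shadowAccount", "posixGroup",
}

# Constructed, incomplete table of attributes allowed per objectclass.
OBJECTCLASS_ATTRIBUTES = {
    "top": {"objectClass"},
    "person": {"cn", "sn", "userPassword"},
    "organizationalPerson": set(),
    "inetOrgPerson": {"givenName", "mail", "uid"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber",
                     "homeDirectory", "loginShell", "gecos"},
    "shadowAccount": {"uid", "shadowLastChange", "shadowMax"},
    "posixGroup": {"cn", "gidNumber", "memberUid"},
}

# "Minimal" profile: what migrating just the POSIX information would keep.
MINIMAL_USER_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory",
                      "loginShell", "cn", "gecos"}
MINIMAL_GROUP_ATTRS = {"cn", "gidNumber", "memberUid"}


def check_entry(entry):
    """Report-only pass: the errors a strict importer would raise, unchanged entry."""
    unknown = sorted(set(entry.get("objectClass", [])) - KNOWN_OBJECTCLASSES)
    return [f'unknown object class "{oc}"' for oc in unknown]


def sanitize_entry(entry, mode="aggressive"):
    """Return (cleaned_entry, dropped) where dropped lists what was removed."""
    ocs = set(entry.get("objectClass", []))
    if mode == "minimal":
        # Target only the POSIX objectclass present in the record.
        if "posixGroup" in ocs:
            keep_ocs, keep_attrs = {"top", "posixGroup"}, MINIMAL_GROUP_ATTRS
        elif "posixAccount" in ocs:
            keep_ocs, keep_attrs = {"top", "posixAccount"}, MINIMAL_USER_ATTRS
        else:
            raise ValueError("entry carries neither posixAccount nor posixGroup")
    elif mode == "aggressive":
        # Keep whatever the target schema knows, drop the rest.
        keep_ocs = ocs & KNOWN_OBJECTCLASSES
        keep_attrs = set().union(*(OBJECTCLASS_ATTRIBUTES[oc] for oc in keep_ocs))
    else:
        raise ValueError(f"unknown mode {mode!r}")

    dropped = {
        "objectClass": sorted(ocs - keep_ocs),
        "attributes": sorted(a for a in entry
                             if a != "objectClass" and a not in keep_attrs),
    }
    cleaned = {"objectClass": sorted(keep_ocs)}
    for attr, values in entry.items():
        if attr != "objectClass" and attr in keep_attrs:
            cleaned[attr] = list(values)
    return cleaned, dropped


# Constructed sample records shaped like Apple Open Directory entries.
SAMPLE_USER = {
    "objectClass": ["person", "top", "organizationalPerson", "extensibleObject",
                    "apple-user", "shadowAccount", "posixAccount", "inetOrgPerson"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"], "givenName": ["Jane"],
    "uidNumber": ["1001"], "gidNumber": ["20"], "homeDirectory": ["/Users/jdoe"],
    "loginShell": ["/bin/bash"], "mail": ["jdoe@example.test"],
    "apple-generateduid": ["00000000-0000-0000-0000-000000000001"],
    "authAuthority": [";ApplePasswordServer;"],
}
SAMPLE_GROUP = {
    "objectClass": ["top", "extensibleObject", "apple-group", "posixGroup"],
    "cn": ["staff"], "gidNumber": ["20"], "memberUid": ["jdoe"],
    "apple-group-realname": ["Staff"],
}

if __name__ == "__main__":
    for name, entry in (("jdoe", SAMPLE_USER), ("staff", SAMPLE_GROUP)):
        for problem in check_entry(entry):
            print(f"   {name}: {problem}")
        for mode in ("minimal", "aggressive"):
            cleaned, dropped = sanitize_entry(entry, mode)
            print(f"{name} [{mode}] keeps {sorted(cleaned)} drops {dropped}")
```

check_entry() reproduces the kind of report migrate-ds printed for Jeff (one line per unknown objectclass) without touching the source, which is what a --test mode would show before anything is written to IPA. Note that the "minimal" mode here only keeps top plus the POSIX class; a real target schema may require a structural class such as person as well, and that requirement is left out of this constructed subset.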

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
