Hi Rob,

Thanks for your prompt response. I will remove the attributes from the
objectclass list; I think they only wound up there because I was confused
about what was happening. The rest were added because that is listed as the
solution for the same (givenName, etc.) attribute not allowed errors below,
though it appears this does not extend to OpenLDAP as the directory source. Is
there something I can do to import the users successfully?

https://access.redhat.com/solutions/3245371

Regards,

Alfred

On Thu, Jul 23, 2020 at 12:11 PM Rob Crittenden <[email protected]> wrote:

> Alfred Victor via FreeIPA-users wrote:
> > Hi all,
> >
> > We're performing some migrate-ds and noticed some missing users. We took
> > a closer look and the errors are:
> >
> >   <redacted user>: attribute "givenName" not allowed
> >   <redacted user>: attribute "givenName" not allowed
> >   <redacted user>: attribute "departmentNumber" not allowed
> >   <redacted user>: attribute "departmentNumber" not allowed
> >   <redacted user>: attribute "departmentNumber" not allowed
>
> It means those attributes aren't provided by the available objectclasses.
>
> You are ignoring a bunch of objectclasses required by IPA, notably
> person, organizationalPerson and inetOrgPerson. The things following
> that in the user-ignore-objectclass are attributes.
>
> rob
>
> >
> >
> > This is odd, because this OU is being grabbed with some filters which
> > should specifically ignore these attributes. The old environment is
> > OpenLDAP and the migrate-ds command is as follows:
> >
> > ipa migrate-ds --schema=RFC2307 --base-dn="dc=<redacted>,dc=com"
> > --bind-dn="cn=<redacted>,ou=<redacted>,dc=<redacted>,dc=com"
> > --ca-cert-file=/etc/ssl/certs/ca.crt ldaps://<redacted>
> > --user-container=ou=<redacted>
> > --user-objectclass=posixaccount --group-container=ou=group
> > --group-objectclass=posixgroup
> > --user-ignore-attribute="sn,ldappublickey,sshpublickey,givenName,departmentNumber"
> > --user-ignore-objectclass={person,organizationalPerson,inetOrgPerson,departmentNumber,givenName,ldappublickey,sshpublickey}
> >
> >
> > Regards,
> > Alfred
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to
> [email protected]
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> >
>
>