Alfred Victor wrote:
> Hi Rob,
> 
> Thanks for your prompt response. I will remove the attributes from the
> objectclass list, I think they only wound up there because I was
> confused about what was happening. The rest were added because that is
> listed as the solution for the same (givenName, etc) attribute not
> allowed errors below, though it appears this does not extend to OpenLDAP as
> the directory source. Is there something I can do to import the users
> successfully?
> 
> https://access.redhat.com/solutions/3245371

That article states that dropping the --user-ignore-objectclass line
resolved the issue.

rob

> 
> Regards,
> 
> Alfred
> 
> On Thu, Jul 23, 2020 at 12:11 PM Rob Crittenden <[email protected]> wrote:
> 
>     Alfred Victor via FreeIPA-users wrote:
>     > Hi all,
>     >
>     > We're performing some migrate-ds and noticed some missing users. We took
>     > a closer look and the errors are:
>     >
>     >   <redacted user>: attribute "givenName" not allowed
>     >   <redacted user>: attribute "givenName" not allowed
>     >   <redacted user>: attribute "departmentNumber" not allowed
>     >   <redacted user>: attribute "departmentNumber" not allowed
>     >   <redacted user>: attribute "departmentNumber" not allowed
> 
>     It means those attributes aren't provided by the available
>     objectclasses.
> 
>     You are ignoring a bunch of objectclasses required by IPA, notably
>     person, organizationalPerson and inetOrgPerson. The things following
>     that in the user-ignore-objectclass are attributes.
> 
>     rob
> 
>     >
>     >
>     > This is odd, because this OU is being grabbed with some filters which
>     > should specifically ignore these attributes. The old environment is
>     > OpenLDAP and the migrate-ds command is as follows:
>     >
>     > ipa migrate-ds --schema=RFC2307 --base-dn="dc=<redacted>,dc=com"
>     > --bind-dn="cn=<redacted>,ou=<redacted>,dc=<redacted>,dc=com"
>     > --ca-cert-file=/etc/ssl/certs/ca.crt ldaps://<redacted>
>     > --user-container=ou=<redacted>
>     > --user-objectclass=posixaccount --group-container=ou=group
>     > --group-objectclass=posixgroup
>     > --user-ignore-attribute="sn,ldappublickey,sshpublickey,givenName,departmentNumber"
>     > --user-ignore-objectclass={person,organizationalPerson,inetOrgPerson,departmentNumber,givenName,ldappublickey,sshpublickey}
>     >
>     >
>     > Regards,
>     > Alfred
>     >
>     > _______________________________________________
>     > FreeIPA-users mailing list -- [email protected]
>     <mailto:[email protected]>
>     > To unsubscribe send an email to
>     [email protected]
>     <mailto:[email protected]>
>     > Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     > List Guidelines:
>     https://fedoraproject.org/wiki/Mailing_list_guidelines
>     > List Archives:
>     
> https://lists.fedorahosted.org/archives/list/[email protected]
>     >
> 
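
The schema rule behind the "not allowed" errors discussed in this thread, as an added example that is not part of the original messages and is not how `ipa migrate-ds` is implemented: an attribute is rejected when no objectclass left on the entry permits it. The schema subset, the sample entry and the function name `rejected_attributes` are constructed for illustration; the ignore list is the one quoted in the thread.

```python
# Constructed subset of standard LDAP schema (RFC 4519, RFC 2798, RFC 2307):
# objectclass -> attributes it permits (MUST and MAY merged, lowercased).
SCHEMA = {
    "top": {"objectclass"},
    "person": {"sn", "cn", "userpassword", "telephonenumber", "seealso",
               "description"},
    "organizationalperson": {"title", "ou", "street", "postalcode", "l", "st",
                             "telephonenumber"},
    "inetorgperson": {"givenname", "departmentnumber", "mail", "uid",
                      "displayname", "initials"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "userpassword", "description"},
}

# Constructed sample entry, shaped like a posixAccount user in OpenLDAP.
ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount"],
    "uid": "jdoe", "cn": "John Doe", "sn": "Doe", "givenName": "John",
    "departmentNumber": "42", "uidNumber": "1000", "gidNumber": "1000",
    "homeDirectory": "/home/jdoe",
}

# Value passed to --user-ignore-objectclass in the thread.
IGNORED = ["person", "organizationalPerson", "inetOrgPerson",
           "departmentNumber", "givenName", "ldappublickey", "sshpublickey"]


def rejected_attributes(entry, ignore_objectclasses=()):
    """Map each attribute that no remaining objectclass permits to the
    objectclasses (from SCHEMA) that would have permitted it."""
    dropped = {name.lower() for name in ignore_objectclasses}
    remaining = [oc.lower() for oc in entry["objectclass"]
                 if oc.lower() not in dropped]
    allowed = set().union(*(SCHEMA.get(oc, set()) for oc in remaining))
    result = {}
    for attr in entry:
        key = attr.lower()
        if key == "objectclass" or key in allowed:
            continue
        result[attr] = sorted(oc for oc, attrs in SCHEMA.items() if key in attrs)
    return result


if __name__ == "__main__":
    for attr, providers in rejected_attributes(ENTRY, IGNORED).items():
        print(f'attribute "{attr}" not allowed; provided by: {", ".join(providers)}')
```
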