On Wed, 02 Feb 2022, lejeczek via FreeIPA-users wrote:


On 02/02/2022 14:21, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
On 02/02/2022 08:45, Florence Blanc-Renaud wrote:
Hi,

On Wed, Feb 2, 2022 at 7:31 AM lejeczek via FreeIPA-users
<[email protected]> wrote:

    Hi guys.

    I migrate:
    -> $ ipa migrate-ds --bind-dn="cn=Directory Manager"
    --user-container=cn=users,cn=accounts
    --group-container=cn=groups,cn=accounts
    --group-objectclass=posixgroup --with-compat ldap://10.0.0.16

    and I end up, according to 'group-find', having a lot more -
    one for each user - extra groups which do not exist (or don't
    show up?) on the source IPA domain.


Are those extra groups the user private group? You can check on the
source IPA server if they show up with
# ipa group-find --private

Yes, there are; they did exist on the 'source' but would not show up with
just 'group-find', whereas on the migrated_to IPA they do show up with just
'group-find' (the same migrated_to, when a user is created manually, would
not show that private group).

Cannot do anything with the 'source' as it's been dissolved.

User-private groups (UPG) become regular groups in IPA-to-IPA migration.
UPGs are not displayed by default in group-find.

rob

But that is what I was saying - apologies if I was vague - they do show up with just 'group-find' on the migrated_to IPA (and I did not change whatever the 'defaults' are on a clean, new deployment).
Migration was from 4.9.6 to 4.9.8.

Correct. 'ipa migrate-ds' was developed with legacy LDAP deployments in
view. It is not (yet) smart enough to recognize IPA-specific
configuration on the source LDAP server and reproduce the same on the
target IPA server. Thus, you are losing UPGs you had on the source and
they become just normal groups on the target server.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
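
An added example, not part of the thread and not FreeIPA code: a small audit that flags groups on the migration target which look like user-private groups that were migrated as regular groups. It assumes an LDIF export of the target's users and groups, that private groups still managed by the server carry the `mepManagedEntry` object class, and a heuristic of my own (group name equals a user's uid, same gidNumber, no members); the sample entries and the `example.test` suffix are constructed.

```python
# Constructed sample export: alice was migrated, bob was created on the target.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: alice
gidNumber: 5001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: bob
gidNumber: 5002

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
cn: alice
gidNumber: 5001

dn: cn=bob,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: mepManagedEntry
cn: bob
gidNumber: 5002
"""

def parse_ldif(text):
    """Parse simple, unfolded LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def former_upgs(entries):
    """Names of groups that look like UPGs now stored as regular groups."""
    classes = lambda e: {c.lower() for c in e.get("objectclass", [])}
    users = {e["uid"][0]: e["gidnumber"][0] for e in entries if "posixaccount" in classes(e)}
    hits = []
    for e in entries:
        oc = classes(e)
        if "posixgroup" not in oc or "mepmanagedentry" in oc:
            continue  # not a group, or still a server-managed private group
        name = e["cn"][0]
        # Assumed heuristic: same name and gidNumber as a user, and no members.
        if users.get(name) == e["gidnumber"][0] and not e.get("member"):
            hits.append(name)
    return sorted(hits)
```

The flagged names are candidates for review only; a regular group that happens to share a user's name and GID would match as well.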