Hello Rob, Quick feedback on the procedure you provided. It worked for me. There was just a small issue for users belonging to the admin group where ipa user-mod complained about not having enough write permissions on the ipaUniqueID attribute. By removing them temporarily from the admins group, I could modify them. So not a big deal.
I didn't try modifying the migration script. I hope this can help others in future? Many thanks -- Antoine Gatineau Freelance IT Consultant Tel: +32 499 50 80 04 On Sunday, August 7, 2022 11:49:50 PM CEST Rob Crittenden wrote: > Antoine Gatineau via FreeIPA-users wrote: > > Hello all. > > > > I am trying to migrate my users from one ipa to another one. > > I was able to import the users and groups with 'ipa migrate-ds'. However > > the migration process generates new ipaUniqueIds. > > > > IPA is my source of users for keycloak user federation and other > > applications that use ipaUniqueId to identify the user. > > > > When syncing from ipa, they now report a conflict as they should. > > > > So is it possible (and how) to manually set the ipaUniqueId to the value it > > had originally? > > > > I have seen that ipa user-mod --setattr is now locked for this attribute : > > https://bugzilla.redhat.com/show_bug.cgi?id=634194 > > > > Thank you for any pointer to a solution. > > It will take a few steps and I haven't tested this fully. To disable the > check in the above BZ you'd need to set ipaUuidEnforce to FALSE in > cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config using ldapmodify. > > No users currently have write access to ipaUniqueID so I'd create a > permission to grant write on that. Then create a privilege and role to > grant that to whoever you want. I'd give it to the admins group. > > That should allow you to use the setattr option. > > Once you're done setting things I'd remove the permission/privilege/role > and set ipaUuidEnforce back to TRUE. > > An alternative if you're still experimenting with the migration would be > to modify /usr/lib/python*/ipaserver/plugins/migration.py and comment > out the two lines: > > entry_attrs['ipauniqueid'] = 'autogenerate' > > And restart httpd. I think that should retain the current values when > you re-run the migration (you'd have to either remove all the > users/groups or re-do the install). > > rob > > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
