Jeff B wrote:
I'm trying to test out migration from an Apple Open Directory Server
to FreeIPA (unstable). The command I'm running is:

ipa config-mod --enable-migration=true

ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=xxxx,dc=com' \
    --group-container='cn=groups,dc=xxx,dc=xxxx,dc=com' \
    ldap://10.10.10.10:389

It prompts me for a password twice, then gives me an invalid credentials error:

ipa: INFO: Created connection context.xmlclient
Password:
Enter Password again to verify:
ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'********',
usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com',
groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com')
ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'********',
binddn=u'cn=directory manager',
usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com',
groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com',
userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames',
u'groupOfNames'), schema=u'RFC2307bis', continue=False,
exclude_groups=None, exclude_users=None)
ipa: INFO: Forwarding 'migrate_ds' to server u'https://ipa0.xxxx.com/ipa/xml'
ipa: DEBUG: NSSConnection init ipa0.xxxx.com
ipa: DEBUG: connect: host=ipa0.xxxx.com port=443
ipa: DEBUG: connect: 10.10.10.11:443
...
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa0.xxxx.com,O=XXXX.COM"
ipa: DEBUG: handshake complete, peer = 10.10.10.11:443
ipa: DEBUG: Caught fault 2100 from server
https://ipa0.xxx.com/ipa/xml: Insufficient access:  Invalid
credentials
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Insufficient access:  Invalid credentials

I'm able to connect to LDAP using the same password for cn="Directory
Manager", which appears to be the user it's asking the password for.

Is this user error or a bug? If user error, what am I doing wrong? Thanks.

Hmm, I'm stumped at this point. Can you look in your Apple DS logs to see if there is a bind error? You can use --binddn to bind as a different user.

I should also note that you don't want to include basedn for the user and group containers; cn=users and cn=groups is enough.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users