On Mon, 2012-01-30 at 09:06 -0500, Rob Crittenden wrote:
> Like I said, this error is triggered before ignore is evaluated so if
> an unknown binary attribute is getting decoded it will cause this
> failure. The only solutions we have right now are to either load the
> schema into IPA temporarily for the migration, remove it on the remote
> side or you could modify the query we make to find the remote entries
> to pull only certain attributes. This last one would be tricky to get
> right.
> The code looks like:
>                  (entries, truncated) = ds_ldap.find_entries(
>                      search_filter, ['*'], search_bases[ldap_obj_name],
>                      ds_ldap.SCOPE_ONELEVEL,
>                      time_limit=0, size_limit=-1,
>                      search_refs=True    # migrated DS may contain search references
>                  )
> You'd want to replace ['*'] with ['attr1','attr2','attr3',...]. It
> would be a rather long list and would need to cover both users and
> groups.
TBH I think we should turn the code around and do this by default.
We have no idea how to manage extra attributes anyway so we shouldn't
get them all, only get those we understand. And turn the exclusion list
into an inclusion list, so that if someone wants to import more data
because they added additional schema to FreeIPA they are free to do so.
The current way looks brittle.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
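
The inclusion-list approach discussed in this thread, as an added example that is not part of the original messages or FreeIPA's own code: it builds the attribute list to request in place of ['*'] and reports which attributes of a source entry would be left behind. The function names, the default lists (standard RFC 2307/RFC 4519 attribute names) and the sample entry are assumptions made for illustration.

```python
# Added illustration with hypothetical names; not FreeIPA's migration plugin.

# Assumed default inclusion lists, one per migrated object type.
DEFAULT_ATTRS = {
    "user": ["objectClass", "uid", "cn", "sn", "givenName", "mail",
             "uidNumber", "gidNumber", "homeDirectory", "loginShell",
             "userPassword"],
    "group": ["objectClass", "cn", "description", "gidNumber",
              "member", "memberUid"],
}


def base_name(attr):
    """Lower-case an attribute description and drop options such as ';binary'."""
    return attr.split(";", 1)[0].strip().lower()


def requested_attrs(obj_type, extra=()):
    """Build the attribute list to send in place of ['*'].

    `extra` is what an admin adds after loading additional schema.
    Duplicates are removed case-insensitively; the first spelling wins.
    """
    seen, result = set(), []
    for attr in list(DEFAULT_ATTRS[obj_type]) + list(extra):
        key = base_name(attr)
        if key and key not in seen:
            seen.add(key)
            result.append(attr.strip())
    return result


def unrequested_attrs(entry_attrs, allowed):
    """List attributes present on a source entry that the inclusion list
    does not cover, so an admin can decide whether to add them."""
    allowed_keys = {base_name(a) for a in allowed}
    return sorted(k for k in entry_attrs if base_name(k) not in allowed_keys)


if __name__ == "__main__":
    # Constructed sample entry; vendorPhotoBlob stands in for unknown schema.
    entry = {
        "UID": ["jdoe"], "cn": ["John Doe"], "uidNumber": ["1001"],
        "vendorPhotoBlob;binary": [b"\x00\x01"],
        "userCertificate;binary": [b"\x30\x82"],
    }
    attrs = requested_attrs("user", extra=["usercertificate", "UID"])
    print("request:", attrs)
    print("left behind:", unrequested_attrs(entry, attrs))
```
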
