Dmitri Pal wrote:
On 03/19/2012 08:56 AM, Marco Pizzoli wrote:



On Mon, Mar 19, 2012 at 1:43 PM, Simo Sorce <s...@redhat.com> wrote:

    On Sun, 2012-03-18 at 18:33 +0100, Marco Pizzoli wrote:
    >
    >
    > On Sun, Mar 18, 2012 at 5:49 PM, Dmitri Pal <d...@redhat.com> wrote:
    > On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
    > > Hi guys,
    > > I'm trying to migrate my ldap user base to freeipa. I'm
    > > using the last Release Candidate.
    > >
    > > I already changed "ipa config-mod --enable-migration=TRUE"
    > > This is what I have:
    > >
    > > ipa -v migrate-ds
    > > --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
    > > --user-container="ou=people,dc=mydc1,dc=mydc2.it"
    > > --user-objectclass=inetOrgPerson
    > > --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
    > > --group-objectclass=posixGroup
    > > --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
    > > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
    > > Password:
    > > ipa: INFO: Forwarding 'migrate_ds' to server
    > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
    > > ipa: ERROR: Container for group not found at
    > > ou=groups,dc=mydc1,dc=mydc2.it
    > >
    > > I looked at my ldap server logs and I found out that the
    > > search executed has scope=1. Actually both for users and
    > > groups. This is a problem for me, in having a lot of
    > > subtrees (ou) in which my users and groups are. Is there a
    > > way to manage this?
    > >
    > > Thanks in advance
    > > Marco
    > >
    > > P.s. As a side note, I suppose there's a typo in the verbose
    > > message I obtain in my output:
    > > ipa: INFO: Forwarding 'migrate_ds' to server
    > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
    >
    >
    > Please open tickets for both issues.
    >
    >
    > Done:
    > https://fedorahosted.org/freeipa/ticket/2547
    > https://fedorahosted.org/freeipa/ticket/2546
    >
    > Do you have a hint on how to manage to do this import in the
    > meantime?
    > Every manual step is ok for me.

    Maybe you can try performing a new migration for each of the subtrees
    you have in your source tree, assuming it is a reasonable number, by
    reconfiguring the migrate-ds bases between each run.


Yes, I was thinking the same... :-)
To be able to script "ipa migrate-ds", I would need a parameter for
setting the password on the CLI. I suppose it isn't there by design,
right?


Will it handle the case when the group has members from different levels
and some of the users are not picked by the search? In this case I
suspect the user group membership might be lost. I am not sure that this
is the case. Just something to pay attention to.

It doesn't look like we verify the membership so I think it will work just fine. It is not invalid in LDAP to have a group with a member that doesn't exist, so this shouldn't cause any errors.

You can do something like echo password | ipa migrate-ds ldap://myserver.example.com:389 --user-container=...

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
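
The per-subtree runs and the password-on-stdin approach suggested in this thread, combined into one script, as an added example that is not part of the original messages or of FreeIPA itself. The function names, the `IPA_BIN` variable and the `user_dn|group_dn` argument format are assumptions made for illustration; the `migrate-ds` options are the ones used in the command quoted above. The password is read from a file that only its owner can access, so it never appears in argv or shell history.

```shell
#!/bin/sh
# Added example: one "ipa migrate-ds" run per source subtree, password on stdin.
# IPA_BIN, the function names and the "user_dn|group_dn" format are hypothetical.

IPA_BIN="${IPA_BIN:-ipa}"

# Accept the password file only if it exists, is readable, and grants
# no permission bits to group or others (e.g. mode 0600 or 0400).
check_pw_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# usage: migrate_subtrees PW_FILE LDAP_URI BIND_DN BASE_DN "user_dn|group_dn" ...
# Returns 2 if the password file is unsafe, otherwise the number of failed runs.
migrate_subtrees() {
    pw_file=$1 uri=$2 bind_dn=$3 base_dn=$4
    shift 4
    check_pw_file "$pw_file" || { echo "unsafe or missing $pw_file" >&2; return 2; }
    failed=0
    for pair in "$@"; do
        users=${pair%%|*}     # text before the first "|"
        groups=${pair#*|}     # text after the first "|"
        # Container values are passed through unchanged; stdin carries the password.
        if ! "$IPA_BIN" migrate-ds \
                --bind-dn="$bind_dn" --base-dn="$base_dn" \
                --user-container="$users" --group-container="$groups" \
                --user-objectclass=inetOrgPerson \
                --group-objectclass=posixGroup \
                --with-compat "$uri" < "$pw_file"; then
            echo "migrate-ds failed for $users" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Because a group in one subtree may list members that live in another, check group membership on the IPA side after all runs have finished.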
