Marco Pizzoli wrote:

On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden <
<>> wrote:

    Dmitri Pal wrote:

        On 03/17/2012 07:36 AM, Marco Pizzoli wrote:

            Hi guys,
            I'm trying to migrate my ldap user base to freeipa. I'm
            using the last
            Release Candidate.

            I already changed "ipa config-mod --enable-migration=TRUE"
            This is what I have:

            ipa -v migrate-ds
            --bind-dn="cn=manager,dc=__mydc1, <>
            <>" --user-objectclass=__inetOrgPerson
            <> <>"
            --base-dn="dc=mydc1,dc=mydc2.__it <>
            <>" --with-compat ldap://ldap01

            ipa: INFO: trying
            ipa: INFO: Forwarding 'migrate_ds' to server
            ipa: ERROR: Container for group not found at
            ou=groups,dc=mydc1, <>

            I looked at my ldap server logs and I found out that the search
            executed has scope=1. Actually both for users and groups.
            This is a
            problem for me, in having a lot of subtrees (ou) in which my
            users and
            groups are. Is there a way to manage this?

            Thanks in advance

            P.s. As a side note, I suppose there's a typo in the verbose
            message I
            obtain in my output:
            ipa: INFO: Forwarding 'migrate_ds' to server

        Please open tickets for both issues.

    Well, I don't think either is a bug.

    If you have users/groups in multiple places you'll need to migrate
    them individually for now. It is safe to run migrate-ds multiple
    times, existing users are not migrated.

I just re-executed by specifing a nested ou for my groups.
This is what I got:

ipa: INFO: trying
ipa: INFO: Forwarding 'migrate_ds' to server
Failed user:
   fw03075_no: Type or value exists:
   [other users listed]
Failed group:
   pdbac32: Type or value exists:
   [other groups listed]
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

I don't understand what it's trying to telling me.
On my FreeIPA ldap server I don't see any imported user.

What's my fault here?

    The u is a python-ism for unicode. This is not a bug.

Please, could you give a little more detail on this? It's only a hint on
what that data represents in a Python variable?

Thanks again

Type or value exists occurs when one tries to add an attribute value to an entry that already exists.

I suspect that the underlying problem is different between users and groups.

For groups it is likely adding a duplicate member.

For users I'm not really sure. It could be one of the POSIX attributes. What does a failed entry look like?


Freeipa-users mailing list

Reply via email to