On Tue, 14 Oct 2014 10:58:36 -0600 Clint Savage <her...@gmail.com> wrote:
> Hi all,
>
> I've been working on a migration plan using three custom user
> objectClasses and one group objectclass. In my attempt, I've set up an
> openldap server with the proper schemas, imported the ldif and have
> records that look something like this in ldif format.
>
> -----------------------------------------------------------------------
>
> dn: dc=example,dc=com
> objectClass: top
> objectClass: domain
> dc: example
>
> dn: ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: organizationalunit
> ou: Groups
>
> dn: ou=People,dc=example,dc=com
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> dn: uid=amyengh,ou=People,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> objectClass: radiusProfile
> objectClass: sambaSamAccount
> objectClass: customPersonAttributes
> cn: Amy Engh
> gidNumber: 1141801056
> homeDirectory: /home/amyengh
> sn: Engh
> uid: amyengh
> uidNumber: 1141801056
> displayName: Amy Engh
> givenName: Amy
> loginShell: /sbin/nologin
> mail: amye...@attask.com
> userPassword:: REDACTED
> dialupAccess: yes
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 1421
> radiusTunnelType: VLAN
> emailPassword:: REDACTED
> sambaAcctFlags: [U ]
> sambaLMPassword: REDACTED
> sambaNTPassword: REDACTED
> sambaPasswordHistory:
> 000000000000000000000000000000000000000000000000000000 0000000000
> sambaPwdLastSet: 1402698001
> sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146
>
> dn: cn=amyengh,ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: posixGroup
> cn: amyengh
> gidNumber: 1141801056
> memberUid: amyengh
>
> --------------------------------------------------------------------
>
> I then run the migration (with or without compat makes no difference)
> and get the following:
>
> ipa migrate-ds --with-compat --user-container="ou=People"
> --group-container="ou=Groups" --user-objectclass=posixAccount
> --group-objectclass=posixgroup ldap://192.168.122.210
> --bind-dn="cn=Manager,dc=example,dc=com"
> Password:
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
> amyengh: Type or value exists:
> Failed group:
> amyengh: This entry already exists. Check GID of the existing
> group. Use --group-overwrite-gid option to overwrite the GID
> ----------
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
>
> The objectclasses are listed in the configuration properly:
>
> # ipa config-show --all
> ..snip..
> Default group objectclasses: top, groupofnames, nestedgroup,
> ipausergroup, ipaobject, sambaGroupMapping
> Default user objectclasses: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount, krbprincipalaux,
> krbticketpolicyaux, ipaobject, ipasshuser, radiusProfile,
> customPersonAttributes, sambaSamAccount
> ..snip..
>
> I can verify the objectclasses appear to work when I add a user
> manually, though I have not updated the plugins to allow entries for
> the above objectClasses.
>
> ---------------------------
> My question exists around the error ' amyengh: Type or value
> exists:'. I can take out the custom objectclasses, and this error
> goes away. I've looked into all of the custom objectclasses and don't
> see anything that would indicate errors. I have some 5k+ records to
> migrate and don't want to have to manipulate the ldif and then create
> modify records just to get the data into IPA.
>
> Any suggestions to help me identify why this is happening? I'd be
> happy to provide further information as requested.

Have you extended the IPA schema with the custom objectclasses?
Or is your intention to drop them during the import?

Simo.

--
Simo Sorce * Red Hat, Inc * New York