On Tue, 14 Oct 2014 10:58:36 -0600
Clint Savage <her...@gmail.com> wrote:

> Hi all,
> 
> I've been working on a migration plan using three custom user
> objectClasses and one group objectclass. In my attempt, I've set up an
> openldap server with the proper schemas, imported the ldif and have
> records that look something like this in ldif format.
> 
> -----------------------------------------------------------------------
> 
> dn: dc=example,dc=com
> objectClass: top
> objectClass: domain
> dc: example
> 
> dn: ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: organizationalunit
> ou: Groups
> 
> dn: ou=People,dc=example,dc=com
> objectClass: top
> objectClass: organizationalunit
> ou: People
> 
> dn: uid=amyengh,ou=People,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: organizationalPerson
> objectClass: person
> objectClass: radiusProfile
> objectClass: sambaSamAccount
> objectClass: customPersonAttributes
> cn: Amy Engh
> gidNumber: 1141801056
> homeDirectory: /home/amyengh
> sn: Engh
> uid: amyengh
> uidNumber: 1141801056
> displayName: Amy Engh
> givenName: Amy
> loginShell: /sbin/nologin
> mail: amye...@attask.com
> userPassword:: REDACTED
> dialupAccess: yes
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 1421
> radiusTunnelType: VLAN
> emailPassword:: REDACTED
> sambaAcctFlags: [U          ]
> sambaLMPassword: REDACTED
> sambaNTPassword: REDACTED
> sambaPasswordHistory:
> 000000000000000000000000000000000000000000000000000000 0000000000
> sambaPwdLastSet: 1402698001
> sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146
> 
> dn: cn=amyengh,ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: posixGroup
> cn: amyengh
> gidNumber: 1141801056
> memberUid: amyengh
> 
> --------------------------------------------------------------------
> 
> I then run the migration (with or without compat makes no difference)
> and get the following:
> 
> ipa migrate-ds --with-compat --user-container="ou=People"
> --group-container="ou=Groups" --user-objectclass=posixAccount
> --group-objectclass=posixgroup ldap://192.168.122.210
> --bind-dn="cn=Manager,dc=example,dc=com"
> Password:
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
>   amyengh: Type or value exists:
> Failed group:
>   amyengh: This entry already exists. Check GID of the existing
> group. Use --group-overwrite-gid option to overwrite the GID
> ----------
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
> 
> The objectclasses are listed in the configuration properly:
> 
> # ipa config-show --all
> ..snip..
> Default group objectclasses: top, groupofnames, nestedgroup,
> ipausergroup, ipaobject, sambaGroupMapping
>   Default user objectclasses: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount, krbprincipalaux,
> krbticketpolicyaux, ipaobject, ipasshuser, radiusProfile,
> customPersonAttributes, sambaSamAccount
> ..snip..
> 
> I can verify the objectclasses appear to work when I add a user
> manually, though I have not updated the plugins to allow entries for
> the above objectClasses.
> 
> ---------------------------
> My question exists around the error ' amyengh: Type or value
> exists:'. I can take out the custom objectclasses, and this error
> goes away. I've looked into all of the custom objectclasses and don't
> see anything that would indicate errors. I have some 5k+ records to
> migrate and don't want to have to manipulate the ldif and then create
> modify records just to get the data into IPA.
> 
> Any suggestions to help me identify why this is happening? I'd be
> happy to provide further information as requested.

Have you extended the IPA schema with the custom objectclasses?
Or is your intention to drop them during the import?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
