Clint Savage wrote:
> $ rpm -q ipa-server
> ipa-server-3.3.3-28.el7.centos.1.x86_64
>
> I was thinking that this might be an issue with the rhel7 version. I'm
> going to be trying the same migration tonight on rhel6. I know the IPA
> version is older, and samba stuff might not work as it does in 3.3. I
> haven't looked in RHEL 6.6 yet to see what version of IPA is available.

I tested using a fairly recent IPA master build (4.1+). I'm not
convinced it is related to any specific version, but different features
are available so I thought I'd try to duplicate on a more similar
footing (apples to apples comparison).

The trick is to try to narrow down what attribute the LDAP server thinks
already exists. We don't get a very nice error out of LDAP, like *what*
attribute already exists, for example :-(

It may be possible to set the 389-ds debug level such that you get
some decent output, but trying to find the right balance of output can
be challenging. See their FAQ troubleshooting section.

rob

>
> Clint
>
> On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Ludwig Krispenz wrote:
> >
> > On 10/14/2014 06:58 PM, Clint Savage wrote:
> >> Hi all,
> >>
> >> I've been working on a migration plan using three custom user
> >> objectClasses and one group objectclass. In my attempt, I've setup an
> >> openldap server with the proper schemas, imported the ldif and have
> >> records that look something like this in ldif format.
> >>
> >> -----------------------------------------------------------------------
> >>
> >> dn: dc=example,dc=com
> >> objectClass: top
> >> objectClass: domain
> >> dc: example
> >>
> >> dn: ou=Groups,dc=example,dc=com
> >> objectClass: top
> >> objectClass: organizationalunit
> >> ou: Groups
> >>
> >> dn: ou=People,dc=example,dc=com
> >> objectClass: top
> >> objectClass: organizationalunit
> >> ou: People
> >>
> >> dn: uid=amyengh,ou=People,dc=example,dc=com
> >> objectClass: inetOrgPerson
> >> objectClass: posixAccount
> >> objectClass: top
> >> objectClass: organizationalPerson
> >> objectClass: person
> >> objectClass: radiusProfile
> >> objectClass: sambaSamAccount
> >> objectClass: customPersonAttributes
> >> cn: Amy Engh
> >> gidNumber: 1141801056
> >> homeDirectory: /home/amyengh
> >> sn: Engh
> >> uid: amyengh
> >> uidNumber: 1141801056
> >> displayName: Amy Engh
> >> givenName: Amy
> >> loginShell: /sbin/nologin
> >> mail: amye...@attask.com
> >> userPassword:: REDACTED
> >> dialupAccess: yes
> >> radiusTunnelMediumType: IEEE-802
> >> radiusTunnelPrivateGroupId: 1421
> >> radiusTunnelType: VLAN
> >> emailPassword:: REDACTED
> >> sambaAcctFlags: [U ]
> >> sambaLMPassword: REDACTED
> >> sambaNTPassword: REDACTED
> >> sambaPasswordHistory:
> >> 000000000000000000000000000000000000000000000000000000
> >> 0000000000
> >> sambaPwdLastSet: 1402698001
> >> sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146
> >>
> >> dn: cn=amyengh,ou=Groups,dc=example,dc=com
> >> objectClass: top
> >> objectClass: posixGroup
> >> cn: amyengh
> >> gidNumber: 1141801056
> >> memberUid: amyengh
> >>
> >> --------------------------------------------------------------------
> >>
> >> I then run the migration (with or without compat makes no difference)
> >> and get the following:
> >>
> >> ipa migrate-ds --with-compat --user-container="ou=People"
> >> --group-container="ou=Groups" --user-objectclass=posixAccount
> >> --group-objectclass=posixgroup ldap://192.168.122.210
> >> --bind-dn="cn=Manager,dc=example,dc=com"
> >> Password:
> >> -----------
> >> migrate-ds:
> >> -----------
> >> Migrated:
> >> Failed user:
> >> amyengh: Type or value exists:
> >> Failed group:
> >> amyengh: This entry already exists.
> > "type or value exists" and "This entry already exists" are just
> > explanations of the ldap return code, do you see anything in the 389 ds
> > error logs ?
>
> I doubt that he would see any errors.
>
> The entry already existing is because this isn't his first migration, it
> is unrelated.
>
> I'm not able to reproduce this. What version of IPA is it?
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
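
One way to narrow down candidate attributes offline, as an added example that is not part of the original thread or of FreeIPA: it parses an LDIF entry (folded lines and base64 `::` values included) and reports attributes that carry the same value twice, one condition under which an LDAP server answers "Type or value exists". The sample entry, the function names and the `extra` parameter are constructed for illustration, and every attribute is assumed to compare case-insensitively, so case-exact attributes may be over-reported.

```python
import base64

# Constructed sample (not from the thread): objectClass repeats in another case.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: inetorgperson
description:: SmFuZSBE
 b2U=
mail: jdoe@example.com
"""


def parse_entry(ldif_text):
    """Parse one LDIF entry into (dn, {lowercased attribute: [values]})."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line (RFC 2849)
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def find_collisions(attrs, extra=None):
    """Return {attribute: [values present more than once, ignoring case]}."""
    # `extra` is a hypothetical map of values a later step would add.
    merged = {k: list(v) for k, v in attrs.items()}
    for name, values in (extra or {}).items():
        merged.setdefault(name.lower(), []).extend(values)
    report = {}
    for name, values in merged.items():
        folded = [v.casefold() for v in values]
        dups = sorted({v for v in folded if folded.count(v) > 1})
        if dups:
            report[name] = dups
    return report
```
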