That's terrific, Rob - thanks very much. Users and Groups import smoothly with a little additional tweaking:

ipa -v migrate-ds --with-compat --bind-dn="cn=Manager,dc=ldapdomain,dc=local" --user-container="ou=People,dc=blue-bolt,dc=local" --group-container="ou=Group,dc=ldapdomain,dc=local" --group-objectclass="posixGroup" ldap://

Boom, all users and groups imported ... but without group membership.

The structure of Group in OpenLDAP is:

# power, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
gidNumber: 1112
objectClass: posixGroup
memberUid: usera
memberUid: userb

and IPA's schema appears, with one exception (objectClass: top), to match:

# admins, groups, compat, ipadomain.local
dn: cn=admins,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1944000000
memberUid: admin
cn: admins

A side question: can I use migrate-ds to bring in automount and sudoer maps from OpenLDAP?

thanks again

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 |
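A post-migration check for exactly the gap described above, added here as an example (not code from the thread or from FreeIPA): it parses LDIF exports of the source posixGroup entries and of IPA's compat-tree groups, such as the two entries quoted, and lists every memberUid that did not arrive. The sample LDIF is constructed; feeding it `ldapsearch -LLL` output from both directories is an assumption about your setup.

```python
import base64
import re
from collections import defaultdict

# Constructed sample exports modelled on the two entries quoted in the thread;
# not real data from either directory.
OPENLDAP_LDIF = """\
# systems, Group, ldapdomain.local
dn: cn=systems,ou=Group,dc=ldapdomain,dc=local
cn: systems
gidNumber: 1112
objectClass: posixGroup
memberUid: usera
memberUid: userb
"""

IPA_LDIF = """\
dn: cn=systems,cn=groups,cn=compat,dc=ipadomain,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 1944000001
cn: systems
"""

def parse_groups(ldif):
    """cn -> {'gid', 'members'} per posixGroup record; skips '#' comments, unfolds continuation lines, decodes 'attr::' base64."""
    groups = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):      # records are blank-line separated
        attrs = defaultdict(list)
        for line in record.replace("\n ", "").splitlines():  # unfold folded lines
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):                        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            attrs[key.lower()].append(value.strip())
        if "posixgroup" not in (v.lower() for v in attrs["objectclass"]) or not attrs["cn"]:
            continue
        groups[attrs["cn"][0]] = {"gid": (attrs["gidnumber"] or [None])[0], "members": set(attrs["memberuid"])}
    return groups

def missing_memberships(source, target):
    """Return (missing, absent): (group, uid) pairs in source but not in target, and source groups absent from target."""
    missing, absent = [], []
    for cn, grp in source.items():
        if cn not in target:
            absent.append(cn)
            continue
        missing += [(cn, uid) for uid in sorted(grp["members"] - target[cn]["members"])]
    return sorted(missing), sorted(absent)
```

Run `missing_memberships(parse_groups(src), parse_groups(dst))` on the two exports; the returned pairs are the memberUid values to re-add, and the second list names groups the migration skipped entirely.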

On 04/11/15 13:56, Rob Crittenden wrote:
Cal Sawyer wrote:

Very new to IPA and setting up a proof of concept system that I hope
will replace my existing OpenLDAP 2.3 (no SASL) setup. I'm trying to
import People, Group ou's into IPA using "ipa migrate-ds". The IPA and
existing LDAP directories have different BaseDNs (e.g. ipadomain.local on
IPA, ldapdomain.local on LDAP 2.3) as I want to ideally construct a
completely new directory that we will then switch our clients over to.

ipa migrate-ds --schema=RFC2307 --user-container="dc=ldapdomain,dc=local" ldap://

Whatever I try (with or without --schema=RFC2307), the response is the same:

     ipa: ERROR: Insufficient access:  Invalid credentials

or with a verbose flag:

     ipa: INFO: Forwarding 'migrate_ds' to server
     ipa: ERROR: Insufficient access:  Invalid credentials

Manager naturally exists in ldapdomain.local and I've definitely
supplied the correct password (we use the same creds to manage LDAP
using phpldapadmin).

Hoping that someone has some experience with this and can point me in
the right direction?

It is binding to OpenLDAP using cn=Directory Manager. If your admin user
that can read userPassword is named something different then pass it in
using the --binddn option.


Manage your subscription for the Freeipa-users mailing list: