On 15/03/16 17:21, Rob Crittenden wrote:
lejeczek wrote:
On 15/03/16 15:57, Rob Crittenden wrote:
lejeczek wrote:
On 15/03/16 13:42, Rob Crittenden wrote:
lejeczek wrote:
On 14/03/16 17:06, Rob Crittenden wrote:
lejeczek wrote:
with...
ipa: ERROR: group LDAP search did not return any
result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass:
groupofuniquenames,
groupofnames)
I see users went in but later I realized that
current samba's ou was
"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists
in IPA.
thanks Rob, may I ask why process by defaults looks
up only
objectclass:
groupofuniquenames, groupofnames?
It is conservative but this is why it can be overridden.
Is there a reason it skips ldap+samba typical
posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from
ldap+samba.
Lastly, is there a way to preserve account
locked/disabled status for
posix/samba?
I don't know how it is stored but as long as the
schema is available in
IPA then the values should be preserved on migration
unless the
attributes are associated with a blacklisted objectclass.
rob
I don't think it works, I guess it matters how ipa
tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked
users.... I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not
reflected in IPA,
unless "Account disabled" is for something else.
IPA/389-ds uses nsAccountLock to lock accounts.
and in my case it could not work for I had (anybody sane
would too)
hashed pass in ldap userdb, am I right?
What won't work? Migrated user passwords will work just fine.
If one has hundreds of user s/he thinks, o! it'd be great
to keep that
account enabled/disabled status - would there be a way
around it?
IPA isn't designed to be an LDAP backend for Samba so
there isn't a lot of direct integration with the schema.
You could write a plugin to keep the two attributes in sync.
how does one write a plugin? Where should I begin in terms
of docs, howtos?
thanks.
L.
For those already migrated it should be pretty easy to
write an LDAP search to find them and then for each user
call ipa user-disable <user>
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
