On Wed, 23 Mar 2016, Sotiris Tsimbonis wrote:
Hi all,
I'm trying to migrate into freeipa some users and groups from an old
ldap server I've inherited. But migrate-ds fails to import groups inside
usergroups; it believes they are users and imports them wrongly.
I'm trying to migrate with this command:
ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
--base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
--user-container=ou=users \
--group-container=ou=groups \
--group-objectclass=posixgroup \
--schema=RFC2307 \
ldap://devldap01.forthnet.prv:389
(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)
here is part of the ldif from devldap01
---------------------------------------
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520162000Z
memberUid: dimitria
gidNumber: 1730
entryCSN: 20100107135233Z#000000#00#000000
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20100107135233Z

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520161722Z
memberUid: ccha
memberUid: dzer
memberUid: gmouz
memberUid: isek
memberUid: kavaklis
memberUid: nasl
memberUid: pmav
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
entryCSN: 20151203143609Z#000000#00#000000
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20151203143609Z
--------------------------------------------------------------------
migrate-ds completes with no failures.
The usergroup "security-tech" is correctly imported in freeipa; it
contains user "dimitria", who is also imported correctly.
But usergroup "abusewg" contains 9 users and reports an error
"user not found:
cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet".
I would expect it to migrate the "security-tech" as a usergroup, not as
a user.
migrate-ds did everything right, because the memberUid attribute in the
RFC2307 schema is the uid of a user, not a group. The RFC2307 schema does
not allow nested groups.
The memberUid syntax is
( nisSchema.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX 'IA5String' )
i.e. this is IA5String, not a DN.
This doesn't help you much, because your use of the LDAP server was
already violating RFC2307, so I'd suggest fixing these violations and
the group membership manually.
--
/ Alexander Bokovoy
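As an added example (not code from the thread or from FreeIPA), here is a small script that finds the RFC2307 violations Alexander describes: it reads a constructed LDIF modelled on the entries above, flags every memberUid whose value is shaped like a DN instead of a uid, and prints the `ipa group-add-member --groups=` commands an admin would run by hand to recreate the nesting after migrate-ds has imported the users and flat groups. The sample LDIF and the regex are assumptions of this example.

```python
import re
# Constructed sample modelled on the LDIF in the thread: two posixGroup
# entries, the second carrying a DN in memberUid (the RFC2307 violation).
SAMPLE_LDIF = """\
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
memberUid: dimitria

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
"""
# memberUid is an IA5String holding a uid; a value shaped like a DN
# ("attr=value,attr=value,...") is what migrate-ds reports as "user not found".
DN_RE = re.compile(r"^[\w-]+=[^,]+(,\s*[\w-]+=[^,]+)+$")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, no folded/base64 lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def find_nested_groups(entries):
    """Map each posixGroup cn to the cns of the groups it lists in memberUid."""
    nested = {}
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        for uid in e.get("memberUid", []):
            if DN_RE.match(uid):  # RDN value of the DN is the nested group's cn
                nested.setdefault(e["cn"][0], []).append(uid.split(",")[0].split("=", 1)[1])
    return nested

def ipa_commands(nested):
    """Commands to recreate the nesting in FreeIPA after migrate-ds has run."""
    return ["ipa group-add-member %s --groups=%s" % (g, m)
            for g, members in sorted(nested.items()) for m in members]
```

Run the real LDAP export through `parse_ldif` and review the printed commands before applying them; plain uid values such as `dimitria` are left alone, so only the DN-valued entries need manual attention.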