On Wed, 23 Mar 2016, Sotiris Tsimbonis wrote:
Hi all,

I'm trying to migrate into freeipa some users and groups from an old
ldap server I've inherited. But migrate-ds fails to import groups inside
usergroups: it believes they are users and imports them wrongly.

trying to migrate with command:
ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
--base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
--user-container=ou=users \
--group-container=ou=groups \
--group-objectclass=posixgroup \
--schema=RFC2307

(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)

here is part of the ldif from devldap01
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520162000Z
memberUid: dimitria
gidNumber: 1730
entryCSN: 20100107135233Z#000000#00#000000
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20100107135233Z

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520161722Z
memberUid: ccha
memberUid: dzer
memberUid: gmouz
memberUid: isek
memberUid: kavaklis
memberUid: nasl
memberUid: pmav
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
entryCSN: 20151203143609Z#000000#00#000000
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20151203143609Z

migrate-ds completes with no failures.

The usergroup "security-tech" is correctly imported in freeipa, it
contains user "dimitria" who is also imported correctly.

But usergroup "abusewg" contains 9 users and reports an error
"user not found:"

I would expect it to migrate the "security-tech" as a usergroup, not as
a user.

migrate-ds did everything right, because the memberUid attribute in the RFC2307
schema is the uid of a user, not a group. The RFC2307 schema does not allow
nested groups.

memberUid syntax is ( nisSchema.1.12 NAME 'memberUid'
         EQUALITY caseExactIA5Match
         SUBSTRINGS caseExactIA5SubstringsMatch
         SYNTAX 'IA5String' )

i.e. this is IA5String, not a DN.

This doesn't help you much, because your LDAP server's data was already
violating RFC2307, so I'd suggest fixing these violations and the group
membership manually.

/ Alexander Bokovoy
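A pre-migration audit for exactly this situation, added here as an example and not code from the thread or from FreeIPA: it parses a constructed LDIF modelled on the quoted entries, flags memberUid values that are DNs rather than uids (which migrate-ds would try to look up as users), and goes one step further by flattening such nested groups into the plain uid list RFC2307 expects. The minimal LDIF parser, the DN heuristic and the verbatim DN matching are assumptions of the example.

```python
# Constructed sample LDIF modelled on the thread's entries: "abusewg" nests "security-tech"
# by putting that group's DN into memberUid, which RFC2307 (memberUid = IA5String uid) forbids.
SAMPLE_LDIF = """\
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
objectClass: posixGroup
memberUid: dimitria

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
objectClass: posixGroup
memberUid: ccha
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; assumes no base64 values or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:
            current = None                      # blank line ends the entry
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def is_dn(value):
    # Heuristic: a memberUid shaped like "attr=value,..." is a DN, not a uid (assumption).
    return "=" in value and value.partition("=")[0].strip().replace("-", "").isalnum()

def nested_group_violations(entries):
    """{group dn: [memberUid values that are DNs]} for every posixGroup entry."""
    out = {}
    for dn, attrs in entries.items():
        if "posixgroup" in [v.lower() for v in attrs.get("objectclass", [])]:
            bad = [m for m in attrs.get("memberuid", []) if is_dn(m)]
            if bad:
                out[dn] = bad
    return out

def flatten_members(entries, dn, seen=None):
    """Expand nested-group DNs into the plain uids RFC2307 expects (cycle-safe; DNs matched verbatim)."""
    seen = set() if seen is None else seen
    if dn in seen:                              # already expanded: break membership cycles
        return set()
    seen.add(dn)
    return set().union(*(flatten_members(entries, m, seen) if is_dn(m) else {m}
                         for m in entries.get(dn, {}).get("memberuid", [])))
```

Run the two functions over the real export before invoking migrate-ds; each flagged group needs its memberUid values replaced with the flattened uids (or the nested group recreated as a FreeIPA nested group after import).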
