Are you sure that your bind DN has read access to userPassword? A default OpenLDAP 
installation usually has an admin user.
Gosa ACLs are only applied when using the web interface, they are not used for 
direct access via LDAP.

> On 27.04.2016 at 03:43, <> wrote:
> I'm having issues migrating from an openldap directory (which has gosa 
> schema) to freeipa.
> To migrate I'm doing (and yes, I know):
> ipa migrate-ds ldap:// --bind-dn 
> "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup 
> --user-objectclass=inetOrgPerson --group-overwrite-gid 
> --user-ignore-objectclass=gosaAccount 
> --user-ignore-objectclass=gosaMailAccount 
> --user-ignore-attribute=gosaMailDeliveryMode 
> --user-ignore-attribute=gosaMailServer 
> --user-ignore-attribute=gosaSpamSortLevel 
> --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount 
> --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey 
> --user-ignore-attribute=sambaLMPassword 
> --user-ignore-attribute=sambaBadPasswordTime 
> --user-ignore-attribute=gosaaclentry 
> --user-ignore-attribute=sambaBadPasswordCount 
> --user-ignore-attribute=sambaNTPassword 
> --user-ignore-attribute=sambaPwdLastSet
> Which seems to work to import all those users which have posix settings set, 
> however I have two problems:
> - Am I right in thinking there's no way to auto-assign a gid/uid/home dir for 
> the non-posix users at migration time? That's not a deal breaker per se, but 
> I'd need to spin up a new copy of the old ldap and then add those attributes 
> to every user, then migrate to ipa from that source, which is a real pain.
> - The migration seems to be successful for the users that do have posix 
> attributes, and ends with:
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
> ...but I'm unable to log in to that page as any of my migrated users, or bind 
> as them with ldapsearch. It seems like the passwords were not migrated?
> Because 90% of my ~350 users are only going to be using freeipa insomuch as 
> using services which are making use of the ipa server's ldap, I was hoping 
> that I wouldn't need to make kerberos tickets for those users, and hence 
> avoid needing every user to log in to the migration page. At the moment, 
> however, I'm not able to get any migrated users at all to be able to bind to 
> ldap or log in to that page.
> Any tips or gotchas I should know? I've no idea how to begin debugging this.
> --
> Manage your subscription for the Freeipa-users mailing list:
> Go to for more info on the project
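The check the reply points at, as an added example that is not part of the thread: run ldapsearch as the migration bind DN and look at what it actually returns before running migrate-ds. The script below parses a constructed LDIF export (made-up DNs and hash values, not real data) and lists users whose userPassword was not returned, which is what an ACL that hides the attribute from the bind DN looks like, and users lacking the POSIX attributes (uidNumber, gidNumber, homeDirectory) that the poster's non-posix accounts are missing.

```python
import base64

POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory")

# Constructed LDIF as ldapsearch -LLL would print it when run as the migration
# bind DN: alice is complete, bob has no POSIX attributes, and carol's
# userPassword was not returned because the bind DN is not allowed to read it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
userPassword:: e1NTSEF9ZXhhbXBsZS1oYXNo

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: {SSHA}not-a-real-hash

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/carol
"""

def parse_ldif(text):
    """Parse LDIF into {attribute: [values]} dicts; unfolds continuation lines
    and decodes base64 ('::') values, which is how ldapsearch prints userPassword."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in filter(None, block.splitlines()):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # attr:: <base64>
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def audit(ldif_text):
    """Return (DNs with no readable userPassword, DNs missing POSIX attributes)."""
    users = [e for e in parse_ldif(ldif_text)
             if "inetOrgPerson" in e.get("objectClass", [])]  # drops trailers
    no_password = [e["dn"][0] for e in users if "userPassword" not in e]
    non_posix = [e["dn"][0] for e in users if any(a not in e for a in POSIX_ATTRS)]
    return no_password, non_posix
```

Feed it the output of `ldapsearch -LLL -D "<bind dn>" -W -b "ou=people,dc=domain,dc=com" "(objectClass=inetOrgPerson)" objectClass uidNumber gidNumber homeDirectory userPassword`; any user listed in the first result will be migrated without a password hash no matter what migrate-ds is told.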
