ok, after looking again at this, i've found that even with the admin users
it's not working how i'd like.
With the admin user what seems to be happening is that the users after
import *must* go to the /ipa/migration/ url and then enter their password.
Although it does now let them login unlike before (so i guess before i
hadnt used the admin ldap user to import from and hence didnt have
permissions as you suggested) However, i'd really like to avoid that
because we've got hundreds of users, mostly external to the company in
different timezones, and coordinating getting people to go to the portal
(and making it available to the internet!) sounds like a nightmare.
These users don't need kerberos credentials (afaik) as i just want them to
be able to bind against the freeipa ldap server. I'm happy for users that
need kerberos to have to go to the migration page.
Is there any way to avoid a user needing to go to the migration page after
importing the user ?
On 27 April 2016 at 19:45, David Kreitschmann <da...@kreitschmann.de> wrote:
> Are you sure that your bind dn has read access userPassword? A default
> OpenLDAP installation usually has a admin user.
> Gosa ACLs are only applied when using the web interface, they are not used
> for direct access via LDAP.
> > Am 27.04.2016 um 03:43 schrieb siology.io <siology...@gmail.com>:
> > I'm having issues migrating from an openldap directory (which has gosa
> schema) to freeipa.
> > To migrate i'm doing (and yes, i know);
> > ipa migrate-ds ldap://old.server.com:389 --bind-dn
> "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup
> --user-objectclass=inetOrgPerson --group-overwrite-gid
> --user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl
> > Which seems to work to import all those users which have posix settings
> set, however i have two problems:
> > - Am i right in thinking there's no way to auto-assign a gid/uid/home
> dir for the non-posix users at migration time ? That's not a deal breaker
> per se, but i'd need to spin up a new copy of the old ldap and then add
> those attributes to every user, then migrate to ipa from that source, which
> is a real pain.
> > - The migration seems to be successful for the users that do have posix
> attributes, and ends with:
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
> > ...but i'm unable to login to that page as any of my migrated users, or
> bind as them with ldapsearch. It seems like the passwords were not migrated
> > Because 90% of my ~350 users are only going to be using freeipa insomuch
> as using services which are making use of the ipa server's ldap i was
> hoping that i wouldn't need to make kerberos tickets for those users, and
> hence avoid needing every user to login to the migration page. At the
> moment however i'm not able to get any migrated users at all to be able to
> bind to ldap or login to that page.
> > Any tips or gotchas i should know ? I've no idea how to begin debugging
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project