Hi Alexander, thank you for this - i think this should even work for missing some mandatory (gid) attributes...
regards, --- Ernedin ZAJKO eza...@root.ba > 340282366920938463463374607431768211456 On Thu, Sep 1, 2016 at 9:26 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Thu, 01 Sep 2016, William Muriithi wrote: >> >> Afternoon, >> >> I have an openLDAP system that lack a required attribute. This result >> in the migration script rejecting all the user import. >> >> I have googled externsively, read ever line of ipa migration --help >> doc and it doesn't seem I will be able to use this migration script. >> I wonder if there is anybody here who have been able to overcome this >> problem in the past. >> >> [root@hydrogen ~]# ipa -v migrate-ds --with-compat >> --bind-dn="cn=admin,dc=eng.example,dc=com" >> --user-ignore-attribute="sn" >> --user-container="ou=People,dc=eng.example,dc=com" >> --group-container="ou=Group,dc=eng.example,dc=com" >> --group-objectclass="posixGroup" --user-objectclass="account" >> ldap://192.168.20.18:389 >> ipa: INFO: trying https://hydrogen.eng.example.com/ipa/session/json >> Password: >> ipa: INFO: Forwarding 'migrate_ds' to json server >> 'https://hydrogen.eng.example.com/ipa/session/json' >> ----------- >> migrate-ds: >> ----------- >> Migrated: >> Failed user: >> aagrim: missing attribute "sn" required by object class >> "organizationalPerson" >> acctemp: missing attribute "sn" required by object class >> "organizationalPerson" >> ........... > > This looks like a common problem. I had recently made a small 'hack' to > solve this problem. > > Following small fixup plugin could be used to affect how entries are > generated. If you add it to /usr/lib/python2.7/site-packages/ipalib/plugins > on IPA master and restart httpd service, the plugin would modify migrate-ds > command so > that 'sn' attribute would be set to a 'Migrated User Last Name' for all > entries that miss 'sn' attribute before they actually get added into IPA > LDAP. > > This is an experimental hack, of course, but it should work. Once > migration is finished, don't forget to remove the file and restart httpd > service again. > > -- > / Alexander Bokovoy > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project