On 2017-03-11 21:14, Alexander Bokovoy wrote:
On la, 11 maalis 2017, Robert Söderlund wrote:
Hi all!

Does 'ipa migrate-ds' support migrating users from cn=sysaccounts,cn=etc,<PREFIX>?

I tried with the arguments '--user-container=cn=sysaccounts,cn=users,cn=accounts' and '--user-objectclass=simplesecurityobject,organizationalperson' without success. I think if would be a nice feature to be able to migrate objects that isn't located in the default path.
sysaccounts aren't users. migrate-ds only supports migration of a
limited subset objects that IPA framework knows about: users and groups.
It doesn't support many other objects IPA framework knows about.
Sysaccounts aren't even something IPA framework knows by itself.

I can always fix this with ldapsearch/ldapadd but it would be nice if this was doable with ipa migrate-ds.
I agree that it would be good to extend migrate-ds scope but it is
currently not on the radar for many reasons. I'd rather see it extended
in a programmatic way to handle all IPA framework objects and allow to
specify a mapping table for them similar to how we specify
--user-container and --user-objectclass (and other options). Then when
sysaccounts would be managed by the IPA framework, they would become
automatically available for migration.

However, I personally have no available time for that in next half a
year (at least).

Thank you for the feedback, when I read your answes I realize that I misunderstood the purpose of migrate-ds. My thought was that migrate-ds should work as a ldapsearch+ldapadd (with filters and the ability to remove some attrs) but without the need to dump the data to a file.

Keep up the good job, freeipa is awesome :)


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to