Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Rob Crittenden

Jeff B wrote:

I'm trying to test out migration from an Apple Open Directory Server
to FreeIPA (unstable) The command I'm running is:

ipa config-mod --enable-migration=true

ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=,dc=com'
--group-container='cn=groups,dc=xxx,dc=,dc=com'
ldap://10.10.10.10:389

It prompts me for a password twice, then gives me an invalid credentials error

ipa: INFO: Created connection context.xmlclient
Password:
Enter Password again to verify:
ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'',
usercontainer=u'cn=users,dc=xxx,dc=,dc=com',
groupcontainer=u'cn=groups,dc=xxx,dc=,dc=com')
ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'',
binddn=u'cn=directory manager',
usercontainer=u'cn=users,dc=xxx,dc=,dc=com',
groupcontainer=u'cn=groups,dc=xxx,dc=,dc=com',
userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames',
u'groupOfNames'), schema=u'RFC2307bis', continue=False,
exclude_groups=None, exclude_users=None)
ipa: INFO: Forwarding 'migrate_ds' to server u'https://ipa0..com/ipa/xml'
ipa: DEBUG: NSSConnection init ipa0..com
ipa: DEBUG: connect: host=ipa0..com port=443
ipa: DEBUG: connect: 10.10.10.11:443
...
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa0..com,O=.COM
ipa: DEBUG: handshake complete, peer = 10.10.10.11:443
ipa: DEBUG: Caught fault 2100 from server
https://ipa0.xxx.com/ipa/xml: Insufficient access:  Invalid
credentials
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Insufficient access:  Invalid credentials

I'm able to connect to LDAP using the same password for cn=Directory
Manager, which appears to be the user it's asking the password for.

Is this user error or a bug?  If user error what am I doing wrong?  Thanks.


Hmm, I'm stumped at this point. Can you look in your Apple DS logs to 
see if there is a bind error? You can use --binddn to bind as a 
different user.


I should also note that you don't want to include the basedn in the user 
and group containers; cn=users and cn=groups is enough.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Jeff B
I might have missed this yesterday: is it trying to bind to the Apple
as Directory Manager?  I thought that was for FreeIPA but now I'm not
sure.  I was intending to have it do an anonymous bind to the Apple.

If so I guess that would explain it.



Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Jakub Hrozek


Yes, cn=Directory Manager against Apple DS. Anonymous bind wouldn't 
work, because during migration, you need to read LDAP attributes that 
store user passwords. Those are usually not readable anonymously.


Jakub



Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Jeff B
The Apple Open Directory uses Kerberos so they aren't readable as the
root DN either.  The password fields all have the same token:
KioqKioqKio=

I wasn't expecting to be able to import passwords so I thought I could
run an import as an anonymous bind.

I'll try again with a bind DN and see what happens.



Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Rob Crittenden


Yes, any binddn should work. We intended this as a password migration 
mechanism which is why we bind as the root user by default but it can 
also just migrate your users I suppose. I briefly looked at the code and 
we aren't explicitly requiring userPassword so I'm thinking it may just 
work if you can bind.


Note that KioqKioqKio= is '********'. Someone has a sense of humor at 
Apple :-)


rob
