Re: [Freeipa-users] groups migration problem

2012-03-21 Thread Petr Spacek

On 03/20/2012 07:22 PM, Rob Crittenden wrote:

Maciej Sawicki wrote:

Hi,
I haven't managed to migrate LDAP groups (in the FreeIPA panel I see that
users are migrated)
#ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=polidea,dc=pl
--group-container='ou=groups,dc=polidea,dc=pl'
#ipa: ERROR: Container for group not found

My old ldap setup:
https://skitch.com/viroos/8miq5/ldap-ou-groups-dc-polidea-dc-pl-lem-apache-directory-studio.



The basedn is automatically appended. Try --group-container=ou=groups

regards

rob


It would be nice to include something like "The basedn was automatically
appended." in this kind of error message.


Another option is to print the whole DN as part of the error message.

Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] (no subject)

2012-03-21 Thread Rob Crittenden

Jimmy wrote:

Since I needed to make sure I could recover from this if it ever
happened again, I went back to an old copy of the VM and I'm going through
everything I did on the original. To begin with, it does have the same
issue, the cert won't renew. So I attempted to db2ldif and ldif2db all
of the db's ***WITHOUT*** upgrading FreeIPA, and that didn't work.
Different error than before when running , but I don't have it in
front of me now, so I can't report it. One thing I did notice is that
the exported ldif did not have the extra entries that prevented the
ldif from importing right away last time.

So I rolled back to the original database again, ran the freeipa
upgrade from yum, and then exported the db's and now these entries
show in the db that weren't there before:

http://fpaste.org/jims/

Any idea why the upgrade did this? The ldif2db fails with this error
as long as those 2 entries are in the ldif:

[21/Mar/2012:00:59:14 +] entryrdn-index - _entryrdn_insert_key:
Same DN (dn: ou=profile,dc=abc,dc=xyz) is already in the entryrdn file
with different ID 146.  Expected ID is 311.
[21/Mar/2012:00:59:14 +] - import userRoot: Duplicated DN
detected: ou=profile,dc=abc,dc=xyz: Entry ID: (311)

Sorry for bringing this back up, but it seems odd that the upgrade
duplicates this entry.



Perhaps the database is already corrupted?

The entries are added by the upgrade process only if they can't already 
be found in the database. It does an ldapsearch against the dn and adds 
if it isn't already there. The fact that 389-ds allows the add indicates 
that it doesn't think the entry is there.


rob


Jimmy

On Tue, Mar 20, 2012 at 5:22 PM, Jimmy <g17ji...@gmail.com> wrote:

Cool thanks for the awesome help, y'all.

On Tue, Mar 20, 2012 at 5:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Jimmy wrote:


I restarted certmonger and it seems to be working. Is there some way
to change the renewal interval so we can simulate this in the lab? I'd
like to see it go through a number of renewals to make sure we don't
keep having this problem.



Glad you are up and running again. You can control the interval by tuning
knobs in certmonger.conf(5). You want to modify ttls.

rob


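
Added example (not part of the original thread and not FreeIPA or 389-ds code): a Python check that lists DNs appearing more than once in an exported LDIF, the condition the ldif2db "Duplicated DN detected" error quoted above reports. The function names and the sample LDIF are constructed for illustration, and the DN normalization is a simplification (lowercasing, trimming spaces around separators), not the server's own.

```python
import base64
import re
from collections import defaultdict

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    return re.sub(r"\r?\n ", "", text)

def normalize_dn(dn):
    """Simplified normalization: lowercase, trim spaces around ',' and '='.
    Assumption: escaped separators inside values are not handled."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def entry_dns(text):
    """Yield (entry_number, dn) for each entry in an LDIF export."""
    number = 0
    for line in unfold(text).splitlines():
        head = line[:4].lower()
        if head == "dn::":                      # base64-encoded DN
            number += 1
            yield number, base64.b64decode(line[4:].strip()).decode("utf-8")
        elif head.startswith("dn:"):
            number += 1
            yield number, line[3:].strip()

def duplicate_dns(text):
    """Return {normalized_dn: [entry numbers]} for DNs seen more than once."""
    seen = defaultdict(list)
    for number, dn in entry_dns(text):
        seen[normalize_dn(dn)].append(number)
    return {dn: nums for dn, nums in seen.items() if len(nums) > 1}

# Constructed sample export, not data from the thread's fpaste link.
SAMPLE_LDIF = """\
dn: dc=abc,dc=xyz
objectClass: domain

dn: ou=profile,dc=abc,dc=xyz
objectClass: organizationalUnit

dn: OU=profile, DC=abc,
 DC=xyz
objectClass: organizationalUnit
"""

if __name__ == "__main__":
    for dn, entries in duplicate_dns(SAMPLE_LDIF).items():
        print(f"duplicate DN {dn}: entries {entries}")
```

Running it over the db2ldif output before ldif2db shows which entries collide, so they can be compared and reconciled by hand.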