Re: [Freeipa-users] missing objects during migration steps

Hi Rob and Simo,

Is there a way to make the schema readable so the error does not show up? Or is that pointless?

What is the migrate-ds looking for specifically? Can I manually create it for now?

Regards
John

On Wed, Jan 23, 2013 at 4:42 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Simo Sorce wrote:
>> On Wed, 2013-01-23 at 10:41 -0500, Rob Crittenden wrote:
>>> Johnathan Phan wrote:
>>>> Hi Rob,
>>>>
>>>> Please find the output from /usr/sbin/slapd -VV that shows the current openldap version that's running on the ldap server.
>>>>
>>>>     @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
>>>>     mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>>>>
>>>> ps. I have opened a ticket for this.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3372
>>>>
>>>> Can I assume you have a way to turn this check off. As in IRC there does not seem to be one. Or are you saying I can allow the scheme value to be checked if I create one or make it readable somehow?
>>>
>>> There is no way to turn this check off, we always try to retrieve cn=schema. I'd have sworn that openldap already did online schema this way.
>>
>> Please open a bug, we should not depend on the remote schema being readable.
>>
>> Simo.
>
> He already opened a ticket.
>
> rob

--
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
j...@ox-consulting.com
www.ox-consulting.com

OX CONSULTING Ltd is registered in England Wales, number: 07113039, registered address as above. The information contained in this email message may be privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please notify the sender immediately.
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] missing objects during migration steps

Hi everyone,

k pass authentication issues now. It's now complaining about objects not there.

    ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:

However when I run the following commands on the new IPA server.

    ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

or

    ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

and I get output

Ldap shows the users and groups in the old system. It just dumps out the whole content of the OU.

I have tried to run the following two commands and I still get the same error

    ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636

or

    ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636

What is IPA complaining about specifically? I know objects are in these ou's

Is it expecting something different?

Regards
John
Re: [Freeipa-users] missing objects during migration steps

Johnathan Phan wrote:
> Hi everyone,
>
> k pass authentication issues now. It's now complaining about objects not there.
>
>     ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:
>
> However when I run the following commands on the new IPA server.
>
>     ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
>
> or
>
>     ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
>
> and I get output
>
> Ldap shows the users and groups in the old system. It just dumps out the whole content of the OU.
>
> I have tried to run the following two commands and I still get the same error
>
>     ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636
>
> or
>
>     ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636
>
> What is IPA complaining about specifically? I know objects are in these ou's
>
> Is it expecting something different?

It is failing trying to query cn=schema. We fetch the schema from the remote server to know what types of data we're dealing with.

What version of openldap is this?

rob
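
Rob's reply above says the migration fails on its query for cn=schema. As an added example (not code from the thread or from FreeIPA), this script reads the root DSE attribute subschemaSubentry to find where a server actually publishes its schema; OpenLDAP advertises cn=Subschema by default, so a search based at cn=schema returns No such object. The sample root DSE and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate the entry where a server publishes its schema.
# RFC 4512: the root DSE attribute subschemaSubentry names that entry.

# Constructed sample of what an OpenLDAP server returns for:
#   ldapsearch -x -LLL -H <uri> -s base -b "" subschemaSubentry
SAMPLE_ROOT_DSE='dn:
subschemaSubentry: cn=Subschema
'

# Join LDIF continuation lines (a line starting with one space continues the previous one).
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# Print the subschemaSubentry value from root DSE LDIF on stdin; non-zero exit if absent.
subschema_dn() {
    unfold_ldif | awk 'tolower($0) ~ /^subschemasubentry:/ {
                           sub(/^[^:]*: */, ""); print; found = 1; exit }
                       END { exit !found }'
}

# Lower-case a DN and drop optional spaces around "," and "=" so two DNs can be compared.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g; s/ *= */=/g'; }

# $1 = DN the server advertises, $2 = DN the client searches; prints match or mismatch.
schema_base_check() {
    if [ "$(norm_dn "$1")" = "$(norm_dn "$2")" ]; then echo match; else echo mismatch; fi
}

if [ "$#" -ge 1 ]; then   # live: sh schema_check.sh ldaps://ldap1.example.com:636
    dn=$(ldapsearch -x -LLL -H "$1" -s base -b "" subschemaSubentry | subschema_dn) || {
        echo "root DSE did not return subschemaSubentry" >&2; exit 1; }
    echo "schema entry: $dn ($(schema_base_check "$dn" cn=schema) with cn=schema)"
    # Base-scope read of that entry, the data a schema-aware client needs.
    ldapsearch -x -LLL -H "$1" -s base -b "$dn" '(objectClass=subschema)' \
        objectClasses attributeTypes | head -n 20
else                      # offline: run against the constructed sample
    dn=$(printf '%s' "$SAMPLE_ROOT_DSE" | subschema_dn)
    echo "sample schema entry: $dn ($(schema_base_check "$dn" cn=schema) with cn=schema)"
fi
```

The live branch binds anonymously; add `-D` and `-W` as in the ldapsearch commands in the thread if the server restricts anonymous reads of the root DSE.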
Re: [Freeipa-users] missing objects during migration steps

Hi Rob,

Please find the output from /usr/sbin/slapd -VV that shows the current openldap version that's running on the ldap server.

    @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
    mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

ps. I have opened a ticket for this.

https://fedorahosted.org/freeipa/ticket/3372

Can I assume you have a way to turn this check off. As in IRC there does not seem to be one. Or are you saying I can allow the scheme value to be checked if I create one or make it readable somehow?

On Wed, Jan 23, 2013 at 2:00 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Johnathan Phan wrote:
>> Hi everyone,
>>
>> k pass authentication issues now. It's now complaining about objects not there.
>>
>>     ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:
>>
>> However when I run the following commands on the new IPA server.
>>
>>     ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
>>
>> or
>>
>>     ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
>>
>> and I get output
>>
>> Ldap shows the users and groups in the old system. It just dumps out the whole content of the OU.
>>
>> I have tried to run the following two commands and I still get the same error
>>
>>     ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636
>>
>> or
>>
>>     ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636
>>
>> What is IPA complaining about specifically? I know objects are in these ou's
>>
>> Is it expecting something different?
>
> It is failing trying to query cn=schema. We fetch the schema from the remote server to know what types of data we're dealing with.
>
> What version of openldap is this?
>
> rob

--
Johnathan Phan
Re: [Freeipa-users] missing objects during migration steps

Johnathan Phan wrote:
> Hi Rob,
>
> Please find the output from /usr/sbin/slapd -VV that shows the current openldap version that's running on the ldap server.
>
>     @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
>     mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>
> ps. I have opened a ticket for this.
>
> https://fedorahosted.org/freeipa/ticket/3372
>
> Can I assume you have a way to turn this check off. As in IRC there does not seem to be one. Or are you saying I can allow the scheme value to be checked if I create one or make it readable somehow?

There is no way to turn this check off, we always try to retrieve cn=schema. I'd have sworn that openldap already did online schema this way.

rob
Re: [Freeipa-users] missing objects during migration steps

On Wed, 2013-01-23 at 10:41 -0500, Rob Crittenden wrote:
> Johnathan Phan wrote:
>> Hi Rob,
>>
>> Please find the output from /usr/sbin/slapd -VV that shows the current openldap version that's running on the ldap server.
>>
>>     @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
>>     mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>>
>> ps. I have opened a ticket for this.
>>
>> https://fedorahosted.org/freeipa/ticket/3372
>>
>> Can I assume you have a way to turn this check off. As in IRC there does not seem to be one. Or are you saying I can allow the scheme value to be checked if I create one or make it readable somehow?
>
> There is no way to turn this check off, we always try to retrieve cn=schema. I'd have sworn that openldap already did online schema this way.

Please open a bug, we should not depend on the remote schema being readable.

Simo.

--
Simo Sorce * Red Hat, Inc * New York