Re: [Freeipa-users] Problem migrating from openldap using groups in a group

2016-03-23 Thread Alexander Bokovoy

On Wed, 23 Mar 2016, Sotiris Tsimbonis wrote:

Hi all,

I'm trying to migrate into freeipa some users and groups from an old
ldap server I've inherited. But migrate-ds fails to import groups inside
usergroups; it believes they are users and imports them wrongly.

trying to migrate with command:
ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
 --base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
 --user-container=ou=users \
 --group-container=ou=groups \
 --group-objectclass=posixgroup \
 --schema=RFC2307 \
 ldap://devldap01.forthnet.prv:389

(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)

here is part of the ldif from devldap01
---
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520162000Z
memberUid: dimitria
gidNumber: 1730
entryCSN: 20100107135233Z#00#00#00
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20100107135233Z

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520161722Z
memberUid: ccha
memberUid: dzer
memberUid: gmouz
memberUid: isek
memberUid: kavaklis
memberUid: nasl
memberUid: pmav
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
entryCSN: 20151203143609Z#00#00#00
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20151203143609Z


migrate-ds completes with no failures.

The usergroup "security-tech" is correctly imported in freeipa; it
contains user "dimitria" who is also imported correctly.

But usergroup "abusewg" contains 9 users and reports an error
"user not found:
cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet".

I would expect it to migrate the "security-tech" as a usergroup, not as
a user.

migrate-ds did everything right because the memberUid attribute in the RFC2307
schema is the uid of a user, not a group. The RFC2307 schema does not allow
nested groups.

memberUid syntax is

( nisSchema.1.12 NAME 'memberUid'
  EQUALITY caseExactIA5Match
  SUBSTRINGS caseExactIA5SubstringsMatch
  SYNTAX 'IA5String' )

i.e. this is IA5String, not a DN.

This doesn't help you much because your LDAP server usage was already
violating RFC2307, so I'd suggest fixing these violations and group
membership manually.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
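The point Alexander makes above is that a DN inside memberUid is a schema violation on the source side, so it has to be found and corrected before (or right after) migrate-ds runs. The script below is an added example written for this thread, not code from the poster or from the FreeIPA project: it parses an LDIF export with a small stdlib-only parser, reports every posixGroup whose memberUid holds a DN instead of a uid, flattens the nested membership transitively (cycle-safe, with unresolvable DNs reported separately), emits an LDIF modify that makes the entry RFC2307-conformant before migration, and prints the ipa group-add-member commands that would recreate the nesting in FreeIPA after migration. The embedded LDIF is an excerpt of the one from the post; the function names and the choice to flatten rather than drop members are the editor's assumptions.

```python
"""Pre-migration check for RFC2307 posixGroup entries (added example, not
from the thread): flag memberUid values that hold a DN, flatten the nested
membership, and emit the fix in both LDIF and ipa-command form."""
import base64
import re

# Excerpt of the LDIF posted in the thread (only the attributes used here).
SAMPLE_LDIF = """\
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
memberUid: dimitria
gidNumber: 1730

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
memberUid: ccha
memberUid: dzer
memberUid: gmouz
memberUid: isek
memberUid: kavaklis
memberUid: nasl
memberUid: pmav
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")
# A uid is a bare IA5String; "attr=value,attr=value,..." is a DN, not a uid.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lowercase: [values]}}.
    Unfolds continuation lines, skips comments, decodes '::' base64 values."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # LDIF line folding
            else:
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            m = ATTR_RE.match(line)
            if not m:
                continue
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def norm_dn(dn):
    """Case-insensitive DN comparison key (sufficient for these entries)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def looks_like_dn(value):
    return DN_RE.match(value) is not None


def find_violations(entries):
    """{group_dn: [DN-valued memberUid, ...]} for every posixGroup entry."""
    out = {}
    for dn, attrs in entries.items():
        if "posixgroup" not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue
        bad = [v for v in attrs.get("memberuid", []) if looks_like_dn(v)]
        if bad:
            out[dn] = bad
    return out


def flatten_members(entries, group_dn):
    """Resolve DN-valued memberUids transitively (cycle-safe).
    Returns (sorted uids, sorted DNs that match no entry in the LDIF)."""
    index = {norm_dn(d): d for d in entries}
    uids, unresolved, seen, stack = set(), set(), set(), [group_dn]
    while stack:
        raw = stack.pop()
        key = norm_dn(raw)
        if key in seen:
            continue
        seen.add(key)
        real = index.get(key)
        if real is None:
            unresolved.add(raw)
            continue
        for v in entries[real].get("memberuid", []):
            if looks_like_dn(v):
                stack.append(v)
            else:
                uids.add(v)
    return sorted(uids), sorted(unresolved)


def fix_ldif(entries, group_dn):
    """LDIF modify that removes the DN values and adds the flattened uids,
    so the entry conforms to RFC2307 before migrate-ds reads it."""
    members = entries[group_dn].get("memberuid", [])
    bad = [v for v in members if looks_like_dn(v)]
    existing = {v for v in members if not looks_like_dn(v)}
    new = [u for u in flatten_members(entries, group_dn)[0] if u not in existing]
    lines = [f"dn: {group_dn}", "changetype: modify"]
    if bad:
        lines += ["delete: memberUid"] + [f"memberUid: {v}" for v in bad] + ["-"]
    if new:
        lines += ["add: memberUid"] + [f"memberUid: {u}" for u in new] + ["-"]
    return "\n".join(lines) + "\n"


def ipa_nesting_commands(entries):
    """ipa commands that recreate the nesting after migration, since FreeIPA
    (unlike RFC2307) supports groups as members of groups."""
    index = {norm_dn(d): d for d in entries}
    cmds = []
    for group_dn, dns in sorted(find_violations(entries).items()):
        parent = entries[group_dn]["cn"][0]
        for v in dns:
            target = index.get(norm_dn(v))
            if target is not None:
                child = entries[target]["cn"][0]
                cmds.append(f"ipa group-add-member {parent} --groups={child}")
    return cmds


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for g in find_violations(ents):
        print(fix_ldif(ents, g))
    print("\n".join(ipa_nesting_commands(ents)))
```

Run against a full `ldapsearch -LLL` export of the group container before migration; every group the report lists is one migrate-ds will otherwise turn into a "user not found" entry. Which fix to apply is a policy choice: the LDIF modify flattens the membership in the source directory (RFC2307-clean, but the nesting is lost), while the ipa commands keep the source untouched, let migrate-ds drop the DN value, and restore the nesting as a real nested group in FreeIPA afterwards.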


[Freeipa-users] Problem migrating from openldap using groups in a group

2016-03-23 Thread Sotiris Tsimbonis
Hi all,

I'm trying to migrate into freeipa some users and groups from an old
ldap server I've inherited. But migrate-ds fails to import groups inside
usergroups; it believes they are users and imports them wrongly.

trying to migrate with command:
ipa migrate-ds --bind-dn="cn=root,dc=staff,dc=forthnet" \
 --base-dn="ou=Forthnet,dc=staff,dc=forthnet" \
 --user-container=ou=users \
 --group-container=ou=groups \
 --group-objectclass=posixgroup \
 --schema=RFC2307 \
 ldap://devldap01.forthnet.prv:389

(version is ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64)

here is part of the ldif from devldap01
---
dn: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: security-tech
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: 5723476e-bad4-102c-8fe3-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520162000Z
memberUid: dimitria
gidNumber: 1730
entryCSN: 20100107135233Z#00#00#00
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20100107135233Z

dn: cn=abusewg,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
cn: abusewg
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: f90113dc-bad3-102c-8d13-0bb2ba42f62f
creatorsName: cn=root,dc=staff,dc=forthnet
createTimestamp: 20080520161722Z
memberUid: ccha
memberUid: dzer
memberUid: gmouz
memberUid: isek
memberUid: kavaklis
memberUid: nasl
memberUid: pmav
memberUid: stsimb
memberUid: cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet
gidNumber: 1010
entryCSN: 20151203143609Z#00#00#00
modifiersName: cn=root,dc=staff,dc=forthnet
modifyTimestamp: 20151203143609Z


migrate-ds completes with no failures.

The usergroup "security-tech" is correctly imported in freeipa; it
contains user "dimitria" who is also imported correctly.

But usergroup "abusewg" contains 9 users and reports an error
"user not found:
cn=security-tech,ou=groups,ou=Forthnet,dc=staff,dc=forthnet".

I would expect it to migrate the "security-tech" as a usergroup, not as
a user.

Any suggestions please?

Thanks,
Sot.
