Re: [Freeipa-users] Migrating from a hybrid web/posix LDAP

2014-07-14 Thread Petr Spacek

On 13.7.2014 03:31, Nordgren, Bryce L -FS wrote:

> Hi guys,
>
> I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr repos.
> Install and config went fine. Kinit: fine. Trying to migrate from my old ldap
> setup: problem.  Old ldap setup primarily had accounts for web apps
> (inetOrgPerson) and a few accounts with everything needed for login
> (posixAccount).
>
> Ipa migrate-ds for the existing posixAccounts: works fine.
>
> Migrating the web only accounts requires a bit more manual labor, and isn't working yet.
> I extracted a csv of my web-only accounts and made a script to upgrade them
> with posix attributes and add them to freeipa. Each line looks like:
>
> ipa user-add bill.mathews --last=Mathews --first=William --email=blah
> --phone=xxx-yyy- --setattr userpassword={SHA}bunchajunka --setattr o=University of Tweedle --gidnumber=65534
> --uid=263
>
> And I get:
>
> ERROR: Constraint violation: invalid password syntax - passwords with storage
> scheme are not allowed
>
> I was inspired to include the password this way from:
> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords


I believe it should work if you do
$ ipa config-mod --enable-migration=true
as stated on the page above.

Rob, do you know what we are missing? :-)

Petr^2 Spacek



> Is there any password preserving way to migrate my web-only accounts using ipa
> user-add? If there's no easy answer, I'll probably just add the attributes in the current
> ldap, then let ipa migrate-ds work its magic. But I want to see user-add work if it's
> possible.
>
> Thanks,
> Bryce
> PS: I believe all instances of service dirsrv restart on
> http://www.freeipa.org/docs/master/html-desktop/index.html#finding-excluding-entries need to be changed to
> systemctl restart dirsrv.target, since there is no dirsrv.service.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating from a hybrid web/posix LDAP

2014-07-14 Thread Rob Crittenden
Petr Spacek wrote:
> On 13.7.2014 03:31, Nordgren, Bryce L -FS wrote:
>> Hi guys,
>>
>> I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr
>> repos. Install and config went fine. Kinit: fine. Trying to migrate
>> from my old ldap setup: problem.  Old ldap setup primarily had
>> accounts for web apps (inetOrgPerson) and a few accounts with
>> everything needed for login (posixAccount).
>>
>> Ipa migrate-ds for the existing posixAccounts: works fine.
>>
>> Migrating the web only accounts requires a bit more manual labor, and
>> isn't working yet. I extracted a csv of my web-only accounts and
>> made a script to upgrade them with posix attributes and add them to
>> freeipa. Each line looks like:
>>
>> ipa user-add bill.mathews --last=Mathews --first=William
>> --email=blah --phone=xxx-yyy- --setattr
>> userpassword={SHA}bunchajunka --setattr o=University of Tweedle
>> --gidnumber=65534 --uid=263
>>
>> And I get:
>>
>> ERROR: Constraint violation: invalid password syntax - passwords with
>> storage scheme are not allowed
>>
>> I was inspired to include the password this way from:
>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>
> I believe it should work if you do
> $ ipa config-mod --enable-migration=true
> as stated on the page above.
>
> Rob, do you know what we are missing? :-)

Seems to be caused by https://fedorahosted.org/389/ticket/47389 and
fixed by https://fedorahosted.org/389/ticket/47753 which is not yet in a
release AFAICT.

I don't see a workaround. Even setting migration mode doesn't fix it in
my test.

rob

 
> Petr^2 Spacek
>
>> Is there any password preserving way to migrate my web-only accounts
>> using ipa user-add? If there's no easy answer, I'll probably just
>> add the attributes in the current ldap, then let ipa migrate-ds work
>> its magic. But I want to see user-add work if it's possible.
>>
>> Thanks,
>> Bryce
>> PS: I believe all instances of service dirsrv restart on
>> http://www.freeipa.org/docs/master/html-desktop/index.html#finding-excluding-entries
>> need to be changed to systemctl restart dirsrv.target, since there
>> is no dirsrv.service.

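The fallback described in the thread (add the POSIX attributes in the existing LDAP, then let ipa migrate-ds carry the accounts and their password hashes over) can be scripted as below. This is an added example, not part of the original messages or of FreeIPA; the CSV columns, the base DN, the uid=...,BASE_DN entry layout and the /home path are assumptions.

```python
import csv
import io
import re

BASE_DN = "ou=People,dc=example,dc=com"  # assumption: placeholder suffix of the old LDAP
# Strict allow-lists: a value that passes needs no DN or LDIF escaping.
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")
NUM_RE = re.compile(r"[0-9]{1,10}")
# Constructed sample export; the column names are assumed, not from the thread.
SAMPLE_CSV = "uid,uidNumber,gidNumber\nbill.mathews,263,65534\nbad uid,264,65534\njane,x,65534\n"


def posix_upgrade_ldif(csv_text, base_dn=BASE_DN, home_root="/home"):
    """Return (ldif, rejected_rows). userPassword is never touched, so the
    existing hash stays in the old directory for ipa migrate-ds to carry over."""
    records, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = (row.get("uid") or "").strip()
        uid_no = (row.get("uidNumber") or "").strip()
        gid_no = (row.get("gidNumber") or "").strip()
        # Reject rather than escape: a stray newline or comma in a CSV field
        # must not be able to inject extra LDIF lines or alter the DN.
        if not (UID_RE.fullmatch(uid) and NUM_RE.fullmatch(uid_no)
                and NUM_RE.fullmatch(gid_no)):
            rejected.append(row)
            continue
        records.append("\n".join([
            f"dn: uid={uid},{base_dn}",
            "changetype: modify",
            "add: objectClass",
            "objectClass: posixAccount",
            "-",
            "add: uidNumber",
            f"uidNumber: {uid_no}",
            "-",
            "add: gidNumber",
            f"gidNumber: {gid_no}",
            "-",
            "add: homeDirectory",
            f"homeDirectory: {home_root}/{uid}",
            "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else ""), rejected


if __name__ == "__main__":
    ldif, skipped = posix_upgrade_ldif(SAMPLE_CSV)
    print(ldif)
    print(f"# skipped {len(skipped)} row(s)")
```

The generated LDIF is meant to be applied with ldapmodify against the old directory before running ipa migrate-ds; rejected rows are returned for manual review instead of being written out.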