Re: [Freeipa-users] Migrating from a hybrid web/posix LDAP
On 13.7.2014 03:31, Nordgren, Bryce L -FS wrote:
> Hi guys,
>
> I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr repos. Install and config went fine. Kinit: fine. Trying to migrate from my old ldap setup: problem.
>
> Old ldap setup primarily had accounts for web apps (inetOrgPerson) and a few accounts with everything needed for login (posixAccount). Ipa migrate-ds for the existing posixAccounts: works fine. Migrating the web only accounts requires a bit more manual labor, and isn't working yet.
>
> I extracted a csv of my web-only accounts and made a script to upgrade them with posix attributes and add them to freeipa. Each line looks like:
>
> ipa user-add bill.mathews --last=Mathews --first=William --email=blah --phone=xxx-yyy- --setattr userpassword={SHA}bunchajunka --setattr o=University of Tweedle --gidnumber=65534 --uid=263
>
> And I get:
>
> ERROR: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed
>
> I was inspired to include the password this way from: http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

I believe it should work if you do

$ ipa config-mod --enable-migration=true

as stated on the page above.

Rob, do you know what we are missing? :-)

Petr^2 Spacek

> Is there any password preserving way to migrate my web-only accounts using ipa user-add? If there's no easy answer, I'll probably just add the attributes in the current ldap, then let ipa migrate-ds work its magic. But I want to see user-add work if it's possible.
>
> Thanks,
> Bryce
>
> PS: I believe all instances of service dirsrv restart on http://www.freeipa.org/docs/master/html-desktop/index.html#finding-excluding-entries need to be changed to systemctl restart dirsrv.target, since there is no dirsrv.service.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Migrating from a hybrid web/posix LDAP
Petr Spacek wrote:
> On 13.7.2014 03:31, Nordgren, Bryce L -FS wrote:
>> Hi guys,
>>
>> I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr repos. Install and config went fine. Kinit: fine. Trying to migrate from my old ldap setup: problem.
>>
>> Old ldap setup primarily had accounts for web apps (inetOrgPerson) and a few accounts with everything needed for login (posixAccount). Ipa migrate-ds for the existing posixAccounts: works fine. Migrating the web only accounts requires a bit more manual labor, and isn't working yet.
>>
>> I extracted a csv of my web-only accounts and made a script to upgrade them with posix attributes and add them to freeipa. Each line looks like:
>>
>> ipa user-add bill.mathews --last=Mathews --first=William --email=blah --phone=xxx-yyy- --setattr userpassword={SHA}bunchajunka --setattr o=University of Tweedle --gidnumber=65534 --uid=263
>>
>> And I get:
>>
>> ERROR: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed
>>
>> I was inspired to include the password this way from: http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>
> I believe it should work if you do
>
> $ ipa config-mod --enable-migration=true
>
> as stated on the page above.
>
> Rob, do you know what we are missing? :-)

Seems to be caused by https://fedorahosted.org/389/ticket/47389 and fixed by https://fedorahosted.org/389/ticket/47753 which is not yet in a release AFAICT.

I don't see a workaround. Even setting migration mode doesn't fix it in my test.

rob

> Petr^2 Spacek
>
>> Is there any password preserving way to migrate my web-only accounts using ipa user-add? If there's no easy answer, I'll probably just add the attributes in the current ldap, then let ipa migrate-ds work its magic. But I want to see user-add work if it's possible.
>>
>> Thanks,
>> Bryce
>>
>> PS: I believe all instances of service dirsrv restart on http://www.freeipa.org/docs/master/html-desktop/index.html#finding-excluding-entries need to be changed to systemctl restart dirsrv.target, since there is no dirsrv.service.
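
Added example, not part of the thread and not FreeIPA code: one way to carry out the fallback mentioned in the original question, generating LDIF that adds posixAccount attributes to the web-only entries in the old directory while leaving userPassword untouched, so the existing hashes stay in place for ipa migrate-ds. The CSV columns, the DNs and the /home/<uid> pattern are assumptions; gid 65534 and uid number 263 come from the command quoted above, and the entries are assumed to already carry cn and uid.

```python
import base64
import csv
import io
import re

# Constructed sample export; column names and DNs are assumptions.
SAMPLE_CSV = """dn,uid,uidNumber
"uid=bill.mathews,ou=people,dc=example,dc=com",bill.mathews,263
"uid=zo\u00eb.k,ou=people,dc=example,dc=com",zoe.k,264
"""

SAFE_UID = re.compile(r"[a-z0-9][a-z0-9._-]*")
SAFE_NUM = re.compile(r"[0-9]+")

def ldif_line(attr, value):
    """Format one LDIF line, base64-encoding values RFC 2849 forbids verbatim."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in "\0\r\n" for c in value))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"

def posix_upgrade_ldif(csv_text, gid_number=65534, home_root="/home"):
    """Return LDIF modify records adding posixAccount data; userPassword is untouched."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid, uid_number = row["uid"], row["uidNumber"]
        # Reject anything that could smuggle extra LDIF lines or odd home paths.
        if not SAFE_UID.fullmatch(uid) or not SAFE_NUM.fullmatch(uid_number):
            raise ValueError(f"refusing unsafe row: {row!r}")
        records.append("\n".join([
            ldif_line("dn", row["dn"]),
            "changetype: modify",
            "add: objectClass", "objectClass: posixAccount", "-",
            "add: uidNumber", f"uidNumber: {uid_number}", "-",
            "add: gidNumber", f"gidNumber: {gid_number}", "-",
            "add: homeDirectory", f"homeDirectory: {home_root}/{uid}", "-",
        ]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(posix_upgrade_ldif(SAMPLE_CSV), end="")
```

The output is meant to be reviewed and then applied to the old server with ldapmodify before running ipa migrate-ds.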