Re: [Freeipa-users] missing objects during migration steps

2013-01-24 Thread Johnathan Phan
Hi Rob and Simo,

Is there a way to make the schema readable so the error does not show up? Or is
that pointless? What is the migrate-ds looking for specifically? Can I
manually create it for now?

Regards

John


On Wed, Jan 23, 2013 at 4:42 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Simo Sorce wrote:

 On Wed, 2013-01-23 at 10:41 -0500, Rob Crittenden wrote:

 Johnathan Phan wrote:

 Hi Rob,

 Please find the output from /usr/sbin/slapd -VV that shows the current
 openldap version that's running on the ldap server.

 @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $

 mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

 ps. I have opened a ticket for this.

 https://fedorahosted.org/freeipa/ticket/3372

 Can I assume you have a way to turn this check off. As in IRC there
 does not seem to be one. Or are you saying I can allow the scheme value
 to be checked if I create one or make it readable somehow?


 There is no way to turn this check off, we always try to retrieve
 cn=schema.

 I'd have sworn that openldap already did online schema this way.


 Please open a bug, we should not depend on the remote schema being
 readable.

 Simo.


 He already opened a ticket.

 rob




-- 
Johnathan Phan
ox-consulting

T: +44 (0)784 118 7080
j...@ox-consulting.com

www.ox-consulting.com

OX CONSULTING Ltd is registered in England & Wales, number: 07113039,
registered address as above.

The information contained in this email message may be privileged,
confidential or exempt from disclosure under applicable law. If you are not
the intended recipient, you are hereby notified that any use,
dissemination, distribution or copying of this transmission is strictly
prohibited. If you have received this communication in error, or if any
problems occur with transmission, please notify the sender immediately.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] missing objects during migration steps

2013-01-23 Thread Rob Crittenden

Johnathan Phan wrote:

Hi everyone,

k past authentication issues now. It's now complaining about objects not
there.

ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:

However when I run the following commands on the new IPA server.

ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

or

ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

and I get output

Ldap shows the users and groups in the old system. It just dumps out the
whole content of the OU.

I have tried to run the following two commands and I still get the same
error

ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636

or

ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636

What is IPA complaining about specifically? I know objects are in these
ou's. Is it expecting something different?


It is failing trying to query cn=schema. We fetch the schema from the 
remote server to know what types of data we're dealing with. What 
version of openldap is this?


rob
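
Added example (not part of the original thread, and not FreeIPA's own code): one way to see which entry the old server advertises as its schema and whether that entry is cn=schema and readable. The sample root DSE is constructed, using cn=Subschema, the DN under which OpenLDAP publishes its schema; the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: locate the schema entry a server advertises and compare it
# with cn=schema, the entry named in the thread.

# Constructed sample of `ldapsearch -LLL -s base -b "" subschemaSubentry`
# output (not taken from the poster's server); the value is folded across
# two lines the way LDIF wraps long lines.
SAMPLE_ROOTDSE='dn:
subschemaSubentry: cn=Sub
 schema
'

# Print the subschemaSubentry value from LDIF on stdin. A line starting with
# a space continues the previous line. Base64 ("::") values are not decoded.
schema_dn_from_ldif() {
    awk '
        /^ / { if (n) buf[n] = buf[n] substr($0, 2); next }
        { buf[++n] = $0 }
        END {
            for (i = 1; i <= n; i++)
                if (tolower(buf[i]) ~ /^subschemasubentry: /) {
                    sub(/^[^:]*: /, "", buf[i]); print buf[i]; exit
                }
        }'
}

# Succeed when two DNs match, ignoring case and spaces after commas.
same_dn() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    [ "$a" = "$b" ]
}

# Live check against a server (prompts for the bind password twice), e.g.
#   check_schema ldaps://ldap1.example.com:636 cn=admin,dc=example,dc=com
check_schema() {
    dn=$(ldapsearch -x -LLL -H "$1" -D "$2" -W -s base -b "" \
            subschemaSubentry | schema_dn_from_ldif)
    echo "schema advertised at: ${dn:-none}"
    same_dn "$dn" "cn=schema" || echo "this is not cn=schema"
    # Base-scope read of the advertised entry; non-zero exit = not readable.
    ldapsearch -x -LLL -H "$1" -D "$2" -W -s base -b "$dn" \
        '(objectClass=subschema)' objectClasses attributeTypes >/dev/null
}
```

subschemaSubentry is an operational attribute of the root DSE, so it has to be requested by name as shown.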



Re: [Freeipa-users] missing objects during migration steps

2013-01-23 Thread Johnathan Phan
Hi Rob,

Please find the output from /usr/sbin/slapd -VV that shows the current
openldap version that's running on the ldap server.

@(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

ps. I have opened a ticket for this.

https://fedorahosted.org/freeipa/ticket/3372

Can I assume you have a way to turn this check off. As in IRC there does
not seem to be one. Or are you saying I can allow the scheme value to be
checked if I create one or make it readable somehow?



On Wed, Jan 23, 2013 at 2:00 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Johnathan Phan wrote:

 Hi everyone,

 k past authentication issues now. It's now complaining about objects not
 there.

 ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:

 However when I run the following commands on the new IPA server.

 ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

 or

 ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

 and I get output

 Ldap shows the users and groups in the old system. It just dumps out the
 whole content of the OU.

 I have tried to run the following two commands and I still get the same
 error

 ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636

 or

 ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636


 What is IPA complaining about specifically? I know objects are in these
 ou's. Is it expecting something different?


 It is failing trying to query cn=schema. We fetch the schema from the
 remote server to know what types of data we're dealing with. What version
 of openldap is this?

 rob




-- 
Johnathan Phan
ox-consulting

T: +44 (0)784 118 7080
j...@ox-consulting.com

www.ox-consulting.com


Re: [Freeipa-users] missing objects during migration steps

2013-01-23 Thread Rob Crittenden

Johnathan Phan wrote:

Hi Rob,

Please find the output from /usr/sbin/slapd -VV that shows the current
openldap version that's running on the ldap server.

@(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $

mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

ps. I have opened a ticket for this.

https://fedorahosted.org/freeipa/ticket/3372

Can I assume you have a way to turn this check off. As in IRC there
does not seem to be one. Or are you saying I can allow the scheme value
to be checked if I create one or make it readable somehow?


There is no way to turn this check off, we always try to retrieve cn=schema.

I'd have sworn that openldap already did online schema this way.

rob



Re: [Freeipa-users] missing objects during migration steps

2013-01-23 Thread Simo Sorce
On Wed, 2013-01-23 at 10:41 -0500, Rob Crittenden wrote:
 Johnathan Phan wrote:
  Hi Rob,
 
  Please find the output from /usr/sbin/slapd -VV that shows the current
  openldap version that's running on the ldap server.
 
  @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
 
  mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
 
  ps. I have opened a ticket for this.
 
  https://fedorahosted.org/freeipa/ticket/3372
 
  Can I assume you have a way to turn this check off. As in IRC there
  does not seem to be one. Or are you saying I can allow the scheme value
  to be checked if I create one or make it readable somehow?
 
 There is no way to turn this check off, we always try to retrieve cn=schema.
 
 I'd have sworn that openldap already did online schema this way.

Please open a bug, we should not depend on the remote schema being
readable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
