I might have missed this yesterday, is it trying to bind to the Apple as Directory Manager? I thought that was for FreeIPA but now I'm not sure. I was intending to have it do an anonymous bind to the Apple.
If so I guess that would explain it.

On Mon, Jan 24, 2011 at 2:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jeff B wrote:
>>
>> I'm trying to test out migration from an Apple Open Directory Server
>> to FreeIPA (unstable). The command I'm running is:
>>
>> ipa config-mod --enable-migration=true
>>
>> ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=xxxx,dc=com'
>> --group-container='cn=groups,dc=xxx,dc=xxxx,dc=com'
>> ldap://10.10.10.10:389
>>
>> It prompts me for a password twice, then gives me an invalid credentials
>> error
>>
>> ipa: INFO: Created connection context.xmlclient
>> Password:
>> Enter Password again to verify:
>> ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'********',
>> usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com',
>> groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com')
>> ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'********',
>> binddn=u'cn=directory manager',
>> usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com',
>> groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com',
>> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames',
>> u'groupOfNames'), schema=u'RFC2307bis', continue=False,
>> exclude_groups=None, exclude_users=None)
>> ipa: INFO: Forwarding 'migrate_ds' to server
>> u'https://ipa0.xxxx.com/ipa/xml'
>> ipa: DEBUG: NSSConnection init ipa0.xxxx.com
>> ipa: DEBUG: connect: host=ipa0.xxxx.com port=443
>> ipa: DEBUG: connect: 10.10.10.11:443
>> ...
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=ipa0.xxxx.com,O=XXXX.COM"
>> ipa: DEBUG: handshake complete, peer = 10.10.10.11:443
>> ipa: DEBUG: Caught fault 2100 from server
>> https://ipa0.xxx.com/ipa/xml: Insufficient access: Invalid
>> credentials
>> ipa: INFO: Destroyed connection context.xmlclient
>> ipa: ERROR: Insufficient access: Invalid credentials
>>
>> I'm able to connect to LDAP using the same password for cn="Directory
>> Manager" which it appears to be the user it's asking the password for.
>>
>> Is this user error or a bug? If user error what am I doing wrong?
>> Thanks.
>
> Hmm, I'm stumped at this point. Can you look in your Apple DS logs to see if
> there is a bind error? You can use --binddn to bind as a different user.
>
> I should also note that you don't want to include basedn for the user and
> group containers, cn=users and cn=groups is enough.
>
> rob