Hi all, I've been working on a migration plan using three custom user objectClasses and one group objectclass. In my attempt, I've set up an OpenLDAP server with the proper schemas, imported the ldif and have records that look something like this in ldif format.
-----------------------------------------------------------------------
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=amyengh,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
objectClass: radiusProfile
objectClass: sambaSamAccount
objectClass: customPersonAttributes
cn: Amy Engh
gidNumber: 1141801056
homeDirectory: /home/amyengh
sn: Engh
uid: amyengh
uidNumber: 1141801056
displayName: Amy Engh
givenName: Amy
loginShell: /sbin/nologin
mail: amye...@attask.com
userPassword:: REDACTED
dialupAccess: yes
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 1421
radiusTunnelType: VLAN
emailPassword:: REDACTED
sambaAcctFlags: [U ]
sambaLMPassword: REDACTED
sambaNTPassword: REDACTED
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaPwdLastSet: 1402698001
sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146

dn: cn=amyengh,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: amyengh
gidNumber: 1141801056
memberUid: amyengh
--------------------------------------------------------------------

I then run the migration (with or without compat makes no difference) and get the following:

ipa migrate-ds --with-compat --user-container="ou=People" --group-container="ou=Groups" --user-objectclass=posixAccount --group-objectclass=posixgroup ldap://192.168.122.210 --bind-dn="cn=Manager,dc=example,dc=com"
Password:
-----------
migrate-ds:
-----------
Migrated:
Failed user:
  amyengh: Type or value exists:
Failed group:
  amyengh: This entry already exists. Check GID of the existing group. Use --group-overwrite-gid option to overwrite the GID
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

The objectclasses are listed in the configuration properly:

# ipa config-show --all
..snip..
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, sambaGroupMapping
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, radiusProfile, customPersonAttributes, sambaSamAccount
..snip..

I can verify the objectclasses appear to work when I add a user manually, though I have not updated the plugins to allow entries for the above objectClasses.

---------------------------

My question exists around the error ' amyengh: Type or value exists:'. I can take out the custom objectclasses, and this error goes away. I've looked into all of the custom objectclasses and don't see anything that would indicate errors.

I have some 5k+ records to migrate and don't want to have to manipulate the ldif and then create modify records just to get the data into IPA.

Any suggestions to help me identify why this is happening? I'd be happy to provide further information as requested.

Thanks,
herlo
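An added diagnostic example, not part of the original post and not FreeIPA's code: LDAP result code 20 ("Type or value exists") is returned when a write supplies an attribute value that is already present, so this scans an LDIF export for objectClass values that would collide with the configured defaults when spellings differ only by case. The merge modelled in `merged_objectclasses` is an assumption the post does not confirm, and `parse_ldif`, `case_collisions` and `audit` are hypothetical helper names.

```python
from collections import defaultdict

# "Default user objectclasses" as shown by `ipa config-show --all` in the post.
DEFAULT_USER_OCS = ("top person organizationalperson inetorgperson inetuser posixaccount "
                    "krbprincipalaux krbticketpolicyaux ipaobject ipasshuser "
                    "radiusProfile customPersonAttributes sambaSamAccount").split()

# Constructed sample: the post's user entry, trimmed to the attributes used here.
SAMPLE_LDIF = """\
dn: uid=amyengh,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
objectClass: radiusProfile
objectClass: sambaSamAccount
objectClass: customPersonAttributes
sambaPasswordHistory: 0000
 0000
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry, unfolding continuation lines."""
    for block in text.replace("\n ", "").split("\n\n"):  # "\n " is an LDIF line fold
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs[name.lower()].append(value.lstrip(": "))
        if "dn" in attrs:
            yield attrs["dn"][0], dict(attrs)

def merged_objectclasses(defaults, entry_ocs):
    """HYPOTHETICAL merge (an assumption, not confirmed by the post): defaults kept
    as spelled, entry values lower-cased, duplicates removed by exact string only."""
    return set(defaults) | {oc.lower() for oc in entry_ocs}

def case_collisions(values):
    """Group values that differ only by case; the server treats each group as one value."""
    groups = defaultdict(set)
    for v in values:
        groups[v.lower()].add(v)
    return {k: sorted(vs) for k, vs in groups.items() if len(vs) > 1}

def audit(ldif_text, defaults=DEFAULT_USER_OCS):
    found = ((dn, case_collisions(merged_objectclasses(defaults, a.get("objectclass", []))))
             for dn, a in parse_ldif(ldif_text))
    return {dn: hits for dn, hits in found if hits}
```

Under that assumed merge, `audit(SAMPLE_LDIF)` flags only the three mixed-case classes in the configured defaults; passing the defaults in lower case returns an empty report.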