Are you sure that your bind dn has read access to userPassword? A default OpenLDAP installation usually has an admin user. Gosa ACLs are only applied when using the web interface; they are not used for direct access via LDAP.
> On 27.04.2016 at 03:43, siology.io <siology...@gmail.com> wrote:
>
> I'm having issues migrating from an openldap directory (which has gosa
> schema) to freeipa.
>
> To migrate I'm doing (and yes, I know):
>
> ipa migrate-ds ldap://old.server.com:389 --bind-dn
> "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup
> --user-objectclass=inetOrgPerson --group-overwrite-gid
> --user-ignore-objectclass=gosaAccount
> --user-ignore-objectclass=gosaMailAccount
> --user-ignore-attribute=gosaMailDeliveryMode
> --user-ignore-attribute=gosaMailServer
> --user-ignore-attribute=gosaSpamSortLevel
> --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount
> --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey
> --user-ignore-attribute=sambaLMPassword
> --user-ignore-attribute=sambaBadPasswordTime
> --user-ignore-attribute=gosaaclentry
> --user-ignore-attribute=sambaBadPasswordCount
> --user-ignore-attribute=sambaNTPassword
> --user-ignore-attribute=sambaPwdLastSet
>
> Which seems to work to import all those users which have posix settings set;
> however, I have two problems:
>
> - Am I right in thinking there's no way to auto-assign a gid/uid/home dir for
> the non-posix users at migration time? That's not a deal breaker per se, but
> I'd need to spin up a new copy of the old ldap and then add those attributes
> to every user, then migrate to ipa from that source, which is a real pain.
>
> - The migration seems to be successful for the users that do have posix
> attributes, and ends with:
>
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
>
> ...but I'm unable to log in to that page as any of my migrated users, or bind
> as them with ldapsearch. It seems like the passwords were not migrated?
>
> Because 90% of my ~350 users are only going to be using freeipa insomuch as
> using services which are making use of the ipa server's ldap, I was hoping
> that I wouldn't need to make kerberos tickets for those users, and hence
> avoid needing every user to log in to the migration page. At the moment,
> however, I'm not able to get any migrated users at all to be able to bind to
> ldap or log in to that page.
>
> Any tips or gotchas I should know? I've no idea how to begin debugging this.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
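As an added example (not from either message in this thread), a Python script that reads the LDIF that `ldapsearch`, run as the migration bind DN, returns for the user subtree and reports which entries come back without userPassword (the ACL check suggested above) and which lack the uidNumber/gidNumber/homeDirectory attributes the migration needs. The sample output, the DNs and the hash values are constructed.

```python
# Posix attributes ipa migrate-ds needs on every user it imports.
POSIX_REQUIRED = ("uidnumber", "gidnumber", "homedirectory")
# Constructed sample of `ldapsearch -x -LLL -D <migration bind dn> -W ...` output as seen
# by that bind DN: bob's userPassword is hidden by an ACL, carol lacks posix attributes.
# The password values are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9dGVzdA==
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/bob

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword: {SSHA}placeholder-not-a-real-hash
"""

def parse_ldif(text):
    """LDIF -> list of {lowercased attribute: [values]}; '#' comments are skipped,
    folded lines joined, '::' base64 values kept raw since only presence matters."""
    entries, lines = [], []
    # the trailing "" flushes the last entry
    for raw in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a wrapped line
        elif raw:
            lines.append(raw)
        elif lines:                           # blank line ends an entry
            entry = {}
            for line in lines:
                name, _, value = line.partition(":")
                entry.setdefault(name.lower(), []).append(value.lstrip(": "))
            entries.append(entry)
            lines = []
    return entries

def audit(entries):
    """DNs whose password the bind DN cannot read, and DNs missing posix attributes."""
    report = {"no_password": [], "no_posix": []}
    for entry in entries:
        dn = entry["dn"][0]
        if "userpassword" not in entry:
            report["no_password"].append(dn)
        if any(attr not in entry for attr in POSIX_REQUIRED):
            report["no_posix"].append(dn)
    return report
```

Run it over real output by saving the ldapsearch result to a file and calling `audit(parse_ldif(open(path).read()))`; any DN in `no_password` will be migrated without a password no matter which hash scheme the source uses.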