Re: [Freeipa-users] migration user passwords from openldap to freeipa
ok, after looking again at this, i've found that even with the admin users it's not working how i'd like. With the admin user what seems to be happening is that the users after import *must* go to the /ipa/migration/ url and then enter their password. Although it does now let them login unlike before (so i guess before i hadnt used the admin ldap user to import from and hence didnt have permissions as you suggested) However, i'd really like to avoid that because we've got hundreds of users, mostly external to the company in different timezones, and coordinating getting people to go to the portal (and making it available to the internet!) sounds like a nightmare. These users don't need kerberos credentials (afaik) as i just want them to be able to bind against the freeipa ldap server. I'm happy for users that need kerberos to have to go to the migration page. Is there any way to avoid a user needing to go to the migration page after importing the user ? On 27 April 2016 at 19:45, David Kreitschmann wrote: > Are you sure that your bind dn has read access userPassword? A default > OpenLDAP installation usually has a admin user. > Gosa ACLs are only applied when using the web interface, they are not used > for direct access via LDAP. > > > > Am 27.04.2016 um 03:43 schrieb siology.io : > > > > I'm having issues migrating from an openldap directory (which has gosa > schema) to freeipa. > > > > To migrate i'm doing (and yes, i know); > > > > ipa migrate-ds ldap://old.server.com:389 --bind-dn > "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup > --user-objectclass=inetOrgPerson --group-overwrite-gid > --user-ignore-objectclass=gosaAccount > --user-ignore-objectclass=gosaMailAccount > --user-ignore-attribute=gosaMailDeliveryMode > --user-ignore-attribute=gosaMailServer > --user-ignore-attribute=gosaSpamSortLevel > --user-ignore-attribute=gosaSpamMailbox > --user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl > --user-ignore-attribute=sshpublickey > --user-ignore-attribute=sambaLMPassword > --user-ignore-attribute=sambaBadPasswordTime > --user-ignore-attribute=gosaaclentry > --user-ignore-attribute=sambaBadPasswordCount > --user-ignore-attribute=sambaNTPassword > --user-ignore-attribute=sambaPwdLastSet > > > > Which seems to work to import all those users which have posix settings > set, however i have two problems: > > > > - Am i right in thinking there's no way to auto-assign a gid/uid/home > dir for the non-posix users at migration time ? That's not a deal breaker > per se, but i'd need to spin up a new copy of the old ldap and then add > those attributes to every user, then migrate to ipa from that source, which > is a real pain. > > > > - The migration seems to be successful for the users that do have posix > attributes, and ends with: > > > > Passwords have been migrated in pre-hashed format. > > IPA is unable to generate Kerberos keys unless provided > > with clear text passwords. All migrated users need to > > login at https://your.domain/ipa/migration/ before they > > can use their Kerberos accounts. > > > > ...but i'm unable to login to that page as any of my migrated users, or > bind as them with ldapsearch. It seems like the passwords were not migrated > ? > > > > Because 90% of my ~350 users are only going to be using freeipa insomuch > as using services which are making use of the ipa server's ldap i was > hoping that i wouldn't need to make kerberos tickets for those users, and > hence avoid needing every user to login to the migration page. At the > moment however i'm not able to get any migrated users at all to be able to > bind to ldap or login to that page. > > > > Any tips or gotchas i should know ? I've no idea how to begin debugging > this. > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] migration user passwords from openldap to freeipa
Are you sure that your bind dn has read access userPassword? A default OpenLDAP installation usually has a admin user. Gosa ACLs are only applied when using the web interface, they are not used for direct access via LDAP. > Am 27.04.2016 um 03:43 schrieb siology.io : > > I'm having issues migrating from an openldap directory (which has gosa > schema) to freeipa. > > To migrate i'm doing (and yes, i know); > > ipa migrate-ds ldap://old.server.com:389 --bind-dn > "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup > --user-objectclass=inetOrgPerson --group-overwrite-gid > --user-ignore-objectclass=gosaAccount > --user-ignore-objectclass=gosaMailAccount > --user-ignore-attribute=gosaMailDeliveryMode > --user-ignore-attribute=gosaMailServer > --user-ignore-attribute=gosaSpamSortLevel > --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount > --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey > --user-ignore-attribute=sambaLMPassword > --user-ignore-attribute=sambaBadPasswordTime > --user-ignore-attribute=gosaaclentry > --user-ignore-attribute=sambaBadPasswordCount > --user-ignore-attribute=sambaNTPassword > --user-ignore-attribute=sambaPwdLastSet > > Which seems to work to import all those users which have posix settings set, > however i have two problems: > > - Am i right in thinking there's no way to auto-assign a gid/uid/home dir for > the non-posix users at migration time ? That's not a deal breaker per se, but > i'd need to spin up a new copy of the old ldap and then add those attributes > to every user, then migrate to ipa from that source, which is a real pain. > > - The migration seems to be successful for the users that do have posix > attributes, and ends with: > > Passwords have been migrated in pre-hashed format. > IPA is unable to generate Kerberos keys unless provided > with clear text passwords. All migrated users need to > login at https://your.domain/ipa/migration/ before they > can use their Kerberos accounts. > > ...but i'm unable to login to that page as any of my migrated users, or bind > as them with ldapsearch. It seems like the passwords were not migrated ? > > Because 90% of my ~350 users are only going to be using freeipa insomuch as > using services which are making use of the ipa server's ldap i was hoping > that i wouldn't need to make kerberos tickets for those users, and hence > avoid needing every user to login to the migration page. At the moment > however i'm not able to get any migrated users at all to be able to bind to > ldap or login to that page. > > Any tips or gotchas i should know ? I've no idea how to begin debugging this. > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project signature.asc Description: Message signed with OpenPGP using GPGMail -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] migration user passwords from openldap to freeipa
I'm having issues migrating from an openldap directory (which has gosa schema) to freeipa. To migrate i'm doing (and yes, i know); ipa migrate-ds ldap://old.server.com:389 --bind-dn "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup --user-objectclass=inetOrgPerson --group-overwrite-gid --user-ignore-objectclass=gosaAccount --user-ignore-objectclass=gosaMailAccount --user-ignore-attribute=gosaMailDeliveryMode --user-ignore-attribute=gosaMailServer --user-ignore-attribute=gosaSpamSortLevel --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey --user-ignore-attribute=sambaLMPassword --user-ignore-attribute=sambaBadPasswordTime --user-ignore-attribute=gosaaclentry --user-ignore-attribute=sambaBadPasswordCount --user-ignore-attribute=sambaNTPassword --user-ignore-attribute=sambaPwdLastSet Which seems to work to import all those users which have posix settings set, however i have two problems: - Am i right in thinking there's no way to auto-assign a gid/uid/home dir for the non-posix users at migration time ? That's not a deal breaker per se, but i'd need to spin up a new copy of the old ldap and then add those attributes to every user, then migrate to ipa from that source, which is a real pain. - The migration seems to be successful for the users that do have posix attributes, and ends with: Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts. ...but i'm unable to login to that page as any of my migrated users, or bind as them with ldapsearch. It seems like the passwords were not migrated ? Because 90% of my ~350 users are only going to be using freeipa insomuch as using services which are making use of the ipa server's ldap i was hoping that i wouldn't need to make kerberos tickets for those users, and hence avoid needing every user to login to the migration page. At the moment however i'm not able to get any migrated users at all to be able to bind to ldap or login to that page. Any tips or gotchas i should know ? I've no idea how to begin debugging this. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project