Re: [Freeipa-users] ipa migrate-ds and cn=sysaccounts, cn=etc,
On 2017-03-11 21:14, Alexander Bokovoy wrote: On la, 11 maalis 2017, Robert Söderlund wrote: Hi all! Does 'ipa migrate-ds' support migrating users from cn=sysaccounts,cn=etc,? No. I tried with the arguments '--user-container=cn=sysaccounts,cn=users,cn=accounts' and '--user-objectclass=simplesecurityobject,organizationalperson' without success. I think if would be a nice feature to be able to migrate objects that isn't located in the default path. sysaccounts aren't users. migrate-ds only supports migration of a limited subset objects that IPA framework knows about: users and groups. It doesn't support many other objects IPA framework knows about. Sysaccounts aren't even something IPA framework knows by itself. I can always fix this with ldapsearch/ldapadd but it would be nice if this was doable with ipa migrate-ds. I agree that it would be good to extend migrate-ds scope but it is currently not on the radar for many reasons. I'd rather see it extended in a programmatic way to handle all IPA framework objects and allow to specify a mapping table for them similar to how we specify --user-container and --user-objectclass (and other options). Then when sysaccounts would be managed by the IPA framework, they would become automatically available for migration. However, I personally have no available time for that in next half a year (at least). Hi! Thank you for the feedback, when I read your answes I realize that I misunderstood the purpose of migrate-ds. My thought was that migrate-ds should work as a ldapsearch+ldapadd (with filters and the ability to remove some attrs) but without the need to dump the data to a file. Keep up the good job, freeipa is awesome :) //Robert -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa migrate-ds and cn=sysaccounts, cn=etc,
On la, 11 maalis 2017, Robert Söderlund wrote: Hi all! Does 'ipa migrate-ds' support migrating users from cn=sysaccounts,cn=etc,? No. I tried with the arguments '--user-container=cn=sysaccounts,cn=users,cn=accounts' and '--user-objectclass=simplesecurityobject,organizationalperson' without success. I think if would be a nice feature to be able to migrate objects that isn't located in the default path. sysaccounts aren't users. migrate-ds only supports migration of a limited subset objects that IPA framework knows about: users and groups. It doesn't support many other objects IPA framework knows about. Sysaccounts aren't even something IPA framework knows by itself. I can always fix this with ldapsearch/ldapadd but it would be nice if this was doable with ipa migrate-ds. I agree that it would be good to extend migrate-ds scope but it is currently not on the radar for many reasons. I'd rather see it extended in a programmatic way to handle all IPA framework objects and allow to specify a mapping table for them similar to how we specify --user-container and --user-objectclass (and other options). Then when sysaccounts would be managed by the IPA framework, they would become automatically available for migration. However, I personally have no available time for that in next half a year (at least). -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa migrate-ds and cn=sysaccounts,cn=etc,
Hi all! Does 'ipa migrate-ds' support migrating users from cn=sysaccounts,cn=etc,? I tried with the arguments '--user-container=cn=sysaccounts,cn=users,cn=accounts' and '--user-objectclass=simplesecurityobject,organizationalperson' without success. I think if would be a nice feature to be able to migrate objects that isn't located in the default path. I can always fix this with ldapsearch/ldapadd but it would be nice if this was doable with ipa migrate-ds. //Robert -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ldap tree: etc-location & ca-cas
hi everyone my domain seems ok but I've decided to watch it closely on more regular basis and am in a process of learning the tree. I found a few +nsuniqueid and I wonder: is there a relation (surely is, but how critical) between etc-location & ca-ca? Both, location and ca have the same +nsuniqueid=647ed0ab-b70911e6-b84df1c7-2176fa48. My question would be (if I cannot do that with IPA, which I probably cannot): do I clean manually both location & ca in one go? Or there is a sequence to it? And more importantly: what should also check in the tree in relation to these two DNs? many thank, L -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project