When using ipa migrate-ds, the transformation applied to uniquemember or member attributes is not consistent with the one applied to user accounts.
For instance, on the source LDAP server:
    dn: cn=usercn,$USERCONTAINER,$SRC_BASEDN
    uid: useruid

    dn: cn=statgrp,$GROUPCONTAINER,$SRC_BASEDN
    member: cn=usercn,$USERCONTAINER,$SRC_BASEDN
=> on the IPA server:
    dn: uid=useruid,cn=users,cn=accounts,$BASEDN

    dn: cn=statgrp,cn=groups,cn=accounts,$BASEDN
    member: uid=usercn,cn=users,cn=accounts,$BASEDN
We can see the mismatch between uid=useruid and uid=usercn.
So this happens only if cn is different than uid in the user entry, right?
Relevant transformation code:
    entry_attrs.setdefault(member_attr, [])
    for m in entry_attrs[member_attr]:
        try:
            m = DN(m)
        except ValueError as e:
            # This should be impossible unless the remote server
            # doesn't enforce syntax checking.
            api.log.error('Malformed DN %s: %s' % (m, e))
            continue
        try:
            rdnval = m[0].value
        except IndexError:
            api.log.error('Malformed DN %s has no RDN?' % m)
            continue

        if m.endswith(search_bases['user']):
            api.log.debug('migrating %s user %s', member_attr, m)
            m = DN((api.Object.user.primary_key.name, rdnval),
                   api.env.container_user, api.env.basedn)

So it always gets the value from the original DN and it doesn't care how the first RDN is called.
Migrate group would either need to do one of:
ab has a plugin which can transform source data so that migrate-ds can consume it
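An added example, not FreeIPA code and not necessarily how the ticket was resolved: it reproduces the RDN-based member rewrite described above next to a lookup of the referenced entry's uid, and reports members where the two disagree. The DNs, base DNs and function names are constructed for illustration, and the DNs are assumed to contain no escaped commas.

```python
# Added example, not FreeIPA code. All DNs below are constructed sample data
# and are assumed to contain no escaped commas, so a plain split is enough.
IPA_USERS = "cn=users,cn=accounts,dc=ipa,dc=test"

SRC_USERS = {  # source user DN -> uid attribute of that entry
    "cn=usercn,ou=people,dc=src,dc=test": "useruid",
    "cn=alice,ou=people,dc=src,dc=test": "alice",
}
SRC_GROUP_MEMBERS = [
    "cn=usercn,ou=people,dc=src,dc=test",
    "cn=alice,ou=people,dc=src,dc=test",
]

def norm(dn):
    """Lower-case and strip spaces around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def rdn_value(dn):
    """Value of the first RDN, e.g. 'usercn' for 'cn=usercn,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()

def migrate_member_by_rdn(member):
    """Behaviour described in the ticket: reuse the first RDN value as uid."""
    return "uid=%s,%s" % (rdn_value(member), IPA_USERS)

def migrate_member_by_lookup(member, users):
    """Alternative: use the uid attribute of the referenced source entry."""
    index = {norm(dn): uid for dn, uid in users.items()}
    uid = index.get(norm(member))
    if uid is None:
        return None  # member does not reference a known source user
    return "uid=%s,%s" % (uid, IPA_USERS)

def audit(members, users):
    """Return members whose RDN-based DN differs from the lookup-based DN."""
    mismatches = []
    for m in members:
        naive = migrate_member_by_rdn(m)
        correct = migrate_member_by_lookup(m, users)
        if norm(naive) != norm(correct or ""):
            mismatches.append((m, naive, correct))
    return mismatches

if __name__ == "__main__":
    for src, naive, correct in audit(SRC_GROUP_MEMBERS, SRC_USERS):
        print("member %s\n  rdn-based:    %s\n  lookup-based: %s" % (src, naive, correct))
```

A member reported here either dangles after migration or, if some other account's uid equals that cn value, grants the group to the wrong account, so it is worth reviewing before relying on migrated groups for access control.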
Metadata Update from @frenaud: - Issue assigned to someone - Issue set to the milestone: Future Releases
master: