Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1643623
Description of problem:
Customer trying to migrate user and groups from Sun directory server to IDM server. User contains value for manager attribute as "" or "No Application", this is causing the migration to fail completely, rather than failing just for that one entry.

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.4.4.x86_64

How reproducible:

Steps to Reproduce:
1. Add user in Directory server with attribute Manager with value "" or "No application"
2. Try to migrate data from Directory server to IDM.

Actual results:
----
# ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=ou=People --group-container=ou=Group --group-objectclass=posixgroup --user-objectclass=posixAccount --user-ignore-attribute={Manager} --with-compat ldap://xxx.example.com --continue
Password:
ipa: ERROR: an internal error has occurred
----

Expected results:
Users and groups should be migrated to IDM without any issues.

Additional info:
ipa migrate-ds command fails even if we ignore attribute manager.
In /var/log/httpd/error_log, we can see below logs,
----------
[Thu Oct 25 14:51:50.623924 2018] [:error] [pid 18622] ipa: DEBUG: raw: migrate_ds(u'ldap://xxx.example.com', u'********', binddn=u'cn=Directory Manager', usercontainer=u'ou=People', groupcontainer=u'ou=Group', userobjectclass=(u'posixAccount',), groupobjectclass=(u'posixgroup',), userignoreattribute=(u'krbPrincipalName', u'krbextradata', u'krblastfailedauth', u'krblastpwdchange', u'krblastsuccessfulauth', u'krbloginfailedcount', u'krbpasswordexpiration', u'krbticketflags', u'krbpwdpolicyreference', u'mepManagedEntry', u'Manager'), continue=True, compat=True, version=u'2.228')
[Thu Oct 25 14:51:50.624658 2018] [:error] [pid 18622] ipa: DEBUG: migrate_ds(u'ldap://xxx.example.com', u'********', binddn=ipapython.dn.DN('cn=Directory Manager'), usercontainer=ipapython.dn.DN('ou=People'), groupcontainer=ipapython.dn.DN('ou=Group'), userobjectclass=(u'posixAccount',), groupobjectclass=(u'posixgroup',), userignoreobjectclass=None, userignoreattribute=(u'krbPrincipalName', u'krbextradata', u'krblastfailedauth', u'krblastpwdchange', u'krblastsuccessfulauth', u'krbloginfailedcount', u'krbpasswordexpiration', u'krbticketflags', u'krbpwdpolicyreference', u'mepManagedEntry', u'Manager'), groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=True, compat=True, use_def_group=True, scope=u'onelevel', version=u'2.228', exclude_groups=None, exclude_users=None)
[Thu Oct 25 14:51:50.631415 2018] [:error] [pid 18622] ipa: DEBUG: Created connection context.ldap2_140127263649552
[Thu Oct 25 14:51:59.396992 2018] [:error] [pid 18622] ipa: ERROR: unable to convert the attribute u'manager' value 'No Application' to type <class 'ipapython.dn.DN'>
[Thu Oct 25 14:51:59.397559 2018] [:error] [pid 18622] ipa: ERROR: non-public: ValueError: unable to convert the attribute u'manager' value 'No Application' to type <class 'ipapython.dn.DN'> in LDAP entry 'uid=adtim,cn=users,cn=accounts,dc=xxx'
[Thu Oct 25 14:51:59.397585 2018] [:error] [pid 18622] Traceback (most recent call last):
[Thu Oct 25 14:51:59.397592 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Thu Oct 25 14:51:59.397598 2018] [:error] [pid 18622] result = command(*args, **options)
[Thu Oct 25 14:51:59.397603 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Thu Oct 25 14:51:59.397628 2018] [:error] [pid 18622] return self.__do_call(*args, **options)
[Thu Oct 25 14:51:59.397638 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Thu Oct 25 14:51:59.397770 2018] [:error] [pid 18622] ret = self.run(*args, **options)
[Thu Oct 25 14:51:59.397860 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Thu Oct 25 14:51:59.397939 2018] [:error] [pid 18622] return self.execute(*args, **options)
[Thu Oct 25 14:51:59.398011 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/migration.py", line 930, in execute
[Thu Oct 25 14:51:59.398045 2018] [:error] [pid 18622] ldap, config, ds_ldap, ds_base_dn, options
[Thu Oct 25 14:51:59.398124 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/migration.py", line 831, in migrate
[Thu Oct 25 14:51:59.398226 2018] [:error] [pid 18622] **blacklists
[Thu Oct 25 14:51:59.398300 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/migration.py", line 236, in _pre_migrate_user
[Thu Oct 25 14:51:59.398372 2018] [:error] [pid 18622] entry_attrs.pop(attr, None)
[Thu Oct 25 14:51:59.398378 2018] [:error] [pid 18622] File "/usr/lib64/python2.7/_abcoll.py", line 497, in pop
[Thu Oct 25 14:51:59.398383 2018] [:error] [pid 18622] value = self[key]
[Thu Oct 25 14:51:59.398388 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 442, in __getitem__
[Thu Oct 25 14:51:59.398396 2018] [:error] [pid 18622] return self._get_nice(name)
[Thu Oct 25 14:51:59.398498 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 417, in _get_nice
[Thu Oct 25 14:51:59.398628 2018] [:error] [pid 18622] self._sync_attr(name)
[Thu Oct 25 14:51:59.398671 2018] [:error] [pid 18622] File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 309, in _sync_attr
[Thu Oct 25 14:51:59.398744 2018] [:error] [pid 18622] error=e, dn=self._dn))
[Thu Oct 25 14:51:59.398777 2018] [:error] [pid 18622] ValueError: unable to convert the attribute u'manager' value 'No Application' to type <class 'ipapython.dn.DN'> in LDAP entry 'uid=adtim,cn=users,cn=accounts,dc=xxx'
[Thu Oct 25 14:51:59.399109 2018] [:error] [pid 18622] ipa: INFO: [jsonserver_session] admin@XXX: migrate_ds/1(u'ldap://xxx.example.com', u'********', binddn=u'cn=Directory Manager', usercontainer=u'ou=People', groupcontainer=u'ou=Group', userobjectclass=(u'posixAccount',), groupobjectclass=(u'posixgroup',), userignoreattribute=(u'krbPrincipalName', u'krbextradata', u'krblastfailedauth', u'krblastpwdchange', u'krblastsuccessfulauth', u'krbloginfailedcount', u'krbpasswordexpiration', u'krbticketflags', u'krbpwdpolicyreference', u'mepManagedEntry', u'Manager'), continue=True, compat=True, version=u'2.228'): InternalError
[Thu Oct 25 14:51:59.400115 2018] [:error] [pid 18622] ipa: DEBUG: Destroyed connection context.ldap2_140127273215440
[Thu Oct 25 14:51:59.400350 2018] [:error] [pid 18622] ipa: DEBUG: Destroyed connection context.ldap2_140127263649552
----------

Ldapsearch output of user
----------------
# ldapsearch -x -h xxx.example.com -b ou=People,dc=example,dc=com "(uid=adtim)"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope subtree
# filter: (uid=adtim)
# requesting: ALL
#

# adtim, People, xxx
dn: uid=adtim,ou=People,dc=example,dc=com
mailMessageStore: /dev/null
loginShell: /bin/false
manager: No Application
mailRoutingAddress: adtim@xxx.example.com
sambaKickoffTime: 2147483647
sambaLogoffTime: 2147483647
sambaLogonTime: 0
sambaPwdLastSet: 1010179124
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 0
sambaAcctFlags: [U+]
sambaSID: S-1-0-0-1048
uid: adtim
cn: adtim
telephoneNumber: 111-2222
givenName: Tim
sn: Little
mail: adtim@example.com
objectClass: mailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1048
gidNumber: 110
homeDirectory: /udd/adtim
gecos: Tim Little 525-2271

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
----------------
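The traceback in the report shows `entry_attrs.pop(attr, None)` reaching `__getitem__`, which decodes the value before it can be removed. The following is an added example, not FreeIPA code and not the project's fix; `LazyEntry`, `parse_dn`, `discard` and `drop_ignored` are hypothetical stand-ins that reproduce that mechanism and contrast it with a removal path that never decodes the value.

```python
from collections.abc import MutableMapping

def parse_dn(value):
    """Toy DN check (assumption): every comma-separated RDN must be type=value."""
    rdns = [part.strip() for part in value.split(",")]
    if any("=" not in rdn or rdn.startswith("=") for rdn in rdns):
        raise ValueError("unable to convert %r to DN" % value)
    return tuple(tuple(rdn.split("=", 1)) for rdn in rdns)

class LazyEntry(MutableMapping):
    """Hypothetical entry that stores raw strings and decodes them on read."""
    DN_ATTRS = {"manager"}

    def __init__(self, raw):
        self._raw = {name.lower(): list(vals) for name, vals in raw.items()}

    def __getitem__(self, name):
        values = self._raw[name.lower()]
        if name.lower() in self.DN_ATTRS:
            return [parse_dn(v) for v in values]  # decoding happens on read
        return values

    def __setitem__(self, name, values):
        self._raw[name.lower()] = list(values)

    def __delitem__(self, name):
        del self._raw[name.lower()]

    def __iter__(self):
        return iter(self._raw)

    def __len__(self):
        return len(self._raw)

    def discard(self, name):
        """Remove an attribute without ever decoding its value."""
        self._raw.pop(name.lower(), None)

# Constructed sample modelled on the entry in the report.
SAMPLE = {"uid": ["adtim"], "cn": ["adtim"], "Manager": ["No Application"]}

def drop_ignored(entry, ignored, decode_free):
    """Strip ignored attributes; return the names left, or the error text."""
    try:
        for attr in ignored:
            if decode_free:
                entry.discard(attr)
            else:
                entry.pop(attr, None)  # MutableMapping.pop reads self[attr] first
    except ValueError as exc:
        return "failed: %s" % exc
    return sorted(entry)
```

The `None` default in `pop(attr, None)` only covers `KeyError`, so the `ValueError` raised during decoding propagates to the caller.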
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1643623
See similar comments in closed-as-duplicate ticket https://pagure.io/freeipa/issue/3927
master:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field affects_doc adjusted to on - Custom field knownissue adjusted to on - Issue set to the milestone: None (was: FreeIPA 4.7.2) - Issue status updated to: Open (was: Closed)