#7749 `ipa migrate-ds` fails to migrate user and group data from directory server to IDM.
Opened 5 years ago by frenaud. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1643623

Description of problem:

Customer is trying to migrate users and groups from a Sun directory server to an
IDM server.

A user entry contains the value "" or "No Application" for the manager
attribute. This causes the migration to fail completely, rather than failing
just for that one entry.



Version-Release number of selected component (if applicable):

ipa-server-4.5.4-10.el7_5.4.4.x86_64

How reproducible:

Steps to Reproduce:

1. Add a user in the Directory server with the Manager attribute set to "" or
"No application"

2. Try to migrate data from Directory server to IDM.


Actual results:

----
# ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=ou=People
--group-container=ou=Group --group-objectclass=posixgroup
--user-objectclass=posixAccount --user-ignore-attribute={Manager} --with-compat
ldap://xxx.example.com --continue
Password:
ipa: ERROR: an internal error has occurred
----


Expected results:

Users and groups should be migrated to IDM without any issues.


Additional info:

The ipa migrate-ds command fails even if we ignore the manager attribute.

In /var/log/httpd/error_log, we can see the logs below:

----------
[Thu Oct 25 14:51:50.623924 2018] [:error] [pid 18622] ipa: DEBUG: raw:
migrate_ds(u'ldap://xxx.example.com', u'********', binddn=u'cn=Directory
Manager', usercontainer=u'ou=People', groupcontainer=u'ou=Group',
userobjectclass=(u'posixAccount',), groupobjectclass=(u'posixgroup',),
userignoreattribute=(u'krbPrincipalName', u'krbextradata',
u'krblastfailedauth', u'krblastpwdchange', u'krblastsuccessfulauth',
u'krbloginfailedcount', u'krbpasswordexpiration', u'krbticketflags',
u'krbpwdpolicyreference', u'mepManagedEntry', u'Manager'), continue=True,
compat=True, version=u'2.228')
[Thu Oct 25 14:51:50.624658 2018] [:error] [pid 18622] ipa: DEBUG:
migrate_ds(u'ldap://xxx.example.com', u'********',
binddn=ipapython.dn.DN('cn=Directory Manager'),
usercontainer=ipapython.dn.DN('ou=People'),
groupcontainer=ipapython.dn.DN('ou=Group'), userobjectclass=(u'posixAccount',),
groupobjectclass=(u'posixgroup',), userignoreobjectclass=None,
userignoreattribute=(u'krbPrincipalName', u'krbextradata',
u'krblastfailedauth', u'krblastpwdchange', u'krblastsuccessfulauth',
u'krbloginfailedcount', u'krbpasswordexpiration', u'krbticketflags',
u'krbpwdpolicyreference', u'mepManagedEntry', u'Manager'),
groupignoreobjectclass=None, groupignoreattribute=None,
groupoverwritegid=False, schema=u'RFC2307bis', continue=True, compat=True,
use_def_group=True, scope=u'onelevel', version=u'2.228', exclude_groups=None,
exclude_users=None)
[Thu Oct 25 14:51:50.631415 2018] [:error] [pid 18622] ipa: DEBUG: Created
connection context.ldap2_140127263649552
[Thu Oct 25 14:51:59.396992 2018] [:error] [pid 18622] ipa: ERROR: unable to
convert the attribute u'manager' value 'No Application' to type <class
'ipapython.dn.DN'>
[Thu Oct 25 14:51:59.397559 2018] [:error] [pid 18622] ipa: ERROR: non-public:
ValueError: unable to convert the attribute u'manager' value 'No Application'
to type <class 'ipapython.dn.DN'> in LDAP entry
'uid=adtim,cn=users,cn=accounts,dc=xxx'
[Thu Oct 25 14:51:59.397585 2018] [:error] [pid 18622] Traceback (most recent
call last):
[Thu Oct 25 14:51:59.397592 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in
wsgi_execute
[Thu Oct 25 14:51:59.397598 2018] [:error] [pid 18622]     result =
command(*args, **options)
[Thu Oct 25 14:51:59.397603 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Thu Oct 25 14:51:59.397628 2018] [:error] [pid 18622]     return
self.__do_call(*args, **options)
[Thu Oct 25 14:51:59.397638 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Thu Oct 25 14:51:59.397770 2018] [:error] [pid 18622]     ret =
self.run(*args, **options)
[Thu Oct 25 14:51:59.397860 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Thu Oct 25 14:51:59.397939 2018] [:error] [pid 18622]     return
self.execute(*args, **options)
[Thu Oct 25 14:51:59.398011 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/migration.py", line 930, in
execute
[Thu Oct 25 14:51:59.398045 2018] [:error] [pid 18622]     ldap, config,
ds_ldap, ds_base_dn, options
[Thu Oct 25 14:51:59.398124 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/migration.py", line 831, in
migrate
[Thu Oct 25 14:51:59.398226 2018] [:error] [pid 18622]     **blacklists
[Thu Oct 25 14:51:59.398300 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/migration.py", line 236, in
_pre_migrate_user
[Thu Oct 25 14:51:59.398372 2018] [:error] [pid 18622]
entry_attrs.pop(attr, None)
[Thu Oct 25 14:51:59.398378 2018] [:error] [pid 18622]   File
"/usr/lib64/python2.7/_abcoll.py", line 497, in pop
[Thu Oct 25 14:51:59.398383 2018] [:error] [pid 18622]     value = self[key]
[Thu Oct 25 14:51:59.398388 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 442, in
__getitem__
[Thu Oct 25 14:51:59.398396 2018] [:error] [pid 18622]     return
self._get_nice(name)
[Thu Oct 25 14:51:59.398498 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 417, in _get_nice
[Thu Oct 25 14:51:59.398628 2018] [:error] [pid 18622]
self._sync_attr(name)
[Thu Oct 25 14:51:59.398671 2018] [:error] [pid 18622]   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 309, in
_sync_attr
[Thu Oct 25 14:51:59.398744 2018] [:error] [pid 18622]     error=e,
dn=self._dn))
[Thu Oct 25 14:51:59.398777 2018] [:error] [pid 18622] ValueError: unable to
convert the attribute u'manager' value 'No Application' to type <class
'ipapython.dn.DN'> in LDAP entry
'uid=adtim,cn=users,cn=accounts,dc=xxx'
[Thu Oct 25 14:51:59.399109 2018] [:error] [pid 18622] ipa: INFO:
[jsonserver_session] admin@XXX:
migrate_ds/1(u'ldap://xxx.example.com', u'********',
binddn=u'cn=Directory Manager', usercontainer=u'ou=People',
groupcontainer=u'ou=Group', userobjectclass=(u'posixAccount',),
groupobjectclass=(u'posixgroup',), userignoreattribute=(u'krbPrincipalName',
u'krbextradata', u'krblastfailedauth', u'krblastpwdchange',
u'krblastsuccessfulauth', u'krbloginfailedcount', u'krbpasswordexpiration',
u'krbticketflags', u'krbpwdpolicyreference', u'mepManagedEntry', u'Manager'),
continue=True, compat=True, version=u'2.228'): InternalError
[Thu Oct 25 14:51:59.400115 2018] [:error] [pid 18622] ipa: DEBUG: Destroyed
connection context.ldap2_140127273215440
[Thu Oct 25 14:51:59.400350 2018] [:error] [pid 18622] ipa: DEBUG: Destroyed
connection context.ldap2_140127263649552
----------


ldapsearch output for the user:


----------------
# ldapsearch -x  -h xxx.example.com -b ou=People,dc=example,dc=com
"(uid=adtim)"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope subtree
# filter: (uid=adtim)
# requesting: ALL
#

# adtim, People, xxx
dn: uid=adtim,ou=People,dc=example,dc=com
mailMessageStore: /dev/null
loginShell: /bin/false
manager: No Application
mailRoutingAddress: adtim@xxx.example.com
sambaKickoffTime: 2147483647
sambaLogoffTime: 2147483647
sambaLogonTime: 0
sambaPwdLastSet: 1010179124
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 0
sambaAcctFlags: [U+]
sambaSID: S-1-0-0-1048
uid: adtim
cn: adtim
telephoneNumber: 111-2222
givenName: Tim
sn: Little
mail: adtim@example.com
objectClass: mailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1048
gidNumber: 110
homeDirectory: /udd/adtim
gecos: Tim Little 525-2271

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

----------------
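
A pre-flight check for the condition reported above, added here as an example (it is not part of the ticket or of FreeIPA code): it scans ldapsearch LDIF output from the source directory for DN-syntax attributes such as manager whose values are not DNs, so the offending entries can be found before `ipa migrate-ds` is run. The attribute list, the simplified DN test and the sample entries for alice and carol are assumptions constructed for the example.

```python
import base64
import re

# Attributes with DN syntax to check (assumed list; extend it for your schema).
DN_ATTRS = {"manager", "secretary", "seealso"}
# Simplified check, not a full RFC 4514 parser: every comma-separated
# component must look like "type=value".
_SPLIT = re.compile(r"(?<!\\),")
_AVA = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=\s*\S")

def looks_like_dn(value):
    value = value.strip()
    return bool(value) and all(_AVA.match(p) for p in _SPLIT.split(value))

def find_bad_dn_values(ldif_text):
    """Return (entry_dn, attribute, value) for DN-syntax values that are not DNs."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines and lines[-1]:
            lines[-1] += line[1:]          # LDIF folded line
        else:
            lines.append(line)
    findings, dn = [], None
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue                       # comment, blank line or separator
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:]).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() in DN_ATTRS and not looks_like_dn(value):
            findings.append((dn, attr, value))
    return findings

# Constructed sample modelled on the ldapsearch output in this ticket.
SAMPLE_LDIF = """\
dn: uid=adtim,ou=People,dc=example,dc=com
manager: No Application

dn: uid=alice,ou=People,dc=example,dc=com
manager: uid=bob,ou=People,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,dc=com
manager:
"""

if __name__ == "__main__":
    for entry_dn, attr, value in find_bad_dn_values(SAMPLE_LDIF):
        print(f"{entry_dn}: {attr}={value!r} is not a DN")
```

Feed it the saved output of an `ldapsearch` against the user container; entries it reports can be corrected in the source directory before migrating.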

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1643623

5 years ago

See similar comments in closed-as-duplicate ticket https://pagure.io/freeipa/issue/3927

master:

  • d4859db Design for IPA-to-IPA migration

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @abbra:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue set to the milestone: None (was: FreeIPA 4.7.2)
- Issue status updated to: Open (was: Closed)

2 years ago
