Hi all,
We're performing some migrate-ds and noticed some missing users. We took a closer look and the errors are:
<redacted user>: attribute "givenName" not allowed
<redacted user>: attribute "givenName" not allowed
<redacted user>: attribute "departmentNumber" not allowed
<redacted user>: attribute "departmentNumber" not allowed
<redacted user>: attribute "departmentNumber" not allowed
This is odd, because this OU is being grabbed with some filters which should specifically ignore these attributes. The old environment is OpenLDAP and the migrate-ds command is as follows:
ipa migrate-ds --schema=RFC2307 --base-dn="dc=<redacted>,dc=com" \
  --bind-dn="cn=<redacted>,ou=<redacted>,dc=<redacted>,dc=com" \
  --ca-cert-file=/etc/ssl/certs/ca.crt ldaps://<redacted> \
  --user-container=ou=<redacted> --user-objectclass=posixaccount \
  --group-container=ou=group --group-objectclass=posixgroup \
  --user-ignore-attribute="sn,ldappublickey,sshpublickey,givenName,departmentNumber" \
  --user-ignore-objectclass={person,organizationalPerson,inetOrgPerson,departmentNumber,givenName,ldappublickey,sshpublickey}
Regards, Alfred
Alfred Victor via FreeIPA-users wrote:
> Hi all,
> We're performing some migrate-ds and noticed some missing users. We took a closer look and the errors are:
> <redacted user>: attribute "givenName" not allowed
> <redacted user>: attribute "givenName" not allowed
> <redacted user>: attribute "departmentNumber" not allowed
> <redacted user>: attribute "departmentNumber" not allowed
> <redacted user>: attribute "departmentNumber" not allowed
It means those attributes aren't provided by the available objectclasses.
You are ignoring a bunch of objectclasses required by IPA, notably person, organizationalPerson and inetOrgPerson. The things following that in the user-ignore-objectclass are attributes.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi Rob,
Thanks for your prompt response. I will remove the attributes from the objectclass list; I think they only wound up there because I was confused about what was happening. The rest were added because that is listed as the solution for the same (givenName, etc.) "attribute not allowed" errors below, though it appears this does not extend to OpenLDAP as the directory source. Is there something I can do to import the users successfully?
https://access.redhat.com/solutions/3245371
Regards,
Alfred
On Thu, Jul 23, 2020 at 12:11 PM Rob Crittenden rcritten@redhat.com wrote:
Alfred Victor wrote:
> Hi Rob,
> Thanks for your prompt response. I will remove the attributes from the objectclass list; I think they only wound up there because I was confused about what was happening. The rest were added because that is listed as the solution for the same (givenName, etc.) "attribute not allowed" errors below, though it appears this does not extend to OpenLDAP as the directory source. Is there something I can do to import the users successfully?
> https://access.redhat.com/solutions/3245371
That article states that dropping the --user-ignore-objectclass line resolved the issue.
rob
Apologies, you are correct. I misread this as a colleague set these options originally, so I had assumed it was an attempt to solve this issue and misinterpreted the RHEL article. I will give it a try, thanks!
Alfred
On Thu, Jul 23, 2020 at 1:21 PM Rob Crittenden rcritten@redhat.com wrote:
Hi Rob,
I am now only seeing two users get skipped, but the rest have come over! For the remaining users I have tried to resolve this with more options, or by removing further options, but no luck. Please advise:
<redacted>: unknown object class "ldappublickey"
<redacted>: unknown object class "ldappublickey"
Alfred
On Thu, Jul 23, 2020 at 1:49 PM Alfred Victor alvic266@gmail.com wrote:
Alfred Victor wrote:
> Hi Rob,
> I am now only seeing two users get skipped, but the rest have come over! For the remaining users I have tried to resolve this with more options, or by removing further options, but no luck. Please advise:
> <redacted>: unknown object class "ldappublickey"
> <redacted>: unknown object class "ldappublickey"
I don't know what's stored in that but --user-ignore-objectclass=ldappublickey should fix it.
rob
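The two errors in this thread, 'attribute "givenName" not allowed' (Rob's first reply: the ignored object classes are the ones that permit those attributes) and 'unknown object class "ldappublickey"' (his last reply), are both schema checks the target directory applies to each migrated entry after the --user-ignore-attribute and --user-ignore-objectclass lists have been applied. The model below is an added example, not FreeIPA's own migrate-ds code: the target schema is a constructed subset (it deliberately has no ldapPublicKey class, which is what makes that class "unknown"), the user entry is made up, and names are compared case-insensitively as LDAP does. It walks the thread's progression: ignoring person/organizationalPerson/inetOrgPerson produces the givenName and departmentNumber errors; keeping them exposes the unknown class; ignoring that class then leaves its attribute (sshPublicKey) with no class that permits it, so the attribute has to be ignored as well.

```python
"""Added example (not FreeIPA's code): a model of the schema check that
yields 'attribute "X" not allowed' and 'unknown object class "Y"' for one
migrated user entry, after the ignore lists are applied."""

# Constructed subset of a target schema: object class -> attributes it permits
# (MUST and MAY merged). There is deliberately no ldapPublicKey class here.
TARGET_SCHEMA = {
    "top": {"objectClass"},
    "person": {"cn", "sn", "userPassword", "telephoneNumber", "description"},
    "organizationalPerson": {"title", "ou", "l", "postalAddress"},
    "inetOrgPerson": {"uid", "mail", "givenName", "departmentNumber", "employeeNumber"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                     "loginShell", "gecos", "description"},
}


def _lower(names):
    """LDAP attribute and object class names are case-insensitive."""
    return {n.lower() for n in names}


def check_entry(entry, ignore_attrs=(), ignore_classes=(), schema=TARGET_SCHEMA):
    """Apply the ignore lists to `entry` and return the errors the target
    directory would raise, or [] if the entry would be accepted.

    `entry` maps attribute names to lists of values and carries its own
    'objectClass'. Unknown classes are reported first, because the set of
    permitted attributes cannot be computed without them.
    """
    ignore_attrs = _lower(ignore_attrs)
    ignore_classes = _lower(ignore_classes)
    schema_lc = {name.lower(): _lower(attrs) for name, attrs in schema.items()}

    # --user-ignore-objectclass: drop the listed classes before checking.
    # Attribute names placed in this list simply match nothing.
    classes = [c for c in entry.get("objectClass", []) if c.lower() not in ignore_classes]
    unknown = [f'unknown object class "{c}"' for c in classes if c.lower() not in schema_lc]
    if unknown:
        return unknown

    # Everything the remaining classes permit, combined.
    allowed = set().union(*(schema_lc[c.lower()] for c in classes))

    # --user-ignore-attribute: drop the listed attributes, then check the rest.
    errors = []
    for attr in entry:
        a = attr.lower()
        if a == "objectclass" or a in ignore_attrs:
            continue
        if a not in allowed:
            errors.append(f'attribute "{attr}" not allowed')
    return errors


# Constructed OpenLDAP-style user entry; every value is made up.
SAMPLE_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount", "ldapPublicKey"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"], "givenName": ["Jane"],
    "departmentNumber": ["42"], "uidNumber": ["10001"], "gidNumber": ["10001"],
    "homeDirectory": ["/home/jdoe"], "sshPublicKey": ["ssh-ed25519 AAAA(constructed)"],
}

# The class ignore list from the thread's original command.
THREAD_IGNORE_CLASSES = ["person", "organizationalPerson", "inetOrgPerson",
                         "departmentNumber", "givenName", "ldappublickey", "sshpublickey"]


def scenarios():
    """The thread's progression as (label, errors) pairs."""
    return [
        # Ignoring the classes that permit givenName/departmentNumber: first error.
        ("thread's ignore-objectclass list",
         check_entry(SAMPLE_USER, ignore_classes=THREAD_IGNORE_CLASSES,
                     ignore_attrs=["sn", "sshpublickey"])),
        # Keep those classes: the only remaining problem is a class the target lacks.
        ("no ignored classes", check_entry(SAMPLE_USER)),
        # Ignore ldappublickey as suggested: its attribute now has no permitting class.
        ("ignore ldappublickey", check_entry(SAMPLE_USER, ignore_classes=["ldappublickey"])),
        # So the attribute must be ignored too (the original command already did this).
        ("ignore class and attribute",
         check_entry(SAMPLE_USER, ignore_classes=["ldappublickey"], ignore_attrs=["sshpublickey"])),
    ]


if __name__ == "__main__":
    for label, errors in scenarios():
        print(f"{label}: {errors or 'accepted'}")
```

Running the block prints the four stages; the last one is accepted only because sshPublicKey is dropped along with its class, which is the practical reading of "I don't know what's stored in that": an attribute whose object class is ignored is lost unless the target schema has a home for it.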