> Works without problems. Does not migrate UPGs nor ignore Kerberos data:
> ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
>   --group-container='cn=groups,cn=accounts' \
>   ldap://ipa.example.com
>
> Migrates UPGs and other groups, but no users because of "mepOriginEntry":
> ipa migrate-ds --bind-dn="cn=Directory Manager" \
>   --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
>   --group-objectclass=posixgroup \
>   --user-ignore-objectclass=mepOriginEntry \
>   --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
>   --with-compat \
>   ldaps://ipa.example.com
>
> Could we experience any inconsistency by not ignoring Kerberos data?

I'm experiencing inconsistency using ipa-migrate.
If a user is, e.g., deleted, and then I try to re-run the ipa-migrate command, the user will
be successfully migrated; however, the user will no longer be part of any user groups.

Command:
ipa migrate-ds --bind-dn="cn=Directory Manager" \
  --user-container=cn=users,cn=accounts \
  --group-container=cn=groups,cn=accounts \
  --group-objectclass=posixgroup \
  --group-objectclass=ipausergroup \
  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference} \
  --with-compat \
  ldaps://ipa.example.com

What's the use-case for this?

I think this is likely because migration currently doesn't support
user-private groups and a default IPA user doesn't have a memberof their
private groups.

migrate-ds was designed to migrate users who used only LDAP to use IPA.
IPA to IPA migration is possible for users and groups but it's full of
pitfalls. This may be another one.

rob