Antoine Gatineau via FreeIPA-users wrote:
> Hello all.
> I am trying to migrate my users from one ipa to another one.
> I was able to import the users and groups with 'ipa migrate-ds'. However the
> migration process generates new ipaUniqueIds.
> IPA is my source of users for keycloak user federation and other applications that use
> ipaUniqueId to identify the user.
> When syncing from ipa, they now report a conflict as they should.
> So is it possible (and how) to manually set the ipaUniqueId to the value it had
> originally?
> I have seen that ipa user-mod --setattr is now locked for this attribute:
> https://bugzilla.redhat.com/show_bug.cgi?id=634194
> Thank you for any pointer to a solution.

It will take a few steps and I haven't tested this fully. To disable the
check in the above BZ you'd need to set ipaUuidEnforce to FALSE in
cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config using ldapmodify.
No users currently have write access to ipaUniqueID so I'd create a
permission to grant write on that. Then create a privilege and role to
grant that to whoever you want. I'd give it to the admins group.
That should allow you to use the setattr option.
Once you're done setting things I'd remove the permission/privilege/role
and set ipaUuidEnforce back to TRUE.
An alternative if you're still experimenting with the migration would be
to modify /usr/lib/python*/ipaserver/plugins/migration.py and comment
out the two lines:
    entry_attrs['ipauniqueid'] = 'autogenerate'
And restart httpd. I think that should retain the current values when
you re-run the migration (you'd have to either remove all the
users/groups or re-do the install).
rob
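
The first approach in the reply above, as an added sketch that is not part of the original thread and, like the reply, is untested against a live server. It only prints LDIF and `ipa` commands for review. The permission, privilege and role names are hypothetical, the `permission-add` options assume FreeIPA 4.x, and the input is assumed to be "uid old-ipaUniqueID" pairs exported from the old server.

```shell
#!/bin/sh
# Added sketch: nothing here changes the directory, every function only
# prints LDIF or commands for review. PERM, PRIV, ROLE are hypothetical names.
PERM='Temp write ipaUniqueID'
PRIV='Temp ipaUniqueID writers'
ROLE='Temp ipaUniqueID restore'

# LDIF for ldapmodify (run as Directory Manager); $1 is TRUE or FALSE.
enforce_ldif() {
    case "$1" in TRUE|FALSE) ;; *) echo "want TRUE or FALSE" >&2; return 1 ;; esac
    printf '%s\n' \
        'dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config' \
        'changetype: modify' \
        'replace: ipaUuidEnforce' \
        "ipaUuidEnforce: $1"
}

# Temporary permission -> privilege -> role, granted to the admins group.
grant_cmds() {
    cat <<EOF
ipa permission-add '$PERM' --type=user --right=write --attrs=ipauniqueid
ipa privilege-add '$PRIV'
ipa privilege-add-permission '$PRIV' --permissions='$PERM'
ipa role-add '$ROLE'
ipa role-add-privilege '$ROLE' --privileges='$PRIV'
ipa role-add-member '$ROLE' --groups=admins
EOF
}

# Cleanup once every ID is restored; follow with: enforce_ldif TRUE
revoke_cmds() {
    printf "ipa %s '%s'\n" role-del "$ROLE" privilege-del "$PRIV" permission-del "$PERM"
}

# stdin: "uid old-ipaUniqueID" per line. Malformed lines are rejected so the
# generated commands contain no shell metacharacters or option-like names.
restore_cmds() {
    rc=0
    while read -r uid uuid; do
        if printf '%s\n' "$uid" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9._-]*$' &&
           printf '%s\n' "$uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
        then
            printf 'ipa user-mod %s --setattr=ipauniqueid=%s\n' "$uid" "$uuid"
        else
            echo "skipped malformed line: $uid $uuid" >&2; rc=1
        fi
    done
    return $rc
}
```

The intended order is `enforce_ldif FALSE`, `grant_cmds`, `restore_cmds`, `revoke_cmds`, then `enforce_ldif TRUE`, so the write access and the disabled check exist only for the duration of the restore.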