Please provide the Directory Server access log snippet from this failure
as well.

The issue is it can't find the groups on the REMOTE ldap server, not the
IPA server. If you could provide a sample entry for one of the remote
groups that would be helpful.

rob

Thanks,
Mark

On 10/26/20 7:59 AM, Per Qvindesland via FreeIPA-users wrote:
> Hi
>
> While running the command: echo password123 | ipa migrate-ds
> --with-compat ldap://ipofldap:389
> --bind-dn="cn=admin,dc=company,dc=com" --base-dn=dc=company,dc=com
> --user-container=ou=people --group-container=ou=groups --scope=subtree
> then it's failing with ipa:
> ERROR: group LDAP search did not return any result (search base:
> ou=groups,dc=company,dc=com, objectclass: groupofuniquenames,
> groupofnames)
>
> No matter how I change the command to ipa migrate-ds
> ldap://ldapserver:389 --bind-dn="cn=admin,dc=example,dc=com" then it
> still fails with the same error
>
> Does anyone know how I can resolve this? In the slapd errors logs I
> see this:
>
> [26/Oct/2020:11:18:18.622956777 +0100] - ERR - attrcrypt_init - All
> prepared ciphers are not available. Please disable attribute encryption.
> [26/Oct/2020:11:18:19.228133838 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does
> not exist
> [26/Oct/2020:11:18:19.229323016 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com
> does not exist
> [26/Oct/2020:11:18:19.229952707 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.230652382 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist
> [26/Oct/2020:11:18:19.231285195 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does
> not exist
> [26/Oct/2020:11:18:19.231934733 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.232593780 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.233232479 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.233866104 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.234486443 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.235118913 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.235747974 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.236394872 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.237060940 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.237715214 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.238356425 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:18:19.244588134 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=com does not exist
> [26/Oct/2020:11:18:19.246571311 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [26/Oct/2020:11:18:19.247223136 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [26/Oct/2020:11:18:19.343344230 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=automember rebuild
> membership,cn=tasks,cn=config does not exist
> [26/Oct/2020:11:18:19.348552041 +0100] - ERR - cos-plugin -
> cos_dn_defs_cb - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
> should be added before the CoS Definition.
> [26/Oct/2020:11:18:19.378667333 +0100] - INFO - slapd_daemon - slapd
> started. Listening on All Interfaces port 389 for LDAP requests
> [26/Oct/2020:11:18:19.381366608 +0100] - INFO - slapd_daemon -
> Listening on All Interfaces port 636 for LDAPS requests
> [26/Oct/2020:11:18:19.383976582 +0100] - INFO - slapd_daemon -
> Listening on /var/run/slapd-PROXDYNAMICS-COM.socket for LDAPI requests
> [26/Oct/2020:11:24:47.858883691 +0100] - INFO - op_thread_cleanup -
> slapd shutting down - signaling operation threads - op stack size 1
> max work q size 2 max work q stack size 2
> [26/Oct/2020:11:24:47.958419078 +0100] - INFO - slapd_daemon - slapd
> shutting down - closing down internal subsystems and plugins
> [26/Oct/2020:11:24:49.018815611 +0100] - INFO - bdb_pre_close -
> Waiting for 4 database threads to stop
> [26/Oct/2020:11:24:50.544575094 +0100] - INFO - bdb_pre_close - All
> database threads now stopped
> [26/Oct/2020:11:24:50.557264313 +0100] - INFO -
> ldbm_back_instance_set_destructor - Set of instances destroyed
> [26/Oct/2020:11:24:50.558354653 +0100] - INFO -
> connection_post_shutdown_cleanup - slapd shutting down - freed 2 work
> q stack objects - freed 5 op stack objects
> [26/Oct/2020:11:24:50.558915217 +0100] - INFO - main - slapd stopped.
> [26/Oct/2020:11:25:31.985322130 +0100] - INFO - slapd_extract_cert -
> CA CERT NAME: PROXDYNAMICS.COM IPA CA
> [26/Oct/2020:11:25:32.004250734 +0100] - WARN - Security
> Initialization - SSL alert: Sending pin request to SVRCore. You may
> need to run systemd-tty-ask-password-agent to provide the password.
> [26/Oct/2020:11:25:32.204204240 +0100] - INFO - slapd_extract_cert -
> SERVER CERT NAME: Server-Cert
> [26/Oct/2020:11:25:32.784801369 +0100] - INFO - Security
> Initialization - SSL info: Enabling default cipher set.
> [26/Oct/2020:11:25:32.785394876 +0100] - INFO - Security
> Initialization - SSL info: Configured NSS Ciphers
> [26/Oct/2020:11:25:32.785945734 +0100] - INFO - Security
> Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
> [26/Oct/2020:11:25:32.786493194 +0100] - INFO - Security
> Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
> [26/Oct/2020:11:25:32.787079571 +0100] - INFO - Security
> Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
> [26/Oct/2020:11:25:32.787564682 +0100] - INFO - Security
> Initialization - SSL info:
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Oct/2020:11:25:32.788075487 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
> enabled
> [26/Oct/2020:11:25:32.788559673 +0100] - INFO - Security
> Initialization - SSL info:
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> [26/Oct/2020:11:25:32.789102837 +0100] - INFO - Security
> Initialization - SSL info:
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> [26/Oct/2020:11:25:32.789589594 +0100] - INFO - Security
> Initialization - SSL info:
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Oct/2020:11:25:32.790077677 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
> enabled
> [26/Oct/2020:11:25:32.790578956 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
> enabled
> [26/Oct/2020:11:25:32.791113852 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
> enabled
> [26/Oct/2020:11:25:32.791943466 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Oct/2020:11:25:32.792531988 +0100] - INFO - Security
> Initialization - SSL info:
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> [26/Oct/2020:11:25:32.793207244 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
> enabled
> [26/Oct/2020:11:25:32.793713859 +0100] - INFO - Security
> Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Oct/2020:11:25:32.794224928 +0100] - INFO - Security
> Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
> enabled
> [26/Oct/2020:11:25:32.794737674 +0100] - INFO - Security
> Initialization - SSL info:
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> [26/Oct/2020:11:25:32.795251667 +0100] - INFO - Security
> Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
> enabled
> [26/Oct/2020:11:25:32.795769593 +0100] - INFO - Security
> Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Oct/2020:11:25:32.796287159 +0100] - INFO - Security
> Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
> enabled
> [26/Oct/2020:11:25:32.796807154 +0100] - INFO - Security
> Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Oct/2020:11:25:32.797403513 +0100] - INFO - Security
> Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
> enabled
> [26/Oct/2020:11:25:32.797932212 +0100] - INFO - Security
> Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Oct/2020:11:25:32.798459755 +0100] - INFO - Security
> Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Oct/2020:11:25:32.799030910 +0100] - INFO - Security
> Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Oct/2020:11:25:32.799573067 +0100] - INFO - Security
> Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> [26/Oct/2020:11:25:32.800109380 +0100] - INFO - Security
> Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Oct/2020:11:25:32.800638525 +0100] - INFO - Security
> Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> [26/Oct/2020:11:25:33.345680476 +0100] - INFO - Security
> Initialization - slapd_ssl_init2 - Configured SSL version range: min:
> TLS1.2, max: TLS1.3
> [26/Oct/2020:11:25:33.346491118 +0100] - INFO - Security
> Initialization - slapd_ssl_init2 - NSS adjusted SSL version range:
> min: TLS1.2, max: TLS1.3
> [26/Oct/2020:11:25:33.347161756 +0100] - INFO - main -
> 389-Directory/1.4.2.4 B2020.255.2048 starting up
> [26/Oct/2020:11:25:33.347693917 +0100] - INFO - main - Setting the
> maximum file descriptor limit to: 262144
> [26/Oct/2020:11:25:34.438699059 +0100] - INFO - PBKDF2_SHA256 - Based
> on CPU performance, chose 2048 rounds
> [26/Oct/2020:11:25:34.442181997 +0100] - INFO -
> ldbm_instance_config_cachememsize_set - force a minimal value 512000
> [26/Oct/2020:11:25:34.448132662 +0100] - INFO -
> ldbm_instance_config_cachememsize_set - force a minimal value 512000
> [26/Oct/2020:11:25:34.453494825 +0100] - INFO -
> ldbm_instance_config_cachememsize_set - force a minimal value 512000
> [26/Oct/2020:11:25:34.458647975 +0100] - NOTICE - ldbm_back_start -
> found 3868940k physical memory
> [26/Oct/2020:11:25:34.459245844 +0100] - NOTICE - ldbm_back_start -
> found 3334504k available
> [26/Oct/2020:11:25:34.459802577 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: db cache: 96723k
> [26/Oct/2020:11:25:34.460371153 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: userRoot entry cache (3 total): 131072k
> [26/Oct/2020:11:25:34.461129521 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: userRoot dn cache (3 total): 65536k
> [26/Oct/2020:11:25:34.462282548 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: ipaca entry cache (3 total): 131072k
> [26/Oct/2020:11:25:34.463016641 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: ipaca dn cache (3 total): 65536k
> [26/Oct/2020:11:25:34.464194998 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: changelog entry cache (3 total): 131072k
> [26/Oct/2020:11:25:34.464956271 +0100] - NOTICE - ldbm_back_start -
> cache autosizing: changelog dn cache (3 total): 65536k
> [26/Oct/2020:11:25:34.465703802 +0100] - NOTICE - ldbm_back_start -
> total cache size: 683215667 B;
> [26/Oct/2020:11:25:35.118987768 +0100] - ERR - attrcrypt_unwrap_key -
> Failed to unwrap key for cipher AES
> [26/Oct/2020:11:25:35.119820971 +0100] - ERR - attrcrypt_cipher_init -
> Symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [26/Oct/2020:11:25:35.408089893 +0100] - ERR - attrcrypt_unwrap_key -
> Failed to unwrap key for cipher 3DES
> [26/Oct/2020:11:25:35.408739079 +0100] - ERR - attrcrypt_cipher_init -
> Symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [26/Oct/2020:11:25:35.409291926 +0100] - ERR - attrcrypt_init - All
> prepared ciphers are not available. Please disable attribute encryption.
> [26/Oct/2020:11:25:35.699507155 +0100] - ERR - attrcrypt_unwrap_key -
> Failed to unwrap key for cipher AES
> [26/Oct/2020:11:25:35.700197858 +0100] - ERR - attrcrypt_cipher_init -
> Symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [26/Oct/2020:11:25:35.993821262 +0100] - ERR - attrcrypt_unwrap_key -
> Failed to unwrap key for cipher 3DES
> [26/Oct/2020:11:25:35.995400166 +0100] - ERR - attrcrypt_cipher_init -
> Symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [26/Oct/2020:11:25:35.996128828 +0100] - ERR - attrcrypt_init - All
> prepared ciphers are not available. Please disable attribute encryption.
> [26/Oct/2020:11:25:36.676724884 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does
> not exist
> [26/Oct/2020:11:25:36.677458024 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com
> does not exist
> [26/Oct/2020:11:25:36.678097744 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.678801681 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist
> [26/Oct/2020:11:25:36.679445978 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does
> not exist
> [26/Oct/2020:11:25:36.680107840 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.680752352 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.681421435 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.682075173 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.682731538 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.683392435 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.683961442 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.684550864 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.685159287 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.685757939 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.686370905 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not
> exist
> [26/Oct/2020:11:25:36.692387853 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=com does not exist
> [26/Oct/2020:11:25:36.694119273 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [26/Oct/2020:11:25:36.694778890 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=casigningcert
> cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [26/Oct/2020:11:25:36.790882675 +0100] - WARN - NSACLPlugin -
> acl_parse - The ACL target cn=automember rebuild
> membership,cn=tasks,cn=config does not exist
> [26/Oct/2020:11:25:36.796103722 +0100] - ERR - cos-plugin -
> cos_dn_defs_cb - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
> should be added before the CoS Definition.
> [26/Oct/2020:11:25:36.826914731 +0100] - INFO - slapd_daemon - slapd
> started. Listening on All Interfaces port 389 for LDAP requests
> [26/Oct/2020:11:25:36.828243699 +0100] - INFO - slapd_daemon -
> Listening on All Interfaces port 636 for LDAPS requests
> [26/Oct/2020:11:25:36.829512166 +0100] - INFO - slapd_daemon -
> Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>
> Regards
> Per
>
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
389 Directory Server Development Team
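
The check rob's request points at, as an added example that is not part of the thread or of FreeIPA: given sample group entries from the remote server as LDIF, it reports which ones the filter named in the error (groupofuniquenames, groupofnames) would match and which it would miss. The LDIF entries are constructed, and the posixGroup case is an assumption about what a remote directory might hold.

```python
import base64

# Object classes named in the migrate-ds error quoted on this page.
DEFAULT_GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}

# Constructed sample of what a search under ou=groups on the remote server
# could return; both entries are hypothetical.
SAMPLE_LDIF = """\
# constructed sample
dn: cn=developers,ou=groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
memberUid: alice

dn: cn=ops,ou=groups,dc=company,dc=com
objectClass: groupOfNames
member: uid=carol,ou=people,dc=company,
 dc=com
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (keys lower-cased)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                      # LDIF comment
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries

def check_groups(entries, wanted=DEFAULT_GROUP_CLASSES):
    """Split entries into DNs the filter would match and {dn: classes} it would miss."""
    matched, missed = [], {}
    for entry in (e for e in entries if "dn" in e):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if classes & wanted:
            matched.append(entry["dn"][0])
        else:
            missed[entry["dn"][0]] = sorted(classes - {"top"})
    return matched, missed
```

If the remote groups carry a different class, `ipa migrate-ds` takes `--group-objectclass` to change the search filter.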