Discussion:
[Freeipa-users] Openldap to IPA migration confusion
Qing Chang
2012-07-20 20:56:03 UTC
Greetings,

Migration from OpenLDAP to IPA creates a pair of subtrees for both users and groups:
compat and accounts. Using groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca

The IPA web GUI does not show the "memberUid" attribute, although it is migrated correctly.
Adding a user to the group in the web GUI reveals that the member is added to both
compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang

It also reveals that the GUI does not display anything for the "compat" tree, but I can use
ldap tools to show compat entries.

My questions:
1, why do we have two trees created? I vaguely remember that it is mentioned that
compat is for support of IPA as an NIS proxy?
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with ldapmod without
breaking IPA?
3, What does Samba use, compat or accounts? I do have a Samba server set up as
an IPA client and it works very well, but I don't seem to be able to find a place
to specify either compat or accounts for user and group lookup; I assume the IPA
client libraries take care of it. In fact there are no entries related to LDAP
in my smb.conf, there are only a few lines related to IPA/Kerberos:
=====
security = user
passdb backend = smbpasswd

# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====

Thanks in advance!
Qing
Rob Crittenden
2012-07-20 21:14:58 UTC
Post by Qing Chang
Greetings,
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is added to both
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree, but I can use
ldap tools to show compat entries.
1, why do we have two trees created? I vaguely remember that it is mentioned that
compat is for support of IPA as an NIS proxy?
cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.

It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.
Post by Qing Chang
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with ldapmod without
breaking IPA?
It already can, see the --schema option.
Post by Qing Chang
3, What does Samba use, compat or accounts? I do have a Samba server setup as
an IPA client and it works very well, but I don't seem to be able to find a place
to specify either compat or accounts for user and group look up, I assume IPA
client libraries take care of it. In fact there is no entries that are related to LDAP
=====
security = user
passdb backend = smbpasswd
# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====
I'm not familiar with configuring Samba with an ldap backend, maybe
someone else will chime in.

rob
Qing Chang
2012-07-23 18:35:02 UTC
Post by Qing Chang
Greetings,
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is added to both
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree, but I can use
ldap tools to show compat entries.
1, why do we have two trees created? I vaguely remember that it is mentioned that
compat is for support of IPA as an NIS proxy?
cn=compat is a view of the data in rfc2307-compatible format (so memberUid instead of member). It
isn't a separate copy.
It is so clients that don't support 2307bis can still authenticate and identify users using nss_ldap.
Post by Qing Chang
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with ldapmod without
breaking IPA?
It already can, see the --schema option.
it says:
--schema=['RFC2307bis', 'RFC2307']
The schema used on the LDAP server. Supported values
are RFC2307 and RFC2307bis. The default is RFC2307bis

I assume I am using the default. Does this mean that I should use RFC2307 instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.

Thanks,
Qing
Post by Qing Chang
3, What does Samba use, compat or accounts? I do have a Samba server setup as
an IPA client and it works very well, but I don't seem to be able to find a place
to specify either compat or accounts for user and group look up, I assume IPA
client libraries take care of it. In fact there is no entries that
are related to LDAP
=====
security = user
passdb backend = smbpasswd
# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====
I'm not familiar with configuring Samba with an ldap backend, maybe someone else will chime in.
rob
Rob Crittenden
2012-07-23 19:33:47 UTC
Post by Qing Chang
Post by Rob Crittenden
Post by Qing Chang
Greetings,
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is added to both
uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree, but I can use
ldap tools to show compat entries.
1, why do we have two trees created? I vaguely remember that it is mentioned that
compat is for support of IPA as an NIS proxy?
cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.
It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.
Post by Qing Chang
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with ldapmod without
breaking IPA?
It already can, see the --schema option.
--schema=['RFC2307bis', 'RFC2307']
The schema used on the LDAP server. Supported values
are RFC2307 and RFC2307bis. The default is RFC2307bis
I assume I am using the default. Does this mean that I should use RFC2307 instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.
If the LDAP server you are migrating from is using RFC2307 (e.g.
memberUid in the groups to specify membership) then use --schema=RFC2307.

You are specifying the remote schema, not the local schema.

rob
Qing Chang
2012-07-24 12:54:01 UTC
Post by Qing Chang
Post by Rob Crittenden
Post by Qing Chang
Greetings,
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is added to both
uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree, but I can use
ldap tools to show compat entries.
1, why do we have two trees created? I vaguely remember that it is mentioned that
compat is for support of IPA as an NIS proxy?
cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.
It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.
Post by Qing Chang
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with
ldapmod without
breaking IPA?
It already can, see the --schema option.
--schema=['RFC2307bis', 'RFC2307']
The schema used on the LDAP server. Supported values
are RFC2307 and RFC2307bis. The default is RFC2307bis
I assume I am using the default. Does this mean that I should use RFC2307 instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.
If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to
specify membership) then use --schema=RFC2307.
You are specifying the remote schema, not the local schema.
Indeed it is the remote schema. For future reference, this is my command line:
# ipa -d migrate-ds ldap://ldap:389 --bind-dn=cn=Manager,dc=... --group-container=ou=group
--group-overwrite-gid --schema=RFC2307 --with-compat --group-objectclass=posixGroup
rob
Your help is much appreciated!

Qing
Dmitri Pal
2012-07-20 21:17:42 UTC
Post by Qing Chang
Greetings,
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is added to both
uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree, but I can use
ldap tools to show compat entries.
1, why do we have two trees created? I vaguely remember that it is mentioned that
compat is for support of IPA as an NIS proxy?
Compat tree is a different view of the data stored in the main tree.
Main tree follows schema defined by RFC 2307bis for users and groups.
Compat displays same data in RFC 2307 format for clients that do not
understand 2307bis schema (for example for Solaris clients).
NIS uses compat tree for its data.
Internal SUDO schema is also different from the standard for the
benefits of the referential integrity so the external, standard schema
is exposed via compat tree.
Post by Qing Chang
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with ldapmod without
breaking IPA?
It is not clear what you are trying to do. Main tree is already in the
right format.
Changing the data directly would not work. Please use ipa commands.
You can point clients to either main tree or compat tree depending upon
what schema they expect.
You can also switch the compat tree completely. There is a command to do
so added in 2.2.
Post by Qing Chang
3, What does Samba use, compat or accounts? I do have a Samba server setup as
an IPA client and it works very well, but I don't seem to be able to find a place
to specify either compat or accounts for user and group look up, I assume IPA
client libraries take care of it. In fact there is no entries that are related to LDAP
Samba uses main tree but I do not think you configured anything other
than authentication.
It seems that samba is using a local back end.
You need more info from samba gurus.
You can catch them on irc on freenode.net or they might chime in here.
Post by Qing Chang
=====
security = user
passdb backend = smbpasswd
# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====
Thanks in advance!
Qing
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
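To make concrete both Rob's point that --schema names the schema of the server you migrate from and Dmitri's point that cn=compat is only a view of the main tree, here is an added illustration (not FreeIPA's migrate-ds code): a memberUid-style group from the RFC 2307 source is rewritten into the member-DN form stored under cn=accounts, and the cn=compat rendering is derived back from it. The suffix and group name come from the thread; the LDIF entry and the uid "nobodyhere" are constructed.

```python
# Added illustration, not FreeIPA's migrate-ds code: what --schema=RFC2307
# means for a group. The source expresses membership as memberUid (RFC 2307);
# cn=accounts stores member DNs (RFC 2307bis); cn=compat shows memberUid again.
from typing import Dict, List, Set, Tuple

BASE = "dc=sri,dc=utoronto,dc=ca"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"
COMPAT_GROUPS = f"cn=groups,cn=compat,{BASE}"

# Constructed sample: one posixGroup as exported from the RFC 2307 OpenLDAP
# server. "nobodyhere" is a uid that has no matching IPA user.
SOURCE_LDIF = """\
dn: cn=acdp,ou=group,dc=sri,dc=utoronto,dc=ca
objectClass: posixGroup
cn: acdp
gidNumber: 1005
memberUid: qchang
memberUid: nobodyhere
"""

Entry = Dict[str, List[str]]

def parse_ldif_entry(text: str) -> Entry:
    """Parse one plain LDIF entry (no base64 values, no line folding)."""
    attrs: Entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def to_rfc2307bis(entry: Entry, known_uids: Set[str]) -> Tuple[Entry, List[str]]:
    """Rewrite memberUid values as member DNs under cn=users,cn=accounts.
    A memberUid with no IPA user is reported, never turned into a bogus DN."""
    cn = entry["cn"][0]
    members, unresolved = [], []
    for uid in entry.get("memberuid", []):
        if uid in known_uids:
            members.append(f"uid={uid},{USERS}")
        else:
            unresolved.append(uid)
    new: Entry = {"dn": [f"cn={cn},{GROUPS}"], "cn": [cn],
                  "objectclass": ["top", "groupofnames", "posixgroup"],
                  "gidnumber": entry["gidnumber"], "member": members}
    return new, unresolved

def compat_view(group: Entry) -> Entry:
    """The cn=compat rendering of the same group: memberUid again, no second copy."""
    uids = [dn.split(",", 1)[0].split("=", 1)[1] for dn in group["member"]]
    return {"dn": [f"cn={group['cn'][0]},{COMPAT_GROUPS}"], "cn": group["cn"],
            "objectclass": ["posixgroup"], "gidnumber": group["gidnumber"],
            "memberuid": uids}
```

Running to_rfc2307bis over the sample with {"qchang"} as the set of migrated users yields the cn=accounts entry with one member DN and reports "nobodyhere" as unresolved, which is the kind of membership you would otherwise only notice missing in the GUI.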
Qing Chang
2012-08-12 12:19:19 UTC
Just installed a fresh RHEL 6.3 VM with IPA 2.2..0-16.el6 on our new
ESXi host. After preparing migration mode as well as adding the necessary
objectclasses, I tried to run the following:
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
--group-container=ou=group --schema=RFC2307 --with-compat
--group-objectclass=posixGroup

It failed promptly with this:
=====
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server
http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server:
=====

/var/log/dirsrv/access shows:
=====
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2
filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
pwdattribute authorizedService accountexpires useraccountcontrol
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
nentries=0 etime=0
=====

Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this
problem.

Please help,

Thanks,
Qing
Rob Crittenden
2012-08-13 14:39:09 UTC
Post by Qing Chang
Just installed a fresh RHEL 6.3 VM with IPA 2.2..0-16.el6 on our new
ESXi host,
after preparing migration mode as well as adding necessary
objectclasses, tried
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
--group-container=ou=group --schema=RFC2307 --with-compat
--group-objectclass=posixGroup
=====
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server
ipa: DEBUG: Destroyed connection context.xmlclient
=====
=====
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2
filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
pwdattribute authorizedService accountexpires useraccountcontrol
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
nentries=0 etime=0
=====
Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this
problem.
Check your iptables/firewall configuration on both hosts.

rob
Qing Chang
2012-08-13 18:47:01 UTC
Post by Rob Crittenden
Post by Qing Chang
Just installed a fresh RHEL 6.3 VM with IPA 2.2..0-16.el6 on our new
ESXi host,
after preparing migration mode as well as adding necessary
objectclasses, tried
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
--group-container=ou=group --schema=RFC2307 --with-compat
--group-objectclass=posixGroup
=====
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server
ipa: DEBUG: Destroyed connection context.xmlclient
=====
=====
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2
filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
pwdattribute authorizedService accountexpires useraccountcontrol
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
nentries=0 etime=0
=====
Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this
problem.
Check your iptables/firewall configuration on both hosts.
rob
I have disabled iptables on ipa1; ipa1 and openldap can ping each other.

Thanks,
Qing
Qing Chang
2012-08-13 20:04:45 UTC
My sincere apologies: I forgot to start slapd on my openldap server...

Qing
Post by Rob Crittenden
Post by Qing Chang
Just installed a fresh RHEL 6.3 VM with IPA 2.2..0-16.el6 on our new
ESXi host,
after preparing migration mode as well as adding necessary
objectclasses, tried
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
--group-container=ou=group --schema=RFC2307 --with-compat
--group-objectclass=posixGroup
=====
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA"
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server
ipa: DEBUG: Destroyed connection context.xmlclient
=====
=====
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
base="cn=accounts,dc=sri,dc=utoronto,dc=ca" scope=2
filter="(&(uid=postfix)(objectClass=posixAccount))" attrs="objectClass
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
pwdattribute authorizedService accountexpires useraccountcontrol
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey"
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
nentries=0 etime=0
=====
Previous installation of VBox VM (RHEL 6.3 with IPA ) did not have this
problem.
Check your iptables/firewall configuration on both hosts.
rob
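The "Can't contact LDAP server" fault above covered everything from a firewall rule to slapd simply not running on the source host. As an added pre-flight check (not part of FreeIPA), this script, run from the IPA server before migrate-ds, confirms that the source host not only accepts a TCP connection on the LDAP port but actually answers an anonymous bind with an LDAP BindResponse. Host names are placeholders; the BER bytes are hand-encoded here.

```python
# Added pre-flight check, not FreeIPA code: probe the source LDAP host both at
# the TCP level and at the protocol level, so a closed port, a firewall drop
# and a stopped slapd are all reported before migrate-ds is run.
import socket
from typing import Optional, Tuple

# Anonymous simple bind, hand-encoded BER:
# LDAPMessage{ messageID 1, BindRequest{ version 3, name "", simple "" } }
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def _ber_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_bind_response(buf: bytes) -> Optional[int]:
    """Return the resultCode of a BindResponse, or None if buf is not one."""
    try:
        if buf[0] != 0x30:                      # LDAPMessage SEQUENCE
            return None
        _, i = _ber_len(buf, 1)
        if buf[i] != 0x02:                      # messageID INTEGER
            return None
        n, i = _ber_len(buf, i + 1)
        i += n
        if buf[i] != 0x61:                      # BindResponse [APPLICATION 1]
            return None
        _, i = _ber_len(buf, i + 1)
        if buf[i] != 0x0A:                      # resultCode ENUMERATED
            return None
        n, i = _ber_len(buf, i + 1)
        return int.from_bytes(buf[i:i + n], "big")
    except IndexError:
        return None

def ldap_preflight(host: str, port: int = 389, timeout: float = 3.0) -> Tuple[bool, str]:
    """(speaks LDAP, explanation). Any bind result, even a refusal of anonymous
    binds (e.g. resultCode 53), proves a directory server is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ANON_BIND)
            resp = s.recv(512)
    except OSError as e:                        # refused, timed out, no route, bad DNS
        return False, f"{host}:{port} unreachable: {e}"
    code = parse_bind_response(resp)
    if code is None:
        return False, f"{host}:{port} answered, but not with an LDAP BindResponse"
    return True, f"{host}:{port} is an LDAP server (anonymous bind resultCode={code})"
```

A stopped slapd shows up as "unreachable: [Errno 111] Connection refused", a firewall drop as a timeout, and a wrong port (something else listening) as the "not with an LDAP BindResponse" case.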