Description of problem:
ipa migrate-ds is migrating users entries and also copying the attribute mepmanagedentry. But the DN corresponding to this attribute is not migrated. This makes that a delete of a user (by ldaptools) could fail. The internal operation done by "Managed Entries" plugin will fail. In any case, db is inconsistent without the managed entry.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.3.x86_64

How reproducible:
always.

Steps to Reproduce:
1. Add user in one ipa server:
[root@ipaserver ~]# ipa user-add nevermanaged
First name: Never
Last name: Managed
-------------------------
Added user "nevermanaged"
-------------------------
  User login: nevermanaged
  ...

2. Check the entry and the managed one are there:
[root@ipaserver ~]# ipa user-show nevermanaged --all --raw
  dn: uid=nevermanaged,cn=users,cn=accounts,dc=redhat,dc=com
  mepmanagedentry: cn=nevermanaged,cn=groups,cn=accounts,dc=redhat,dc=com

[root@ipaserver ~]# ldapsearch -xLLL -D "cn=directory manager" -w secret12 -b "cn=nevermanaged,cn=groups,cn=accounts,dc=redhat,dc=com" dn
dn: cn=nevermanaged,cn=groups,cn=accounts,dc=redhat,dc=com

3. ipa migrate-ds in another ipa server:
ipa migrate-ds ldap://10.13.211.213:389 --bind-dn="uid=admin,cn=users,cn=accounts,dc=redhat,dc=com" --user-container="cn=users,cn=accounts,dc=redhat,dc=com" --with-compat --group-container="cn=groups,cn=accounts,dc=redhat,dc=com"
migrate-ds:
-----------
Migrated:
  user: nevermanaged
Failed user:
  admin: This entry already exists

4. Check user and managed entry:
[root@idm-replica ~]# ipa user-show nevermanaged --all --raw
  dn: uid=nevermanaged,cn=users,cn=accounts,dc=example,dc=org
  ....
  mepManagedEntry: cn=nevermanaged,cn=groups,cn=accounts,dc=example,dc=org

ldapsearch -xLLL -D "cn=directory manager" -w 'RedHat1!' -b "cn=nevermanaged,cn=groups,cn=accounts,dc=redhat,dc=com" dn
No such object (32)
[root@idm-replica ~]#

5. user cannot be deleted anymore:
ipa user-del nevermanaged
ipa: ERROR: nevermanaged: user not found

6. [root@idm-replica ~]# ldapmodify -D "cn=directory manager" -w 'RedHat1!'
dn: uid=nevermanaged,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: mepManagedEntry

7. ipa user-del
User login: nevermanaged
---------------------------
Deleted user "nevermanaged"
---------------------------
[root@idm-replica ~]#

Actual results:
the managed entry is not migrated and the user cannot be deleted any more.

Expected results:
the managed entry should be there.

Additional info:
The workaround is to delete attribute: mepManagedEntry
A real workaround, more acceptable for customers has just been given by Rob (thanks a lot): if they want to re-migrate, would be to blacklist that attribute and objectclass with --user-ignore-attribute=mepManagedEntry --user-ignore-objectclass=mepOriginEntry
ipa migrate-ds was not designed to migrate UPGs automatically. Actually it was not designed for IPA-IPA migration, but can be used. The reason why the groups were not migrated is that ipa migrate-ds migrates groups with object classes "groupOfUniqueNames, groupOfNames" but UPGs have "ipaobject, mepManagedEntry, posixgroup, top" and therefore they were not migrated. Another possibility is to ignore (not migrate) the mepManagedEntry attribute during migration - add it to --user-ignore-attribute options.
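The state described in the report (a user carrying mepManagedEntry while the referenced group DN is absent) is easy to detect offline from two ldapsearch dumps. The script below is an added example, not part of the bug report or of FreeIPA: it parses LDIF text, lists every user whose mepManagedEntry points at a DN that is not in the groups dump, and emits the ldapmodify LDIF that applies the workaround from the description (dropping the attribute so the Managed Entries plugin no longer acts on a missing entry). The LDIF input and the dc=example,dc=org DNs are constructed for this example; the DN normalization is a simplification, not full RFC 4514 handling.

```python
"""Detect dangling mepManagedEntry references after ipa migrate-ds and
produce the LDIF that removes them (the workaround from the report).

Added example, not FreeIPA code. Input is the text `ldapsearch -xLLL`
prints; both samples below are constructed for this example.
"""
import base64
import re
from typing import Dict, List

# Constructed sample: users on the migration target with their
# mepManagedEntry attribute (as `ipa user-show --all --raw` / ldapsearch show it).
USERS_LDIF = """\
dn: uid=nevermanaged,cn=users,cn=accounts,dc=example,dc=org
uid: nevermanaged
mepManagedEntry: cn=nevermanaged,cn=groups,cn=accounts,dc=example,dc=org

dn: uid=healthy,cn=users,cn=accounts,dc=example,dc=org
uid: healthy
mepManagedEntry: cn=healthy,cn=groups,cn=accounts,dc=example,dc=org

dn: uid=nomep,cn=users,cn=accounts,dc=example,dc=org
uid: nomep
"""

# Constructed sample: DNs actually present under the groups container.
GROUPS_LDIF = """\
dn: cn=healthy,cn=groups,cn=accounts,dc=example,dc=org

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=org
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, lowercases attribute names, returns one dict per entry."""
    entries: List[Dict[str, List[str]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # a leading space continues the previous line
        entry: Dict[str, List[str]] = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def norm_dn(dn: str) -> str:
    """Simplified DN normalization (lowercase, trim around commas). Enough for
    the DNs IPA generates; escaped commas in RDN values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_dangling(users_ldif: str, groups_ldif: str) -> Dict[str, str]:
    """Return {user DN: mepManagedEntry DN} for every user whose managed
    entry is absent from the groups dump. Attribute-name case is ignored,
    since the report shows both mepmanagedentry and mepManagedEntry."""
    present = {norm_dn(e["dn"][0]) for e in parse_ldif(groups_ldif)}
    dangling: Dict[str, str] = {}
    for entry in parse_ldif(users_ldif):
        for target in entry.get("mepmanagedentry", []):
            if norm_dn(target) not in present:
                dangling[entry["dn"][0]] = target
    return dangling


def workaround_ldif(dangling: Dict[str, str]) -> str:
    """LDIF for `ldapmodify` that removes the dangling attribute. The report
    used an empty 'replace:'; 'delete:' is the equivalent explicit form."""
    changes = [
        f"dn: {user_dn}\nchangetype: modify\ndelete: mepManagedEntry\n-\n"
        for user_dn in sorted(dangling)
    ]
    return "\n".join(changes)


if __name__ == "__main__":
    bad = find_dangling(USERS_LDIF, GROUPS_LDIF)
    for user_dn, target in bad.items():
        print(f"{user_dn} -> missing managed entry {target}")
    print(workaround_ldif(bad))
```

Feed the output to `ldapmodify` as Directory Manager on the migration target, or, if re-migrating, follow the comment above and pass `--user-ignore-attribute=mepManagedEntry --user-ignore-objectclass=mepOriginEntry` so the attribute is never copied in the first place.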
IPA-IPA migration is described at http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
The customer case was closed, closing the Bugzilla too. Long-term fix would be a separate command for IPA-IPA migration tracked in https://fedorahosted.org/freeipa/ticket/3656