Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2644 When migrated LDAP tree contains 2 groups with identical GID, IPA migration plugin returns incomprehensible error: {{{ # echo "secret123" | ipa migrate-ds ldap://vm-054.idm.lab.bos.redhat.com --with-compat --base-dn=dc=greyoak,dc=com ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. }}} This is indeed an invalid LDAP on user side, but the error message we provide should be clearer - so that user knows what to fix. This is the part in the migration plugin that raises the error: {{{ if entry_attrs['gidnumber'][0] not in valid_gids: try: (remote_dn, remote_entry) = ds_ldap.find_entry_by_attr( 'gidnumber', entry_attrs['gidnumber'][0], 'posixgroup', [''], search_bases['group'] ) valid_gids.append(entry_attrs['gidnumber'][0]) except errors.NotFound: api.log.warn('Migrated user\'s GID number %s does not point to a known group.' % entry_attrs['gidnumber'][0]) }}}
Fixed upstream. master: 88927fb78b5dd8df6fdccb79c84c02691c7aeb46 ipa-2-2: 49f869522581d66a62e7d251739a2f758837d78e In the Apache error log you'll see a message like this if you have two POSIX groups on the remote LDAP server with the same gidNumber value. ipa: WARNING: GID number 21731 of migrated user mollee_weisenberg should match 1 group, but it matched 2 groups
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
verified :: [Wed May 16 12:35:30 2012] [error] ipa: WARNING: GID number 1002 of migrated user puser2 should match 1 group, but it matched 2 groups # ipa group-find --gid=1002 ---------------- 2 groups matched ---------------- Group name: group2 GID: 1002 Group name: group3 GID: 1002 ---------------------------- Number of entries returned 2 ---------------------------- # ipa user-find puser2 -------------- 1 user matched -------------- User login: puser2 Last name: User2 Home directory: /home/puser2 Login shell: /bin/bash UID: 1002 GID: 1002 Account disabled: False Password: True Kerberos keys available: True version :: ipa-server-2.2.0-14.el6.i686
automated :: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: bz813389 Improve migration plugin error when 2 groups have identical GID :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Add group with duplicate GID to existing ldap group :: [ LOG ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldap://dhcp-187-227.testrelm.com:389 :: [ PASS ] :: File '/var/log/httpd/error_log' should contain 'WARNING: GID number 1002 of migrated user puser2 should match 1 group, but it matched 2 groups' :: [ PASS ] :: delete ldap group :: [ LOG ] :: Cleaning up migrated users :: [ LOG ] :: Duration: 6s :: [ LOG ] :: Assertions: 3 good, 0 bad :: [ PASS ] :: RESULT: bz813389 Improve migration plugin error when 2 groups have identical GID
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html