Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 910665

Summary: During Migration - If Schema is unavailable migration fails
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.0CC: dpal, jgalipea, mkosek, nsoman, tlavigne
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.2.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 906846 Environment:
Last Closed: 2014-06-13 13:06:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 906846    
Bug Blocks: 908400, 910538    

Comment 2 Martin Kosek 2013-02-21 08:51:26 UTC 
Fixed upstream:

master: 959b276e7d10f80269568c6d340e59d664fc5d42
ipa-3-1: 2b491acb4ad4d6880cabff02b474d6885af8242b
ipa-3-0: dd499c559c960f8c01287bcfe28c158e3780daa4
Comment 5 Jenny Severance 2013-08-23 17:55:20 UTC 
*** Bug 910538 has been marked as a duplicate of this bug. ***
Comment 6 Namita Soman 2013-12-02 20:06:59 UTC 
Verified using ipa-server-3.3.3-5.el7.x86_64

Steps taken (followed steps from bz 908400)
1> yum -y install openldap-servers openldap-clients
2> # rpm -qa openldap-servers openldap-clients
openldap-clients-2.4.35-7.el7.x86_64
openldap-servers-2.4.35-7.el7.x86_64
3> systemctl stop firewalld
4> systemctl start slapd
5> systemctl stop slapd
6> rm -rf /etc/openldap/slapd.d/*
7> rm -rf /var/lib/ldap/*
8> cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
9> scp'd from a 6.5 machine - /usr/share/openldap-servers/slapd.conf.obsolete to  /etc/openldap/slapd.example.conf
10> # sed -i "s/my-domain/example/g" /etc/openldap/slapd.example.conf
11> # sed -i "s/Manager/admin/g"   /etc/openldap/slapd.example.conf
12> # echo -e "rootpw\t\t$(slappasswd -s <PASSWORD>)" >> /etc/openldap/slapd.example.conf
13> # echo "" | slapadd -f /etc/openldap/slapd.example.conf
14> # slaptest -f /etc/openldap/slapd.example.conf -F /etc/openldap/slapd.d
529cde55 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
config file testing succeeded
15> # cd /etc/openldap
16> created files below:
- # cat example.com.ldif 
# Root entry
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
- # cat admin.example.com.ldif
# Admin DN
dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin
- # cat users.example.com.ldif
# Base DN for users
dn: ou=users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: users
- # cat groups.example.com.ldif
# Base DN for groups
dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: groups
17> # slapadd -l example.com.ldif
529cdfb0 The first database does not allow slapadd; using the first available one (2)
529cdfb0 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
18> # slapadd -l admin.example.com.ldif
529cdfbe The first database does not allow slapadd; using the first available one (2)
529cdfbe bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
19> # slapadd -l users.example.com.ldif
529cdfc6 The first database does not allow slapadd; using the first available one (2)
529cdfc6 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
20> # slapadd -l groups.example.com.ldif
529cdfcd The first database does not allow slapadd; using the first available one (2)
529cdfcd bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
21> # chown -R ldap:ldap /var/lib/ldap
22> # chown -R ldap:ldap /etc/openldap/slapd.d
23> # systemctl restart slapd
24> # ldapsearch -x -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com' -w redhat
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example Company
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin

# users, example.com
dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
25> # ldapadd -x -D 'cn=admin,dc=example,dc=com' -w redhat << EOF
> dn: uid=tuser1,ou=users,dc=example,dc=com
> uidNumber: 100161
> gidNumber: 100161
> objectclass: posixAccount
> homeDirectory: /home/tuser1
> uid: Test_User1
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> ou: users
> cn: Test User1
> sn: User1
> EOF
adding new entry "uid=tuser1,ou=users,dc=example,dc=com"

26> # ldapadd -x -D 'cn=admin,dc=example,dc=com' -w redhat << EOF
> dn: cn=tgroup2,ou=groups,dc=example,dc=com
> objectClass: top
> objectClass: groupOfNames
> member: uid=tuser1,ou=users,dc=example,dc=com
> EOF
adding new entry "cn=tgroup2,ou=groups,dc=example,dc=com"

On machine with ipa server:
1> # kinit admin
2> # ipa config-mod --enable-migration=TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
3> # ipa migrate-ds --user-container="ou=users,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" --bind-dn="cn=admin,dc=example,dc=com" --with-compat ldap://nocp8.example.com
Password: 
-----------
migrate-ds:
-----------
Migrated:
  user: tuser1
  group: tgroup2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
Comment 7 Ludek Smid 2014-06-13 13:06:49 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.