Hello all.
I am trying to migrate my users from one ipa to another one. I was able to import the users and groups with 'ipa migrate-ds'. However the migration process generates new ipaUniqueIds.
IPA is my source of users for keycloak user federation and other applications that use ipaUniqueId to identify the user.
When syncing from ipa, they now report a conflict as they should.
So is it possible (and how) to manually set the ipaUniqueId to the value it had originally?
I have seen that ipa user-mod --setattr is now locked for this attribute : https://bugzilla.redhat.com/show_bug.cgi?id=634194
Thank you for any pointer to a solution.
Antoine
Antoine Gatineau via FreeIPA-users wrote:
Hello all.
I am trying to migrate my users from one ipa to another one. I was able to import the users and groups with 'ipa migrate-ds'. However the migration process generates new ipaUniqueIds.
IPA is my source of users for keycloak user federation and other applications that use ipaUniqueId to identify the user.
When syncing from ipa, they now report a conflict as they should.
So is it possible (and how) to manually set the ipaUniqueId to the value it had originally?
I have seen that ipa user-mod --setattr is now locked for this attribute : https://bugzilla.redhat.com/show_bug.cgi?id=634194
Thank you for any pointer to a solution.
It will take a few steps and I haven't tested this fully. To disable the check in the above BZ you'd need to set ipaUuidEnforce to FALSE in cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config using ldapmodify.
No users currently have write access to ipaUniqueID so I'd create a permission to grant write on that. Then create a privilege and role to grant that to whoever you want. I'd give it to the admins group.
That should allow you to use the setattr option.
Once you're done setting things I'd remove the permission/privilege/role and set ipaUuidEnforce back to TRUE.
An alternative if you're still experimenting with the migration would be to modify /usr/lib/python*/ipaserver/plugins/migration.py and comment out the two lines:
entry_attrs['ipauniqueid'] = 'autogenerate'
And restart httpd. I think that should retain the current values when you re-run the migration (you'd have to either remove all the users/groups or re-do the install).
rob
Hello Rob,
Quick feedback on the procedure you provided. It worked for me. There was just a small issue for users belonging to the admin group where ipa user-mod complained about not having enough write permissions on the ipaUniqueID attribute. By removing them temporarily from the admins group, I could modify them. So not a big deal.
I didn't try modifying the migration script.
I hope this can help others in future?
Many thanks
freeipa-users@lists.fedorahosted.org