
Maybe it needs two steps:

  1. Add users defined in the ldif file to OpenLDAP (inside FreeIPA)
  2. Migrate those added users from OpenLDAP to IPA

Current situation

Set up a FreeIPA server, initialized an admin user, and created a test user with the ipa user-add command.

List all users in IPA

# ipa user-find --all
---------------
2 users matched
---------------
  dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS: Administrator
  Login shell: /bin/bash
  Principal alias: admin@MY.DOMAIN
  User password expiration: 20200626033338Z
  UID: 1253000000
  GID: 1253000000
  Account disabled: False
  Preserved user: False
  Member of groups: admins, trust admins
  ipauniqueid: 67d94d98-70a4-11ea-8d6b-5254008afee6
  krbextradata: AAKSxX5ecm9vdC9hZG1pbkBNWS5ET01BSU4A
  krblastpwdchange: 20200328033338Z
  objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys

  dn: uid=test,cn=users,cn=accounts,dc=my,dc=domain
  User login: test
  First name: T
  Last name: S
  Full name: T S
  Display name: T S
  Initials: TS
  Home directory: /home/test
  GECOS: T S
  Login shell: /bin/bash
  Principal name: test@MY.DOMAIN
  Principal alias: test@MY.DOMAIN
  User password expiration: 20200626035426Z
  Email address: test@example.com
  UID: 1253000001
  GID: 1253000001
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipauniqueid: 996b48fe-70a7-11ea-9a53-5254008afee6
  krbextradata: AAJyyn5ea2FkbWluZEBNWS5ET01BSU4A
  krblastfailedauth: 20200328035411Z
  krblastpwdchange: 20200328035426Z
  krbloginfailedcount: 0
  krbticketflags: 128
  mepmanagedentry: cn=test,cn=groups,cn=accounts,dc=my,dc=domain
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
               ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 2
----------------------------

Try to add users by ldif file

For the first step above

Create a test ldif file

test.ldif

# Add test1
dn: uid=test1,dc=my,dc=domain
changetype: add
objectClass: inetOrgPerson
description: Test1
  d
  e
cn: Test 1
sn: Test
uid: test1

# Add test2
dn: uid=test2,dc=my,dc=domain
changetype: add
objectClass: inetOrgPerson
description: Test2
  d
  e
cn: Test 2
sn: Test
uid: test2

Add them

# ldapadd -x -h test.my.domain -D "cn=Directory Manager" -w password -c -f test.ldif

Check them

# ldapsearch -h test.my.domain -t -b "dc=my,dc=domain" "uid=test1"
SASL/GSSAPI authentication started
SASL username: admin@MY.DOMAIN
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain> with scope subtree
# filter: uid=test1
# requesting: ALL
#

# test1, my.domain
dn: uid=test1,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
description: Test1 d e
cn: Test 1
sn: Test
uid: test1

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

# ldapsearch -h test.my.domain -t -b "dc=my,dc=domain" "uid=test2"
SASL/GSSAPI authentication started
SASL username: admin@MY.DOMAIN
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain> with scope subtree
# filter: uid=test2
# requesting: ALL
#

# test2, my.domain
dn: uid=test2,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
description: Test2 d e
cn: Test 2
sn: Test
uid: test2

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

They are there.

For the second step

# ipa migrate-ds ldap://test.my.domain:389 --with-compat
ipa: ERROR: user LDAP search did not return any result (search base: ou=people,dc=my,dc=domain, objectclass: person)

Checked the FreeIPA dashboard; no new users (test1, test2) there. How to migrate?

rawmain

1 Answer


I'm in a similar boat at the moment. As far as I understand, FreeIPA requires some specific objectClasses and attributes to be present in an LDAP entity for it to be aware of those entities. As far as I've figured, those seem to be at least "objectClass: ipaobject" and "ipaUniqueID". Lacking these required attributes, users will not show up in IPA, but will be accessible via direct LDAP.

First off, normally FreeIPA users are stored under cn=users,cn=accounts, such as

dn: uid=ipa_test9,cn=users,cn=accounts,dc=myserver,dc=eu

As for why migrate-ds didn't find users: your users currently are under

dn: uid=test2,dc=my,dc=domain

while migrate-ds looks for users in yet another place

(search base: ou=people,dc=my,dc=domain, objectclass: person)

For migrate-ds to work at all, you'll have to specify at least the --user-container parameter. After hacking the migrate.py file to autogenerate missing groups, I tried with

$ ipa migrate-ds ldaps://im.myserver.eu --bind-dn="uid=myuser,cn=users,cn=accounts,dc=myserver,dc=eu" --with-compat --user-container="cn=users,cn=accounts,dc=myserver,dc=eu" --group-container="cn=groups,cn=accounts,dc=myserver,dc=eu"

and it reports that all the users already exist. Since FreeIPA uses the same LDAP as the one you are trying to "migrate from", it detects that UIDs are already there and there's nothing to migrate.

Basically, a workaround would be to set up another temporary LDAP server, import users into that, then use migrate-ds against it.

EDIT: I did it this way and it worked. You still have to reset passwords and create Kerberos tickets, so my conclusion is that it's much easier and quicker to write a little python/bash script that creates users, generates a password and emails it to the user with instructions on how to update.

stiebrs
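The scripted route the answer's EDIT ends on, as an added example that is not code from either poster: parse the question's test.ldif (including its folded "description" lines) and emit one ipa user-add command per entry, so FreeIPA itself adds ipaobject, ipaUniqueID and the Kerberos principal, and leave initial password generation to IPA's --random option. The mapping of cn/sn to --first/--last and the "mail" value on test2 are assumptions, not from the page.

```python
import shlex

# Constructed sample: the two test.ldif entries from the question (folded "description"
# lines kept as posted); the "mail" attribute on test2 is added to exercise --email.
SAMPLE_LDIF = """dn: uid=test1,dc=my,dc=domain
objectClass: inetOrgPerson
description: Test1
  d
  e
cn: Test 1
sn: Test
uid: test1

dn: uid=test2,dc=my,dc=domain
objectClass: inetOrgPerson
cn: Test 2
sn: Test
uid: test2
mail: test2@example.com
"""

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}. A line starting with one space continues
    the previous line (RFC 2849), so 'Test1' + '  d' + '  e' reads back as 'Test1 d e'."""
    entries, current, pending = [], {}, []  # pending: pieces of the logical line
    def finish_line():
        if pending:
            attr, _, value = "".join(pending).partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
            pending.clear()
    lines = [l for l in text.splitlines() if not l.startswith("#")]  # drop LDIF comments
    for raw in lines + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" "):  # continuation: drop exactly one leading space
            pending.append(raw[1:])
            continue
        finish_line()
        if raw:
            pending.append(raw)
        elif current:  # blank line ends an entry
            entries.append(current)
            current = {}
    return entries

def ipa_user_add_command(entry):
    """One `ipa user-add` per entry. Assumed mapping: first = givenName or first word of
    cn, last = sn; --random makes IPA generate and print the initial password."""
    uid, cn, sn = entry["uid"][0], entry["cn"][0], entry["sn"][0]
    first = entry.get("givenName", [cn.split()[0]])[0]
    args = ["ipa", "user-add", uid, "--first", first, "--last", sn, "--cn", cn, "--random"]
    args += ["--email", entry["mail"][0]] if "mail" in entry else []
    return shlex.join(args)
```

Run the returned strings on the IPA server as admin (after kinit); the "Random password:" line each one prints is what the answer suggests mailing to the user.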