Migration from LDAP to IPA fails for some users with the message: "missing attribute "sn" required by object class"


Issue

Currently we are in the process of migrating data from OpenLDAP to IPA using the "ipa migrate-ds" migration tool; however, some users are failing to migrate due to the error:

missing attribute "sn" required by object class "organizationalPerson"

To resolve this issue we've ignored these attributes using the following command, which appears to have successfully migrated all users and groups.

ipa -v migrate-ds ldap://openldap.example.com:389 \
    --bind-dn="cn=Directory Manager" \
    --base-dn="dc=example,dc=com" \
    --user-container="ou=people,dc=example,dc=com" \
    --user-objectclass=posixAccount \
    --user-objectclass=account \
    --user-objectclass=top \
    --user-ignore-attribute="sn" \
    --user-ignore-objectclass={organizationalPerson,inetOrgPerson} \
    --group-container="ou=group,dc=example,dc=com" \
    --group-objectclass="posixGroup" \
    --continue

The problem is that it appears that we're not able to edit the migrated users as the sn is "not allowed":

ipa user-mod testeuser --first="Firstname" --last="Lastname"
ipa: ERROR: attribute "sn" not allowed
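
A pre-migration check for the error above, as an added example that is not part of the original article or of IPA: it reads an LDIF export of the source directory and lists the user entries that have no sn value. The sample entries, the function names and the use of posixAccount as the user marker (taken from the --user-objectclass option in the command above) are assumptions.

```python
import base64

# Constructed sample export (not data from the page); the last entry is a group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example

dn: uid=testeuser,ou=people,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: testeuser
cn: Test
 e User

dn: cn=staff,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: staff
"""

def parse_ldif(text):
    """Return a list of entries as {lowercased attribute: [values]}."""
    # Unfold continuation lines (RFC 2849: a leading space continues the line).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def users_missing(text, attr="sn", user_class="posixaccount"):
    """DNs of user entries that have no non-empty value for attr."""
    return [e["dn"][0] for e in parse_ldif(text)
            if user_class in {c.lower() for c in e.get("objectclass", [])}
            and not any(e.get(attr.lower(), []))]

if __name__ == "__main__":
    print("\n".join("no sn: " + dn for dn in users_missing(SAMPLE_LDIF)))
```
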

Environment

  • Red Hat Enterprise Linux 7.4
