Migration from LDAP to IPA fails for some users with the message: "missing attribute "sn" required by object class"

Solution Verified


Currently we are in the process of migrating data from OpenLDAP to IPA using the "ipa migrate-ds" migration tool; however, some users are failing to migrate due to the error:

missing attribute "sn" required by object class "organizationalPerson"

To resolve this issue, we've ignored these attributes using the following command, which appears to have successfully migrated all users and groups.

ipa -v migrate-ds ldap://openldap.example.com:389 \
            --bind-dn="cn=Directory Manager" \
            --base-dn="dc=example,dc=com" \
            --user-container="ou=people,dc=example,dc=com" \
            --user-objectclass=posixAccount \
            --user-objectclass=account \
            --user-objectclass=top \
            --user-ignore-attribute="sn" \
            --user-ignore-objectclass={organizationalPerson,inetOrgPerson} \
            --group-container="ou=group,dc=example,dc=com" \
            --group-objectclass="posixGroup"

The problem is that it appears we're not able to edit the migrated users, as sn is "not allowed":

ipa user-mod testeuser --first="Firstname" --last="Lastname"
ipa: ERROR: attribute "sn" not allowed
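A pre-migration check, added here as an example and not part of this solution or of the ipa tooling: it reads an OpenLDAP LDIF export and lists the entries that carry organizationalPerson or inetOrgPerson but have no sn, so those source entries can be completed before running migrate-ds instead of dropping the object classes with --user-ignore-objectclass. The minimal stdlib LDIF parser and the sample export (its DNs and values) are constructed assumptions.

```python
import base64

# Constructed sample export of ou=people (not from the original page). "bob"
# carries organizationalPerson but no sn, so migrate-ds would reject him.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
cn: Alice Example
sn:: RXhhbXBsZQ==

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: organizationalPerson
cn: Robert
  Example
"""

SN_REQUIRING_CLASSES = {"person", "organizationalperson", "inetorgperson"}  # sn is MUST


def parse_ldif(text):  # unfold continuation lines, decode "::" base64, split entries
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: one leading space dropped
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line:                        # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.lower(), []).append(value.strip())
    return entries


def users_missing_sn(text):  # DNs that would trip the "missing attribute sn" error
    bad = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if classes & SN_REQUIRING_CLASSES and not entry.get("sn"):
            bad.append(entry["dn"][0])
    return bad
```

Run it against the output of `ldapsearch -LLL -b ou=people,dc=example,dc=com` saved to a file; every DN it prints is a user that migrate-ds will refuse unless sn is added or the object class is ignored.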


  • Red Hat Enterprise Linux 7.4
