Maybe this needs to be done in two steps:
Set up a FreeIPA server, initialized the admin user, created a test user with the ipa user-add
command.
List all users in IPA
# ipa user-find --all
---------------
2 users matched
---------------
dn: uid=admin,cn=users,cn=accounts,dc=my,dc=domain
User login: admin
Last name: Administrator
Full name: Administrator
Home directory: /home/admin
GECOS: Administrator
Login shell: /bin/bash
Principal alias: admin@MY.DOMAIN
User password expiration: 20200626033338Z
UID: 1253000000
GID: 1253000000
Account disabled: False
Preserved user: False
Member of groups: admins, trust admins
ipauniqueid: 67d94d98-70a4-11ea-8d6b-5254008afee6
krbextradata: AAKSxX5ecm9vdC9hZG1pbkBNWS5ET01BSU4A
krblastpwdchange: 20200328033338Z
objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
dn: uid=test,cn=users,cn=accounts,dc=my,dc=domain
User login: test
First name: T
Last name: S
Full name: T S
Display name: T S
Initials: TS
Home directory: /home/test
GECOS: T S
Login shell: /bin/bash
Principal name: test@MY.DOMAIN
Principal alias: test@MY.DOMAIN
User password expiration: 20200626035426Z
Email address: test@example.com
UID: 1253000001
GID: 1253000001
Account disabled: False
Preserved user: False
Member of groups: ipausers
ipauniqueid: 996b48fe-70a7-11ea-9a53-5254008afee6
krbextradata: AAJyyn5ea2FkbWluZEBNWS5ET01BSU4A
krblastfailedauth: 20200328035411Z
krblastpwdchange: 20200328035426Z
krbloginfailedcount: 0
krbticketflags: 128
mepmanagedentry: cn=test,cn=groups,cn=accounts,dc=my,dc=domain
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 2
----------------------------
test.ldif
# Add test1
dn: uid=test1,dc=my,dc=domain
changetype: add
objectClass: inetOrgPerson
description: Test1
  d
  e
cn: Test 1
sn: Test
uid: test1

# Add test2
dn: uid=test2,dc=my,dc=domain
changetype: add
objectClass: inetOrgPerson
description: Test2
  d
  e
cn: Test 2
sn: Test
uid: test2
# ldapadd -x -h test.my.domain -D "cn=Directory Manager" -w password -c -f test.ldif
# ldapsearch -h test.my.domain -t -b "dc=my,dc=domain" "uid=test1"
SASL/GSSAPI authentication started
SASL username: admin@MY.DOMAIN
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain> with scope subtree
# filter: uid=test1
# requesting: ALL
#
# test1, my.domain
dn: uid=test1,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
description: Test1 d e
cn: Test 1
sn: Test
uid: test1
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
# ldapsearch -h test.my.domain -t -b "dc=my,dc=domain" "uid=test2"
SASL/GSSAPI authentication started
SASL username: admin@MY.DOMAIN
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain> with scope subtree
# filter: uid=test2
# requesting: ALL
#
# test2, my.domain
dn: uid=test2,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
description: Test2 d e
cn: Test 2
sn: Test
uid: test2
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
They are there.
# ipa migrate-ds ldap://test.my.domain:389 --with-compat
ipa: ERROR: user LDAP search did not return any result (search base: ou=people,dc=my,dc=domain, objectclass: person)
Checked the FreeIPA control panel: the new users (test1, test2) are not there. How do I migrate them?
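A pre-flight check that explains the error above, written as an added example and not part of the post: it parses an LDIF file (including folded continuation lines, which is what produced "Test1 d e") and reports whether each entry would be found by the search the error message describes, i.e. under ou=people relative to the base DN with a person-derived objectClass. The sample LDIF is constructed; test1 sits directly under dc=my,dc=domain as in the post, test2 is placed under ou=people for contrast.

```python
"""Pre-flight check for `ipa migrate-ds`: which LDIF entries match its user search?"""

# Constructed sample: test1 mirrors the post's test.ldif (folded description
# lines start with a space); test2 is placed under ou=people for contrast.
SAMPLE_LDIF = """# Add test1
dn: uid=test1,dc=my,dc=domain
changetype: add
objectClass: inetOrgPerson
description: Test1
  d
  e
cn: Test 1
sn: Test
uid: test1

# Add test2
dn: uid=test2,ou=people,dc=my,dc=domain
changetype: add
objectClass: inetOrgPerson
cn: Test 2
sn: Test
uid: test2
"""

# inetOrgPerson derives from organizationalPerson and person, as the
# ldapsearch output in the post shows; any of these satisfies "objectclass: person".
PERSON_CLASSES = {"person", "organizationalperson", "inetorgperson"}


def parse_ldif(text):
    """Return a list of entries: dict of lowercased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():  # unfold: a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current = current if current is not None else {}
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def would_migrate(entry, base_dn, user_container="ou=people"):
    """True if the migrate-ds user search (container + person class) finds this entry."""
    search_base = normalize_dn(f"{user_container},{base_dn}")
    under_base = normalize_dn(entry["dn"][0]).endswith("," + search_base)
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return under_base and bool(classes & PERSON_CLASSES)


def report(text, base_dn):
    """Map each DN in the LDIF to whether the default migration search would find it."""
    return {e["dn"][0]: would_migrate(e, base_dn) for e in parse_ldif(text)}
```

Entries reported False are exactly the ones the error message says were not returned; either create them under the expected container or point the migration at the container they actually live in (see ipa help migrate-ds for the user-container option).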