Having a closer look at
https://www.freeipa.org/page/Howto/Migration
A ipa migrate-ds command is provided:
$ echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts
--group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass=mepOriginEntry --with-compat
ldap://migrated.freeipa.server.test
I look at this site as a recommendation of how to use ipa migrate-ds, however following
error arises for multiple users:
test_user: attribute \"mepManagedEntry\" not allowed"
I have not been having any issues with "mine" ipa migrate-ds command, but I
look at the provided ipa migrate-ds command as "best practice" or at least
recommendation.
mepOriginEntry is how private groups are implemented.
For more information on migrated private groups see