1 files changed, 14 insertions, 6 deletions

diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index fc2010f90..ea591d31e 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -82,7 +82,7 @@ _supported_schemas = (u'RFC2307bis', u'RFC2307')
 
 
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
-    attr_blacklist = ['krbprincipalkey']
+    attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
 
     # get default primary group for new users
     if 'def_group_dn' not in ctx:
@@ -104,7 +104,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
         entry_attrs['homedirectory'] = home_dir
     entry_attrs.setdefault('gidnumber', ctx['def_group_gid'])
 
-    # do not migrate attributes autogenerated during migration
+    # do not migrate all attributes
     for attr in entry_attrs.keys():
         if attr in attr_blacklist:
             del entry_attrs[attr]
@@ -184,6 +184,8 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
             new_members.append(ldap.normalize_dn(memberdn))
         entry_attrs['member'] = new_members
 
+    attr_blacklist = ['memberofindirect','memberindirect']
+
     schema = kwargs.get('schema', None)
     entry_attrs['ipauniqueid'] = 'autogenerate'
     if schema == 'RFC2307bis':
@@ -198,6 +200,11 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
     else:
         raise ValueError('Schema %s not supported' % schema)
 
+    # do not migrate all attributes
+    for attr in entry_attrs.keys():
+        if attr in attr_blacklist:
+            del entry_attrs[attr]
+
     return dn
 
 
@@ -406,11 +413,11 @@ can use their Kerberos accounts.''')
             migrated[ldap_obj_name] = []
             failed[ldap_obj_name] = {}
 
-            # FIXME: with limits set, we get a strange 'Success' exception
             try:
                 (entries, truncated) = ds_ldap.find_entries(
-                    search_filter, ['*'], search_bases[ldap_obj_name], ds_ldap.SCOPE_ONELEVEL#,
-                    #time_limit=0, size_limit=0
+                    search_filter, ['*'], search_bases[ldap_obj_name],
+                    ds_ldap.SCOPE_ONELEVEL,
+                    time_limit=0, size_limit=-1
                 )
             except errors.NotFound:
                 if not options.get('continue',False):
@@ -483,7 +490,8 @@ can use their Kerberos accounts.''')
 
         # retrieve DS base DN
         (entries, truncated) = ds_ldap.find_entries(
-            '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE
+            '', ['namingcontexts'], '', ds_ldap.SCOPE_BASE,
+            size_limit=-1, time_limit=0,
         )
         try:
             ds_base_dn = entries[0][1]['namingcontexts'][0]