[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

wodel youchi wodel.youchi at gmail.com
Tue Jan 26 09:16:30 UTC 2016


Hi,

I am a newbie in freeipa. I am trying to use it with our mail server.

Our mail server uses openldap with one external schema: qmail.schema. We
use it especially for mailQuota, mailAlternateAddress,
mailForwardingAddress and AccountStatus.

I tried to import this schema to freeipa using ipa-ldap-updater.
I am not sure if I succeeded, but when I tried : ipa config-mod
--addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
objectClass.


[root@ipamaster work]# ipa config-show --all
  dn: cn=ipaConfig,cn=etc,dc=example,dc=com
  Longueur maximale du nom d'utilisateur: 32
  Base du répertoire utilisateur: /home
  Interprèteur par défaut: /bin/sh
  Groupe utilisateur par défaut: ipausers
  Domaine par défaut pour les courriels: example.com
  Limite de temps d'une recherche: 2
  Limite de taille d'une recherche: 100
  Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Activer le mode migration: TRUE
  Base de sujet de certificat: O=EXAMPLE.COM
  Classes d'objets de groupe par défaut: top, ipaobject, groupofnames,
ipausergroup, nestedgroup
  Classes d'objets utilisateur par défaut: ipaobject, person, top,
ipasshuser, inetorgperson, organizationalperson,
                                           krbticketpolicyaux,
krbprincipalaux, *qmailUser*, inetuser, posixaccount
  Notification d'expiration de mot de passe (jours): 4
  Fonctionnalités du greffon mots de passe: AllowNThash
  Ordre de la mappe des utilisateurs SELinux:
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
  Types de PAC par défaut: nfs:NONE, MS-PAC
  aci: (targetattr = "cn || createtimestamp || entryusn ||
ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
       ipadefaultemaildomain || ipadefaultloginshell ||
ipadefaultprimarygroup || ipagroupobjectclasses ||
       ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
ipamaxusernamelength || ipamigrationenabled ||
       ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit ||
ipaselinuxusermapdefault ||
       ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses ||
ipausersearchfields || modifytimestamp ||
       objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version
3.0;acl "permission:System: Read Global
       Configuration";allow (compare,read,search) userdn = "ldap:///all";)
  cn: ipaConfig
  objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
ipaUserAuthTypeClass

Then I tried to migrate openldap's accounts, but without luck so far
#ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"
--continue ldap://192.168.1.121:389
-----------
migrate-ds:
-----------
Migrated:
Failed user:
  jean.doe: Type or value exists:
  jeane.doe: Type or value exists:
 Failed group:
----------
No users/groups were migrated from ldap://192.168.1.121:389


Here is an entry from openldap
dn: uid=jeane.doe,ou=people,dc=example,dc=com
loginShell: /bin/bash
gidNumber: 1000
objectClass: top
objectClass: qmailUser
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: shadowAccount
objectClass: organizationalPerson
mail: jeane.doe@example.com
givenName: DOE
uid: jeane.doe
uidNumber: 1002
displayName: Jeane Doe
homeDirectory: /var/vmail/jeane.doe
accountStatus: yes
mailMessageStore: /var/vmail/jeane.doe
structuralObjectClass: inetOrgPerson
entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20151103120748Z
userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
mailQuotaSize: 1024000
sn: Jeane
cn: DOE
entryCSN: 20160125162455.613052Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20160125162455Z

What does "Type or value exists" mean?

PS: the qmail.schema presents two other objectClasses, but I didn't add or use
them (qldapAdmin, qmailGroup)

Regards