[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

Martin Kosek mkosek@redhat.com
Tue Jan 26 09:53:05 UTC 2016


On 01/26/2016 10:16 AM, wodel youchi wrote:
> Hi,
> 
> I am a newbie in freeipa. I am trying to use it with our mail server.

Cool! What is your version of the FreeIPA server? It will be important for
further investigation.

> Our mail server uses openldap with one external schema: qmail.schema, we
> use it especially for mailQuota, mailAlternateAddress,
> mailForwardingAddress and AccountStatus.
> 
> I tried to import this schema to freeipa using ipa-ldap-updater.
> I am not sure if I succeeded, but when I tried: ipa config-mod
> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
> objectClass.
> 
> 
> [root@ipamaster work]# ipa config-show --all
>   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
>   Longueur maximale du nom d'utilisateur: 32
>   Base du répertoire utilisateur: /home
>   Interprèteur par défaut: /bin/sh
>   Groupe utilisateur par défaut: ipausers
>   Domaine par défaut pour les courriels: example.com
>   Limite de temps d'une recherche: 2
>   Limite de taille d'une recherche: 100
>   Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
>   Group search fields: cn,description
>   Activer le mode migration: TRUE
>   Base de sujet de certificat: O=EXAMPLE.COM
>   Classes d'objets de groupe par défaut: top, ipaobject, groupofnames,
> ipausergroup, nestedgroup
>   Classes d'objets utilisateur par défaut: ipaobject, person, top,
> ipasshuser, inetorgperson, organizationalperson,
>                                            krbticketpolicyaux,
> krbprincipalaux, *qmailUser*, inetuser, posixaccount
>   Notification d'expiration de mot de passe (jours): 4
>   Fonctionnalités du greffon mots de passe: AllowNThash
>   Ordre de la mappe des utilisateurs SELinux:
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>   Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
>   Types de PAC par défaut: nfs:NONE, MS-PAC
>   aci: (targetattr = "cn || createtimestamp || entryusn ||
> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
>        ipadefaultemaildomain || ipadefaultloginshell ||
> ipadefaultprimarygroup || ipagroupobjectclasses ||
>        ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
> ipamaxusernamelength || ipamigrationenabled ||
>        ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit ||
> ipaselinuxusermapdefault ||
>        ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses ||
> ipausersearchfields || modifytimestamp ||
>        objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version
> 3.0;acl "permission:System: Read Global
>        Configuration";allow (compare,read,search) userdn = "ldap:///all";)
>   cn: ipaConfig
>   objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
> ipaUserAuthTypeClass
> 
> Then I tried to migrate openldap's accounts, but without luck so far
> #ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"
> --continue ldap://192.168.1.121:389
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
>   jean.doe: Type or value exists:
>   jeane.doe: Type or value exists:
>  Failed group:
> ----------
> No users/groups were migrated from ldap://192.168.1.121:389
> 
> 
> Here is an entry from openldap
> dn: uid=jeane.doe,ou=people,dc=example,dc=com
> loginShell: /bin/bash
> gidNumber: 1000
> objectClass: top
> objectClass: qmailUser
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: person
> objectClass: shadowAccount
> objectClass: organizationalPerson
> mail: jeane.doe@example.com
> givenName: DOE
> uid: jeane.doe
> uidNumber: 1002
> displayName: Jeane Doe
> homeDirectory: /var/vmail/jeane.doe
> accountStatus: yes
> mailMessageStore: /var/vmail/jeane.doe
> structuralObjectClass: inetOrgPerson
> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
> creatorsName: cn=admin,dc=example,dc=com
> createTimestamp: 20151103120748Z
> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
> mailQuotaSize: 1024000
> sn: Jeane
> cn: DOE
> entryCSN: 20160125162455.613052Z#000000#000#000000
> modifiersName: cn=admin,dc=example,dc=com
> modifyTimestamp: 20160125162455Z
> 
> What does "Type or value exists" mean?

That normally means that you have the same value for an LDAP attribute twice or
that you are trying to add multiple values for a single-valued attribute. I
wonder if we could get better logging, like how exactly the entry looks
before it is added to LDAP.

But right now, I cannot think of a better way than updating
/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
on the FreeIPA server in the following way (new print statement):

                try:
                    print entry_attrs
                    ldap.add_entry(entry_attrs)
                except errors.ExecutionError, e:

, restarting the httpd service and sending us the /var/log/httpd/error_log
after the next migration attempt. Maybe Jan (CCed) knows a better way.

> PS: the qmail.schema presents two other objectClasses, but I didn't add or use
> them (qldapAdmin, qmailGroup)
> 
> Regards
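As an added pre-migration check (not code from the thread or from FreeIPA): parse one openLDAP LDIF entry and flag the two conditions Martin describes behind "Type or value exists" (LDAP result code 20, attributeOrValueExists), a value repeated for one attribute or more than one value for a single-valued attribute. It assumes string values compare case-insensitively as with caseIgnoreMatch, that SINGLE_VALUED is an assumed subset of the RFC 2307/inetOrgPerson single-valued attributes, and that migrate-ds merges the configured default object classes into each entry, modelled here by the hypothetical default_objectclasses parameter.

```python
import base64
from collections import defaultdict
# Constructed sample modelled on the thread's entry, plus a second 'mail' value differing only in case.
SAMPLE_LDIF = """\
dn: uid=jeane.doe,ou=people,dc=example,dc=com
objectClass: top
objectClass: qmailUser
objectClass: inetOrgPerson
uid: jeane.doe
uidNumber: 1002
mail: jeane.doe@example.com
mail: Jeane.Doe@example.com
description:: Qm9uam91cg==
mailQuotaSize: 1024000
"""
# RFC 2307 / inetOrgPerson attributes defined SINGLE-VALUE (assumed subset).
SINGLE_VALUED = {"uidnumber", "gidnumber", "homedirectory", "loginshell", "gecos", "displayname"}

def parse_ldif_entry(text):
    """One LDIF entry -> {attr_lowercase: [values]}; unfolds continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs[name.strip().lower()].append(value.strip())
    return attrs

def find_conflicts(attrs, default_objectclasses=()):
    """(attribute, problem) pairs that would make the add fail with 'Type or value exists'."""
    merged = {k: list(v) for k, v in attrs.items()}
    merged.setdefault("objectclass", []).extend(default_objectclasses)  # assumed migrate-ds merge
    problems = []
    for name, values in merged.items():
        seen = set()
        for v in values:
            if v.lower() in seen:  # caseIgnoreMatch assumed for string syntaxes
                problems.append((name, "duplicate value %r" % v))
            seen.add(v.lower())
        if name in SINGLE_VALUED and len(seen) > 1:
            problems.append((name, "%d values for single-valued attribute" % len(seen)))
    return problems
```

Run find_conflicts over every entry exported from openLDAP with the object classes from `ipa config-show` passed as default_objectclasses to find the offending attribute before the next migrate-ds attempt.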