[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

wodel youchi wodel.youchi at gmail.com
Tue Jan 26 10:22:56 UTC 2016


Thanks, I will try and report back.

I am using CentOS 7.2 x64 with the latest updates

and ipa-server-4.2.0-15.el7.centos.3.x86_64

Regards

2016-01-26 10:53 GMT+01:00 Martin Kosek <mkosek at redhat.com>:

> On 01/26/2016 10:16 AM, wodel youchi wrote:
> > Hi,
> >
> > I am a newbie with FreeIPA. I am trying to use it with our mail server.
>
> Cool! What is your version of the FreeIPA server? It will be important for
> further investigation.
>
> > Our mail server uses OpenLDAP with one external schema, qmail.schema, which we
> > use especially for mailQuota, mailAlternateAddress, mailForwardingAddress
> > and AccountStatus.
> >
> > I tried to import this schema into FreeIPA using ipa-ldap-updater.
> > I am not sure if I succeeded, but when I tried
> > ipa config-mod --addattr=ipaGroupObjectClasses=qmailUser
> > it worked and I can see the objectClass.
> >
> >
> > [root at ipamaster work]# ipa config-show --all
> >   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
> >   Maximum username length: 32
> >   Home directory base: /home
> >   Default shell: /bin/sh
> >   Default users group: ipausers
> >   Default e-mail domain: example.com
> >   Search time limit: 2
> >   Search size limit: 100
> >   User search fields: uid,givenname,sn,telephonenumber,ou,title
> >   Group search fields: cn,description
> >   Enable migration mode: TRUE
> >   Certificate Subject base: O=EXAMPLE.COM
> >   Default group objectclasses: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> >   Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, *qmailUser*, inetuser, posixaccount
> >   Password Expiration Notification (days): 4
> >   Password plugin features: AllowNThash
> >   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> >   Default SELinux user: unconfined_u:s0-s0:c0.c1023
> >   Default PAC types: nfs:NONE, MS-PAC
> >   aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
> >   cn: ipaConfig
> >   objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, ipaUserAuthTypeClass
> >
> > Then I tried to migrate OpenLDAP's accounts, but without luck so far:
> > #ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com" --continue ldap://192.168.1.121:389
> > -----------
> > migrate-ds:
> > -----------
> > Migrated:
> > Failed user:
> >   jean.doe: Type or value exists:
> >   jeane.doe: Type or value exists:
> > Failed group:
> > ----------
> > No users/groups were migrated from ldap://192.168.1.121:389
> >
> >
> > Here is an entry from OpenLDAP:
> > dn: uid=jeane.doe,ou=people,dc=example,dc=com
> > loginShell: /bin/bash
> > gidNumber: 1000
> > objectClass: top
> > objectClass: qmailUser
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: shadowAccount
> > objectClass: organizationalPerson
> > mail: jeane.doe at example.com
> > givenName: DOE
> > uid: jeane.doe
> > uidNumber: 1002
> > displayName: Jeane Doe
> > homeDirectory: /var/vmail/jeane.doe
> > accountStatus: yes
> > mailMessageStore: /var/vmail/jeane.doe
> > structuralObjectClass: inetOrgPerson
> > entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
> > creatorsName: cn=admin,dc=example,dc=com
> > createTimestamp: 20151103120748Z
> > userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
> > mailQuotaSize: 1024000
> > sn: Jeane
> > cn: DOE
> > entryCSN: 20160125162455.613052Z#000000#000#000000
> > modifiersName: cn=admin,dc=example,dc=com
> > modifyTimestamp: 20160125162455Z
> >
> > What does "Type or value exists" mean?
>
> That normally means that you have the same value for an LDAP attribute twice,
> or that you are trying to add multiple values for a single-valued attribute.
> I wonder if we could get better logging, like how exactly the entry looks
> before it is added to LDAP.
>
> But right now, I cannot think of a better way than updating
> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
> on the FreeIPA server in the following way (new print statement):
>
>                 try:
>                     # debugging aid: dump the entry exactly as it is about to be added
>                     print entry_attrs
>                     ldap.add_entry(entry_attrs)
>                 except errors.ExecutionError, e:
>
> then restarting the httpd service and sending us the /var/log/httpd/error_log
> after the next migration attempt. Maybe Jan (CCed) knows a better way.
>
> > PS: qmail.schema presents two other objectClasses, but I didn't add or use
> > them (qldapAdmin, qmailGroup).
> >
> > Regards
> >
> >
> >
>
>
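The explanation of "Type or value exists" in the quoted reply can be checked offline before the entry ever reaches the directory server. The script below is an added example and is not code from this thread or from FreeIPA: it takes the objectClass values of the posted OpenLDAP entry and the ipaUserObjectClasses from the `ipa config-show` output, merges them the way a migration step might, and reports exactly the two conditions Martin names (a value supplied twice for one attribute type, or more than one value for a single-valued attribute). objectClass values are compared case-insensitively, as a directory server does under objectIdentifierMatch. The small schema table, and the assumption that the migration adds the default object classes to the entry's own list, are assumptions for the illustration; whether `migrate-ds` case-folds that list is precisely what the suggested print statement would reveal.

```python
"""
Added example, not code from the thread or from FreeIPA: an offline check for
the two conditions behind LDAP result code 20, "Type or value exists":

  1. the same value supplied twice for one attribute type, and
  2. more than one value supplied for a single-valued attribute.

objectClass values are compared case-insensitively (objectIdentifierMatch), so
"inetOrgPerson" and "inetorgperson" are the same value to the server. The
schema table and the merge step are assumptions made for the illustration.
"""

# Constructed sample data, copied from the thread: the objectClass values of
# the posted OpenLDAP entry and the ipaUserObjectClasses from `ipa config-show`.
SOURCE_ENTRY = {
    "objectClass": ["top", "qmailUser", "inetOrgPerson", "posixAccount",
                    "person", "shadowAccount", "organizationalPerson"],
    "uid": ["jeane.doe"],
    "uidNumber": ["1002"],
    "gidNumber": ["1000"],
    "homeDirectory": ["/var/vmail/jeane.doe"],
    "mailQuotaSize": ["1024000"],
    "accountStatus": ["yes"],
}

IPA_USER_OBJECTCLASSES = ["ipaobject", "person", "top", "ipasshuser",
                          "inetorgperson", "organizationalperson",
                          "krbticketpolicyaux", "krbprincipalaux",
                          "qmailUser", "inetuser", "posixaccount"]

# Assumed subset of the schema: attribute types declared SINGLE-VALUE.
# uidNumber/gidNumber/homeDirectory/loginShell are single-valued in RFC 2307;
# mailQuotaSize and accountStatus are assumed single-valued in qmail.schema.
SINGLE_VALUED = {"uidnumber", "gidnumber", "homedirectory", "loginshell",
                 "mailquotasize", "accountstatus"}

# Attribute types whose equality matching rule ignores case of the value.
# Everything else is treated as case-exact here (a conservative assumption).
CASE_IGNORE = {"objectclass"}


def normalise(attr, value):
    """Canonical form of a value under the attribute's assumed equality rule."""
    return value.lower() if attr.lower() in CASE_IGNORE else value


def merge_objectclasses(entry, defaults, case_fold):
    """Return a copy of `entry` with `defaults` appended to objectClass.

    case_fold=False mimics a naive union that treats "inetOrgPerson" and
    "inetorgperson" as different strings; case_fold=True dedupes them the
    way the server's matching rule would.
    """
    merged = {k: list(v) for k, v in entry.items()}
    seen, out = set(), []
    for oc in merged.get("objectClass", []) + list(defaults):
        key = oc.lower() if case_fold else oc
        if key not in seen:
            seen.add(key)
            out.append(oc)
    merged["objectClass"] = out
    return merged


def find_type_or_value_conflicts(entry):
    """Report what would make an ADD of `entry` fail with result code 20.

    Returns a list of (attribute, reason, values); an empty list means the
    entry is clean with respect to both conditions.
    """
    problems = []
    for attr, values in entry.items():
        canon = [normalise(attr, v) for v in values]
        dupes = sorted({c for c in canon if canon.count(c) > 1})
        if dupes:
            problems.append((attr, "duplicate value", dupes))
        if attr.lower() in SINGLE_VALUED and len(values) > 1:
            problems.append((attr, "multiple values for single-valued attribute",
                             list(values)))
    return problems


def check_migration(entry, defaults, case_fold):
    """Merge the default object classes into `entry`, then check the result."""
    return find_type_or_value_conflicts(
        merge_objectclasses(entry, defaults, case_fold))


if __name__ == "__main__":
    for fold in (False, True):
        print("case-folded merge: %s" % fold)
        for attr, reason, values in check_migration(
                SOURCE_ENTRY, IPA_USER_OBJECTCLASSES, fold):
            print("  %s: %s: %s" % (attr, reason, ", ".join(values)))
```

Run as a script, the case-folded merge comes back clean, while the exact-string merge reports objectClass values that differ from the defaults only in case (inetOrgPerson, organizationalPerson, posixAccount), which is the first of the two conditions. Feeding the entry printed by the debugging statement from the reply into `find_type_or_value_conflicts` would show which condition applies on the real server.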