[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

wodel youchi wodel.youchi at gmail.com
Tue Jan 26 13:20:20 UTC 2016


Hi,

In the log above (httpd log), the LDAPEntry contains both the qmailuser and qmailUser
objectClasses; I don't know if this is what is causing the problem.

Another thing: I can't import groups either. I did add a simple group to
my LDAP:
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
structuralObjectClass: organizationalUnit

dn: cn=vmail,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 5000
structuralObjectClass: posixGroup
cn: vmail

When I launch the migration command I get:

ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de
recherche : ou=groups,dc=example,dc=com, classe d'objet :
groupofuniquenames, groupofnames)

Any idea?

Regards.

2016-01-26 13:42 GMT+01:00 wodel youchi <wodel.youchi at gmail.com>:

> Hi again,
>
> This is what I get from httpd error_log
>
> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID
> number 1000 of migrated user jean.doe does not point to a known group.
> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427]
> LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'),
> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'],
> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
> u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux',
> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'],
> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
> u'krbprincipalname': [u'jean.doe@EXAMPLE.COM'], u'mailMessageStore':
> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName':
> ['Jean Doe'], u'userPassword': ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'],
> u'accountStatus': ['yes'], u'mailAlternateAddress': ['root@example.com',
> 'postmaster@example.com'], u'sn': ['Jean'], u'homeDirectory':
> ['/var/vmail/jean.doe'], u'mail': ['jean.doe@example.com'], u'givenName':
> ['DOE']})
> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID
> number 1000 of migrated user jeane.doe does not point to a known group.
> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427]
> LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'),
> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'],
> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
> u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux',
> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'],
> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
> u'krbprincipalname': [u'jeane.doe@EXAMPLE.COM'], u'mailMessageStore':
> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'], u'displayName':
> ['Jeane Doe'], u'userPassword': ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'],
> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory':
> ['/var/vmail/jeane.doe'], u'mail': ['jeane.doe@example.com'],
> u'givenName': ['DOE']})
>
> Regards.
>
> 2016-01-26 11:22 GMT+01:00 wodel youchi <wodel.youchi at gmail.com>:
>
>> Thanks I will try and report back.
>>
>> I am using Centos 7.2x64 with latest updates
>>
>> and ipa-server-4.2.0-15.el7.centos.3.x86_64
>>
>> Regards
>>
>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <mkosek at redhat.com>:
>>
>>> On 01/26/2016 10:16 AM, wodel youchi wrote:
>>> > Hi,
>>> >
>>> > I am a newbie in freeipa. I am trying to use it with our mail server.
>>>
>>> Cool! What is your version of the FreeIPA server? It will be important
>>> for further investigation.
>>>
>>> > Our mail server uses openldap with one external schema : qmail.schema,
>>> > we use it especially for mailQuota, mailAlternateAddress,
>>> > mailForwardingAddress and AccountStatus.
>>> >
>>> > I tried to import this schema to freeipa using ipa-ldap-updater.
>>> > I am not sure if I succeeded, but when I tried : ipa config-mod
>>> > --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
>>> > objectClass.
>>> >
>>> >
>>> > [root@ipamaster work]# ipa config-show --all
>>> >   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
>>> >   Longueur maximale du nom d'utilisateur: 32
>>> >   Base du répertoire utilisateur: /home
>>> >   Interprèteur par défaut: /bin/sh
>>> >   Groupe utilisateur par défaut: ipausers
>>> >   Domaine par défaut pour les courriels: example.com
>>> >   Limite de temps d'une recherche: 2
>>> >   Limite de taille d'une recherche: 100
>>> >   Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
>>> >   Group search fields: cn,description
>>> >   Activer le mode migration: TRUE
>>> >   Base de sujet de certificat: O=EXAMPLE.COM
>>> >   Classes d'objets de groupe par défaut: top, ipaobject, groupofnames,
>>> > ipausergroup, nestedgroup
>>> >   Classes d'objets utilisateur par défaut: ipaobject, person, top,
>>> > ipasshuser, inetorgperson, organizationalperson,
>>> >                                            krbticketpolicyaux,
>>> > krbprincipalaux, *qmailUser*, inetuser, posixaccount
>>> >   Notification d'expiration de mot de passe (jours): 4
>>> >   Fonctionnalités du greffon mots de passe: AllowNThash
>>> >   Ordre de la mappe des utilisateurs SELinux:
>>> >
>>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>> >   Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
>>> >   Types de PAC par défaut: nfs:NONE, MS-PAC
>>> >   aci: (targetattr = "cn || createtimestamp || entryusn ||
>>> > ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
>>> >        ipadefaultemaildomain || ipadefaultloginshell ||
>>> > ipadefaultprimarygroup || ipagroupobjectclasses ||
>>> >        ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
>>> > ipamaxusernamelength || ipamigrationenabled ||
>>> >        ipapwdexpadvnotify || ipasearchrecordslimit ||
>>> ipasearchtimelimit ||
>>> > ipaselinuxusermapdefault ||
>>> >        ipaselinuxusermaporder || ipauserauthtype ||
>>> ipauserobjectclasses ||
>>> > ipausersearchfields || modifytimestamp ||
>>> >        objectclass")(targetfilter =
>>> "(objectclass=ipaguiconfig)")(version
>>> > 3.0;acl "permission:System: Read Global
>>> >        Configuration";allow (compare,read,search) userdn =
>>> "ldap:///all";)
>>> >   cn: ipaConfig
>>> >   objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
>>> > ipaUserAuthTypeClass
>>> >
>>> > Then I tried to migrate openldap's accounts, but without luck so far
>>> > #ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"
>>> > --continue ldap://192.168.1.121:389
>>> > -----------
>>> > migrate-ds:
>>> > -----------
>>> > Migrated:
>>> > Failed user:
>>> >   jean.doe: Type or value exists:
>>> >   jeane.doe: Type or value exists:
>>> >  Failed group:
>>> > ----------
>>> > No users/groups were migrated from ldap://192.168.1.121:389
>>> >
>>> >
>>> > Here is an entry from openldap
>>> > dn: uid=jeane.doe,ou=people,dc=example,dc=com
>>> > loginShell: /bin/bash
>>> > gidNumber: 1000
>>> > objectClass: top
>>> > objectClass: qmailUser
>>> > objectClass: inetOrgPerson
>>> > objectClass: posixAccount
>>> > objectClass: person
>>> > objectClass: shadowAccount
>>> > objectClass: organizationalPerson
>>> > mail: jeane.doe@example.com
>>> > givenName: DOE
>>> > uid: jeane.doe
>>> > uidNumber: 1002
>>> > displayName: Jeane Doe
>>> > homeDirectory: /var/vmail/jeane.doe
>>> > accountStatus: yes
>>> > mailMessageStore: /var/vmail/jeane.doe
>>> > structuralObjectClass: inetOrgPerson
>>> > entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
>>> > creatorsName: cn=admin,dc=example,dc=com
>>> > createTimestamp: 20151103120748Z
>>> > userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
>>> > mailQuotaSize: 1024000
>>> > sn: Jeane
>>> > cn: DOE
>>> > entryCSN: 20160125162455.613052Z#000000#000#000000
>>> > modifiersName: cn=admin,dc=example,dc=com
>>> > modifyTimestamp: 20160125162455Z
>>> >
>>> > What does "Type or value exists" mean?
>>>
>>> That normally means that you have the same value for an LDAP attribute
>>> twice, or that you are trying to add multiple values for a single-valued
>>> attribute. I wonder if we could get better logging, like how exactly the
>>> entry looks before it is added to LDAP.
>>>
>>> But right now, I cannot think of a better way than updating
>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
>>> on the FreeIPA server the following way (new print statement):
>>>
>>>                 try:
>>>                     print entry_attrs
>>>                     ldap.add_entry(entry_attrs)
>>>                 except errors.ExecutionError, e:
>>>
>>> then restarting the httpd service and sending us the /var/log/httpd/error_log
>>> after the next migration attempt. Maybe Jan (CCed) knows a better way.
>>>
>>> > PS: the qmail.schema presents two other objectClasses, but I didn't use
>>> > them (qldapAdmin, qmailGroup)
>>> >
>>> > Regards
>>> >
>>> >
>>> >
>>>
>>>
>>
>
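The httpd log quoted in this thread shows the migrated entry carrying both qmailuser (the source entry's value, lowercased by the migration) and qmailUser (the value added to ipaUserObjectClasses with config-mod, kept as written); objectClass values match case-insensitively in LDAP, so 389-ds sees one value twice, which is exactly the "Type or value exists" condition Martin describes. The migrate-ds error for groups says it searched ou=groups for groupofuniquenames/groupofnames, while the group Wodel added is only a posixGroup. The following pre-migration lint is an added example, not FreeIPA project code and not from anyone in the thread. It parses an LDIF export of the source tree (constructed sample inline, modelled on the posted entries), simulates the merge the log shows (source classes lowercased, configured defaults as written) to flag case-only duplicates, and flags group entries that carry none of the object classes the group search uses. The default-class list is copied from the `ipa config-show --all` output above; the merge behaviour is an assumption drawn from that log, not a reading of migration.py.

```python
"""Pre-migration lint for an LDIF export of the source OpenLDAP tree.

Added example (not FreeIPA code). Checks two conditions seen in the thread:
 1. objectClass values that, after the migration merges the configured
    defaults into the entry, differ only in letter case (qmailuser/qmailUser);
 2. group entries with none of the object classes migrate-ds searches for.
"""
import base64

# Copied from the `ipa config-show --all` output in the thread: every default
# is lowercase except the qmailUser value that was added with config-mod.
IPA_DEFAULT_USER_CLASSES = (
    "ipaobject", "person", "top", "ipasshuser", "inetorgperson",
    "organizationalperson", "krbticketpolicyaux", "krbprincipalaux",
    "qmailUser", "inetuser", "posixaccount",
)
# Object classes named in the migrate-ds group search error message.
MIGRATE_GROUP_CLASSES = ("groupofuniquenames", "groupofnames")

# Constructed sample modelled on the entries posted in the thread.
SAMPLE_LDIF = "\n".join([
    "dn: uid=jeane.doe,ou=people,dc=example,dc=com",
    "objectClass: top",
    "objectClass: qmailUser",
    "objectClass: inetOrgPerson",
    "objectClass: posixAccount",
    "objectClass: person",
    "objectClass: shadowAccount",
    "objectClass: organizationalPerson",
    "uid: jeane.doe",
    "mail: jeane.doe@example.com",
    # base64 value ('::'), built here so the sample stays self-consistent
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed-placeholder").decode(),
    "",
    "dn: cn=vmail,ou=groups,dc=example,dc=com",
    "objectClass: top",
    "objectClass: posixGroup",
    "gidNumber: 5000",
    "cn: vmail",
    "",
    "dn: cn=staff,ou=groups,dc=example,dc=com",
    "objectClass: top",
    "objectClass: groupOfNames",
    "member: uid=jeane.doe,ou=people,dc=example,dc=com",
    "cn: staff",
    "",
])


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space), base64 values ('::'),
    comment lines and blank-line entry separators.
    """
    entries, current, lines = [], {}, []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def object_classes(entry):
    """Return the entry's objectClass values (attribute name matched case-insensitively)."""
    for attr, values in entry.items():
        if attr.lower() == "objectclass":
            return list(values)
    return []


def merged_objectclass_duplicates(entry, defaults=IPA_DEFAULT_USER_CLASSES):
    """Simulate the merge visible in the httpd log (assumption: source classes
    lowercased, configured defaults kept as written) and return the groups of
    strings that are distinct yet the same objectClass under LDAP's
    case-insensitive matching. 389-ds rejects such a pair with
    "Type or value exists" on add."""
    merged = {oc.lower() for oc in object_classes(entry)} | set(defaults)
    groups = {}
    for oc in merged:
        groups.setdefault(oc.lower(), set()).add(oc)
    return {key: sorted(vals) for key, vals in groups.items() if len(vals) > 1}


def missing_group_classes(entry, wanted=MIGRATE_GROUP_CLASSES):
    """True if the group carries none of the classes the migration searches by."""
    have = {oc.lower() for oc in object_classes(entry)}
    return not (have & {w.lower() for w in wanted})


def lint(ldif_text, defaults=IPA_DEFAULT_USER_CLASSES):
    """Return (dn, finding) pairs for entries that would trip the migration."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["(no dn)"])[0]
        classes = {oc.lower() for oc in object_classes(entry)}
        if classes & {"posixgroup", "groupofnames", "groupofuniquenames"}:
            if missing_group_classes(entry):
                findings.append((dn, "group has none of %s; the migrate-ds group "
                                     "search will not return it" % ", ".join(MIGRATE_GROUP_CLASSES)))
        elif classes & {"posixaccount", "inetorgperson", "person"}:
            for values in merged_objectclass_duplicates(entry, defaults).values():
                findings.append((dn, "objectClass values differing only in case "
                                     "after merge: " + ", ".join(values)))
    return findings


if __name__ == "__main__":
    for dn, finding in lint(SAMPLE_LDIF):
        print("%s: %s" % (dn, finding))
```

Run against the real export (`slapcat` output, for instance) before invoking migrate-ds. With the constructed sample the user entry is reported for the qmailUser/qmailuser pair and cn=vmail for lacking a groupOfNames-style class, while cn=staff passes; passing `defaults=("qmailuser",)` (the lowercase spelling, matching the other configured defaults) makes the duplicate disappear, which is the knob the config-show output points at. For groups that are only posixGroup, `ipa migrate-ds` accepts a `--group-objectclass` option to change what the group search looks for; check `ipa migrate-ds --help` on the installed 4.2 version for the exact form.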