[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

Martin Kosek mkosek at redhat.com
Tue Jan 26 15:15:55 UTC 2016


On 01/26/2016 02:20 PM, wodel youchi wrote:
> Hi,
> 
> In the above log (httpd log) the LDAPEntry contains qmailuser and qmailUser
> objectClasses, I don't know if this is what is causing the problem.

That's probably it. Can you please try to lowercase 'qmailUser' in the FreeIPA
config and try the migration again?

> Another thing, I can't import groups either. I did add a simple group to
> my ldap:
> dn: ou=groups,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: groups
> structuralObjectClass: organizationalUnit
> 
> dn: cn=vmail,ou=groups,dc=example,dc=com
> objectClass: top
> objectClass: posixGroup
> gidNumber: 5000
> structuralObjectClass: posixGroup
> cn: vmail
> 
> When I launch the migration command I get
> 
> ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de
> recherche : ou=groups,dc=example,dc=com, classe d'objet :
> groupofuniquenames, groupofnames)
> 
> any idea?

I cannot really read French, but I suspect you could use the option

  --group-objectclass=STR
                        Objectclasses used to search for group entries in DS

to specify the objectclass the migration should search (posixGroup in your case)

> 
> Regards.
> 
> 2016-01-26 13:42 GMT+01:00 wodel youchi <wodel.youchi at gmail.com>:
> 
>> Hi again,
>>
>> This is what I get from httpd error_log
>>
>> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID
>> number 1000 of migrated user jean.doe does not point to a known group.
>> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427]
>> LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'),
>> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'],
>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
>> u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux',
>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'],
>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
>> u'krbprincipalname': [u'jean.doe at EXAMPLE.COM'], u'mailMessageStore':
>> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName':
>> ['Jean Doe'], u'userPassword': ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'],
>> u'accountStatus': ['yes'], u'mailAlternateAddress': ['root at example.com', '
>> postmaster at example.com'], u'sn': ['Jean'], u'homeDirectory':
>> ['/var/vmail/jean.doe'], u'mail': ['jean.doe at example.com'], u'givenName':
>> ['DOE']})
>> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID
>> number 1000 of migrated user jeane.doe does not point to a known group.
>> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427]
>> LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'),
>> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'],
>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
>> u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux',
>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'],
>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
>> u'krbprincipalname': [u'jeane.doe at EXAMPLE.COM'], u'mailMessageStore':
>> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'], u'displayName':
>> ['Jeane Doe'], u'userPassword': ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'],
>> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory':
>> ['/var/vmail/jeane.doe'], u'mail': ['jeane.doe at example.com'],
>> u'givenName': ['DOE']})
>>
>> Regards.
>>
>> 2016-01-26 11:22 GMT+01:00 wodel youchi <wodel.youchi at gmail.com>:
>>
>>> Thanks I will try and report back.
>>>
>>> I am using Centos 7.2x64 with latest updates
>>>
>>> and ipa-server-4.2.0-15.el7.centos.3.x86_64
>>>
>>> Regards
>>>
>>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <mkosek at redhat.com>:
>>>
>>>> On 01/26/2016 10:16 AM, wodel youchi wrote:
>>>>> Hi,
>>>>>
>>>>> I am a newbie in freeipa. I am trying to use it with our mail server.
>>>>
>>>> Cool! What is your version of the FreeIPA server? It will be important
>>>> for further investigation.
>>>>
>>>>> Our mail server uses openldap with one external schema: qmail.schema,
>>>>> we use it especially for mailQuota, mailAlternateAddress,
>>>>> mailForwardingAddress and AccountStatus.
>>>>>
>>>>> I tried to import this schema to freeipa using ipa-ldap-updater.
>>>>> I am not sure if I succeeded, but when I tried : ipa config-mod
>>>>> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
>>>>> objectClass.
>>>>>
>>>>>
>>>>> [root at ipamaster work]# ipa config-show --all
>>>>>   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
>>>>>   Longueur maximale du nom d'utilisateur: 32
>>>>>   Base du répertoire utilisateur: /home
>>>>>   Interprèteur par défaut: /bin/sh
>>>>>   Groupe utilisateur par défaut: ipausers
>>>>>   Domaine par défaut pour les courriels: example.com
>>>>>   Limite de temps d'une recherche: 2
>>>>>   Limite de taille d'une recherche: 100
>>>>>   Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
>>>>>   Group search fields: cn,description
>>>>>   Activer le mode migration: TRUE
>>>>>   Base de sujet de certificat: O=EXAMPLE.COM
>>>>>   Classes d'objets de groupe par défaut: top, ipaobject, groupofnames,
>>>>> ipausergroup, nestedgroup
>>>>>   Classes d'objets utilisateur par défaut: ipaobject, person, top,
>>>>> ipasshuser, inetorgperson, organizationalperson,
>>>>>                                            krbticketpolicyaux,
>>>>> krbprincipalaux, *qmailUser*, inetuser, posixaccount
>>>>>   Notification d'expiration de mot de passe (jours): 4
>>>>>   Fonctionnalités du greffon mots de passe: AllowNThash
>>>>>   Ordre de la mappe des utilisateurs SELinux: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>>>>   Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
>>>>>   Types de PAC par défaut: nfs:NONE, MS-PAC
>>>>>   aci: (targetattr = "cn || createtimestamp || entryusn ||
>>>>> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
>>>>>        ipadefaultemaildomain || ipadefaultloginshell ||
>>>>> ipadefaultprimarygroup || ipagroupobjectclasses ||
>>>>>        ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
>>>>> ipamaxusernamelength || ipamigrationenabled ||
>>>>>        ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit ||
>>>>> ipaselinuxusermapdefault ||
>>>>>        ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses ||
>>>>> ipausersearchfields || modifytimestamp ||
>>>>>        objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version
>>>>> 3.0;acl "permission:System: Read Global
>>>>>        Configuration";allow (compare,read,search) userdn = "ldap:///all";)
>>>>>   cn: ipaConfig
>>>>>   objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
>>>>> ipaUserAuthTypeClass
>>>>>
>>>>> Then I tried to migrate openldap's accounts, but without luck so far
>>>>> #ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"
>>>>> --continue ldap://192.168.1.121:389
>>>>> -----------
>>>>> migrate-ds:
>>>>> -----------
>>>>> Migrated:
>>>>> Failed user:
>>>>>   jean.doe: Type or value exists:
>>>>>   jeane.doe: Type or value exists:
>>>>>  Failed group:
>>>>> ----------
>>>>> No users/groups were migrated from ldap://192.168.1.121:389
>>>>>
>>>>>
>>>>> Here is an entry from openldap
>>>>> dn: uid=jeane.doe,ou=people,dc=example,dc=com
>>>>> loginShell: /bin/bash
>>>>> gidNumber: 1000
>>>>> objectClass: top
>>>>> objectClass: qmailUser
>>>>> objectClass: inetOrgPerson
>>>>> objectClass: posixAccount
>>>>> objectClass: person
>>>>> objectClass: shadowAccount
>>>>> objectClass: organizationalPerson
>>>>> mail: jeane.doe at example.com
>>>>> givenName: DOE
>>>>> uid: jeane.doe
>>>>> uidNumber: 1002
>>>>> displayName: Jeane Doe
>>>>> homeDirectory: /var/vmail/jeane.doe
>>>>> accountStatus: yes
>>>>> mailMessageStore: /var/vmail/jeane.doe
>>>>> structuralObjectClass: inetOrgPerson
>>>>> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
>>>>> creatorsName: cn=admin,dc=example,dc=com
>>>>> createTimestamp: 20151103120748Z
>>>>> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
>>>>> mailQuotaSize: 1024000
>>>>> sn: Jeane
>>>>> cn: DOE
>>>>> entryCSN: 20160125162455.613052Z#000000#000#000000
>>>>> modifiersName: cn=admin,dc=example,dc=com
>>>>> modifyTimestamp: 20160125162455Z
>>>>>
>>>>> What does "Type or value exists" mean?
>>>>
>>>> That normally means that you have the same value for an LDAP attribute
>>>> twice or that you are trying to add multiple values for a single-valued
>>>> attribute. I wonder if we could get better logging, like how exactly the
>>>> entry looks before it is added to LDAP.
>>>>
>>>> But right now, I cannot think about a better way than updating
>>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
>>>> on the FreeIPA server the following way (new print statement)
>>>>
>>>>                 try:
>>>>                     print entry_attrs
>>>>                     ldap.add_entry(entry_attrs)
>>>>                 except errors.ExecutionError, e:
>>>>
>>>> , restarting the httpd service and sending us the /var/log/httpd/error_log
>>>> after the next migration attempt. Maybe Jan (CCed) knows a better way.
>>>>
>>>>> PS: the qmail.schema presents two other objectClasses, but I didn't add
>>>>> or use them (qldapAdmin, qmailGroup)
>>>>>
>>>>> Regards
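The two suggestions in Martin's reply, lower-casing 'qmailUser' in the IPA config and pointing the group search at posixGroup, can be checked offline against an LDIF dump of the source directory before the next migrate-ds run. The script below is an added example for this thread, not FreeIPA code; its function names (parse_ldif, merge_objectclasses, case_insensitive_duplicates, matching_groups, orphan_gids) and the LDIF sample are constructed. It assumes, to match the entry in the httpd log, that the migration lower-cases the source entry's objectClass values and appends the configured ipaUserObjectClasses as typed. The directory compares objectClass values case-insensitively, so 'qmailuser' next to 'qmailUser' is one value given twice, which is what "Type or value exists" reports. It also shows why a filter on groupofnames/groupofuniquenames returns nothing for a posixGroup entry, and lists users whose gidNumber no group in the dump owns, the condition behind the "does not point to a known group" warning.

```python
"""Offline pre-flight checks for an openLDAP -> FreeIPA migrate-ds run.
Added example for this thread, not FreeIPA code.  It models the symptoms
quoted above: 'Type or value exists' from objectClass values that differ only
in case, an empty group search because the default filter lacks posixGroup,
and a user gidNumber that no group owns."""
import re
from collections import defaultdict

# Constructed LDIF, modelled on the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=jeane.doe,ou=people,dc=example,dc=com
objectClass: top
objectClass: qmailUser
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jeane.doe
gidNumber: 1000

dn: cn=vmail,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 5000
cn: vmail
"""

# ipaUserObjectClasses as 'ipa config-show' printed them, mixed-case qmailUser included.
IPA_USER_OBJECTCLASSES = ["ipaobject", "person", "top", "ipasshuser",
                          "inetorgperson", "organizationalperson",
                          "krbticketpolicyaux", "krbprincipalaux",
                          "qmailUser", "inetuser", "posixaccount"]
DEFAULT_GROUP_SEARCH = ["groupofuniquenames", "groupofnames"]  # migrate-ds default


def parse_ldif(text):
    """Tiny LDIF reader (no base64 values, no line folding).
    Returns [(dn, {attribute_lowercased: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append((dn, dict(attrs)))
    return entries


def merge_objectclasses(source_ocs, ipa_ocs):
    """Assumed model of the merge, chosen to reproduce the logged entry: source
    values lower-cased, configured values kept as typed, case-sensitive union.
    That is how 'qmailUser' ends up beside 'qmailuser'."""
    merged = []
    for oc in [oc.lower() for oc in source_ocs] + list(ipa_ocs):
        if oc not in merged:
            merged.append(oc)
    return merged


def case_insensitive_duplicates(values):
    """{lowercased: [variants]} for values that differ only in case.  The
    directory compares objectClass case-insensitively, so any hit here is
    the same value supplied twice: 'Type or value exists'."""
    groups = defaultdict(list)
    for v in values:
        groups[v.lower()].append(v)
    return {k: vs for k, vs in groups.items() if len(vs) > 1}


def matching_groups(entries, search_ocs):
    """DNs that a search for objectclass in search_ocs (what
    --group-objectclass controls) would return."""
    wanted = {oc.lower() for oc in search_ocs}
    return [dn for dn, a in entries
            if wanted & {oc.lower() for oc in a.get("objectclass", [])}]


def orphan_gids(entries):
    """(dn, gidNumber) of posixAccount users whose primary GID no posixGroup
    in the dump owns; these draw the 'does not point to a known group' warning."""
    def has_oc(attrs, oc):
        return oc in {x.lower() for x in attrs.get("objectclass", [])}
    group_gids = {g for _, a in entries if has_oc(a, "posixgroup")
                  for g in a.get("gidnumber", [])}
    return [(dn, g) for dn, a in entries if has_oc(a, "posixaccount")
            for g in a.get("gidnumber", []) if g not in group_gids]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user_ocs = entries[0][1]["objectclass"]
    print("duplicates as configured:", case_insensitive_duplicates(
        merge_objectclasses(user_ocs, IPA_USER_OBJECTCLASSES)))
    print("duplicates after lower-casing the config:", case_insensitive_duplicates(
        merge_objectclasses(user_ocs, [oc.lower() for oc in IPA_USER_OBJECTCLASSES])))
    print("groups found by the default filter:", matching_groups(entries, DEFAULT_GROUP_SEARCH))
    print("groups found with --group-objectclass=posixGroup:", matching_groups(entries, ["posixGroup"]))
    print("users whose primary GID is unknown:", orphan_gids(entries))
```

Run as is, the duplicate disappears once the configured value is lower-cased and the group only shows up when posixGroup is in the search list. To check a real tree, feed parse_ldif an `ldapsearch -LLL` export instead of the sample; attributes exported base64-encoded (the `::` form, as userPassword is above) are not decoded by this reader, which is fine for the objectClass and gidNumber checks.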