[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

wodel youchi wodel.youchi at gmail.com
Tue Jan 26 16:13:14 UTC 2016 

Hi,

For the first problem I redid the import using this syntax
ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat
--user-ignore-objectclass qmailuser --continue ldap://192.168.1.121:389

and it worked, all accounts were imported successfully.

The thing I don't know where the query is getting qmailuser, since the
objectclass imported is qmailUser!!!

About the second problem, the error say (sorry for the french btw) :
Error : the search for LDAP group do not return any result (search
base ou=groups,dc=example,dc=com,
objectClass : groupofuniquenames, groupofnames))

And I tested with this command
ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat
--group-objectclass=posixGroup --user-ignore-objectclass qmailuser ldap://
192.168.1.121:389

and it worked, as you said I had to add --group-objectclass=posixGroup

Now, I need to added some of attributes to the Webui when creating a new
user, for example mailQuotaSize, is there a way to do that?

Thanks for your help.
Regards.


2016-01-26 16:15 GMT+01:00 Martin Kosek <mkosek at redhat.com>:

> On 01/26/2016 02:20 PM, wodel youchi wrote:
> > Hi,
> >
> > In the above log (httpd log) the LDAPEntry contains qmailuser and
> qmailUser
> > objectClasses, I don't know if this is what is causing the problem.
>
> That's probably it. Can you please try to lowercaser 'qmailUser' in the
> FreeIPA
> config and try the migration again?
>
> > Another thing, I can't import groups as well, I did add a simple group to
> > my ldap
> > dn: ou=groups,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: groups
> > structuralObjectClass: organizationalUnit
> >
> > dn: cn=vmail,ou=groups,dc=example,dc=com
> > objectClass: top
> > objectClass: posixGroup
> > gidNumber: 5000
> > structuralObjectClass: posixGroup
> > cn: vmail
> >
> > When I launch the migration command I get
> >
> > ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de
> > recherche : ou=groups,dc=example,dc=com, classe d'objet :
> > groupofuniquenames, groupofnames)
> >
> > any idea?
>
> I cannot really read French, but I suspect you could use the option
>
>   --group-objectclass=STR
>                         Objectclasses used to search for group entries in
> DS
>
> to specify the objectclass the migration should search (posixGroup in your
> case)
>
> >
> > Regards.
> >
> > 2016-01-26 13:42 GMT+01:00 wodel youchi <wodel.youchi at gmail.com>:
> >
> >> Hi again,
> >>
> >> This is what I get from httpd error_log
> >>
> >> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID
> >> number 1000 of migrated user jean.doe does not point to a known group.
> >> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427]
> >>
> LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'),
> >> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'],
> >> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
> >> u'top', u'ipasshuser', u'inetorgperson', u'person',
> u'krbticketpolicyaux',
> >> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
> >> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'],
> >> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
> >> u'krbprincipalname': [u'jean.doe at EXAMPLE.COM'], u'mailMessageStore':
> >> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName':
> >> ['Jean Doe'], u'userPassword':
> ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'],
> >> u'accountStatus': ['yes'], u'mailAlternateAddress': ['root at example.com',
> '
> >> postmaster at example.com'], u'sn': ['Jean'], u'homeDirectory':
> >> ['/var/vmail/jean.doe'], u'mail': ['jean.doe at example.com'],
> u'givenName':
> >> ['DOE']})
> >> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID
> >> number 1000 of migrated user jeane.doe does not point to a known group.
> >> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427]
> >>
> LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'),
> >> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'],
> >> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
> >> u'top', u'ipasshuser', u'inetorgperson', u'person',
> u'krbticketpolicyaux',
> >> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
> >> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'],
> >> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
> >> u'krbprincipalname': [u'jeane.doe at EXAMPLE.COM'], u'mailMessageStore':
> >> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'],
> u'displayName':
> >> ['Jeane Doe'], u'userPassword':
> ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'],
> >> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory':
> >> ['/var/vmail/jeane.doe'], u'mail': ['jeane.doe at example.com'],
> >> u'givenName': ['DOE']})
> >>
> >> Regards.
> >>
> >> 2016-01-26 11:22 GMT+01:00 wodel youchi <wodel.youchi at gmail.com>:
> >>
> >>> Thanks I will try and report back.
> >>>
> >>> I am using Centos 7.2x64 with latest updates
> >>>
> >>> and ipa-server-4.2.0-15.el7.centos.3.x86_64
> >>>
> >>> Regards
> >>>
> >>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <mkosek at redhat.com>:
> >>>
> >>>> On 01/26/2016 10:16 AM, wodel youchi wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I am a newbie in freeipa. I am trying to use it with our mail server.
> >>>>
> >>>> Cool! What is your version of the FreeIPA server? It will be important
> >>>> for
> >>>> further investigation.
> >>>>
> >>>>> Our mail server uses openldap with one external schema :
> qmail.schema,
> >>>> we
> >>>>> use it especially for mailQuota, mailAlternateAddress,
> >>>>> mailForwardingAddress and AccountStatus.
> >>>>>
> >>>>> I tried to import this schema to freeipa using ipa-ldap-updater.
> >>>>> I am not sure if I succeeded, but when I tried : ipa config-mod
> >>>>> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
> >>>>> objectClass.
> >>>>>
> >>>>>
> >>>>> [root at ipamaster work]# ipa config-show --all
> >>>>>   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
> >>>>>   Longueur maximale du nom d'utilisateur: 32
> >>>>>   Base du répertoire utilisateur: /home
> >>>>>   Interprèteur par défaut: /bin/sh
> >>>>>   Groupe utilisateur par défaut: ipausers
> >>>>>   Domaine par défaut pour les courriels: example.com
> >>>>>   Limite de temps d'une recherche: 2
> >>>>>   Limite de taille d'une recherche: 100
> >>>>>   Champs de recherche utilisateur:
> >>>> uid,givenname,sn,telephonenumber,ou,title
> >>>>>   Group search fields: cn,description
> >>>>>   Activer le mode migration: TRUE
> >>>>>   Base de sujet de certificat: O=EXAMPLE.COM
> >>>>>   Classes d'objets de groupe par défaut: top, ipaobject,
> groupofnames,
> >>>>> ipausergroup, nestedgroup
> >>>>>   Classes d'objets utilisateur par défaut: ipaobject, person, top,
> >>>>> ipasshuser, inetorgperson, organizationalperson,
> >>>>>                                            krbticketpolicyaux,
> >>>>> krbprincipalaux, *qmailUser*, inetuser, posixaccount
> >>>>>   Notification d'expiration de mot de passe (jours): 4
> >>>>>   Fonctionnalités du greffon mots de passe: AllowNThash
> >>>>>   Ordre de la mappe des utilisateurs SELinux:
> >>>>>
> >>>>
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> >>>>>   Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
> >>>>>   Types de PAC par défaut: nfs:NONE, MS-PAC
> >>>>>   aci: (targetattr = "cn || createtimestamp || entryusn ||
> >>>>> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
> >>>>>        ipadefaultemaildomain || ipadefaultloginshell ||
> >>>>> ipadefaultprimarygroup || ipagroupobjectclasses ||
> >>>>>        ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
> >>>>> ipamaxusernamelength || ipamigrationenabled ||
> >>>>>        ipapwdexpadvnotify || ipasearchrecordslimit ||
> >>>> ipasearchtimelimit ||
> >>>>> ipaselinuxusermapdefault ||
> >>>>>        ipaselinuxusermaporder || ipauserauthtype ||
> >>>> ipauserobjectclasses ||
> >>>>> ipausersearchfields || modifytimestamp ||
> >>>>>        objectclass")(targetfilter =
> >>>> "(objectclass=ipaguiconfig)")(version
> >>>>> 3.0;acl "permission:System: Read Global
> >>>>>        Configuration";allow (compare,read,search) userdn =
> >>>> "ldap:///all";)
> >>>>>   cn: ipaConfig
> >>>>>   objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
> >>>>> ipaUserAuthTypeClass
> >>>>>
> >>>>> Then I tried to migrate openldap's accounts, but without luck so far
> >>>>> #ipa -v migrate-ds --with-compat --bind-dn
> "cn=admin,dc=example,dc=com"
> >>>>> --continue ldap://192.168.1.121:389
> >>>>> -----------
> >>>>> migrate-ds:
> >>>>> -----------
> >>>>> Migrated:
> >>>>> Failed user:
> >>>>>   jean.doe: Type or value exists:
> >>>>>   jeane.doe: Type or value exists:
> >>>>>  Failed group:
> >>>>> ----------
> >>>>> No users/groups were migrated from ldap://192.168.1.121:389
> >>>>>
> >>>>>
> >>>>> Here is an entry from openldap
> >>>>> dn: uid=jeane.doe,ou=people,dc=example,dc=com
> >>>>> loginShell: /bin/bash
> >>>>> gidNumber: 1000
> >>>>> objectClass: top
> >>>>> objectClass: qmailUser
> >>>>> objectClass: inetOrgPerson
> >>>>> objectClass: posixAccount
> >>>>> objectClass: person
> >>>>> objectClass: shadowAccount
> >>>>> objectClass: organizationalPerson
> >>>>> mail: jeane.doe at example.com
> >>>>> givenName: DOE
> >>>>> uid: jeane.doe
> >>>>> uidNumber: 1002
> >>>>> displayName: Jeane Doe
> >>>>> homeDirectory: /var/vmail/jeane.doe
> >>>>> accountStatus: yes
> >>>>> mailMessageStore: /var/vmail/jeane.doe
> >>>>> structuralObjectClass: inetOrgPerson
> >>>>> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
> >>>>> creatorsName: cn=admin,dc=example,dc=com
> >>>>> createTimestamp: 20151103120748Z
> >>>>> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
> >>>>> mailQuotaSize: 1024000
> >>>>> sn: Jeane
> >>>>> cn: DOE
> >>>>> entryCSN: 20160125162455.613052Z#000000#000#000000
> >>>>> modifiersName: cn=admin,dc=example,dc=com
> >>>>> modifyTimestamp: 20160125162455Z
> >>>>>
> >>>>> What does "Type or value exists" means?
> >>>>
> >>>> That normally means that you have the same value for LDAP attribute
> >>>> twice or
> >>>> that you are trying to add multiple values for a single valued
> >>>> attribute. I
> >>>> wonder if we could get better logging, like how exactly the entry
> looks
> >>>> like
> >>>> before it is added to LDAP.
> >>>>
> >>>> But right now, I cannot think about a better way than to updating
> >>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
> >>>> on the FreeIPA server the following way (new print statement)
> >>>>
> >>>>                 try:
> >>>>                     print entry_attrs
> >>>>                     ldap.add_entry(entry_attrs)
> >>>>                 except errors.ExecutionError, e:
> >>>>
> >>>> , restarting the httpd service and sending us the
> >>>> /var/log/httpd/error_log
> >>>> after the next migration attempt. Maybe Jan (CCed) knows a better way.
> >>>>
> >>>>> PS: the qmail.schema presents two other objectClasses, but I didn't
> >>>> add use
> >>>>> them (qldapAdmin, qmailGroup)
> >>>>>
> >>>>> Regards
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160126/9d9ef5f1/attachment.htm>

More information about the Freeipa-users mailing list