<div dir="ltr"><div>Hi,<br><br></div>
<div>For the first problem I redid the import using this syntax<br>ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat --user-ignore-objectclass qmailuser --continue ldap://192.168.1.121:389<br><br></div>
<div>and it worked, all accounts were imported successfully.<br></div>
<div><br></div>
<div>The thing I don't know is where the query is getting qmailuser, since the objectclass imported is qmailUser!!!<br><br></div>
<div>About the second problem, the error says (sorry for the French btw):<br></div>
<div>Error: the search for LDAP group does not return any result (search base ou=groups,dc=example,dc=com, objectClass: groupofuniquenames, groupofnames)<br><br></div>
<div>And I tested with this command<br>ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat --group-objectclass=posixGroup --user-ignore-objectclass qmailuser ldap://192.168.1.121:389<br><br></div>
<div>and it worked, as you said I had to add --group-objectclass=posixGroup<br><br></div>
<div>Now, I need to add some attributes to the WebUI when creating a new user, for example mailQuotaSize, is there a way to do that?<br></div>
<div><br></div>
<div>Thanks for your help.<br></div>
<div>Regards.<br></div>
</div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-26 16:15 GMT+01:00 Martin Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01/26/2016 02:20 PM, wodel youchi wrote:<br>
> Hi,<br>
><br>
> In the above log (httpd log) the LDAPEntry contains qmailuser and qmailUser<br>
> objectClasses, I don't know if this is what is causing the problem.<br>
<br>
</span>That's probably it. Can you please try to lowercase 'qmailUser' in the FreeIPA<br>
config and try the migration again?<br>
<span class=""><br>
> Another thing, I can't import groups as well, I did add a simple group to<br>
> my ldap<br>
> dn: ou=groups,dc=example,dc=com<br>
> objectClass: organizationalUnit<br>
> objectClass: top<br>
> ou: groups<br>
> structuralObjectClass: organizationalUnit<br>
><br>
> dn: cn=vmail,ou=groups,dc=example,dc=com<br>
> objectClass: top<br>
> objectClass: posixGroup<br>
> gidNumber: 5000<br>
> structuralObjectClass: posixGroup<br>
> cn: vmail<br>
><br>
> When I launch the migration command I get<br>
><br>
> ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de<br>
> recherche : ou=groups,dc=example,dc=com, classe d'objet :<br>
> groupofuniquenames, groupofnames)<br>
><br>
> any idea?<br>
<br>
</span>I cannot really read French, but I suspect you could use the option<br>
<br>
--group-objectclass=STR<br>
Objectclasses used to search for group entries in DS<br>
<br>
to specify the objectclass the migration should search (posixGroup in your case)<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> Regards.<br>
><br>
> 2016-01-26 13:42 GMT+01:00 wodel youchi <<a href="mailto:wodel.youchi@gmail.com">wodel.youchi@gmail.com</a>>:<br>
><br>
>> Hi again,<br>
>><br>
>> This is what I get from httpd error_log<br>
>><br>
>> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID<br>
>> number 1000 of migrated user jean.doe does not point to a known group.<br>
>> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427]<br>
>> LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'),<br>
>> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'],<br>
>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',<br>
>> u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux',<br>
>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',<br>
>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'],<br>
>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],<br>
>> u'krbprincipalname': [u'jean.doe@EXAMPLE.COM'], u'mailMessageStore':<br>
>> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName':<br>
>> ['Jean Doe'], u'userPassword': ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'],<br>
>> u'accountStatus': ['yes'], u'mailAlternateAddress': ['root@example.com', '<br>
>> postmaster@example.com'], u'sn': ['Jean'], u'homeDirectory':<br>
>> ['/var/vmail/jean.doe'], u'mail': ['jean.doe@example.com'], u'givenName':<br>
>> ['DOE']})<br>
>> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID<br>
>> number 1000 of migrated user jeane.doe does not point to a known group.<br>
>> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427]<br>
>> LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'),<br>
>> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'],<br>
>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',<br>
>> u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux',<br>
>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',<br>
>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'],<br>
>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],<br>
>> u'krbprincipalname': [u'jeane.doe@EXAMPLE.COM'], u'mailMessageStore':<br>
>> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'], u'displayName':<br>
>> ['Jeane Doe'], u'userPassword': ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'],<br>
>> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory':<br>
>> ['/var/vmail/jeane.doe'], u'mail': ['jeane.doe@example.com'],<br>
>> u'givenName': ['DOE']})<br>
>><br>
>> Regards.<br>
>><br>
>> 2016-01-26 11:22 GMT+01:00 wodel youchi <<a href="mailto:wodel.youchi@gmail.com">wodel.youchi@gmail.com</a>>:<br>
>><br>
>>> Thanks I will try and report back.<br>
>>><br>
>>> I am using Centos 7.2x64 with latest updates<br>
>>><br>
>>> and ipa-server-4.2.0-15.el7.centos.3.x86_64<br>
>>><br>
>>> Regards<br>
>>><br>
>>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>:<br>
>>><br>
>>>> On 01/26/2016 10:16 AM, wodel youchi wrote:<br>
>>>>> Hi,<br>
>>>>><br>
>>>>> I am a newbie in freeipa. I am trying to use it with our mail server.<br>
>>>><br>
>>>> Cool! What is your version of the FreeIPA server? It will be important<br>
>>>> for<br>
>>>> further investigation.<br>
>>>><br>
>>>>> Our mail server uses openldap with one external schema : qmail.schema,<br>
>>>> we<br>
>>>>> use it especially for mailQuota, mailAlternateAddress,<br>
>>>>> mailForwardingAddress and AccountStatus.<br>
>>>>><br>
>>>>> I tried to import this schema to freeipa using ipa-ldap-updater.<br>
>>>>> I am not sure if I succeeded, but when I tried : ipa config-mod<br>
>>>>> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the<br>
>>>>> objectClass.<br>
>>>>><br>
>>>>><br>
>>>>> [root@ipamaster work]# ipa config-show --all<br>
>>>>> dn: cn=ipaConfig,cn=etc,dc=example,dc=com<br>
>>>>> Longueur maximale du nom d'utilisateur: 32<br>
>>>>> Base du répertoire utilisateur: /home<br>
>>>>> Interprèteur par défaut: /bin/sh<br>
>>>>> Groupe utilisateur par défaut: ipausers<br>
>>>>> Domaine par défaut pour les courriels: example.com<br>
>>>>> Limite de temps d'une recherche: 2<br>
>>>>> Limite de taille d'une recherche: 100<br>
>>>>> Champs de recherche utilisateur:<br>
>>>> uid,givenname,sn,telephonenumber,ou,title<br>
>>>>> Group search fields: cn,description<br>
>>>>> Activer le mode migration: TRUE<br>
>>>>> Base de sujet de certificat: O=EXAMPLE.COM<br>
>>>>> Classes d'objets de groupe par défaut: top, ipaobject, groupofnames,<br>
>>>>> ipausergroup, nestedgroup<br>
>>>>> Classes d'objets utilisateur par défaut: ipaobject, person, top,<br>
>>>>> ipasshuser, inetorgperson, organizationalperson,<br>
>>>>> krbticketpolicyaux,<br>
>>>>> krbprincipalaux, *qmailUser*, inetuser, posixaccount<br>
>>>>> Notification d'expiration de mot de passe (jours): 4<br>
>>>>> Fonctionnalités du greffon mots de passe: AllowNThash<br>
>>>>> Ordre de la mappe des utilisateurs SELinux:<br>
>>>>><br>
>>>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023<br>
>>>>> Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023<br>
>>>>> Types de PAC par défaut: nfs:NONE, MS-PAC<br>
>>>>> aci: (targetattr = "cn || createtimestamp || entryusn ||<br>
>>>>> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||<br>
>>>>> ipadefaultemaildomain || ipadefaultloginshell ||<br>
>>>>> ipadefaultprimarygroup || ipagroupobjectclasses ||<br>
>>>>> ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||<br>
>>>>> ipamaxusernamelength || ipamigrationenabled ||<br>
>>>>> ipapwdexpadvnotify || ipasearchrecordslimit ||<br>
>>>> ipasearchtimelimit ||<br>
>>>>> ipaselinuxusermapdefault ||<br>
>>>>> ipaselinuxusermaporder || ipauserauthtype ||<br>
>>>> ipauserobjectclasses ||<br>
>>>>> ipausersearchfields || modifytimestamp ||<br>
>>>>> objectclass")(targetfilter =<br>
>>>> "(objectclass=ipaguiconfig)")(version<br>
>>>>> 3.0;acl "permission:System: Read Global<br>
>>>>> Configuration";allow (compare,read,search) userdn =<br>
>>>> "ldap:///all";)<br>
>>>>> cn: ipaConfig<br>
>>>>> objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,<br>
>>>>> ipaUserAuthTypeClass<br>
>>>>><br>
>>>>> Then I tried to migrate openldap's accounts, but without luck so far<br>
>>>>> #ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"<br>
>>>>> --continue ldap://192.168.1.121:389<br>
>>>>> -----------<br>
>>>>> migrate-ds:<br>
>>>>> -----------<br>
>>>>> Migrated:<br>
>>>>> Failed user:<br>
>>>>> jean.doe: Type or value exists:<br>
>>>>> jeane.doe: Type or value exists:<br>
>>>>> Failed group:<br>
>>>>> ----------<br>
>>>>> No users/groups were migrated from ldap://192.168.1.121:389<br>
>>>>><br>
>>>>><br>
>>>>> Here is an entry from openldap<br>
>>>>> dn: uid=jeane.doe,ou=people,dc=example,dc=com<br>
>>>>> loginShell: /bin/bash<br>
>>>>> gidNumber: 1000<br>
>>>>> objectClass: top<br>
>>>>> objectClass: qmailUser<br>
>>>>> objectClass: inetOrgPerson<br>
>>>>> objectClass: posixAccount<br>
>>>>> objectClass: person<br>
>>>>> objectClass: shadowAccount<br>
>>>>> objectClass: organizationalPerson<br>
>>>>> mail: jeane.doe@example.com<br>
>>>>> givenName: DOE<br>
>>>>> uid: jeane.doe<br>
>>>>> uidNumber: 1002<br>
>>>>> displayName: Jeane Doe<br>
>>>>> homeDirectory: /var/vmail/jeane.doe<br>
>>>>> accountStatus: yes<br>
>>>>> mailMessageStore: /var/vmail/jeane.doe<br>
>>>>> structuralObjectClass: inetOrgPerson<br>
>>>>> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71<br>
>>>>> creatorsName: cn=admin,dc=example,dc=com<br>
>>>>> createTimestamp: 20151103120748Z<br>
>>>>> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=<br>
>>>>> mailQuotaSize: 1024000<br>
>>>>> sn: Jeane<br>
>>>>> cn: DOE<br>
>>>>> entryCSN: 20160125162455.613052Z#000000#000#000000<br>
>>>>> modifiersName: cn=admin,dc=example,dc=com<br>
>>>>> modifyTimestamp: 20160125162455Z<br>
>>>>><br>
>>>>> What does "Type or value exists" mean?<br>
>>>><br>
>>>> That normally means that you have the same value for LDAP attribute<br>
>>>> twice or<br>
>>>> that you are trying to add multiple values for a single valued<br>
>>>> attribute. I<br>
>>>> wonder if we could get better logging, like how exactly the entry looks<br>
>>>> like<br>
>>>> before it is added to LDAP.<br>
>>>><br>
>>>> But right now, I cannot think about a better way than updating<br>
>>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py<br>
>>>> on the FreeIPA server the following way (new print statement)<br>
>>>><br>
>>>> try:<br>
>>>> print entry_attrs<br>
>>>> ldap.add_entry(entry_attrs)<br>
>>>> except errors.ExecutionError, e:<br>
>>>><br>
>>>> , restarting the httpd service and sending us the<br>
>>>> /var/log/httpd/error_log<br>
>>>> after the next migration attempt. Maybe Jan (CCed) knows a better way.<br>
>>>><br>
>>>>> PS: the qmail.schema presents two other objectClasses, but I didn't<br>
>>>> add use<br>
>>>>> them (qldapAdmin, qmailGroup)<br>
>>>>><br>
>>>>> Regards<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>><br>
>>>><br>
>>><br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div>
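<div>The logged LDAPEntry in this thread carries both qmailuser and qmailUser in objectClass; since objectClass names are compared case-insensitively, that is the same value sent twice. The following is an added example, not part of the original thread and not FreeIPA's code: it finds values that differ only by case and, with a hypothetical merge_objectclasses helper, collapses them before an entry is added.</div>

```python
from collections import defaultdict

# objectClass values copied from the first LDAPEntry in the httpd error_log
# quoted in the thread (jean.doe).
LOGGED_OBJECTCLASSES = [
    "ipaobject", "organizationalperson", "qmailuser", "top", "ipasshuser",
    "inetorgperson", "person", "krbticketpolicyaux", "krbprincipalaux",
    "shadowaccount", "qmailUser", "inetuser", "posixaccount",
]


def case_collisions(values):
    """Group values that differ only by case.

    The directory compares objectClass names case-insensitively, so every
    group returned here is one value submitted twice.
    """
    groups = defaultdict(list)
    for value in values:
        groups[value.lower()].append(value)
    return {k: v for k, v in groups.items() if len(v) > 1}


def merge_objectclasses(defaults, source):
    """Hypothetical helper: union of two objectClass lists, case-insensitive.

    Keeps the first spelling seen, so a configured 'qmailUser' and a source
    'qmailuser' end up as a single value.
    """
    merged, seen = [], set()
    for value in list(defaults) + list(source):
        if value.lower() not in seen:
            seen.add(value.lower())
            merged.append(value)
    return merged


if __name__ == "__main__":
    print(case_collisions(LOGGED_OBJECTCLASSES))
    # Constructed inputs: a trimmed default list and a source entry's classes.
    print(merge_objectclasses(["top", "person", "qmailUser"],
                              ["top", "qmailuser", "posixAccount"]))
```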