<div dir="ltr"><div>Hi again, </div><div>Thanks for all your help, I have another question. </div><div>In my openldap I use qmail for only these attributes : mailQuotaSize, mailAlternateAddress, mailForwardingAddress and accountStatus Searching in ipa's schema I found this schema 50ns-mail.ldif, this schema provides these compatible attributes : mailQuota, mailAlternateAddress and mailForwardingAddress but no accounStatus </div><div>For accountStatus it is not a problem, there is an equivalent in Freeipa to tell if an account is disabled or not. </div><div>My question: is there a way to tell the migration process to map mailQuotaSize from openldap to mailQuota on freeipa and so on. </div><div>If I can do that, I don't have to import qmail schema into freeipa. </div><div></div><div> </div>Regards </div><div class="gmail_extra"> <div class="gmail_quote">2016-01-26 17:19 GMT+01:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 01/26/2016 05:13 PM, wodel youchi wrote: > Hi, > > For the first problem I redid the import using this syntax > ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat > --user-ignore-objectclass qmailuser --continue ldap://<a href="http://192.168.1.121:389" rel="noreferrer" target="_blank">192.168.1.121:389</a> > > and it worked, all accounts were imported successfully. Good! > The thing I don't know where the query is getting qmailuser, since the > objectclass imported is qmailUser!!! > > About the second problem, the error say (sorry for the french btw) : > Error : the search for LDAP group do not return any result (search > base ou=groups,dc=example,dc=com, > objectClass : groupofuniquenames, groupofnames)) > > And I tested with this command > ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat > --group-objectclass=posixGroup --user-ignore-objectclass qmailuser ldap:// > <a href="http://192.168.1.121:389" rel="noreferrer" target="_blank">192.168.1.121:389</a> > > and it worked, as you said I had to add --group-objectclass=posixGroup Good! > Now, I need to added some of attributes to the Webui when creating a new > user, for example mailQuotaSize, is there a way to do that? There is a way, although you still need to code a little in JavaScript. We have a HowTo here: <a href="https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf" rel="noreferrer" target="_blank">https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf</a> There is some example in "Extending the Web UI" section. If it does not work, Petr Vobornik should be able to advise. <div class="HOEnZb"><div class="h5"> > > Thanks for your help. > Regards. > > > 2016-01-26 16:15 GMT+01:00 Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>: > >> On 01/26/2016 02:20 PM, wodel youchi wrote: >>> Hi, >>> >>> In the above log (httpd log) the LDAPEntry contains qmailuser and >> qmailUser >>> objectClasses, I don't know if this is what is causing the problem. >> >> That's probably it. Can you please try to lowercaser 'qmailUser' in the >> FreeIPA >> config and try the migration again? >> >>> Another thing, I can't import groups as well, I did add a simple group to >>> my ldap >>> dn: ou=groups,dc=example,dc=com >>> objectClass: organizationalUnit >>> objectClass: top >>> ou: groups >>> structuralObjectClass: organizationalUnit >>> >>> dn: cn=vmail,ou=groups,dc=example,dc=com >>> objectClass: top >>> objectClass: posixGroup >>> gidNumber: 5000 >>> structuralObjectClass: posixGroup >>> cn: vmail >>> >>> When I launch the migration command I get >>> >>> ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de >>> recherche : ou=groups,dc=example,dc=com, classe d'objet : >>> groupofuniquenames, groupofnames) >>> >>> any idea? >> >> I cannot really read French, but I suspect you could use the option >> >> --group-objectclass=STR >> Objectclasses used to search for group entries in >> DS >> >> to specify the objectclass the migration should search (posixGroup in your >> case) >> >>> >>> Regards. >>> >>> 2016-01-26 13:42 GMT+01:00 wodel youchi <<a href="mailto:wodel.youchi@gmail.com">wodel.youchi@gmail.com</a>>: >>> >>>> Hi again, >>>> >>>> This is what I get from httpd error_log >>>> >>>> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID >>>> number 1000 of migrated user jean.doe does not point to a known group. >>>> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427] >>>> >> LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'), >>>> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'], >>>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser', >>>> u'top', u'ipasshuser', u'inetorgperson', u'person', >> u'krbticketpolicyaux', >>>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser', >>>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'], >>>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'], >>>> u'krbprincipalname': [<a href="mailto:u%27jean.doe@EXAMPLE.COM">u'jean.doe@EXAMPLE.COM</a>'], u'mailMessageStore': >>>> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName': >>>> ['Jean Doe'], u'userPassword': >> ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'], >>>> u'accountStatus': ['yes'], u'mailAlternateAddress': ['<a href="mailto:root@example.com">root@example.com</a>', >> ' >>>> <a href="mailto:postmaster@example.com">postmaster@example.com</a>'], u'sn': ['Jean'], u'homeDirectory': >>>> ['/var/vmail/jean.doe'], u'mail': ['<a href="mailto:jean.doe@example.com">jean.doe@example.com</a>'], >> u'givenName': >>>> ['DOE']}) >>>> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID >>>> number 1000 of migrated user jeane.doe does not point to a known group. >>>> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427] >>>> >> LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'), >>>> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'], >>>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser', >>>> u'top', u'ipasshuser', u'inetorgperson', u'person', >> u'krbticketpolicyaux', >>>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser', >>>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'], >>>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'], >>>> u'krbprincipalname': [<a href="mailto:u%27jeane.doe@EXAMPLE.COM">u'jeane.doe@EXAMPLE.COM</a>'], u'mailMessageStore': >>>> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'], >> u'displayName': >>>> ['Jeane Doe'], u'userPassword': >> ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'], >>>> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory': >>>> ['/var/vmail/jeane.doe'], u'mail': ['<a href="mailto:jeane.doe@example.com">jeane.doe@example.com</a>'], >>>> u'givenName': ['DOE']}) >>>> >>>> Regards. >>>> >>>> 2016-01-26 11:22 GMT+01:00 wodel youchi <<a href="mailto:wodel.youchi@gmail.com">wodel.youchi@gmail.com</a>>: >>>> >>>>> Thanks I will try and report back. >>>>> >>>>> I am using Centos 7.2x64 with latest updates >>>>> >>>>> and ipa-server-4.2.0-15.el7.centos.3.x86_64 >>>>> >>>>> Regards >>>>> >>>>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>: >>>>> >>>>>> On 01/26/2016 10:16 AM, wodel youchi wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I am a newbie in freeipa. I am trying to use it with our mail server. >>>>>> >>>>>> Cool! What is your version of the FreeIPA server? It will be important >>>>>> for >>>>>> further investigation. >>>>>> >>>>>>> Our mail server uses openldap with one external schema : >> qmail.schema, >>>>>> we >>>>>>> use it especially for mailQuota, mailAlternateAddress, >>>>>>> mailForwardingAddress and AccountStatus. >>>>>>> >>>>>>> I tried to import this schema to freeipa using ipa-ldap-updater. >>>>>>> I am not sure if I succeeded, but when I tried : ipa config-mod >>>>>>> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the >>>>>>> objectClass. >>>>>>> >>>>>>> >>>>>>> [root@ipamaster work]# ipa config-show --all >>>>>>> dn: cn=ipaConfig,cn=etc,dc=example,dc=com >>>>>>> Longueur maximale du nom d'utilisateur: 32 >>>>>>> Base du répertoire utilisateur: /home >>>>>>> Interprèteur par défaut: /bin/sh >>>>>>> Groupe utilisateur par défaut: ipausers >>>>>>> Domaine par défaut pour les courriels: <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> >>>>>>> Limite de temps d'une recherche: 2 >>>>>>> Limite de taille d'une recherche: 100 >>>>>>> Champs de recherche utilisateur: >>>>>> uid,givenname,sn,telephonenumber,ou,title >>>>>>> Group search fields: cn,description >>>>>>> Activer le mode migration: TRUE >>>>>>> Base de sujet de certificat: O=<a href="http://EXAMPLE.COM" rel="noreferrer" target="_blank">EXAMPLE.COM</a> >>>>>>> Classes d'objets de groupe par défaut: top, ipaobject, >> groupofnames, >>>>>>> ipausergroup, nestedgroup >>>>>>> Classes d'objets utilisateur par défaut: ipaobject, person, top, >>>>>>> ipasshuser, inetorgperson, organizationalperson, >>>>>>> krbticketpolicyaux, >>>>>>> krbprincipalaux, *qmailUser*, inetuser, posixaccount >>>>>>> Notification d'expiration de mot de passe (jours): 4 >>>>>>> Fonctionnalités du greffon mots de passe: AllowNThash >>>>>>> Ordre de la mappe des utilisateurs SELinux: >>>>>>> >>>>>> >> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 >>>>>>> Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023 >>>>>>> Types de PAC par défaut: nfs:NONE, MS-PAC >>>>>>> aci: (targetattr = "cn || createtimestamp || entryusn || >>>>>>> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || >>>>>>> ipadefaultemaildomain || ipadefaultloginshell || >>>>>>> ipadefaultprimarygroup || ipagroupobjectclasses || >>>>>>> ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || >>>>>>> ipamaxusernamelength || ipamigrationenabled || >>>>>>> ipapwdexpadvnotify || ipasearchrecordslimit || >>>>>> ipasearchtimelimit || >>>>>>> ipaselinuxusermapdefault || >>>>>>> ipaselinuxusermaporder || ipauserauthtype || >>>>>> ipauserobjectclasses || >>>>>>> ipausersearchfields || modifytimestamp || >>>>>>> objectclass")(targetfilter = >>>>>> "(objectclass=ipaguiconfig)")(version >>>>>>> 3.0;acl "permission:System: Read Global >>>>>>> Configuration";allow (compare,read,search) userdn = >>>>>> "ldap:///all";) >>>>>>> cn: ipaConfig >>>>>>> objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, >>>>>>> ipaUserAuthTypeClass >>>>>>> >>>>>>> Then I tried to migrate openldap's accounts, but without luck so far >>>>>>> #ipa -v migrate-ds --with-compat --bind-dn >> "cn=admin,dc=example,dc=com" >>>>>>> --continue ldap://<a href="http://192.168.1.121:389" rel="noreferrer" target="_blank">192.168.1.121:389</a> >>>>>>> ----------- >>>>>>> migrate-ds: >>>>>>> ----------- >>>>>>> Migrated: >>>>>>> Failed user: >>>>>>> jean.doe: Type or value exists: >>>>>>> jeane.doe: Type or value exists: >>>>>>> Failed group: >>>>>>> ---------- >>>>>>> No users/groups were migrated from ldap://<a href="http://192.168.1.121:389" rel="noreferrer" target="_blank">192.168.1.121:389</a> >>>>>>> >>>>>>> >>>>>>> Here is an entry from openldap >>>>>>> dn: uid=jeane.doe,ou=people,dc=example,dc=com >>>>>>> loginShell: /bin/bash >>>>>>> gidNumber: 1000 >>>>>>> objectClass: top >>>>>>> objectClass: qmailUser >>>>>>> objectClass: inetOrgPerson >>>>>>> objectClass: posixAccount >>>>>>> objectClass: person >>>>>>> objectClass: shadowAccount >>>>>>> objectClass: organizationalPerson >>>>>>> mail: <a href="mailto:jeane.doe@example.com">jeane.doe@example.com</a> >>>>>>> givenName: DOE >>>>>>> uid: jeane.doe >>>>>>> uidNumber: 1002 >>>>>>> displayName: Jeane Doe >>>>>>> homeDirectory: /var/vmail/jeane.doe >>>>>>> accountStatus: yes >>>>>>> mailMessageStore: /var/vmail/jeane.doe >>>>>>> structuralObjectClass: inetOrgPerson >>>>>>> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71 >>>>>>> creatorsName: cn=admin,dc=example,dc=com >>>>>>> createTimestamp: 20151103120748Z >>>>>>> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ= >>>>>>> mailQuotaSize: 1024000 >>>>>>> sn: Jeane >>>>>>> cn: DOE >>>>>>> entryCSN: 20160125162455.613052Z#000000#000#000000 >>>>>>> modifiersName: cn=admin,dc=example,dc=com >>>>>>> modifyTimestamp: 20160125162455Z >>>>>>> >>>>>>> What does "Type or value exists" means? >>>>>> >>>>>> That normally means that you have the same value for LDAP attribute >>>>>> twice or >>>>>> that you are trying to add multiple values for a single valued >>>>>> attribute. I >>>>>> wonder if we could get better logging, like how exactly the entry >> looks >>>>>> like >>>>>> before it is added to LDAP. >>>>>> >>>>>> But right now, I cannot think about a better way than to updating >>>>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py >>>>>> on the FreeIPA server the following way (new print statement) >>>>>> >>>>>> try: >>>>>> print entry_attrs >>>>>> ldap.add_entry(entry_attrs) >>>>>> except errors.ExecutionError, e: >>>>>> >>>>>> , restarting the httpd service and sending us the >>>>>> /var/log/httpd/error_log >>>>>> after the next migration attempt. Maybe Jan (CCed) knows a better way. >>>>>> >>>>>>> PS: the qmail.schema presents two other objectClasses, but I didn't >>>>>> add use >>>>>>> them (qldapAdmin, qmailGroup) >>>>>>> >>>>>>> Regards >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> >> > </div></div></blockquote></div> </div>