On 01/26/2016 10:16 AM, wodel youchi wrote:
> Hi,
>
> I am a newbie in FreeIPA. I am trying to use it with our mail server.

Cool! What is your version of the FreeIPA server? It will be important for further investigation.

> Our mail server uses OpenLDAP with one external schema, qmail.schema; we
> use it especially for mailQuota, mailAlternateAddress,
> mailForwardingAddress and AccountStatus.
>
> I tried to import this schema into FreeIPA using ipa-ldap-updater.
> I am not sure if I succeeded, but when I tried: ipa config-mod
> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
> objectClass.
>
>
> [root@ipamaster work]# ipa config-show --all
> dn: cn=ipaConfig,cn=etc,dc=example,dc=com
> Maximum username length: 32
> Home directory base: /home
> Default shell: /bin/sh
> Default users group: ipausers
> Default e-mail domain: example.com
> Search time limit: 2
> Search size limit: 100
> User search fields: uid,givenname,sn,telephonenumber,ou,title
> Group search fields: cn,description
> Enable migration mode: TRUE
> Certificate Subject base: O=EXAMPLE.COM
> Default group objectclasses: top, ipaobject, groupofnames,
> ipausergroup, nestedgroup
> Default user objectclasses: ipaobject, person, top,
> ipasshuser, inetorgperson, organizationalperson,
> krbticketpolicyaux,
> krbprincipalaux, *qmailUser*, inetuser, posixaccount
> Password Expiration Notification (days): 4
> Password plugin features: AllowNThash
> SELinux user map order:
> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> Default SELinux user: unconfined_u:s0-s0:c0.c1023
> Default PAC types: nfs:NONE, MS-PAC
> aci: (targetattr = "cn || createtimestamp || entryusn ||
> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
> ipadefaultemaildomain || ipadefaultloginshell ||
> ipadefaultprimarygroup || ipagroupobjectclasses ||
> ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
> ipamaxusernamelength || ipamigrationenabled ||
> ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit ||
> ipaselinuxusermapdefault ||
> ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses ||
> ipausersearchfields || modifytimestamp ||
> objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version
> 3.0;acl "permission:System: Read Global
> Configuration";allow (compare,read,search) userdn = "ldap:///all";)
> cn: ipaConfig
> objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
> ipaUserAuthTypeClass
>
> Then I tried to migrate OpenLDAP's accounts, but without luck so far:
> # ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"
> --continue ldap://192.168.1.121:389
> -----------
> migrate-ds:
> -----------
> Migrated:
> Failed user:
> jean.doe: Type or value exists:
> jeane.doe: Type or value exists:
> Failed group:
> ----------
> No users/groups were migrated from ldap://192.168.1.121:389
>
>
> Here is an entry from OpenLDAP:
> dn: uid=jeane.doe,ou=people,dc=example,dc=com
> loginShell: /bin/bash
> gidNumber: 1000
> objectClass: top
> objectClass: qmailUser
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: person
> objectClass: shadowAccount
> objectClass: organizationalPerson
> mail: [email protected]
> givenName: DOE
> uid: jeane.doe
> uidNumber: 1002
> displayName: Jeane Doe
> homeDirectory: /var/vmail/jeane.doe
> accountStatus: yes
> mailMessageStore: /var/vmail/jeane.doe
> structuralObjectClass: inetOrgPerson
> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
> creatorsName: cn=admin,dc=example,dc=com
> createTimestamp: 20151103120748Z
> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
> mailQuotaSize: 1024000
> sn: Jeane
> cn: DOE
> entryCSN: 20160125162455.613052Z#000000#000#000000
> modifiersName: cn=admin,dc=example,dc=com
> modifyTimestamp: 20160125162455Z
>
> What does "Type or value exists" mean?

That normally means that you have the same value for an LDAP attribute twice, or that you are trying to add multiple values for a single-valued attribute.

I wonder if we could get better logging, like how exactly the entry looks before it is added to LDAP. But right now, I cannot think of a better way than updating /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py on the FreeIPA server the following way (new print statement):

    try:
        print entry_attrs
        ldap.add_entry(entry_attrs)
    except errors.ExecutionError, e:

then restarting the httpd service and sending us the /var/log/httpd/error_log after the next migration attempt. Maybe Jan (CCed) knows a better way.

> PS: the qmail.schema presents two other objectClasses, but I didn't use
> them (qldapAdmin, qmailGroup)
>
> Regards
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
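A way to check an exported entry for the two conditions the reply names, as an added example that is not part of this thread and not FreeIPA's migration plugin. It parses one LDIF entry shaped like the one quoted above, reports any attribute that carries the same value twice (compared case-insensitively, which is an assumption that holds for objectClass and DirectoryString syntaxes but not for every attribute) or more than one value for an attribute assumed to be single-valued, and then simulates what a migration does when it adds the server's default user objectClasses: merged case-insensitively, "inetOrgPerson" from OpenLDAP and "inetorgperson" from the FreeIPA config collapse to one value; merged naively, both are sent and the entry shows exactly the kind of duplicate that produces "Type or value exists". The SINGLE_VALUED set, the DEFAULT_OBJECTCLASSES list (copied from the quoted config-show output) and the sample LDIF are constructed for the example; whether this is the cause of the poster's failure is not established here, and the print in migration.py suggested above remains the way to see the real entry.

```python
"""Pre-flight check of an LDAP entry before an IPA-style migration.
Added example: not the thread's code and not FreeIPA's migration plugin.
It flags the two causes of "Type or value exists" named in the reply and
simulates a migration adding the server's default user objectClasses."""
import base64

# Assumption: illustrative single-valued attributes (SINGLE-VALUE in the
# RFC 2307 schema); check your own server's schema.
SINGLE_VALUED = {"uidnumber", "gidnumber", "homedirectory", "loginshell"}

# Assumption: the default user objectClasses from the quoted config-show.
DEFAULT_OBJECTCLASSES = [
    "ipaobject", "person", "top", "ipasshuser", "inetorgperson",
    "organizationalperson", "krbticketpolicyaux", "krbprincipalaux",
    "qmailUser", "inetuser", "posixaccount"]

# Constructed sample, modelled on the OpenLDAP entry quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=jeane.doe,ou=people,dc=example,dc=com
objectClass: top
objectClass: qmailUser
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
uid: jeane.doe
uidNumber: 1002
gidNumber: 1000
loginShell: /bin/bash
homeDirectory: /var/vmail/jeane.doe
userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
"""


def parse_ldif(text):
    """Parse one LDIF entry into (dn, {lowercased attr: [values]});
    handles 'attr: value', 'attr:: base64' and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        elif raw.strip():
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def merge_values(existing, new, case_insensitive=True):
    """Return existing + new without duplicates.  Assumption: objectClass
    values match case-insensitively, so 'inetOrgPerson' and 'inetorgperson'
    are one value; a naive merge (case_insensitive=False) keeps both."""
    out = list(existing)
    seen = {v.lower() if case_insensitive else v for v in out}
    for v in new:
        key = v.lower() if case_insensitive else v
        if key not in seen:
            out.append(v)
            seen.add(key)
    return out


def find_conflicts(attrs, single_valued=SINGLE_VALUED):
    """Return [(attr, problem)] for values the server would refuse."""
    problems = []
    for name, values in attrs.items():
        lowered = [v.lower() for v in values]
        dups = sorted({v for v in lowered if lowered.count(v) > 1})
        if dups:
            problems.append((name, "duplicate value(s): " + ", ".join(dups)))
        if name in single_valued and len(values) > 1:
            problems.append((name, "%d values for a single-valued attribute"
                             % len(values)))
    return problems


def simulate_migration(attrs, defaults=DEFAULT_OBJECTCLASSES,
                       case_insensitive=True):
    """Add the default objectClasses to a parsed entry and re-check it."""
    merged = dict(attrs)
    merged["objectclass"] = merge_values(attrs.get("objectclass", []),
                                         defaults, case_insensitive)
    return merged, find_conflicts(merged)


if __name__ == "__main__":
    dn, attrs = parse_ldif(SAMPLE_LDIF)
    print(dn, "as exported:", find_conflicts(attrs) or "ok")
    for mode in (True, False):
        _, problems = simulate_migration(attrs, case_insensitive=mode)
        print("merge case-insensitive=%s:" % mode, problems or "ok")
```

Run it against an ldapsearch -LLL export of the failing entries instead of SAMPLE_LDIF to see which attribute the server is likely to object to before spending another migration attempt; the single-valued list and the case-insensitive comparison are simplifications, so confirm any hit against the 389-ds schema on the IPA server.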
