On 01/26/2016 05:13 PM, wodel youchi wrote:
> Hi,
> 
> For the first problem I redid the import using this syntax
> ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat
> --user-ignore-objectclass qmailuser --continue ldap://192.168.1.121:389
> 
> and it worked, all accounts were imported successfully.

Good!

> The thing I don't know is where the query is getting qmailuser, since the
> objectclass imported is qmailUser!!!
> 
> About the second problem, the error says (sorry for the French btw) :
> Error : the search for LDAP group does not return any result (search
> base ou=groups,dc=example,dc=com,
> objectClass : groupofuniquenames, groupofnames))
> 
> And I tested with this command
> ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat
> --group-objectclass=posixGroup --user-ignore-objectclass qmailuser
> ldap://192.168.1.121:389
> 
> and it worked, as you said I had to add --group-objectclass=posixGroup

Good!

> Now, I need to add some attributes to the Webui when creating a new
> user, for example mailQuotaSize, is there a way to do that?

There is a way, although you still need to code a little in JavaScript. We have
a HowTo here:

https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

There is some example in "Extending the Web UI" section. If it does not work,
Petr Vobornik should be able to advise.

> 
> Thanks for your help.
> Regards.
> 
> 
> 2016-01-26 16:15 GMT+01:00 Martin Kosek <mko...@redhat.com>:
> 
>> On 01/26/2016 02:20 PM, wodel youchi wrote:
>>> Hi,
>>>
>>> In the above log (httpd log) the LDAPEntry contains qmailuser and
>> qmailUser
>>> objectClasses, I don't know if this is what is causing the problem.
>>
>> That's probably it. Can you please try to lowercase 'qmailUser' in the
>> FreeIPA
>> config and try the migration again?
>>
>>> Another thing, I can't import groups as well, I did add a simple group to
>>> my ldap
>>> dn: ou=groups,dc=example,dc=com
>>> objectClass: organizationalUnit
>>> objectClass: top
>>> ou: groups
>>> structuralObjectClass: organizationalUnit
>>>
>>> dn: cn=vmail,ou=groups,dc=example,dc=com
>>> objectClass: top
>>> objectClass: posixGroup
>>> gidNumber: 5000
>>> structuralObjectClass: posixGroup
>>> cn: vmail
>>>
>>> When I launch the migration command I get
>>>
>>> ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de
>>> recherche : ou=groups,dc=example,dc=com, classe d'objet :
>>> groupofuniquenames, groupofnames)
>>>
>>> any idea?
>>
>> I cannot really read French, but I suspect you could use the option
>>
>>   --group-objectclass=STR
>>                         Objectclasses used to search for group entries in
>> DS
>>
>> to specify the objectclass the migration should search (posixGroup in your
>> case)
>>
>>>
>>> Regards.
>>>
>>> 2016-01-26 13:42 GMT+01:00 wodel youchi <wodel.you...@gmail.com>:
>>>
>>>> Hi again,
>>>>
>>>> This is what I get from httpd error_log
>>>>
>>>> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID
>>>> number 1000 of migrated user jean.doe does not point to a known group.
>>>> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427]
>>>>
>> LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'),
>>>> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'],
>>>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
>>>> u'top', u'ipasshuser', u'inetorgperson', u'person',
>> u'krbticketpolicyaux',
>>>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
>>>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'],
>>>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
>>>> u'krbprincipalname': [u'jean....@example.com'], u'mailMessageStore':
>>>> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName':
>>>> ['Jean Doe'], u'userPassword':
>> ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'],
>>>> u'accountStatus': ['yes'], u'mailAlternateAddress': ['r...@example.com',
>> '
>>>> postmas...@example.com'], u'sn': ['Jean'], u'homeDirectory':
>>>> ['/var/vmail/jean.doe'], u'mail': ['jean....@example.com'],
>> u'givenName':
>>>> ['DOE']})
>>>> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID
>>>> number 1000 of migrated user jeane.doe does not point to a known group.
>>>> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427]
>>>>
>> LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'),
>>>> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'],
>>>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser',
>>>> u'top', u'ipasshuser', u'inetorgperson', u'person',
>> u'krbticketpolicyaux',
>>>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser',
>>>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'],
>>>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'],
>>>> u'krbprincipalname': [u'jeane....@example.com'], u'mailMessageStore':
>>>> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'],
>> u'displayName':
>>>> ['Jeane Doe'], u'userPassword':
>> ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'],
>>>> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory':
>>>> ['/var/vmail/jeane.doe'], u'mail': ['jeane....@example.com'],
>>>> u'givenName': ['DOE']})
>>>>
>>>> Regards.
>>>>
>>>> 2016-01-26 11:22 GMT+01:00 wodel youchi <wodel.you...@gmail.com>:
>>>>
>>>>> Thanks I will try and report back.
>>>>>
>>>>> I am using Centos 7.2x64 with latest updates
>>>>>
>>>>> and ipa-server-4.2.0-15.el7.centos.3.x86_64
>>>>>
>>>>> Regards
>>>>>
>>>>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <mko...@redhat.com>:
>>>>>
>>>>>> On 01/26/2016 10:16 AM, wodel youchi wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am a newbie in freeipa. I am trying to use it with our mail server.
>>>>>>
>>>>>> Cool! What is your version of the FreeIPA server? It will be important
>>>>>> for
>>>>>> further investigation.
>>>>>>
>>>>>>> Our mail server uses openldap with one external schema :
>> qmail.schema,
>>>>>> we
>>>>>>> use it especially for mailQuota, mailAlternateAddress,
>>>>>>> mailForwardingAddress and AccountStatus.
>>>>>>>
>>>>>>> I tried to import this schema to freeipa using ipa-ldap-updater.
>>>>>>> I am not sure if I succeeded, but when I tried : ipa config-mod
>>>>>>> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
>>>>>>> objectClass.
>>>>>>>
>>>>>>>
>>>>>>> [root@ipamaster work]# ipa config-show --all
>>>>>>>   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
>>>>>>>   Longueur maximale du nom d'utilisateur: 32
>>>>>>>   Base du répertoire utilisateur: /home
>>>>>>>   Interprèteur par défaut: /bin/sh
>>>>>>>   Groupe utilisateur par défaut: ipausers
>>>>>>>   Domaine par défaut pour les courriels: example.com
>>>>>>>   Limite de temps d'une recherche: 2
>>>>>>>   Limite de taille d'une recherche: 100
>>>>>>>   Champs de recherche utilisateur:
>>>>>> uid,givenname,sn,telephonenumber,ou,title
>>>>>>>   Group search fields: cn,description
>>>>>>>   Activer le mode migration: TRUE
>>>>>>>   Base de sujet de certificat: O=EXAMPLE.COM
>>>>>>>   Classes d'objets de groupe par défaut: top, ipaobject,
>> groupofnames,
>>>>>>> ipausergroup, nestedgroup
>>>>>>>   Classes d'objets utilisateur par défaut: ipaobject, person, top,
>>>>>>> ipasshuser, inetorgperson, organizationalperson,
>>>>>>>                                            krbticketpolicyaux,
>>>>>>> krbprincipalaux, *qmailUser*, inetuser, posixaccount
>>>>>>>   Notification d'expiration de mot de passe (jours): 4
>>>>>>>   Fonctionnalités du greffon mots de passe: AllowNThash
>>>>>>>   Ordre de la mappe des utilisateurs SELinux:
>>>>>>>
>>>>>>
>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>>>>>>   Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
>>>>>>>   Types de PAC par défaut: nfs:NONE, MS-PAC
>>>>>>>   aci: (targetattr = "cn || createtimestamp || entryusn ||
>>>>>>> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
>>>>>>>        ipadefaultemaildomain || ipadefaultloginshell ||
>>>>>>> ipadefaultprimarygroup || ipagroupobjectclasses ||
>>>>>>>        ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
>>>>>>> ipamaxusernamelength || ipamigrationenabled ||
>>>>>>>        ipapwdexpadvnotify || ipasearchrecordslimit ||
>>>>>> ipasearchtimelimit ||
>>>>>>> ipaselinuxusermapdefault ||
>>>>>>>        ipaselinuxusermaporder || ipauserauthtype ||
>>>>>> ipauserobjectclasses ||
>>>>>>> ipausersearchfields || modifytimestamp ||
>>>>>>>        objectclass")(targetfilter =
>>>>>> "(objectclass=ipaguiconfig)")(version
>>>>>>> 3.0;acl "permission:System: Read Global
>>>>>>>        Configuration";allow (compare,read,search) userdn =
>>>>>> "ldap:///all";;)
>>>>>>>   cn: ipaConfig
>>>>>>>   objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
>>>>>>> ipaUserAuthTypeClass
>>>>>>>
>>>>>>> Then I tried to migrate openldap's accounts, but without luck so far
>>>>>>> #ipa -v migrate-ds --with-compat --bind-dn
>> "cn=admin,dc=example,dc=com"
>>>>>>> --continue ldap://192.168.1.121:389
>>>>>>> -----------
>>>>>>> migrate-ds:
>>>>>>> -----------
>>>>>>> Migrated:
>>>>>>> Failed user:
>>>>>>>   jean.doe: Type or value exists:
>>>>>>>   jeane.doe: Type or value exists:
>>>>>>>  Failed group:
>>>>>>> ----------
>>>>>>> No users/groups were migrated from ldap://192.168.1.121:389
>>>>>>>
>>>>>>>
>>>>>>> Here is an entry from openldap
>>>>>>> dn: uid=jeane.doe,ou=people,dc=example,dc=com
>>>>>>> loginShell: /bin/bash
>>>>>>> gidNumber: 1000
>>>>>>> objectClass: top
>>>>>>> objectClass: qmailUser
>>>>>>> objectClass: inetOrgPerson
>>>>>>> objectClass: posixAccount
>>>>>>> objectClass: person
>>>>>>> objectClass: shadowAccount
>>>>>>> objectClass: organizationalPerson
>>>>>>> mail: jeane....@example.com
>>>>>>> givenName: DOE
>>>>>>> uid: jeane.doe
>>>>>>> uidNumber: 1002
>>>>>>> displayName: Jeane Doe
>>>>>>> homeDirectory: /var/vmail/jeane.doe
>>>>>>> accountStatus: yes
>>>>>>> mailMessageStore: /var/vmail/jeane.doe
>>>>>>> structuralObjectClass: inetOrgPerson
>>>>>>> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
>>>>>>> creatorsName: cn=admin,dc=example,dc=com
>>>>>>> createTimestamp: 20151103120748Z
>>>>>>> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
>>>>>>> mailQuotaSize: 1024000
>>>>>>> sn: Jeane
>>>>>>> cn: DOE
>>>>>>> entryCSN: 20160125162455.613052Z#000000#000#000000
>>>>>>> modifiersName: cn=admin,dc=example,dc=com
>>>>>>> modifyTimestamp: 20160125162455Z
>>>>>>>
>>>>>>> What does "Type or value exists" mean?
>>>>>>
>>>>>> That normally means that you have the same value for LDAP attribute
>>>>>> twice or
>>>>>> that you are trying to add multiple values for a single valued
>>>>>> attribute. I
>>>>>> wonder if we could get better logging, like how exactly the entry
>> looks
>>>>>> like
>>>>>> before it is added to LDAP.
>>>>>>
>>>>>> But right now, I cannot think about a better way than updating
>>>>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
>>>>>> on the FreeIPA server the following way (new print statement)
>>>>>>
>>>>>>                 try:
>>>>>>                     print entry_attrs
>>>>>>                     ldap.add_entry(entry_attrs)
>>>>>>                 except errors.ExecutionError, e:
>>>>>>
>>>>>> , restarting the httpd service and sending us the
>>>>>> /var/log/httpd/error_log
>>>>>> after the next migration attempt. Maybe Jan (CCed) knows a better way.
>>>>>>
>>>>>>> PS: the qmail.schema presents two other objectClasses, but I didn't
>>>>>> add use
>>>>>>> them (qldapAdmin, qmailGroup)
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
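
The httpd log quoted in this thread shows both `qmailuser` and `qmailUser` in the entry's objectClass list; LDAP compares objectClass values case-insensitively, and Martin identified this as the probable cause of "Type or value exists". The following is an added example, not FreeIPA code and not posted by anyone in the thread: a stand-alone Python check that flags such duplicates before an entry is added and masks `userPassword` before the entry is written to a log. All function names, the `SENSITIVE_ATTRS` list and the sample entry are constructed for illustration.

```python
# Added example: pre-flight check for an entry about to be added during migration.
# Names and sample data are constructed for illustration; this is not FreeIPA code.

SENSITIVE_ATTRS = {"userpassword"}  # masked before logging (assumed list)

# Constructed sample shaped like the entry in the thread's httpd log.
SAMPLE_ENTRY = {
    "uid": ["jean.doe"],
    "objectClass": ["ipaobject", "person", "qmailuser", "top",
                    "inetorgperson", "qmailUser", "posixaccount"],
    "mailQuotaSize": ["2048000"],
    "userPassword": ["{SSHA}PLACEHOLDER-NOT-A-REAL-HASH"],
}

def _get(entry, name):
    """Fetch an attribute by case-insensitive name, as LDAP attribute names are."""
    for attr, values in entry.items():
        if attr.lower() == name.lower():
            return values
    return []

def find_objectclass_duplicates(entry):
    """Return groups of objectClass values that differ only by case."""
    seen = {}
    for value in _get(entry, "objectClass"):
        seen.setdefault(value.lower(), []).append(value)
    return [group for group in seen.values() if len(group) > 1]

def dedupe_objectclasses(entry):
    """Return a copy of the entry keeping the first spelling of each objectClass."""
    fixed = {attr: list(values) for attr, values in entry.items()}
    for attr in fixed:
        if attr.lower() == "objectclass":
            kept = {}
            for value in fixed[attr]:
                kept.setdefault(value.lower(), value)
            fixed[attr] = list(kept.values())
    return fixed

def redact_for_log(entry):
    """Copy the entry with password attributes masked, safe to write to a log."""
    return {attr: (["<redacted>"] * len(values)
                   if attr.lower() in SENSITIVE_ATTRS else list(values))
            for attr, values in entry.items()}

if __name__ == "__main__":
    print("duplicates:", find_objectclass_duplicates(SAMPLE_ENTRY))
    print("entry for log:", redact_for_log(dedupe_objectclasses(SAMPLE_ENTRY)))
```

Dumping raw entries to `/var/log/httpd/error_log`, as in the debugging step quoted above, also writes the `userPassword` hashes there, which is why the dump here goes through `redact_for_log` first.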
