Hi again, Thanks for all your help, I have another question.
In my openldap I use qmail for only these attributes : *mailQuotaSize*, *mailAlternateAddress*, *mailForwardingAddress* and *accountStatus* Searching in ipa's schema I found this schema *50ns-mail.ldif*, this schema provides these compatible attributes : *mailQuota*, *mailAlternateAddress* and *mailForwardingAddress *but no accounStatus For accountStatus it is not a problem, there is an equivalent in Freeipa to tell if an account is disabled or not. My question: is there a way to tell the migration process to map *mailQuotaSize *from openldap to *mailQuota* on freeipa and so on. If I can do that, I don't have to import qmail schema into freeipa. Regards 2016-01-26 17:19 GMT+01:00 Martin Kosek <mko...@redhat.com>: > On 01/26/2016 05:13 PM, wodel youchi wrote: > > Hi, > > > > For the first problem I redid the import using this syntax > > ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat > > --user-ignore-objectclass qmailuser --continue ldap://192.168.1.121:389 > > > > and it worked, all accounts were imported successfully. > > Good! > > > The thing I don't know where the query is getting qmailuser, since the > > objectclass imported is qmailUser!!! > > > > About the second problem, the error say (sorry for the french btw) : > > Error : the search for LDAP group do not return any result (search > > base ou=groups,dc=example,dc=com, > > objectClass : groupofuniquenames, groupofnames)) > > > > And I tested with this command > > ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat > > --group-objectclass=posixGroup --user-ignore-objectclass qmailuser > ldap:// > > 192.168.1.121:389 > > > > and it worked, as you said I had to add --group-objectclass=posixGroup > > Good! > > > Now, I need to added some of attributes to the Webui when creating a new > > user, for example mailQuotaSize, is there a way to do that? > > There is a way, although you still need to code a little in JavaScript. We > have > a HowTo here: > > https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf > > There is some example in "Extending the Web UI" section. If it does not > work, > Petr Vobornik should be able to advise. > > > > > Thanks for your help. > > Regards. > > > > > > 2016-01-26 16:15 GMT+01:00 Martin Kosek <mko...@redhat.com>: > > > >> On 01/26/2016 02:20 PM, wodel youchi wrote: > >>> Hi, > >>> > >>> In the above log (httpd log) the LDAPEntry contains qmailuser and > >> qmailUser > >>> objectClasses, I don't know if this is what is causing the problem. > >> > >> That's probably it. Can you please try to lowercaser 'qmailUser' in the > >> FreeIPA > >> config and try the migration again? > >> > >>> Another thing, I can't import groups as well, I did add a simple group > to > >>> my ldap > >>> dn: ou=groups,dc=example,dc=com > >>> objectClass: organizationalUnit > >>> objectClass: top > >>> ou: groups > >>> structuralObjectClass: organizationalUnit > >>> > >>> dn: cn=vmail,ou=groups,dc=example,dc=com > >>> objectClass: top > >>> objectClass: posixGroup > >>> gidNumber: 5000 > >>> structuralObjectClass: posixGroup > >>> cn: vmail > >>> > >>> When I launch the migration command I get > >>> > >>> ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de > >>> recherche : ou=groups,dc=example,dc=com, classe d'objet : > >>> groupofuniquenames, groupofnames) > >>> > >>> any idea? > >> > >> I cannot really read French, but I suspect you could use the option > >> > >> --group-objectclass=STR > >> Objectclasses used to search for group entries > in > >> DS > >> > >> to specify the objectclass the migration should search (posixGroup in > your > >> case) > >> > >>> > >>> Regards. > >>> > >>> 2016-01-26 13:42 GMT+01:00 wodel youchi <wodel.you...@gmail.com>: > >>> > >>>> Hi again, > >>>> > >>>> This is what I get from httpd error_log > >>>> > >>>> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: > GID > >>>> number 1000 of migrated user jean.doe does not point to a known group. > >>>> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427] > >>>> > >> > LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'), > >>>> {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'], > >>>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser', > >>>> u'top', u'ipasshuser', u'inetorgperson', u'person', > >> u'krbticketpolicyaux', > >>>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser', > >>>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': > ['1001'], > >>>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'], > >>>> u'krbprincipalname': [u'jean....@example.com'], u'mailMessageStore': > >>>> ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], > u'displayName': > >>>> ['Jean Doe'], u'userPassword': > >> ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'], > >>>> u'accountStatus': ['yes'], u'mailAlternateAddress': [' > r...@example.com', > >> ' > >>>> postmas...@example.com'], u'sn': ['Jean'], u'homeDirectory': > >>>> ['/var/vmail/jean.doe'], u'mail': ['jean....@example.com'], > >> u'givenName': > >>>> ['DOE']}) > >>>> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: > GID > >>>> number 1000 of migrated user jeane.doe does not point to a known > group. > >>>> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427] > >>>> > >> > LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'), > >>>> {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': > [u'jeane.doe'], > >>>> u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser', > >>>> u'top', u'ipasshuser', u'inetorgperson', u'person', > >> u'krbticketpolicyaux', > >>>> u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser', > >>>> u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': > ['1002'], > >>>> u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'], > >>>> u'krbprincipalname': [u'jeane....@example.com'], u'mailMessageStore': > >>>> ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'], > >> u'displayName': > >>>> ['Jeane Doe'], u'userPassword': > >> ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'], > >>>> u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory': > >>>> ['/var/vmail/jeane.doe'], u'mail': ['jeane....@example.com'], > >>>> u'givenName': ['DOE']}) > >>>> > >>>> Regards. > >>>> > >>>> 2016-01-26 11:22 GMT+01:00 wodel youchi <wodel.you...@gmail.com>: > >>>> > >>>>> Thanks I will try and report back. > >>>>> > >>>>> I am using Centos 7.2x64 with latest updates > >>>>> > >>>>> and ipa-server-4.2.0-15.el7.centos.3.x86_64 > >>>>> > >>>>> Regards > >>>>> > >>>>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <mko...@redhat.com>: > >>>>> > >>>>>> On 01/26/2016 10:16 AM, wodel youchi wrote: > >>>>>>> Hi, > >>>>>>> > >>>>>>> I am a newbie in freeipa. I am trying to use it with our mail > server. > >>>>>> > >>>>>> Cool! What is your version of the FreeIPA server? It will be > important > >>>>>> for > >>>>>> further investigation. > >>>>>> > >>>>>>> Our mail server uses openldap with one external schema : > >> qmail.schema, > >>>>>> we > >>>>>>> use it especially for mailQuota, mailAlternateAddress, > >>>>>>> mailForwardingAddress and AccountStatus. > >>>>>>> > >>>>>>> I tried to import this schema to freeipa using ipa-ldap-updater. > >>>>>>> I am not sure if I succeeded, but when I tried : ipa config-mod > >>>>>>> --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see > the > >>>>>>> objectClass. > >>>>>>> > >>>>>>> > >>>>>>> [root@ipamaster work]# ipa config-show --all > >>>>>>> dn: cn=ipaConfig,cn=etc,dc=example,dc=com > >>>>>>> Longueur maximale du nom d'utilisateur: 32 > >>>>>>> Base du répertoire utilisateur: /home > >>>>>>> Interprèteur par défaut: /bin/sh > >>>>>>> Groupe utilisateur par défaut: ipausers > >>>>>>> Domaine par défaut pour les courriels: example.com > >>>>>>> Limite de temps d'une recherche: 2 > >>>>>>> Limite de taille d'une recherche: 100 > >>>>>>> Champs de recherche utilisateur: > >>>>>> uid,givenname,sn,telephonenumber,ou,title > >>>>>>> Group search fields: cn,description > >>>>>>> Activer le mode migration: TRUE > >>>>>>> Base de sujet de certificat: O=EXAMPLE.COM > >>>>>>> Classes d'objets de groupe par défaut: top, ipaobject, > >> groupofnames, > >>>>>>> ipausergroup, nestedgroup > >>>>>>> Classes d'objets utilisateur par défaut: ipaobject, person, top, > >>>>>>> ipasshuser, inetorgperson, organizationalperson, > >>>>>>> krbticketpolicyaux, > >>>>>>> krbprincipalaux, *qmailUser*, inetuser, posixaccount > >>>>>>> Notification d'expiration de mot de passe (jours): 4 > >>>>>>> Fonctionnalités du greffon mots de passe: AllowNThash > >>>>>>> Ordre de la mappe des utilisateurs SELinux: > >>>>>>> > >>>>>> > >> > guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 > >>>>>>> Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023 > >>>>>>> Types de PAC par défaut: nfs:NONE, MS-PAC > >>>>>>> aci: (targetattr = "cn || createtimestamp || entryusn || > >>>>>>> ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || > >>>>>>> ipadefaultemaildomain || ipadefaultloginshell || > >>>>>>> ipadefaultprimarygroup || ipagroupobjectclasses || > >>>>>>> ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata > || > >>>>>>> ipamaxusernamelength || ipamigrationenabled || > >>>>>>> ipapwdexpadvnotify || ipasearchrecordslimit || > >>>>>> ipasearchtimelimit || > >>>>>>> ipaselinuxusermapdefault || > >>>>>>> ipaselinuxusermaporder || ipauserauthtype || > >>>>>> ipauserobjectclasses || > >>>>>>> ipausersearchfields || modifytimestamp || > >>>>>>> objectclass")(targetfilter = > >>>>>> "(objectclass=ipaguiconfig)")(version > >>>>>>> 3.0;acl "permission:System: Read Global > >>>>>>> Configuration";allow (compare,read,search) userdn = > >>>>>> "ldap:///all";;) > >>>>>>> cn: ipaConfig > >>>>>>> objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, > >>>>>>> ipaUserAuthTypeClass > >>>>>>> > >>>>>>> Then I tried to migrate openldap's accounts, but without luck so > far > >>>>>>> #ipa -v migrate-ds --with-compat --bind-dn > >> "cn=admin,dc=example,dc=com" > >>>>>>> --continue ldap://192.168.1.121:389 > >>>>>>> ----------- > >>>>>>> migrate-ds: > >>>>>>> ----------- > >>>>>>> Migrated: > >>>>>>> Failed user: > >>>>>>> jean.doe: Type or value exists: > >>>>>>> jeane.doe: Type or value exists: > >>>>>>> Failed group: > >>>>>>> ---------- > >>>>>>> No users/groups were migrated from ldap://192.168.1.121:389 > >>>>>>> > >>>>>>> > >>>>>>> Here is an entry from openldap > >>>>>>> dn: uid=jeane.doe,ou=people,dc=example,dc=com > >>>>>>> loginShell: /bin/bash > >>>>>>> gidNumber: 1000 > >>>>>>> objectClass: top > >>>>>>> objectClass: qmailUser > >>>>>>> objectClass: inetOrgPerson > >>>>>>> objectClass: posixAccount > >>>>>>> objectClass: person > >>>>>>> objectClass: shadowAccount > >>>>>>> objectClass: organizationalPerson > >>>>>>> mail: jeane....@example.com > >>>>>>> givenName: DOE > >>>>>>> uid: jeane.doe > >>>>>>> uidNumber: 1002 > >>>>>>> displayName: Jeane Doe > >>>>>>> homeDirectory: /var/vmail/jeane.doe > >>>>>>> accountStatus: yes > >>>>>>> mailMessageStore: /var/vmail/jeane.doe > >>>>>>> structuralObjectClass: inetOrgPerson > >>>>>>> entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71 > >>>>>>> creatorsName: cn=admin,dc=example,dc=com > >>>>>>> createTimestamp: 20151103120748Z > >>>>>>> userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ= > >>>>>>> mailQuotaSize: 1024000 > >>>>>>> sn: Jeane > >>>>>>> cn: DOE > >>>>>>> entryCSN: 20160125162455.613052Z#000000#000#000000 > >>>>>>> modifiersName: cn=admin,dc=example,dc=com > >>>>>>> modifyTimestamp: 20160125162455Z > >>>>>>> > >>>>>>> What does "Type or value exists" means? > >>>>>> > >>>>>> That normally means that you have the same value for LDAP attribute > >>>>>> twice or > >>>>>> that you are trying to add multiple values for a single valued > >>>>>> attribute. I > >>>>>> wonder if we could get better logging, like how exactly the entry > >> looks > >>>>>> like > >>>>>> before it is added to LDAP. > >>>>>> > >>>>>> But right now, I cannot think about a better way than to updating > >>>>>> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py > >>>>>> on the FreeIPA server the following way (new print statement) > >>>>>> > >>>>>> try: > >>>>>> print entry_attrs > >>>>>> ldap.add_entry(entry_attrs) > >>>>>> except errors.ExecutionError, e: > >>>>>> > >>>>>> , restarting the httpd service and sending us the > >>>>>> /var/log/httpd/error_log > >>>>>> after the next migration attempt. Maybe Jan (CCed) knows a better > way. > >>>>>> > >>>>>>> PS: the qmail.schema presents two other objectClasses, but I didn't > >>>>>> add use > >>>>>>> them (qldapAdmin, qmailGroup) > >>>>>>> > >>>>>>> Regards > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> > >>>>> > >>>> > >>> > >> > >> > > > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
