Thanks, I will try and report back. I am using CentOS 7.2 x64 with the latest updates
and ipa-server-4.2.0-15.el7.centos.3.x86_64.

Regards

2016-01-26 10:53 GMT+01:00 Martin Kosek <[email protected]>:
> On 01/26/2016 10:16 AM, wodel youchi wrote:
> > Hi,
> >
> > I am a newbie in FreeIPA. I am trying to use it with our mail server.
>
> Cool! What is your version of the FreeIPA server? It will be important for
> further investigation.
>
> > Our mail server uses OpenLDAP with one external schema: qmail.schema. We
> > use it especially for mailQuota, mailAlternateAddress,
> > mailForwardingAddress and AccountStatus.
> >
> > I tried to import this schema to FreeIPA using ipa-ldap-updater.
> > I am not sure if I succeeded, but when I tried: ipa config-mod
> > --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the
> > objectClass.
> >
> > [root@ipamaster work]# ipa config-show --all
> > dn: cn=ipaConfig,cn=etc,dc=example,dc=com
> > Maximum username length: 32
> > Home directory base: /home
> > Default shell: /bin/sh
> > Default users group: ipausers
> > Default e-mail domain: example.com
> > Search time limit: 2
> > Search size limit: 100
> > User search fields: uid,givenname,sn,telephonenumber,ou,title
> > Group search fields: cn,description
> > Enable migration mode: TRUE
> > Certificate Subject base: O=EXAMPLE.COM
> > Default group objectclasses: top, ipaobject, groupofnames,
> > ipausergroup, nestedgroup
> > Default user objectclasses: ipaobject, person, top,
> > ipasshuser, inetorgperson, organizationalperson,
> > krbticketpolicyaux, krbprincipalaux, *qmailUser*, inetuser, posixaccount
> > Password Expiration Notification (days): 4
> > Password plugin features: AllowNThash
> > SELinux user map order:
> > guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> > Default SELinux user: unconfined_u:s0-s0:c0.c1023
> > Default PAC types: nfs:NONE, MS-PAC
> > aci: (targetattr = "cn || createtimestamp || entryusn ||
> > ipacertificatesubjectbase || ipaconfigstring || ipacustomfields ||
> > ipadefaultemaildomain || ipadefaultloginshell ||
> > ipadefaultprimarygroup || ipagroupobjectclasses ||
> > ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata ||
> > ipamaxusernamelength || ipamigrationenabled ||
> > ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit ||
> > ipaselinuxusermapdefault ||
> > ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses ||
> > ipausersearchfields || modifytimestamp ||
> > objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version
> > 3.0;acl "permission:System: Read Global
> > Configuration";allow (compare,read,search) userdn = "ldap:///all";)
> > cn: ipaConfig
> > objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig,
> > ipaUserAuthTypeClass
> >
> > Then I tried to migrate OpenLDAP's accounts, but without luck so far
> > # ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com"
> > --continue ldap://192.168.1.121:389
> > -----------
> > migrate-ds:
> > -----------
> > Migrated:
> > Failed user:
> > jean.doe: Type or value exists:
> > jeane.doe: Type or value exists:
> > Failed group:
> > ----------
> > No users/groups were migrated from ldap://192.168.1.121:389
> >
> > Here is an entry from OpenLDAP
> > dn: uid=jeane.doe,ou=people,dc=example,dc=com
> > loginShell: /bin/bash
> > gidNumber: 1000
> > objectClass: top
> > objectClass: qmailUser
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: shadowAccount
> > objectClass: organizationalPerson
> > mail: [email protected]
> > givenName: DOE
> > uid: jeane.doe
> > uidNumber: 1002
> > displayName: Jeane Doe
> > homeDirectory: /var/vmail/jeane.doe
> > accountStatus: yes
> > mailMessageStore: /var/vmail/jeane.doe
> > structuralObjectClass: inetOrgPerson
> > entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
> > creatorsName: cn=admin,dc=example,dc=com
> > createTimestamp: 20151103120748Z
> > userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
> > mailQuotaSize: 1024000
> > sn: Jeane
> > cn: DOE
> > entryCSN: 20160125162455.613052Z#000000#000#000000
> > modifiersName: cn=admin,dc=example,dc=com
> > modifyTimestamp: 20160125162455Z
> >
> > What does "Type or value exists" mean?
>
> That normally means that you have the same value for an LDAP attribute twice or
> that you are trying to add multiple values for a single-valued attribute. I
> wonder if we could get better logging, like how exactly the entry looks
> before it is added to LDAP.
>
> But right now, I cannot think of a better way than updating
> /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py
> on the FreeIPA server the following way (new print statement)
>
>     try:
>         print entry_attrs
>         ldap.add_entry(entry_attrs)
>     except errors.ExecutionError, e:
>
> , restarting the httpd service and sending us the /var/log/httpd/error_log
> after the next migration attempt. Maybe Jan (CCed) knows a better way.
>
> > PS: the qmail.schema presents two other objectClasses, but I didn't add or use
> > them (qldapAdmin, qmailGroup)
> >
> > Regards
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
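Editor's added example (not part of the thread and not FreeIPA's own code): the two causes Martin gives for "Type or value exists" (the same value twice for one attribute, or more than one value for a single-valued attribute) can be checked on the OpenLDAP entry before it is handed to ldap.add_entry(), so the failing entry is spotted without patching migration.py. The script below parses the entry quoted in the thread, runs that pre-flight check, and then shows what happens if the server's "Default user objectclasses" from `ipa config-show` are appended to the entry's own objectClass values without de-duplication. Whether migrate-ds merges the default object classes this way is an assumption made for the demonstration, not a fact stated in the thread; the single-valued attribute list is likewise an assumed, incomplete one (uidNumber, gidNumber, homeDirectory, loginShell per RFC 2307, displayName per RFC 2798), and value comparison is treated as case-insensitive, as it is for objectClass. Written for Python 3.

```python
"""Pre-flight check for "Type or value exists" before an LDAP add.

Added example; not FreeIPA code. Assumptions are marked in comments.
"""
import base64
from collections import OrderedDict

# Constructed sample: the OpenLDAP entry quoted in the thread, verbatim.
# "userPassword::" (double colon) means the value is base64-encoded in LDIF.
SAMPLE_LDIF = """\
dn: uid=jeane.doe,ou=people,dc=example,dc=com
loginShell: /bin/bash
gidNumber: 1000
objectClass: top
objectClass: qmailUser
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: shadowAccount
objectClass: organizationalPerson
mail: [email protected]
givenName: DOE
uid: jeane.doe
uidNumber: 1002
displayName: Jeane Doe
homeDirectory: /var/vmail/jeane.doe
accountStatus: yes
mailMessageStore: /var/vmail/jeane.doe
structuralObjectClass: inetOrgPerson
entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20151103120748Z
userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
mailQuotaSize: 1024000
sn: Jeane
cn: DOE
entryCSN: 20160125162455.613052Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20160125162455Z
"""

# "Default user objectclasses" as printed by `ipa config-show --all` above.
DEFAULT_USER_OBJECTCLASSES = [
    "ipaobject", "person", "top", "ipasshuser", "inetorgperson",
    "organizationalperson", "krbticketpolicyaux", "krbprincipalaux",
    "qmailUser", "inetuser", "posixaccount",
]

# ASSUMED, incomplete list of single-valued attributes present in the entry
# (RFC 2307 posixAccount attributes, RFC 2798 displayName). Extend it from the
# real schema before relying on the check; the qmail attributes are unknown.
SINGLE_VALUED = {"uidnumber", "gidnumber", "homedirectory", "loginshell",
                 "displayname"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, OrderedDict attr -> [values]).

    Handles folded lines (leading space), '#' comments and base64 ('::')
    values. Attribute names keep their spelling; lookups lowercase them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, OrderedDict()
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):                # base64 value
            value = base64.b64decode(value[1:].strip()).decode(
                "utf-8", "surrogateescape")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def find_duplicate_values(attrs):
    """{attr: sorted lowercase values} for every value present more than once.

    ASSUMPTION: case-insensitive comparison (true for objectClass and most
    directory string attributes; verify for the qmail schema attributes).
    """
    dupes = {}
    for name, values in attrs.items():
        seen, repeated = set(), []
        for v in values:
            key = v.lower()
            if key in seen and key not in repeated:
                repeated.append(key)
            seen.add(key)
        if repeated:
            dupes[name] = sorted(repeated)
    return dupes


def find_multivalue_violations(attrs, single_valued=SINGLE_VALUED):
    """{attr: count} for single-valued attributes that carry more than one value."""
    return {name: len(values) for name, values in attrs.items()
            if name.lower() in single_valued and len(values) > 1}


def merge_objectclasses(attrs, defaults, dedupe):
    """Append default object classes to a copy of the entry's objectClass list.

    dedupe=False models a naive merge that re-adds classes the entry already
    has (the 'same value twice' case); dedupe=True keeps one copy of each.
    """
    merged = OrderedDict((k, list(v)) for k, v in attrs.items())
    ocs = merged.setdefault("objectClass", [])
    for oc in defaults:
        if dedupe and oc.lower() in {x.lower() for x in ocs}:
            continue
        ocs.append(oc)
    return merged


def preflight(attrs):
    """One human-readable finding per problem that would trip the LDAP add."""
    findings = []
    for name, vals in find_duplicate_values(attrs).items():
        findings.append("%s: duplicate value(s) %s" % (name, ", ".join(vals)))
    for name, n in find_multivalue_violations(attrs).items():
        findings.append("%s: %d values for a single-valued attribute" % (name, n))
    return findings


if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(SAMPLE_LDIF)
    print("Entry as exported:", dn, preflight(attrs) or "no problems found")
    naive = merge_objectclasses(attrs, DEFAULT_USER_OBJECTCLASSES, dedupe=False)
    print("After naive merge of default object classes:", preflight(naive))
    clean = merge_objectclasses(attrs, DEFAULT_USER_OBJECTCLASSES, dedupe=True)
    print("After de-duplicated merge:", preflight(clean) or "no problems found")
```

The same preflight() can be pointed at the dictionary that Martin's added print statement writes to /var/log/httpd/error_log, which turns "Type or value exists" into the name of the offending attribute and value.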
