Hi,

In the above log (httpd log) the LDAPEntry contains both the qmailuser and qmailUser objectClasses; I don't know if this is what is causing the problem.

Another thing: I can't import groups either. I did add a simple group to my ldap:

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
structuralObjectClass: organizationalUnit

dn: cn=vmail,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 5000
structuralObjectClass: posixGroup
cn: vmail

When I launch the migration command I get:

ipa: ERROR: La recherche LDAP group ne renvoie aucun résultat (base de recherche : ou=groups,dc=example,dc=com, classe d'objet : groupofuniquenames, groupofnames)

Any idea?

Regards.

2016-01-26 13:42 GMT+01:00 wodel youchi <[email protected]>:

> Hi again,
>
> This is what I get from httpd error_log
>
> [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID number 1000 of migrated user jean.doe does not point to a known group.
> [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427] LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,cn=accounts,dc=example,dc=com'), {u'mailQuotaSize': ['2048000'], u'cn': ['DOE'], u'uid': [u'jean.doe'], u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser', u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux', u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser', u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1001'], u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'], u'krbprincipalname': [u'[email protected]'], u'mailMessageStore': ['/var/vmail/jean.doe'], u'description': ['__no_upg__'], u'displayName': ['Jean Doe'], u'userPassword': ['{SSHA}NIxCImzQDagloyVdMtheC4wDMUImxW85'], u'accountStatus': ['yes'], u'mailAlternateAddress': ['[email protected]', '[email protected]'], u'sn': ['Jean'], u'homeDirectory': ['/var/vmail/jean.doe'], u'mail': ['[email protected]'], u'givenName': ['DOE']})
> [Tue Jan 26 13:38:02.398937 2016] [:error] [pid 7427] ipa: WARNING: GID number 1000 of migrated user jeane.doe does not point to a known group.
> [Tue Jan 26 13:38:02.399703 2016] [:error] [pid 7427] LDAPEntry(ipapython.dn.DN('uid=jeane.doe,cn=users,cn=accounts,dc=example,dc=com'), {u'mailQuotaSize': ['1024000'], u'cn': ['DOE'], u'uid': [u'jeane.doe'], u'objectClass': [u'ipaobject', u'organizationalperson', u'qmailuser', u'top', u'ipasshuser', u'inetorgperson', u'person', u'krbticketpolicyaux', u'krbprincipalaux', u'shadowaccount', u'qmailUser', u'inetuser', u'posixaccount'], u'loginShell': ['/bin/bash'], u'uidNumber': ['1002'], u'gidNumber': [u'1000'], u'ipauniqueid': ['autogenerate'], u'krbprincipalname': [u'[email protected]'], u'mailMessageStore': ['/var/vmail/jeane.doe'], u'description': ['__no_upg__'], u'displayName': ['Jeane Doe'], u'userPassword': ['{SSHA}+fXBt+2vlneTFUDhnEv9YvHS4Zo65LIT'], u'accountStatus': ['yes'], u'sn': ['Jeane'], u'homeDirectory': ['/var/vmail/jeane.doe'], u'mail': ['[email protected]'], u'givenName': ['DOE']})
>
> Regards.
>
> 2016-01-26 11:22 GMT+01:00 wodel youchi <[email protected]>:
>
>> Thanks, I will try and report back.
>>
>> I am using Centos 7.2 x64 with latest updates
>>
>> and ipa-server-4.2.0-15.el7.centos.3.x86_64
>>
>> Regards
>>
>> 2016-01-26 10:53 GMT+01:00 Martin Kosek <[email protected]>:
>>
>>> On 01/26/2016 10:16 AM, wodel youchi wrote:
>>> > Hi,
>>> >
>>> > I am a newbie in freeipa. I am trying to use it with our mail server.
>>>
>>> Cool! What is your version of the FreeIPA server? It will be important for further investigation.
>>>
>>> > Our mail server uses openldap with one external schema: qmail.schema, we use it especially for mailQuota, mailAlternateAddress, mailForwardingAddress and AccountStatus.
>>> >
>>> > I tried to import this schema to freeipa using ipa-ldap-updater.
>>> > I am not sure if I succeeded, but when I tried: ipa config-mod --addattr=ipaGroupObjectClasses=qmailUser it worked and I can see the objectClass.
>>> >
>>> >
>>> > [root@ipamaster work]# ipa config-show --all
>>> > dn: cn=ipaConfig,cn=etc,dc=example,dc=com
>>> > Longueur maximale du nom d'utilisateur: 32
>>> > Base du répertoire utilisateur: /home
>>> > Interprèteur par défaut: /bin/sh
>>> > Groupe utilisateur par défaut: ipausers
>>> > Domaine par défaut pour les courriels: example.com
>>> > Limite de temps d'une recherche: 2
>>> > Limite de taille d'une recherche: 100
>>> > Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
>>> > Group search fields: cn,description
>>> > Activer le mode migration: TRUE
>>> > Base de sujet de certificat: O=EXAMPLE.COM
>>> > Classes d'objets de groupe par défaut: top, ipaobject, groupofnames, ipausergroup, nestedgroup
>>> > Classes d'objets utilisateur par défaut: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, *qmailUser*, inetuser, posixaccount
>>> > Notification d'expiration de mot de passe (jours): 4
>>> > Fonctionnalités du greffon mots de passe: AllowNThash
>>> > Ordre de la mappe des utilisateurs SELinux: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>> > Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
>>> > Types de PAC par défaut: nfs:NONE, MS-PAC
>>> > aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
>>> > cn: ipaConfig
>>> > objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, ipaUserAuthTypeClass
>>> >
>>> > Then I tried to migrate openldap's accounts, but without luck so far
>>> > #ipa -v migrate-ds --with-compat --bind-dn "cn=admin,dc=example,dc=com" --continue ldap://192.168.1.121:389
>>> > -----------
>>> > migrate-ds:
>>> > -----------
>>> > Migrated:
>>> > Failed user:
>>> > jean.doe: Type or value exists:
>>> > jeane.doe: Type or value exists:
>>> > Failed group:
>>> > ----------
>>> > No users/groups were migrated from ldap://192.168.1.121:389
>>> >
>>> >
>>> > Here is an entry from openldap
>>> > dn: uid=jeane.doe,ou=people,dc=example,dc=com
>>> > loginShell: /bin/bash
>>> > gidNumber: 1000
>>> > objectClass: top
>>> > objectClass: qmailUser
>>> > objectClass: inetOrgPerson
>>> > objectClass: posixAccount
>>> > objectClass: person
>>> > objectClass: shadowAccount
>>> > objectClass: organizationalPerson
>>> > mail: [email protected]
>>> > givenName: DOE
>>> > uid: jeane.doe
>>> > uidNumber: 1002
>>> > displayName: Jeane Doe
>>> > homeDirectory: /var/vmail/jeane.doe
>>> > accountStatus: yes
>>> > mailMessageStore: /var/vmail/jeane.doe
>>> > structuralObjectClass: inetOrgPerson
>>> > entryUUID: 3e8ee290-166f-1035-94d7-ef8fa27fbe71
>>> > creatorsName: cn=admin,dc=example,dc=com
>>> > createTimestamp: 20151103120748Z
>>> > userPassword:: e1NTSEF9K2ZYQnQrMnZsbmVURlVEaG5FdjlZdkhTNFpvNjVMSVQ=
>>> > mailQuotaSize: 1024000
>>> > sn: Jeane
>>> > cn: DOE
>>> > entryCSN: 20160125162455.613052Z#000000#000#000000
>>> > modifiersName: cn=admin,dc=example,dc=com
>>> > modifyTimestamp: 20160125162455Z
>>> >
>>> > What does "Type or value exists" mean?
>>>
>>> That normally means that you have the same value for an LDAP attribute twice, or that you are trying to add multiple values for a single-valued attribute. I wonder if we could get better logging, like what exactly the entry looks like before it is added to LDAP.
>>>
>>> But right now, I cannot think of a better way than updating /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py on the FreeIPA server the following way (new print statement)
>>>
>>> try:
>>>     print entry_attrs
>>>     ldap.add_entry(entry_attrs)
>>> except errors.ExecutionError, e:
>>>
>>> , restarting the httpd service and sending us the /var/log/httpd/error_log after the next migration attempt. Maybe Jan (CCed) knows a better way.
>>>
>>> > PS: the qmail.schema presents two other objectClasses, but I didn't use them (qldapAdmin, qmailGroup)
>>> >
>>> > Regards
>>> >
>>> >
>>> >
>>>
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
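A pre-flight check for the condition Martin describes, added here as an example (it is not FreeIPA's code). LDAP compares objectClass values case-insensitively, so an entry that carries both `qmailuser` (from the source OpenLDAP entry) and `qmailUser` (from the configured default user object classes) is a "same value twice" case for the directory server; the same check also flags the gidNumber that the log warns does not point to a known group. The entry below is constructed from the LDAPEntry in the error_log; the known-GID set and the `lowercase` helper are assumptions.

```python
# Added example, not FreeIPA code: check a migrated entry before it would be
# passed to ldap.add_entry(). ENTRY is constructed from the LDAPEntry in the
# httpd error_log; KNOWN_GIDS is an assumed set of gidNumbers present in IPA.

ENTRY = {
    "uid": ["jean.doe"],
    "objectClass": ["ipaobject", "organizationalperson", "qmailuser", "top",
                    "ipasshuser", "inetorgperson", "person",
                    "krbticketpolicyaux", "krbprincipalaux", "shadowaccount",
                    "qmailUser", "inetuser", "posixaccount"],
    "uidNumber": ["1001"],
    "gidNumber": ["1000"],
}

# Assumed: only the vmail group (gidNumber 5000) exists on the IPA side.
KNOWN_GIDS = {"5000"}


def lowercase(value):
    """Folding used for objectClass: the directory matches it without regard
    to case, so this is what "the same value" means for that attribute."""
    return value.strip().lower()


def duplicate_values(entry):
    """Return {attribute: [(kept, duplicate), ...]} for value pairs the
    directory would reject with "Type or value exists". objectClass is
    compared case-insensitively; other attributes are compared exactly."""
    problems = {}
    for attr, values in entry.items():
        fold = lowercase if attr.lower() == "objectclass" else str
        seen = {}
        for value in values:
            key = fold(value)
            if key in seen:
                problems.setdefault(attr, []).append((seen[key], value))
            else:
                seen[key] = value
    return problems


def unknown_gid(entry, known_gids):
    """Return the entry's gidNumber when no known group carries it (the
    condition behind the 'does not point to a known group' warning),
    otherwise None."""
    gid = entry.get("gidNumber", [None])[0]
    return None if gid in known_gids else gid


if __name__ == "__main__":
    print(duplicate_values(ENTRY))      # {'objectClass': [('qmailuser', 'qmailUser')]}
    print(unknown_gid(ENTRY, KNOWN_GIDS))  # 1000
```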
