migration from db to openldap

fbartels

the instructions in http://wiki.zarafa.com/index.php/Zarafa_DB_to_LDAP_user_plugin_conversion should still work with Kopano.

@kmeyer said in migration from db to openldap:

(question with active-directory: is it possible to use samba4X Server ?)

That depends on the overall number of users. We have seen quite some bad performance from Sambas LDAP implementation for installations ~>50 users. But technically its possible.

kmeyer

Ho @fbartels,

thanks for your fast reply, I will try…

fbartels

@kmeyer remember to always make a backup and test thoroughly.

thctlo

Hai,
yes, you can run kopano with samba4 AD-DC, im running it about a year now, works fine.
Im on debian Stretch.
Make sure you use at least samba 4.7.0+ ( preffered 4.7.7) because of the Multi threaded ldap support.
A few pointers, ADDC and mail on 2 servers, i’ve not tested this on a single server.
First apply the kopano schema. ( on your DC with FSMO roles ) then check the indexing.
The path below if ok for debian/ubuntu
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

go here:
https://exekias.me/2015/05/06/samba-indexes/ and apply the index for kopano.

so samba 4.7+ and these index improve ldap searches a lot.

kmeyer

@fbartels yes, my qemu does ;)
BR

kmeyer

@thctlo
very interesting! Ddo you have any more project documentations? Do you prepared the LDAP like the kopano LDAP-Documentation or did you have created the kopano-index in manual labor?

regards…

thctlo

Hai @kmeyer

Yes, i have some “debian” based howtos how i did setup my ADDC and member servers.

You can find these here : https://github.com/thctlo/samba4/tree/master/howtos
please note i use AD backend. You might use RID.
This depends a bit how you use samba. see :
https://wiki.samba.org/index.php/Idmap_config_rid
https://wiki.samba.org/index.php/Idmap_config_ad
Just look at the advantages and disavantages. Why i use AD. only for one thing.
see the AD advantage: IDs are not stored in a local database that can corrupt and thus file ownerships are not lost.

If you use Debian, then i really suggest, use my packages.
Found here : https://apt.van-belle.nl
I create these for the samba community with some the support of the samba devs.
Use the 4.7.7 package, i really advice you to avoid samba 4.8.0-4.8.1 for now. these are not stable, and can create problems.

After the setup, for kopano, just follow the documentation to install for AD.
Now apply the kopano schema.

#
# source : https://stash.kopano.io/projects/KC/repos/kopano-ads-source/browse/samba/kopano-samba-ads
# In /etc/samba/smb.conf change/allow schema updates

sudo sed -i 's/sdb:schema update allowed = no/sdb:schema update allowed = yes/g' /etc/samba/smb.conf
sudo systemctl samba-ad-dc reload

# If you install the ldiff from the DC itself.
sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -v -H /var/lib/samba/private/sam.ldb -writechanges

# or if you do a remote install in ldap (AD).
#sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD  ./ldiff/ -H ldaps://hostname.your.domain.tld -UAdministrator%YourStrongPass -writechanges

# Wait^^ after its finished give the ad time to sync if you have multple DC's. 

# revert the schema update allowed.
sudo sed -i 's/sdb:schema update allowed = yes/sdb:schema update allowed = no/g' /etc/samba/smb.conf
sudo systemctl samba-ad-dc reload

And now install kopano-ads tool in the Remote Computer, where you have Administration Tools of WIndows installed.

The indexing, you can do that manualy from RSAT ( enable the advanced view first so you can modify directly.
The other way is use ldbedit as show on the website i posted before.
just write a script for the once you want to adjust and its done in seconds.

what i did was, i lookup the indexes kopano use :
https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#ldap-indices

check it after the schema change with :

 ldbsearch -H /var/lib/samba/private/sam.ldb  -s base -b @INDEXLIST |  egrep "cn|gidNumber|mail|memberUid|objectClass|ou|sn|uid|kopano"

And the ones i missed, for these i use ldbedit and set the searchflag from 0 to 1.

if you need more info, pm me, no problem.

kmeyer

hi, @fbartels
I tryed the db-to-ldap perl script. But I allways got the problem that the script will not match the user accounts of the ldap server.:

what did I do:

openldap installation on Kopano Server
kopano.ldif integration
created every account (uid) in LDAPAdmin.exe
stop Kopano-Server and Modules
created the /etc/kopano/ldap.cfg
installed alle needed perl-modules
changed the db-to-ldap script from zarafa to kopano
perl db-to-ldap-plugin.pl

…
Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 38.
Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 30.
Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
here:lLine 30
my $mesg = $ldap->search(filter => “($lo->{ldap_loginname_attribute}=$db_username)”,
base => “$lo->{ldap_search_base}”,
attrs => ["$lo->{ldap_loginname_attribute}", “$lo->{ldap_user_unique_attribute}”],
scope => “sub”);

Found user ‘admin’ in database with user_id ‘3’
Error updating admin. No entry found in ldap for ( = admin)

LdapAdmin shows: uid=admin

tested:
when I start Kopano with Safe mode=yes, it is not possible for kopano to list any user with ldap konfiguration.
after safe-mode=no the users are shown but as new kopano users without any db-data.

How must a user be createt in LDAP to use the db-to-ldap perl script?

fbartels

@kmeyer said in migration from db to openldap:

How must a user be createt in LDAP to use the db-to-ldap perl script?

I cannot say without doing some extended testing here. I recommend to get in touch with our support for this.

kmeyer

@fbartels , to change to ldap there is another way:

install openldap the manual describes for kopano. (make backups, please)
create the users in Ldap (now or maybe later )

stop Kopano-Server

change: /kopano/server.cfg
user_plugin = ldap
user_safe_mode = no

start kopano-server

now alle the stores are unhooked.
you get a list of stores with:
kopano-admin --list-orphans
(better to copy that information)

now you can hook the stores to the new ldap-users:
kopano-admin --hook-store [storeidofthelist] -u [usernameoftheldapuser]

if password is korrekt you should be able to login to the webapp.
check:
userquota - email adresses etc. and the permissions to other calendars etc.

good luck XD
To do this is on your own risk, no support said - it works.
I’ll do this on my server.
If you try, be sure you did a backup!!!

fbartels

yes, but this way you also loose some information around your users such as acls and opened stores. but if you don’t want to reach out to our support, no one can force you.

Coffee_is_life

good morning everyone,

if the environment is big, hooking all stores to the right user is quite time consuming…
for hooking multiple guessed store to the user, i wrote a script little in the past:

requirement: use an ldapsearch to get all users with attribute kopano and write just the username to a file
now you should have a list with all users in ldap which should use kopano. i call it username.txt in /tmp/

kopano-admin --list-orphans | grep private > /tmp/stores.txt
for e in $(cat /tmp/username.txt);  do
 userline=""
 user_store=""
 echo "searching store for $e"
 userline=$(cat /tmp/stores.txt | grep $e)
 if [ "x$userline" = "x" ]; then
  echo "user $e not found"
  continue
 else
  echo "user $e found"
  user_store=$(echo $userline |awk -F" " '{print $1}')
  if [ "x$user_store" != "x" ]; then
    kopano-admin --hook-store $user_store $e
    if [ $? = 0 ]; then
      echo "successfully hooked $user_store to user:$e"
    else
      echo "FEHLER $user_store not hooked to $e"
    fi
  fi
 fi
done

for testing, just change the ‘kopano-admin --hook-store’ command in a ‘echo “kopano-admin --hook-store […]”’ you will get the commands

regards
coffee_is_life