    migration from db to openldap

    Kopano Groupware Core
    • fbartels (Kopano), in reply to @kmeyer:

      Hi @kmeyer ,

      the instructions in http://wiki.zarafa.com/index.php/Zarafa_DB_to_LDAP_user_plugin_conversion should still work with Kopano.

      @kmeyer said in migration from db to openldap:

      (question with active-directory: is it possible to use samba4X Server ?)

      That depends on the overall number of users. We have seen quite some bad performance from Samba's LDAP implementation for installations with ~>50 users. But technically it's possible.

      Regards Felix

      Resources:
      https://kopano.com/blog/how-to-get-kopano/
      https://documentation.kopano.io/
      https://kb.kopano.io/

      Support overview:
      https://kopano.com/support/

      • kmeyer:

        Hi @fbartels,

        thanks for your fast reply, I will try…

        • fbartels (Kopano), in reply to @kmeyer:

          @kmeyer remember to always make a backup and test thoroughly.

          Regards Felix

          • thctlo:

            Hai,
            yes, you can run Kopano with a Samba 4 AD DC; I'm running it for about a year now, works fine.
            I'm on Debian Stretch.
            Make sure you use at least Samba 4.7.0+ (preferred 4.7.7) because of the multi-threaded LDAP support.
            A few pointers: AD DC and mail on 2 servers, I've not tested this on a single server.
            First apply the Kopano schema (on your DC with the FSMO roles), then check the indexing.
            The path below is OK for Debian/Ubuntu:
            ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

            Go here:
            https://exekias.me/2015/05/06/samba-indexes/ and apply the index for Kopano.

            So Samba 4.7+ and these indexes improve LDAP searches a lot.

            • kmeyer, in reply to @fbartels:

              @fbartels yes, my qemu does ;)
              BR

              • kmeyer, in reply to @thctlo:

                @thctlo
                very interesting! Do you have any more project documentation? Did you prepare the LDAP like the Kopano LDAP documentation, or did you create the Kopano index by hand?

                regards…

                • thctlo:

                  Hai @kmeyer

                  Yes, I have some "Debian"-based how-tos on how I set up my AD DC and member servers.

                  You can find these here: https://github.com/thctlo/samba4/tree/master/howtos
                  Please note I use the AD backend. You might use RID.
                  This depends a bit on how you use Samba. See:
                  https://wiki.samba.org/index.php/Idmap_config_rid
                  https://wiki.samba.org/index.php/Idmap_config_ad
                  Just look at the advantages and disadvantages. Why I use AD: only for one thing,
                  see the AD advantage: IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost.

                  If you use Debian, then I really suggest you use my packages.
                  Found here: https://apt.van-belle.nl
                  I create these for the Samba community with some support from the Samba devs.
                  Use the 4.7.7 package; I really advise you to avoid Samba 4.8.0-4.8.1 for now, these are not stable and can create problems.

                  After the setup, for Kopano, just follow the documentation to install for AD.
                  Now apply the Kopano schema.

                  #
                  # source : https://stash.kopano.io/projects/KC/repos/kopano-ads-source/browse/samba/kopano-samba-ads
                  # In /etc/samba/smb.conf change/allow schema updates

                  sudo sed -i 's/sdb:schema update allowed = no/sdb:schema update allowed = yes/g' /etc/samba/smb.conf
                  # systemctl takes the verb first, then the unit
                  sudo systemctl reload samba-ad-dc

                  # If you install the ldiff from the DC itself.
                  sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -v -H /var/lib/samba/private/sam.ldb -writechanges

                  # or if you do a remote install in LDAP (AD).
                  #sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD  ./ldiff/ -H ldaps://hostname.your.domain.tld -UAdministrator%YourStrongPass -writechanges

                  # Wait^^ after it's finished, give AD time to sync if you have multiple DCs.

                  # revert the schema update allowed.
                  sudo sed -i 's/sdb:schema update allowed = yes/sdb:schema update allowed = no/g' /etc/samba/smb.conf
                  sudo systemctl reload samba-ad-dc


                  And now install the kopano-ads tool on the remote computer where you have the Windows Administration Tools installed.

                  The indexing you can do manually from RSAT (enable the advanced view first so you can modify directly).
                  The other way is to use ldbedit as shown on the website I posted before.
                  Just write a script for the ones you want to adjust and it's done in seconds.

                  What I did was look up the indexes Kopano uses:
                  https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#ldap-indices

                  Check it after the schema change with:

                   ldbsearch -H /var/lib/samba/private/sam.ldb  -s base -b @INDEXLIST |  egrep "cn|gidNumber|mail|memberUid|objectClass|ou|sn|uid|kopano"


                  And the ones I missed, for these I use ldbedit and set the searchFlags from 0 to 1.

                  If you need more info, PM me, no problem.
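The index check above is done by eye with egrep. As an added example (not code from the post, from thctlo's how-tos or from Kopano), the following script parses the `@INDEXLIST` record as `ldbsearch` prints it and lists which of the attributes the post greps for are still missing from the index. The sample `ldbsearch` output is constructed for the example, and the list of wanted attributes is taken from the egrep pattern in the post, not from the Kopano manual; `sam.ldb` stores indexed attributes as `@IDXATTR` values in that record.

```python
# Constructed sample of 'ldbsearch -H .../sam.ldb -s base -b @INDEXLIST' output
# (not captured from a real DC); the indexed attribute names are made up.
SAMPLE_INDEXLIST = """\
# record 1
dn: @INDEXLIST
@IDXATTR: objectClass
@IDXATTR: cn
@IDXATTR: sAMAccountName
@IDXATTR: mail
@IDXATTR: uid
@IDXATTR: kopanoAccount
@IDXONE: 1
@IDXVERSION: 2

# returned 1 records
# 1 entries
# 0 referrals
"""

# Attributes from the post's egrep pattern (assumption: this is what the poster
# wanted indexed; it is not the authoritative Kopano index list).
WANTED = ["cn", "gidNumber", "mail", "memberUid", "objectClass", "ou", "sn", "uid"]
WANTED_PREFIX = "kopano"   # the egrep also matches any kopano* attribute


def parse_indexlist(text):
    """Return the set of attribute names listed as @IDXATTR in the record."""
    indexed = set()
    for line in text.splitlines():
        if line.startswith("@IDXATTR:"):
            indexed.add(line.split(":", 1)[1].strip())
    return indexed


def missing_indexes(indexed, wanted=WANTED):
    """Wanted attributes that are not indexed; LDAP attribute names are case-insensitive."""
    have = {a.lower() for a in indexed}
    return [a for a in wanted if a.lower() not in have]


def kopano_indexes(indexed, prefix=WANTED_PREFIX):
    """Indexed attributes from the Kopano schema (kopano* prefix), sorted."""
    return sorted(a for a in indexed if a.lower().startswith(prefix))


if __name__ == "__main__":
    idx = parse_indexlist(SAMPLE_INDEXLIST)
    print("indexed kopano attributes:", ", ".join(kopano_indexes(idx)) or "none")
    for attr in missing_indexes(idx):
        # each of these is a candidate for setting searchFlags to 1 with ldbedit/RSAT
        print("not indexed:", attr)
```

On a real DC, replace the constructed sample with the output of the `ldbsearch` command from the post; the script only reads, so it is safe to run before any `ldbedit` change.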

                  • kmeyer:

                    Hi, @fbartels
                    I tried the db-to-ldap Perl script. But I always get the problem that the script will not match the user accounts of the LDAP server:

                    What did I do:

                    1. OpenLDAP installation on the Kopano server
                    2. kopano.ldif integration
                    3. created every account (uid) in LDAPAdmin.exe
                    4. stop kopano-server and modules
                    5. created /etc/kopano/ldap.cfg
                    6. installed all needed Perl modules
                    7. changed the db-to-ldap script from zarafa to kopano
                    8. perl db-to-ldap-plugin.pl

                    …
                    Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 38.
                    Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 30.
                    Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
                    Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
                    here: line 30
                    my $mesg = $ldap->search(filter => "($lo->{ldap_loginname_attribute}=$db_username)",
                                             base   => "$lo->{ldap_search_base}",
                                             attrs  => ["$lo->{ldap_loginname_attribute}", "$lo->{ldap_user_unique_attribute}"],
                                             scope  => "sub");

                    Found user 'admin' in database with user_id '3'
                    Error updating admin. No entry found in ldap for ( = admin)

                    LdapAdmin shows: uid=admin

                    Tested:
                    when I start Kopano with safe mode = yes, it is not possible for Kopano to list any user with the LDAP configuration.
                    After safe mode = no the users are shown, but as new Kopano users without any DB data.

                    How must a user be created in LDAP to use the db-to-ldap Perl script?
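The filter in the error output reads `( = admin)`: the attribute name in front of `=` expanded to nothing, which is exactly what the "uninitialized value" warnings at line 30 say about `$lo->{ldap_loginname_attribute}`. As an added example (not code from the post or from the db-to-ldap script), the following Python shows the two checks a script of that kind should make before querying LDAP: refuse to run when a required `ldap.cfg` key is unset, and escape the username taken from the database per RFC 4515 so that it cannot change the meaning of the filter. The two config fragments and the key names are constructed for the example; they follow the `key = value` shape of the Kopano config files but are not the page's actual `ldap.cfg`.

```python
import re

# Constructed ldap.cfg fragment (not the poster's file): the login-name attribute
# is deliberately left unset to reproduce the empty "( = admin)" filter.
SAMPLE_CFG_BROKEN = """
ldap_search_base = dc=example,dc=com
ldap_user_unique_attribute = uidNumber
# ldap_loginname_attribute = uid    <- commented out, so the key is missing
"""

# Constructed ldap.cfg fragment with all keys the filter needs.
SAMPLE_CFG_OK = """
ldap_search_base = dc=example,dc=com
ldap_user_unique_attribute = uidNumber
ldap_loginname_attribute = uid
"""

# Keys the search at "line 30" of the post's script reads (assumption: these are
# the only ones it needs for that one search).
REQUIRED_KEYS = ("ldap_search_base",
                 "ldap_loginname_attribute",
                 "ldap_user_unique_attribute")


def parse_cfg(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)     # values may themselves contain '='
        opts[key.strip()] = value.strip()
    return opts


def missing_keys(opts):
    """Required keys that are absent or empty, in REQUIRED_KEYS order."""
    return [k for k in REQUIRED_KEYS if not opts.get(k)]


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value, so a database username such as
    'ad*)(uid=*' is matched literally instead of rewriting the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(opts, db_username):
    """Return the '(attr=value)' filter the script would send, or raise on bad config."""
    missing = missing_keys(opts)
    if missing:
        raise ValueError("ldap.cfg is missing: " + ", ".join(missing))
    attr = opts["ldap_loginname_attribute"]
    # attribute descriptions are letters, digits and hyphens only
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
        raise ValueError("invalid attribute name: %r" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(db_username))


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_CFG_BROKEN), ("ok", SAMPLE_CFG_OK)):
        opts = parse_cfg(text)
        try:
            print(name, "->", build_user_filter(opts, "admin"))
        except ValueError as err:
            print(name, "->", err)
```

With the broken fragment the script stops with "ldap.cfg is missing: ldap_loginname_attribute" instead of sending an empty attribute name to the server; with the complete one it produces `(uid=admin)`.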

                    • fbartels (Kopano), in reply to @kmeyer:

                      @kmeyer said in migration from db to openldap:

                      How must a user be created in LDAP to use the db-to-ldap Perl script?

                      I cannot say without doing some extended testing here. I recommend to get in touch with our support for this.

                      Regards Felix

                      • kmeyer:

                        @fbartels, to change to LDAP there is another way:

                        Install OpenLDAP as the manual describes for Kopano. (Make backups, please.)
                        Create the users in LDAP (now or maybe later).

                        Stop kopano-server.

                        Change in /kopano/server.cfg:
                        user_plugin = ldap
                        user_safe_mode = no

                        Start kopano-server.

                        Now all the stores are unhooked.
                        You get a list of stores with:
                        kopano-admin --list-orphans
                        (better to copy that information)

                        Now you can hook the stores to the new LDAP users:
                        kopano-admin --hook-store [storeidofthelist] -u [usernameoftheldapuser]

                        If the password is correct you should be able to log in to the WebApp.
                        Check:
                        user quota, email addresses etc. and the permissions to other calendars etc.

                        Good luck XD
                        Doing this is at your own risk; no support said it works.
                        I'll do this on my server.
                        If you try, be sure you did a backup!!!

                        • fbartels (Kopano):

                          Yes, but this way you also lose some information around your users such as ACLs and opened stores. But if you don't want to reach out to our support, no one can force you.

                          Regards Felix

                          • Coffee_is_life:

                            Good morning everyone,

                            if the environment is big, hooking all stores to the right user is quite time consuming…
                            For hooking multiple guessed stores to the users, I wrote a little script in the past:

                            Requirement: use an ldapsearch to get all users with the kopano attribute and write just the username to a file.
                            Now you should have a list with all users in LDAP which should use Kopano. I call it username.txt in /tmp/.

                            kopano-admin --list-orphans | grep private > /tmp/stores.txt
                            for e in $(cat /tmp/username.txt); do
                             userline=""
                             user_store=""
                             echo "searching store for $e"
                             # -w matches the whole word only, so "ann" does not also match "joanna"
                             userline=$(grep -w "$e" /tmp/stores.txt)
                             if [ "x$userline" = "x" ]; then
                              echo "user $e not found"
                              continue
                             else
                              echo "user $e found"
                              # first column of the orphan list is the store GUID
                              user_store=$(echo "$userline" | awk '{print $1}')
                              if [ "x$user_store" != "x" ]; then
                                # kopano-admin takes the user with -u (see the command earlier in the thread)
                                if kopano-admin --hook-store "$user_store" -u "$e"; then
                                  echo "successfully hooked $user_store to user:$e"
                                else
                                  echo "FEHLER $user_store not hooked to $e"
                                fi
                              fi
                             fi
                            done
                            

                            For testing, just change the 'kopano-admin --hook-store' command into 'echo "kopano-admin --hook-store […]"' and you will get the commands.

                            regards
                            coffee_is_life
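The procedure described earlier in the thread (switch `user_plugin` to ldap, list orphans, hook each store) and the script above both match stores to users by the guessed name, and a plain `grep` on that name also matches longer names that contain it. As an added example (not code from the post, from the poster or from Kopano), the following Python builds the hook plan offline with exact matching, refuses to guess when a user has more than one orphaned store, and emits the `kopano-admin --hook-store GUID -u USER` commands for review before anything is run. The `--list-orphans` output is constructed for the example and only assumes what the script above assumes: GUID in the first column, guessed username in the second, and "private" on private store lines; the LDAP user list stands in for the poster's `/tmp/username.txt`.

```python
import shlex

# Constructed sample of 'kopano-admin --list-orphans' output (not captured from a
# real server); GUIDs and names are made up.
SAMPLE_ORPHANS = """\
Stores without users:
\tStore guid\tGuessed username\tLast login\tStore size\tStore type
\t0123456789abcdef0123456789abcdef\tann\t<unknown>\t10240 KB\tprivate
\tfedcba9876543210fedcba9876543210\tjoanna\t<unknown>\t20480 KB\tprivate
\t00112233445566778899aabbccddeeff\tsales\t<unknown>\t512 KB\tpublic
\tffeeddccbbaa99887766554433221100\tann\t<unknown>\t4096 KB\tprivate
Users without stores (3):
\tann
\tjoanna
\tbob
"""

# Constructed stand-in for the /tmp/username.txt exported from LDAP.
SAMPLE_LDAP_USERS = ["ann", "joanna", "bob"]


def parse_orphans(text):
    """Return [(guid, guessed_username)] for private orphaned stores only."""
    stores = []
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) < 5 or fields[-1] != "private":
            continue                      # header, public stores, user list
        guid, guessed = fields[0], fields[1]
        if len(guid) == 32 and all(c in "0123456789abcdef" for c in guid):
            stores.append((guid, guessed))
    return stores


def plan_hooks(stores, ldap_users):
    """Match stores to LDAP users by exact name.

    Returns (commands, ambiguous, unmatched):
      commands  - one hook command per user with exactly one guessed store
      ambiguous - {user: [guids]} for users with several stores; decide by hand
      unmatched - LDAP users with no orphaned store at all
    """
    by_user = {}
    for guid, guessed in stores:
        by_user.setdefault(guessed, []).append(guid)
    commands, ambiguous, unmatched = [], {}, []
    for user in ldap_users:
        guids = by_user.get(user, [])
        if not guids:
            unmatched.append(user)
        elif len(guids) > 1:
            ambiguous[user] = guids
        else:
            # shlex.quote keeps an odd username from being interpreted by the shell
            commands.append("kopano-admin --hook-store %s -u %s"
                            % (guids[0], shlex.quote(user)))
    return commands, ambiguous, unmatched


if __name__ == "__main__":
    cmds, amb, unm = plan_hooks(parse_orphans(SAMPLE_ORPHANS), SAMPLE_LDAP_USERS)
    print("\n".join(cmds))
    for user, guids in amb.items():
        print("# %s has %d orphaned stores, pick one manually: %s"
              % (user, len(guids), " ".join(guids)))
    for user in unm:
        print("# no orphaned store for %s" % user)
```

In the constructed sample, `ann` has two private stores and is reported rather than hooked, `joanna` gets one command, and `bob` is listed as having no store; with the substring `grep` of the original script, `ann` would also have matched `joanna`'s line.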
