migration from db to openldap

  • Hi @ all,
    we want to use the archiver, so we have to change from the user DB to LDAP or Active Directory.
    (Question about Active Directory: is it possible to use a Samba4 server?)

    How can I easily transfer the users / user data to LDAP or Active Directory? Is there a way/documentation?

    Thanks for your help…

    BR Karsten Meyer

  • Kopano

    Hi @kmeyer ,

    the instructions in http://wiki.zarafa.com/index.php/Zarafa_DB_to_LDAP_user_plugin_conversion should still work with Kopano.

    @kmeyer said in migration from db to openldap:

    (question with active-directory: is it possible to use samba4X Server ?)

    That depends on the overall number of users. We have seen quite some bad performance from Samba's LDAP implementation for installations with ~>50 users. But technically it's possible.

  • Hi @fbartels,

    thanks for your fast reply, I will try…

  • Kopano

    @kmeyer remember to always make a backup and test thoroughly.

  • Hai,
    yes, you can run Kopano with a Samba4 AD DC, I'm running it for about a year now, works fine.
    I'm on Debian Stretch.
    Make sure you use at least Samba 4.7.0+ (preferred 4.7.7) because of the multi-threaded LDAP support.
    A few pointers: AD DC and mail on 2 servers, I've not tested this on a single server.
    First apply the Kopano schema (on your DC with the FSMO roles), then check the indexing.
    The path below is OK for Debian/Ubuntu:
    ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

    go here:
    https://exekias.me/2015/05/06/samba-indexes/ and apply the index for Kopano.

    So Samba 4.7+ and these indexes improve LDAP searches a lot.

  • @fbartels yes, my qemu does ;)

  • @thctlo
    very interesting! Do you have any more project documentation? Did you prepare the LDAP like the Kopano LDAP documentation describes, or did you create the Kopano index by manual labor?


  • Hai @kmeyer

    Yes, I have some "Debian"-based howtos on how I set up my AD DC and member servers.

    You can find these here: https://github.com/thctlo/samba4/tree/master/howtos
    Please note I use the AD backend. You might use RID.
    This depends a bit on how you use Samba. See:
    Just look at the advantages and disadvantages. Why I use AD: only for one thing.
    See the AD advantage: IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost.

    If you use Debian, then I really suggest you use my packages.
    Found here: https://apt.van-belle.nl
    I create these for the Samba community with some support of the Samba devs.
    Use the 4.7.7 package; I really advise you to avoid Samba 4.8.0-4.8.1 for now. These are not stable and can create problems.

    After the setup, for Kopano, just follow the documentation to install for AD.
    Now apply the Kopano schema.

    # source : https://stash.kopano.io/projects/KC/repos/kopano-ads-source/browse/samba/kopano-samba-ads
    # In /etc/samba/smb.conf change/allow schema updates (the smb.conf parameter is "dsdb:schema update allowed")
    sudo sed -i 's/dsdb:schema update allowed = no/dsdb:schema update allowed = yes/g' /etc/samba/smb.conf
    sudo systemctl reload samba-ad-dc
    # If you install the ldif from the DC itself.
    sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -v -H /var/lib/samba/private/sam.ldb -writechanges
    # or if you do a remote install in LDAP (AD).
    #sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD  ./ldiff/ -H ldaps://hostname.your.domain.tld -UAdministrator%YourStrongPass -writechanges
    # Wait^^ after it's finished, give AD time to sync if you have multiple DCs.
    # revert the schema update allowed.
    sudo sed -i 's/dsdb:schema update allowed = yes/dsdb:schema update allowed = no/g' /etc/samba/smb.conf
    sudo systemctl reload samba-ad-dc

    And now install the kopano-ads tool on the remote computer where you have the Windows Administration Tools installed.

    The indexing, you can do that manually from RSAT (enable the advanced view first so you can modify directly).
    The other way is to use ldbedit as shown on the website I posted before.
    Just write a script for the ones you want to adjust and it's done in seconds.

    What I did was, I looked up the indexes Kopano uses:

    check it after the schema change with:

     ldbsearch -H /var/lib/samba/private/sam.ldb  -s base -b @INDEXLIST |  egrep "cn|gidNumber|mail|memberUid|objectClass|ou|sn|uid|kopano"

    And the ones I missed, for these I use ldbedit and set the searchFlags from 0 to 1.

    If you need more info, PM me, no problem.
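The index check in the post above, turned into a script. This is an added example for the thread, not code from the poster, Kopano or Samba: it compares the attributes a Kopano ldap.cfg filters on against the `@IDXATTR` entries in Samba's `@INDEXLIST`, and emits the LDIF that sets `searchFlags: 1` (fATTINDEX) on each missing attributeSchema object, which is the "searchFlags from 0 to 1" change the post describes. The `@INDEXLIST` dump is a constructed excerpt so the script runs offline; the `WANTED` list is a sample selection of attribute names, and the assumption that an attribute's schema `CN` equals its lDAPDisplayName is flagged in the code.

```shell
#!/bin/sh
# Added example for this thread (not the poster's, Kopano's or Samba's code).
# Compare the attributes Kopano searches on with what sam.ldb indexes, and
# emit an LDIF that turns indexing on for the rest.
#
# On a real DC the index list comes from the command shown in the post:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
# A constructed excerpt of that output is embedded so this runs offline.

SAMPLE_INDEXLIST='# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: objectClass
@IDXATTR: sAMAccountName
@IDXATTR: mail
@IDXATTR: memberOf
@IDXVERSION: 2
'

# missing_indexes ATTR...: reads an @INDEXLIST dump on stdin and prints each
# ATTR that has no @IDXATTR line.  LDAP attribute names are case-insensitive,
# so the comparison is done in lower case.
missing_indexes() {
    indexed=$(sed -n 's/^@IDXATTR: *//p' | tr '[:upper:]' '[:lower:]')
    for attr in "$@"; do
        lc=$(printf '%s' "$attr" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$indexed" | grep -qx -- "$lc"; then
            printf '%s\n' "$attr"
        fi
    done
}

# searchflags_ldif SCHEMA_NC ATTR...: prints one LDIF modify per attribute
# that sets searchFlags to 1 (fATTINDEX).
# ASSUMPTION: the attribute's CN in the schema NC equals its lDAPDisplayName,
# as it does for the Kopano schema additions; confirm with ldbsearch first.
searchflags_ldif() {
    schema_nc=$1
    shift
    for attr in "$@"; do
        printf 'dn: CN=%s,%s\nchangetype: modify\nreplace: searchFlags\nsearchFlags: 1\n\n' \
            "$attr" "$schema_nc"
    done
}

# Sample selection of attributes an AD ldap.cfg filters and joins on.
WANTED="sAMAccountName objectClass mail memberOf kopanoAccount kopanoAliases kopanoQuotaOverride"

main() {
    # shellcheck disable=SC2086  # word splitting of WANTED/missing is intended
    missing=$(printf '%s' "$SAMPLE_INDEXLIST" | missing_indexes $WANTED)
    echo "not indexed: $(printf '%s' "$missing" | tr '\n' ' ')"
    # Apply the output with: ldbmodify -H /var/lib/samba/private/sam.ldb FILE.ldif
    searchflags_ldif 'CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld' $missing
}

main
```

Replace the embedded sample with the real `ldbsearch` output and the sample `WANTED` list with the attributes your own ldap.cfg uses; the LDIF goes through `ldbmodify` against `sam.ldb` on the DC (if Samba refuses a schema change, enable `dsdb:schema update allowed` as the post does and revert it afterwards). Take a backup before touching `sam.ldb`, as @fbartels already advised.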

  • hi @fbartels,
    I tried the db-to-ldap Perl script. But I always got the problem that the script will not match the user accounts of the LDAP server:

    what did I do:

    1. OpenLDAP installation on the Kopano server
    2. kopano.ldif integration
    3. created every account (uid) in LDAPAdmin.exe
    4. stopped kopano-server and modules
    5. created /etc/kopano/ldap.cfg
    6. installed all needed Perl modules
    7. changed the db-to-ldap script from zarafa to kopano
    8. perl db-to-ldap-plugin.pl

    Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 38.
    Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 30.
    Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
    Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
    here: line 30
    my $mesg = $ldap->search(filter => "($lo->{ldap_loginname_attribute}=$db_username)",
                             base   => "$lo->{ldap_search_base}",
                             attrs  => ["$lo->{ldap_loginname_attribute}", "$lo->{ldap_user_unique_attribute}"],
                             scope  => "sub");

    Found user 'admin' in database with user_id '3'
    Error updating admin. No entry found in ldap for ( = admin)

    LdapAdmin shows: uid=admin

    When I start Kopano with safe mode = yes, it is not possible for Kopano to list any user with the LDAP configuration.
    After safe mode = no the users are shown, but as new Kopano users without any DB data.

    How must a user be created in LDAP to use the db-to-ldap Perl script?
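A check worth running before the Perl script, added here as an example (not the poster's code and not part of Kopano's tooling). Perl's "uninitialized value" warnings together with the "( = admin)" in the error mean `$lo->{ldap_loginname_attribute}` was undef when line 30 ran, so the filter was built with an empty attribute name. One way that happens, stated here as an assumption about the setup rather than a diagnosis, is when a key is only present in a file pulled in through `!include` and the tool reads just `/etc/kopano/ldap.cfg`. The script below resolves a key through includes, reports it when it is undefined, and builds the line-30 filter with the username escaped per RFC 4515, since the original interpolates `$db_username` into the filter as-is. The config files are constructed samples written to a temp directory; the real `/etc/kopano/ldap.cfg` includes `/usr/share/kopano/ldap.openldap.cfg` by absolute path, and letting relative include paths resolve against the including file is this sample's convenience, not a Kopano rule.

```shell
#!/bin/sh
# Added example (not from the thread or from Kopano): resolve an ldap.cfg key
# through `!include` and build the filter db-to-ldap-plugin.pl forms on line 30.
# Sample files are constructed and written to a temp dir so this runs offline.

# cfg_get FILE KEY: print KEY's value.  Included files are read first, then
# FILE, so an assignment in FILE overrides the included defaults (this is how
# the sample resolver behaves; verify against your kopano-server version).
# Recursion runs in a subshell, so no variables leak between levels.
# ASSUMPTION: relative include paths resolve against FILE's directory.
cfg_get() {
    val=
    for inc in $(sed -n 's/^!include[[:space:]][[:space:]]*//p' "$1"); do
        case $inc in /*) ;; *) inc="$(dirname "$1")/$inc" ;; esac
        if [ -f "$inc" ]; then
            v=$(cfg_get "$inc" "$2")
            [ -n "$v" ] && val=$v
        fi
    done
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$v" ] && val=$v
    printf '%s\n' "$val"
}

# ldap_filter_escape STRING: RFC 4515 escaping of the characters that would
# otherwise change the filter's structure.  The Perl script interpolates
# $db_username unescaped; a name containing '*' or ')' becomes a different query.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# build_filter CFG USERNAME: the line-30 filter, with the attribute resolved
# through includes and the username escaped.  Fails loudly when the attribute
# is undefined instead of producing "(=USERNAME)".
build_filter() {
    attr=$(cfg_get "$1" ldap_loginname_attribute)
    if [ -z "$attr" ]; then
        echo "ldap_loginname_attribute is undefined in $1; the script would search '(=$2)'" >&2
        return 1
    fi
    printf '(%s=%s)\n' "$attr" "$(ldap_filter_escape "$2")"
}

# make_sample_cfg: writes constructed stand-ins for the two config files plus
# one with the include commented out (reproduces the empty-attribute case).
make_sample_cfg() {
    d=$(mktemp -d)
    cat > "$d/ldap.openldap.cfg" <<'EOF'
# constructed stand-in for /usr/share/kopano/ldap.openldap.cfg
ldap_user_unique_attribute = uidNumber
ldap_loginname_attribute = uid
ldap_user_search_filter = (objectClass=kopano-user)
EOF
    cat > "$d/ldap.cfg" <<'EOF'
# constructed stand-in for /etc/kopano/ldap.cfg
!include ldap.openldap.cfg
ldap_host = localhost
ldap_search_base = dc=example,dc=com
EOF
    cat > "$d/broken.cfg" <<'EOF'
#!include ldap.openldap.cfg
ldap_host = localhost
ldap_search_base = dc=example,dc=com
EOF
    printf '%s\n' "$d"
}

main() {
    d=$(make_sample_cfg)
    build_filter "$d/ldap.cfg" admin            # resolves through the include
    build_filter "$d/broken.cfg" admin || true  # reports the undefined key
    rm -rf "$d"
}

main
```

Point `build_filter` at the real `/etc/kopano/ldap.cfg` and a username from `kopano-admin -l`; if it reports the key as undefined, the Perl script will fail the same way, and if it prints a filter, feed that filter to `ldapsearch` with the `ldap_search_base` value to confirm the entry is actually found before running the migration.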

  • Kopano

    @kmeyer said in migration from db to openldap:

    How must a user be created in LDAP to use the db-to-ldap Perl script?

    I cannot say without doing some extended testing here. I recommend to get in touch with our support for this.

  • @fbartels, to change to LDAP there is another way:

    install OpenLDAP as the manual describes for Kopano (make backups, please)
    create the users in LDAP (now or maybe later)

    stop kopano-server

    change /kopano/server.cfg:
    user_plugin = ldap
    user_safe_mode = no

    start kopano-server

    now all the stores are unhooked.
    you get a list of stores with:
    kopano-admin --list-orphans
    (better to copy that information)

    now you can hook the stores to the new LDAP users:
    kopano-admin --hook-store [storeidofthelist] -u [usernameoftheldapuser]

    if the password is correct you should be able to log in to the WebApp.
    user quota, email addresses etc. and the permissions to other calendars etc.

    good luck XD
    Doing this is at your own risk; no support said it works.
    I'll do this on my server.
    If you try, be sure you made a backup!!!

  • Kopano

    yes, but this way you also lose some information around your users such as ACLs and opened stores. But if you don't want to reach out to our support, no one can force you.

  • good morning everyone,

    if the environment is big, hooking all stores to the right user is quite time consuming…
    for hooking multiple guessed stores to their users, I wrote a little script in the past:

    requirement: use an ldapsearch to get all users with the Kopano attribute and write just the username to a file.
    Now you should have a list with all users in LDAP which should use Kopano. I call it username.txt in /tmp/.

    kopano-admin --list-orphans | grep private > /tmp/stores.txt
    while read -r e; do
      echo "searching store for $e"
      # -w: match the guessed username as a whole word, not as part of another name
      userline=$(grep -w -- "$e" /tmp/stores.txt)
      if [ "x$userline" = "x" ]; then
        echo "user $e not found"
      else
        echo "user $e found"
        # first column of the list-orphans line is the store GUID; take the first match
        user_store=$(echo "$userline" | awk 'NR==1{print $1}')
        if [ "x$user_store" != "x" ]; then
          if kopano-admin --hook-store "$user_store" -u "$e"; then
            echo "successfully hooked $user_store to user:$e"
          else
            echo "ERROR $user_store not hooked to $e"
          fi
        fi
      fi
    done < /tmp/username.txt

    for testing, just change the 'kopano-admin --hook-store' command into 'echo "kopano-admin --hook-store […]"' and you will get the commands

