migration from db to openldap
-
Hi @fbartels,
thanks for your fast reply, I will try…
-
@kmeyer remember to always make a backup and test thoroughly.
-
Hi,
yes, you can run Kopano with a Samba4 AD DC; I have been running it for about a year now and it works fine.
I'm on Debian Stretch.
Make sure you use at least Samba 4.7.0+ (preferably 4.7.7) because of the multi-threaded LDAP support.
A few pointers: AD DC and mail on 2 servers, I've not tested this on a single server.
First apply the Kopano schema (on your DC with the FSMO roles), then check the indexing.
The path below is OK for Debian/Ubuntu:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
Go here:
https://exekias.me/2015/05/06/samba-indexes/ and apply the indexes for Kopano. So Samba 4.7+ and these indexes improve LDAP searches a lot.
-
@fbartels yes, my qemu does ;)
BR
-
@thctlo
very interesting! Do you have any more project documentation? Did you prepare LDAP like the Kopano LDAP documentation, or did you create the Kopano indexes by manual labor? Regards…
-
Hi @kmeyer
Yes, I have some Debian-based howtos on how I set up my AD DC and member servers.
You can find them here: https://github.com/thctlo/samba4/tree/master/howtos
Please note I use the AD backend. You might use RID.
This depends a bit on how you use Samba. See:
https://wiki.samba.org/index.php/Idmap_config_rid
https://wiki.samba.org/index.php/Idmap_config_ad
Just look at the advantages and disadvantages. Why I use AD: only for one thing.
See the AD advantage: IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost.
If you use Debian, then I really suggest you use my packages.
Found here: https://apt.van-belle.nl
I create these for the Samba community with some support from the Samba devs.
Use the 4.7.7 package; I really advise you to avoid Samba 4.8.0-4.8.1 for now. These are not stable and can create problems.
After the setup, for Kopano, just follow the documentation to install for AD.
Now apply the Kopano schema:
# source : https://stash.kopano.io/projects/KC/repos/kopano-ads-source/browse/samba/kopano-samba-ads
# In /etc/samba/smb.conf change/allow schema updates
sudo sed -i 's/sdb:schema update allowed = no/sdb:schema update allowed = yes/g' /etc/samba/smb.conf
sudo systemctl reload samba-ad-dc
# If you install the ldiff from the DC itself.
sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -v -H /var/lib/samba/private/sam.ldb -writechanges
# or if you do a remote install in ldap (AD).
#sudo bash kopano_schema_add.sh DC=INTERNAL,DC=DOMAIN,DC=TLD ./ldiff/ -H ldaps://hostname.your.domain.tld -UAdministrator%YourStrongPass -writechanges
# Wait^^ after it has finished, give AD time to sync if you have multiple DCs.
# revert the schema update allowed.
sudo sed -i 's/sdb:schema update allowed = yes/sdb:schema update allowed = no/g' /etc/samba/smb.conf
sudo systemctl reload samba-ad-dc
And now install the kopano-ads tool on the remote computer where you have the Windows Administration Tools installed.
The indexing you can do manually from RSAT (enable the advanced view first so you can modify directly).
The other way is to use ldbedit as shown on the website I posted before.
Just write a script for the ones you want to adjust and it's done in seconds. What I did was look up the indexes Kopano uses:
https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#ldap-indices
Check it after the schema change with:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST | egrep "cn|gidNumber|mail|memberUid|objectClass|ou|sn|uid|kopano"
And the ones I missed, for these I use ldbedit and set the searchFlags from 0 to 1.
If you need more info, PM me, no problem.
-
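The egrep in the post above only shows which of the wanted attributes appear somewhere in the @INDEXLIST dump; it does not tell you which ones are still missing. The script below is an added example (mine, not from the thread and not Kopano's or Samba's code) that diffs the required list against the dump and prints exactly the attributes still to be set via ldbedit. The @INDEXLIST output is constructed inline in the `@IDXATTR: <attribute>` layout ldbsearch prints; the kopano* attribute names in the required list are my assumption, adjust them to what your schema actually ships.

```shell
#!/bin/sh
# Added example (not from the thread, not Kopano/Samba code): report which of the
# attributes Kopano wants indexed are missing from Samba's @INDEXLIST record.
# On a DC you would feed in the real output of:
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST

# Attributes from the ldap-indices section linked in the thread; the kopano*
# names are assumed here, check them against your kopano schema.
REQUIRED_INDEXES="cn gidNumber mail memberUid objectClass ou sn uid kopanoAccount kopanoAliases"

# indexed_attrs: print the attribute names from an @INDEXLIST dump on stdin, one per line.
indexed_attrs() {
    sed -n 's/^@IDXATTR: *//p'
}

# missing_indexes: given the dump on stdin, print the required attributes that are not indexed.
missing_indexes() {
    have=$(indexed_attrs)
    for attr in $REQUIRED_INDEXES; do
        # whole-line match, so "cn" does not count as present because of "cnSomething"
        if ! printf '%s\n' "$have" | grep -qx "$attr"; then
            printf '%s\n' "$attr"
        fi
    done
}

# Constructed sample dump: a DC where ou, sn and kopanoAliases were not indexed yet.
SAMPLE_INDEXLIST='# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: gidNumber
@IDXATTR: mail
@IDXATTR: memberUid
@IDXATTR: objectClass
@IDXATTR: uid
@IDXATTR: kopanoAccount
@IDXATTR: sAMAccountName
@IDXVERSION: 2
'

# check_sample: run the check against the constructed dump.
check_sample() {
    printf '%s' "$SAMPLE_INDEXLIST" | missing_indexes
}

check_sample
```

Every attribute the script prints is one to open with ldbedit and give a searchFlags of 1, as the post describes; run the check again afterwards and expect no output.
-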
hi, @fbartels
I tried the db-to-ldap perl script. But I always got the problem that the script will not match the user accounts of the LDAP server.
What did I do:
- openldap installation on the Kopano server
- kopano.ldif integration
- created every account (uid) in LDAPAdmin.exe
- stopped kopano-server and modules
- created /etc/kopano/ldap.cfg
- installed all needed perl modules
- changed the db-to-ldap script from zarafa to kopano
- perl db-to-ldap-plugin.pl
…
Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 38.
Use of uninitialized value in concatenation (.) or string at db-to-ldap-plugin.pl line 30.
Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
Use of uninitialized value in string at db-to-ldap-plugin.pl line 30.
here: line 30
my $mesg = $ldap->search(filter => "($lo->{ldap_loginname_attribute}=$db_username)",
                         base   => "$lo->{ldap_search_base}",
                         attrs  => ["$lo->{ldap_loginname_attribute}", "$lo->{ldap_user_unique_attribute}"],
                         scope  => "sub");
Found user 'admin' in database with user_id '3'
Error updating admin. No entry found in ldap for ( = admin)
LdapAdmin shows: uid=admin
tested:
when I start Kopano with safe mode=yes, it is not possible for Kopano to list any user with the LDAP configuration.
after safe-mode=no the users are shown, but as new Kopano users without any db data.
How must a user be created in LDAP to use the db-to-ldap perl script?
-
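The filter in the error message, `( = admin)`, is what line 30 of the perl script produces when `$lo->{ldap_loginname_attribute}` is undefined: the attribute name interpolates to nothing, and the search can never match. The script below is an added example (mine, not the thread's perl script and not Kopano code) of the two checks worth having around that line: read the settings from a Kopano-style `ldap.cfg` and refuse to build a filter when the attribute is unset, and escape the username per RFC 4515 before interpolating it, since the perl line puts `$db_username` into the filter verbatim. The config text is a constructed sample with `ldap_loginname_attribute` deliberately missing.

```shell
#!/bin/sh
# Added example (not the thread's perl script, not Kopano code): build the user lookup
# filter the way db-to-ldap-plugin.pl line 30 does, but fail when the attribute key is
# unset and escape the username instead of interpolating it raw.

# Constructed sample of /etc/kopano/ldap.cfg; ldap_loginname_attribute is missing,
# which reproduces the "( = admin)" filter from the post above.
SAMPLE_CFG='# Kopano ldap.cfg (constructed sample)
ldap_search_base = dc=example,dc=com
ldap_user_unique_attribute = entryUUID
ldap_user_search_filter = (objectClass=kopano-user)
'

# The same config with the missing key added, for the good case.
GOOD_CFG="$SAMPLE_CFG
ldap_loginname_attribute = uid"

# cfg_get CONFIG_TEXT KEY: print the value of "KEY = value"; comments and blank lines never match.
cfg_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# ldap_escape VALUE: RFC 4515 escaping of the characters that change filter structure.
# Backslash first, otherwise the escapes introduced afterwards would be escaped again.
ldap_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# user_filter CONFIG_TEXT USERNAME: print "(attr=user)", or return 1 when the attribute is not configured.
user_filter() {
    attr=$(cfg_get "$1" ldap_loginname_attribute)
    if [ -z "$attr" ]; then
        echo "ldap_loginname_attribute is not set in ldap.cfg; refusing to search for ( = $2)" >&2
        return 1
    fi
    printf '(%s=%s)\n' "$attr" "$(ldap_escape "$2")"
}

user_filter "$SAMPLE_CFG" admin || echo "no filter built, fix ldap.cfg first" >&2
user_filter "$GOOD_CFG" admin
```

With the key present the filter comes out as `(uid=admin)`; a database username such as `ad*)(uid=*` becomes `(uid=ad\2a\29\28uid=\2a)` rather than a second filter clause.
-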
@kmeyer said in migration from db to openldap:
How must a user be createt in LDAP to use the db-to-ldap perl script?
I cannot say without doing some extended testing here. I recommend getting in touch with our support for this.
-
@fbartels, to change to LDAP there is another way:
install OpenLDAP as the manual describes for Kopano (make backups, please)
create the users in LDAP (now or maybe later)
stop kopano-server
change /kopano/server.cfg:
user_plugin = ldap
user_safe_mode = no
start kopano-server
now all the stores are unhooked.
you get a list of stores with:
kopano-admin --list-orphans
(better to copy that information)
now you can hook the stores to the new LDAP users:
kopano-admin --hook-store [storeidofthelist] -u [usernameoftheldapuser]
if the password is correct you should be able to log in to the webapp.
check:
user quota, email addresses etc. and the permissions to other calendars etc. good luck XD
Doing this is at your own risk; no support said it works.
I'll do this on my server.
If you try, be sure you did a backup!!!
-
yes, but this way you also lose some information around your users such as ACLs and opened stores. But if you don't want to reach out to our support, no one can force you.
-
good morning everyone,
if the environment is big, hooking all stores to the right user is quite time consuming…
For hooking multiple guessed stores to the user, I wrote a little script in the past:
Requirement: use an ldapsearch to get all users with the kopano attribute and write just the username to a file.
Now you should have a list with all users in LDAP which should use Kopano. I call it username.txt in /tmp/.
kopano-admin --list-orphans | grep private > /tmp/stores.txt
for e in $(cat /tmp/username.txt); do
    userline=""
    user_store=""
    echo "searching store for $e"
    # match the guessed username as a whole word, so "bob" does not also pick up "bobby"
    userline=$(grep -w "$e" /tmp/stores.txt)
    if [ "x$userline" = "x" ]; then
        echo "user $e not found"
        continue
    else
        echo "user $e found"
        user_store=$(echo $userline | awk -F" " '{print $1}')
        if [ "x$user_store" != "x" ]; then
            kopano-admin --hook-store $user_store -u $e
            if [ $? = 0 ]; then
                echo "successfully hooked $user_store to user:$e"
            else
                echo "ERROR $user_store not hooked to $e"
            fi
        fi
    fi
done
for testing, just change the 'kopano-admin --hook-store' command into 'echo "kopano-admin --hook-store […]"' and you will get the commands
regards
coffee_is_life
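Both the manual hooking steps a few posts up and the loop above assume each LDAP user matches exactly one orphaned store. The added example below (mine, not from the thread and not Kopano code) builds the plan first and prints it, so that the three cases a grep loop gets wrong are visible before any `--hook-store` runs: a user with no orphan store, a user with several guessed stores (for example an old and a new one), and a username that is a prefix of another. The orphan listing is constructed; I assume the column layout the loop above relies on (store GUID first, guessed username second, store type last), so check it against your real `kopano-admin --list-orphans` output before using the parsing on a live server.

```shell
#!/bin/sh
# Added example (not from the thread, not Kopano code): dry-run plan for hooking
# orphaned stores to LDAP users, with exact username matching and ambiguity checks.
# Constructed sample in the assumed layout of:
#   kopano-admin --list-orphans | grep private
SAMPLE_STORES='0A1B2C3D4E5F60718293A4B5C6D7E8F9  bob     2018-05-01  12.4 MB  private
1B2C3D4E5F60718293A4B5C6D7E8F90A  bobby   2018-04-20   3.1 MB  private
2C3D4E5F60718293A4B5C6D7E8F90A1B  alice   2018-05-02  40.0 MB  private
3D4E5F60718293A4B5C6D7E8F90A1B2C  alice   2017-01-09   0.2 MB  private'

# Constructed username list, as produced from ldapsearch in the post above.
SAMPLE_USERS='alice
bob
carol'

# stores_for USERNAME: print the GUIDs whose guessed username equals USERNAME exactly
# (field comparison, so "bob" does not match "bobby").
stores_for() {
    printf '%s\n' "$SAMPLE_STORES" | awk -v u="$1" '$2 == u { print $1 }'
}

# hook_plan: one line per LDAP user:
#   HOOK <guid> <user>        exactly one store, safe to hook
#   MISSING <user>            no orphan store guessed for this user
#   AMBIGUOUS <user> <guids>  several stores, decide by hand (last login, size)
hook_plan() {
    printf '%s\n' "$SAMPLE_USERS" | while read -r user; do
        [ -n "$user" ] || continue
        guids=$(stores_for "$user")
        count=$(printf '%s\n' "$guids" | awk 'NF { n++ } END { print n + 0 }')
        case "$count" in
            0) printf 'MISSING %s\n' "$user" ;;
            1) printf 'HOOK %s %s\n' "$guids" "$user" ;;
            *) printf 'AMBIGUOUS %s %s\n' "$user" "$(printf '%s' "$guids" | tr '\n' ' ')" ;;
        esac
    done
}

# hook_commands: the kopano-admin calls for the unambiguous cases only; printed, not executed.
hook_commands() {
    hook_plan | awk '$1 == "HOOK" { printf "kopano-admin --hook-store %s -u %s\n", $2, $3 }'
}

hook_plan
hook_commands
```

Pipe `hook_commands` into `sh` only once the MISSING and AMBIGUOUS lines have been resolved by hand; an ambiguous user hooked to the wrong store is exactly the kind of mistake the backup warnings in this thread are about.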