ShanxT-LDAP-CheatSheet

From Zimbra :: Wiki

Jump to: navigation, search

Contents


Setting the ldap variables

The variables used by LDAP can be set by running:

su - zimbra
source ~/bin/zmshutil
zmsetvars

This will set the values for variables like '$ldap_master_url', '$zimbra_ldap_password', etc.

Alternatively, they can be taken from localconfig.xml as well. To do so, either run:

zmlocalconfig -s | grep 'ldap_' | egrep 'password|url'

Or directly open '/opt/zimbra/conf/localconfig.xml', and take the values from there.


Parsing through ldap

Basic search:

ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password

Specifying the 'people' ou as the search base. 'dc=example' and 'dc=com' will have to be replaced with your domain

ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -LLL -b 'ou=people,dc=example,dc=com'

Alternatively, using search filters, and also showing all accounts of the object class 'zimbraAccount'

ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -LLL '(&(objectClass=zimbraAccount)(ou:dn:=people))'

Using search base and showing the uid for admin accounts:

ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -b 'ou=people,dc=example,dc=com' -LLL '(&(uid=*)(zimbraIsAdminAccount=TRUE))' uid

Listing out all the servers:

ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -b 'cn=servers,cn=zimbra' 

Example using localconfig keys:

ldapsearch -x -D `zmlocalconfig -m nokey -s zimbra_ldap_userdn` -w `zmlocalconfig -m nokey -s zimbra_ldap_password` -h `hostname -f`

Searching against an AD server:

ldapsearch -H ldap://ad.example.net:3268  -D admin -x -w pass -b "ou=users,dc=example,dc=net"

Quick Debug info

ldapsearch -x -h 2d.snx -v -d 7


Modifying ldap

ldapmodify -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password

The cursor will move to the next line, wherein you can enter the modification you wish to make. Make sure to press 'Ctrl+D' after the modifications are over.

Example - To change uid:

ldapmodify -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
dn: uid=old_user_uid,dc=domain
changetype: modrdn
newrdn: uid=new_user_uid
deleteoldrdn: 1

(Press Ctrl+D)


Deleting an ldap entry

ldapdelete -v -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password "uid=testtest,ou=people,dc=example,dc=shanx"


Find an account based on an ldap attribute - zimbra sa

We can use this to get the accounts containing a particular attribute. Say if we have the ZimbraID, and would like to know which account it belongs to:

zmprov sa zimbraId=bd400158-aa2e-4c10-8ea7-95be59564b47

'-v' will show all the details of those accounts. This is exactly like the output we get by running 'zmprov -l ga <email address>', only this time the lookup is based on any LDAP attribute.

For example, to get all the details of all the accounts on a particular mail host:

zmprov sa -v "zimbraMailHost=8b.snx"

Checking Passwords

This is to check if the passwords stored in localconfig.xml are correct. Get the password and check with the following commands.

The results of the following should simply return the DN of the authenticated user. An 'Invalid Credentials' error message would show something is wrong.

Checking Zimbra Password. This should match the 'zimbra_ldap_password' in localconfig.xml:

ldapwhoami -ZZZ -x -h `zmhostname` -D "uid=zimbra,cn=admins,cn=zimbra" -W

OR

ldapwhoami  -x -h `zmhostname` -D "uid=zimbra,cn=admins,cn=zimbra" -W

The use of '-ZZZ' depends on your TLS settings.


Checking LDAP root password. This should match the 'zimbra_ldap_password' entry:

ldapwhoami -x -h `zmhostname` -D "cn=config" -W

If the passwords need to be changed, see this article: ShanxT-LDAP-Auth-Failed

Encoding of entries

Entries are base64 encoded if they are passwords, or if a person's name or entry contains special characters, like the umlaut. To decode, simply run:

echo 'e1NTSEF9Nmc4WDVsR3F6Snl3T21NMTU3NlB2WE4xMFV1L2hTSzU=' | base64 -d

The above is a password, so the output would be:

{SSHA}6g8X5lGqzJywOmM1576PvXN10Uu/hSK5

This shows the password is a salted SHA password.


To encode:

echo 'ThisIsMyPassword' | base64
Verified Against: Zimbra Collaboration Suite 7,8 Date Created: 06/12/2013
Article ID: http://wiki.zimbra.com/index.php?title=ShanxT-LDAP-CheatSheet Date Modified: 02/27/2014
Personal tools