Ajcody-LDAP-Topics
Revision as of 21:14, 21 January 2009
This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.
LDAP Topics
Actual LDAP Topics Homepage
Please see Ajcody-LDAP-Topics
Working With ldap Commands - The Easy Way
Tired of typing long ldap strings on the CLI for ldapmodify, ldapsearch and ldapdelete? Source Zimbra's shell helper and load its variables:
  zimbra$ source ~/bin/zmshutil
  zimbra$ zmsetvars
You can now use this string syntax to make things a little easier:
  ldapCOMMAND -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password ACTION
Note that -w puts the bind password on the command line, where any local user can read it from the process list (ps). For anything beyond a quick one-off, prefer -W (prompt for it) or -y FILE with a mode-0600 file holding the password.
Searching For Account In LDAP
To ldapsearch for an account and see whether there are any related entries in ldap:
  su - zimbra
  source ~/bin/zmshutil
  zmsetvars
  ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password "mail=USER@DOMAIN.com"
To just dump the whole directory (to grep through, and so forth), drop the filter:
  su - zimbra
  source ~/bin/zmshutil
  zmsetvars
  ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
Deleting An Account In LDAP
Via zmprov
- Caution - this should normally only be done under guidance or request by support.
This deletes the account entry from ldap only, not from the db (mysql). The mail store and index data are also left in place:
zmprov -l da <USER@DOMAIN.com>
Via ldapdelete
- Caution - this should normally only be done under guidance or request by support.
One way: look up the account's DN, then delete that DN.
  su - zimbra
  source ~/bin/zmshutil
  zmsetvars
  ldapsearch -LLL -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password "mail=ajcody@zimbra.DOMAIN.com" dn
The search prints the entry's DN:
  dn: uid=ajcody,ou=people,dc=zimbra,dc=DOMAIN,dc=com
Then delete it. Check that the search returned exactly one dn line before you run this; -r also removes any entries beneath that DN:
  ldapdelete -r -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password uid=ajcody,ou=people,dc=zimbra,dc=DOMAIN,dc=com
Once done, you should be able to create the account again with 'zmprov ca'.
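As an added example (my own code, not from this wiki page or from Zimbra), here is a small wrapper that packages the string syntax above, plus a guarded version of the search-then-delete sequence. It assumes the variables zmsetvars exports (ldap_master_url, zimbra_ldap_userdn, zimbra_ldap_password) and that the bundled OpenLDAP client tools accept -y FILE, which OpenLDAP 2.3 and later do; the function names and the ZLDAP_DRYRUN switch are mine.

```shell
#!/bin/sh
# Added example (not code from the wiki page or from Zimbra). A wrapper for
# the ldap* client tools using the variables zmsetvars exports, plus a guarded
# account delete. Assumes the bundled OpenLDAP tools accept -y FILE (2.3+).

# Run an ldap* tool against the master. The bind password goes in a 0600 temp
# file read with -y rather than on the command line with -w, where every local
# user can see it in `ps`. ZLDAP_DRYRUN=1 prints the command instead.
zldap() {
  cmd=$1; shift
  case $cmd in
    ldapsearch|ldapadd|ldapmodify|ldapdelete) ;;
    *) echo "zldap: refusing to run '$cmd'" >&2; return 2 ;;
  esac
  for v in ldap_master_url zimbra_ldap_userdn zimbra_ldap_password; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "zldap: $v is empty; run zmsetvars first" >&2; return 1; }
  done
  if [ "${ZLDAP_DRYRUN:-0}" = 1 ]; then
    echo "$cmd -x -H $ldap_master_url -D $zimbra_ldap_userdn -y <pwfile> $*"
    return 0
  fi
  pwfile=$(mktemp) || return 1
  chmod 600 "$pwfile"
  printf '%s' "$zimbra_ldap_password" > "$pwfile"
  "$cmd" -x -H "$ldap_master_url" -D "$zimbra_ldap_userdn" -y "$pwfile" "$@"
  rc=$?
  rm -f "$pwfile"
  return $rc
}

# Escape a value for use inside an LDAP search filter (RFC 4515), so a mail
# address containing * ( ) or \ cannot widen or break the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the DN of every entry in LDIF read from stdin. Unfolds continuation
# lines (leading space) and decodes base64 "dn::" values, both of which a
# plain grep for "dn:" gets wrong.
ldif_dns() {
  awk '
    function emit() { if (buf ~ /^dn::? /) print buf; buf = "" }
    /^ /  { buf = buf substr($0, 2); next }
          { emit(); buf = $0 }
    END   { emit() }
  ' | while IFS= read -r line; do
    case $line in
      "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
      "dn: "*)  printf '%s\n' "${line#dn: }" ;;
    esac
  done
}

# Delete the account entry for one address, but only when exactly one
# zimbraAccount entry matches: zero means nothing to do, more than one means
# the filter matched something unexpected and a human should look first.
# No -r: an account entry has no children, so nothing beneath it should go.
delete_account_entry() {
  mail=$1
  filter="(&(objectClass=zimbraAccount)(mail=$(ldap_filter_escape "$mail")))"
  out=$(zldap ldapsearch -LLL "$filter" dn) || return 1
  dns=$(printf '%s\n' "$out" | ldif_dns)
  n=$(printf '%s\n' "$dns" | grep -c '^.' || true)
  case $n in
    1) zldap ldapdelete "$dns" ;;
    0) echo "no zimbraAccount entry has mail=$mail" >&2; return 3 ;;
    *) echo "refusing to delete: $n entries match mail=$mail" >&2
       printf '%s\n' "$dns" >&2; return 4 ;;
  esac
}
```

Run delete_account_entry ajcody@zimbra.DOMAIN.com as zimbra after zmsetvars; set ZLDAP_DRYRUN=1 first to see the commands it would issue. The objectClass=zimbraAccount clause keeps the filter from matching a non-account entry (a distribution list, for instance) that carries the same mail value.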
db_recover For OpenLdap DB In /opt/zimbra/openldap-data
- Caution - this should normally only be done under guidance or request by support.
This will cause an impact to your user base, since we'll be stopping the ldap service.
  su - zimbra
  cd /opt/zimbra/openldap-data
  ls -la
  **Notice the __db.00# files**
  ldap stop
  /opt/zimbra/sleepycat/bin/db_recover
  ls -la
  **Notice the __db.00# files are gone**
  ldap start
db_recover For OpenLdap Accesslog DB In /opt/zimbra/openldap-data/accesslog/db
- Caution - this should normally only be done under guidance or request by support.
This will cause an impact to your user base, since we'll be stopping the ldap service.
Use this for replication issues: the accesslog database is the change log the replicas pull from.
  su - zimbra
  cd /opt/zimbra/openldap-data/accesslog/db
  ls -la
  **Notice the __db.00# files**
  ldap stop
  /opt/zimbra/sleepycat/bin/db_recover
  **Move the *.bdb files to a temporary directory**
  cd ../logs
  **Move all files here to a temporary directory**
  ls -la
  **Notice the __db.00# files are gone**
  ldap start
Re-indexing Openldap
- Caution - this should normally only be done under guidance or request by support.
This will cause an impact to your user base, since we'll be stopping the ldap service.
  su - zimbra
  cd /opt/zimbra/openldap-data
  ldap stop
  /opt/zimbra/openldap/sbin/slapindex -f /opt/zimbra/conf/slapd.conf
  ldap start
Run slapindex as the zimbra user (as above), never as root: index files created as root leave slapd, which runs as zimbra, unable to open its database.
Change LDAP Port On Zimbra
It is recommended that no other LDAP service run on the ZCS host besides Zimbra's. But if you find the need to change the port, here are the steps.
You can move ldap from the default port (389) to port 390 as follows (change LDAPHOSTNAME.com to your server name):
  zmlocalconfig -e ldap_port=390
  zmlocalconfig -e ldap_master_url=ldap://LDAPHOSTNAME.com:390
  zmlocalconfig -e ldap_url=ldap://LDAPHOSTNAME.com:390
Note you need to do all three of these or things will break. Once you've run those commands, you will need to restart ZCS:
  zmcontrol stop
  zmcontrol start
Once this is completed, Zimbra will run with LDAP on port 390 rather than port 389 (the default). If you'd like to use a port other than 390, substitute that port for 390 and use the same process.
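Added example (my own, not from the wiki page or from Zimbra) that does the three zmlocalconfig edits together, validating the port and rewriting every URL in each value, so it also works where ldap_url lists several servers, as it does once replicas exist. It assumes zmlocalconfig -m nokey KEY prints the bare value; the function names and the DRYRUN switch are mine. IPv6 address literals are not handled.

```shell
#!/bin/sh
# Added example (not from the wiki page or Zimbra): change the LDAP port by
# rewriting ldap_port, ldap_master_url and ldap_url together, as the page
# says all three must change. Every URL in a value is rewritten, so this also
# works for a multi-URL ldap_url. Assumes `zmlocalconfig -m nokey KEY` prints
# the bare value. IPv6 address literals are not handled.

# Print URL list $1 with the port of every ldap:// or ldaps:// URL set to $2.
ldap_urls_with_port() {
  out=
  for u in $1; do
    scheme=${u%%://*}
    hostport=${u#*://}
    host=${hostport%%:*}
    out="$out $scheme://$host:$2"
  done
  printf '%s\n' "${out# }"
}

# True for a decimal TCP port in 1..65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# DRYRUN=1 prints each command instead of executing it.
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

change_ldap_port() {
  port=$1
  valid_port "$port" || { echo "change_ldap_port: invalid port '$port'" >&2; return 2; }
  master=$(zmlocalconfig -m nokey ldap_master_url) || return 1
  urls=$(zmlocalconfig -m nokey ldap_url) || return 1
  run zmlocalconfig -e "ldap_port=$port"
  run zmlocalconfig -e "ldap_master_url=$(ldap_urls_with_port "$master" "$port")"
  run zmlocalconfig -e "ldap_url=$(ldap_urls_with_port "$urls" "$port")"
  # the new port is only picked up by a full restart
  run zmcontrol stop
  run zmcontrol start
}

# usage (as the zimbra user):  DRYRUN=1 change_ldap_port 390   # preview
#                              change_ldap_port 390            # apply
```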
Can't Setup/Install LDAP Replica
Please see bug against documentation:
- "Update ch5 multi-server replication instructions"
- http://bugzilla.zimbra.com/show_bug.cgi?id=26117
- Updates from the bug seem to be mostly going into the Multi-Server documentation.
Checking /tmp/zmsetup.log will expose errors in the installation configuration. For example (others are listed in my notes farther down):
  Thu Aug 21 16:00:12 2008 *** Running as zimbra user: /opt/zimbra/bin/zmlicense -c
  Error: exception occurred: system failure: ZimbraLdapContext
and, when running 'zmcontrol start':
  [zimbra@mail1b ~]$ zmcontrol start
  Host mail1b.DOMAINNAME
  Unable to determine enabled services from ldap.
  Unable to determine enabled services. Cache is out of date or doesn't exist.
Make sure you are using the right passwords. If the ldap replica can't authenticate to the master LDAP server it will not be able to pull down the ldap configurations it needs - one of which is the license data.
My Notes From The Case That I Made For Bug 26117
Summary
Action Items:
- Update doc's to reflect ldap repli password setting during install (all ref docs miss this step)
- If this is done during install, no other action is needed except logger and sshkeys (zmupdateauthkeys)
- Update doc's to reflect recovery steps on an improper install for ldap replication server
- Make comments consistent. See LDAP wiki page
- Update installer to require an ldap replication password rather than defaulting to a randomly generated one.
References:
- "Update ch5 multi-server replication instructions"
- Main LDAP Wiki Page
- http://www.zimbra.com/docs/os/latest/multi_server_install/LDAP%20Replication.6.1.html
- http://www.zimbra.com/elqNow/elqRedir.htm?ref=http://files.zimbra.com/website/docs/Zimbra%20NE%20Multi-Server%20Install.pdf
The LDAP Replication document has some comments that aren't in other places:
- Set the master LDAP password to the correct value (run zmlocalconfig -s ldap_root_password on the master to determine this value)
- Note: In order to install an LDAP replica server with no MBS (Mailbox Server), set zimbra_zmprov_default_to_ldap to true, using the following command:
zmlocalconfig -e zimbra_zmprov_default_to_ldap=true.
- If you later add an MBS to your LDAP replica server, set zimbra_zmprov_default_to_ldap to false.
- After the installation is complete, run /opt/zimbra/libexec/zmldapenablereplica on the replica server. This will enable replication in the LDAP server and will force an LDAP restart to begin pulling data from the master. zmldapenablereplica must be run on both the master and replica for LDAP replication to work.
The Work
Reproduced on ZCS 5.0.2, OS Red Hat.
Current Servers For Test:
- Setup LDAP MAIN server - zldap1 (ldap only configured server)
- setting passwords to "PASSWORD"
- Mailstore server - zmail2 (mailstore only config)
- MTA server - zmta1 (mta only config)
- Post install
- enable logger
- enable ssh keys
- run zmupdateauthkeys on servers
- created two test accounts and confirmed email delivery between the two.
- On LDAP MAIN (zldap1)- zmldapenablereplica
Install LDAP repli - zldap3
- The docs show only to set:
  - ldap master host
  - master ldap server password
  - Create Domain: no
- They fail to include:
  - Replication Password (part of "Ldap configuration")
- If this is not set, the install will finish but you get these errors:
  [zimbra@zldap3 ~]$ zmcontrol status
  Cannot determine services - exiting
  zldap3.DOMAIN.com...ERROR: service.FAILURE (system failure: getDirectContext)
  (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
To Correct Without Reinstalling
If this has happened and you want to correct it without a reinstall, do the following (adjust the hostnames for LDAP MAIN and LDAP REPLICA):
- confirm ssh keys are updated
- run zmupdateauthkeys on all servers
- confirm current settings on LDAP MAIN
- zmlocalconfig -s | grep replication
- grep credentials /opt/zimbra/conf/slapd.conf
- confirm current settings on LDAP REPLI
- grep credentials /opt/zimbra/conf/slapd.conf
- zmlocalconfig -s | grep replication
- Now reconfigure on LDAP REPLI:
  zmldappasswd -l [passwd from ldap main slapd.conf]
  - This does not itself update slapd.conf; it stores the replication password in the replica's localconfig.
  - Then run /opt/zimbra/libexec/zmldapenablereplica; you'll see that it rewrites slapd.conf.
  - There might be one auth error until slapd.conf is reconfigured: zmprov gacf will fail with auth errors.
- Confirm again settings on LDAP REPLI
- grep credentials /opt/zimbra/conf/slapd.conf
- zmlocalconfig -s | grep replication
- zmlocalconfig | grep ldap_url
- Should have repli first and ldap main second
- Now to confirm it worked
- zmcontrol stop
- zmcontrol start
- zmcontrol status
- Create a test account on LDAP MAIN (example uses test3)
- On LDAP REPLI - replace hostname and test account below
ldapsearch -x -H ldap://LDAPREPLICA.DOMAIN.com:389 | grep test3
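Added example (my own, not the page's or Zimbra's) that automates the confirmation step: count the entries for the test account on the master and on the replica and poll until they agree, because syncrepl applies changes asynchronously and a single grep run right after creating the account can miss it. It uses the same anonymous search over port 389 the page uses; the LDAPSEARCH variable, the host names and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page or Zimbra): poll a replica until it
# shows the entry just created on the master. LDAPSEARCH can be pointed at
# another binary (or a shell function) for testing.
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}

# Number of entries on host $1 whose mail attribute equals $2, via the same
# anonymous search on 389 the page uses. A search error also yields 0, so the
# caller treats 0 as "not there yet", never as proof the entry is gone.
# $2 is assumed to be a plain address; escape it per RFC 4515 if untrusted.
count_mail_entries() {
  host=$1 mail=$2
  "$LDAPSEARCH" -x -H "ldap://$host:389" -LLL "(mail=$mail)" dn 2>/dev/null \
    | grep -c '^dn:' || true
}

# Wait up to $3 seconds for replica $2 to hold as many entries for mail=$4 as
# master $1. Returns 0 when they agree, 1 on timeout, 2 if the master itself
# has nothing to replicate (wrong address, or the account was never created).
wait_for_replica() {
  master=$1 replica=$2 timeout=$3 mail=$4
  want=$(count_mail_entries "$master" "$mail")
  if [ "$want" -eq 0 ]; then
    echo "master $master has no entry for $mail; nothing to check" >&2
    return 2
  fi
  t=0 got=0
  while [ "$t" -lt "$timeout" ]; do
    got=$(count_mail_entries "$replica" "$mail")
    [ "$got" -eq "$want" ] && return 0
    sleep 1
    t=$((t + 1))
  done
  echo "replica $replica shows $got of $want entries for $mail after ${timeout}s" >&2
  return 1
}

# usage: wait_for_replica LDAPMAIN.DOMAIN.com LDAPREPLICA.DOMAIN.com 30 test3@DOMAIN.com
```

A non-zero exit after the timeout is the signal to go back and recheck the replication password and the credentials line in slapd.conf, as in the steps above.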
Disable LDAP Replica
References:
http://wiki.zimbra.com/index.php?title=Promoting_Replica_to_LDAP_Master
http://www.zimbra.com/docs/os/latest/multi_server_install/LDAP%20Replication.6.1.html
Remove LDAP Replica From All Active Servers
On each member server, including the replica itself, verify the ldap_url value.
zmlocalconfig ldap_url
Modify the ldap_url to only include enabled ZCS LDAP servers. The master LDAP server should always be at the end of the ldap_url string value.
zmlocalconfig -e ldap_url="ldap://<replica-server-host> ldap://<master-server-host>"
Disable LDAP On The Replica
Stop Zimbra services.
zmcontrol stop
Remove ldap from this host's enabled services. The - in front of zimbraServiceEnabled removes the value (off), rather than a + which adds it (on):
zmprov -l ms `zmhostname` -zimbraServiceEnabled ldap
To enable the ldap service, prefix the zimbraServiceEnabled attribute with a "+".
zmprov -l ms `zmhostname` +zimbraServiceEnabled ldap
If other services are enabled on this host, start them.
zmcontrol start
Additional Steps for MTA hosts
After updating the ldap_url with zmlocalconfig, rerun /opt/zimbra/libexec/zmmtainit. This rewrites the Postfix configuration with the updated ldap_url.
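Added example (my own, not from the wiki page or from Zimbra) for the member-server side of this procedure: it drops the replica from ldap_url, refuses to apply a list that no longer ends with the master, applies the new value, and reruns zmmtainit only on hosts whose zimbraServiceEnabled includes mta. It assumes zmlocalconfig -m nokey KEY prints the bare value and that zmprov -l gs HOST zimbraServiceEnabled prints one "zimbraServiceEnabled: NAME" line per service; the function names and the DRYRUN switch are mine.

```shell
#!/bin/sh
# Added example (not from the wiki page or Zimbra): the member-server side of
# removing a replica. Drops the replica from ldap_url, enforces the rule that
# the master is last, applies the new value and re-runs zmmtainit where this
# host is an MTA. Assumes `zmlocalconfig -m nokey KEY` prints the bare value
# and `zmprov -l gs HOST zimbraServiceEnabled` prints one
# "zimbraServiceEnabled: NAME" line per service. DRYRUN=1 prints commands.

run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
zhost() { zmhostname 2>/dev/null || hostname; }

# URL list $1 without every URL whose host part is $2.
ldap_url_without_host() {
  out=
  for u in $1; do
    hostport=${u#*://}
    [ "${hostport%%:*}" = "$2" ] || out="$out $u"
  done
  printf '%s\n' "${out# }"
}

# Succeeds only if the last URL in list $1 points at host $2.
ldap_url_master_last() {
  last=
  for u in $1; do last=$u; done
  hostport=${last#*://}
  [ "${hostport%%:*}" = "$2" ]
}

# $1: current ldap_url value, $2: replica host to drop, $3: master host.
remove_replica_from_ldap_url() {
  current=$1 replica=$2 master=$3
  new=$(ldap_url_without_host "$current" "$replica")
  if [ -z "$new" ]; then
    echo "refusing: removing $replica would leave ldap_url empty" >&2
    return 2
  fi
  if ! ldap_url_master_last "$new" "$master"; then
    echo "refusing: master $master is not last in '$new'" >&2
    return 3
  fi
  run zmlocalconfig -e "ldap_url=$new"
  # Postfix keeps its own copy of the LDAP server list; rebuild it on MTA hosts
  if zmprov -l gs "$(zhost)" zimbraServiceEnabled 2>/dev/null \
       | grep -qx 'zimbraServiceEnabled: mta'; then
    run /opt/zimbra/libexec/zmmtainit
  fi
}

# On the replica itself: stop, drop ldap from its enabled services, restart.
disable_ldap_on_replica() {
  run zmcontrol stop
  run zmprov -l ms "$(zhost)" -zimbraServiceEnabled ldap
  run zmcontrol start
}

# usage on each member server, as zimbra:
#   remove_replica_from_ldap_url "$(zmlocalconfig -m nokey ldap_url)" \
#       replica-server-host master-server-host
```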
Disabling Replication On The Master
Use only if disabling replication entirely across all nodes.
Edit /opt/zimbra/conf/slapd.conf.in (the template slapd.conf is generated from, which is why the template is edited rather than slapd.conf itself) adding the following comments. Please use the precise number of hash marks (#) shown.
change
  include /opt/zimbra/conf/master-accesslog.conf
to
  ###include /opt/zimbra/conf/master-accesslog.conf
change
  overlay syncprov
  syncprov-checkpoint 20 10
  syncprov-sessionlog 500
  include /opt/zimbra/conf/master-accesslog-overlay.conf
to
  #overlay syncprov
  #syncprov-checkpoint 20 10
  #syncprov-sessionlog 500
  ###include /opt/zimbra/conf/master-accesslog-overlay.conf
Restart the master LDAP server
ldap stop; ldap start
BDB - Underlying Database Used For LDAP Data
BDB is the underlying high-performance transactional database used to store the LDAP data.
See:
- Performance_Tuning_Guidelines_for_Large_Deployments
- Performance_Tuning_Guidelines_for_Large_Deployments#Configuring_the_BDB_subsystem_to_increase_LDAP_server_performance
db_stat
db_stat -c prints the lock subsystem statistics. Compare each "Maximum ... at any one time" line against the matching "Maximum ... possible" line: if locks, lockers or lock objects ever hit the configured maximum, slapd starts failing with lock-table errors and the limits (set_lk_max_locks, set_lk_max_lockers, set_lk_max_objects in DB_CONFIG) need raising, which is what the tuning guide above covers. In the sample below there is ample headroom (73 of 3000 locks, 68 of 1500 lockers, 50 of 1500 objects).
  [zimbra@mail3 openldap-data]$ db_stat -c -h /opt/zimbra/openldap-data
  462       Last allocated locker ID.
  2147M     Current maximum unused locker ID.
  9         Number of lock modes.
  3000      Maximum number of locks possible.
  1500      Maximum number of lockers possible.
  1500      Maximum number of lock objects possible.
  19        Number of current locks.
  73        Maximum number of locks at any one time.
  62        Number of current lockers.
  68        Maximum number of lockers at any one time.
  19        Number of current lock objects.
  50        Maximum number of lock objects at any one time.
  1784391   Total number of locks requested.
  1784372   Total number of locks released.
  0         Total number of lock requests failing because DB_LOCK_NOWAIT was set.
  8         Total number of locks not immediately available due to conflicts.
  0         Number of deadlocks.
  0         Lock timeout value.
  0         Number of locks that have timed out.
  0         Transaction timeout value.
  0         Number of transactions that have timed out.
  968KB     The size of the lock region.
  6         The number of region locks granted after waiting.
  3543865   The number of region locks granted without waiting.
db_archive
The db_archive utility writes the pathnames of log files that are no longer in use (for example, no longer involved in active transactions), to the standard output, one pathname per line. These log files should be written to backup media to provide for recovery in the case of catastrophic failure (which also requires a snapshot of the database files), but they may then be deleted from the system to reclaim disk space.
db_checkpoint
db_checkpoint writes a checkpoint for a BDB environment, flushing dirty pages to the database files so that recovery only has to replay the log from that point. Run it with -1 to checkpoint once and exit (without -1 it keeps running as a daemon), and with -h to name the environment directory.
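Added example (my own code, not from the wiki page, from Zimbra or from Berkeley DB) tying the three utilities together into the backup-then-prune routine the db_archive description implies: checkpoint, copy the database files, copy all log files, and only then delete the logs BDB reports as no longer needed. The Sleepycat tool path and the function names are assumptions; the flags used (db_checkpoint -1, db_archive -s, -l, -a, -d and -h) are the standard ones.

```shell
#!/bin/sh
# Added example (not from the page, Zimbra or Berkeley DB): back up the BDB
# environment behind OpenLDAP with the Sleepycat tools the page names, then
# prune the log files db_archive reports as no longer in use. The ordering is
# what makes the copy recoverable: database files first, then ALL log files.
BDB_BIN=${BDB_BIN:-/opt/zimbra/sleepycat/bin}   # assumed Zimbra location

# Log files that no transaction still needs (absolute paths); safe to delete
# once they are on backup media.
bdb_unused_logs() {
  "$BDB_BIN/db_archive" -a -h "$1"
}

# Copy the environment at $1 into $2, then remove the unused logs from $1.
bdb_backup() {
  home=$1 dest=$2
  [ -d "$home" ] || { echo "bdb_backup: no such environment: $home" >&2; return 1; }
  mkdir -p "$dest" || return 1
  # 1. flush dirty pages and write a checkpoint record (-1: checkpoint once)
  "$BDB_BIN/db_checkpoint" -1 -h "$home" || return 1
  # 2. database files (-s) first
  "$BDB_BIN/db_archive" -s -a -h "$home" | while IFS= read -r f; do
    cp -p "$f" "$dest/" || exit 1
  done || return 1
  # 3. every log file (-l), including those still in use; copied after the
  #    database files so db_recover can roll the copy forward consistently
  "$BDB_BIN/db_archive" -l -a -h "$home" | while IFS= read -r f; do
    cp -p "$f" "$dest/" || exit 1
  done || return 1
  # 4. only now delete (-d) the logs no longer involved in any transaction
  "$BDB_BIN/db_archive" -d -h "$home"
}

# usage (as zimbra): bdb_backup /opt/zimbra/openldap-data /backup/ldap-$(date +%F)
```

The copy in the destination directory is what the db_recover sections above would be run against to bring a restored environment back to a consistent state.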