Ajcody-LDAP-Topics

Revision as of 22:01, 16 November 2008 by Ajcody (talk | contribs) (New page: {{NotOfficial}} ===LDAP Topics=== ====Actual LDAP Topics Homepage==== Please see Ajcody-LDAP-Topics ====Working With ldap Commands - The Easy Way==== Tired of working with long ld...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Template:NotOfficial

LDAP Topics

Actual LDAP Topics Homepage

Please see Ajcody-LDAP-Topics

Working With ldap Commands - The Easy Way

Tired of working with long ldap strings on the CLI with ldapmodify, ldapsearch, ldapdelete.

zimbra$ source ~/bin/zmshutil 
zimbra$ zmsetvars 

You can now use this string syntax to make things a little easier.

ldapCOMMAND -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password ACTION

Change LDAP Port On Zimbra

It is recommend that there is no other LDAP service running on the ZCS besides Zimbra's. But if you find the need to change it, here's the steps.

You can modify the default [389] port ldap uses to port 390 by doing the following [change LDAPHOSTNAME.com to your server name]:

zmlocalconfig -e ldap_port=390
zmlocalconfig -e ldap_master_url=ldap://LDAPHOSTNAME.com:390
zmlocalconfig -e ldap_url=ldap://LDAPHOSTNAME.com:390

Note you need to do all three of these or things will break. Once you've run those commands, you will need to restart ZCS:

zmcontrol stop
zmcontrol start

Once this is completed, Zimbra will run with LDAP on port 390 rather than port 389 (the default). If you'd like to use a port other than 390, substitute that port for 390 and use the same process.

Can't Setup/Install LDAP Replica

Please see bug against documentation:

Checking /tmp/zmsetup.log will expose errors with installation configuration, for example below, others are listed in my notes farther down:

: Thu Aug 21 16:00:12 2008 *** Running as zimbra user: /opt/zimbra/bin/zmlicense -c
Error: exception occurred: system failure: ZimbraLdapContext
 when running 'zmcontrol start':
[zimbra@mail1b ~]$ zmcontrol start
Host mail1b.DOMAINNAME
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.

Make sure you are using the right passwords. If the ldap replica can't authenticate to the master LDAP server it will not be able to pull down the ldap configurations it needs - one of which is the license data.

My Notes From The Case That I Made For Bug 26117
Summary

Action Items:

  • Update doc's to reflect ldap repli password setting during install (all ref docs miss this step)
    • If this is done during install, no other action is needed except logger and sshkeys (zmupdateauthkeys)
  • Update doc's to reflect recovery steps on an improper install for ldap replication server
  • Make comments consistent. See LDAP wiki page
  • Update installer to require ldap repli password rather default to random set

password.

References:

LDAP replication has some comments that aren't in other places

  • Set the master LDAP password to the correct value (run zmlocalconfig -s ldap_root_password on the master to determine this value)
  • Note: In order to install an LDAP replica server with no MBS (Mailbox Server), set zimbra_zmprov_default_to_ldap to true, using the following command:
    • zmlocalconfig -e zimbra_zmprov_default_to_ldap=true.
    • If you later add an MBS to your LDAP replica server, set zimbra_zmprov_default_to_ldap to false.
  • After the installation is complete, run /opt/zimbra/libexec/zmldapenablereplica on the replica server. This will enable replication in the LDAP server and will force an LDAP restart to begin pulling data from the master. zmldapenablereplica must be run on both the master and replica for LDAP replication to work.
The Work

Duplicated on ZCS 5.0.2 - OS Redhat.

Current Servers For Test:

  • Setup LDAP MAIN server - zldap1 (ldap only configured server)
    • setting passwords to "PASSWORD"
  • Mailstore server - zmail2 (mailstore only config)
  • MTA server - zmta1 (mta only config)
  • Post install
    • enable logger
    • enable ssh keys
      • run zmupdateauthkeys on servers
    • created two test accounts and confirmed email delivery between the two.
    • On LDAP MAIN (zldap1)- zmldapenablereplica

Install LDAP repli - zldap3

  • Doc show only to set
    • ldap master host
    • Master ldap server password
    • Create Domain to no
  • It fails to include
    • Replication Password (part of "Ldap configuration")
      • If this is not done, install will finish but you get these errors.
[zimbra@zldap3 ~]$ zmcontrol status
Cannot determine services - exiting
zldap3.DOMAIN.com...ERROR: service.FAILURE (system failure: getDirectContext)
(cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
To Correct Without Reinstalling

If this has happened and you want to correct without a reinstall. Do the following, please adjust for HOSTNAMES for LDAP MAIN and LDAP REPLICA.

  • confirm ssh keys are updated
run zmupdateauthkeys on all servers
  • confirm current settings on LDAP MAIN
zmlocalconfig -s | grep replication
grep credentials /opt/zimbra/conf/slapd.conf
  • confirm current settings on LDAP REPLI
grep credentials /opt/zimbra/conf/slapd.conf
zmlocalconfig -s | grep replication
  • Now reconfigure on LDAP REPLI
zmldappasswd -l [passwd from ldap main slapd.conf]
    • This does not dynamically update the slapd.conf variable, it puts it in the zmconfig file /opt/zimbra/libexec/zmldapenablereplica
    • You'll see that it updates the slapd.conf
    • There might be one auth error, until the slapd.conf is reconfigured.
    • zmprov gacf will fail with auth errors
  • Confirm again settings on LDAP REPLI
grep credentials /opt/zimbra/conf/slapd.conf
zmlocalconfig -s | grep replication
zmlocalconfig | grep ldap_url
    • Should have repli first and ldap main second
  • Now to confirm it worked
zmcontrol stop
zmcontrol start
zmcontrol status
    • Create a test account on LDAP MAIN (example uses test3)
    • On LDAP REPLI - replace hostname and test account below
      • ldapsearch -x -H ldap://LDAPREPLICA.DOMAIN.com:389 | grep test3

Disable LDAP Replica

References:

http://wiki.zimbra.com/index.php?title=Promoting_Replica_to_LDAP_Master

http://www.zimbra.com/docs/os/latest/multi_server_install/LDAP%20Replication.6.1.html

Remove LDAP Replica From All Active Servers

On each member server, including the replica itself, verify the ldap_url value.

zmlocalconfig ldap_url

Modify the ldap_url to only include enabled ZCS LDAP servers. The master LDAP server should always be at the end of the ldap_url string value.

zmlocalconfig -e ldap_url="ldap://<replica-server-host> ldap://<master-server-host>"
Disable LDAP On The Replica

Stop Zimbra services.

zmcontrol stop

The - in front of zimbraServiceEnabled is [off], rather than a + for [on].

zmprov -l ms `zmhostname` -zimbraServiceEnabled ldap

To enable the ldap service, prefix the zimbraServiceEnabled attribute with a "+".

zmprov -l ms `zmhostname` +zimbraServiceEnabled ldap

If other services are enabled on this host, start them.

zmcontrol start
Additional Steps for MTA hosts

After updating the ldap_url with zmlocalconfig, rerun /opt/zimbra/libexec/zmmtainit. This rewrites the Postfix configuration with the updated ldap_url.

Disabling Replication On The Master

Use only if disabling replication entirely across all nodes.

Edit /opt/zimbra/conf/slapd.conf.in adding the following comments. Please use the precise number of hash marks (#) shown.

change

include /opt/zimbra/conf/master-accesslog.conf

to

###include /opt/zimbra/conf/master-accesslog.conf

change

overlay syncprov
syncprov-checkpoint 20 10
syncprov-sessionlog 500
include /opt/zimbra/conf/master-accesslog-overlay.conf

to

#overlay syncprov
#syncprov-checkpoint 20 10
#syncprov-sessionlog 500
###include /opt/zimbra/conf/master-accesslog-overlay.conf

Restart the master LDAP server

ldap stop; ldap start
Jump to: navigation, search