LDAP: Difference between revisions
Line 95: | Line 95: | ||
== Provisioning users in [[LDAP]] == | == Provisioning users in [[LDAP]] == | ||
The basic form for this is: | |||
[[zmprov]] ca ''username@domain'' ''password'' | |||
Additional attributes can be specified on the same command: | |||
[[zmprov]] ca ''username@domain'' ''password'' ''attribute'' ''value'' ''attribute'' ''value'' | |||
For creation of a single user, the [[admin console]] is the preferred method. If you need to bulk provision users, during initial installation, it can be easier to create a script. | |||
EXAMPLE - creating several users at once: | |||
Create a file containing all of the [[zmprov]] commands that you wish to run: | |||
ca user1 user1pass | |||
ca user2 user2pass | |||
ca user3 user3pass | |||
ca adminuser adminuserpass zimbraIsAdminAccount TRUE | |||
ca user4 user4pass zimbraMailAlias user_4 zimbraMailAlias user_four zimbraMailAlias user.four | |||
ca nopassuser '' | |||
Save this file (eg, ''usercreate.txt'' ). Then, run [[zmprov]], redirecting standard input from this file: | |||
zmprov < usercreate.txt | |||
With this method, it's relatively straightforward to dump an existing ldap directory into a text file, format it for zmprov, and bulk-provision the users in the ZCS [[LDAP]] instance. | |||
If you are using [[LDAP#External auth|external LDAP authentication]] you can create the users with no local password by supplying the empty string "" after the username | |||
== [[LDAP]] replication == | == [[LDAP]] replication == |
Revision as of 21:17, 5 March 2006
LDAP Overview
LDAP uses in ZCS
LDAP is used in ZCS to store data for
Additionally, information relating to:
Most of this data can be viewed and configured via the Admin Console or with zmprov.
LDAP in the system architecture
In every ZCS installation, there will be one and only one Master LDAP server. This server is authoritative for user information, server configuration, etc.
Additionally, one or more Replicas may be defined, to improve performance and reduce the load on the Master.
During installation in a multi-server environment, the LDAP server must be the first installed and configured, and must be running during any subsequent installations. The LDAP server must also be the first started in a multi-server environment.
LDAP troubleshooting
Installation Problems
LDAP initialization generally fails due to the following
- Failure to start the LDAP server
- Failure to resolve the LDAP server
- Failure to connect to the LDAP server
Startup failures
The startup of the LDAP server during installation happens when the initialization script calls the ldap start script.
If this startup fails, all further initialization fails.
Detecting startup failure
After the initialization script exits (successfully or otherwise) slapd should be running. To verify that the slapd process is running:
ps auxww | grep zimbra | grep slapd Should return a line containing: /opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldaps:// ldap://:389/ -f /opt/zimbra/conf/slapd.conf
If there is no output, LDAP is not starting. See the next section
If this line is present, verify that the zimbra system is detecting it (run as the zimbra user):
ldap status
A return of:
slapd running pid: 7568 (your PID will vary)
is successful.
If you get no such response from the ldap status command, it's likely that the running slapd process is hanging around from a previous installation. To kill it manually:
killall -TERM slapd ps auxww | grep zimbra | grep slapd
If the process is still there, determine it's PID (second column in the ps output) and
kill -9 PID
After cleaning up old LDAP processes, you should re-attempt the initialization by re-running zmsetup.pl
Correcting startup failure
If the previous section indicates that ldap is not starting at all, attempt ldap startup manually (as the zimbra user);
sh -x bin/ldap start
output from this should indicate the source of the problem
LDAP and DNS
LDAP uses DNS to resolve the ldap host, even if it's localhost
To verify that you're able to resolve the ldap host:
- host ldap-hostname
Make sure you understand DNS.
Failure to Connect
To detect connection failure (using the hostname configured for the ldap server):
telnet ldap hostname 389
If this times out, or the connection is refused, there could be several causes.
If resolution succeeds, the initialization may fail because the LDAP server failed to start
Firewall problems
If the server is running a local firewall, make sure it's allowing port 389 connections.
If the ldap hostname resolves to a public IP on an external firewall, make sure that firewall is allowing connections through on port 389.
Integration with external LDAP servers
External Authentication
External GAL
Connecting to an external LDAP server with SSL
Provisioning users in LDAP
The basic form for this is:
zmprov ca username@domain password
Additional attributes can be specified on the same command:
zmprov ca username@domain password attribute value attribute value
For creation of a single user, the admin console is the preferred method. If you need to bulk provision users, during initial installation, it can be easier to create a script.
EXAMPLE - creating several users at once:
Create a file containing all of the zmprov commands that you wish to run:
ca user1 user1pass ca user2 user2pass ca user3 user3pass ca adminuser adminuserpass zimbraIsAdminAccount TRUE ca user4 user4pass zimbraMailAlias user_4 zimbraMailAlias user_four zimbraMailAlias user.four ca nopassuser
Save this file (eg, usercreate.txt ). Then, run zmprov, redirecting standard input from this file:
zmprov < usercreate.txt
With this method, it's relatively straightforward to dump an existing ldap directory into a text file, format it for zmprov, and bulk-provision the users in the ZCS LDAP instance.
If you are using external LDAP authentication you can create the users with no local password by supplying the empty string "" after the username