LDAP: Difference between revisions

 
(67 intermediate revisions by 21 users not shown)
Line 1: Line 1:
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=LDAP=
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
{{WIP}}
== [[LDAP]] Overview ==
== [[LDAP]] Overview ==
=== [[LDAP]] uses in ZCS ===
=== [[LDAP]] uses in ZCS ===
[[LDAP]] is used in [[ZCS]] to store data for
[[LDAP]] is used in ZCS to store data for


* [[Global configuration]]
* Global configuration
* [[User|USER]] and [[Authentication]]
* USER and Authentication
* [[Server|SERVER]]
* SERVER
* [[Domain|DOMAIN]]
* DOMAIN
* [[COS]]
* COS


Additionally, information relating to:
Additionally, information relating to:
* External [[LDAP Authentication]]
* External [[LDAP Authentication]]
* [[External GAL]]
* External GAL


Most of this data can be viewed and configured via the [[Admin Console]] or with [[zmprov]].
Most of this data can be viewed and configured via the [[:Category:Administration|Admin Console]] or with [[zmprov]].


=== [[LDAP]] in the system architecture ===
=== [[LDAP]] in the system architecture ===
Line 21: Line 27:


During installation in a multi-server environment, the [[LDAP]] server must be the first installed and configured, and must be running during any subsequent installations.  The [[LDAP]] server must also be the first started in a multi-server environment.
During installation in a multi-server environment, the [[LDAP]] server must be the first installed and configured, and must be running during any subsequent installations.  The [[LDAP]] server must also be the first started in a multi-server environment.


== [[LDAP]] troubleshooting ==
== [[LDAP]] troubleshooting ==


==="no objectClass attribute" and "index_param failed" warnings in zimbra.log===
You may see lines like below in /var/log/zimbra.log. Lines are informational, reporting that certain attributes are not indexed. This is not a problem. This logging has been removed for ZCS 4.5.7 and later.
Aug 29 19:07:22 host slapd[30824]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
Aug 29 19:07:22 host slapd[30824]: <= bdb_equality_candidates: (zimbraDomainType) index_param failed (18)
=== Installation Problems ===
If you're seeing '''ERROR: service.FAILURE (system failure: getDirectContext) (cause: javax.naming.CommunicationException localhost.localdomain:389)''' on installation, you're in the right place.
If you're seeing '''ERROR: service.FAILURE (system failure: getDirectContext) (cause: javax.naming.CommunicationException localhost.localdomain:389)''' on installation, you're in the right place.


=== Installation Problems ===


[[LDAP]] initialization generally fails due to the following
[[LDAP]] initialization generally fails due to the following
Line 387: Line 58:


==== Detecting startup failure ====
==== Detecting startup failure ====
After the initialization script exits (successfully or otherwise) [[slapd]] should be running.  To verify that the [[slapd]] process is running:
After the initialization script exits (successfully or otherwise) slapd should be running.  To verify that the slapd process is running:


   <tt>ps auxww | grep zimbra | grep slapd</tt>
   <tt>ps auxww | grep zimbra | grep slapd</tt>
Line 402: Line 73:
is successful.
is successful.


If you get no such response from the <tt>ldap status</tt> command, it's likely that the running [[slapd]] process is hanging around from a previous installation.  To kill it manually:
If you get no such response from the <tt>ldap status</tt> command, it's likely that the running slapd process is hanging around from a previous installation.  To kill it manually:


   <tt>killall -TERM slapd</tt>
   <tt>killall -TERM slapd</tt>
Line 409: Line 80:
   <tt>kill -9 ''PID''</tt>
   <tt>kill -9 ''PID''</tt>


After cleaning up old [[LDAP]] processes, you should re-attempt the initialization by re-running [[zmsetup.pl]]
After cleaning up old [[LDAP]] processes, you should re-attempt the initialization by re-running zmsetup.pl.


==== Ubuntu 6.10 LDAP Startup Solution ====
==== Ubuntu 6.10 LDAP Startup Solution ====
Line 467: Line 138:
== Integration with external [[LDAP]] servers ==
== Integration with external [[LDAP]] servers ==
=== External Authentication ===
=== External Authentication ===
Please see [[King0770-Notes#External_Authentication_with_LDAP]] for information on this.
=== External GAL ===
=== External GAL ===
== Connecting to an external LDAP server with SSL ==
== Connecting to an External LDAP Server with SSL ==
 
If the external LDAP server has a self-signed certificate, you will need to add the cert to the Zimbra keystore(s). Use the following command (substitute your chosen alias and the path to your cert file; all on one line):


If the external ldap server has a self-signed certificate, you will need to add the cert to the zimbra tomcat keystore(s). Use the following command (substitute your chosen alias and the path to your cert file; all on one line):
<pre>
sudo /opt/zimbra/java/bin/keytool -import \
  -alias EXTERNAL-LDAP \
  -keystore /opt/zimbra/java/jre/lib/security/cacerts \
  -storepass changeit \
  -file EXTERNAL-LDAP-CERT-FILE
</pre>


<tt>
After adding the cert to the keystore, you'll need to restart Tomcat.  As the zimbra user, do this:
:keytool -import -alias EXTERNAL-LDAP -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file EXTERNAL-LDAP-CERT-FILE
<pre>
</tt>
tomcat stop && tomcat start
</pre>


Make sure that you have selected SSL when configuring use of the external ldap server in the admin console. You can verify on the command line that this returns an "ldaps" url:
Make sure that you have selected SSL when configuring use of the external ldap server in the admin console. You can verify on the command line that this returns an "ldaps" url:
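Review bot: The keytool step imports the external server's self-signed cert into the JVM-wide trust store (/opt/zimbra/java/jre/lib/security/cacerts) with no check that the file is the certificate the admin expects. Add a line before the import telling the reader to confirm the cert's fingerprint out of band, for example by comparing the output of keytool -printcert -file EXTERNAL-LDAP-CERT-FILE with what the LDAP server's owner reports. It is also worth stating that an entry in cacerts is a trust anchor for the JVM's default TLS validation, so the import affects every outbound TLS connection that process makes, not only the external LDAP bind.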
Line 487: Line 170:


You just have to clean the resulting file a bit...
You just have to clean the resulting file a bit...
===Find out if your external auth cert had expired===
If your users cannot access their accounts from the web-client, check to see if the external authentication server's ssl cert expired.<br>
If the external authentication's ssl cert expired, you may see errors in the /opt/zimbra/log/mailbox.log file.
<tt>
'''Caused by: javax.naming.CommunicationException: simple bind failed: 192.168.2.15:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]'''
</tt>
To check to see the the external authentication's ssl cert expired, run the following commands:
<code><pre>
openssl s_client -connect EXTERNAL-LDAP:636 > EXTERNAL-LDAP-CERT-FILE.crt
openssl x509 -in EXTERNAL-LDAP-CERT-FILE.crt -noout -text
</pre></code>
Near the top of the output, you should see Validity dates.<br>
Example:<br>
Not Before: Apr 23 13:54:47 2008 GMT<br>
Not After : Apr 23 13:54:47 2009 GMT<br>
Tip: For a short-term workaround, set localconfig key '''''ssl_allow_untrusted_certs''''' to ''true'' from ''false''.
<pre>zmlocalconfig -e ssl_allow_untrusted_certs=true</pre>


== Provisioning users in [[LDAP]] ==
== Provisioning users in [[LDAP]] ==
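Review bot: The tip that closes the new expiry section sets ssl_allow_untrusted_certs to true and calls it a short-term workaround, but never tells the reader to set it back. With untrusted certs allowed, the simple bind shown in the mailbox.log error no longer verifies which server it is talking to, so say that in the tip and add the revert, zmlocalconfig -e ssl_allow_untrusted_certs=false, to run once the external server's cert has been renewed. Two smaller points in the same section: openssl s_client as written stays connected waiting on stdin, so redirect its input from /dev/null; and the heading and lead-in carry typos ("had expired", "the the").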
Line 495: Line 203:
   [[zmprov]] ca ''username@domain'' ''password'' ''attribute'' ''value'' ''attribute'' ''value''
   [[zmprov]] ca ''username@domain'' ''password'' ''attribute'' ''value'' ''attribute'' ''value''


For creation of a single user, the [[admin console]] is the preferred method.  If you need to bulk provision users, during initial installation, it can be easier to create a script.
For creation of a single user, the admin console is the preferred method.  If you need to bulk provision users, during initial installation, it can be easier to create a script.


EXAMPLE - creating several users at once:
EXAMPLE - creating several users at once:
Line 519: Line 227:
=== Installation ===
=== Installation ===
Your [[LDAP]] Master server (machine 1) should be installed using normal ZCS installation options. The replica will be installed on a separate server (machine 2).
Your [[LDAP]] Master server (machine 1) should be installed using normal ZCS installation options. The replica will be installed on a separate server (machine 2).
=== Replica Configuration ===
After the master server is up, enable replication on the '''master''' with the command <tt>/opt/zimbra/libexec/zmldapenablereplica</tt>
===Install Replica Server===


To install the replica server:
To install the replica server:
* Make sure the master is up and running before you apply the configuration to machine 2 and complete the installation.  
* Make sure the master is up and running before you apply the configuration to machine 2 and complete the installation.  
* Use standard install.sh options, including the zimbra-ldap server.
* Use standard install.sh options, including the zimbra-ldap server.
* Set the zimbra-ldap server to DISABLED. This is very important, as if you leave it set to Enabled, it will just create a new directory server and you'll have two separate mail systems.
* Set the master [[LDAP]] server for machine 2 to be machine 1.
* Set the master [[LDAP]] server for machine 2 to be machine 1.
* Set the master [[LDAP]] password to the correct value (run zmlocalconfig -s ldap_root_password on the master to determine this value)
* Set the [[LDAP]]root password to the correct value (run zmlocalconfig -s ldap_root_password on the master to determine this value)
* Set the [[LDAP]] replication password to the correct value (run zmlocalconfig -s ldap_replication_password on the master to determine this value)
* Installation will complete as normal, and both servers will have their ZCS servers up, except for slapd on machine 2.
* Installation will complete as normal, and both servers will have their ZCS servers up, except for slapd on machine 2.
'''''Note:''' In order to install an LDAP replica server with no MBS (Mailbox Server), set '''zimbra_zmprov_default_to_ldap''' to '''true''', using the following command: '''zmlocalconfig -e zimbra_zmprov_default_to_ldap=true'''. If you later add an MBS to your LDAP replica server, set '''zimbra_zmprov_default_to_ldap''' to '''false.'''''


If you want to install an [[LDAP]] replica on a previously existing Zimbra server, you will need to use install.sh to install zimbra-ldap on the server.  When install.sh asks if you wish to perform an upgrade, select Yes, then select Yes when it asks to install zimbra-ldap.  The rest of the install will be similar to installing a disabled [[LDAP]] server on a new box.
If you want to install an [[LDAP]] replica on a previously existing Zimbra server, you will need to use install.sh to install zimbra-ldap on the server.  When install.sh asks if you wish to perform an upgrade, select Yes, then select Yes when it asks to install zimbra-ldap.  The rest of the install will be similar to installing a disabled [[LDAP]] server on a new box.
=== Replica Configuration ===
After the servers are up, you need to set up a few things before
the replica can be brought up.
* Enable replication on the '''master''' with the command <tt>/opt/zimbra/libexec/zmldapenablereplica</tt>
* Run <tt>/opt/zimbra/libexec/zmldapenablereplica</tt> on the '''replica'''. This will set up the replication account in the directory and will make a copy of the '''master''' on the '''replica'''. This should run cleanly.
* You may have to run zmcreatecert on machine 2 to create the conf/slapd.crt file. Just run it with no command line options.  If this file is not present, slapd will not start.


When this is complete, you're done. You can test the replica by creating a few accounts
When this is complete, you're done. You can test the replica by creating a few accounts
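Review bot: the bullet "Set the zimbra-ldap server to DISABLED" is dropped from the install steps, but the paragraph kept below the list still ends with "similar to installing a disabled [[LDAP]] server on a new box", which now points at a step the page no longer describes. Either keep a sentence saying how zimbra-ldap should be set on machine 2 or reword that paragraph. The same edit removes the instruction to run zmldapenablereplica on the replica and leaves only the master-side command, so state whether the replica-side run is still needed; "[[LDAP]]root password" is also missing a space.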
Line 542: Line 249:
immediately with an [[LDAP]] search run against machine 2.
immediately with an [[LDAP]] search run against machine 2.


Increasing the [[LDAP]] logging level from 0 to 1 on the replica will allow you to see replication activity as wellTo enable, run:
[[LDAP]] logging will appear in /var/log/zimbra.logIt is recommended this setting be enabled only for testing and troubleshooting.
[[zmlocalconfig]] -e ldap_log_level=1
ldap stop; ldap start


[[LDAP]] logging will appear in /var/log/zimbra.log. It is recommended this setting be enabled only for testing and troubleshooting.
===Running LDAP replica===
Any services running on the '''replica''' server itself will automatically query the '''replica''' first.)
 
The order for the <tt>ldap_url</tt> key on the hosts using the '''replica''' should be '''replicas''' first, with the '''master''' listed last.  The '''master''' must always be included!
 
== Promoting LDAP Replica to be LDAP Master ==
To see instructions for promoting a replica to LDAP master, go to [[Promoting_Replica_to_LDAP_Master]].  This procedure shows how to move the [[LDAP]] Master from one host to another.  This is not recommended for use by those without at least some LDAP expertise.
 
 
== LDAP Logs ==
For /var/log/zimbra.log
 
===Change Levels===
There are two methods.<br>
 
1)<br>
 
<code><pre>
 
zmlocalconfig -e ldap_log_level=256
 
ldap stop
 
ldap start
 
</pre></code>
 
2)<br>
 
<code><pre>
**this method does not require ldap stop/start**
 
ldapmodify -x -h <host> -D "cn=config" -W <hit enter>
<enter ldap_root_password>
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 256 **if you want to disable ldap log, type in 'none'**
<enter> <enter>
 
</pre></code>
 
 
 
=== Levels ===
<pre>
Default: 32768 (OR 0x8000 OR none) would just log critical stuff
 
zmlocalconfig -e ldap_log_level=32768
zmcontrol stop/start
 
Note that in ZCS 6+ ldap_log_level has been replaced by ldap_common_loglevel.
 
We tried 16640 = stats + sync for a few releases and found it overhwelming - but it's good for debug.
 
LDAP
Master: 32768 none (critical only)
Replicas: 49152 = none + sync = 32768 + 16384 (no stats but syncrepl entries
are logged)
 
For instance to set that replica value it would be:
zmlocalconfig -e ldap_log_level=49152
OR
zmlocalconfig -e ldap_log_level="none sync"
 
You can define it several ways (single interger in decimal or hexadecimal, or keywords) and then you can combine them - for instance these are equivalent:
loglevel 129
loglevel 0x81
loglevel 128 1
loglevel 0x80 0x1
loglevel acl trace
 
hexadecimal <> decimal conversion tool
 
The keyword any can be used as a shortcut to enable logging at all levels (equivalent to -1).
 
The keyword none, or the equivalent integer representation (32768 or 0x800), causes those messages that are always logged regardless of the configured loglevel to be output (specified & critical stuff). In fact, if no loglevel (or a 0 level) is defined, no logging occurs, so at least the none level is required to have high priority messages logged.


=== Using the Replica ===
In short, 32768 (OR 0x8000 OR none) = only messages that get logged whatever log level is set, thus you get critical stuff.
To use the '''replica''' [[LDAP]] server after you've tested it, you now need to update the ldap_url value on the Zimbra servers you wish to have query the '''replica''' instead of the '''master'''. (Any services running on the '''replica''' server itself will automatically query the '''replica''' first.)
</pre>


Use the ldap_url value set on the replica server as a template value (zmlocalconfig ldap_url). For each server you want to change:
== ZCS 6.0+ ==
* Stop the zimbra services on that server
<pre>
* Update the ldap_url value (zmlocalconfig -e ldap_url="url url url") (quotes needed because of the space)
When the GnR ZCS 6.0 release comes out, our entire OL setup has changed with our move to OpenLDAP 2.4.
* Then start the services again


The order for the <tt>ldap_url</tt> key on the hosts using the '''replica''' should be '''replicas''' first, with the '''master''' listed last.  The '''master''' must always be included!


== Moving an [[LDAP]] Master ==
OpenLDAP DB is now in /opt/zimbra/data/ldap/{config,hdb,accesslog}/
This procedure shows how to move the [[LDAP]] Master from one host to another.  This is not recommended for use by those without at least some LDAP expertise, and could result in trouble for your system.  It should be performed only if it is necessary to move the Master [[LDAP]] server from its current server to another.


To move the master [[LDAP]] directory:
We've moved to using the cn=config backend rather than text files for configuration. This means that any changes made to the configuration
* Create a replica on the machine that will become the new master using the instructions from [[LDAP#LDAP replication|LDAP Replication]].
database are preserved across restarts and upgrades. As a part of this, I've made it so many more portions of the OL configuration can be
* Start services on all servers and ensure that the replica is picking up [[LDAP]] updates from the master.
controlled (See bug#20972).  This means that sites will no longer have to modify slapd.conf by hand every release for changes they want to see
* If everything is running correctly, shut down all servers again.
persist. In particular, note that ldap_log_level is no longer an LC key, it has been replaced by ldap_common_loglevel.
* On the new [[LDAP]] master, make a backup copy of $ZIMBRA_HOME/conf/slapd.conf.in.  Remove the replication-related lines at the end of the file.  This will be everything below TLSCACertificateFile /opt/zimbra/conf/ca/ca.pem.
* Edit zmlocalconfig on all hosts so that ldap_master_url and ldap_url now point to the new directory master.
* Edit zmlocalconfig on the new directory master so that ldap_is_master is set to true.
* Edit zmlocalconfig on the old directory master so that ldap_is_master is set to false.
* Start up services on all servers, starting with the new directory master.


At this point, services should be up and running on all hosts, and they should all be working off the new [[LDAP]] master.  The old [[LDAP]] master can be disabled, or it can be converted into a replica by shutting it down, removing the contents of its openldap-data directory, and running zmldapenablereplica.
Modfications to the ldap_{commmon,db,accesslog,overlay}_* LC keys are monitored by zmmtaconfig, and will push the those changes to the LDAP
server within 2 minutes or less.  This means easy on-the-fly loglevel changes, for example.  A few options (ldap_common_require_tls) currently
require a restart to take effect, but may not in the future.  Some (ldap_common_threads) always will.
</pre>
{{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}}
[[Category:Architecture and Components]]
[[Category:LDAP]]
[[Category:Pending Certification]]
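Review bot: in the new Levels text, the sentence on the keyword none gives its integer form as "32768 or 0x800", but the Default line and the "In short" line of the same block both give it as 0x8000, and 32768 is 0x8000. Correct the sentence to 0x8000. Also in this hunk, "[[LDAP]] logging will appear in /var/log/zimbra.log. It is recommended this setting be enabled only for testing and troubleshooting." is kept while the paragraph that introduced the setting (raising ldap_log_level from 0 to 1) is removed, so "this setting" has nothing to refer to, and the sentence under "Running LDAP replica" ends with an unmatched ")".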

Latest revision as of 05:11, 17 May 2018

LDAP

   KB 1308        Last updated on 2018-05-17  





LDAP Overview

LDAP uses in ZCS

LDAP is used in ZCS to store data for

  • Global configuration
  • USER and Authentication
  • SERVER
  • DOMAIN
  • COS

Additionally, information relating to:

  • External LDAP Authentication
  • External GAL

Most of this data can be viewed and configured via the Admin Console or with zmprov.

LDAP in the system architecture

In every ZCS installation, there will be one and only one Master LDAP server. This server is authoritative for user information, server configuration, etc.

Additionally, one or more Replicas may be defined, to improve performance and reduce the load on the Master.

During installation in a multi-server environment, the LDAP server must be the first installed and configured, and must be running during any subsequent installations. The LDAP server must also be the first started in a multi-server environment.

LDAP troubleshooting

"no objectClass attribute" and "index_param failed" warnings in zimbra.log

You may see lines like the following in /var/log/zimbra.log. These lines are informational, reporting that certain attributes are not indexed. This is not a problem. This logging has been removed for ZCS 4.5.7 and later.

Aug 29 19:07:22 host slapd[30824]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
Aug 29 19:07:22 host slapd[30824]: <= bdb_equality_candidates: (zimbraDomainType) index_param failed (18)

Installation Problems

If you're seeing ERROR: service.FAILURE (system failure: getDirectContext) (cause: javax.naming.CommunicationException localhost.localdomain:389) on installation, you're in the right place.


LDAP initialization generally fails for one of the following reasons:

  • Failure to start the LDAP server
  • Failure to resolve the LDAP server
  • Failure to connect to the LDAP server

Startup failures

The startup of the LDAP server during installation happens when the initialization script calls the ldap start script.

If this startup fails, all further initialization fails.

If you see something like the following when upgrading, verify that the sudoers file contains the proper allowances for the zimbra user.

[zimbra@mailhost ~]$ zmcontrol start
Host mailhost.domain.com
        Starting ldap...Password:


Detecting startup failure

After the initialization script exits (successfully or otherwise) slapd should be running. To verify that the slapd process is running:

 ps auxww | grep zimbra | grep slapd
 Should return a line containing:
 /opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldaps:// ldap://:389/ -f /opt/zimbra/conf/slapd.conf

If there is no output, LDAP is not starting. See the next section.

If this line is present, verify that the zimbra system is detecting it (run as the zimbra user):

 ldap status

A return of:

 slapd running pid: 7568  (your PID will vary)

is successful.

If you get no such response from the ldap status command, it's likely that the running slapd process is hanging around from a previous installation. To kill it manually:

 killall -TERM slapd
 ps auxww | grep zimbra | grep slapd

If the process is still there, determine its PID (second column in the ps output) and run:

 kill -9 PID

After cleaning up old LDAP processes, you should re-attempt the initialization by re-running zmsetup.pl.

Ubuntu 6.10 LDAP Startup Solution

This applies to running the Debian build on Ubuntu, not the Ubuntu build

If you are getting the dreaded:

LDAP startup ... FAILED (256) on UBUNTU, I solved my problems with 2 changes:

1 UBUNTU by default symlinks /bin/sh to /bin/dash which does not support the 'source' command.

    To fix
         rm /bin/sh
         ln -s bash /bin/sh

2 UBUNTU Server distro does not have a Java runtime, the certification startup

    The zimbra installer requires the java runtime in the /jre directory.  
    Zimbra has a JRE available so simply a second symlink will solve the problem
    To fix:
          ln -s /opt/zimbra/jdk1.5.0_08/jre /jre

Correcting startup failure

If the previous section indicates that ldap is not starting at all, attempt ldap startup manually (as the zimbra user):

 sh -x bin/ldap start

The output from this should indicate the source of the problem.

The problem may not be indicated in the command above. Instead, you should check your syslog, for logs originating from local0.

An alternative method is to execute the command executed by "ldap start", in my case, this was:

sudo /opt/zimbra/openldap-2.3.21/libexec/slapd -d7 -l LOCAL0 -4 -u zimbra -h ldap://localhost:389/ -f /opt/zimbra/conf/slapd.conf

Note the -d7 in the middle is used to troubleshoot and read debug logs on the screen.

LDAP and DNS

LDAP uses DNS to resolve the ldap host, even if it's localhost.

To verify that you're able to resolve the ldap host:

host ldap-hostname

Make sure you understand DNS.

Failure to Connect

To detect connection failure (using the hostname configured for the ldap server):

 telnet ldaphostname 389

If this times out, or the connection is refused, there could be several causes.

If resolution succeeds, the initialization may fail because the LDAP server failed to start

Firewall problems

If the server is running a local firewall, make sure it's allowing port 389 connections.

If the ldap hostname resolves to a public IP on an external firewall, make sure that firewall is allowing connections through on port 389.

Integration with external LDAP servers

External Authentication

Please see King0770-Notes#External_Authentication_with_LDAP for information on this.

External GAL

Connecting to an External LDAP Server with SSL

If the external LDAP server has a self-signed certificate, you will need to add the cert to the Zimbra keystore(s). Use the following command (substitute your chosen alias and the path to your cert file; all on one line):

sudo /opt/zimbra/java/bin/keytool -import \
  -alias EXTERNAL-LDAP \
  -keystore /opt/zimbra/java/jre/lib/security/cacerts \
  -storepass changeit \
  -file EXTERNAL-LDAP-CERT-FILE

After adding the cert to the keystore, you'll need to restart Tomcat. As the zimbra user, do this:

tomcat stop && tomcat start

Make sure that you have selected SSL when configuring use of the external ldap server in the admin console. You can verify on the command line that this returns an "ldaps" url:

zmprov gd DOMAIN.COM | grep zimbraAuthLdapURL

PS: to download the certificate, you can use openssl from the zimbra server:

openssl s_client -connect EXTERNAL-LDAP:636 > EXTERNAL-LDAP-CERT-FILE

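The resulting file contains the rest of the s_client output as well; trim it down to the certificate itself (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).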

Find out if your external auth cert has expired

If your users cannot access their accounts from the web client, check whether the external authentication server's SSL certificate has expired.

If it has, you may see errors like the following in the /opt/zimbra/log/mailbox.log file.

Caused by: javax.naming.CommunicationException: simple bind failed: 192.168.2.15:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]

To check whether the external authentication server's SSL certificate has expired, run the following commands:

openssl s_client -connect EXTERNAL-LDAP:636 > EXTERNAL-LDAP-CERT-FILE.crt

openssl x509 -in EXTERNAL-LDAP-CERT-FILE.crt -noout -text

Near the top of the output, you should see Validity dates.
Example:
Not Before: Apr 23 13:54:47 2008 GMT
Not After : Apr 23 13:54:47 2009 GMT

Tip: As a short-term workaround, change the localconfig key ssl_allow_untrusted_certs from false to true:

zmlocalconfig -e ssl_allow_untrusted_certs=true
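The check described in this section, as an added example that is not part of the original article: it picks the expired-certificate signature out of mailbox.log lines and classifies the Validity block printed by openssl x509 -text against a given date. The function names and the second log line are constructed for illustration; the first log line and the Validity dates are the ones shown above.

```python
import re
from datetime import datetime, timezone

# "simple bind failed: host:port" plus the expiry marker is the signature this
# article shows in mailbox.log for an expired external-auth certificate.
BIND_FAILED = re.compile(r"simple bind failed: (?P<host>[^\s:\[\]]+):(?P<port>\d+)")
EXPIRY_MARKER = "timestamp check failed"
VALIDITY = re.compile(r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} [\d:]{8} \d{4}) GMT")

SAMPLE_LOG = [
    # Line quoted in the article.
    "Caused by: javax.naming.CommunicationException: simple bind failed: "
    "192.168.2.15:636 [Root exception is javax.net.ssl.SSLHandshakeException: "
    "sun.security.validator.ValidatorException: PKIX path validation failed: "
    "java.security.cert.CertPathValidatorException: timestamp check failed]",
    # Constructed line: a bind that failed because the issuer is not trusted.
    "Caused by: javax.naming.CommunicationException: simple bind failed: "
    "ldap2.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: "
    "sun.security.validator.ValidatorException: PKIX path building failed: "
    "unable to find valid certification path to requested target]",
]

# Validity block laid out as `openssl x509 -noout -text` prints it (dates from the article).
SAMPLE_X509 = """\
        Validity
            Not Before: Apr 23 13:54:47 2008 GMT
            Not After : Apr 23 13:54:47 2009 GMT
"""


def expired_cert_endpoints(log_lines):
    """Return the sorted host:port endpoints whose bind failed on certificate expiry."""
    endpoints = set()
    for line in log_lines:
        match = BIND_FAILED.search(line)
        # Other handshake failures also log "simple bind failed"; only the
        # expiry marker means the certificate dates are the problem.
        if match and EXPIRY_MARKER in line:
            endpoints.add(f"{match['host']}:{match['port']}")
    return sorted(endpoints)


def parse_validity(x509_text):
    """Extract (not_before, not_after) as UTC datetimes from the -text output."""
    found = {}
    for which, stamp in VALIDITY.findall(x509_text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block not found in certificate text")
    return found["Before"], found["After"]


def certificate_status(x509_text, now):
    """Classify the certificate at `now`: (status, whole days until Not After)."""
    not_before, not_after = parse_validity(x509_text)
    days_left = (not_after - now).days
    if now < not_before:
        return "not yet valid", days_left
    if now > not_after:
        return "expired", days_left
    return "valid", days_left


if __name__ == "__main__":
    print(expired_cert_endpoints(SAMPLE_LOG))
    print(certificate_status(SAMPLE_X509, datetime.now(timezone.utc)))
```

A negative day count is how long ago the certificate expired; the untrusted-issuer line is deliberately not reported, because renewing the certificate would not fix it.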

Provisioning users in LDAP

The basic form for this is:

 zmprov ca username@domain password 

Additional attributes can be specified on the same command:

 zmprov ca username@domain password attribute value attribute value

For creation of a single user, the admin console is the preferred method. If you need to bulk-provision users during initial installation, it can be easier to create a script.

EXAMPLE - creating several users at once:

Create a file containing all of the zmprov commands that you wish to run:

 ca user1 user1pass
 ca user2 user2pass
 ca user3 user3pass
 ca adminuser adminuserpass zimbraIsAdminAccount TRUE
 ca user4 user4pass zimbraMailAlias user_4 zimbraMailAlias user_four zimbraMailAlias user.four
 ca nopassuser 

Save this file (e.g., usercreate.txt). Then, run zmprov, redirecting standard input from this file:

 zmprov < usercreate.txt

With this method, it's relatively straightforward to dump an existing ldap directory into a text file, format it for zmprov, and bulk-provision the users in the ZCS LDAP instance.

If you are using external LDAP authentication, you can create the users with no local password by supplying the empty string "" after the username.

LDAP replication

Installation

Your LDAP Master server (machine 1) should be installed using normal ZCS installation options. The replica will be installed on a separate server (machine 2).

Replica Configuration

After the master server is up, enable replication on the master with the command /opt/zimbra/libexec/zmldapenablereplica

Install Replica Server

To install the replica server:

  • Make sure the master is up and running before you apply the configuration to machine 2 and complete the installation.
  • Use standard install.sh options, including the zimbra-ldap server.
  • Set the master LDAP server for machine 2 to be machine 1.
  • Set the LDAP root password to the correct value (run zmlocalconfig -s ldap_root_password on the master to determine this value)
  • Set the LDAP replication password to the correct value (run zmlocalconfig -s ldap_replication_password on the master to determine this value)
  • Installation will complete as normal, and both servers will have their ZCS servers up, except for slapd on machine 2.

Note: In order to install an LDAP replica server with no MBS (Mailbox Server), set zimbra_zmprov_default_to_ldap to true, using the following command: zmlocalconfig -e zimbra_zmprov_default_to_ldap=true. If you later add an MBS to your LDAP replica server, set zimbra_zmprov_default_to_ldap to false.

If you want to install an LDAP replica on a previously existing Zimbra server, you will need to use install.sh to install zimbra-ldap on the server. When install.sh asks if you wish to perform an upgrade, select Yes, then select Yes when it asks to install zimbra-ldap. The rest of the install will be similar to installing a disabled LDAP server on a new box.

When this is complete, you're done. You can test the replica by creating a few accounts through the administrative interface on the master server. You should be able to see them immediately with an LDAP search run against machine 2.

LDAP logging will appear in /var/log/zimbra.log. It is recommended this setting be enabled only for testing and troubleshooting.

Running LDAP replica

Any services running on the replica server itself will automatically query the replica first.

The order for the ldap_url key on the hosts using the replica should be replicas first, with the master listed last. The master must always be included!

Promoting LDAP Replica to be LDAP Master

To see instructions for promoting a replica to LDAP master, go to Promoting_Replica_to_LDAP_Master. This procedure shows how to move the LDAP Master from one host to another. This is not recommended for use by those without at least some LDAP expertise.


LDAP Logs

For /var/log/zimbra.log

Change Levels

There are two methods.

1)


zmlocalconfig -e ldap_log_level=256

ldap stop

ldap start

2)

This method does not require ldap stop/start. Run ldapmodify, enter the ldap_root_password at the prompt, then type the remaining lines and press Enter twice:

 ldapmodify -x -h <host> -D "cn=config" -W
 dn: cn=config
 changetype: modify
 replace: olcLogLevel
 olcLogLevel: 256

To disable the LDAP log, type none in place of 256.


Levels

Default: 32768 (OR 0x8000 OR none) would just log critical stuff

zmlocalconfig -e ldap_log_level=32768
zmcontrol stop/start

Note that in ZCS 6+ ldap_log_level has been replaced by ldap_common_loglevel.

We tried 16640 = stats + sync for a few releases and found it overwhelming - but it's good for debug.

LDAP
Master: 32768 none (critical only)
Replicas: 49152 = none + sync = 32768 + 16384 (no stats but syncrepl entries are logged)

For instance to set that replica value it would be:
zmlocalconfig -e ldap_log_level=49152
OR
zmlocalconfig -e ldap_log_level="none sync"

You can define it several ways (single integer in decimal or hexadecimal, or keywords) and then you can combine them - for instance these are equivalent:
loglevel 129
loglevel 0x81
loglevel 128 1
loglevel 0x80 0x1
loglevel acl trace


The keyword any can be used as a shortcut to enable logging at all levels (equivalent to -1).

The keyword none, or the equivalent integer representation (32768 or 0x8000), causes those messages that are always logged regardless of the configured loglevel to be output (specified & critical stuff). In fact, if no loglevel (or a 0 level) is defined, no logging occurs, so at least the none level is required to have high priority messages logged.

In short, 32768 (OR 0x8000 OR none) = only messages that get logged whatever log level is set, thus you get critical stuff.
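The equivalence rules above, as an added example that is not from the original article or from Zimbra: a decoder that turns any of the accepted loglevel spellings into its integer and names the bits that are set. The keyword table follows OpenLDAP's slapd.conf(5) man page; the function names are assumptions made for this example.

```python
# Keyword -> bit value, as listed in the loglevel table of slapd.conf(5).
LEVELS = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8, "ber": 0x10,
    "filter": 0x20, "config": 0x40, "acl": 0x80, "stats": 0x100,
    "stats2": 0x200, "shell": 0x400, "parse": 0x800, "sync": 0x4000,
    "none": 0x8000,
}

# Values discussed in the article, in the spellings it uses.
ARTICLE_SPECS = ["129", "0x81", "128 1", "0x80 0x1", "acl trace",
                 "32768", "49152", "none sync", "16640", "256"]


def parse_loglevel(spec):
    """Combine a loglevel spec (decimal, hex and/or keywords) into one integer."""
    total = 0
    for token in spec.split():
        word = token.lower()
        if word == "any":
            return -1  # shortcut for every level
        if word in LEVELS:
            value = LEVELS[word]
        else:
            try:
                value = int(word, 0)  # base 0 accepts both 129 and 0x81
            except ValueError:
                raise ValueError(f"unknown loglevel token: {token!r}") from None
        total |= value  # levels are bit flags, so combining is a bitwise OR
    return total


def describe_loglevel(level):
    """Name the keywords set in an integer level; unnamed bits are shown in hex."""
    if level == -1:
        return ["any"]
    names = [name for name, bit in LEVELS.items() if level & bit]
    known = 0
    for bit in LEVELS.values():
        known |= bit
    leftover = level & ~known
    if leftover:
        names.append(hex(leftover))
    return names


if __name__ == "__main__":
    for spec in ARTICLE_SPECS:
        level = parse_loglevel(spec)
        print(f"{spec!r:12} -> {level:6} {hex(level):8} {describe_loglevel(level)}")
```

An empty list from describe_loglevel means level 0, which is the case the text above describes where nothing is logged at all.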

ZCS 6.0+

When the GnR ZCS 6.0 release comes out, our entire OL setup has changed with our move to OpenLDAP 2.4.


OpenLDAP DB is now in /opt/zimbra/data/ldap/{config,hdb,accesslog}/

We've moved to using the cn=config backend rather than text files for configuration.  This means that any changes made to the configuration
database are preserved across restarts and upgrades.  As a part of this, I've made it so many more portions of the OL configuration can be
controlled (See bug#20972).  This means that sites will no longer have to modify slapd.conf by hand every release for changes they want to see
persist.  In particular, note that ldap_log_level is no longer an LC key, it has been replaced by ldap_common_loglevel.

Modifications to the ldap_{common,db,accesslog,overlay}_* LC keys are monitored by zmmtaconfig, and will push those changes to the LDAP
server within 2 minutes or less.  This means easy on-the-fly loglevel changes, for example.  A few options (ldap_common_require_tls) currently
require a restart to take effect, but may not in the future.  Some (ldap_common_threads) always will.
Verified Against: Zimbra Collaboration 8.0, 7.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=LDAP Date Modified: 2018-05-17


