SeanG-Notes
Latest revision as of 16:55, 20 July 2010
Fixing 6.0.x LDAP ACLs
Some Zimlets, notably the Samba/Posix zimlets, require changes to the LDAP ACLs that manage access and permissions for the Zimbra admin accounts. A small mistake in applying the LDIF provided for these apps can leave the admin accounts unable to access LDAP. If this happens, Postfix, Amavis, and other critical components of the Zimbra system may stop working. To revert to the original (6.0.2) state, paste the following into an LDIF file, here named /tmp/acl-restore.ldif:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write
olcAccess: {2}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * read
olcAccess: {4}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {6}to attrs=zimbraAllowFromAddress by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * read
olcAccess: {8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * read
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
You can then replace the broken ACL with the original settings by running:
ldapmodify -D cn=config -w <ldap_root_password> -x -H <ldap_url> -f /tmp/acl-restore.ldif
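Because the failure mode above is a typo in the olcAccess set, it is worth checking the rule set mechanically before loading it, and again afterwards against the olcAccess lines an ldapsearch of cn=config returns. The checker below is an added example, not Zimbra's own tooling; it verifies that the {n} indices are contiguous, that the Zimbra admins group keeps write on every rule, and that attributes whose names contain Password or Key (a naming heuristic assumed here) grant nothing beyond auth to anonymous, users or *.

```python
import re

ADMINS = 'dn.children="cn=admins,cn=zimbra"'
# slapd access levels, increasing; "+0" adds nothing and is paired with "break"
LEVELS = {"none": 0, "+0": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}

def parse_olc_access(text):
    """Return [(index, what, {who: access})] from 'olcAccess: {n}to ...' lines,
    as found in the restore LDIF or in ldapsearch output (LDIF folds unfolded)."""
    rules = []
    for line in re.sub(r"\n ", "", text).splitlines():
        m = re.match(r"^olcAccess:\s*\{(\d+)\}to\s+(.*)$", line.strip())
        if not m:
            continue
        what, *clauses = re.split(r"\s+by\s+", m.group(2))
        # each clause is "<who> <access> [break|stop|continue]"
        by = {c.split()[0]: c.split()[1] for c in clauses}
        rules.append((int(m.group(1)), what, by))
    return rules

def check_acls(rules):
    """Return a list of findings; an empty list means the rule set looks sane."""
    findings = []
    indices = [i for i, _, _ in rules]
    if indices != list(range(len(rules))):
        findings.append(f"rule indices not contiguous from 0: {indices}")
    for i, what, by in rules:
        level = {who: LEVELS.get(acc, -1) for who, acc in by.items()}
        # Zimbra admin accounts need write everywhere, or Postfix/Amavis lose LDAP
        if level.get(ADMINS, 0) < LEVELS["write"]:
            findings.append(f"rule {i}: admins lack write on '{what}'")
        # password/key attributes must stay unreadable to anonymous, users and *
        if re.search(r"Password|Key", what):
            for who in ("anonymous", "users", "*"):
                if level.get(who, 0) > LEVELS["auth"]:
                    findings.append(f"rule {i}: '{who}' exceeds auth on '{what}'")
    return findings

# Constructed samples: GOOD is shortened from the restore LDIF above; BROKEN
# exposes userPassword, drops admins from rule 1 and skips index 2.
GOOD = """olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to attrs=zimbraPreAuthKey,zimbraAuthTokenKey by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {2}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read"""
BROKEN = """olcAccess: {0}to attrs=userPassword by anonymous auth by * read
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read
olcAccess: {3}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read"""
```

Run check_acls(parse_olc_access(open("/tmp/acl-restore.ldif").read())) on the file before the ldapmodify; an empty list is the expected result for the LDIF above.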
rsyslog
Sites using rsyslog should make sure "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat" is included in rsyslog.conf. This switches the timestamp format from rsyslog's default to the traditional syslog format. If it is not set, the logger hosts will not be able to parse the syslog data correctly, and status reports on the admin console and message traffic data will not appear.