SeanG-Notes
Fixing 6.0.x LDAP ACLs
Some Zimlets, notably the Samba/Posix zimlets, require changes to the LDAP ACLs that control what the Zimbra admin accounts may access. A small mistake in applying the LDIF that ships with these zimlets can leave the admin accounts unable to access LDAP; if that happens, Postfix, Amavis, and other critical components of Zimbra may stop working. To revert everything to the original (6.0.2) state, paste the following into an LDIF file, here named /tmp/acl-restore.ldif:
# Replace the whole olcAccess list on the main (hdb) database with the 6.0.2 defaults.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
# Passwords: anonymous may only bind against them; only admins may write them.
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write
# The cn=zimbra subtree (admin and application accounts) is admin-only.
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write
# Secrets and keys: admins only, nobody else may even read them.
olcAccess: {2}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admins,cn=zimbra" write by * none
# Attributes the Postfix and Amavis application accounts need to read.
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * read
olcAccess: {4}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {6}to attrs=zimbraAllowFromAddress by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
# GAL attributes, visible unless the entry is hidden from the GAL.
olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * read
# Mail routing attributes used by Postfix.
olcAccess: {8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * read
# Everything else: admins write, everyone may read.
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
You can then replace the broken ACLs with the original settings by running the following, substituting your server's LDAP root password and LDAP URL for the placeholders:
ldapmodify -D cn=config -w <ldap_root_password> -x -H <ldap_url> -f /tmp/acl-restore.ldif
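To see what an applied zimlet LDIF actually changed, or to confirm that the restore took effect, the following added Python script (not part of the original note) compares the olcAccess rules in a known-good LDIF such as /tmp/acl-restore.ldif with the rules currently in cn=config as dumped by ldapsearch, and it handles the line folding ldapsearch applies to long values. The sample inputs embedded below are constructed; the script name acl_check.py and the current.ldif file name are assumptions.

```python
import re
import sys

def parse_olcaccess(ldif_text):
    """Return {index: rule} for every olcAccess value in an LDIF text,
    unfolding the continuation lines (leading space) that ldapsearch emits."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous value
        else:
            unfolded.append(line)
    rules = {}
    for line in unfolded:
        m = re.match(r"olcAccess:\s*\{(\d+)\}(.*)", line)
        if m:  # normalise whitespace so folded and unfolded forms compare equal
            rules[int(m.group(1))] = " ".join(m.group(2).split())
    return rules

def diff_acls(expected, current):
    """Return (missing, changed, extra) rule indexes of current relative to expected."""
    missing = sorted(i for i in expected if i not in current)
    changed = sorted(i for i in expected if i in current and current[i] != expected[i])
    extra = sorted(i for i in current if i not in expected)
    return missing, changed, extra

# Constructed excerpt of the known-good rules; in practice pass /tmp/acl-restore.ldif.
GOOD = """\
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * read
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
"""

# Constructed ldapsearch output from a damaged server: {3} lost the zmpostfix grant
# (shown folded the way ldapsearch prints long values) and {9} is gone entirely.
BROKEN = """\
dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,c
 n=zimbra" write
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.ba
 se="uid=zmamavis,cn=appaccts,cn=zimbra" read by * read
"""

if __name__ == "__main__":
    # Usage: python acl_check.py /tmp/acl-restore.ldif current.ldif, where current.ldif is the output of
    # ldapsearch -LLL -x -H <ldap_url> -D cn=config -W -b 'olcDatabase={2}hdb,cn=config' olcAccess
    with open(sys.argv[1]) as exp, open(sys.argv[2]) as cur:
        missing, changed, extra = diff_acls(parse_olcaccess(exp.read()), parse_olcaccess(cur.read()))
    print(f"missing: {missing}  changed: {changed}  extra: {extra}")  # on the samples: [9] [3] []
```

Using -W makes ldapsearch prompt for the password instead of exposing it in the process list, which matters on a shared host.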