SeanG-Notes

Revision as of 16:55, 20 July 2010 by SeanG (talk | contribs)

Fixing 6.0.x LDAP ACLs

Some Zimlets, notably the Samba/Posix zimlets, require changes to the LDAP ACLs that manage access and permissions for the Zimbra admin accounts. A small mistake in applying the LDIF provided for these zimlets can leave the admin accounts unable to access LDAP. If this happens, Postfix, Amavis, and other critical components of the Zimbra system may stop working. To revert everything back to the original (6.0.2) state, paste the following into an LDIF file, here named /tmp/acl-restore.ldif:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword  by anonymous auth  by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra"  by dn.children="cn=admins,cn=zimbra" write
olcAccess: {2}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword  by dn.children="cn=admins,cn=zimbra" write  by * none
olcAccess: {3}to attrs=objectclass  by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read  by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * read
olcAccess: {4}to attrs=@amavisAccount  by dn.children="cn=admins,cn=zimbra" write  by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break
olcAccess: {5}to attrs=mail  by dn.children="cn=admins,cn=zimbra" write  by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break
olcAccess: {6}to attrs=zimbraAllowFromAddress  by dn.children="cn=admins,cn=zimbra" write  by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))"  attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid  by dn.children="cn=admins,cn=zimbra" write  by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read  by * read
olcAccess: {8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled  by dn.children="cn=admins,cn=zimbra" write  by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read  by * read
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read

You can then replace the broken ACL with the original settings by running:

ldapmodify -D cn=config -w <ldap_root_password> -x -H <ldap_url> -f /tmp/acl-restore.ldif
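The failure mode above is usually a hand-editing slip: a rule index that is skipped or duplicated (slapd orders olcAccess values by their {n} prefix, so a gap silently changes precedence), or a "by" clause that drops the admin group's write access. The following is an added example, not code from this page or from Zimbra: a small lint that parses the olcAccess values out of an LDIF file before ldapmodify is run and reports those mistakes. The two embedded LDIF strings are constructed samples (RESTORE_LDIF is an abridged copy of five of the ten rules above; BROKEN_LDIF is a deliberately damaged variant), and the SENSITIVE_ATTRS set is an assumption drawn from the attributes the rules above already restrict with "by * none".

```python
import re

ADMIN_GROUP = 'dn.children="cn=admins,cn=zimbra"'
# Assumption: attributes that must never be readable by "*" (taken from the rules on this page)
SENSITIVE_ATTRS = {"userPassword", "zimbraPreAuthKey", "zimbraAuthTokenKey",
                   "zimbraGalLdapBindPassword", "zimbraAuthLdapSearchBindPassword"}

# Constructed sample: abridged copy of the restore LDIF (five of the ten rules)
RESTORE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword  by anonymous auth  by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra"  by dn.children="cn=admins,cn=zimbra" write
olcAccess: {2}to attrs=zimbraAuthTokenKey,zimbraPreAuthKey  by dn.children="cn=admins,cn=zimbra" write  by * none
olcAccess: {3}to attrs=mail  by dn.children="cn=admins,cn=zimbra" write  by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read  by * +0 break
olcAccess: {4}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read
"""

# Constructed sample of a typical hand-editing mistake: rule {1} lost (index gap),
# admins dropped from rule {0}, and userPassword opened to everyone
BROKEN_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword  by anonymous auth  by * read
olcAccess: {2}to dn.subtree="cn=zimbra"  by dn.children="cn=admins,cn=zimbra" write
"""


def _unfold(ldif_text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_olc_access(ldif_text):
    """Return [(index, target, [(who, access), ...])] for every olcAccess value in the LDIF."""
    rules = []
    for line in _unfold(ldif_text):
        if not line.startswith("olcAccess:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = re.match(r"\{(\d+)\}\s*to\s+(.*)$", value)
        if not m:
            raise ValueError(f"unparseable olcAccess value: {value!r}")
        # "<target> by <who> <access> by <who> <access> ..."
        target, *by_clauses = re.split(r"\s+by\s+", m.group(2).strip())
        clauses = []
        for clause in by_clauses:
            who, _, access = clause.strip().partition(" ")
            clauses.append((who, access.strip()))
        rules.append((int(m.group(1)), target.strip(), clauses))
    return rules


def lint_acl(rules):
    """Return a list of problems; an empty list means the rule set looks safe to apply."""
    problems = []
    indices = [idx for idx, _, _ in rules]
    if indices != list(range(len(rules))):
        problems.append(f"olcAccess indices are not sequential from {{0}}: {indices}")
    for idx, target, clauses in rules:
        # slapd applies the first matching "by" clause for a subject, so keep the first one
        access = {}
        for who, level in clauses:
            access.setdefault(who, level)
        if access.get(ADMIN_GROUP) != "write":
            problems.append(f"rule {idx}: {ADMIN_GROUP} is not granted write")
        if access.get("*") == "write":
            problems.append(f"rule {idx}: '*' is granted write")
        m = re.search(r"attrs=(\S+)", target)
        attrs = set(m.group(1).split(",")) if m else set()
        exposed = attrs & SENSITIVE_ATTRS
        star = access.get("*")
        if exposed and star not in (None, "none"):
            problems.append(f"rule {idx}: {sorted(exposed)} readable by '*' ({star})")
    return problems


if __name__ == "__main__":
    for name, text in (("restore", RESTORE_LDIF), ("broken", BROKEN_LDIF)):
        found = lint_acl(parse_olc_access(text))
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the real file with `lint_acl(parse_olc_access(open("/tmp/acl-restore.ldif").read()))` before the ldapmodify step; an empty list is the green light. The lint only checks the structural mistakes this section warns about, not the full slapd access semantics.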

rsyslog

Sites using rsyslog should make sure "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat" is included in rsyslog.conf. This changes the timestamp format of log lines from rsyslog's default to the traditional syslog format. If this is not set, the logger systems will not be able to parse the syslog data correctly, and status reports on the admin console and message traffic data will not appear.
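To see why the directive matters, the following added example (not code from this page or from Zimbra's logger) parses a log line the way a traditional-syslog consumer does and checks an rsyslog.conf text for the directive. The two log lines and the two configuration snippets are constructed samples; the hostname, program name and address in them are placeholders.

```python
import re

# Traditional syslog line (RSYSLOG_TraditionalFileFormat): "Mon DD HH:MM:SS host prog[pid]: message"
TRADITIONAL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed samples: the same event as rsyslog writes it with and without the directive
TRADITIONAL_LINE = "Jul 20 16:55:01 mail1 postfix/smtpd[12345]: connect from unknown[192.0.2.10]"
DEFAULT_LINE = "2010-07-20T16:55:01.123456+02:00 mail1 postfix/smtpd[12345]: connect from unknown[192.0.2.10]"

# Constructed rsyslog.conf fragments (only the lines relevant here)
GOOD_CONF = """\
# Use traditional timestamp format so the Zimbra logger can parse the lines
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
mail.*    -/var/log/mail.log
"""
BAD_CONF = """\
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
mail.*    -/var/log/mail.log
"""


def parse_traditional(line):
    """Return the fields of a traditional-format syslog line, or None if the line is in another format."""
    m = TRADITIONAL.match(line)
    return m.groupdict() if m else None


def uses_traditional_format(conf_text):
    """True if the last uncommented $ActionFileDefaultTemplate directive selects the traditional format."""
    selected = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("$ActionFileDefaultTemplate"):
            parts = line.split()
            selected = parts[1] if len(parts) > 1 else None
    return selected == "RSYSLOG_TraditionalFileFormat"


if __name__ == "__main__":
    print("traditional line:", parse_traditional(TRADITIONAL_LINE))
    print("default-format line:", parse_traditional(DEFAULT_LINE))
    print("good conf ok:", uses_traditional_format(GOOD_CONF))
    print("bad conf ok:", uses_traditional_format(BAD_CONF))
```

The default-format line is rejected outright by the traditional parser, which is the same outcome the logger hits when the directive is missing; checking the configuration text is a quick way to confirm the setting is present and not commented out.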
