ShanxT-LDAP-Auth-Failed: Difference between revisions

No edit summary
 
(7 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Unsupported}}{{WIP}}__TOC__
{{BC|Community Sandbox}}
 
__FORCETOC__
 
<div class="col-md-12 ibox-content">
=ShanxT - LDAP Auth Failed=
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
{{WIP}}
== Introduction ==
== Introduction ==


Line 42: Line 45:
If zmdldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:
If zmdldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:


ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'
ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'


Replace  'ldap_root_password_value' with your actual password.  
Replace  ''''ldap_root_password_value'''' with your actual password.  
If this is also incorrect, we'll have to change this manually.
If this is also incorrect, we'll have to change this manually.


'''Please do this carefully. If you are unsure, and are an NE customer, please contact support before making the changes.'''
'''Please do this carefully. If you are unsure and are an NE customer, please contact support before making the changes.'''


We are going to create a base64 encoded salted SHA password, that we will then directly place in the ldap.  
We are going to create a base64 encoded salted SHA password, that we will then directly place in the ldap.  


: 1. Generate the password hash using 'slappasswd':
NEWPASS='/opt/zimbra/openldap/sbin/slappasswd -v -s 'Very_secure_pass_591' -h {SSHA}`


: 2. BASE64 encode this password hash:
'''1)''' Generate the password hash using 'slappasswd':
  NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64`
'''For 8.5 and above, SSHA512 should be used'''
NEWPASS=`/opt/zimbra/common/sbin/slappasswd -o module-load=pw-sha2 -h {SSHA512} -s 'Very_Secure_pass_591'`
 
 
'''2)''' BASE64 encode this password hash:
  NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64 | tr -d '\n'`
'''Note:''' The hash can go across multiple lines, so the 'tr' deletes the new line character and makes it a single line. The entire hash should be on one line. Confirm this by running:
echo $NEWPASSB64
 


: 3. As the zimbra user, stop ldap:
'''3)''' As the zimbra user, stop ldap:
  ldap stop
  ldap stop


: 4. Replace this new password in the file ~/data/ldap/config/cn=config/olcDatabase={0}config.ldif:
cp '~/data/ldap/config/cn=config/olcDatabase={0}config.ldif' /tmp/
sed -i "s/olcRootPW.*/olcRootPW:: $NEWPASSB64" '~/data/ldap/config/cn=config/olcDatabase={0}config.ldif'


The above command takes a backup of 'olcDatabase={0}config.ldif', and the places the new password in the file. If the command fails for whatever reason, just do the steps manually. Take a backup, and replace the existing value of 'olcRootPW:: ' in the 'olcDatabase={0}config.ldif' file with the value of $NEWPASS64.
'''4)''' Take ldap backup.
mkdir /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -n 0 -o ldif-wrap=no -l /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "cn=accesslog" -l /opt/zimbra/data/tmp/ldap_backup/ldap-accesslog.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "" -l /opt/zimbra/data/tmp/ldap_backup/ldap.bak
 


: 5. Start ldap:
'''5)'''  Replace the new password in the file '''ldap-config.bak'''.
sed -i.ORG "s/olcRootPW.*/olcRootPW:: $NEWPASSB64/" /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
 
 
'''6)''' Reload updated '''ldap-config.bak'''.
mv /opt/zimbra/data/ldap/config /opt/zimbra/data/ldap/config.old.`date '+%Y%m%d%H%M%S'`
mkdir /opt/zimbra/data/ldap/config
/opt/zimbra/libexec/zmslapadd -c /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
 
 
'''7)'''  Start ldap:
  ldap start
  ldap start


: 6. To test, run:
 
'''8)'''  To test, run:
  ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'  
  ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'  


: 7. Then update localconfig.xml as well
 
'''9)'''  Then update localconfig.xml as well
 
== Checking if the password updated correctly ==
 
Run the following to check each password.
su - zimbra
source ~/bin/zmshutil; zmsetvars
# Main config user
ldapwhoami -ZZ -x -D cn=config -H ldap://`zmhostname`:389 -w $ldap_root_password
# Zimbra ldap user
ldapwhoami -ZZ -x -D uid=zimbra,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $zimbra_ldap_password
# Replication, if using multiple ldap servers
ldapwhoami -ZZ -x -D uid=zmreplica,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_replication_password
# Amavis
ldapwhoami -ZZ -x -D uid=zmamavis,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_amavis_password
# Nginx
ldapwhoami -ZZ -x -D uid=zmnginx,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_nginx_password
# Postfix
ldapwhoami -ZZ -x -D uid=zmpostfix,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_postfix_password
On successful auth, the output of the above would be the user's DN from ldap
 
# Main config user
dn:cn=config
# Zimbra ldap user
dn:uid=zimbra,cn=admins,cn=zimbra
# Replication
dn:uid=zmreplica,cn=admins,cn=zimbra
# Amavis
dn:uid=zmamavis,cn=appaccts,cn=zimbra
 
# Nginx
dn:uid=zmnginx,cn=appaccts,cn=zimbra
# Postfix
dn:uid=zmpostfix,cn=appaccts,cn=zimbra
 
 
 
 





Latest revision as of 13:47, 17 October 2022

ShanxT - LDAP Auth Failed

   KB 20481        Last updated on 2022-10-17  




0.00
(0 votes)

Introduction

The password may get reset during a migration, DR, incorrect installation or messing around with the server. The logs will explicitly show errors like LDAP: error code 49 - Invalid Credentials, or you may see postfix not connecting, etc.

Different services (postfix, nginx, etc) also connect to ldap with their respective passwords.

All these passwords are stored in /opt/zimbra/conf/localconfig.xml. To see all the passwords, run:

zmlocalconfig -s | grep ldap.*_pass


Checking localconfig.xml

We just need to determine how the password got reset. If it is during a migration or DR, one of the following is usually the culprit:

Incorrect permissions on localconfig.xml

In this case, the password isn't wrong, the file is just not readable by Zimbra. Confirm the permissions are as shown:

ls -l  /opt/zimbra/conf/localconfig.xml 
-rw-r-----. 1 zimbra zimbra 3887 Jun  4 20:08 /opt/zimbra/conf/localconfig.xml


Passwords weren't taken from the old localconfig.xml

After restoring the server, the passwords weren't not taken from the old localconfig.xml. So just pick the old localconfig.xml from the server, or from a backup, and replace the passwords on the current server's localconfig file.

In a backup, it'll be in your 'sessions/<full-incr backup name>/sys' folder. Example:

/opt/zimbra/backup/sessions/full-20130524.193020.262/sys/localconfig.xml


zmldappasswd

If the above doesn't work or is not possible, use the 'zmldappasswd' command. The help file for that is self-explanatory:

zmldappasswd --help

You can also see this article, Resetting_LDAP_and_MySQL_Passwords#In_ZCS_5.0.x, for examples. It was last updated for ZCS 5, but is valid for versions unto ZCS 8. The only difference is that a few more options have been added over the years


Changing ldap directly

If zmdldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'

Replace 'ldap_root_password_value' with your actual password. If this is also incorrect, we'll have to change this manually.

Please do this carefully. If you are unsure and are an NE customer, please contact support before making the changes.

We are going to create a base64 encoded salted SHA password, that we will then directly place in the ldap.


1) Generate the password hash using 'slappasswd':

For 8.5 and above, SSHA512 should be used
NEWPASS=`/opt/zimbra/common/sbin/slappasswd -o module-load=pw-sha2 -h {SSHA512} -s 'Very_Secure_pass_591'`


2) BASE64 encode this password hash:

NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64 | tr -d '\n'`

Note: The hash can go across multiple lines, so the 'tr' deletes the new line character and makes it a single line. The entire hash should be on one line. Confirm this by running:

echo $NEWPASSB64


3) As the zimbra user, stop ldap:

ldap stop


4) Take ldap backup.

mkdir /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -n 0 -o ldif-wrap=no -l /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "cn=accesslog" -l /opt/zimbra/data/tmp/ldap_backup/ldap-accesslog.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "" -l /opt/zimbra/data/tmp/ldap_backup/ldap.bak 


5) Replace the new password in the file ldap-config.bak.

sed -i.ORG "s/olcRootPW.*/olcRootPW:: $NEWPASSB64/" /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak 


6) Reload updated ldap-config.bak.

mv /opt/zimbra/data/ldap/config /opt/zimbra/data/ldap/config.old.`date '+%Y%m%d%H%M%S'` 
mkdir /opt/zimbra/data/ldap/config 
/opt/zimbra/libexec/zmslapadd -c /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak 


7) Start ldap:

ldap start


8) To test, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value' 


9) Then update localconfig.xml as well

Checking if the password updated correctly

Run the following to check each password.

su - zimbra
source ~/bin/zmshutil; zmsetvars

# Main config user 
ldapwhoami -ZZ -x -D cn=config -H ldap://`zmhostname`:389 -w $ldap_root_password

# Zimbra ldap user 
ldapwhoami -ZZ -x -D uid=zimbra,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $zimbra_ldap_password

# Replication, if using multiple ldap servers
ldapwhoami -ZZ -x -D uid=zmreplica,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_replication_password

# Amavis
ldapwhoami -ZZ -x -D uid=zmamavis,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_amavis_password

# Nginx
ldapwhoami -ZZ -x -D uid=zmnginx,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_nginx_password

# Postfix
ldapwhoami -ZZ -x -D uid=zmpostfix,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_postfix_password

On successful auth, the output of the above would be the user's DN from ldap

# Main config user 
dn:cn=config

# Zimbra ldap user 
dn:uid=zimbra,cn=admins,cn=zimbra

# Replication
dn:uid=zmreplica,cn=admins,cn=zimbra

# Amavis
dn:uid=zmamavis,cn=appaccts,cn=zimbra
 
# Nginx
dn:uid=zmnginx,cn=appaccts,cn=zimbra

# Postfix
dn:uid=zmpostfix,cn=appaccts,cn=zimbra




Verified Against: Zimbra Collaboration Suite 7,8 Date Created: 06/24/2013
Article ID: https://wiki.zimbra.com/index.php?title=ShanxT-LDAP-Auth-Failed Date Modified: 2022-10-17



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search