Latest revision as of 13:47, 17 October 2022
ShanxT - LDAP Auth Failed
Introduction
The password may get reset during a migration, DR, incorrect installation or messing around with the server. The logs will explicitly show errors like LDAP: error code 49 - Invalid Credentials, or you may see postfix not connecting, etc.
Different services (postfix, nginx, etc) also connect to ldap with their respective passwords.
All these passwords are stored in /opt/zimbra/conf/localconfig.xml. To see all the passwords, run:
zmlocalconfig -s | grep ldap.*_pass
Checking localconfig.xml
We just need to determine how the password got reset. If it is during a migration or DR, one of the following is usually the culprit:
Incorrect permissions on localconfig.xml
In this case, the password isn't wrong; the file is just not readable by the zimbra user. Confirm the permissions are as shown:
ls -l /opt/zimbra/conf/localconfig.xml
-rw-r-----. 1 zimbra zimbra 3887 Jun 4 20:08 /opt/zimbra/conf/localconfig.xml
Passwords weren't taken from the old localconfig.xml
After restoring the server, the passwords weren't taken from the old localconfig.xml. So just pick the old localconfig.xml from the server, or from a backup, and replace the passwords in the current server's localconfig file.
In a backup, it'll be in your 'sessions/<full-incr backup name>/sys' folder. Example:
/opt/zimbra/backup/sessions/full-20130524.193020.262/sys/localconfig.xml
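The comparison described above, done programmatically, as an added example that is not part of this wiki page or of Zimbra's own tooling: it pulls the same ldap.*_pass keys that the zmlocalconfig grep shows out of the restored server's localconfig.xml and out of the old copy, reports which ones differ, and writes the old values back into the current file's keys. The <key name="..."><value>...</value></key> layout is assumed to be the localconfig.xml format, and both sample files below are constructed, not taken from a real server.

```python
"""Compare and merge the ldap password keys of two Zimbra localconfig.xml files.

Added example, not from the wiki page. Assumes localconfig.xml looks like
<localconfig><key name="..."><value>...</value></key>...</localconfig>.
"""
import re
import xml.etree.ElementTree as ET

# Same pattern the page greps for: zmlocalconfig -s | grep ldap.*_pass
LDAP_PASS_KEY = re.compile(r"ldap.*_pass")


def ldap_passwords(localconfig_xml: str) -> dict:
    """Return {key_name: value} for every ldap*_pass* key in a localconfig.xml string."""
    root = ET.fromstring(localconfig_xml)
    found = {}
    for key in root.findall("key"):
        name = key.get("name", "")
        if LDAP_PASS_KEY.search(name):
            found[name] = key.findtext("value", default="")
    return found


def compare_passwords(current_xml: str, old_xml: str) -> dict:
    """Return {key: (current_value, old_value)} for keys that differ or exist on one side only."""
    current = ldap_passwords(current_xml)
    old = ldap_passwords(old_xml)
    return {
        name: (current.get(name), old.get(name))
        for name in sorted(set(current) | set(old))
        if current.get(name) != old.get(name)
    }


def apply_old_passwords(current_xml: str, old_xml: str) -> str:
    """Copy the old values into the current file's ldap password keys.

    Only keys already present in the current file are touched; a key that exists
    only in the old file is left for the admin to decide on (it may belong to a
    service that is not installed on the restored server).
    """
    old = ldap_passwords(old_xml)
    root = ET.fromstring(current_xml)
    for key in root.findall("key"):
        name = key.get("name", "")
        if LDAP_PASS_KEY.search(name) and name in old:
            value = key.find("value")
            if value is None:
                value = ET.SubElement(key, "value")
            value.text = old[name]
    return ET.tostring(root, encoding="unicode")


# Constructed sample files: the restored server got fresh random passwords,
# the backup copy still has the ones the services were set up with.
CURRENT_LOCALCONFIG = """<localconfig>
<key name="zimbra_server_hostname"><value>mail.example.test</value></key>
<key name="ldap_root_password"><value>restored-root-pw</value></key>
<key name="zimbra_ldap_password"><value>shared-zimbra-pw</value></key>
<key name="ldap_postfix_password"><value>shared-postfix-pw</value></key>
</localconfig>"""

OLD_LOCALCONFIG = """<localconfig>
<key name="zimbra_server_hostname"><value>mail.example.test</value></key>
<key name="ldap_root_password"><value>old-root-pw</value></key>
<key name="zimbra_ldap_password"><value>shared-zimbra-pw</value></key>
<key name="ldap_postfix_password"><value>shared-postfix-pw</value></key>
<key name="ldap_amavis_password"><value>old-amavis-pw</value></key>
</localconfig>"""

if __name__ == "__main__":
    # Report key names only; the values are secrets and do not belong in a terminal log.
    for name, (cur, old) in compare_passwords(CURRENT_LOCALCONFIG, OLD_LOCALCONFIG).items():
        state = "missing on current server" if cur is None else "differs from backup"
        print(f"{name}: {state}")
    merged = apply_old_passwords(CURRENT_LOCALCONFIG, OLD_LOCALCONFIG)
    print("after merge:", sorted(ldap_passwords(merged)))
```

On a real server the two strings would be read from /opt/zimbra/conf/localconfig.xml and from the backup's sys/localconfig.xml, and the merged text written back while keeping the 0640 zimbra:zimbra permissions the previous section requires.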
zmldappasswd
If the above doesn't work or is not possible, use the 'zmldappasswd' command. The help file for that is self-explanatory:
zmldappasswd --help
You can also see this article, Resetting_LDAP_and_MySQL_Passwords#In_ZCS_5.0.x, for examples. It was last updated for ZCS 5, but is valid for versions up to ZCS 8. The only difference is that a few more options have been added over the years.
Changing ldap directly
If zmldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:
ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'
Replace 'ldap_root_password_value' with your actual password. If this is also incorrect, we'll have to change this manually.
Please do this carefully. If you are unsure and are an NE customer, please contact support before making the changes.
We are going to create a base64-encoded salted SHA password hash, which we will then place directly in ldap.
1) Generate the password hash using 'slappasswd':
For 8.5 and above, SSHA512 should be used:
NEWPASS=`/opt/zimbra/common/sbin/slappasswd -o module-load=pw-sha2 -h {SSHA512} -s 'Very_Secure_pass_591'`
2) BASE64 encode this password hash:
NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64 | tr -d '\n'`
Note: openssl wraps its base64 output at 64 characters, so the encoded hash can span multiple lines; the 'tr' deletes the newline characters and makes it a single line. The entire hash should be on one line. Confirm this by running:
echo $NEWPASSB64
3) As the zimbra user, stop ldap:
ldap stop
4) Take ldap backup.
mkdir /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -n 0 -o ldif-wrap=no -l /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "cn=accesslog" -l /opt/zimbra/data/tmp/ldap_backup/ldap-accesslog.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "" -l /opt/zimbra/data/tmp/ldap_backup/ldap.bak
5) Replace the new password in the file ldap-config.bak.
sed -i.ORG "s/olcRootPW.*/olcRootPW:: $NEWPASSB64/" /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
6) Reload updated ldap-config.bak.
mv /opt/zimbra/data/ldap/config /opt/zimbra/data/ldap/config.old.`date '+%Y%m%d%H%M%S'`
mkdir /opt/zimbra/data/ldap/config
/opt/zimbra/libexec/zmslapadd -c /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
7) Start ldap:
ldap start
8) To test, run:
ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'
9) Then update ldap_root_password in localconfig.xml as well, so it matches the new value.
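Steps 1, 2 and 5 of the procedure above, reproduced in plain Python so the format of each intermediate value is visible. This is an added example, not part of the wiki page and not Zimbra's or OpenLDAP's own code. It assumes the pw-sha2 layout that slappasswd uses for {SSHA512}: the literal prefix {SSHA512} followed by base64(sha512(password + salt) + salt). The salt, the sample LDIF dump and the old password are constructed values; the password 'Very_Secure_pass_591' is the one the page uses.

```python
"""Build an {SSHA512} root password hash and splice it into a slapcat LDIF dump.

Added example, not from the wiki page. Assumed format (OpenLDAP pw-sha2 module):
{SSHA512} + base64(sha512(password + salt) + salt), salt appended after the digest.
"""
import base64
import hashlib
import hmac
import os
import re

SHA512_LEN = 64  # bytes in a SHA-512 digest; whatever follows it in the decoded blob is the salt


def ssha512_hash(password: str, salt=None) -> str:
    """Step 1: return the {SSHA512}... string slappasswd -h {SSHA512} would print."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd picks its own random salt; 8 bytes assumed here
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA512} value (what slapd does on bind)."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:SHA512_LEN], raw[SHA512_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def ldif_base64(value: str) -> str:
    """Step 2: base64 the whole hash string for an 'olcRootPW::' line, as one line."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def replace_root_pw(ldif_text: str, new_b64: str) -> str:
    """Step 5: what the sed command does. Every olcRootPW line (plain ':' or base64 '::')
    is replaced with the new base64 value. Requires an unwrapped dump (ldif-wrap=no),
    otherwise a long value continues on lines starting with a space and would be left behind."""
    pattern = re.compile(r"^olcRootPW::? .*$", re.MULTILINE)
    new_text, count = pattern.subn("olcRootPW:: " + new_b64, ldif_text)
    if count == 0:
        raise ValueError("no olcRootPW line found; is this the -n 0 config dump?")
    return new_text


def root_pw_from_ldif(ldif_text: str) -> str:
    """Read the first olcRootPW value back out of the LDIF, decoding the '::' form."""
    m = re.search(r"^olcRootPW(::?) (.*)$", ldif_text, re.MULTILINE)
    if m is None:
        raise ValueError("no olcRootPW line")
    value = m.group(2)
    if m.group(1) == "::":
        value = base64.b64decode(value).decode("utf-8")
    return value


# Constructed sample: a minimal cn=config dump whose root password is a hash of "old-password".
OLD_HASH = ssha512_hash("old-password", b"oldsalt1")
SAMPLE_LDIF = f"""dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={{0}}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {{0}}config
olcRootDN: cn=config
olcRootPW:: {ldif_base64(OLD_HASH)}
"""

if __name__ == "__main__":
    new_hash = ssha512_hash("Very_Secure_pass_591")
    new_b64 = ldif_base64(new_hash)
    print("NEWPASS   =", new_hash)
    print("NEWPASSB64=", new_b64)
    updated = replace_root_pw(SAMPLE_LDIF, new_b64)
    print(updated)
    print("new password verifies:", verify_ssha512("Very_Secure_pass_591", root_pw_from_ldif(updated)))
```

verify_ssha512 is the check to run before step 6: decode the olcRootPW value out of the edited ldap-config.bak and confirm the intended password verifies against it, so a wrapped or truncated base64 string is caught before the config directory is replaced and slapd is restarted.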
Checking if the password updated correctly
Run the following to check each password.
su - zimbra
source ~/bin/zmshutil; zmsetvars
# Main config user
ldapwhoami -ZZ -x -D cn=config -H ldap://`zmhostname`:389 -w $ldap_root_password
# Zimbra ldap user
ldapwhoami -ZZ -x -D uid=zimbra,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $zimbra_ldap_password
# Replication, if using multiple ldap servers
ldapwhoami -ZZ -x -D uid=zmreplica,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_replication_password
# Amavis
ldapwhoami -ZZ -x -D uid=zmamavis,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_amavis_password
# Nginx
ldapwhoami -ZZ -x -D uid=zmnginx,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_nginx_password
# Postfix
ldapwhoami -ZZ -x -D uid=zmpostfix,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_postfix_password
On successful auth, the output of the above would be the user's DN from ldap:
# Main config user
dn:cn=config
# Zimbra ldap user
dn:uid=zimbra,cn=admins,cn=zimbra
# Replication
dn:uid=zmreplica,cn=admins,cn=zimbra
# Amavis
dn:uid=zmamavis,cn=appaccts,cn=zimbra
# Nginx
dn:uid=zmnginx,cn=appaccts,cn=zimbra
# Postfix
dn:uid=zmpostfix,cn=appaccts,cn=zimbra