ShanxT-LDAP-Auth-Failed
ShanxT - LDAP Auth Failed
Introduction
The password may get reset during a migration, DR, incorrect installation or messing around with the server. The logs will explicitly show errors like LDAP: error code 49 - Invalid Credentials, or you may see postfix not connecting, etc.
Different services (postfix, nginx, etc) also connect to ldap with their respective passwords.
All these passwords are stored in /opt/zimbra/conf/localconfig.xml. To see all the passwords, run:
zmlocalconfig -s | grep ldap.*_pass
Checking localconfig.xml
We just need to determine how the password got reset. If it is during a migration or DR, one of the following is usually the culprit:
Incorrect permissions on localconfig.xml
In this case, the password isn't wrong, the file is just not readable by Zimbra. Confirm the permissions are as shown:
ls -l /opt/zimbra/conf/localconfig.xml -rw-r-----. 1 zimbra zimbra 3887 Jun 4 20:08 /opt/zimbra/conf/localconfig.xml
Passwords weren't taken from the old localconfig.xml
After restoring the server, the passwords weren't not taken from the old localconfig.xml. So just pick the old localconfig.xml from the server, or from a backup, and replace the passwords on the current server's localconfig file.
In a backup, it'll be in your 'sessions/<full-incr backup name>/sys' folder. Example:
/opt/zimbra/backup/sessions/full-20130524.193020.262/sys/localconfig.xml
zmldappasswd
If the above doesn't work or is not possible, use the 'zmldappasswd' command. The help file for that is self-explanatory:
zmldappasswd --help
You can also see this article, Resetting_LDAP_and_MySQL_Passwords#In_ZCS_5.0.x, for examples. It was last updated for ZCS 5, but is valid for versions unto ZCS 8. The only difference is that a few more options have been added over the years
Changing ldap directly
If zmdldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:
ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'
Replace 'ldap_root_password_value' with your actual password. If this is also incorrect, we'll have to change this manually.
Please do this carefully. If you are unsure, and are an NE customer, please contact support before making the changes.
We are going to create a base64 encoded salted SHA password, that we will then directly place in the ldap.
- 1. Generate the password hash using 'slappasswd':
NEWPASS='/opt/zimbra/openldap/sbin/slappasswd -v -s 'Very_secure_pass_591' -h {SSHA}`
- 2. BASE64 encode this password hash:
NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64`
- 3. As the zimbra user, stop ldap:
ldap stop
- 4. Replace this new password in the file ~/data/ldap/config/cn=config/olcDatabase={0}config.ldif:
cp '~/data/ldap/config/cn=config/olcDatabase={0}config.ldif' /tmp/ sed -i "s/olcRootPW.*/olcRootPW:: $NEWPASSB64" '~/data/ldap/config/cn=config/olcDatabase={0}config.ldif'
The above command takes a backup of 'olcDatabase={0}config.ldif', and the places the new password in the file. If the command fails for whatever reason, just do the steps manually. Take a backup, and replace the existing value of 'olcRootPW:: ' in the 'olcDatabase={0}config.ldif' file with the value of $NEWPASS64.
- 5. Start ldap:
ldap start
- 6. To test, run:
ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'
- 7. Then update localconfig.xml as well