ShanxT-LDAP-CheatSheet: Difference between revisions
{{Article Footer|Zimbra Collaboration Suite 7,8|06/12/2013}}
[[Category: Community Sandbox]]
[[Category: Administration]]
[[Category: User Management]]
Latest revision as of 10:02, 31 March 2016
Setting the ldap variables
The variables used by LDAP can be set by running:
su - zimbra
source ~/bin/zmshutil ; zmsetvars
This will set the values for variables like '$ldap_master_url', '$zimbra_ldap_password', etc.
Alternatively, they can be taken from localconfig.xml as well. To do so, either run:
zmlocalconfig -s | grep 'ldap_' | egrep 'password|url'
Or directly open '/opt/zimbra/conf/localconfig.xml', and take the values from there.
Parsing through ldap
Basic search:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
Specifying the 'people' ou as the search base. 'dc=example' and 'dc=com' will have to be replaced with your domain:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -LLL -b 'ou=people,dc=example,dc=com'
Alternatively, using a search filter instead of a search base, which here also restricts the result to entries of the object class 'zimbraAccount':
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -LLL '(&(objectClass=zimbraAccount)(ou:dn:=people))'
Using search base and showing the uid for admin accounts:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -b 'ou=people,dc=example,dc=com' -LLL '(&(uid=*)(zimbraIsAdminAccount=TRUE))' uid
Listing out all the servers:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -b 'cn=servers,cn=zimbra'
Example using localconfig keys:
ldapsearch -x -D `zmlocalconfig -m nokey -s zimbra_ldap_userdn` -w `zmlocalconfig -m nokey -s zimbra_ldap_password` -h `hostname -f`
Searching against an AD server:
ldapsearch -H ldap://ad.example.net:3268 -D admin -x -w pass -b "ou=users,dc=example,dc=net"
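When the searches above are scripted rather than typed by hand, the value that ends up inside the filter (a mail address, a zimbraId) should be escaped so it cannot change the filter's structure, and the command should be built as an argv list so the shell never re-parses it. The following is an added example, not code from the cheat sheet or from Zimbra; escaping follows RFC 4515, attribute names are assumed to be trusted constants, and the environment variable names are assumed to be the ones `zmsetvars` exports.

```python
"""Build ldapsearch filters and argv without shell or filter injection.

Added example; not from the cheat sheet. Value escaping follows RFC 4515
section 3. Attribute names are assumed to be trusted constants.
"""
import os
import shlex

# Filter metacharacters that RFC 4515 requires to be escaped inside a value.
_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # control and non-ASCII characters: one \xx escape per UTF-8 byte
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def equality(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def all_of(*filters: str) -> str:
    """AND several filters together: (&(f1)(f2)...)."""
    return "(&" + "".join(filters) + ")"


def admin_accounts_filter() -> str:
    # Same filter as the cheat sheet's admin search; the '*' is a deliberate
    # presence test written by us, so it is not escaped.
    return all_of("(uid=*)", "(zimbraIsAdminAccount=TRUE)")


def account_by_mail_filter(mail: str) -> str:
    """Look up one zimbraAccount by mail address, escaping the address."""
    return all_of("(objectClass=zimbraAccount)", equality("mail", mail))


def ldapsearch_argv(url: str, binddn: str, password: str, base: str,
                    filt: str, attrs=()) -> list:
    """argv for ldapsearch, as a list so no value is ever parsed by a shell."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", url, "-D", binddn,
            "-w", password, "-b", base, filt]
    return argv + list(attrs)


if __name__ == "__main__":
    # Assumption: zmsetvars has exported these variables into the environment;
    # the fallbacks are constructed placeholders.
    argv = ldapsearch_argv(
        os.environ.get("ldap_master_url", "ldap://ldap.example.com:389"),
        os.environ.get("zimbra_ldap_userdn", "uid=zimbra,cn=admins,cn=zimbra"),
        os.environ.get("zimbra_ldap_password", "PLACEHOLDER"),
        "ou=people,dc=example,dc=com",
        account_by_mail_filter("admin@example.com"),
        ("uid", "zimbraId"),
    )
    # shlex.join shows how the command would have to be quoted if typed by hand
    print(shlex.join(argv))
```

Passing the list to `subprocess.run(argv)` runs the same search the cheat sheet shows for 'ou=people' without any shell quoting; an address like `*)(uid=*` supplied by a user is turned into a literal value rather than a second filter clause.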
Quick Debug info
ldapsearch -x -h 2d.snx -v -d 7
Modifying ldap
ldapmodify -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
The cursor will move to the next line, where you can enter the modification you wish to make in LDIF form. Make sure to press 'Ctrl+D' after the modifications are over.
Example - To change uid:
ldapmodify -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
dn: uid=old_user_uid,dc=domain
changetype: modrdn
newrdn: uid=new_user_uid
deleteoldrdn: 1
(Press Ctrl+D)
To modify the mail attribute:
dn: uid=admin,ou=people,dc=example,dc=com
changetype: modify
replace: mail
mail: admin@example.com
mail: postmaster@example.com
mail: root@example.com
(Press Ctrl+D)
Deleting an ldap entry
ldapdelete -v -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password "uid=testtest,ou=people,dc=example,dc=shanx"
Find an account based on an ldap attribute - zimbra sa
We can use this to get the accounts containing a particular attribute value. Say we have a zimbraId and would like to know which account it belongs to:
zmprov sa zimbraId=bd400158-aa2e-4c10-8ea7-95be59564b47
'-v' will show all the details of those accounts. This is exactly like the output we get by running 'zmprov -l ga <email address>', only this time the lookup is based on any LDAP attribute.
For example, to get all the details of all the accounts on a particular mail host:
zmprov sa -v "zimbraMailHost=8b.snx"
Checking Passwords
This is to check if the passwords stored in localconfig.xml are correct. Get the password and check with the following commands.
The results of the following should simply return the DN of the authenticated user. An 'Invalid Credentials' error message would show something is wrong.
Checking Zimbra Password. This should match the 'zimbra_ldap_password' in localconfig.xml:
ldapwhoami -ZZZ -x -h `zmhostname` -D "uid=zimbra,cn=admins,cn=zimbra" -W
OR
ldapwhoami -x -h `zmhostname` -D "uid=zimbra,cn=admins,cn=zimbra" -W
The use of '-ZZZ' depends on your TLS settings.
Checking LDAP root password. This should match the 'zimbra_ldap_password' entry:
ldapwhoami -x -h `zmhostname` -D "cn=config" -W
If the passwords need to be changed, see this article: ShanxT-LDAP-Auth-Failed
Encoding of entries
In ldapsearch output, a value is shown base64 encoded (after a double colon, 'attribute::') if it is a password, or if a value such as a person's name contains special characters, like an umlaut. To decode, simply run:
echo 'e1NTSEF9Nmc4WDVsR3F6Snl3T21NMTU3NlB2WE4xMFV1L2hTSzU=' | base64 -d
The above is a password, so the output would be:
{SSHA}6g8X5lGqzJywOmM1576PvXN10Uu/hSK5
This shows the password is a salted SHA password.
To encode:
echo 'ThisIsMyPassword' | base64
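Decoding one value at a time is fine at the shell, but a script that reads the 'ldapsearch -LLL' output from the parsing section needs to undo both the base64 ('attribute::') and the line folding (continuation lines starting with a space), and once a '{SSHA}' value is decoded it can be checked against a candidate password, which is another way to confirm the password in localconfig.xml matches what the directory holds. The block below is an added example, not code from the cheat sheet or from Zimbra; the sample LDIF, its salt and its umlaut name are constructed, and the only page value it reuses is the encoded string shown above.

```python
"""Parse ldapsearch -LLL output (LDIF) and check {SSHA} userPassword values.

Added example, not taken from the cheat sheet. SAMPLE_LDIF is constructed;
its {SSHA} value is generated here from the constructed salt SAMPLE_SALT.
"""
import base64
import hashlib
import hmac

# The encoded value quoted in the cheat sheet's "Encoding of entries" section.
PAGE_ENCODED = "e1NTSEF9Nmc4WDVsR3F6Snl3T21NMTU3NlB2WE4xMFV1L2hTSzU="


def decode_page_example() -> str:
    """Same as `echo ... | base64 -d` on the cheat sheet's value."""
    return base64.b64decode(PAGE_ENCODED).decode("ascii")


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (starting with one space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # the leading space is folding, not content
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return entries as dicts {attr: [values]}; 'attr:: value' is base64-decoded as UTF-8."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:                   # blank line ends an entry
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue                      # LDIF comment
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.lstrip(" ")      # 'attr:< url' references are not handled here
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def ssha_split(stored: str):
    """Split a '{SSHA}...' value into (sha1_digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]             # SHA-1 digest is 20 bytes; the rest is the salt


def ssha_hash(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


SAMPLE_SALT = b"saltsalt"                  # constructed salt
SAMPLE_LDIF = (                            # constructed ldapsearch -LLL output
    "dn: uid=admin,ou=people,dc=example,dc=com\n"
    "uid: admin\n"
    "cn:: " + base64.b64encode("Jürgen Müller".encode("utf-8")).decode("ascii") + "\n"
    "userPassword:: "
    + base64.b64encode(ssha_hash("ThisIsMyPassword", SAMPLE_SALT).encode("ascii")).decode("ascii")
    + "\n"
    "mail: admin@example.com\n"
    "mail: postmaster@example.com\n"
    "description: a value that ldapsearch\n"
    "  folded onto two lines\n"
    "\n"
)


def check_sample(password: str) -> bool:
    """Parse SAMPLE_LDIF and test `password` against the entry's userPassword."""
    entry = parse_ldif(SAMPLE_LDIF)[0]
    return ssha_verify(password, entry["userPassword"][0])


if __name__ == "__main__":
    print(decode_page_example())
    for attr, values in parse_ldif(SAMPLE_LDIF)[0].items():
        print(attr, values)
    print("password ok:", check_sample("ThisIsMyPassword"))
```

The cheat sheet's own hash decodes to 20 digest bytes plus a 4-byte salt, which is what OpenLDAP's default {SSHA} scheme produces; `ssha_verify` recomputes SHA-1 over password and salt and compares in constant time, so the same function can confirm a localconfig password without ever printing the hash.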