Zimbra-LDAP Multival Configuration: Difference between revisions

No edit summary
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
= Zimbra-Openldap MultiVal and SortVal configurations. =
= Zimbra-Openldap MultiVal and SortVal configurations. =
==== Prerequisite: ====  
==== Prerequisite: ====  
Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b2 or above.
Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b3 or above.


'''NOTE - These steps are required only for very large ZCS deployments having millions of entries in ldap.'''
'''NOTE - These steps are required only for very large ZCS deployments having millions of entries in ldap.'''
Line 10: Line 11:
   $ ldap restart
   $ ldap restart


==== Configure SortVal ====
==== Configure SortVal and MultiVal ====
As Zimbra user, use ldapmodify commands to add sortval configuration in config db.
As Zimbra user, use ldapmodify commands to add sortval configuration in config db.
* ldapmodify takes one or more LDIF update statements configured at the command-line, and ends the input with an end-of-file (EOF) marker.
* ldapmodify takes one or more LDIF update statements configured at the command-line, and ends the input with an end-of-file (EOF) marker.
* Type Control-D (^d) as EOF.
* Type Ctrl-D (^d) to EOF.
* Replace ldap_master_hostname with the ldap server hostname
* Replace ldap_master_hostname with the ldap server hostname
* As Zimbra user
* As Zimbra user


* For a master in an ldap + replica or MMR setup use olcDatabase={3}mdb,cn=config
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars  
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars  
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password  
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password  
  dn: olcDatabase={-1}frontend,cn=config
  dn: olcDatabase={3}mdb,cn=config
  changetype: modify
  changetype: modify
  add: olcSortVals
  add: olcDbMultival
  olcSortVals: zimbraACE
  olcDbMultival: default 100,3
  olcSortVals: zimbraAuthTokens
olcDbMultival: zimbraACE 20,3
  olcSortVals: zimbraCsrfTokenData
  olcDbMultival: zimbraAuthTokens 20,3
  olcSortVals: zimbraPasswordLockoutFailureTime
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3


==== Configure MultiVal ====
After the above statement, type Ctrl-D (^d) to EOF and submit the changes.
Note based upon MMR and standalone server, you will have to use the config db.
* Replace ldap_master_hostname with the ldap server hostname
* For a master in an ldap + replica or MMR setup use olcDatabase={3}mdb,cn=config
 
$ source /opt/zimbra/bin/zmshutil ; zmsetvars
$ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
dn: olcDatabase={3}mdb,cn=config
changetype: modify
add: olcDbMultivalHi
olcDbMultivalHi: 100
 
$ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
dn: olcDatabase={3}mdb,cn=config
changetype: modify
add: olcDbMultivalLo
olcDbMultivalLo: 3


* For a standalone ldap server or a replica then use olcDatabase={2}mdb,cn=config
* For a standalone ldap server or a replica then use olcDatabase={2}mdb,cn=config
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars  
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars  
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password  
  dn: olcDatabase={2}mdb,cn=config
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  changetype: modify
  add: olcDbMultivalHi
  add: olcDbMultival
  olcDbMultivalHi: 100
  olcDbMultival: default 100,3
 
  olcDbMultival: zimbraACE 20,3
  $ ldapmodify -c -H "ldap:// ldap_master_hostname:389" -D cn=config -w $ldap_root_password
  olcDbMultival: zimbraAuthTokens 20,3
  dn: olcDatabase={2}mdb,cn=config
  olcDbMultival: zimbraCsrfTokenData 20,3
  changetype: modify
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3
  add: olcDbMultivalLo
 
olcDbMultivalLo: 3
After the above statement, type Ctrl-D (^d) to EOF and submit the changes.


==== Verify the configuration. ====
==== Verify the configuration. ====
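Review bot: the revised heading and intro still refer to SortVal ("Configure SortVal and MultiVal", "add sortval configuration in config db"), but the revised LDIF for both olcDatabase={3}mdb and olcDatabase={2}mdb only adds olcDbMultival values and no olcSortVals value. Either reword the intro to name olcDbMultival or state explicitly that olcSortVals is no longer set by these steps.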
Line 64: Line 51:
   $ ldapsearch -LLL -x -H ldapi:/// -D cn=config -w $ldap_root_password -b cn=config | grep -e olcSortVals -e olcDbMultival
   $ ldapsearch -LLL -x -H ldapi:/// -D cn=config -w $ldap_root_password -b cn=config | grep -e olcSortVals -e olcDbMultival
   olcAttributeTypes: ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose va
   olcAttributeTypes: ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose va
   olcAttributeTypes: ( OLcfgDbAt:12.6 NAME 'olcDbMultivalHi' DESC 'Threshold for
   olcAttributeTypes: ( OLcfgDbAt:12.6 NAME 'olcDbMultival' DESC 'Hi/Lo threshold
  olcAttributeTypes: ( OLcfgDbAt:12.7 NAME 'olcDbMultivalLo' DESC 'Threshold for
   axSize $ olcDbMode $ olcDbSearchStack $ olcDbRtxnSize $ olcDbMultival ) )
   axSize $ olcDbMode $ olcDbSearchStack $ olcDbRtxnSize $ olcDbMultivalHi $ olc
  olcDbMultival: default 100,3
   olcSortVals: zimbraACE
   olcDbMultival: zimbraACE 20,3
   olcSortVals: zimbraAuthTokens
   olcDbMultival: zimbraAuthTokens 20,3
   olcSortVals: zimbraCsrfTokenData
   olcDbMultival: zimbraCsrfTokenData 20,3
   olcSortVals: zimbraPasswordLockoutFailureTime
   olcDbMultival: zimbraPasswordLockoutFailureTime 20,3
  olcDbMultivalLo: 3
 
  olcDbMultivalHi: 100
After the above statement, type Ctrl-D (^d) to EOF and submit the changes.


====  Export the primary database to LDIF. ====
====  Export the primary database to LDIF. ====
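Review bot: the sentence "After the above statement, type Ctrl-D (^d) to EOF and submit the changes." now sits at the end of the verify section, after the ldapsearch output, where no LDIF is being typed in; it reads as copied from the ldapmodify steps and should be dropped here. The grep also still matches olcSortVals, although the expected output no longer lists any olcSortVals value apart from the schema line.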
Line 102: Line 89:
   $ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak
   $ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak


9) start ldap
==== Start ldap ====
As the zimbra user:
As the zimbra user:
   $ ldap start
   $ ldap start
= Ldap Upgrade and Configuration when MultiVal and SortVal is already configured=
Note: Please follow these steps when MultiVal and SortVal attributes are already configured.
1) Stop ldap on the server
* As zimbra user:
  $ ldap stop
2) Export the primary database to LDIF.
* As zimbra user:
$ su - zimbra
$ /opt/zimbra/libexec/zmslapcat /path/to/output/dir
3) Export the accesslog database to LDIF (if this is a master server)
* As zimbra user:
  $ /opt/zimbra/libexec/zmslapcat -a /path/to/output/dir
4) Export the configuration database to LDIF (if this is a master server)
* As zimbra user:
$ /opt/zimbra/libexec/zmslapcat -c /path/to/output/dir
5) Now update the config db with the new parameters for multival
$ cd /path/to/output/dir
Use favorite editor on ldap-config.bak
Removing old attributes:
* Find below(old) attributes and remove them from config file:
olcSortVals: zimbraACE
olcSortVals: zimbraAuthTokens
olcSortVals: zimbraCsrfTokenData
olcSortVals: zimbraPasswordLockoutFailureTime
olcDbMultivalHi: 100
olcDbMultivalLo: 3
Adding new attributes:
* For a master in an ldap + replica or MMR setup find olcDatabase={3}mdb,cn=config
* For a standalone ldap server or a replica then find olcDatabase={2}mdb,cn=config
Add the following attribute value pairs to the entry:
olcDbMultival: default 100,3
olcDbMultival: zimbraACE 20,3
olcDbMultival: zimbraAuthTokens 20,3
olcDbMultival: zimbraCsrfTokenData 20,3
olcDbMultival: zimbraPasswordLockoutFailureTime 20,3
6) Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b3 or above
7) Reload the configuration database
* As zimbra user:
  $ cd /opt/zimbra/data/ldap
  $ mv config config.old
  $ mkdir config
  $ /opt/zimbra/libexec/zmslapadd -c /path/to/output/dir/ldap-config.bak
8) Start ldap
* As zimbra user:
$ ldap start
9) Reload the primary database
* As zimbra user:
  $ cd /opt/zimbra/data/ldap
  $ mv mdb mdb.old
  $ mkdir -p mdb/db
  $ /opt/zimbra/libexec/zmslapadd /path/to/output/dir/ldap.bak
10) Reload the accesslog database (if this is a master server)
* As zimbra user:
$ cd /opt/zimbra/data/ldap
$ mv accesslog accesslog.old
$ mkdir -p accesslog/db
$ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak
Restart ldap
* Restart ldap as zimbra user:
$ su - zimbra
$ ldap restart
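Review bot: in the new upgrade section, "8) Start ldap" comes before "9) Reload the primary database" and "10) Reload the accesslog database", whereas the first procedure on this page stops ldap, reloads with zmslapadd, and only then starts it. Moving mdb and accesslog aside and running zmslapadd after ldap has been started conflicts with that order; move the start after step 10, or rely on the closing "Restart ldap". Step 4 is also marked "(if this is a master server)" even though step 5 edits ldap-config.bak for standalone servers and replicas too.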

Latest revision as of 12:49, 6 August 2019

Zimbra-Openldap MultiVal and SortVal configurations.

Prerequisite:

Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b3 or above.

NOTE - These steps are required only for very large ZCS deployments having millions of entries in LDAP.

Restart ldap

Restart ldap as zimbra user:

 $ su - zimbra
 $ ldap restart

Configure SortVal and MultiVal

As the zimbra user, use ldapmodify to add the sortval configuration to the config db.

  • ldapmodify reads one or more LDIF update statements typed at the command line; end the input with an end-of-file (EOF) marker.
  • Type Ctrl-D (^D) to send EOF.
  • Replace ldap_master_hostname with the LDAP server hostname.
  • Run the commands as the zimbra user.
  • For a master in an ldap + replica or MMR setup, use olcDatabase={3}mdb,cn=config:
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
  dn: olcDatabase={3}mdb,cn=config
  changetype: modify
  add: olcDbMultival
  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3

After the above statement, type Ctrl-D (^D) to send EOF and submit the changes.

  • For a standalone LDAP server or a replica, use olcDatabase={2}mdb,cn=config:
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  add: olcDbMultival
  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3

After the above statement, type Ctrl-D (^D) to send EOF and submit the changes.

Verify the configuration.

As zimbra user:

  $ source /opt/zimbra/bin/zmshutil ; zmsetvars ; 
  $ ldapsearch -LLL -x -H ldapi:/// -D cn=config -w $ldap_root_password -b cn=config | grep -e olcSortVals -e olcDbMultival
  olcAttributeTypes: ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose va
  olcAttributeTypes: ( OLcfgDbAt:12.6 NAME 'olcDbMultival' DESC 'Hi/Lo threshold
  axSize $ olcDbMode $ olcDbSearchStack $ olcDbRtxnSize $ olcDbMultival ) )
  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3

After the above statement, type Ctrl-D (^D) to send EOF and submit the changes.

Export the primary database to LDIF.

As zimbra user:

 $ su - zimbra
 $ /opt/zimbra/libexec/zmslapcat /path/to/output/dir

Export the accesslog database to LDIF (if this is a master server)

As zimbra user:

  $ /opt/zimbra/libexec/zmslapcat -a /path/to/output/dir

Stop ldap on the server

As zimbra user:

  $ ldap stop

Reload the primary database

As the zimbra user:

  $ cd /opt/zimbra/data/ldap
  $ mv mdb mdb.old
  $ mkdir -p mdb/db
  $ /opt/zimbra/libexec/zmslapadd /path/to/output/dir/ldap.bak

Reload the accesslog database (if this is a master server)

As the zimbra user:

 $ cd /opt/zimbra/data/ldap
 $ mv accesslog accesslog.old
 $ mkdir -p accesslog/db
 $ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak

Start ldap

As the zimbra user:

 $ ldap start

LDAP Upgrade and Configuration when MultiVal and SortVal are already configured

Note: Please follow these steps when MultiVal and SortVal attributes are already configured.

1) Stop ldap on the server

  • As zimbra user:
 $ ldap stop

2) Export the primary database to LDIF.

  • As zimbra user:
$ su - zimbra
$ /opt/zimbra/libexec/zmslapcat /path/to/output/dir

3) Export the accesslog database to LDIF (if this is a master server)

  • As zimbra user:
 $ /opt/zimbra/libexec/zmslapcat -a /path/to/output/dir

4) Export the configuration database to LDIF (if this is a master server)

  • As zimbra user:
$ /opt/zimbra/libexec/zmslapcat -c /path/to/output/dir

5) Now update the config db with the new parameters for multival

  $ cd /path/to/output/dir

Open ldap-config.bak in your favorite editor.

Removing old attributes:

  • Find the following (old) attributes and remove them from the config file:
  olcSortVals: zimbraACE
  olcSortVals: zimbraAuthTokens
  olcSortVals: zimbraCsrfTokenData
  olcSortVals: zimbraPasswordLockoutFailureTime
  olcDbMultivalHi: 100
  olcDbMultivalLo: 3

Adding new attributes:

  • For a master in an ldap + replica or MMR setup, find olcDatabase={3}mdb,cn=config
  • For a standalone ldap server or a replica, find olcDatabase={2}mdb,cn=config

Add the following attribute value pairs to the entry:

  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3

6) Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b3 or above

7) Reload the configuration database

  • As zimbra user:
 $ cd /opt/zimbra/data/ldap
 $ mv config config.old
 $ mkdir config
 $ /opt/zimbra/libexec/zmslapadd -c /path/to/output/dir/ldap-config.bak

8) Start ldap

  • As zimbra user:
$ ldap start

9) Reload the primary database

  • As zimbra user:
 $ cd /opt/zimbra/data/ldap
 $ mv mdb mdb.old
 $ mkdir -p mdb/db
 $ /opt/zimbra/libexec/zmslapadd /path/to/output/dir/ldap.bak

10) Reload the accesslog database (if this is a master server)

  • As zimbra user:
$ cd /opt/zimbra/data/ldap
$ mv accesslog accesslog.old
$ mkdir -p accesslog/db
$ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak

Restart ldap

  • Restart ldap as zimbra user:
$ su - zimbra
$ ldap restart
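
The manual edit of ldap-config.bak in step 5 can be scripted so that the wrong database index is caught before the config is reloaded. This is an added example, not part of the original wiki page or of Zimbra's tooling: migrate_multival and sample_config are hypothetical names, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: automates the step 5 edit of the exported config LDIF.
# Usage: migrate_multival DB_INDEX < ldap-config.bak > ldap-config.new
# DB_INDEX is 3 for a master (replica or MMR setup), 2 for standalone/replica.
migrate_multival() {
    awk -v target="dn: olcDatabase={$1}mdb,cn=config" '
    BEGIN {
        n = split("zimbraACE zimbraAuthTokens zimbraCsrfTokenData zimbraPasswordLockoutFailureTime", attr, " ")
        # Exact old lines the page says to remove.
        for (i = 1; i <= n; i++) old["olcSortVals: " attr[i]] = 1
        old["olcDbMultivalHi: 100"] = 1
        old["olcDbMultivalLo: 3"] = 1
    }
    # Append the new values at the end of the target entry.
    function emit_new() {
        if (!in_target) return
        print "olcDbMultival: default 100,3"
        for (i = 1; i <= n; i++) print "olcDbMultival: " attr[i] " 20,3"
        in_target = 0; found = 1
    }
    $0 in old { next }
    /^dn: / { in_target = ($0 == target) }
    # Drop values already present so a second run does not duplicate them.
    in_target && /^olcDbMultival: / { next }
    /^$/ { emit_new() }
    { print }
    # Non-zero exit when the chosen database entry is absent (wrong index).
    END { emit_new(); exit(found ? 0 : 1) }
    '
}

# Constructed sample input (not a real export); attribute placement is assumed.
sample_config() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcSortVals: zimbraACE
olcSortVals: zimbraAuthTokens
olcSortVals: zimbraCsrfTokenData
olcSortVals: zimbraPasswordLockoutFailureTime

dn: olcDatabase={3}mdb,cn=config
olcDatabase: {3}mdb
olcDbMultivalHi: 100
olcDbMultivalLo: 3
EOF
}
```

Write the result to a new file and diff it against ldap-config.bak before passing it to zmslapadd -c in step 7.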