Difference between revisions of "Zimbra-LDAP Multival Configuration"

Revision as of 12:32, 6 November 2018

Zimbra-Openldap MultiVal and SortVal configurations.

Prerequisite:

Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b3 or above.

NOTE - These steps are required only for very large ZCS deployments having millions of entries in ldap.

Restart ldap

Restart ldap as zimbra user:

 $ su - zimbra
 $ ldap restart

Configure SortVal and MultiVal

As the zimbra user, use ldapmodify to add the MultiVal configuration to the config db.

  • ldapmodify takes one or more LDIF update statements configured at the command-line, and ends the input with an end-of-file (EOF) marker.
  • Type Control-D (^d) as EOF.
  • Replace ldap_master_hostname with the ldap server hostname
  • As Zimbra user
  • For a master in an ldap + replica or MMR setup use olcDatabase={3}mdb,cn=config
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
  dn: olcDatabase={3}mdb,cn=config
  changetype: modify
  add: olcDbMultival
  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3
  • For a standalone ldap server or a replica use olcDatabase={2}mdb,cn=config
  $ source /opt/zimbra/bin/zmshutil ; zmsetvars
  $ ldapmodify -c -H "ldap://ldap_master_hostname:389" -D cn=config -w $ldap_root_password
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  add: olcDbMultival
  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3

Verify the configuration.

As zimbra user:

  $ source /opt/zimbra/bin/zmshutil ; zmsetvars
  $ ldapsearch -LLL -x -H ldapi:/// -D cn=config -w $ldap_root_password -b cn=config | grep -e olcSortVals -e olcDbMultival
  olcAttributeTypes: ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose va
  olcAttributeTypes: ( OLcfgDbAt:12.6 NAME 'olcDbMultival' DESC 'Hi/Lo threshold
  axSize $ olcDbMode $ olcDbSearchStack $ olcDbRtxnSize $ olcDbMultival ) )
  olcDbMultival: default 100,3
  olcDbMultival: zimbraACE 20,3
  olcDbMultival: zimbraAuthTokens 20,3
  olcDbMultival: zimbraCsrfTokenData 20,3
  olcDbMultival: zimbraPasswordLockoutFailureTime 20,3

Export the primary database to LDIF.

As zimbra user:

 $ su - zimbra
 $ /opt/zimbra/libexec/zmslapcat /path/to/output/dir

Export the accesslog database to LDIF (if this is a master server)

As zimbra user:

  $ /opt/zimbra/libexec/zmslapcat -a /path/to/output/dir

Stop ldap on the server

As zimbra user:

  $ ldap stop

Reload the primary database

As the zimbra user:

  $ cd /opt/zimbra/data/ldap
  $ mv mdb mdb.old
  $ mkdir -p mdb/db
  $ /opt/zimbra/libexec/zmslapadd /path/to/output/dir/ldap.bak

Reload the accesslog database (if this is a master server)

As the zimbra user:

 $ cd /opt/zimbra/data/ldap
 $ mv accesslog accesslog.old
 $ mkdir -p accesslog/db
 $ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak

Start ldap

As the zimbra user:

 $ ldap start

Ldap Upgrade and Configuration when MultiVal and SortVal are already configured

Note: Please follow these steps when MultiVal and SortVal attributes are already configured.

1) Stop ldap on the server

  • As zimbra user:
 $ ldap stop

2) Export the primary database to LDIF.

  • As zimbra user:
$ su - zimbra
$ /opt/zimbra/libexec/zmslapcat /path/to/output/dir

3) Export the accesslog database to LDIF (if this is a master server)

  • As zimbra user:
 $ /opt/zimbra/libexec/zmslapcat -a /path/to/output/dir

4) Export the configuration database to LDIF (if this is a master server)

  • As zimbra user:
$ /opt/zimbra/libexec/zmslapcat -c /path/to/output/dir

5) Now update the config db with the new parameters for multival

$ cd /path/to/output/dir

Open ldap-config.bak in your preferred editor.

Removing old attributes:

  • Find the following (old) attributes and remove them from the config file:
olcSortVals: zimbraACE
olcSortVals: zimbraAuthTokens
olcSortVals: zimbraCsrfTokenData
olcSortVals: zimbraPasswordLockoutFailureTime
olcDbMultivalHi: 100
olcDbMultivalLo: 3

Adding new attributes:

  • For a master in an ldap + replica or MMR setup find olcDatabase={3}mdb,cn=config
  • For a standalone ldap server or a replica find olcDatabase={2}mdb,cn=config

Add the following attribute value pairs to the entry:

olcDbMultival: default 100,3
olcDbMultival: zimbraACE 20,3
olcDbMultival: zimbraAuthTokens 20,3
olcDbMultival: zimbraCsrfTokenData 20,3
olcDbMultival: zimbraPasswordLockoutFailureTime 20,3
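Step 5 is a hand edit of ldap-config.bak. The script below is an added example, not part of the Zimbra wiki page, that performs the same edit mechanically: it drops the old olcSortVals and olcDbMultivalHi/Lo lines and appends the five olcDbMultival values to the database entry named on the command line, failing if that entry is absent. The function name migrate_multival is hypothetical and the sample LDIF is constructed; it assumes the affected lines are not folded or base64-encoded in the export.

```shell
#!/bin/sh
# Hypothetical helper (not from the Zimbra wiki): applies step 5 to a
# zmslapcat -c export read on stdin and writes the migrated LDIF to stdout.
# $1 is the entry that receives the new values: olcDatabase={3}mdb,cn=config
# (master in ldap+replica or MMR) or olcDatabase={2}mdb,cn=config (standalone/replica).
migrate_multival() {
    awk -v target="$1" '
    # Old SortVal entries and the old Hi/Lo thresholds are dropped wherever they appear.
    /^olcSortVals: zimbra(ACE|AuthTokens|CsrfTokenData|PasswordLockoutFailureTime)$/ { next }
    /^olcDbMultivalHi: 100$/ || /^olcDbMultivalLo: 3$/ { next }
    # Entries are blank-line separated; remember whether the current one is the target.
    /^dn: / { indb = ($0 == ("dn: " target)) }
    /^$/ && indb { emit(); indb = 0 }
    { print }
    END { if (indb) emit() }   # target was the last entry and had no trailing blank line
    END { if (!emitted) { print "entry not found: " target > "/dev/stderr"; exit 1 } }
    function emit() {
        print "olcDbMultival: default 100,3"
        print "olcDbMultival: zimbraACE 20,3"
        print "olcDbMultival: zimbraAuthTokens 20,3"
        print "olcDbMultival: zimbraCsrfTokenData 20,3"
        print "olcDbMultival: zimbraPasswordLockoutFailureTime 20,3"
        emitted = 1
    }'
}

# Constructed sample standing in for /path/to/output/dir/ldap-config.bak,
# reduced to the two entries that matter for this migration.
sample_config_ldif() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcSortVals: zimbraACE
olcSortVals: zimbraAuthTokens
olcSortVals: zimbraCsrfTokenData
olcSortVals: zimbraPasswordLockoutFailureTime

dn: olcDatabase={3}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbMultivalHi: 100
olcDbMultivalLo: 3
EOF
}

# On a real export: migrate_multival 'olcDatabase={3}mdb,cn=config' < ldap-config.bak > ldap-config.new
sample_config_ldif | migrate_multival 'olcDatabase={3}mdb,cn=config'
```

Review the generated file before running zmslapadd -c with it; the script only rewrites the lines listed in step 5 and leaves every other attribute untouched.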

6) Install latest zimbra-openldap-server version 2.4.46-1zimbra8.7b3 or above

7) Reload the configuration database

  • As zimbra user:
 $ cd /opt/zimbra/data/ldap
 $ mv config config.old
 $ mkdir config
 $ /opt/zimbra/libexec/zmslapadd -c /path/to/output/dir/ldap-config.bak

8) Start ldap

  • As zimbra user:
$ ldap start

9) Reload the primary database

  • As zimbra user:
 $ cd /opt/zimbra/data/ldap
 $ mv mdb mdb.old
 $ mkdir -p mdb/db
 $ /opt/zimbra/libexec/zmslapadd /path/to/output/dir/ldap.bak

10) Reload the accesslog database (if this is a master server)

  • As zimbra user:
$ cd /opt/zimbra/data/ldap
$ mv accesslog accesslog.old
$ mkdir -p accesslog/db
$ /opt/zimbra/libexec/zmslapadd -a /path/to/output/dir/ldap-accesslog.bak

Restart ldap

  • Restart ldap as zimbra user:
$ su - zimbra
$ ldap restart