ShanxT - LDAP Auth Failed

   KB 20481        Last updated on 06/10/2016  

(0 votes)


The password may get reset during a migration, DR, incorrect installation or messing around with the server. The logs will explicitly show errors like LDAP: error code 49 - Invalid Credentials, or you may see postfix not connecting, etc.

Different services (postfix, nginx, etc) also connect to ldap with their respective passwords.

All these passwords are stored in /opt/zimbra/conf/localconfig.xml. To see all the passwords, run:

zmlocalconfig -s | grep ldap.*_pass

Checking localconfig.xml

We just need to determine how the password got reset. If it is during a migration or DR, one of the following is usually the culprit:

Incorrect permissions on localconfig.xml

In this case, the password isn't wrong, the file is just not readable by Zimbra. Confirm the permissions are as shown:

ls -l  /opt/zimbra/conf/localconfig.xml 
-rw-r-----. 1 zimbra zimbra 3887 Jun  4 20:08 /opt/zimbra/conf/localconfig.xml

Passwords weren't taken from the old localconfig.xml

After restoring the server, the passwords weren't not taken from the old localconfig.xml. So just pick the old localconfig.xml from the server, or from a backup, and replace the passwords on the current server's localconfig file.

In a backup, it'll be in your 'sessions/<full-incr backup name>/sys' folder. Example:



If the above doesn't work or is not possible, use the 'zmldappasswd' command. The help file for that is self-explanatory:

zmldappasswd --help

You can also see this article, Resetting_LDAP_and_MySQL_Passwords#In_ZCS_5.0.x, for examples. It was last updated for ZCS 5, but is valid for versions unto ZCS 8. The only difference is that a few more options have been added over the years

Changing ldap directly

If zmdldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'

Replace 'ldap_root_password_value' with your actual password. If this is also incorrect, we'll have to change this manually.

Please do this carefully. If you are unsure, and are an NE customer, please contact support before making the changes.

We are going to create a base64 encoded salted SHA password, that we will then directly place in the ldap.

1. Generate the password hash using 'slappasswd':
NEWPASS='/opt/zimbra/openldap/sbin/slappasswd -v -s 'Very_secure_pass_591' -h {SSHA}`
* Note for 8.5 and later, SSHA512 should be used
NEWPASS=`/opt/zimbra/openldap/sbin/slappasswd -o module-load=pw-sha2 -h {SSHA512} -s 'Very_Secure_pass_591'`
2. BASE64 encode this password hash:
NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64`
* Note: This can generate an invalid base-64 hash, because it adds a space depending on how long the value is.
3. As the zimbra user, stop ldap:
ldap stop
4. Replace this new password in the file ~/data/ldap/config/cn=config/olcDatabase={0}config.ldif:
cp '/opt/zimbra/data/ldap/config/cn=config/olcDatabase={0}config.ldif' /tmp/
sed -i "s/olcRootPW.*/olcRootPW:: $NEWPASSB64" '/opt/zimbra/data/ldap/config/cn=config/olcDatabase={0}config.ldif'

The above command takes a backup of 'olcDatabase={0}config.ldif', and the places the new password in the file. If the command fails for whatever reason, just do the steps manually. Take a backup, and replace the existing value of 'olcRootPW:: ' in the 'olcDatabase={0}config.ldif' file with the value of $NEWPASS64.

5. Start ldap:
ldap start
6. To test, run:
ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value' 
7. Then update localconfig.xml as well

Verified Against: Zimbra Collaboration Suite 7,8 Date Created: 06/24/2013
Article ID: Date Modified: 06/10/2016

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search