ShanxT - LDAP Auth Failed

   KB 20481        Last updated on 2022-10-17  

(0 votes)


The password may get reset during a migration, DR, incorrect installation or messing around with the server. The logs will explicitly show errors like LDAP: error code 49 - Invalid Credentials, or you may see postfix not connecting, etc.

Different services (postfix, nginx, etc) also connect to ldap with their respective passwords.

All these passwords are stored in /opt/zimbra/conf/localconfig.xml. To see all the passwords, run:

zmlocalconfig -s | grep ldap.*_pass

Checking localconfig.xml

We just need to determine how the password got reset. If it is during a migration or DR, one of the following is usually the culprit:

Incorrect permissions on localconfig.xml

In this case, the password isn't wrong, the file is just not readable by Zimbra. Confirm the permissions are as shown:

ls -l  /opt/zimbra/conf/localconfig.xml 
-rw-r-----. 1 zimbra zimbra 3887 Jun  4 20:08 /opt/zimbra/conf/localconfig.xml

Passwords weren't taken from the old localconfig.xml

After restoring the server, the passwords weren't not taken from the old localconfig.xml. So just pick the old localconfig.xml from the server, or from a backup, and replace the passwords on the current server's localconfig file.

In a backup, it'll be in your 'sessions/<full-incr backup name>/sys' folder. Example:



If the above doesn't work or is not possible, use the 'zmldappasswd' command. The help file for that is self-explanatory:

zmldappasswd --help

You can also see this article, Resetting_LDAP_and_MySQL_Passwords#In_ZCS_5.0.x, for examples. It was last updated for ZCS 5, but is valid for versions unto ZCS 8. The only difference is that a few more options have been added over the years

Changing ldap directly

If zmdldappasswd also doesn't work, then it means that the ldap root password is probably messed up. To confirm, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'

Replace 'ldap_root_password_value' with your actual password. If this is also incorrect, we'll have to change this manually.

Please do this carefully. If you are unsure and are an NE customer, please contact support before making the changes.

We are going to create a base64 encoded salted SHA password, that we will then directly place in the ldap.

1) Generate the password hash using 'slappasswd':

For 8.5 and above, SSHA512 should be used
NEWPASS=`/opt/zimbra/common/sbin/slappasswd -o module-load=pw-sha2 -h {SSHA512} -s 'Very_Secure_pass_591'`

2) BASE64 encode this password hash:

NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64 | tr -d '\n'`

Note: The hash can go across multiple lines, so the 'tr' deletes the new line character and makes it a single line. The entire hash should be on one line. Confirm this by running:

echo $NEWPASSB64

3) As the zimbra user, stop ldap:

ldap stop

4) Take ldap backup.

mkdir /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -n 0 -o ldif-wrap=no -l /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "cn=accesslog" -l /opt/zimbra/data/tmp/ldap_backup/ldap-accesslog.bak
/opt/zimbra/common/sbin/slapcat -F /opt/zimbra/data/ldap/config -o ldif-wrap=no -b "" -l /opt/zimbra/data/tmp/ldap_backup/ldap.bak 

5) Replace the new password in the file ldap-config.bak.

sed -i.ORG "s/olcRootPW.*/olcRootPW:: $NEWPASSB64/" /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak 

6) Reload updated ldap-config.bak.

mv /opt/zimbra/data/ldap/config /opt/zimbra/data/ldap/config.old.`date '+%Y%m%d%H%M%S'` 
mkdir /opt/zimbra/data/ldap/config 
/opt/zimbra/libexec/zmslapadd -c /opt/zimbra/data/tmp/ldap_backup/ldap-config.bak 

7) Start ldap:

ldap start

8) To test, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value' 

9) Then update localconfig.xml as well

Checking if the password updated correctly

Run the following to check each password.

su - zimbra
source ~/bin/zmshutil; zmsetvars

# Main config user 
ldapwhoami -ZZ -x -D cn=config -H ldap://`zmhostname`:389 -w $ldap_root_password

# Zimbra ldap user 
ldapwhoami -ZZ -x -D uid=zimbra,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $zimbra_ldap_password

# Replication, if using multiple ldap servers
ldapwhoami -ZZ -x -D uid=zmreplica,cn=admins,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_replication_password

# Amavis
ldapwhoami -ZZ -x -D uid=zmamavis,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_amavis_password

# Nginx
ldapwhoami -ZZ -x -D uid=zmnginx,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_nginx_password

# Postfix
ldapwhoami -ZZ -x -D uid=zmpostfix,cn=appaccts,cn=zimbra -H ldap://`zmhostname`:389 -w $ldap_postfix_password

On successful auth, the output of the above would be the user's DN from ldap

# Main config user 

# Zimbra ldap user 

# Replication

# Amavis
# Nginx

# Postfix

Verified Against: Zimbra Collaboration Suite 7,8 Date Created: 06/24/2013
Article ID: Date Modified: 2022-10-17

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search