ShanxT-LDAP-CheatSheet
Setting the ldap variables
The variables used by LDAP can be set by running:
su - zimbra source ~/bin/zmshutil ; zmsetvars
This will set the values for variables like '$ldap_master_url', '$zimbra_ldap_password', etc.
Alternatively, they can be taken from localconfig.xml as well. To do so, either run:
zmlocalconfig -s | grep 'ldap_' | egrep 'password|url'
Or directly open '/opt/zimbra/conf/localconfig.xml', and take the values from there.
Parsing through ldap
Basic search:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
Specifying the 'people' ou as the search base. 'dc=example' and 'dc=com' will have to be replaced with your domain
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -LLL -b 'ou=people,dc=example,dc=com'
Alternatively, using search filters, and also showing all accounts of the object class 'zimbraAccount'
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -LLL '(&(objectClass=zimbraAccount)(ou:dn:=people))'
Using search base and showing the uid for admin accounts:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -b 'ou=people,dc=example,dc=com' -LLL '(&(uid=*)(zimbraIsAdminAccount=TRUE))' uid
Listing out all the servers:
ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password -b 'cn=servers,cn=zimbra'
Example using localconfig keys:
ldapsearch -x -D `zmlocalconfig -m nokey -s zimbra_ldap_userdn` -w `zmlocalconfig -m nokey -s zimbra_ldap_password` -h `hostname -f`
Searching against an AD server:
ldapsearch -H ldap://ad.example.net:3268 -D admin -x -w pass -b "ou=users,dc=example,dc=net"
Quick Debug info
ldapsearch -x -h 2d.snx -v -d 7
Modifying ldap
ldapmodify -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
The cursor will move to the next line, wherein you can enter the modification you wish to make. Make sure to press 'Ctrl+D' after the modifications are over.
Example - To change uid:
ldapmodify -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password
dn: uid=old_user_uid,dc=domain changetype: modrdn newrdn: uid=new_user_uid deleteoldrdn: 1 (Press Ctrl+D)
To modify the mail attribute:
dn: uid=admin,ou=people,dc=example,dc=com changetype: modify replace: mail mail: admin@example.com mail: postmaster@example.com mail: root@example.com (Press Ctrl+D)
Deleting an ldap entry
ldapdelete -v -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password "uid=testtest,ou=people,dc=example,dc=shanx"
Find an account based on an ldap attribute - zimbra sa
We can use this to get the accounts containing a particular attribute. Say if we have the ZimbraID, and would like to know which account it belongs to:
zmprov sa zimbraId=bd400158-aa2e-4c10-8ea7-95be59564b47
'-v' will show all the details of those accounts. This is exactly like the output we get by running 'zmprov -l ga <email address>', only this time the lookup is based on any LDAP attribute.
For example, to get all the details of all the accounts on a particular mail host:
zmprov sa -v "zimbraMailHost=8b.snx"
Checking Passwords
This is to check if the passwords stored in localconfig.xml are correct. Get the password and check with the following commands.
The results of the following should simply return the DN of the authenticated user. An 'Invalid Credentials' error message would show something is wrong.
Checking Zimbra Password. This should match the 'zimbra_ldap_password' in localconfig.xml:
ldapwhoami -ZZZ -x -h `zmhostname` -D "uid=zimbra,cn=admins,cn=zimbra" -W
OR
ldapwhoami -x -h `zmhostname` -D "uid=zimbra,cn=admins,cn=zimbra" -W
The use of '-ZZZ' depends on your TLS settings.
Checking LDAP root password. This should match the 'zimbra_ldap_password' entry:
ldapwhoami -x -h `zmhostname` -D "cn=config" -W
If the passwords need to be changed, see this article: ShanxT-LDAP-Auth-Failed
Encoding of entries
Entries are base64 encoded if they are passwords, or if a person's name or entry contains special characters, like the umlaut. To decode, simply run:
echo 'e1NTSEF9Nmc4WDVsR3F6Snl3T21NMTU3NlB2WE4xMFV1L2hTSzU=' | base64 -d
The above is a password, so the output would be:
{SSHA}6g8X5lGqzJywOmM1576PvXN10Uu/hSK5
This shows the password is a salted SHA password.
To encode:
echo 'ThisIsMyPassword' | base64