zmprov not working from SMTP or proxy server in multi-server install

[fultonj]

I have a working ZCS 5.10 multi-server install with separate servers for store, ldap, smtp and imap proxy. I did the install according to the documentation [0]. zmprov commands work on the store and ldap servers but do not work on the smtp or proxy servers (exact error message below) [1]. How can I run zmprov on the smtp or proxy servers?

I've seen this on other multi-server installs. Is this by design? I would like to use the smtp and proxy servers to reset passwords via the CLI. I'm doing a large imapsync which is CPU bound. I'd like to distribute load on many servers to use their CPU to speed up the sync. My script to do the sync sets a local password with zmprov sp and then disables it after the sync.

footnotes:
[0]
cover.1.1.html

[1]
[zimbra@zstore00 import]$ zmprov ga fultonj@zprd.lafayette.edu | wc -l
243
[zimbra@zstore00 import]$

[zimbra@zldap0 import]$ zmprov ga fultonj@zprd.lafayette.edu | wc -l
243
[zimbra@zldap0 import]$

[zimbra@zsmtp0 import]$ zmprov ga fultonj@zprd.lafayette.edu
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
[zimbra@zsmtp0 import]$

[zimbra@zproxy0 import]$ zmprov ga fultonj@zprd.lafayette.edu
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
[zimbra@zproxy0 import]$

[bdial]

try this on your mta box

Code:

zmlocalconfig -e zimbra_zmprov_default_soap_server zstore00.domain.com

change the last part to one of your mailbox servers

[fultonj]

Thank you bdial.

That fixed my problem. Two questions:

1. My LDAP server has zimbra_zmprov_default_soap_server = localhost yet it seems to work without the fix. Any idea why? Should I set it to the store server instead?

2. I have two store servers. What's the best way to share the load? Should I set half for one and half for the other?

[bdial]

1. your ldap server might be using ldap instead of soap to do stuff. you can check with the command

Code:

zmlocalconfig | grep zimbra_zmprov_default_to_ldap

2. i guess ify ou're concerned you could do that. why are you executing zmprov commands on so many different servers though? why not just choose 1 or 2 and call it a day?

[fultonj]

1. As you suggested, LDAP seems to be using itself instead of SOAP:

[zimbra@zldap0 import]$ zmlocalconfig | grep zimbra_zmprov_default_to_ldap
zimbra_zmprov_default_to_ldap = true
[zimbra@zldap0 import]$

I actually had a strange bug where zldap0 wouldn't set the local password for certain users via zmprov followed by a quick imapsync until I changed the above to false and had it use one of my store servers instead by changing zimbra_zmprov_default_soap_server.

I assume that SOAP calls to the store servers to change a user's Zimbra password get translated into calls to LDAP. I wonder if asking the ldap server to use the store server for zmprov calls updated some sort of cache on the store server. I'm imapsyncing a user very shortly after setting their local password and then setting it back. If LDAP knew it had a new password but didn't push it to the store or proxy server in time, then the user would have been denied when the imapsync was attempted.

2. imapsync is CPU bound (with fast enough disks). I can speed my conversion up a lot by using all of the CPUs I have available, i.e. all of my servers for Zimbra (store, smtp, etc). My script changes the password before and after it syncs so each server needs to zmprov. The basic algorithm is:

for users in users:
change_local_passwords(user)
imap_sync(user)
disable_local_passwords(user)

Thanks for your suggestion as it solved my problem.