08-27-2009, 12:12 PM
| | Advanced Member | |
Posts: 192
| | ZCS 6.0 rc1 samba integration problem
Hi,
I am trying to integrate zcs 6.0 rc1 with a samba server according to the instructions on UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 (Zimbra :: Wiki), and all is going well until the adjustment of the ldap acls at the end of part 1. There I get the following error:
zimbra@mail:~/log$ ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAccess: no such value
Any ideas? If I continue I see that the deployment of the samba admin extension zimlet isn't working; the org.role "machines" isn't created in the ldap db for instance.
Am I too early to try this?
Regards
Ferry
Zimbra version: Release 6.0.0_RC1_1684.UBUNTU8 UBUNTU8 NETWORK edition.
Last edited by Hivos; 08-27-2009 at 03:23 PM..
Reason: additional info
| 
09-21-2009, 08:57 AM
| | Intermediate Member | |
Posts: 24
| | Hi,
Same thing here but using Zimbra 6.0.1 on a Ubuntu 8.04.3 Server (64-bit).
Everything went fine until:
Quote:
Now, you need to adjust the LDAP acls so that these new users can read the data necessary from the LDAP server. This will need to be done on each LDAP server that exists. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to be olcDatabase={3}hdb,cn=config in both sections.
Content of /tmp/acl.ldif
Code:
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=zimbra,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=zimbra,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=zimbra,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=zimbra,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
After issuing:
Code:
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
I get:
Code:
zimbra@zimbra:~$ ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAccess: no such value
Another question, in the article it says:
Quote:
In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance...
and
Quote:
Be sure to replace dc=gregzimbra1,dc=zimbra,dc=com with your actual domain
Must we use the FQDN of the zimbra host (in my case zimbra.example.com) or only the domain (again in my case example.com)?
Any ideas?
09-21-2009, 10:58 AM
| | Zimbra Employee | |
Posts: 572
| | The domain.
Was your ubuntu server an upgrade or a fresh install of 6.0.1?
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
| 
09-21-2009, 11:06 AM
| | Intermediate Member | |
Posts: 24
| | Hi quanah!
It's a fresh install.
Do you know what may be the cause of the problem indicated by:
Code:
zimbra@zimbra:~$ ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAccess: no such value
09-21-2009, 11:43 AM
| | Zimbra Employee | |
Posts: 572
| | Well, I'd ask why you are using RC1, since samba/posix wasn't supported until 6.0.0 GA, and you should really be using 6.0.1 at this point.
The error means that it finds no such matching olcAccess value in the configuration database. Is this a master LDAP server with replication enabled?
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
| 
09-21-2009, 11:51 AM
| | Intermediate Member | |
Posts: 24
| | Hi quanah!
I am using 6.0.1 GA Release (zcs-6.0.1_GA_1816.UBUNTU8_64.20090911235613.tgz)
Zimbra standalone server.  | 
09-21-2009, 12:04 PM
| | Zimbra Employee | |
Posts: 572
| | Quote:
Originally Posted by peracchi
Hi quanah!
I am using 6.0.1 GA Release (zcs-6.0.1_GA_1816.UBUNTU8_64.20090911235613.tgz)
Zimbra standalone server.
Ok, then you need to examine your olcAccess values.
Code:
ldapsearch -x -H ldapi:/// -D cn=config -W -b olcDatabase={2}hdb,cn=config olcAccess
In particular, value {9} of the result.
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
| 
09-21-2009, 12:40 PM
| | Intermediate Member | |
Posts: 24
| | Hi quanah!
Output of ldapsearch -x -H ldapi:/// -D cn=config -W -b olcDatabase={2}hdb,cn=config olcAccess before:
Code:
# extended LDIF
#
# LDAPv3
# base <olcDatabase={2}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=adm
ins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra"
write
olcAccess: {2}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zi
mbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,z
imbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admi
ns,cn=zimbra" write by * none
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write
by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmam
avis,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {4}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" wr
ite by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn
.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {6}to attrs=zimbraAllowFromAddress by dn.children="cn=admins,cn=zi
mbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,di
splayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postal
Code,sn,st,street,streetAddress,telephoneNumber,title,uid by dn.children="cn
=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" re
ad by users read by * none
olcAccess: {8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCa
nonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,z
imbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwar
dingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,z
imbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliv
eryDisabled by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpo
stfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by *
read
Then I issue a ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W command on the following content of acl.ldif:
Code:
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
Which gives me the
Code:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAccess: no such value
Thanks for your help and your time!  | 
09-21-2009, 01:34 PM
| | Zimbra Employee | |
Posts: 572
| | Quote:
Originally Posted by peracchi
Hi quanah!
Output of ldapsearch -x -H ldapi:/// -D cn=config -W -b olcDatabase={2}hdb,cn=config olcAccess before:
There's something off in your ldif file, as best I can tell, but I can't see what via the cut/paste through the forum. :/
The replace op for {9} appears to match up to me:
Code:
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
but there must be something different (a space at the end of your line? a tab instead of a space somewhere?) that isn't apparent to me. :/
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
| 
09-21-2009, 02:01 PM
| | Intermediate Member | |
Posts: 24
| | Hi quanah!
I have made copy/paste from UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 (Zimbra :: Wiki).
From that page:
Code:
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
Then I did at zimbra:
Code:
echo "
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
" | tee /tmp/acl.ldif
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
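
Added example, not part of any post in the thread: a shell check for the exact-match requirement behind "modify/delete: olcAccess: no such value". It tests quanah's guess of an invisible whitespace difference and also shows what an `echo "..."` wrapper of the form used in the last post does to the inner double quotes of an ACL value. The function names and all sample data (including the doubled spaces in the stored value) are constructed for illustration.

```shell
# Added example; all sample data below is constructed, not from the thread.
# Join LDIF continuation lines (a leading single space continues a line).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Print olcAccess value {idx} from LDIF on stdin. Mode "any": first match
# (ldapsearch output); mode "delete": only inside a "delete: olcAccess" block.
# Base64-encoded values ("olcAccess:: ...") are not decoded here.
acl_value() {
    unfold_ldif | awk -v idx="$1" -v mode="$2" '
        /^delete: *olcAccess$/ { del = 1; next }
        /^-$/ || /^$/          { del = 0 }
        (mode == "any" || del) && index($0, "olcAccess: {" idx "}") == 1 {
            print substr($0, 12); exit
        }'
}

# Collapse tabs and runs of spaces so only non-whitespace differences remain.
squeeze() { printf '%s\n' "$1" | tr '\t' ' ' | tr -s ' ' | sed 's/ $//'; }

# Classify stored value ($1) vs. value named in the delete ($2).
compare_acl() {
    if [ "$1" = "$2" ]; then echo exact
    elif [ "$(squeeze "$1")" = "$(squeeze "$2")" ]; then echo whitespace-only
    else echo different; fi
}

sample_live() {    # folded search output; doubled spaces are an assumption
cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by *
  read
EOF
}
sample_heredoc() { # quoted heredoc delimiter: inner double quotes survive
cat <<'EOF'
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
EOF
}
sample_echo() {    # echo "..." wrapper: the shell removes the inner quotes
echo "delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read"
}

report() { compare_acl "$(sample_live | acl_value 9 any)" "$($1 | acl_value 9 delete)"; }
printf 'heredoc: %s\necho:    %s\n' "$(report sample_heredoc)" "$(report sample_echo)"
```

Against a real server, pipe the output of the `ldapsearch` command from the thread into `acl_value 9 any` and feed `/tmp/acl.ldif` to `acl_value 9 delete`, then pass both results to `compare_acl`.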