LDAP schema error

[TomB17]

Two months ago, I took over systems administration at a small company that uses Zimbra. I had never seen it prior to this, however, I am some familiar with postfix and the normal fleet of Linux mail related software.

When I took it over, I was unable to add new accounts. When I would try to add a new account from the admin page, it would give an LDAP schema error. I lived with that for a while but now it needs to be fixed.

... so I updated LDAP using yum. That didn't help but I didn't expect it to help.

I also upgraded Zimbra from 5.0.16 to 5.0.22.

Now, I can't get into the admin page at all. It just shows as loading forever. Also, I can't create folders from the user page anymore.

"There was a problem parsing your filter rules: invalid request: LDAP schema violation: [LDAP: error code 65 - unrecognized objectClass 'posixAccount']"

I assume I need to update the LDAP scheme but how? I've browsed the docs but there are a ton of them. If someone would point me in the right direction with the documentation, or help me understand what script I need to run to correct this LDAP schema issue, I would really appreciate it.


Thank you.

[Hivos]

It appears as if your predecessor has installed the posixAccount and samba admin zimlets. Summary: that's a way to make your zimbra server a samba domain controller as well. Check the zimbra wiki if you're interested.

I'm quite sure this is what is causing the error. Big question is: is your zimbra server really the primary domain controller?

• If yes: you will probably want to fix this. I would start by checking the version of the Samba and NIS schemas installed in your /opt/zimbra/openldap/etc/openldap/schema . However, since you did a zimbra upgrade, chances are the schema's are not present at all. Anyway, when you update samba (e.g. via yum) you also need to manually copy the (possibly) updated schema here.
  Also check if these lines are present in your /opt/zimbra/conf/slapd.conf.in
  
  Code:

  include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
  include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"

• If no: disable or undeploy the "zimbra_posixAccount" and "zimbra_samba" zimlets via the cli using zmzimletctl .

[TomB17]

I really appreciate the help so far.

SAMBA is installed but not configured and not running.

Code:

# /opt/zimbra/bin/zmzimletctl disable zimbra_posixAccount
[] INFO: Disabling Zimlet zimbra_posixAccount
[] INFO: Zimlet not found: /opt/zimbra/mailboxd/webapps/service/zimlet/zimbra_posixAccount

Code:

# /opt/zimbra/bin/zmzimletctl disable zimbra_samba
[] INFO: Disabling Zimlet zimbra_samba
[] ERROR: Error
com.zimbra.cs.zimlet.ZimletException: Cannot disable Zimlet zimbra_samba
        at com.zimbra.cs.zimlet.ZimletException.CANNOT_DISABLE(ZimletException.java:70)
        at com.zimbra.cs.zimlet.ZimletUtil.setZimletEnable(ZimletUtil.java:746)
        at com.zimbra.cs.zimlet.ZimletUtil.disableZimlet(ZimletUtil.java:771)
        at com.zimbra.cs.zimlet.ZimletUtil.dispatch(ZimletUtil.java:1588)
        at com.zimbra.cs.zimlet.ZimletUtil.main(ZimletUtil.java:1639)
Caused by: com.zimbra.cs.account.AccountServiceException: no such zimlet: zimbra_samba
ExceptionId:main:1268256841638:b510b5d41a464685
Code:account.NO_SUCH_ZIMLET
        at com.zimbra.cs.account.AccountServiceException.NO_SUCH_ZIMLET(AccountServiceException.java:213)
        at com.zimbra.cs.zimlet.ZimletUtil.setZimletEnable(ZimletUtil.java:738)
        ... 3 more

[Hivos]

A long shot: but perhaps you can deploy the zimlets first, and then try again to undeploy?

How many users is your install? If it's a small install then a server-move might be less trouble than troubleshooting this server.

[TomB17]

There are 7 users on the system with about a dozen mailboxes in total.

I'm ready to reinstall this thing. It's frustrating. I need to sit down and read the docs, figure out how to do it, and then reinstall. It will help me understand the system too.

I'm decent with most of the components Zimbra uses but Zimbra is so much more than the components plus some glue logic. It's an extremely sophisticated environment.

Thank you for the help.

[Hivos]

Quote:

Originally Posted by TomB17

... It will help me understand the system too.

I'm decent with most of the components Zimbra uses but Zimbra is so much more than the components plus some glue logic. It's an extremely sophisticated environment.

That's about the same as I felt a year and a half ago, but once you get to work with it a bit, you'll find it's actually much, much more transparent than you would think at first sight. You just had a bad position to start from

Anyway, for migrating, try the zmztozmig script in /opt/zimbra/libexec/ . Documentation is in the release notes. Good luck!

[TomB17]

I really appreciate the help, Hivos. Thank you.

[ArcaneMagus]

Sorry that another mod didn't see this before now, your post was being flagged for moderation. I approved your original post and also moved the thread to the correct forum as the "Error Reports" sub-forum is for the Zimbra Desktop application.

If you are still interested in fixing the system, the problem isn't that the zimlets are installed, but rather that they are NOT installed. It looks like somebody got the schema installed in the LDAP database, but then didn't install the admin extensions that know that user accounts need the extra attributes.

You might be able to reverse the steps in this section and get the admin interface able to manage users again (if you can access it).

If you are still locked out of the admin interface, do you see any errors in the logs when you try to access it? Some places to check would be:

Code:

/var/log/zimbra.log
/opt/zimbra/mailbox.log
/opt/zimbra/audit.log

[TomB17]

Thank you very much for the help and ideas. I would like to sort this out, if possible.

If I can stabilize this environment, I will be able to take my time with regard to a migration plan (Zimbra v6, or whatever). Otherwise, I will have a gun to my head to make a change without a lot of leg work and study.

I've tried to install the two zimlets.

Code:

## /opt/zimbra/bin/zmzimletctl install /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip
[] INFO: Installing Zimlet zimbra_posixaccount on this host.

# /opt/zimbra/bin/zmzimletctl install /opt/zimbra/zimlets-admin-extra/zimbra_samba.zip
[] INFO: Installing Zimlet zimbra_samba on this host.

I still get an error when I try to create a filter in the web client.

Code:

There was a problem parsing your filter rules: invalid request: LDAP schema violation: [LDAP: error code 65 - unrecognized objectClass 'posixAccount']

I'll look at figuring out the admin interface ....

[TomB17]

After trying to log into the admin panel, I found something that seems relevant in /opt/zimbra/log/mailbox.log

Code:

2010-03-11 15:53:43,443 INFO  [btpool0-226] [name=tom@liveglobalbid.com;mid=26;ip=192.168.253.84;ua=ZimbraWebClient - [unknown] (Linux);] SoapEngine - handler exception                                                                                                  
com.zimbra.common.service.ServiceException: invalid request: LDAP schema violation: [LDAP: error code 65 - unrecognized objectClass 'posixAccount']                                                                                                                       
ExceptionId:btpool0-226:1268344423442:081ce69aff93bdfb                                                                               
Code:service.INVALID_REQUEST                                                                                                         
        at com.zimbra.common.service.ServiceException.INVALID_REQUEST(ServiceException.java:258)                                     
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:304)                                
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:270)                                        
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:251)                                        
        at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1662)                                                    
        at com.zimbra.cs.service.admin.ModifyAdminSavedSearches.handle(ModifyAdminSavedSearches.java:98)                             
        at com.zimbra.cs.service.admin.ModifyAdminSavedSearches.handle(ModifyAdminSavedSearches.java:58)                             
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:428)                                                           
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:284)                                                                  
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:158)                                                                  
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:273)                                                                  
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)                                                              
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:185)                                                       
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)                                                              
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1117)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1108)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:370)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:350)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - unrecognized objectClass 'posixAccount']; remaining name 'uid=tom,ou=people,dc=liveglobalbid,dc=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3048)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2963)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2769)
        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1451)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
        at com.zimbra.cs.account.ldap.ZimbraLdapContext.modifyAttributes(ZimbraLdapContext.java:568)
        at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:414)
        at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:292)
        ... 35 more
2010-03-11 15:53:54,383 INFO  [btpool0-231] [name=fergus@liveglobalbid.com;mid=4;ip=192.168.253.2;ua=Yahoo! Zimbra Desktop/1.0.2_1652_Linux;] soap - SyncRequest