[SOLVED] Password Not being Changed in external LDAP by zimbra server

[sjangra]

Password Not being Changed in external LDAP by zimbra server. everything else works fine.

Any Help....

Can anyone tell , is it possible to change the "Change Passowrd" link to my own page which will change the external LDAP password. if yes, then where (which directory) contains the source code to change the link.

Please help guys......
Thanks.....

[phoenix]

Password Not being Changed in external LDAP by zimbra server. everything else works fine.

That isn't currently a supported function (search bugzilla for the RFE and vote on it), you'll currently have to write a script to synchronise the passwords.

[sjangra]

can i have the script please !!!

[phoenix]

can i have the script please !!!

I don't have one, there might be one in the forums if you search.

[sjangra]

I found the below script !!! thanks...

#!/bin/bash

# This script allows the syncing of the Zimbra password database (OpenLDAP)
# with an external LDAP database (I use an external OpenLDAP) in a three step
# procedure. It's not *that* user friendly, so I hope you have some idea of
# how scripts work.
#
# The script searches (ldapsearch) whih user has changed his password in the
# last TIME seconds (i.e. TIME=300 for 5 minutes)
#
# The output passes through sed to create a correct ldif. This means adding
# the "changetype: modify" and "replace: userPassword" strings. In case your
# password filed has a different name, change the "userPassword" string in
# the sed line accordingly.
#
# Lastly, the ldapmodify command feeds the ldif created by sed to the external
# server.
#
# Written gy Gerasimos Melissaratos (gmelis72 at gmail dot com)

# Change variables accordingly

# Time since which to search for changed passwords. i.e. TIME=300 means the
# user has changed his password in the last 5 minutes. Adjust your crontab
# accordingly, for example if you run this script every 10 minutes (instead
# of 5 like I do) change TIME to 600 (min*60)
TIME=300

# This is the address where the zimbra ldap is listening. If you have installed
# zimbra on a cluster, use the cluster IP
ZIMBRA_LDAP="ldap://cluster.mfa.gr"

# This is the basically the domain you you want to search. i.e. if you have the
# zimbra domain foo.org, enter "dc=foo,dc=org"
ZIMBRA_BASEDN="dc=room,dc=gr"

# The password to use to connect to the zimbra ldap server. The user is
# "cn=config" as this is the rootdn for the zimbra ldap, and the password
# --which you probably do not know-- can be changed by changing the file
# /opt/zimbra/conf/slapd.conf.in. Just locate the line starting with
# "rootpw" and change the string starting with "{SSHA}" with the password
# you wish to have
ZIMBRA_ROOTPW='zimbra_ldap_password'

# The address of the external ldap server
EXTERNAL_LDAP="ldaps://myldapserver.room.gr"

# The credentials to use. That is the credentials to bind to your ldap server,
# which of course you know. All it needs is to have enough access to change the
# userPassword field. It can be the rootdn
EXTERNAL_LDAP_BINDDN="cn=root,dc=room,dc=gr"

# The password to use for the aforementioned credentials. Since passwods may include
# special characters I used single quotes
EXTERNAL_LDAP_PASSWD='myldapserver_rootpw'

ldapsearch -LLLx -H "${ZIMBRA_LDAP}" -D "cn=config" -b "${ZIMBRA_BASEDN}" -w "${ZIMBRA_ROOTPW}" \
"(zimbraPasswordModifiedTime>=`date -u +%Y%m%d%H%M%SZ -d \"-${TIME} sec\"`)" userPassword | \
sed -e '/ou=people,dc=mfa,dc=gr$/achangetype: modify\nreplace: userPassword' | \
ldapmodify -x -H "${EXTERNAL_LDAP}" -D "${EXTERNAL_LDAP_BINDDN}" -w "${EXTERNAL_LDAP_PASSWD}"

[shawnchu]

The script works fine when zimbra ldap and external ldap with same BaseDN and ou.

But my zimbra ldap BaseDN is ou=people,dc=group,dc=example,dc=com
my openldap server BaseDN is ou=teacher,dc=example,dc=com

When I running the script, It always shown an error message.
ldap_modify: No such object (32)
matched DN: dc=example,dc=com

I'd search internet for 1 week, but I still can't fix it.
Someone help me to solve this problem, please!!

Sorry for my poor English.
Thanks, Shawn

[shawnchu]

Solved!!

I fix sed syntax then solved my problem.

sed -e 's/ou=people,dc=group,dc=example,dc=com/ou=teacher,dc=example,dc=com/g' | \
sed -e '/ou=teacher,dc=example,dc=com$/achangetype: modify\nreplace: userPassword' | \

[thanhdv]

Hi everyone.
I'm testing a ZCS 7.1.3 OS on Ubuntu 10.04.3 64bit, and use an external OpenLdap + Samba PDC installed on OpenSUSE 11.4 to authenticate users. The connection is fine until i found out that when user change their password in Zimbra Web UI, it doesn't auto-sync to external ldap server.

I found this thread and try the above script, firstly i have problem when the ldapsearch command execute:

Code:

ldap_bind: Invalid credentials (49)

I've used the slappasswd command to generate a SSHA encrypted password and update in the folowing part of the
/openldap-2.4.26.5z/etc/openldap/slapd.conf file:

Code:

database        bdb
suffix          "dc=homedomain,dc=org"
rootdn          "cn=Administrator,dc=homedomain,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}p7XipDi6VJCfiUpx8XGHmwIq7tnUdXUO
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /opt/zimbra/openldap-2.4.26.5z/var/openldap-data

In the ldapsearch command, i've tried everything like -D "cn=config", -D "cn=Administrator", -D "cn=root", -D "cn=Administrator,dc=homedomain,dc=org" but the ldap_bind error keeps show up. Then i found that when i use -D "uid=admin,ou=people,dc=homedomain,dc=org", the ldapsearch command can run without error, but nothing returned and no password is updated!

Code:

ldapsearch -LLLx -H "${ZIMBRA_LDAP}" -D "uid=admin,ou=people,dc=homedomain,dc=org" -b "${ZIMBRA_BASEDN}" -w "${ZIMBRA_ROOTPW}" \
"(zimbraPasswordModifiedTime>=`date -u +%Y%m%d%H%M%SZ -d \"-${TIME} sec\"`)"

I tried this single command and comment the 2 commands followed, but nothing returned, even when i changed the filter to "(zimbraPasswordModifiedTime>=0)" or "(zimbraPasswordModifiedTime=20111116022747Z)"
This is the exactly time string i got from the command

Code:

zimbra@zimbra:/home/administrator$ zmprov ga thanhdv zimbrapasswordmodifiedtime
# name thanhdv@homedomain.org
zimbraPasswordModifiedTime: 20111116022747Z

My ldapsearch command works normally with other normal filter "cn=*" "objectClass=*" ...

Any help please !!!!!

Sorry for my bad Eng.
Thanks, thanhdv.

[thanhdv]

I've made myself getting in trouble T_T .
Only cn=config can retrieve informations like zimbraPasswordModifiedTime.