migrating zimbra user passwords from one zcs to another.

[NathanL]

I'm rebuilding my zcs ose. I have migration going, using zmmailbox exports of my users, the rest is already done (domain creation, user creation) the problem is, i dont have, or know how to get, the source user's passwords.

I get that they're probably a non-reversable hash, and i cant "get" the password, but i'd like to move those hashes from the old zcs to the new one.

They're both 7.x, both OSE, and i have full control of both.

This data is, i assume, in ldap. How can i get it? And how do i import it on the other end.

[j2b]

Hi, NathanL,
It turned out to be quite simple, although, manual work will be needed. Depending on your shell scripting skills (mine not very good), you may automate this process.

1. need to get user data and pasword hashes
Yes, you are right, Zimbra holds user passwords in in-reversable SSHA hash, and it is stored in LDAP database. To get list of users from old server into file, issue the following command (I did it on mailbox server):

Code:

# su - zimbra
$ zmprov -l gaa -v > /tmp/users.txt

By this you change to zimbra user, and run zmprov command with -l (small L) to look in LDAP in -v (verbose) format, and place all this data into /tmp/users.txt file (this really depends on your wishes).

By opening this file, you'll see different data, including specific names and variables, you may use to create exact accounts on new server. The most you are interested in is userPassword, which is stored in format:

Code:

{SSHA}ClPXXnMdwTdyTmEfIHt8btXSKrzRsW8C

You may grep out this file, if you can identify your needed data, and can write a shell script to do it automatically, as probably all information is not needed.


2. Need to modify password for users on new server

Assuming, that you've already created users on new server, you have to modify user accounts, and populate this password hash instead of pure password:

Code:

# su - zimbra
$ zmprov [here press enter]
> ma user@domain.com userPassword {SSHA}ClPXXnMdwTdyTmEfIHt8btXSKrzRsW8C [enter again]
> exit

So, as you can see:

ma - is for zmprov modifyAccount function
user@domain.com - your user account
userPassword - variable for user password
password itself. Please note, that you have to include not only hash data, but {SSHA} to without any space.

Why zmprov and Enter?
Because zmprov commands tend to be server resource intensive, and if you have to modify many user accounts, it is wise, to launch one zmprov instance, and issue consequtive commands within that launched instance. Thus your server will not swet, while you do this task.

[NathanL]

Thanks! I took your work, and threw together this one-liner to output everything we need in one step.

Code:

for i in `zmprov -l gaa | egrep -v 'galsync|spam|ham|virus|stimpson'`;do \
  echo "$i,`zmprov -l ga $i userPassword | grep userPassword | \
  sed 's/userPassword: //'`";\
done;

This crops out the galsync accounts, the spam/ham accounts, the virus quarantine account, and the server accounts created when i setup the old server (it was named stimpson). Then outputs something like:

Code:

user@domain.com,{SSHA}sshapasswordhash
user2@domain.com,{SSHA}sshapasswordhash

You could then split this up and pass it back into zmprov to set the account passwords at the other end. I'll post that one-liner in a few minutes once i work it out.

[NathanL]

Ok, i took the output of the above, and threw it into a userlist.txt.

Then i did this on the destination server:

Code:

for i in `cat userlist.txt`;\
  do zmprov ma `echo $i | \
  awk -F, '{print $1 " userPassword " $2}'`; \
done

Worked perfectly!

Thanks for the head start!

[j2b]

Great, thank you for script. I'll bookmark this thread, in case needed further. Definately it is worth it, as these outputs are very long.

In addition, I do not know, whether comas are accepted from zpmrov ca/ma, and I use displayName, givenName, sn and company switches too, but it may be up to the others' decision, which data to output and use. In some cases if few words are used, they are enclosed in " symbols.

[NathanL]

I was only looking for the passwords (i already had the accounts setup).

The comma's are stripped out in the import command. That's what sed is doing.

[sadiq007]

excellent, thanks for sharing great ideas

[akintemel]

[QUOTE=NathanL;234882]Ok, i took the output of the above, and threw it into a userlist.txt.

Then i did this on the destination server:

Code:

for i in `cat userlist.txt`;\
  do zmprov ma `echo $i | \
  awk -F, '{print $1 " userPassword " $2}'`; \
done

Hello ,
I use it for my destination server and i export to userlist with using this command ; zmprov -l gaa -v > /tmp/users.txt
and i check the user.txt file in userPassword line its looklike ;
------
objectClass: amavisAccount
sn: Showroom
uid: astoria.showroom
userPassword: {SSHA}ZutwfeBdyHHg+IRirZiJmNeblPqhLW0Q

zimbraAccountStatus: active
zimbraAdminAuthTokenLifetime: 12h
zimbraAllowAnyFromAddress: FALSE

------
userPassword line and zimbraAccountStatus line have 1 empty line .Thath way i can migrate the user password.Could you help me please.

Thanks

[NathanL]

[QUOTE=akintemel;242542]

Ok, i took the output of the above, and threw it into a userlist.txt.

Then i did this on the destination server:

Code:

for i in `cat userlist.txt`;\
  do zmprov ma `echo $i | \
  awk -F, '{print $1 " userPassword " $2}'`; \
done

Hello ,
I use it for my destination server and i export to userlist with using this command ; zmprov -l gaa -v > /tmp/users.txt
and i check the user.txt file in userPassword line its looklike ;
------
objectClass: amavisAccount
sn: Showroom
uid: astoria.showroom
userPassword: {SSHA}ZutwfeBdyHHg+IRirZiJmNeblPqhLW0Q

zimbraAccountStatus: active
zimbraAdminAuthTokenLifetime: 12h
zimbraAllowAnyFromAddress: FALSE

------
userPassword line and zimbraAccountStatus line have 1 empty line .Thath way i can migrate the user password.Could you help me please.

Thanks

I'm not certain I understand your problem.

There are two pieces to this puzzle.

First, on the source server, i ran:

Code:

for i in `zmprov -l gaa | egrep -v 'galsync|spam|ham|virus|stimpson'`;do \
  echo "$i,`zmprov -l ga $i userPassword | grep userPassword | \
  sed 's/userPassword: //'`";\
done;

I took the output of that and put it into a flat text file. Essentially, this loop gets just the userpassword line for each account, along with the account name of course. This can then be copy/pasted, or redirected into a flat text file.

Then put that flat text file on your destination server, and run the other loop

Code:

for i in `cat userlist.txt`;\
  do zmprov ma `echo $i | \
  awk -F, '{print $1 " userPassword " $2}'`; \
done

This loops through every entry in the userlist.txt file, and sets the password for the account to the ssha value gathered on the destination server from the first loop.

It almost sounds like your userlist.txt file has the entire user record, not just the password.