
Thread: migrating zimbra user passwords from one zcs to another.

  1. #1
    NathanL

    I'm rebuilding my ZCS OSE. I have the migration going, using zmmailbox exports of my users; the rest is already done (domain creation, user creation). The problem is, I don't have, or know how to get, the source users' passwords.

    I get that they're probably a non-reversible hash, and I can't "get" the password, but I'd like to move those hashes from the old ZCS to the new one.

    They're both 7.x, both OSE, and I have full control of both.

    This data is, I assume, in LDAP. How can I get it? And how do I import it on the other end?

  2. #2
    j2b

    Hi, NathanL,
    It turned out to be quite simple, although manual work will be needed. Depending on your shell scripting skills (mine are not very good), you may automate this process.

    1. Need to get user data and password hashes
    Yes, you are right, Zimbra holds user passwords as an irreversible SSHA hash, and it is stored in the LDAP database. To get the list of users from the old server into a file, issue the following command (I did it on the mailbox server):

    Code:
    # su - zimbra
    $ zmprov -l gaa -v > /tmp/users.txt

    By this you change to the zimbra user and run the zmprov command with -l (small L) to look in LDAP, in -v (verbose) format, and place all this data into the /tmp/users.txt file (this really depends on your wishes).

    By opening this file, you'll see different data, including specific names and variables you may use to create exact accounts on the new server. What you are most interested in is userPassword, which is stored in the format:

    Code:
    {SSHA}ClPXXnMdwTdyTmEfIHt8btXSKrzRsW8C

    You may grep through this file, if you can identify the data you need and can write a shell script to do it automatically, as probably not all of the information is needed.


    2. Need to modify password for users on new server

    Assuming that you've already created the users on the new server, you have to modify the user accounts and populate this password hash instead of the pure password:

    Code:
    # su - zimbra
    $ zmprov [here press enter]
    > ma user@domain.com userPassword {SSHA}ClPXXnMdwTdyTmEfIHt8btXSKrzRsW8C [enter again]
    > exit

    So, as you can see:

    ma - is for the zmprov modifyAccount function
    user@domain.com - your user account
    userPassword - variable for the user password
    password itself. Please note that you have to include not only the hash data but also {SSHA}, without any space.

    Why zmprov and Enter?
    Because zmprov commands tend to be server resource intensive, and if you have to modify many user accounts, it is wise to launch one zmprov instance and issue consecutive commands within that launched instance. Thus your server will not sweat while you do this task.

  3. #3
    NathanL

    Thanks! I took your work, and threw together this one-liner to output everything we need in one step.


    Code:
    for i in `zmprov -l gaa | egrep -v 'galsync|spam|ham|virus|stimpson'`;do \
      echo "$i,`zmprov -l ga $i userPassword | grep userPassword | \
      sed 's/userPassword: //'`";\
    done;

    This crops out the galsync accounts, the spam/ham accounts, the virus quarantine account, and the server accounts created when I set up the old server (it was named stimpson). Then it outputs something like:

    Code:
    user@domain.com,{SSHA}sshapasswordhash
    user2@domain.com,{SSHA}sshapasswordhash

    You could then split this up and pass it back into zmprov to set the account passwords at the other end. I'll post that one-liner in a few minutes once I work it out.

  4. #4
    NathanL

    OK, I took the output of the above, and threw it into a userlist.txt.

    Then I did this on the destination server:
    Code:
    for i in `cat userlist.txt`;\
      do zmprov ma `echo $i | \
      awk -F, '{print $1 " userPassword " $2}'`; \
    done

    Worked perfectly!

    Thanks for the head start!

  5. #5
    j2b

    Great, thank you for the script. I'll bookmark this thread in case it's needed later. Definitely it is worth it, as these outputs are very long.

    In addition, I do not know whether commas are accepted by zmprov ca/ma, and I use the displayName, givenName, sn and company switches too, but it may be up to others to decide which data to output and use. In some cases, if a few words are used, they are enclosed in " symbols.

  6. #6
    NathanL

    I was only looking for the passwords (I already had the accounts set up).

    The commas are stripped out in the import command. That's what sed is doing.

  7. #7
    sadiq007

    Excellent, thanks for sharing great ideas.

  8. #8
    akintemel

    Quote Originally Posted by NathanL:
    OK, I took the output of the above, and threw it into a userlist.txt.

    Then I did this on the destination server:
    Code:
    for i in `cat userlist.txt`;\
      do zmprov ma `echo $i | \
      awk -F, '{print $1 " userPassword " $2}'`; \
    done


    Hello,
    I use it for my destination server, and I export to the userlist using this command: zmprov -l gaa -v > /tmp/users.txt
    and when I check the user.txt file, the userPassword line looks like this:
    ------
    objectClass: amavisAccount
    sn: Showroom
    uid: astoria.showroom
    userPassword: {SSHA}ZutwfeBdyHHg+IRirZiJmNeblPqhLW0Q

    zimbraAccountStatus: active
    zimbraAdminAuthTokenLifetime: 12h
    zimbraAllowAnyFromAddress: FALSE

    ------
    The userPassword line and zimbraAccountStatus line have 1 empty line. That way I can migrate the user password. Could you help me please?

    Thanks

  9. #9
    NathanL

    I'm not certain I understand your problem.

    There are two pieces to this puzzle.

    First, on the source server, I ran:

    Code:
    for i in `zmprov -l gaa | egrep -v 'galsync|spam|ham|virus|stimpson'`;do \
      echo "$i,`zmprov -l ga $i userPassword | grep userPassword | \
      sed 's/userPassword: //'`";\
    done;

    I took the output of that and put it into a flat text file. Essentially, this loop gets just the userPassword line for each account, along with the account name of course. This can then be copy/pasted, or redirected into a flat text file.

    Then put that flat text file on your destination server, and run the other loop:

    Code:
    for i in `cat userlist.txt`;\
      do zmprov ma `echo $i | \
      awk -F, '{print $1 " userPassword " $2}'`; \
    done

    This loops through every entry in the userlist.txt file, and sets the password for the account to the SSHA value gathered on the destination server from the first loop.

    It almost sounds like your userlist.txt file has the entire user record, not just the password.
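
For the case raised in post #8, where only the verbose `zmprov -l gaa -v` dump is at hand, the following added example (not code from any poster in this thread) reduces that dump to one `ma` command per account and rejects any userPassword value that is not a well-formed `{SSHA}` string. It assumes each record in the dump begins with a `# name <account>` line; the sample addresses and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes each record in the verbose
# dump starts with a "# name <account>" line, as zmprov prints it.

# Constructed sample input; the hashes are made-up placeholders.
sample_dump() {
  cat <<'EOF'
# name alice@example.com
sn: Showroom
userPassword: {SSHA}Q29uc3RydWN0ZWRTYW1wbGVIYXNoMDE=

zimbraAccountStatus: active

# name galsync@example.com
userPassword: {SSHA}Q29uc3RydWN0ZWRTYW1wbGVIYXNoMDI=

# name bob@example.com
zimbraAccountStatus: active

# name carol@example.com
userPassword: not-a-hash

# name dave@example.com
userPassword: {SSHA}Q29uc3RydWN0ZWRTYW1wbGVIYXNoMDM=
EOF
}

# Reads a verbose dump on stdin (or from file arguments) and prints one
# "ma <account> userPassword <hash>" line per regular account.
# The skip pattern is anchored so an address such as graham@ is not dropped.
dump_to_ma_commands() {
  awk -v skip='^(galsync|spam[.]|ham[.]|virus-quarantine[.])' '
    /^# name / { acct = $3; next }            # a new account record begins
    /^userPassword: / && acct != "" {
      if (acct ~ skip) { acct = ""; next }    # system account: leave it alone
      if (NF == 2 && $2 ~ "^[{]SSHA[}][A-Za-z0-9+/]+=*$")
        print "ma " acct " userPassword " $2
      else                                    # never pass odd values to zmprov
        print "skipped " acct ": unexpected userPassword value" > "/dev/stderr"
      acct = ""
    }
  ' "$@"
}

# The output holds password hashes: keep it private and delete it afterwards.
if [ "${1:-}" = "--demo" ]; then
  umask 077
  sample_dump | dump_to_ma_commands
fi
```

Saved to a file created under `umask 077`, the output can be passed to a single `zmprov -f <file>` run on the destination server, which matches the one-instance approach from post #2.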
