Thread: Cannot Change LDAP root/zimbra Passwords

  1. #1
    am177 is offline Junior Member

    Hello,

    I'm attempting to recover from an outage, and I'm running into issue after issue. I'm running Zimbra 7.2.3_GA_2872.RHEL5_20130304144834 RHEL5 FOSS edition.

    I've verified that the data in mysql is still intact - users look good, mboxgroupXX tables look good etc. When I try to search the ldap server using the following method, I always get the "ldap_bind: Invalid credentials (49)" error.

    Code:
    su - zimbra
    source ~/bin/zmshutil
    zmsetvars
    ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password

    I tried changing the root ldap password as well as the zimbra ldap password using:

    Code:
    zmldappasswd -r <newpass>
    zmldappasswd <newpass>

    I've gone through most of the troubleshooting steps on: https://wiki.zimbra.com/wiki/Ajcody-LDAP-Topics. I've also made sure that zimbra:zimbra owns /opt/zimbra, and I ran the /opt/zimbra/libexec/zmfixperms --extended --verbose command.

    However, I'm still stuck. I'd love to post the logs, but the server is on a system that is not allowed to touch the internet.

    A little background as well...

    This all started after we had a power outage. Shortly thereafter, zimbra failed to boot with the message:

    Code:
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.

    Most of the posts indicated that this was a certificate problem. Regenerating the certificates didn't seem to help. So the next attempt was to install the same version (a tip I found on this forum). That didn't help either.

    We fortunately have backups of all the data, but restoring it doesn't seem to help.

    Anyway, if anyone has any tips on resetting the zimbra/root passwords so that I can get into the ldap db, that would be awesome. Hopefully from there I can use mysql to recreate the scripts.
    Last edited by am177; 02-28-2014 at 08:24 AM. Reason: added additional information

  2. #2
    am177 is offline Junior Member

    Since I'm trying anything I can to try and fix this...

    I tried to display the ldap db statistics using db_stat. The following is a hand-typed version of the output:

    Code:
    [root@mail]# db_stat -c -h /opt/zimbra/openldap-data
    db_stat: Program version 4.3 doesn't match environment version
    db_stat: DN->ENV: DB_VERSION_MISMATCH: Database environment version mismatch

  3. #3
    am177 is offline Junior Member

    Any thoughts here? Sorry to bump my own thread, but I'm running out of options here...

  4. #4
    fernando_ar is offline Starter Member

    Same problem here, if I try to change the LDAP zimbra/root password with zmldappasswd I get this error:

    Code:
    TLS: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    If I try to do a "/opt/zimbra/openldap/bin/ldapsearch -h zyx.example.com -x -D "cn=config" -W" I get a "ldap_bind: Invalid credentials (49)" error like the OP. Any thoughts? Sorry if I'm hijacking this thread, but the errors seem related.

  5. #5
    am177 is offline Junior Member

    Quote: Originally Posted by fernando_ar
        Same problem here, if I try to change the LDAP zimbra/root password with zmldappasswd I get this error:

        Code:
        TLS: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

        If I try to do a "/opt/zimbra/openldap/bin/ldapsearch -h zyx.example.com -x -D "cn=config" -W" I get a "ldap_bind: Invalid credentials (49)" error like the OP. Any thoughts? Sorry if I'm hijacking this thread, but the errors seem related.

    From my very limited experience, I would say that zmldappasswd is likely failing because of an issue with your certificate. I would try turning off the requirement for SSL and see if that makes a difference:

    As zimbra try:

    Code:
    zmlocalconfig -e ldap_starttls_supported=0
    zmlocalconfig -e ldap_starttls_required=false

    then try your zmldappasswd command again...

    To turn the SSL requirement back, just reverse the above:

    Code:
    zmlocalconfig -e ldap_starttls_supported=1
    zmlocalconfig -e ldap_starttls_required=true

    It might also be worth running (as root) to see if your certs have expired:

    Code:
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt

    Hope that helps... My issue still remains

  6. #6
    fernando_ar is offline Starter Member

    Worked like a charm. Thanks!

  7. #7
    pup_seba is online now Special Member

    Hi,

    That is one of the errors I fear the most.

    OpenLDAP shutting down abnormally is not a good thing at all. I recommend opening a support ticket asap and starting to prepare a VM for disaster recovery purposes in the meanwhile, just in case. Hopefully, I'm being too catastrophic and you find an easier solution before having to recover anything.

    In any case, make sure to stop Zimbra services before running the zmfixperms command you mention. Not likely to be the reason for this error but a good thing to do anyways...

    Look at this thread I just found...it doesn't give you the ultimate solution but it may work https://www.mail-archive.com/openlda.../msg03128.html

    From here, maybe there is a simpler and more elegant solution: Disaster Recovery for Specific Situations
    The solution that I think may apply to your scenario is:

    1. Reinstall the LDAP server. See the Zimbra Installation Guide.
    2. Find the label for the LDAP session to restore. Run the zmrestoreldap -lb <label> command, with no arguments to restore all accounts, domains, servers, COS, etc. for the LDAP server.
    3. Make sure that all accounts are in active mode. From the command line, type zmprov ma zimbraAccountStatus active

    Check your passwords in case you are using the wrong one. zmlocalconfig -s |grep -i pass

    This also may help. Check this thread
    [SOLVED] LDAP / slapd - Database environment corrupt (Issue & Solution)
    This is the cool part of it:
    Solution 2 - Last resort (as provided by Zimbra support)
    Look for the latest ldap backup. On my system it's from this morning; you may want to use the one from yesterday if the system was already down by backup time this morning. For the example I'm using my ldap backup filename: /opt/zimbra/backup/ldap/incr-20070704.080005.554/ldap.bak.

    Code:
    # su - zimbra
    $ ldap stop
    $ exit
    # mv /opt/zimbra/openldap-data /opt/zimbra/openldap-data-0704-crash
    # mkdir /opt/zimbra/openldap-data
    # cp /opt/zimbra/openldap-data-0704-crash/DB_CONFIG /opt/zimbra/openldap-data/DB_CONFIG
    # chown -R zimbra:zimbra /opt/zimbra/openldap-data
    # su - zimbra
    $ ~/openldap/sbin/slapadd -w -q -f ~/conf/slapd.conf -l /opt/zimbra/backup/ldap/incr-20070704.080005.554/ldap.bak
    $ ~/openldap/sbin/slapindex -f ~/conf/slapd.conf
    $ ldap start



    Hope this helps somehow :S

    Please, do let me know if you solved it or need me to try something in my lab environment before you do it in your production environment. I will be more than glad to help you!

    Regards,
    Sebas
    Last edited by pup_seba; 03-07-2014 at 02:54 PM. Reason: Added new info
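
Added example, not part of the thread or of Zimbra's tooling: an offline way to tell whether an "Invalid credentials (49)" bind failure is a plain password mismatch is to test the password held in localconfig against the userPassword stored in an LDIF export such as the ldap.bak restored above. It assumes the entry uses OpenLDAP's {SSHA} scheme; the DN, the sample entry and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def make_ssha(password, salt):
    """Build an {SSHA} value; used only to construct the sample entry below."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt)

# Constructed sample entry, not real data; the DN is assumed and the base64 value is folded.
DN = "uid=zimbra,cn=admins,cn=zimbra"
_b64 = base64.b64encode(make_ssha("constructed-pass", b"salt")).decode()
SAMPLE_LDIF = f"dn: {DN}\nuid: zimbra\nuserPassword:: {_b64[:30]}\n {_b64[30:]}\n"

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attr_value(line):
    """Decode 'attr: value' (plain) or 'attr:: value' (base64) into bytes."""
    _, _, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()

def stored_password(ldif_text, dn):
    """Return the userPassword bytes of the entry with this DN, or None."""
    in_entry = False
    for line in unfold(ldif_text):
        if not line.strip():
            in_entry = False  # a blank line ends the entry
        elif line.lower().startswith("dn:"):
            in_entry = attr_value(line).decode().lower() == dn.lower()
        elif in_entry and line.lower().startswith("userpassword:"):
            return attr_value(line)
    return None

def ssha_matches(stored, candidate):
    """{SSHA} is base64(SHA-1(password + salt) + salt); the digest is 20 bytes."""
    if stored[:6].upper() != b"{SSHA}":
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[6:])
    calc = hashlib.sha1(candidate.encode() + blob[20:]).digest()
    return hmac.compare_digest(calc, blob[:20])
```

When running this against a real export, read the candidate password with getpass rather than passing it as an argument, so it does not end up in shell history or the process list.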

  8. #8
    am177 is offline Junior Member

    Thanks, Sebas, for the very detailed reply. Earlier this morning, I found a slightly older database backup (ldif file). I was able to blow away the ldap database, and then rebuild the database following the instructions here: LDAP data import export - Zimbra :: Wiki. After that, I was able to connect to my ldap database and actually read the data.

    The server still has some issues, but I'm working through them. Once I have my server back up and running, I'll post some detailed notes here for anyone that might have this problem in the future.

  9. #9
    pup_seba is online now Special Member

    That's great! I'm really glad it's working now. Thanks for sharing the link that worked!

    Regards,
    Sebas
