Thread: Password recovery

  1. #1
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    10

    Password recovery

    Ok say you have a Zimbra server, open source edition, and it's backed up correctly. Say it crashes, or say for some reason you needed to set up a different kind of email server. How would you get the passwords out of the backup or an existing Zimbra server? We were able to migrate to Zimbra without changing hundreds of passwords only because good old Vpopmail stored account passwords in clear text (in and of itself probably not a very good idea), but surely there's some way to know what these passwords are so you can set up a new server without everyone knowing about it and having to set up a new password?

  2. #2
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    719
    Rep Power
    9

    If you replaced Zimbra with some other email server, I think everyone would probably notice. If your users really only need IMAP/POP access, then I think you've chosen poorly (I'd recommend Cyrus).

    But to answer your question, if you are using Zimbra internal authentication, then passwords are stored encrypted in LDAP. To get the salted SHA1 hash for user jdoe, simply run:

    Code:
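    # Read the LDAP bind DN, password and URL from Zimbra's local config, then
    # fetch jdoe's userPassword value and base64-decode it to show the {SSHA} hash.
    /opt/zimbra/openldap/bin/ldapsearch -LLL -x \
    -D "`/opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_userdn | awk '{print $3}'`" \
    -w "`/opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`" \
    -H `/opt/zimbra/bin/zmlocalconfig ldap_url | awk '{print $3}'` \
    "(uid=jdoe)" userPassword \
    | awk '/^userPassword:/ {print $2}' | openssl base64 -d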
    I am not aware of any software other than OpenLDAP (and a few other LDAP servers, including Sun and Fedora) that can use SSHA password hashes, but you could set up a non-Zimbra OpenLDAP server and authenticate against that.

    If the idea of having your email passwords held hostage by Zimbra scares you, then don't use the internal password store. Instead, point Zimbra at your favorite LDAP server, be it Active Directory, Apple OpenDirectory, Novell eDirectory, Sun, etc.
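Why the stored value can be carried to another SSHA-aware server but not read back, as an added example (not code from the thread or from Zimbra): it assumes the OpenLDAP `{SSHA}` layout, base64(SHA1(password + salt) + salt), and the function names and sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes; everything after it is the salt


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(4)  # random salt unless one is supplied
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str):
    """Return (digest, salt) from an {SSHA} value, rejecting malformed input."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    digest, salt = split_ssha(stored)
    attempt = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, attempt)


def migrate(ldif_value_b64: str) -> str:
    """Decode a base64 `userPassword::` LDIF value into the {SSHA} string."""
    return base64.b64decode(ldif_value_b64).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: what the old server would hold for "s3cret".
    old_value = make_ssha("s3cret", salt=b"\x01\x02\x03\x04")
    ldif_field = base64.b64encode(old_value.encode("ascii")).decode("ascii")
    # The new server receives only the hash, never the plaintext.
    new_value = migrate(ldif_field)
    print(new_value)
    print(verify_ssha(new_value, "s3cret"))
    print(verify_ssha(new_value, "guess"))
```

The new server can keep accepting each user's existing password because it recomputes the hash with the stored salt at login; nothing in the stored value yields the plaintext.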

  3. #3
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    10

    Yeah I guess people probably would notice. You have a point, sir.

    Short of the other suggestions you already mentioned, basically I would have to have a fully functioning backup in order to restore the passwords, and even only then all I could do is restore the whole server, is that correct? In other words, say I did a backup but for some reason couldn't get the whole shebang back going again using those dodgy open source restore procedures, is all hope lost? Some way to merge just the usernames/passwords back into a new server or something?

  4. #4
    phoenix (Zimbra Consultant & Moderator)
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    It depends on what you're trying to achieve and how much mail you might lose. If you have a catastrophic hardware failure (let's say a corrupt HD) then the best you can do is recover to a known good backup. IMO, you should as good practice keep a copy of the binary for the same version of Zimbra as you've already installed. You can install Zimbra in a relatively short time, you can then restore your saved backup and then re-install Zimbra again, it shouldn't take too long. The restore and copy will, of course, depend on the size of your backed-up /opt/zimbra directory.

    I would think that restoring in that way would be quicker than trying to install a new email server that's possibly unfamiliar to you and then trying to extract data from a dead server. You should always test any backup/recovery procedure well in advance of needing it and you should do it every time you upgrade Zimbra so you don't get hit by any unexpected changes.
    Backup scripts are in the wiki here, there's even a script that will backup to a remote Zimbra server - how cool is that, almost no downtime.

    Permutations of the backup and restore procedures are as varied as the number of product users, take your pick, try it, test it, break it and see what works for you - and to quote one of those old slogans 'A plan is not a plan until it's written down'. You should also make sure that more than one person in your organisation can perform this restore.
    Regards


    Bill


  5. #5
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    10

    Meh... maybe I'm just holding on to old-style thinking, but it sure would make me feel better if I could actually SEE my passwords. Guess not, eh?
