Promoting a Replica Server to Master. Invalid Credentials

Posted: Sat Feb 22, 2014 10:11 am
by tbovingdon
So, following King0770-Notes-MovingUsers - Zimbra :: Wiki to migrate from a RHEL5 32-bit ZCS 7.2.5 NE install to Ubuntu 10 64-bit ZCS 7.2.5 NE, we've successfully migrated all accounts; using proxy we had next to no downtime. Went to promote the replica by following Promoting Replica to LDAP Master - Zimbra :: Wiki and we get invalid credentials (LDAP error 49) when running ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password".
We confirmed zmlocalconfig -s ldap_root_password matches on the old server and the new.

We confirmed ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password" runs fine on the old server.

We confirmed ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password" runs fine on our test environment replica machine.
Clearly replication is working, as all accounts are on both servers and everything is working fine on the replica.

Certificates match (it was a wildcard) on both servers.
No obvious errors that I can find in /var/log/zimbra.log.

Tried to see if /opt/zimbra/libexec/zmldapreplicatool -t off would help, based on this wiki: Turning off starttls for replication - Zimbra :: Wiki (can't find the post that referenced it), but the command wouldn't run on either server.

Tried Resetting LDAP and MySQL Passwords - Zimbra :: Wiki (it says only for ZCS 5, but the command and its values still seem the same). The zmldappasswd -r newrootpass (same as zmlocalconfig -s ldap_root_password) seems to run OK, but still no joy on the ldapmodify command.
We've opened a ticket with support but no response as of yet. I am posting to see if anyone has any further suggestions. I have a feeling it's something like the replica LDAP password hash doesn't match "zmlocalconfig -s ldap_root_password" when trying the direct ldapmodify command, or something like that, but I defer to the experts!

Promoting a Replica Server to Master. Invalid Credentials

Posted: Mon Feb 24, 2014 9:03 pm
by tbovingdon
So. Seeing as Zimbra support's response was less than responsive on this issue, I ended up trying something.
Looking at the config.#### file that is saved during install, I tried the password for one of the non-replicated services (e.g. nginx) in the ldap command... BINGO, it worked. I then used this post: ShanxT-LDAP-Auth-Failed - Zimbra :: Wiki, following the "Changing ldap directly" section, and managed to change the password that zmldappasswd -r newrootpass would not do.

1. Generate the password hash using 'slappasswd':

NEWPASS=`/opt/zimbra/openldap/sbin/slappasswd -v -s 'Very_secure_pass_591' -h '{SSHA}'`

2. BASE64 encode this password hash:

NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64`

3. As the zimbra user, stop ldap:

ldap stop

4. Replace this new password in the file ~/data/ldap/config/cn=config/olcDatabase={0}config.ldif:

# keep ~ outside the quotes so the shell expands it
cp ~/data/ldap/config/cn=config/'olcDatabase={0}config.ldif' /tmp/

# use '|' as the sed delimiter: the base64 value may contain '/'
sed -i "s|^olcRootPW.*|olcRootPW:: $NEWPASSB64|" ~/data/ldap/config/cn=config/'olcDatabase={0}config.ldif'

The above commands take a backup of 'olcDatabase={0}config.ldif', and then place the new password in the file. If the command fails for whatever reason, just do the steps manually. Take a backup, and replace the existing value of 'olcRootPW:: ' in the 'olcDatabase={0}config.ldif' file with the value of $NEWPASSB64.

5. Start ldap:

ldap start

6. To test, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'

7. Then update localconfig.xml as well.
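The procedure above can be checked offline before touching a live cn=config. The following is an added example, written for this page and not taken from the thread, the linked wiki pages or Zimbra's own code. It reproduces the three mechanical pieces of the recovery in Python: generating an OpenLDAP {SSHA} hash the way slappasswd -h {SSHA} does (SHA-1 over password plus a 4-byte salt, salt appended, base64-encoded), verifying a candidate password against an existing {SSHA} value, and rewriting the olcRootPW attribute in an olcDatabase={0}config.ldif using LDIF's base64 ('attr:: value') form, which is what the sed step does. The root_pw_matches() check is the diagnostic the original poster needed: whether the password in localconfig actually verifies against what cn=config holds. It assumes the olcRootPW value sits on a single LDIF line (slapd does not fold a value this short) and that the hash scheme in use is {SSHA}; the sample LDIF and the passwords in it are constructed for the example.

```python
"""Added example (not from the thread, the wiki pages or Zimbra).

Reproduces slappasswd -h {SSHA}, verifies a password against an {SSHA}
value, and rewrites olcRootPW in a cn=config LDIF file using the
base64 ('olcRootPW:: ...') form the sed step in the post relies on.

Assumptions: the olcRootPW line is not folded across lines, and the
scheme is {SSHA} (SHA-1 over password||salt, 4-byte salt appended).
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64( sha1(password || salt) || salt ), 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """True if password matches an {SSHA} value; the salt is recovered from the value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:10])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_get(ldif: str, attr: str) -> Optional[str]:
    """Return attr's value from single-line LDIF; 'attr:: ' marks a base64-encoded value."""
    m = re.search(r"^%s(::?) (.*)$" % re.escape(attr), ldif, flags=re.M)
    if not m:
        return None
    sep, value = m.group(1), m.group(2).strip()
    return base64.b64decode(value).decode("utf-8") if sep == "::" else value


def ldif_set_root_pw(ldif: str, new_hash: str) -> str:
    """Replace the olcRootPW line with 'olcRootPW:: <base64(new_hash)>'.

    Base64 output can contain '/', which is why a sed s/// using '/' as its
    delimiter breaks on this value; no delimiter is involved here.
    """
    encoded = base64.b64encode(new_hash.encode("ascii")).decode("ascii")
    new_ldif, n = re.subn(r"^olcRootPW::? .*$", "olcRootPW:: " + encoded,
                          ldif, count=1, flags=re.M)
    if n != 1:
        raise ValueError("olcRootPW attribute not found")
    return new_ldif


def root_pw_matches(ldif: str, localconfig_password: str) -> bool:
    """Does the password from 'zmlocalconfig -s ldap_root_password' verify
    against the olcRootPW stored in cn=config? (The thread's mismatch.)"""
    stored = ldif_get(ldif, "olcRootPW")
    return stored is not None and ssha_verify(localconfig_password, stored)


# Constructed sample: a minimal olcDatabase={0}config.ldif whose olcRootPW was set
# from "old-replica-password" with a fixed salt so the example is deterministic.
_OLD_HASH = ssha_hash("old-replica-password", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = "\n".join([
    "dn: olcDatabase={0}config",
    "objectClass: olcDatabaseConfig",
    "olcDatabase: {0}config",
    "olcAccess: {0}to * by dn.exact=cn=config manage by * none",
    "olcRootDN: cn=config",
    "olcRootPW:: " + base64.b64encode(_OLD_HASH.encode("ascii")).decode("ascii"),
    "",
])

if __name__ == "__main__":
    # localconfig says one thing, cn=config holds another: the thread's symptom.
    print("localconfig password matches cn=config:",
          root_pw_matches(SAMPLE_LDIF, "value-from-zmlocalconfig"))
    fixed = ldif_set_root_pw(SAMPLE_LDIF, ssha_hash("value-from-zmlocalconfig"))
    print("after rewriting olcRootPW:",
          root_pw_matches(fixed, "value-from-zmlocalconfig"))
```

To run this against a real file, read olcDatabase={0}config.ldif (with ldap stopped) into a string, call root_pw_matches() with the localconfig value, and only if it returns False write back the result of ldif_set_root_pw(); the ldapwhoami test from step 6 is still the authoritative confirmation once slapd is running again.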

Promoting a Replica Server to Master. Invalid Credentials

Posted: Tue Feb 25, 2014 2:24 pm
by quanah
or you could have just used the zmldappasswd command to update the root password.

Promoting a Replica Server to Master. Invalid Credentials

Posted: Tue Feb 25, 2014 3:12 pm
by tbovingdon
[quote user="quanah"]or you could have just used the zmldappasswd command to update the root password.[/QUOTE]
Man, you're as bad as support. READ my post:
Tried Resetting LDAP and MySQL Passwords - Zimbra :: Wiki (it says only for ZCS 5, but the command and its values still seem the same). The zmldappasswd -r newrootpass (same as zmlocalconfig -s ldap_root_password) seems to run OK, but still no joy on the 

Promoting a Replica Server to Master. Invalid Credentials

Posted: Tue Feb 25, 2014 3:18 pm
by quanah
hm.. This implies that the value in localconfig is not the value that was actually used when the replica was created. That'd be an odd situation to be in. It would generally imply someone ran zmlocalconfig -e ldap_root_password and changed it to some new value, rather than correctly using zmldappasswd -r to update the value.

Promoting a Replica Server to Master. Invalid Credentials

Posted: Tue Feb 25, 2014 3:54 pm
by tbovingdon
Not gonna lie, that IS very likely what happened. :S Good news is it's fixed, and happy for you to mark this as solved.

Promoting a Replica Server to Master. Invalid Credentials

Posted: Tue Feb 25, 2014 4:36 pm
by quanah
Cool. Yeah, recovering from that situation you pretty much have to hand modify cn=config, which is ugly. ;) Glad you got it working.

Re: Promoting a Replica Server to Master. Invalid Credentials

Posted: Wed Jun 29, 2016 9:40 am
by offliner
Hello, I know this issue is an old one and I would appreciate the help.
I am having a problem with the second master LDAP being out of sync (code 6). I tracked down the problem
and figured out it's a TLS problem, so I tried to disable TLS on the second LDAP server with

/opt/zimbra/libexec/zmldapreplicatool -t off based on this wiki: Turning off starttls for replication - Zimbra :: Wiki, but the command wouldn't run on either server.

I get this result:

[zimbra@ldap2 libexec]$ ./zmldapreplicatool -t off
zmldapreplicatool [-q] [-r RID] [-m masterURI] [-t critical|off]

Where:
-q: Query the current replication configuration. This option ignores -m, -r, and -t
-r: RID is a unique Integer Replication ID for this replication instance. It must be unique inside this server. Example: 100 Default: 100. Generally no need to change this.
-m: masterURI is the LDAP URI for the master. Example: ldap://ldap-master.example.com:389/
-t: set startTLS to critical (required) or off (disabled)

Could anyone have an idea how to run the command and what I am doing wrong?


Thank you