Promoting a Replica Server to Master. Invalid Credentials

tbovingdon
Advanced member
Posts: 146
Joined: Fri Sep 12, 2014 10:19 pm

Postby tbovingdon » Sat Feb 22, 2014 10:11 am

So, following King0770-Notes-MovingUsers - Zimbra :: Wiki to migrate from a RHEL5 32-bit ZCS 7.2.5 NE install to Ubuntu 10 64-bit ZCS 7.2.5 NE, we've successfully migrated all accounts; using proxy we had next to no downtime. We went to promote the replica by following Promoting Replica to LDAP Master - Zimbra :: Wiki, and we get invalid credentials (LDAP error 49) when running ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password".
We confirmed zmlocalconfig -s ldap_root_password matches on the old server and the new.

We confirmed ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password" runs fine on the old server.

We confirmed ldapmodify -x -H ldapi:/// -D "cn=config" -w "ldap root password" runs fine on our test environment replica machine.
Clearly replication is working, as all accounts are on both servers and everything is working fine on the replica.

Certificates match (was a wildcard) on both servers.
No obvious errors that I can find in /var/log/zimbra.log.

Tried running /opt/zimbra/libexec/zmldapreplicatool -t off, based on this wiki, Turning off starttls for replication - Zimbra :: Wiki (can't find the post that referenced it), but the command wouldn't run on either server.

Tried Resetting LDAP and MySQL Passwords - Zimbra :: Wiki (it says it applies only to ZCS 5, but the command and its values still seem the same). The zmldappasswd -r newrootpass (same as zmlocalconfig -s ldap_root_password) seems to run OK, but still no joy on the ldapmodify command.
We've opened a ticket with support but no response as of yet. I am posting to see if anyone has any further suggestions... I have a feeling it's something like the replica LDAP password hash doesn't match "zmlocalconfig -s ldap_root_password" when trying the direct ldapmodify command, or something like that... but I defer to the experts!


tbovingdon
Advanced member
Posts: 146
Joined: Fri Sep 12, 2014 10:19 pm

Postby tbovingdon » Mon Feb 24, 2014 9:03 pm

So. Seeing as Zimbra support's response was less than responsive on this issue, I ended up trying something.
Looking at the config.#### file that is saved during install, I compared and tried the password for one of the non-replicated services (e.g. nginx) in the ldap command... BINGO, it worked. I then used this post: ShanxT-LDAP-Auth-Failed - Zimbra :: Wiki and, following the "Changing ldap directly" section, managed to change the password that zmldappasswd -r newrootpass would not.


1. Generate the password hash using 'slappasswd':

NEWPASS=`/opt/zimbra/openldap/sbin/slappasswd -v -s 'Very_secure_pass_591' -h '{SSHA}'`

2. BASE64 encode this password hash:

NEWPASSB64=`echo -n "$NEWPASS" | openssl enc -base64`

3. As the zimbra user, stop ldap:

ldap stop

4. Replace this new password in the file ~/data/ldap/config/cn=config/olcDatabase={0}config.ldif:

cp "$HOME/data/ldap/config/cn=config/olcDatabase={0}config.ldif" /tmp/

sed -i "s|olcRootPW.*|olcRootPW:: $NEWPASSB64|" "$HOME/data/ldap/config/cn=config/olcDatabase={0}config.ldif"

The above commands take a backup of 'olcDatabase={0}config.ldif', and then place the new password in the file. If the command fails for whatever reason, just do the steps manually. Take a backup, and replace the existing value of 'olcRootPW:: ' in the 'olcDatabase={0}config.ldif' file with the value of $NEWPASSB64.

5. Start ldap:

ldap start

6. To test, run:

ldapwhoami -x -h `zmhostname` -D "cn=config" -w 'ldap_root_password_value'

7. Then update localconfig.xml as well.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Postby quanah » Tue Feb 25, 2014 2:24 pm

or you could have just used the zmldappasswd command to update the root password.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
tbovingdon
Advanced member
Posts: 146
Joined: Fri Sep 12, 2014 10:19 pm

Postby tbovingdon » Tue Feb 25, 2014 3:12 pm

quanah wrote: or you could have just used the zmldappasswd command to update the root password.

Man, you're as bad as support. READ my post.
Tried Resetting LDAP and MySQL Passwords - Zimbra :: Wiki (It says only to zcs 5.. but the command and its values still seems the same) the zmldappasswd -r newrootpass (same as zmlocalconfig -s ldap_root_password) seems to run ok, but still no joy on the 
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Postby quanah » Tue Feb 25, 2014 3:18 pm

hm.. This implies that the value in localconfig is not the value that was actually used when the replica was created. That'd be an odd situation to be in. It would generally imply someone ran zmlocalconfig -e ldap_root_password and changed it to some new value, rather than correctly using zmldappasswd -r to update the value.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
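
The mismatch described in the post above, and the olcRootPW:: value that the manual procedure earlier in the thread writes, can be checked offline before editing anything. The following Python is an added example, not part of any post here and not Zimbra tooling: it reads olcRootPW from a cn=config LDIF and tests whether a candidate password (for instance the value shown by zmlocalconfig -s ldap_root_password) produces the stored {SSHA} hash. Function names, the salt and the sample LDIF are constructed for illustration, and only the {SSHA} scheme is handled.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def read_root_pw(ldif_text: str) -> str:
    """Return the olcRootPW value from an LDIF, decoding the base64 '::' form."""
    lines = ldif_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("olcRootPW:"):
            continue
        # LDIF folds long values onto continuation lines starting with a space.
        for cont in lines[i + 1:]:
            if not cont.startswith(" "):
                break
            line += cont[1:]
        value = line[len("olcRootPW:"):]
        if value.startswith(":"):  # 'olcRootPW::' marks a base64-encoded value
            return base64.b64decode(value[1:].strip()).decode()
        return value.strip()
    raise ValueError("no olcRootPW attribute in LDIF")

def password_matches(stored: str, candidate: str) -> bool:
    """True if candidate hashes to the stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} values are handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)

# Constructed sample data: not taken from any real server.
SAMPLE_SALT = bytes.fromhex("0a1b2c3d")
SAMPLE_STORED = make_ssha("Very_secure_pass_591", SAMPLE_SALT)
SAMPLE_LDIF = (
    "dn: olcDatabase={0}config\n"
    "olcDatabase: {0}config\n"
    "olcRootPW:: " + base64.b64encode(SAMPLE_STORED.encode()).decode() + "\n"
    "olcAccess: {0}to * by * none\n"
)

if __name__ == "__main__":
    stored = read_root_pw(SAMPLE_LDIF)
    for candidate in ("Very_secure_pass_591", "value_from_localconfig"):
        print(candidate, "->", password_matches(stored, candidate))
```

A False result for the localconfig value against the replica's olcDatabase={0}config.ldif is the situation this thread ran into.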
tbovingdon
Advanced member
Posts: 146
Joined: Fri Sep 12, 2014 10:19 pm

Postby tbovingdon » Tue Feb 25, 2014 3:54 pm

Not gonna lie... that IS very likely what happened. :S Good news is it's fixed and happy; you can mark as solved.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Postby quanah » Tue Feb 25, 2014 4:36 pm

Cool. Yeah, recovering from that situation you pretty much have to hand modify cn=config, which is ugly. ;) Glad you got it working.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
offliner
Posts: 1
Joined: Wed Jun 29, 2016 9:32 am

Postby offliner » Wed Jun 29, 2016 9:40 am

Hello, I know this issue is an old one and I will appreciate the help.
I am having a problem with the second master LDAP: out of sync, code 6. I tracked down the problem
and figured out it's a TLS problem, so I tried to disable TLS on the second LDAP server with

/opt/zimbra/libexec/zmldapreplicatool -t off, based on this wiki, Turning off starttls for replication - Zimbra ::, but the command wouldn't run on either server.

I get this result:

[zimbra@ldap2 libexec]$ ./zmldapreplicatool -t off
zmldapreplicatool [-q] [-r RID] [-m masterURI] [-t critical|off]

Where:
-q: Query the current replication configuration. This option ignores -m, -r, and -t
-r: RID is a unique Integer Replication ID for this replication instance. It must be unique inside this server. Example: 100 Default: 100. Generally no need to change this.
-m: masterURI is the LDAP URI for the master. Example: ldap://ldap-master.example.com:389/
-t: set startTLS to critical (required) or off (disabled)

Could anyone have an idea how to run the command and what I am doing wrong?


Thank you
