Installing the Zextras build of Zimbra 9 OSE on CentOS 8

LDAP filter

Zimbra will use an LDAP query filter to map user accounts to entries on the external LDAP server. For example, Zimbra user usera@domain.com might be mapped to an entry in the external LDAP server having a uid attribute value of ‘usera’, mail attribute of ‘usera@domain.com’ and an objectClass of ‘OrganizationalPerson’. Only a single unique attribute is required to successfully map Zimbra accounts.

To set the LDAP query filter, you will need a substitution variable and an attribute on the external LDAP server to search. The substitution variable is obtained from the ‘Username’ box on the user login page. Possible substitution variables are (e.g., usera@domain.com):

%n = username with @ symbol — returns ‘usera@domain.com’
%u = username without the @ — returns ‘usera’
%d = domain — returns ‘domain.com’
%D = domain as dc=domain,dc=com — this is a common format for directories such as Active Directory and OpenLDAP


Possible filters for OpenLDAP

(uid=%u) — The user has a uid attribute value in the external directory equal to the user portion of the Zimbra user account.
(uid=%n) — Entire Zimbra user account is used to identify user in the external directory.
(&(cn=%u)(objectClass=OrganizationalPerson)) — The user has a cn attribute value in the directory equal to the user portion of the Zimbra account and has an objectClass value of ‘OrganizationalPerson’.

Possible filters for Active Directory

(samAccountName=%u) — The user has a samAccountName attribute value in AD equal to the user portion of the Zimbra user account.
(userPrincipalName=%n) — The user has a userPrincipalName attribute value in AD equal to the entire Zimbra user account.
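As an added example (not Zimbra's own code and not from the original page), the following Python derives the four substitution variables from the login name and substitutes them into one of the filters above. It also escapes each substituted value per RFC 4515, which a safe implementation must do because the value comes straight from the Username box on the login page; the function names are this example's own.

```python
import re

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# The value comes from the login form, so an unescaped '*', '(' or ')'
# would change the meaning of the filter; escaping keeps it a literal.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def substitution_vars(login: str) -> dict:
    """Derive %n, %u, %d and %D from a login of the form user@domain.

    Assumption of this example: a login without '@' is rejected rather
    than defaulted to some domain."""
    user, sep, domain = login.partition("@")
    if not (user and sep and domain):
        raise ValueError("login must be of the form user@domain")
    return {
        "n": login,                                           # usera@domain.com
        "u": user,                                            # usera
        "d": domain,                                          # domain.com
        "D": ",".join("dc=" + p for p in domain.split(".")),  # dc=domain,dc=com
    }


def expand_filter(template: str, login: str) -> str:
    """Replace %n/%u/%d/%D in a filter template with escaped values.

    Escaping here is for filter context (RFC 4515); a %D used as a search
    base DN instead would need DN escaping (RFC 4514), not shown here."""
    values = substitution_vars(login)
    return re.sub(r"%([nudD])", lambda m: escape_filter_value(values[m.group(1)]), template)
```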

LDAP replication


Your LDAP Master server (machine 1) should be installed using normal ZCS installation options. The replica will be installed on a separate server (machine 2).

Replica Configuration

After the master server is up, enable replication on the master with the command /opt/zimbra/libexec/zmldapenablereplica

Install Replica Server

To install the replica server:

  • Make sure the master is up and running before you apply the configuration to machine 2 and complete the installation.
  • Use standard install.sh options, including the zimbra-ldap server.
  • Set the master LDAP server for machine 2 to be machine 1.
  • Set the LDAP root password to the correct value (run zmlocalconfig -s ldap_root_password on the master to determine this value)
  • Set the LDAP replication password to the correct value (run zmlocalconfig -s ldap_replication_password on the master to determine this value)
  • Installation will complete as normal, and both servers will have their ZCS servers up, except for slapd on machine 2.

Note: In order to install an LDAP replica server with no MBS (Mailbox Server), set zimbra_zmprov_default_to_ldap to true, using the following command: zmlocalconfig -e zimbra_zmprov_default_to_ldap=true. If you later add an MBS to your LDAP replica server, set zimbra_zmprov_default_to_ldap to false.

If you want to install an LDAP replica on a previously existing Zimbra server, you will need to use install.sh to install zimbra-ldap on the server. When install.sh asks if you wish to perform an upgrade, select Yes, then select Yes when it asks to install zimbra-ldap. The rest of the install will be similar to installing a disabled LDAP server on a new box.

When this is complete, you’re done. You can test the replica by creating a few accounts through the administrative interface on the master server. You should be able to see them immediately with an LDAP search run against machine 2.

LDAP logging will appear in /var/log/zimbra.log. It is recommended that this logging be enabled only for testing and troubleshooting.

Running LDAP replica

Any services running on the replica server itself will automatically query the replica first.

The order for the ldap_url key on the hosts using the replica should be replicas first, with the master listed last. The master must always be included!

Configuring more than two masters

Theoretically, you can have as many masters as desired in a master pool. Zimbra does not advise having more than 4 masters at this time.

To add additional masters to an existing MMR pool, the following steps should be taken:

On all existing masters in the MMR pool:

  • Run /opt/zimbra/libexec/zmldapquery-mmr (8.0.6 and previous) or /opt/zimbra/libexec/zmldapmmrtool -q (8.0.7 and later) to find out the RID values for the existing replication agreements
  • Run /opt/zimbra/libexec/zmldapenable-mmr -r <new rid> -m ldap://<new master>:389/ to add a replication agreement for the new MMR master


 zimbra@ldap1.example.com:~$ ./libexec/zmldapquery-mmr
 Server information
 ServerID: 1
 Master replication information
 Master replica 1
 rid: 100 URI: ldap://ldap2.example.com:389/
 zimbra@ldap1.example.com:~$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap3.example.com:389/
 zimbra@ldap2.example.com:~$ ./libexec/zmldapquery-mmr
 Server information
 ServerID: 2
 Master replication information
 Master replica 1
 rid: 100 URI: ldap://ldap1.example.com:389/
 zimbra@ldap2.example.com:~$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap3.example.com:389/

Now start ZCS installation on the new server you wish to add to the pool, as described above in the section Installing a Secondary master. Be sure that when the Ldap replication type is changed to mmr that the Server ID for this new server is set to something unique.


 Ldap configuration
   3) Ldap replication type:                   mmr
   4) Ldap Server ID:                          3

After installation of the additional MMR server is complete:

Add replication agreements to the new master with the masters it doesn’t yet have an agreement with.

Example: Assuming that ldap3.example.com was given ldap1.example.com as its master during installation time, we must add an agreement with ldap2.example.com

zimbra@ldap3.example.com:~$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap2.example.com:389/

Remember to update the localconfig keys ldap_master_url and ldap_url on all servers.


zimbra@ldap1.example.com:~$ zmlocalconfig -e ldap_master_url="ldap://ldap1.example.com:389 ldap://ldap2.example.com:389 ldap://ldap3.example.com:389"
zimbra@ldap1.example.com:~$ zmlocalconfig -e ldap_url="ldap://ldap1.example.com:389 ldap://ldap2.example.com:389 ldap://ldap3.example.com:389"
zimbra@ldap2.example.com:~$ zmlocalconfig -e ldap_master_url="ldap://ldap2.example.com:389 ldap://ldap3.example.com:389 ldap://ldap1.example.com:389"
zimbra@ldap2.example.com:~$ zmlocalconfig -e ldap_url="ldap://ldap2.example.com:389 ldap://ldap3.example.com:389 ldap://ldap1.example.com:389"
zimbra@ldap3.example.com:~$ zmlocalconfig -e ldap_master_url="ldap://ldap3.example.com:389 ldap://ldap1.example.com:389 ldap://ldap2.example.com:389"
zimbra@ldap3.example.com:~$ zmlocalconfig -e ldap_url="ldap://ldap3.example.com:389 ldap://ldap1.example.com:389 ldap://ldap2.example.com:389"

Restart services on all of the servers.


zimbra@ldap1.example.com:~$ zmcontrol restart
zimbra@ldap2.example.com:~$ zmcontrol restart
zimbra@ldap3.example.com:~$ zmcontrol restart

Make sure that the localconfig keys ldap_master_url and ldap_url are up to date on all nodes.

Deleting MMR nodes

WARNING: Configuring MMR is a one-way trip! Once you have configured MMR, you must not remove all nodes from the MMR configuration! If you’re removing nodes, you must retain at least one replication agreement on your MMR nodes.

To delete an MMR node, the following steps should be taken. This is only possible in ZCS 8.0.7 and later:

  1. Update ldap_master_url and ldap_url on every node, removing the ldap MMR node that will be shut down.
  2. Wait 5-10 minutes to ensure this modification is in place.
  3. Monitor /var/log/zimbra.log on the MMR node that will be shut down and confirm it is no longer receiving modification traffic
  4. Run ldap stop on the MMR node that is being shut down.
  5. Log into the remaining MMR nodes and do the following:
    1. /opt/zimbra/libexec/zmldapmmrtool -q
    2. Find the matching RID for the MMR node you shut down
    3. /opt/zimbra/libexec/zmldapmmrtool -d -o RID

Example of using zmldapmmrtool:
Given 3 MMR servers ldap1.example.com, ldap2.example.com and ldap3.example.com, where ldap3.example.com is being shut down:

zimbra@ldap1:/opt/zimbra$ /opt/zimbra/libexec/zmldapmmrtool -q
Master replication information
Master replica 1
rid: 100 URI: ldap://ldap2.example.com:389/ TLS: critical
Master replica 2
rid: 101 URI: ldap://ldap3.example.com:389/ TLS: critical

So the RID used for ldap3.example.com is 101. This agreement can be deleted with:

zimbra@ldap1:/opt/zimbra$ /opt/zimbra/libexec/zmldapmmrtool -d -o 101

Then confirm it worked with:

zimbra@ldap1:/opt/zimbra$ /opt/zimbra/libexec/zmldapmmrtool -q
Master replication information
Master replica 1
rid: 100 URI: ldap://ldap2.example.com:389/ TLS: critical

Repeat on the remaining node(s)

Fixed Bug in Zimbra Collaboration 8.7

In Zimbra Collaboration 8.7 it is not possible to delete the last remaining LDAP replication agreement.

In an MMR system consisting of two nodes:

zimbra@zqa-xx:~$ /opt/zimbra/libexec/zmldapmmrtool -q
Master replication agreement: 1
rid: 100 URI: ldap://zqa-yy.eng.zimbra.com:389/ TLS: critical
zimbra@zqa-xx:~$ /opt/zimbra/libexec/zmldapmmrtool -d -o 100

Error: It is illegal to delete the last remaining replication agreement.
You must define a new replication agreement prior to deleting the final one.
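The deletion steps above and the 8.7 safeguard both come down to reading the zmldapmmrtool -q output, finding the RID of the agreement that points at the node being removed, and refusing to delete the last agreement. This added Python (not part of Zimbra and not from the original page) parses that output format, tolerates the older zmldapquery-mmr form without the TLS field, and builds the -d -o RID command only when another agreement remains; the sample output is constructed from the ldap1.example.com listing above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the format zmldapmmrtool -q prints, modelled on the
# ldap1.example.com output above (not captured from a real system).
SAMPLE_OUTPUT = """\
Master replication information
Master replica 1
rid: 100 URI: ldap://ldap2.example.com:389/ TLS: critical
Master replica 2
rid: 101 URI: ldap://ldap3.example.com:389/ TLS: critical
"""

# Older zmldapquery-mmr output has no TLS field, so it is optional here.
_AGREEMENT = re.compile(r"^rid:\s*(\d+)\s+URI:\s*(\S+)(?:\s+TLS:\s*(\S+))?\s*$")


@dataclass(frozen=True)
class Agreement:
    rid: int
    uri: str
    tls: str  # "critical" in the examples above, "" when the field is absent


def parse_mmr_query(output):
    """Return one Agreement per 'rid: ... URI: ...' line; other lines are ignored."""
    found = []
    for line in output.splitlines():
        m = _AGREEMENT.match(line.strip())
        if m:
            found.append(Agreement(int(m.group(1)), m.group(2), m.group(3) or ""))
    return found


def rid_for_host(agreements, host):
    """RID of the agreement whose URI points at host, or None if there is none."""
    for a in agreements:
        if urlparse(a.uri).hostname == host:
            return a.rid
    return None


def plan_removal(output, host):
    """Delete command for host's agreement, or None when it is the last one left."""
    agreements = parse_mmr_query(output)
    rid = rid_for_host(agreements, host)
    if rid is None or len(agreements) < 2:
        return None  # unknown host, or the last agreement: define a new one first
    return f"/opt/zimbra/libexec/zmldapmmrtool -d -o {rid}"
```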