Kopano-Server, Ldap - Invalid credentials

kopano

#1

Hi,
we are using ucs & kopano as groupware-server.
Since yesterday kopano-server stopped working due to an LDAP-error:

Fri Mar 8 08:38:27 2019: [warning] LDAP (simple) bind on cn=mailHost,cn=dc,cn=computers,dc=XX-XXX,dc=intranet failed: Invalid credentials
Fri Mar 8 08:38:27 2019: [crit ] Cannot instantiate user plugin: Failure connecting any of the LDAP servers
Fri Mar 8 08:38:27 2019: [crit ] Unable to instantiate user plugin

First I detected that the machine.secret and kopano-ldap.secret are different - it seems that the machine.secret changes (?). After updating the kopano-ldap.secret I succeeded in using the ldap-search:

ldapsearch -D $(ucr get ldap/hostdn) -y /etc/kopano-ldap.secret

The system is up-to-date (apt update/upgrade)

journalctl -u kopano-server
There are no references/clues to the missing credentials.

However - concerning https://wiki.z-hub.io (Debugging Kopano on Univention) - the app kopano-core is not shown using univention-app info

apt-cache search finds nothing, and on portal.kopano.com I have learned that Kopano Core 8.7.0.85 is only available as Beta and not in Final release (?)

Configuration:

ii kopano-server-packages 8.7.0.0-0+1.1 all Metapackage to install the entire Kopano Core stack
ii kopano-webapp 3.5.2.2146+87.1 all New and improved WebApp for Kopano
ii kopano-webapp-plugin-desktopnotifications 2.0.2.23+27.1 all Kopano WebApp Desktop notifications plugin
ii kopano-webapp-plugin-filepreviewer 2.1.0.26+19.1 all Kopano File previewer plugin
ii kopano-webapp-plugin-files 2.1.5.305+93.1 all Adds Files functionality to Kopano enabling access to WebDAV and other files backends.
ii kopano-webapp-plugin-filesbackend-owncloud 2.1.0.87+41.1 all Adds Owncloud specific functionality to Kopano Files plugin.
ii kopano-webapp-plugin-filesbackend-smb 2.1.0.50+30.1 all Adds Samba specific functionality to Kopano Files plugin.
ii kopano-webapp-plugin-folderwidgets 3.5.2.2146+87.1 all Kopano WebApp folder widgets plugin
ii kopano-webapp-plugin-mdm 2.1.0.97+33.1 all Kopano WebApp MDM plugin
ii kopano-webapp-plugin-smime 2.2.1.223+22.1 all Kopano WebApp S/MIME plugin
ii kopano-webapp-plugin-spell 2.0.0.19+36.1 all Kopano WebApp Spellchecker plugin
ii kopano-webapp-plugin-spell-de-de 2.0.0.3+22.1 all Kopano WebApp Spellchecker German dictionary plugin
ii kopano-webapp-plugin-spell-en 2.0.0.1+22.1 all Kopano WebApp Spellchecker English dictionary plugin
ii kopano-webapp-plugin-spell-nl 2.0.0.1+23.1 all Kopano WebApp Spellchecker Dutch dictionary plugin
ii kopano-webapp-plugin-titlecounter 3.5.2.2146+87.1 all Kopano WebApp Titlecounter plugin
ii kopano-webapp-plugin-webappmanual 3.5.2.2146+87.1 all Kopano WebApp Manual plugin
rc kopano4ucs 1.4.8 all Kopano4ucs integration package for Univention Corporate Server
ii kopano4ucs-lib 1.5.13 all Library package for common Kopano4ucs functions
ii kopano4ucs-schema 1.4.8 all LDAP schema for the Kopano4ucs integration
ii kopano4ucs-udm 1.4.8 all UDM extensions for the Kopano4ucs integration
ii kopano4ucs-webapp 1.5.13 all Kopano4ucs kopano-webapp integration package for Univention Corporate Server
ii kopano4ucs-z-push 1.4.0 all Meta package for Z-Push installation
ii z-push-kopano 2.4.5+0-0 all Z-Push for Kopano
ii z-push-kopano-gabsync 2.4.5+0-0 all G

univention-app info

UCS: 4.3-3 errata452
Installed: fetchmail=6.3.26 kopano-webapp=3.4.22.1782 self-service=3.0 z-push-kopano=2.4.2
Upgradable: z-push-kopano

ucr dump | grep kopano/cfg

kopano/cfg/gateway/imaps_enable: yes
kopano/cfg/gateway/pop3s_enable: yes
kopano/cfg/gateway/ssl_certificate_file: /etc/kopano/ssl/cert.pem
kopano/cfg/gateway/ssl_private_key_file: /etc/kopano/ssl/private.key
kopano/cfg/ical/icals_enable: yes
kopano/cfg/ical/server_timezone: @&@/etc/timezone@&@
kopano/cfg/ical/ssl_certificate_file: /etc/kopano/ssl/cert.pem
kopano/cfg/ical/ssl_private_key_file: /etc/kopano/ssl/private.key
kopano/cfg/ldap.propmap/0x3004001E: description
kopano/cfg/ldap.propmap/0x3A06001E: givenName
kopano/cfg/ldap.propmap/0x3A08001E: telephoneNumber
kopano/cfg/ldap.propmap/0x3A09001E: homePhone
kopano/cfg/ldap.propmap/0x3A11001E: sn
kopano/cfg/ldap.propmap/0x3A16001E: o
kopano/cfg/ldap.propmap/0x3A17001E: title
kopano/cfg/ldap.propmap/0x3A18001E: departmentNumber
kopano/cfg/ldap.propmap/0x3A19001E: roomNumber
kopano/cfg/ldap.propmap/0x3A1C001E: mobile
kopano/cfg/ldap.propmap/0x3A21001E: pager
kopano/cfg/ldap.propmap/0x3A27001E: l
kopano/cfg/ldap.propmap/0x3A29001E: street
kopano/cfg/ldap.propmap/0x3A2A001E: postalCode
kopano/cfg/ldap.propmap/0x8005001E: secretary
kopano/cfg/ldap/ldap_authentication_method: bind
kopano/cfg/ldap/ldap_bind_passwd: @&@/etc/kopano-ldap.secret@&@
kopano/cfg/ldap/ldap_bind_user: @%@ldap/hostdn@%@
kopano/cfg/ldap/ldap_emailaddress_attribute: mailPrimaryAddress
kopano/cfg/ldap/ldap_emailaliases_attribute: mailAlternativeAddress
kopano/cfg/ldap/ldap_group_search_filter: (&(kopanoAccount=1)(objectClass=kopano-group))
kopano/cfg/ldap/ldap_groupmembers_attribute: uniqueMember
kopano/cfg/ldap/ldap_groupmembers_attribute_type: dn


#2

Yes, we decided to move 8.7.0.0 (what you have installed) out of the final repo for the moment, while we are investigating a caching issue.

This is the reason why the ldap password was not updated. The integration package is carrying out this task, but it's currently not installed.

I heard from our support that they have a case like this at the moment as well. We already fixed the missing dependency a few times in the past (it always came down to missing python3-xapian, which should be part of the repository).

Some steps to debug this are mentioned in Durch Paketupdate LDAP kaputt (post in German).

Edit: looking at our support ticketing system, the mentioned support case actually seems to be a ticket from you (KS-42759).


#3

In case you did not manage to get it working… As long as the kopano4ucs package is not installed, you will have to manually adapt the /etc/kopano/ldap.cfg and set ldap_bind_passwd to the content of /etc/machine.secret and restart the kopano-server service (or in your case, /etc/kopano-ldap.secret would also be fine, as you fixed that file already).


#4

ThanX - the system is now working again; I’ve manually updated both files, /etc/kopano/ldap.cfg and /etc/kopano-ldap.secret, using the newly generated password in /etc/machine.secret.

With respect to kopano-ldap I’ve found a corresponding clue via Google - but then I forgot to update the password in /etc/kopano/ldap.cfg

/fReitinger
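
The manual fix from posts #3 and #4, turned into a consistency check (an added example, not part of the thread and not Kopano or UCS tooling): it compares SHA-256 hashes of /etc/machine.secret, /etc/kopano-ldap.secret and the ldap_bind_passwd value in /etc/kopano/ldap.cfg, so drift after a machine password rotation is reported without any secret being printed. The function names are hypothetical and a `key = value` layout of ldap.cfg is assumed.

```shell
#!/bin/sh
# Added example: detect drift between the UCS machine secret and the copies
# Kopano binds with. Paths default to the files named in the thread.

# Hash stdin so secrets are compared without ever being echoed.
# Line endings are stripped so "secret\n" and "secret" compare equal.
secret_hash() {
    tr -d '\r\n' | sha256sum | cut -d' ' -f1
}

# Print the last uncommented ldap_bind_passwd value of an ldap.cfg-style file
# (assumed layout: key = value), with surrounding whitespace removed.
cfg_bind_passwd() {
    sed -n '/^[[:space:]]*ldap_bind_passwd[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | tail -n 1
}

# Prints one "ok:" or "drift:" line per copy.
# Returns 0 if both copies match, 1 on drift, 2 if a file is unreadable.
check_kopano_ldap_secret() {
    machine=${1:-/etc/machine.secret}
    copy=${2:-/etc/kopano-ldap.secret}
    cfg=${3:-/etc/kopano/ldap.cfg}

    for f in "$machine" "$copy" "$cfg"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 2; }
    done

    want=$(secret_hash < "$machine")
    rc=0
    if [ "$(secret_hash < "$copy")" = "$want" ]; then
        echo "ok: $copy"
    else
        echo "drift: $copy"; rc=1
    fi
    if [ "$(cfg_bind_passwd "$cfg" | secret_hash)" = "$want" ]; then
        echo "ok: $cfg"
    else
        echo "drift: $cfg"; rc=1
    fi
    return $rc
}
```

Source the file as root (the secret files are not world-readable) and call `check_kopano_ldap_secret` with no arguments; a non-zero return after a package update points to the state described in post #1.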
