Zarafa: Disconnect from LDAP because search error Can't cont

german

#1

Hallo allerseits,

seit dem letzten Errata-Update kann ich mich nicht mehr über die Webapp anmelden (außer der Benutzer Administrator).
im Server.log steht öfter

Disconnect from LDAP because search error Can't contact LDAP server

Slaptest war ohne Auffälligkeiten.

568b9038 OVER: Loading Translog Overlay
568b9038 OVER: db_init
568b9038 OVER: Configuring Translog Overlay
568b9038 OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
568b9038 /etc/ldap/slapd.conf: line 220: rootdn is always granted unlimited privileges.
568b9038 WARNING: No dynamic config support for overlay translog.
config file testing succeeded
568b9038 OVER: db_close
568b9038 OVER: db_destroy

Andere Dienste haben kein Problem mit LDAP (SSH/OwnCloud/…). Was kann ich weiter analysieren?


Nach Deinstallation von OX übrige Fragmente bereinigen
#2

Hallo Steve,

kannst du einmal zarafa-server über die Konsole neustarten und dann den Inhalt der server.log hier posten?

Was sagt denn ein zarafa-admin -l über die Kommandozeile?


#3

Hi,

vielen Dank für die Hilfe.

Server restart:

invoke-rc.d zarafa-server restart [ ok ] Stopping Zarafa server: zarafa-server. [ ok ] Starting Zarafa server: zarafa-server.

server.log:

Tue Jan 5 16:24:21 2016: Shutting down. Tue Jan 5 16:24:21 2016: Still waiting for 8 threads to exit Tue Jan 5 16:24:28 2016: Server shutdown complete. Tue Jan 5 16:24:28 2016: Starting zarafa-server version 7,1,14,51822, pid 15366 Tue Jan 5 16:24:28 2016: Listening for TCP connections on port 236 Tue Jan 5 16:24:28 2016: Listening for SSL connections on port 237 Tue Jan 5 16:24:28 2016: Listening for priority pipe connections on /var/run/zarafa-prio Tue Jan 5 16:24:28 2016: Listening for pipe connections on /var/run/zarafa Tue Jan 5 16:24:28 2016: Connection to database 'zarafa' succeeded Tue Jan 5 16:24:28 2016: zarafa-licensed is running, but no license key was found. Not all commercial features will be available. Tue Jan 5 16:24:28 2016: Loading searchfolders Tue Jan 5 16:24:28 2016: Startup succeeded on pid 15371

zarafa-admin -l

User list for Default(3): Username Fullname Homeserver ----------------------------------------------------- SYSTEM SYSTEM snas Administrator Administrator h***** H*****

Da ist der Hase wohl im Pfeffer begraben… Die User fehlen, um die es geht (Administrator funktionierte ja wie gesagt).

Habe daraufhin noch einmal genauer in den anderen Logs geschaut:

monitor.log
Seit dem Update erscheint folgender Fehler:

Unable to get userlist for company Default, error code 0x8004010F

Beiläufig aber eher nicht verantwortlich:
php-mapi.log
Hier kommt schon immer:

MAPI error: 80040111 (method: zif_mapi_logon_zarafa, line: 960)

#4

Ok, die Meldung mit dem “Can’t contact LDAP server” ist etwas irreführend. Generell kommt er ja ans LDAP dran (wenn nicht würde er das nach dem Start auch bemeckern) und der Login mit dem Admin würde nicht klappen, wenn das LDAP nicht antworten würde.

Soweit ich weiß wird diese Meldung auch generiert, wenn eine LDAP Verbindung in ein normalen Disconnect durch Timeout o.ä. rennt. Solange man sich aber einloggen kann, kann die Meldung ignoriert werden.

Die Meldung “Unable to get userlist for company” ist aber interessant. Wurden Änderungen an der server.cfg/ldap.cfg durchgeführt? So wie es aussieht scheint der Suchfilter nicht ganz zu passen, daher sieht zarafa-server nicht die Nutzer die über die umc angelegt werden.


#5

Hallo Herr Bartels,

danke für den Hinweis. Von mir wurden diese nicht angepasst. Könnte vielleicht mit dem Update zu tun haben. Ich kann es erst heute Abend testen. Wie müsste denn der korrekte Suchstring aussehen? Komisch ist eben, dass der eine User (der mit Sternchen maskierte) ohne Probleme erkannt wird und auch nutzbar ist (sehe erfolgreiche Zugriffe im Z-Push-Log). Nur die anderen User werden nicht gefunden…

Danke vorab!


#6

Die Einträge der folgenden UCR-Variablen habe ich getestet (gleiche Entsprechung in der ldap.cfg):
…/ldap_user_search_filter

univention-ldapsearch '(zarafaAccount=1)'
-> Ausgabe aller Nutzer passt

…/ldap_group_search_filter

univention-ldapsearch '(&(zarafaAccount=1)(objectClass=zarafa-group))'

Ausgabe

# extended LDIF
#
# LDAPv3
# base ****
# filter: (&(zarafaAccount=1)(objectClass=zarafa-group))
# requesting: ALL
#

# search result
search: 3
result: 0 Success

# numResponses: 1

Ich denke, das ist ok.


#7

Kann es sein, dass ich die Fehlermeldung

Unable to get userlist for company Default, error code 0x8004010F

ignorieren kann? Laut Google ist “Default” ein Parameter

"Unable to get userlist for company %s, error code 0x%08X"

Möglicherweise bezieht er sich auf den Konfigurationsteil
[/code]

For active directory, use:

(objectCategory=Company)

For LDAP with posix users, use:

no need to set the filter

ldap_company_search_filter =
[/code]
der für mich eh nicht relevant ist…?

Die Stores der fehlenden User werden erkannt mittels
[/code]zarafa-admin --list-orphans[/code]
Heißt das schlichtweg, dass die User für Zarafa gelöscht wurden??? Bekomme ich diese wiederbelebt?


#8

Ja, wenn ein Nutzer nicht mehr von zarafa-server gefunden wird (als z.B. nicht mehr in “zarafa-admin -l” auftaucht), dann geht der Server davon aus, dass dieser gelöscht wurde. Das zum Benutzer gehörige Postfach verwaist dann und tauch unter --list-orphans auf (und kann dann wenn gewünscht permanent gelöscht oder einen neuen Benutzer zugeordnet werden).

So richtig erklären, warum “univention-ldapsearch '(zarafaAccount=1)” mehr Nutzer ausgeben soll, als dann “zarafa-admin -l” kann ich mir derzeit aber nicht. Welche Univention Version wird denn genutzt und seit welchem Update tritt das auf?

Bezüglich der Zeile im monitor.log. Eigentlich sollte er sowas nur loggen, wenn der Mehrmandantemodus von Zarafa aktiviert wurde. Dies ist aber per Default auf Univention aus.


#9

Ok, Zarafa geht davon aus, sprich es muss nicht zwangsweise eine Löschung stattgefunden haben.

Es ist Univention 4.1-0 errata44 vorher glaube 4.1-0 errata1x, Updates betraf nur Paketcenter-Aktualisierungen, keine Appcenter-Updates. Bin etwas ratlos…

hier noch zum Beweis, wenn ich im LDAP einen konkreten, von zarafa-admin -l nicht gefundenen User suche:

univention-ldapsearch '(&(&(zarafaAccount=1)(|(objectClass=posixAccount)(objectClass=zarafa-contact)))(|(uid=ste****)))'
# extended LDIF
#
# LDAPv3
# base <dc=lokal,dc=lan> (default) with scope subtree
# filter: (&(&(zarafaAccount=1)(|(objectClass=posixAccount)(objectClass=zarafa-contact)))(|(uid=ste****)))
# requesting: ALL
#

# ste****, users, lokal.lan
dn: uid=ste****,cn=users,dc=lokal,dc=lan
uid: steven
krb5PrincipalName: ste****
uidNumber: 2009
sambaAcctFlags: [U          ]
sambaPasswordHistory: ****
krb5MaxLife: 86400
shadowLastChange: 16174
cn: ste****
userPassword:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
sambaMungedDial: ****
 AYQBnAHMAMQAwMDAwMDEwMA==
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: ****
sambaPwdLastSet: ****
sambaNTPassword: ****
displayName: ste****
gecos: ste****
sn: e****
pwhistory: ****
homeDirectory: /home/ste****
givenName: ste****
gidNumber: 5001
sambaPrimaryGroupSID: ****
sambaSID: ****
ownCloudEnabled: 1
univentionOpenvpnAccount: 1
mail: ste******
mailPrimaryAddress: ste**********
zarafa4ucsRole: user
zarafaAccount: 1
zarafaAdmin: 0
zarafaSharedStoreOnly: 0
univentionFetchmailProtocol: IMAP
objectClass: top
objectClass: person
objectClass: univentionPWHistory
objectClass: posixAccount
objectClass: shadowAccount
objectClass: univentionMail
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: univentionObject
objectClass: ownCloudUser
objectClass: univentionOpenvpnUser
objectClass: oxUserObject
objectClass: zarafa-user
objectClass: univentionFetchmail

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

#10

Wäre es möglich die User wieder anzulegen?
Also vielleicht per UCM Weboberfläche den Wechsel beim Benutzer ste*** von Zarafa-Benutzer auf keine und wieder zurück? Danach die verweisten Daten wieder dem Nutzer zuweisen?


#11

Einen Versuch wäre es wert. Die wahscheinlichkeit sehe ich aber eher als gering. Die Frage ist ja, warum die Elemente nicht gefunden werden. Hier könnte es helfen, wenn du einmal die Ausgabe eines nicht gefundenen Eintrages zusammen mit deiner ldap.cfg und server.cfg hier postest.

Ich habe bei mir ein lokales 4.1 Testsystem mal von Errata 14 nach 44 gebracht und hatte anschließend noch all meine Benutzer.


#12

Hi,

die Ausgabe eines Nutzers, der über zarafa-admin -l nicht gefunden wird, ist in dem Post vorher (user ste****). Oder ist eine andere Ausgabe gemeint?

die ldap.cfg lautet:

##############################################################
#  LDAP/ACTIVE DIRECTORY USER PLUGIN SETTINGS
#
# Any of these directives that are required, are only required if the
# userplugin parameter is set to ldap.

# LDAP host name/IP address
# Optional, default = localhost
# Warning: the value "ldap_host" has been set via UCR variable "zarafa/cfg/ldap/ldap_host"
ldap_host = snas.lokal.lan

# LDAP port
# Optional, default = 389
# Use 636 for ldaps
# Warning: the value "ldap_port" has been set via UCR variable "zarafa/cfg/ldap/ldap_port"
ldap_port = 7389

# LDAP protocol
# Optional, default = ldap
# use 'ldaps' for SSL encryption. Make sure /etc/ldap/ldap.conf is
# configured correctly with TLS_CACERT
ldap_protocol = ldap

# LDAP URI
# Optional, override ldap_host, ldap_port and ldap_protocol if set
# e.g. ldaps://servername:port. You may also specify multiple space-separated
# URI's
ldap_uri =

# The charset that strings are stored in on the LDAP server. Normally this
# is utf-8, but this can differ according to your setup. The charset specified
# here must be supported by your iconv(1) setup. See iconv -l for all charset
ldap_server_charset = utf-8

# The DN of the user to bind as for normal operations (not used for
# authentication if ldap_authentication_method is set to "bind"
# Optional, default = empty (anonymous bind)
# The userPassword attribute must be readable for this user if the
# ldap_authentication_method option is set to password.
# Warning: the value "ldap_bind_user" has been set via UCR variable "zarafa/cfg/ldap/ldap_bind_user"
ldap_bind_user = cn=snas,cn=dc,cn=computers,dc=lokal,dc=lan

# LDAP bind password
# Optional, default = empty (no password)
# Warning: the value "ldap_bind_passwd" has been set via UCR variable "zarafa/cfg/ldap/ldap_bind_passwd"
ldap_bind_passwd = X******

# The timeout for network operations in seconds
ldap_network_timeout = 30

# When an object (user/group/company) is changed, this attribute will also change:
# Active directory: uSNChanged
# LDAP: modifyTimestamp
ldap_last_modification_attribute = modifyTimestamp

# ldap_page_size limits the number of results from a query that will be downloaded at a time.
# Default ADS MaxPageSize is 1000.
ldap_page_size = 1000

##########
# Object settings

# Top level search base, every object should be available under this tree
# Warning: the value "ldap_search_base" has been set via UCR variable "zarafa/cfg/ldap/ldap_search_base"
ldap_search_base = dc=lokal,dc=lan

# attribute name which is/(should: was) used in ldap_user_search_filter
ldap_object_type_attribute = objectClass
# Warning: the value "ldap_user_type_attribute_value" has been set via UCR variable "zarafa/cfg/ldap/ldap_user_type_attribute_value"
ldap_user_type_attribute_value = zarafa-user
ldap_group_type_attribute_value = posixGroup
ldap_contact_type_attribute_value = zarafa-contact
ldap_company_type_attribute_value = organizationalUnit
ldap_addresslist_type_attribute_value = zarafa-addresslist
ldap_dynamicgroup_type_attribute_value = zarafa-dynamicgroup


##########
# There should be no need to edit any values below this line
##########

##########
# User settings

# Extra search for users using this LDAP filter.  See ldap_search(3) or RFC
# 2254 for details on the filter syntax.
#
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa users.
#
# Note: This filter should include contacts.
#
# Optional, default = empty (match everything)
# For active directory, use:
#   (objectCategory=Person)
# For LDAP with posix users:
#   no need to use the search filter.
# Warning: the value "ldap_user_search_filter" has been set via UCR variable "zarafa/cfg/ldap/ldap_user_search_filter"
ldap_user_search_filter = (zarafaAccount=1)

# unique user id for find the user
# Required
# For active directory, use:
#    objectGuid ** WARNING: This WAS: objectSid ** Updates *WILL* fail! **
# For LDAP with posixAccount, use:
#    uidNumber
# Note: contacts also use this field for uniqueness. If you change this,
# you might need to update the zarafa.schema file too, and change
# the MUST uidNumber to whatever you set here.dnl
# Warning: the value "ldap_user_unique_attribute" has been set via UCR variable "zarafa/cfg/ldap/ldap_user_unique_attribute"
ldap_user_unique_attribute = entryUUID

# Type of unique user id
# default: text
# For active directory, use:
#		binary
# For LDAP with posix user, use:
#		text
ldap_user_unique_attribute_type = text

# Optional, default = cn
# For active directory, use:
#   cn or displayName
# For LDAP with posix user, use:
#   cn
ldap_fullname_attribute = cn

# Optional, default = uid
# Active directory: sAMAccountName
# LDAP: uid
ldap_loginname_attribute = uid

# Optional, default = userPassword
# Active directory: unicodePwd
# LDAP: userPassword
ldap_password_attribute = userPassword

# If set to bind, users are authenticated by trying to bind to the
# LDAP tree using their username + password.  Otherwise, the
# ldap_password_attribute is requested and checked.
# Optional, default = bind
# Choices: bind, password
# Active directory: bind
# LDAP: bind
# Warning: the value "ldap_authentication_method" has been set via UCR variable "zarafa/cfg/ldap/ldap_authentication_method"
ldap_authentication_method = bind

# Optional, default = mail
# Active directory: mail
# LDAP: mail
# Warning: the value "ldap_emailaddress_attribute" has been set via UCR variable "zarafa/cfg/ldap/ldap_emailaddress_attribute"
ldap_emailaddress_attribute = mailPrimaryAddress

# Optional, default = zarafaAliases
# Active directory: zarafaAliases
# LDAP: zarafaAliases
# Warning: the value "ldap_emailaliases_attribute" has been set via UCR variable "zarafa/cfg/ldap/ldap_emailaliases_attribute"
ldap_emailaliases_attribute = mailAlternativeAddress

# Whether the user is an admin.  The field is interpreted as a
# boolean, 0 and false (case insensitive) meaning no, all other values
# yes.
# Optional, default = zarafaAdmin
# Active directory: zarafaAdmin
# LDAP: zarafaAdmin
ldap_isadmin_attribute = zarafaAdmin

# Whether a user is a non-active user. This means that the user will
# not count towards your user count, but the user will also not be
# able to log in
# Optional, default = zarafaSharedStoreOnly
# Active directory: zarafaSharedStoreOnly
# LDAP: zarafaSharedStoreOnly
# Warning: the value "ldap_nonactive_attribute" has been set via UCR variable "zarafa/cfg/ldap/ldap_nonactive_attribute"
ldap_nonactive_attribute = zarafaSharedStoreOnly

# A nonactive store, or resource, can be specified to be a user, room or equipment.
# Set it to 'room' or 'equipment' to make such types. If set to empty,
# or wrong word, or 'user' it will be a nonactive user.
# Optional, default = zarafaResourceType
# Active directory: zarafaResourceType
# LDAP: zarafaResourceType
ldap_resource_type_attribute = zarafaResourceType

# Numeric resource capacity
# Optional, default = zarafaResourceCapacity
# Active directory: zarafaResourceCapacity
# LDAP: zarafaResourceCapacity
ldap_resource_capacity_attribute = zarafaResourceCapacity

# Optional
# The attribute which indicates which users are allowed
# to send on behalf of the selected user
ldap_sendas_attribute = zarafaSendAsPrivilege

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_sendas_attribute_type = text

# The attribute of the user and group which is listed in 
# the ldap_sendas_attribute
# Empty default, using ldap_user_unique_attribute
# Warning: the value "ldap_sendas_relation_attribute" has been set via UCR variable "zarafa/cfg/ldap/ldap_sendas_relation_attribute"
ldap_sendas_relation_attribute = uidNumber

# Optional, default = userCertificate
# Active directory: userCertificate
# LDAP: userCertificate;binary
ldap_user_certificate_attribute = userCertificate;binary

# Load extra user properties from the propmap file
!propmap /etc/zarafa/ldap.propmap.cfg

##########
# Group settings

# Search for groups using this LDAP filter.  See ldap_search(3) for
# details on the filter syntax.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa groups.
# Optional, default = empty (match everything)
# For active directory, use:
#   (objectCategory=Group)
# For LDAP with posix groups, use:
#   no need to set the search filter
# Warning: the value "ldap_group_search_filter" has been set via UCR variable "zarafa/cfg/ldap/ldap_group_search_filter"
ldap_group_search_filter = (&(zarafaAccount=1)(objectClass=zarafa-group))

# unique group id for find the group
# Required
# For active directory, use:
#    objectSid
# For LDAP with posix group, use:
#    gidNumber
ldap_group_unique_attribute = gidNumber

# Type of unique group id
# default: text
# For active directory, use:
#		binary
# For LDAP with posix group, use:
#		text
ldap_group_unique_attribute_type = text

# Optional, default = cn
# Active directory: cn
# LDAP: cn
ldap_groupname_attribute = cn

# Optional, default = member
# Active directory: member
# LDAP: memberUid
ldap_groupmembers_attribute = memberUid

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_groupmembers_attribute_type = text

# The attribute of the user which is listed in ldap_groupmember_attribute
# Active directory: empty, matching dn's
# LDAP: uid, matching users in ldap_loginname_attribute
ldap_groupmembers_relation_attribute = uid

# A group can also be used for security, eg. setting permissions on folders.
# This makes a group a security group. The zarafaSecurityGroup value is boolean.
# Optional, default = zarafaSecurityGroup
# Active directory = groupType
# LDAP: zarafaSecurityGroup
ldap_group_security_attribute = zarafaSecurityGroup

# In ADS servers, a special bitmask action is required on the groupType field.
# This is actived by setting the ldap_group_security_attribute_type to `''ads`''
# Otherwise, just the presence of the field will make the group security enabled.
# Optional, default = boolean
# Active directory = ads
# LDAP: boolean
ldap_group_security_attribute_type = boolean

##########
# Company settings

# Search for companies using this LDAP filter.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa companies.
# Optional, default = empty (match everything)
# For active directory, use:
#   (objectCategory=Company)
# For LDAP with posix users, use:
#   no need to set the filter
ldap_company_search_filter =

# unique company id for find the company
# Active directory: objectGUID
# LDAP: ou
ldap_company_unique_attribute = ou

# Optional, default = text
# Active directory: binary
# LDAP: text
ldap_company_unique_attribute_type = text

# Optional, default = ou
# Active directory: ou
# LDAP: ou
ldap_companyname_attribute = ou

# Optional
# The attribute which indicates which companies are allowed
# to view the members of the selected company
ldap_company_view_attribute = zarafaViewPrivilege

# Optional, default = text
ldap_company_view_attribute_type = text

# The attribute of the company which is listed in the
# ldap_company_view_attribute
# Empty default, using ldap_company_unique_attribute
ldap_company_view_relation_attribute =

# Optional
# The attribute which indicates which users from different companies
# are administrator over the selected company.
ldap_company_admin_attribute = zarafaAdminPrivilege

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_company_admin_attribute_type = text

# The attribute of the company which is listed in the
# ldap_company_admin_attribute
# Empty default, using ldap_user_unique_attribute
ldap_company_admin_relation_attribute = 

# The attribute which indicates which user is the system administrator
# for the specified company.
ldap_company_system_admin_attribute = zarafaSystemAdmin

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_company_system_admin_attribute_type = text

# The attribute of the company which is listed in the
# ldap_company_system_admin attribute
# Empty default, using ldap_user_unique_attribute
ldap_company_system_admin_relation_attribute =


##########
# Addresslist settings

# Add a filter to the addresslist search
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa addresslists.
# Optional, default = empty (match everything)
ldap_addresslist_search_filter = 

# This is the unique attribute of a addresslist which is never going
# to change, unless the addresslist is removed from LDAP. When this
# value changes, Zarafa will remove the previous addresslist from the
# database, and create a new addresslist with this unique value
ldap_addresslist_unique_attribute = cn

# This value can be 'text' or 'binary'. For OpenLDAP, only text is used.
ldap_addresslist_unique_attribute_type = text

# This is the name of the attribute on the addresslist object that
# specifies the filter to be applied for this addresslist. All users
# matching this filter AND matching the default
# ldap_user_search_filter will be included in the addresslist
ldap_addresslist_filter_attribute = zarafaFilter

# This is the name of the attribute on the addresslist object that
# specifies the search base to be applied for this addresslist.
ldap_addresslist_search_base_attribute = zarafaBase

# The attribute containing the name of the addresslist
ldap_addresslist_name_attribute = cn


##########
# Dynamicgroup settings

# Add a filter to the dynamicgroup search
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa dynamic groups.
# Optional, default = empty (match everything)
ldap_dynamicgroup_search_filter = 

# This is the unique attribute of a dynamicgroup which is never going
# to change, unless the dynamicgroup is removed from LDAP. When this
# value changes, Zarafa will remove the previous dynamicgroup from the
# database, and create a new dynamicgroup with this unique value
ldap_dynamicgroup_unique_attribute = cn

# This value can be 'text' or 'binary'. For OpenLDAP, only text is used.
ldap_dynamicgroup_unique_attribute_type = text

# This is the name of the attribute on the dynamicgroup object that
# specifies the filter to be applied for this dynamicgroup. All users
# matching this filter AND matching the default
# ldap_user_search_filter will be included in the dynamicgroup
ldap_dynamicgroup_filter_attribute = zarafaFilter

# This is the name of the attribute on the dynamicgroup object that
# specifies the search base to be applied for this dynamicgroup.
ldap_dynamicgroup_search_base_attribute = zarafaBase

# The attribute containing the name of the dynamicgroup
ldap_dynamicgroup_name_attribute = cn


##########
# Quota settings

# Optional
# The attribute which indicates which users (besides the user who exceeds his quota)
# should also receive a warning mail when a user exceeds his quota.
ldap_quota_userwarning_recipients_attribute = zarafaQuotaUserWarningRecipients

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_quota_userwarning_recipients_attribute_type = text

# Optional, default empty
ldap_quota_userwarning_recipients_relation_attribute =

# Optional
# The attribute which indicates which users should receive a warning mail
# when a company exceeds his quota.
ldap_quota_companywarning_recipients_attribute = zarafaQuotaCompanyWarningRecipients

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_quota_companywarning_recipients_attribute_type = text

# Optional, default empty
ldap_quota_companywarning_recipients_relation_attribute =

# Whether to override the system wide quota settings
ldap_quotaoverride_attribute = zarafaQuotaOverride

ldap_warnquota_attribute = zarafaQuotaWarn
ldap_softquota_attribute = zarafaQuotaSoft
ldap_hardquota_attribute = zarafaQuotaHard

# Whether to override the system wide quota settings for all users within the company
ldap_userdefault_quotaoverride_attribute = zarafaUserDefaultQuotaOverride

ldap_userdefault_warnquota_attribute = zarafaUserDefaultQuotaWarn
ldap_userdefault_softquota_attribute = zarafaUserDefaultQuotaSoft
ldap_userdefault_hardquota_attribute = zarafaUserDefaultQuotaHard

# Mapping from the quota attributes to a number of bytes.  Qmail-LDAP
# schema uses bytes (1), ADS uses kilobytes (1024*1024).
# Warning: the value "ldap_quota_multiplier" has been set via UCR variable "zarafa/cfg/ldap/ldap_quota_multiplier"
ldap_quota_multiplier = 1048576

##########
# Misc. settings

# Attribute which indicates if the user should be hidden from addressbook
ldap_addressbook_hide_attribute = zarafaHidden 

# LDAP object search filter. %s in this filter will be replaced with
# the object being searched.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa objects.
# Default: empty
# ADS recommended: (anr=%s)
# OpenLDAP optional: (|(mail=%s*)(uid=%s*)(cn=*%s*)(fullname=*%s*)(givenname=*%s*)(lastname=*%s*)(sn=*%s*))
ldap_object_search_filter = 

# If a request want more objects than this value, it will download the
# full ldap tree (from the base with the search filter) and discard
# wat was not required. This is faster for large requests.
# Default: 1000
ldap_filter_cutoff_elements = 1000

Die server.cfg:

##############################################################
# SERVER SETTINGS

# IP Address to bind to (0.0.0.0 for ANY)
# Set to 127.0.0.1 if connections should only come from localhost
# and through the webserver proxy
server_bind		= 0.0.0.0

# Accept normal TCP connections (not recommended to disable)
server_tcp_enabled	= yes

# Port to bind to
server_tcp_port		= 236

# Accept unix pipe connections (not recommended to disable)
server_pipe_enabled	= yes

# Unix socket location
server_pipe_name	= /var/run/zarafa

# Priority unix socket location
server_pipe_priority	= /var/run/zarafa-prio

# Name for identifying the server in a multi-server environment
# Warning: the value "server_name" has been set via UCR variable "zarafa/cfg/server/server_name"
server_name = snas

# Override the hostname of this server, used by Kerberos SSO if enabled
server_hostname =

# Database engine (mysql)
database_engine		= mysql

# Allow connections from normal users through the unix socket
allow_local_users	= yes

# local admin users who can connect to any store (use this for the zarafa-dagent)
# field is SPACE separated
# eg: local_admin_users = root vmail
local_admin_users	= root

# The user has full rights on a folder by default, uncomment the following line to disable this. 
# owner_auto_full_access = false 
# Warning: the value "owner_auto_full_access" has been set via UCR variable "zarafa/cfg/server/owner_auto_full_access"
owner_auto_full_access = true

# e-mail address of the Zarafa System user
system_email_address	= postmaster@localhost

# drop privileges and run the process as this user
run_as_user		= 

# drop privileges and run the process as this group
run_as_group		= 

# create a pid file for stopping the service via the init.d scripts
pid_file		= /var/run/zarafa-server.pid

# run server in this path (when not using the -F switch)
running_path = /

# create memory coredumps upon crash in the running_path directory
coredump_enabled = yes

# session timeout for clients. Values lower than 300 will be upped to 300
# automatically. If the server hears nothing from a client in session_timeout
# seconds, then the session is killed.
session_timeout		= 300

# Socket to connect to license server
license_socket		= /var/run/zarafa-licensed

# Time (in seconds) to wait for a connection to the license server before 
# terminating the request.
license_timeout = 10

##############################################################
# LOG SETTINGS

# Logging method (syslog, file), syslog facility is 'mail'
log_method		= file

# Logfile (for log_method = file, '-' for stderr)
log_file		= /var/log/zarafa/server.log

# Loglevel (0=no logging, 5=full logging)
log_level		= 2

# Log timestamp - prefix each log line with timestamp in 'file' logging mode
log_timestamp		= 1

##############################################################
# AUDIT LOG SETTINGS

# Audit logging is by default not enabled
audit_log_enabled	= no

# Audit logging method (syslog, file), syslog facility is 'authpriv'
audit_log_method	= syslog

# Audit logfile (for log_method = file, '-' for stderr)
audit_log_file		= /var/log/zarafa/audit.log

# Audit loglevel (0=no logging, 1=full logging)
audit_log_level		= 1

# Audit log timestamp - prefix each log line with timestamp in 'file' logging mode
audit_log_timestamp	= 1

##############################################################
# MYSQL SETTINGS (for database_engine = mysql)

# MySQL hostname to connect to for database access
# Warning: the value "mysql_host" has been set via UCR variable "zarafa/cfg/server/mysql_host"
mysql_host = localhost

# MySQL port to connect with (usually 3306)
# Warning: the value "mysql_port" has been set via UCR variable "zarafa/cfg/server/mysql_port"
mysql_port = 3306

# The user under which we connect with MySQL
# Warning: the value "mysql_user" has been set via UCR variable "zarafa/cfg/server/mysql_user"
mysql_user = zarafaDbUser

# The password for the user (leave empty for no password)
# Warning: the value "mysql_password" has been set via UCR variable "zarafa/cfg/server/mysql_password"
mysql_password = ********



# Override the default MySQL socket to access mysql locally
# Works only if the mysql_host value is empty or 'localhost'
mysql_socket		=

# Database to connect to
# Warning: the value "mysql_database" has been set via UCR variable "zarafa/cfg/server/mysql_database"
mysql_database = zarafa

# Where to place attachments. Value can be 'database' or 'files'
attachment_storage	= files 

# When attachment_storage is 'files', use this path to store the files
attachment_path		= /var/lib/zarafa/attachments

# Compression level for attachments when attachment_storage is 'files'.
# Set compression level for attachments disabled=0, max=9
attachment_compression	= 6

##############################################################
#  SSL SETTINGS

# enable SSL support in server
# Warning: the value "server_ssl_enabled" has been set via UCR variable "zarafa/cfg/server/server_ssl_enabled"
server_ssl_enabled = yes

# Listen for SSL connections on this port
server_ssl_port		= 237

# Required Server certificate, contains the certificate and the private key parts
# Warning: the value "server_ssl_key_file" has been set via UCR variable "zarafa/cfg/server/server_ssl_key_file"
server_ssl_key_file = /etc/zarafa/ssl/server.pem

# Password of Server certificate
server_ssl_key_pass	= replace-with-server-cert-password

# Required Certificate Authority of server
# Warning: the value "server_ssl_ca_file" has been set via UCR variable "zarafa/cfg/server/server_ssl_ca_file"
server_ssl_ca_file = /etc/univention/ssl/ucsCA/CAcert.pem

# Path with CA certificates, e.g. /etc/ssl/certs
server_ssl_ca_path	=

# SSL protocols to use, set to '!SSLv2' for 'server_ssl_enable_v2 = no'
# Warning: the value "server_ssl_protocols" has been set via UCR variable "zarafa/cfg/server/server_ssl_protocols"
server_ssl_protocols = !SSLv2

# SSL ciphers to use, set to 'ALL' for backward compatibility
# Warning: the value "server_ssl_ciphers" has been set via UCR variable "zarafa/cfg/server/server_ssl_ciphers"
server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL

# Prefer the server's order of SSL ciphers over client's
# Warning: the value "server_ssl_prefer_server_ciphers" has been set via UCR variable "zarafa/cfg/server/server_ssl_prefer_server_ciphers"
server_ssl_prefer_server_ciphers = no

# Path of SSL Public keys of clients
sslkeys_path		= /etc/zarafa/sslkeys

##############################################################
# THREAD SETTINGS

# Number of server threads
# default: 8
threads				=	8

# Watchdog frequency. The number of watchdog checks per second.
# default: 1
watchdog_frequency	=	1

# Watchdog max age. The maximum age in ms of a task before a
# new thread is started.
# default: 500
watchdog_max_age	=	500

# Maximum SOAP keep_alive value
# default: 100
server_max_keep_alive_requests	=	100

# SOAP recv timeout value (time between requests)
# default: 5
server_recv_timeout	=	5

# SOAP read timeout value (time during requests)
# default: 60
server_read_timeout	=	60

# SOAP send timeout value
# default: 60
server_send_timeout	=	60

##############################################################
#  OTHER SETTINGS

# Softdelete clean cycle (in days) 0=never running
softdelete_lifetime	= 30

# Sync lifetime, removes all changes remembered for a client after x days of inactivity
sync_lifetime		= 90

# Set to 'yes' if all changes (for synchronization) to messages should be logged to the database
sync_log_all_changes = yes

# Set to 'yes' if you have Kerberos or NTLM correctly configured for single sign-on
enable_sso = no

# Set to 'yes' if you want to show the GAB to your users
enable_gab = yes

# Authentication can be through plugin (default, recommended), pam or kerberos
auth_method = plugin

# If auth_method is set to pam, you should provide the pam service name
pam_service = passwd


#############################################################
# CACHE SETTINGS
#
# To see the live cache usage, use 'zarafa-stats --system'.

# Size in bytes of the 'cell' cache (should be set as high as you can afford to set it)
cache_cell_size				= 256M

# Size in bytes of the 'object' cache
cache_object_size			= 5M

# Size in bytes of the 'indexed object' cache
cache_indexedobject_size	= 16M

# Size in bytes of the userquota details
cache_quota_size			= 1M

# Lifetime for userquota details
cache_quota_lifetime		= 1

# Size in bytes of the acl cache
cache_acl_size				= 1M

# Size in bytes of the store id/guid cache
cache_store_size			= 1M

# Size in bytes of the 'user id' cache (this is allocated twice)
cache_user_size				= 1M

# Size in bytes of the 'user details' cache
cache_userdetails_size		= 26214400

# Lifetime for user details
# Warning: the value "cache_userdetails_lifetime" has been set via UCR variable "zarafa/cfg/server/cache_userdetails_lifetime"
cache_userdetails_lifetime = 5

# Size in bytes of the server details (multiserver setups only)
cache_server_size			= 1M

# Lifetime for server details (multiserver setups only)
cache_server_lifetime	= 30


##############################################################
#  QUOTA SETTINGS

# The default Warning Quota Level. Set to 0 to disable this level.
# The user will receive an email when this level is reached. Value is in Mb. Default value is 0.
quota_warn		= 0

# The default Soft Quota Level. Set to 0 to disable this level.
# The user will still receive mail, but sending new mail is prohibited, until objects are removed from the store.
# VALUE is in Mb. Default value is 0.
quota_soft		= 0

# The default Hard Quota Level. Set to 0 to disable this level.
# The user can not receive and send mail, until objects are removed from the store.
# Value is in Mb. Default value is 0.
quota_hard		= 0

# The default Warning Quota Level for multitenant public stores. Set to 0 to disable this level.
# The tenant administrator will receive an email when this level is reached. Value is in Mb. Default value is 0.
companyquota_warn      = 0


##############################################################
#  USER PLUGIN SETTINGS

# Name of the plugin that handles users
# Required, default = db
# Values: ldap, unix, db, ldapms (available in enterprise license)
# Warning: the value "user_plugin" has been set via UCR variable "zarafa/cfg/server/user_plugin"
user_plugin = ldap

# configuration file of the user plugin, examples can be found in /usr/share/doc/zarafa/example-config
user_plugin_config	= /etc/zarafa/ldap.cfg

# location of the zarafa plugins
# if you have a 64bit distribution, this probably should be changed to /usr/lib64/zarafa
plugin_path		= /usr/lib/zarafa

# scripts which create stores for users from an external source
# used for ldap and unix plugins only
createuser_script		=	/etc/zarafa/userscripts/createuser
deleteuser_script		=	/etc/zarafa/userscripts/deleteuser
creategroup_script		=	/etc/zarafa/userscripts/creategroup
deletegroup_script		=	/etc/zarafa/userscripts/deletegroup
createcompany_script	=	/etc/zarafa/userscripts/createcompany
deletecompany_script	=	/etc/zarafa/userscripts/deletecompany

# Set this option to 'yes' to skip the creation and deletion of new users
# The action will be logged, so you can see if your changes to the plugin
# configuration are correct.
user_safe_mode = no

##############################################################
# MISC SETTINGS

# Thread size in KB, default is 512
# WARNING: Do not set too small, your server WILL crash
thread_stacksize = 512

# Enable multi-tenancy environment
# When set to true it is possible to create tenants within the
# zarafa instance and assign all users and groups to particular
# tenants.
# When set to false, the normal single-tenancy environment is created.
enable_hosted_zarafa = false

# Enable multi-server environment
# When set to true it is possible to place users and tenants on
# specific servers.
# When set to false, the normal single-server environment is created.
enable_distributed_zarafa = false

# Display format of store name
# Allowed variables:
#  %u Username
#  %f Fullname
#  %c Teantname
# default: %f
storename_format = %f

# Loginname format (for Multi-tenancy installations)
# When the user does not login through a system-wide unique
# username (like the email address) a unique name is created
# by combining the username and the tenantname.
# With this configuration option you can set how the
# loginname should be built up.
#
# Note: Do not use the = character in the format.
#
# Allowed variables:
#  %u Username
#  %c Teantname 
#
# default: %u
loginname_format = %u

# Set to yes for Windows clients to be able to download the latest
# Zarafa Outlook client from the Zarafa server
client_update_enabled = false

# Place the correct Zarafa Outlook Client in this directory for
# Windows clients to download through the Zarafa server
client_update_path = /var/lib/zarafa/client

# Recieve update information from the client (0 = disabled, 1 = only on error, 2 = log always)
client_update_log_level = 1

# Log location for the client auto update files
client_update_log_path = /var/log/zarafa/autoupdate

# Everyone is a special internal group, which contains every user and group
# You may want to disable this group from the Global Addressbook by setting
# this option to 'yes'. Administrators will still be able to see the group.
hide_everyone = no

# System is a special internal user, which has super-admin privileges
# You may want to disable this user from the Global Addressbook by setting
# this option to 'yes'. Administrators will still be able to see the user.
hide_system = yes 

# Use Indexing service for faster searching.
# Enabling this option requires the zarafa-search service to
# be running.
# Warning: the value "search_enabled" has been set via UCR variable "zarafa/cfg/server/search_enabled"
search_enabled = yes

# Path to the zarafa-search service, this option is only required
# if the server is going to make use of the indexing service.
search_socket = file:///var/run/zarafa-search

# Time (in seconds) to wait for a connection to the zarafa-search service
# before terminating the indexed search request.
search_timeout = 10

# Allow enhanced ICS operations to speedup synchronization with cached profiles.
# default: yes
enable_enhanced_ics = yes

# SQL Procedures allow for some optimized queries when streaming with enhanced ICS.
# This is default disabled because you must set 'thread_stack = 256k' in your
# MySQL server config under the [mysqld] tag and restart your MySQL server.
enable_sql_procedures = no

# Synchronize GAB users on every open of the GAB (otherwise, only on 
# zarafa-admin --sync)
# Warning: the value "sync_gab_realtime" has been set via UCR variable "zarafa/cfg/server/sync_gab_realtime"
sync_gab_realtime = no

# Disable features for users. Default all features are disabled. This
# list is space separated. Currently valid values: imap
disabled_features = imap pop3

# Maximum number of deferred records in total
max_deferred_records = 0

# Maximum number of deferred records per folder
max_deferred_records_folder = 20

# Restrict the permissions that admins receive to folder permissions only. Please
# read the server.cfg manpage before enabling this option so you really understand
# the implications
restrict_admin_permissions = no

# The maximum level of attachment recursion; Defines the number of
# attachment-in-attachment in-attachment levels are allowed when saving and
# replicating objects in the database. If you really want a higher level of
# recursion than about 20, you probably have to increase MySQL's stack_size
# to allow replication to work properly.
embedded_attachment_limit = 20

# Header to detect whether a connection has been received through a proxy. The
# value of the header is not inspected. If the header exists then the connection
# is taken to be received via a proxy. An empty value disables proxy detection
# and the value of '*' is used to indicate that all connections are proxied
proxy_header = 

#13

Noch ein Ansatz:

Hier mal ein User, der angezeigt wird:

# helga, users, lokal.lan
dn: uid=h****,cn=users,dc=lokal,dc=lan
ownCloudEnabled: 1
uid: helga
krb5PrincipalName: h****
uidNumber: 2024
sambaAcctFlags: [U          ]
shadowMax: 180
krb5MaxLife: 86400
shadowLastChange: 16761
cn: Helga Wilhelmi
title: Frau
krb5PasswordEnd: ****
userPassword:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
krb5Key:: ****
sambaMungedDial: ****
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: ****
sambaPasswordHistory: ****
sambaNTPassword: ****
displayName: H****
gecos: H****
sn: W****
pwhistory: ****
homeDirectory: /home/h****
givenName: H****
gidNumber: 5001
sambaPrimaryGroupSID: ****
sambaSID: ****
zarafa4ucsRole: user
univentionFetchmailProtocol: IMAP
mailPrimaryAddress: helga@lokal.lan
objectClass: top
objectClass: person
objectClass: univentionPWHistory
objectClass: posixAccount
objectClass: shadowAccount
objectClass: univentionMail
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: ownCloudUser
objectClass: univentionSAMLEnabled
objectClass: univentionObject
objectClass: zarafa-user
objectClass: univentionFetchmail
zarafaAccount: 1
zarafaAdmin: 0
zarafaSharedStoreOnly: 0

Einzig auffälliger UNterschied ist, dass User, die nicht angezeigt werden, keine objectClass oxUserObject besitzen.
Tatsächlich ärgert mich OX etwas, da nach der Deinstallation einige Fragmente übrig geblieben sind, siehe auch hier:

Gibt es hier womöglich Interferenzen zwischen der alten OX Installation und Zarafa?

Wie genau fragt denn zarafa-admin -l die Objekte ab? Kann der LDAP Eintrag von OX das Ergebnis beeinflussen?


#14

Da gibt es schon noch ein paar andere Unterschiede, der eine Nutzer ist noch univentionOpenvpnUser, der andere univentionSAMLEnabled. Zusätzlich Objektklassen sollten aber vollkommen egal sein.

Mach mal bitte 0x00020006 als Loglevel für zarafa-server und starte den Dienst dann nochmal neu. Dann zarafa-admin --sync aufrufen und dann bitte hier logfile hochladen.


#15

Da gibt es schon noch ein paar andere Unterschiede, der eine Nutzer ist noch univentionOpenvpnUser, der andere univentionSAMLEnabled. Zusätzlich Objektklassen sollten aber vollkommen egal sein.

Mach mal bitte 0x00020006 als Loglevel für zarafa-server und starte den Dienst dann nochmal neu. Dann zarafa-admin --sync aufrufen und dann bitte hier logfile hochladen.


#16

Hallo Herr Bartels,

danke für die Geduld :slight_smile:

Die Ausgabe:

Fri Jan  8 21:02:47 2016: Previous message logged 58 times
Fri Jan  8 21:02:47 2016: Shutting down.
Fri Jan  8 21:02:47 2016: Still waiting for 7 threads to exit
Fri Jan  8 21:02:54 2016: Server shutdown complete.
Fri Jan  8 21:02:54 2016: Audit logging not enabled.
Fri Jan  8 21:02:54 2016: Starting zarafa-server version 7,1,14,51822, pid 1505
Fri Jan  8 21:02:54 2016: Using epoll events
Fri Jan  8 21:02:54 2016: Listening for TCP connections on port 236
Fri Jan  8 21:02:54 2016: Listening for SSL connections on port 237
Fri Jan  8 21:02:54 2016: Listening for priority pipe connections on /var/run/zarafa-prio
Fri Jan  8 21:02:54 2016: Listening for pipe connections on /var/run/zarafa
Fri Jan  8 21:02:54 2016: Connection to database 'zarafa' succeeded
Fri Jan  8 21:02:54 2016: zarafa-licensed is running, but no license key was found. Not all commercial features will be available.
Fri Jan  8 21:02:54 2016: Signal thread started
Fri Jan  8 21:02:54 2016: New internal session (7594464554554267642)
Fri Jan  8 21:02:54 2016: Loading searchfolders
Fri Jan  8 21:02:54 2016: Startup succeeded on pid 1510
Fri Jan  8 21:02:54 2016: Started thread 77e88700
Fri Jan  8 21:02:54 2016: Started priority thread 7968b700
Fri Jan  8 21:02:54 2016: Started thread 76685700
Fri Jan  8 21:02:54 2016: Started thread 75e84700
Fri Jan  8 21:02:54 2016: Started thread 76e86700
Fri Jan  8 21:02:54 2016: Started thread 78689700
Fri Jan  8 21:02:54 2016: Started thread 77687700
Fri Jan  8 21:02:54 2016: Started thread 78e8a700
Fri Jan  8 21:02:54 2016: Started thread 75683700
Fri Jan  8 21:02:55 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:55 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-search
Fri Jan  8 21:02:55 2016: User SYSTEM receives session 8691779101855966659
Fri Jan  8 21:02:57 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:57 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Fri Jan  8 21:02:57 2016: User SYSTEM receives session 12486090220997962911
Fri Jan  8 21:02:57 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:57 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Fri Jan  8 21:02:57 2016: User SYSTEM receives session 5790100299577873286
Fri Jan  8 21:02:57 2016: End of session (logoff) 5790100299577873286
Fri Jan  8 21:02:57 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:57 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Fri Jan  8 21:02:57 2016: User SYSTEM receives session 17249440807471204202
Fri Jan  8 21:02:57 2016: End of session (logoff) 17249440807471204202
Fri Jan  8 21:02:57 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:57 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Fri Jan  8 21:02:57 2016: User SYSTEM receives session 10650720269021962175
Fri Jan  8 21:02:57 2016: End of session (logoff) 10650720269021962175
Fri Jan  8 21:02:57 2016: End of session (logoff) 12486090220997962911
Fri Jan  8 21:02:57 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:57 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Fri Jan  8 21:02:57 2016: User SYSTEM receives session 6359395896469633922
Fri Jan  8 21:02:57 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:57 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Fri Jan  8 21:02:57 2016: User SYSTEM receives session 5954702682791364053
Fri Jan  8 21:02:58 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:02:58 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-search
Fri Jan  8 21:02:58 2016: User SYSTEM receives session 316245409721629523

-- ENDE VOM NEUSTART --

Fri Jan  8 21:06:33 2016: Accepted incoming connection from file:///var/run/zarafa
Fri Jan  8 21:06:33 2016: Trying to connect to ldap://snas.lokal.lan:7389
Fri Jan  8 21:06:33 2016: Authentication by plugin failed for user steven: Trying to authenticate failed: steven not found in LDAP; username = steven
Fri Jan  8 21:06:33 2016: Failed to authenticate user steven from file:///var/run/zarafa using program apache2

Habe anschließend versucht, den Benutertyp von Zarafa-Benutzer auf Zarafa-Admin zu ändern. Daraufhin bekam ich einen Fehler. Also habe ich die LDAP-Tools durchgetestet und erhalte mit slapschema, wie im parallelen Thread (forum.univention.de/viewtopic.p … 460#p18460) ergänzt, diese Fehler:

56901b3a UNKNOWN attributeDescription "OXTIMEZONE" inserted.
56901b3a UNKNOWN attributeDescription "OXLANGUAGE" inserted.
56901b3a UNKNOWN attributeDescription "ISOXUSER" inserted.
56901b3a UNKNOWN attributeDescription "OXACCESS" inserted.
56901b3a UNKNOWN attributeDescription "OXDISPLAYNAME" inserted.
# (65) Object class violation: unrecognized objectClass 'oxUserObject'
dn: uid=lisa,cn=users,dc=lokal,dc=lan

56901b3a UNKNOWN attributeDescription "OXEMAIL2" inserted.
# (65) Object class violation: unrecognized objectClass 'oxUserObject'
dn: uid=steven,cn=users,dc=lokal,dc=lan

56901b3a UNKNOWN attributeDescription "OXQUOTA" inserted.
56901b3a UNKNOWN attributeDescription "OXHOMESERVER" inserted.
56901b3a UNKNOWN attributeDescription "OXCONTEXTIDNUM" inserted.
56901b3a UNKNOWN attributeDescription "OXDBSERVER" inserted.
56901b3a UNKNOWN attributeDescription "OXINTEGRATIONVERSION" inserted.
# (65) Object class violation: unrecognized objectClass 'oxContext'
dn: cn=context10,cn=open-xchange,dc=lokal,dc=lan

# (65) Object class violation: unrecognized objectClass 'oxUserObject'
dn: uid=oxadmin,cn=users,dc=lokal,dc=lan

Womöglich gibt es da doch einen Zusammenhang zur nicht funktionierenden Abfrage von zarafa-admin -l …


#17

Irgendwie fehlt dort im Log das LDAP Debugging. Wurde der Loglevel korrekt übernommen (über server.cfg oder ucr gesetzt?) Oder fehlt einfach nur ein “zarafa-admin --sync”?


#18

Hallo Herr Bartels,

ich hatte tatsächlich den Sync-Befehl überlesen. Die Ausgabe lautet nun wie folgt mit Log-Level 6 (Shutdown mit sofortigem Sync hinterher):

Wed Jan 13 19:15:35 2016: Shutting down.
Wed Jan 13 19:15:35 2016: Still waiting for 8 threads to exit
Wed Jan 13 19:15:42 2016: Server shutdown complete.
Wed Jan 13 19:15:42 2016: Audit logging not enabled.
Wed Jan 13 19:15:42 2016: Starting zarafa-server version 7,1,14,51822, pid 14359
Wed Jan 13 19:15:42 2016: Using epoll events
Wed Jan 13 19:15:42 2016: Listening for TCP connections on port 236
Wed Jan 13 19:15:42 2016: Listening for SSL connections on port 237
Wed Jan 13 19:15:42 2016: Listening for priority pipe connections on /var/run/zarafa-prio
Wed Jan 13 19:15:42 2016: Listening for pipe connections on /var/run/zarafa
Wed Jan 13 19:15:42 2016: Connection to database 'zarafa' succeeded
Wed Jan 13 19:15:42 2016: zarafa-licensed is running, but no license key was found. Not all commercial features will be available.
Wed Jan 13 19:15:42 2016: Signal thread started
Wed Jan 13 19:15:43 2016: New internal session (388161993984081231)
Wed Jan 13 19:15:43 2016: Loading searchfolders
Wed Jan 13 19:15:43 2016: Startup succeeded on pid 14364
Wed Jan 13 19:15:43 2016: Started thread 24100700
Wed Jan 13 19:15:43 2016: Started thread 238ff700
Wed Jan 13 19:15:43 2016: Started priority thread 25903700
Wed Jan 13 19:15:43 2016: Started thread 230fe700
Wed Jan 13 19:15:43 2016: Started thread 228fd700
Wed Jan 13 19:15:43 2016: Started thread 25102700
Wed Jan 13 19:15:43 2016: Started thread 220fc700
Wed Jan 13 19:15:43 2016: Started thread 24901700
Wed Jan 13 19:15:43 2016: Started thread 218fb700
Wed Jan 13 19:15:43 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:43 2016: Previous message logged 2 times
Wed Jan 13 19:15:43 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:43 2016: User SYSTEM receives session 3246863395660825583
Wed Jan 13 19:15:43 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:43 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-search
Wed Jan 13 19:15:43 2016: User SYSTEM receives session 14401057125656131190
Wed Jan 13 19:15:43 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:43 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:43 2016: User SYSTEM receives session 163627543703990718
Wed Jan 13 19:15:43 2016: End of session (logoff) 163627543703990718
Wed Jan 13 19:15:43 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:43 2016: End of session (logoff) 3246863395660825583
Wed Jan 13 19:15:46 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:46 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:46 2016: User SYSTEM receives session 15511298513366854943
Wed Jan 13 19:15:46 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:46 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:46 2016: User SYSTEM receives session 3578192170005006019
Wed Jan 13 19:15:46 2016: End of session (logoff) 3578192170005006019
Wed Jan 13 19:15:46 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:46 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:46 2016: User SYSTEM receives session 17558466540263062965
Wed Jan 13 19:15:46 2016: End of session (logoff) 17558466540263062965
Wed Jan 13 19:15:46 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:46 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:46 2016: User SYSTEM receives session 12072943812684915731
Wed Jan 13 19:15:46 2016: End of session (logoff) 12072943812684915731
Wed Jan 13 19:15:46 2016: End of session (logoff) 15511298513366854943
Wed Jan 13 19:15:46 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:46 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:46 2016: User SYSTEM receives session 15622296157226239441
Wed Jan 13 19:15:46 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:46 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-spooler
Wed Jan 13 19:15:46 2016: User SYSTEM receives session 1329182634949256980
Wed Jan 13 19:15:47 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:47 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-search
Wed Jan 13 19:15:47 2016: User SYSTEM receives session 13409387208983663952
Wed Jan 13 19:15:48 2016: Start syncs table clean up
Wed Jan 13 19:15:48 2016: New internal session (2874292045092074696)
Wed Jan 13 19:15:48 2016: syncs table clean up done: removed syncs: 0
Wed Jan 13 19:15:48 2016: Start syncedmessages table clean up
Wed Jan 13 19:15:48 2016: New internal session (18314473448780355561)
Wed Jan 13 19:15:48 2016: syncedmessages table clean up done, 0 entries removed
Wed Jan 13 19:15:52 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:52 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-admin
Wed Jan 13 19:15:52 2016: User SYSTEM receives session 13245591373986348327
Wed Jan 13 19:15:52 2016: User SYSTEM receives session 13245591373986348327
Wed Jan 13 19:15:52 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:52 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-admin
Wed Jan 13 19:15:52 2016: User SYSTEM receives session 42124089242222615
Wed Jan 13 19:15:52 2016: End of session (logoff) 42124089242222615
Wed Jan 13 19:15:52 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:52 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-admin
Wed Jan 13 19:15:52 2016: User SYSTEM receives session 14236971876091928333
Wed Jan 13 19:15:52 2016: End of session (logoff) 14236971876091928333
Wed Jan 13 19:15:52 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:52 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-admin
Wed Jan 13 19:15:52 2016: User SYSTEM receives session 3514765766494855582
Wed Jan 13 19:15:52 2016: End of session (logoff) 3514765766494855582
Wed Jan 13 19:15:52 2016: End of session (logoff) 13245591373986348327
Wed Jan 13 19:15:52 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:15:52 2016: User SYSTEM from file:///var/run/zarafa authenticated through Pipe socket using program zarafa-admin
Wed Jan 13 19:15:52 2016: User SYSTEM receives session 12678584127526817407
Wed Jan 13 19:15:53 2016: Trying to connect to ldap://snas.lokal.lan:7389
Wed Jan 13 19:15:53 2016: Synchronized user list
Wed Jan 13 19:15:53 2016: End of session (logoff) 12678584127526817407

Ebenfalls mit Level 6 ein Versuch der Authentifizierung:

Wed Jan 13 19:21:25 2016: Accepted incoming connection from file:///var/run/zarafa
Wed Jan 13 19:21:25 2016: Trying to connect to ldap://snas.lokal.lan:7389
Wed Jan 13 19:21:25 2016: Authentication by plugin failed for user ste***: Trying to authenticate failed: ste*** not found in LDAP; username = st$
Wed Jan 13 19:21:25 2016: Failed to authenticate user ste*** from file:///var/run/zarafa using program apache2

#19

Hallo Herr Bartels,

nach Einspielen der OX Schemata (Nach Deinstallation von OX übrige Fragmente bereinigen) konnte ich die User Syncen (sind dann zwar neu angelegt worden, sprich Stores umhängen, Public Folders neu berechtigen usw., was jedoch verschmerzbar ist).

Also noch einmal besten Dank für den Input!


#20

Schön zu hören.