Carbonio CE Centos 8 installation problem

(@zendx)
Joined: 8 years ago
Posts: 3
Topic starter  

I'm trying to install the Carbonio CE (Single-Server) following the manual.

But I'm having issues with step 4 (Bootstrap Carbonio) setting passwords (more specifically, with LDAP).
Any passwords I enter become "Not Verified".
Here's what's in the logs:

Thu Mar 23 08:51:36 2023 Couldn't bind to m-ldap.mydomain.com as uid=zmreplica,cn=admins,cn=zimbra
Thu Mar 23 08:51:36 2023 Checking ldap replication is enabled on m-ldap.mydomain.com:389
Thu Mar 23 08:51:36 2023 failed: Unable to contact ldap at ldap://m-ldap.mydomain.com:389: Connection refused

But... It's a single server setup, I don't need LDAP replication 🙂 And, yes, nothing listening on port 389

 


   
Jim Dunphy
(@jdunphy)
Joined: 7 years ago
Posts: 25
 

If you can't bind an IP address to port 389, then you will not have anything running to answer LDAP queries, which is what that is telling you and you verified. Double-check name resolution again for m-ldap.mydomain.com, and if it doesn't resolve, put an entry in /etc/hosts for this machine since, in most configurations, they will check /etc/hosts prior to DNS.

Ref: /etc/nsswitch.conf 

That is about all I can see given the amount of information you have provided.  Carbonio requires an entry in /etc/sudoers.d/carbonio for zmslapd for root to start ldap so it can bind at a port below 1024.

Your startup flow is: /opt/zextras/bin/ldap -> /opt/zextras/libexec/zmslapd -> /opt/zextras/common/libexec/slapd

The first 2 are scripts and the last is the binary. If you know the command line options you can jump directly to get feedback on stdout.

Another thing you could try to see what sane values are present:

# su - zextras
% source /opt/zextras/bin/zmshutil 
% zmsetvars
% env |grep -i ldap

Pay attention to any URLs in that output and verify how your host would convert that to an IP address so the daemon can bind to that address.

HTH,

Jim


   
(@d-bokhonko)
Joined: 11 months ago
Posts: 4
 

I get the same error when installing on Ubuntu 20.04

 

screen carbonio-bootstrap:

2) Ldap master host: localhost      (I tried 127.0.0.1 and external IP - without success)
3) Ldap port: 389
** 4) Ldap Admin password: Not Verified

 

/tmp/zmsetup.20240115-131132.log:

Mon Jan 15 13:24:42 2024 Checking ldap on localhost:389
Mon Jan 15 13:24:42 2024 failed: Unable to contact ldap at ldap://localhost:389: Connection refused
Mon Jan 15 13:24:42 2024 Couldn't bind to localhost as uid=zimbra,cn=admins,cn=zimbra

 

/etc/sudoers.d/carbonio:

Defaults:zextras !requiretty
%zextras ALL=NOPASSWD:/opt/zextras/libexec/zmstat-fd *
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/postfix
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/postalias
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/qshape.pl
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/postconf
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/postsuper
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/postcat
%zextras ALL=NOPASSWD:/opt/zextras/libexec/zmqstat
%zextras ALL=NOPASSWD:/opt/zextras/libexec/zmmtastatus
%zextras ALL=NOPASSWD:/opt/zextras/common/sbin/amavis-mc
%zextras ALL=NOPASSWD:/opt/zextras/libexec/zmmailboxdmgr
root ALL=(ALL) NOPASSWD: /usr/bin/zmslapd

 

iptables -nL:

...

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389

...

 

 

Is it possible to install Carbonio without LDAP? Please help.


   
Jim Dunphy
(@jdunphy)
Joined: 7 years ago
Posts: 25
 

Posted by: @d-bokhonko

I get the same error when installing on Ubuntu 20.04

/tmp/zmsetup.20240115-131132.log:

Mon Jan 15 13:24:42 2024 Checking ldap on localhost:389
Mon Jan 15 13:24:42 2024 failed: Unable to contact ldap at ldap://localhost:389: Connection refused
Mon Jan 15 13:24:42 2024 Couldn't bind to localhost as uid=zimbra,cn=admins,cn=zimbra

 

Guessing at cause. Verify cap_net_bind_service can be set for slapd in your environment. 

Run this command:

% getcap /opt/zextras/common/libexec/slapd

/opt/zextras/common/libexec/slapd cap_net_bind_service=ep

And to set:

% su - 
# setcap cap_net_bind_service=+ep /opt/zextras/common/libexec/slapd
# echo $?
0

If you do not have this set, verify you have a kernel with this capability. LDAP no longer runs as root, as there was a root escalation. Instead, they are using cap_net_bind_service, as explained by GPT4 turbo:

cap_net_bind_service allows a program to bind to Internet domain sockets with a port number less than 1024, which is a privilege typically reserved for root. This can be useful for allowing non-root programs to run as network servers on privileged ports.

When you use cap_net_bind_service=ep, you're setting this capability on an executable file. This action is independent of the file system type where the file resides. Linux capabilities are supported on most modern Linux file systems, like ext3, ext4, XFS, Btrfs, etc., as they are a feature of the Linux kernel rather than the file system.

 


   
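The checks from the two replies above (name resolution in /etc/nsswitch.conf order, whether anything listens on port 389, and cap_net_bind_service on slapd), collected into one script as an added example; it is not part of the original posts or of Carbonio. The function names are hypothetical, the sample log lines are copied from this thread, and the capability check accepts both getcap output styles (`cap_net_bind_service=ep` and `= cap_net_bind_service+ep`). A refused connection means no LDAP bind was attempted, so no password was tested.

```bash
#!/usr/bin/env bash
# Added example (not Carbonio code): triage "Ldap Admin password: Not Verified".

SLAPD=/opt/zextras/common/libexec/slapd   # slapd path as given in the thread

# Print each unique host:port that refused a connection (zmsetup log on stdin).
refused_endpoints() {
    sed -nE 's#.*Unable to contact ldap at ldap://([^ ]+): Connection refused.*#\1#p' |
        sort -u
}

# Succeed if a getcap output line grants cap_net_bind_service with both the
# effective (e) and permitted (p) flags. Accepts "path cap=ep" and "path = cap+ep".
has_bind_cap() {
    local flags
    flags=$(printf '%s\n' "$1" |
        sed -nE 's/.*cap_net_bind_service[a-z_,]*[=+]([eip]+).*/\1/p')
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# Live checks on the mail host; $1 is a /tmp/zmsetup.*.log file.
diagnose() {
    local ep host port
    for ep in $(refused_endpoints < "$1"); do
        host=${ep%:*} port=${ep##*:}
        echo "== $ep"
        # getent follows the hosts: order in /etc/nsswitch.conf
        getent hosts "$host" || echo "   $host does not resolve"
        ss -ltn | grep -E ":$port[[:space:]]" || echo "   no listener on tcp/$port"
    done
    has_bind_cap "$(getcap "$SLAPD" 2>/dev/null)" ||
        echo "cap_net_bind_service (e+p) not set on $SLAPD"
}

# Log lines copied from the posts above, used when no log file is given.
SAMPLE_LOG='Thu Mar 23 08:51:36 2023 failed: Unable to contact ldap at ldap://m-ldap.mydomain.com:389: Connection refused
Mon Jan 15 13:24:42 2024 Checking ldap on localhost:389
Mon Jan 15 13:24:42 2024 failed: Unable to contact ldap at ldap://localhost:389: Connection refused'

if [ "$#" -gt 0 ]; then
    diagnose "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | refused_endpoints
fi
```

Run it on the mail host with the bootstrap log as its argument; with no argument it only parses the embedded sample lines.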
(@d-bokhonko)
Joined: 11 months ago
Posts: 4
 

Hi, Jim, thanks for wanting to help. But that's not the problem. My output:

root@mx:~# getcap /opt/zextras/common/libexec/slapd
/opt/zextras/common/libexec/slapd = cap_net_bind_service+ep
root@mx:~# setcap cap_net_bind_service=+ep /opt/zextras/common/libexec/slapd
root@mx:~# echo $?
0


   