I ran into a weird condition where the /etc/zarafa/ldap.cfg file had its permissions changed to '-rw------- root root' instead of '-rw-r----- root zarafa' which is what it is supposed to be. Once this was unreadable to zarafa, on the next HUP (restart) of the zarafa-server process it failed to load. This resulted in the following symptoms:
- Zarafa was running
- The users app said 'Object not found'
- The groups app worked just fine
- Could not log in to the /webapp web interface or Zarafa in general.
I'm trying to track this down and putting this out there in case anyone else's server has this permission condition. To validate run the following:
ls -la /etc/zarafa/ldap.cfg
It should show 'zarafa' as the group owner and '-rw-r-----' as the permission structure. If not you need to fix this but please do this for me as well:
Record the time and date of the file change and see if you have anything correlated in the /var/log/messages to the timestamp of the ldap.cfg file and post those events here.
To repair this problem run the following:
chmod 640 /etc/zarafa/ldap.cfg
chgrp zarafa /etc/zarafa/ldap.cfg
Then restart all your Zarafa services. At a minimum I know that the zarafa-licensed (for business) and the zarafa-server service need to be restarted but I restarted them all when I ran into this issue.
- Zarafa was running
- The users app said 'Object not found'
- The groups app worked just fine
- Could not log in to the /webapp web interface or Zarafa in general.
I'm trying to track this down and putting this out there in case anyone else's server has this permission condition. To validate run the following:
ls -la /etc/zarafa/ldap.cfg
It should show 'zarafa' as the group owner and '-rw-r-----' as the permission structure. If not you need to fix this but please do this for me as well:
Record the time and date of the file change and see if you have anything correlated in the /var/log/messages to the timestamp of the ldap.cfg file and post those events here.
To repair this problem run the following:
chmod 640 /etc/zarafa/ldap.cfg
chgrp zarafa /etc/zarafa/ldap.cfg
Then restart all your Zarafa services. At a minimum I know that the zarafa-licensed (for business) and the zarafa-server service need to be restarted but I restarted them all when I ran into this issue.
Share this post:
Accepted Answer
I think the underlying issue is that somewhere along an upgrade, Zarafa made their services run as user 'zarafa' where-as earlier edition ran as 'root'. So this file (/etc/zarafa/ldap.cfg) may not be the issue so much as /etc/zarafa/server.cfg and the 'run_as_user' parameter.
Changing /etc/zarafa/ldap.cfg might be fine...if your Zarafa instance is running as root.
If you upgrade, and you find that Zarafa now runs as it's own user instead of root:
You'll need to make changes to a bunch of config files, attachment folders etc. or change the default and run Zarafa as root.
From a security perspective, running the Zarafa services as root is less desirable.
B.
Changing /etc/zarafa/ldap.cfg might be fine...if your Zarafa instance is running as root.
If you upgrade, and you find that Zarafa now runs as it's own user instead of root:
ps afxwu | grep zarafa-serverYou'll need to make changes to a bunch of config files, attachment folders etc. or change the default and run Zarafa as root.
From a security perspective, running the Zarafa services as root is less desirable.
B.
Responses (6)
-
Accepted Answer
-
Accepted Answer
-
Accepted Answer
Hi Ben,
Thanks for your answer.
ps afxwu | grep zarafa-server
revealed, that zarafa runs as root on my server, even though I changed the permission Dave mentioned. I fully agree, that running zarafa as root is not preferred.
What is the easiest way to change it to run zarafa as zarafa user? I have the newest zarafa version installed (business).
Thanks a lot.
Best wishes,
Robert -
Accepted Answer
-
Accepted Answer
-
Accepted Answer
Hi Dave,
I can confirm that I also have '-rw------- root root' instead of '-rw-r----- root zarafa', though Zarafa works just fine. The time stamp is 11th March 2016 (yes, 2016). My logs unfortunately do not go that far in the past.
Should I still change the permissions, even though everything is running OK?
Thanks.
Best wishes,
Robert
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »