Setting password policies in Zimbra when using local password fallback

Zimbra’s web admin doesn’t let you modify the password settings for a COS if at least one domain is configured to use LDAP/Active Directory for authentication, regardless of whether zimbraAuthFallbackToLocal is TRUE for that domain. I’m sure this is a bug in the interface, but never fear, the command line will save us.

Simply log in to your server, then:

su -l zimbra
zmprov gac -v | grep Password | sort | uniq

That lists every password-related attribute you can set. I pipe through sort and uniq because the ‘gac’ option to zmprov means “get all COS” and -v prints every attribute and its value; since I have multiple classes of service, that would repeat every attribute once per COS, and here we only want to know which attributes are available to configure. (An attribute that shows up twice, like zimbraPasswordLockoutEnabled below, simply has different values in different classes of service.)

zimbraFeatureChangePasswordEnabled: TRUE
zimbraMobilePolicyAllowSimpleDevicePassword: FALSE
zimbraMobilePolicyAlphanumericDevicePasswordRequired: FALSE
zimbraMobilePolicyDevicePasswordEnabled: TRUE
zimbraMobilePolicyDevicePasswordExpiration: 0
zimbraMobilePolicyDevicePasswordHistory: 8
zimbraMobilePolicyMaxDevicePasswordFailedAttempts: 4
zimbraMobilePolicyMinDevicePasswordComplexCharacters: 0
zimbraMobilePolicyMinDevicePasswordLength: 4
zimbraMobilePolicyPasswordRecoveryEnabled: TRUE
zimbraPasswordEnforceHistory: 10
zimbraPasswordLocked: FALSE
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: FALSE
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutFailureLifetime: 1h
zimbraPasswordLockoutMaxFailures: 10
zimbraPasswordMaxAge: 0
zimbraPasswordMaxLength: 64
zimbraPasswordMinAge: 0
zimbraPasswordMinAlphaChars: 1
zimbraPasswordMinDigitsOrPuncs: 1
zimbraPasswordMinLength: 18
zimbraPasswordMinLowerCaseChars: 1
zimbraPasswordMinNumericChars: 1
zimbraPasswordMinPunctuationChars: 1
zimbraPasswordMinUpperCaseChars: 1

The attribute names pretty much sum up what they do. Say you wanted to set the minimum required password length for the COS named “example.com” to 18 characters; here’s the command you’d use:

zmprov mc example.com zimbraPasswordMinLength 18

Keep in mind that the COS value only applies to accounts that don’t have the same attribute set directly on the account (via zmprov ma), since an account-level setting overrides the COS. For more information, type:

zmprov help cos

Multitail color scheme for Zimbra’s mailbox.log

If you’ve ever spent time tailing log files you’ve probably heard of multitail (if not, go check it out). You can install it via apt on Debian — not sure about other OSs. Anyway, here’s a color scheme for Zimbra’s mailbox.log that you can paste into /etc/multitail.conf:

#
# zimbra mailbox.log
colorscheme:zimbra:Zimbra mailbox.log
cs_re_s:green,,bold: (DEBUG)
cs_re_s:green,,bold: (INFO)
cs_re_s:yellow,,bold: (WARN)
cs_re_s:red,,bold: (ERROR)
cs_re_s:yellow,red,bold: (FATAL)
cs_re_s:cyan:^([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}\:[0-9]{2}\:[0-9]{2},[0-9]*?)
cs_re:cyan:\[|\]
cs_re:yellow:[;=]
cs_re_s:blue,,bold:([A-Za-z\-]*?)=
cs_re_s:magenta,,bold:=([A-Za-z0-9_\.\-]*@[A-Za-z0-9_\.\-]*?)[;,]{1}
cs_re:green,,bold:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
cs_re_s:yellow,,bold:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:([0-9]{1,5})
cs_re_s:green:ua=(.*?);
cs_re_s:green:mid=(.*?);

Select it with multitail -cS zimbra /opt/zimbra/log/mailbox.log. Enjoy!
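The same patterns the colour scheme highlights are also the fields you most often want to count when something goes wrong. Here is an added example (my own script, not part of the original post) that pulls the timestamp, log level and the name=, ip= and ua= values out of mailbox.log lines as tab-separated columns, so you can check the regexes against your own log format offline and feed the result to sort and uniq. The sample lines are constructed in mailbox.log’s layout, not real log data.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: extract the fields the colour
# scheme above highlights (timestamp, level, and the name=, ip= and ua=
# values from the "[k=v;k=v;]" context block) as tab-separated columns.
# For instance, to count WARN lines per client IP on a real server:
#     mailbox_log_fields < /opt/zimbra/log/mailbox.log \
#         | awk -F'\t' '$2 == "WARN" { print $4 }' | sort | uniq -c
# Lines that do not start with a timestamp (stack trace lines) are skipped.
mailbox_log_fields() {
    awk '
    # Value of key= inside the context block, or "-" when the key is absent.
    function kv(key,    s) {
        if (match($0, "[;[]" key "=[^];]*")) {
            s = substr($0, RSTART, RLENGTH)
            sub("^[;[]" key "=", "", s)
            return s
        }
        return "-"
    }
    # Same timestamp shape the colour scheme matches, spelled out without {n}
    # repetition so it also works in awks that lack interval expressions.
    match($0, /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9],[0-9]+/) {
        ts = substr($0, RSTART, RLENGTH)
        split(substr($0, RLENGTH + 1), f, " ")   # f[1] is the log level
        printf "%s\t%s\t%s\t%s\t%s\n", ts, f[1], kv("name"), kv("ip"), kv("ua")
    }'
}

# Constructed sample lines in mailbox.log layout (not real log data); the
# last line imitates a stack trace continuation and is skipped.
SAMPLE_MAILBOX_LOG='2014-03-10 12:34:56,789 INFO  [qtp1234-5:https://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=192.0.2.10;ua=zclient/8.0.7_GA_6021;] soap - AuthRequest elapsed=12
2014-03-10 12:35:01,004 WARN  [qtp1234-7:https://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;ip=198.51.100.7;ua=zclient/8.0.7_GA_6021;] SoapEngine - handler exception
2014-03-10 12:35:02,110 ERROR [ImapServer-3] [ip=203.0.113.9;] imap - connection dropped
    at com.example.Trace.line(Trace.java:1)'

printf '%s\n' "$SAMPLE_MAILBOX_LOG" | mailbox_log_fields
```

A missing key prints as “-” rather than an empty column, so the output stays aligned when a line (like the IMAP one above) has no authenticated user.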

Active Directory users aren’t able to update their password via SonicWall NetExtender

This seems to be a problem for a lot of people on the ‘net so I figured I’d document it here.

First, we need to make sure LDAP authentication is set up properly; take a look at the following screenshots. This assumes that you’ve already created a separate account for binding to the AD/LDAP database; in my examples below, this account is referred to as the “ldap bind” account.

Security Settings (from https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5097)

Make sure to select ‘LDAP’ and not ‘LDAP + Local Users’.

Use the “display name” of the user account that you’d like to use for binding to the Active Directory server. Make sure that this account does NOT have Administrative privileges.

Click “Import user groups” and select the group that contains the users who should be granted SSLVPN access. Then set that group as the “Default LDAP User Group”. I usually create a separate group for this purpose.

This is where you’ll configure the locations of the OUs that contain Groups and Users who will have SSLVPN access.

Once you’ve done all of that, you’ll need to delegate the ability to change user passwords to your “ldap bind” account. This keeps the account to the exact level of privilege it needs to do its job: it can reset passwords on the users in that container without holding administrative rights over anything else. To do this, right-click on the uppermost container of the objects you want to control, then select “Delegate Control”. Click “Next”, then click “Add” and select the “ldap bind” account, then click “Next” again. Check the box next to “Reset user passwords and force password change at next logon”, then click “Next” and “Finish”. One more thing to check: Active Directory only accepts password changes over an encrypted LDAP session, so the SonicWall’s LDAP configuration must use TLS (LDAPS) or the delegation alone won’t be enough.

That should be all there is to it!

References:

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5097

Certificate enrollment fails with error: 0x800706ba the RPC server is unavailable

In my situation, this error was caused by insufficient permissions. Basically the “fix” was to make sure that the Authenticated Users and Domain Controllers groups were added to the Builtin/Certificate Service DCOM Access group and that the following groups: INTERACTIVE, Domain Users, and Authenticated Users were all members of the Builtin/Users group. For reference, this was happening on two Windows Server 2012 Domain Controllers — one was the CA and the other (the one that produced the error) was trying to request a new certificate.

Switching between virtualenvs with tab completion

Often I find myself working on (or maintaining) multiple python projects that require different virtual environments. The need to switch between them arises frequently enough that I thought it would be nice to create a shortcut for doing so. That’s how I wound up with this in my .bashrc:

ENVSDIR="/home/me/PROJECTS/envs"
# Leave the current virtualenv (if any) and enter $ENVSDIR/<name>.
# Check the target first so a typo doesn't just deactivate you.
function switchenv {
    local target="${ENVSDIR}/${1}/bin/activate"
    if [ -z "${1}" ] || [ ! -f "${target}" ]; then
        echo "switchenv: no environment named '${1}' in ${ENVSDIR}" >&2
        return 1
    fi
    deactivate 2> /dev/null
    source "${target}"
}
# Tab completion: offer the directory names under $ENVSDIR.
_switchenv() {
    local cur=${COMP_WORDS[COMP_CWORD]}
    COMPREPLY=( $(compgen -W "$(ls -1 "${ENVSDIR}")" -- "${cur}") )
}
complete -F _switchenv switchenv

Basically, all of my environments are stored in the $ENVSDIR. They have names like $ENVSDIR/Django-1.6, $ENVSDIR/Python3, etc. Any time I want to switch to one, I just type switchenv [environment]. The usual tab completion rules apply; to list all environments, I type switchenv [TAB] [TAB].

Just a simple hack, but I’ve found it to be quite convenient. Enjoy!