LinuxQuestions.org
Old 02-28-2017, 01:59 AM   #1
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

Rep: Reputation: 103
Zimbra LDAP failure - message sent via SOAP from LDAP to Java is too large?


Hi Guys

We've got a Zimbra 8.6 mail server that has one mailbox that cannot be authenticated against anymore via slapd after working fine for several years.

Repeated attempts to send mail to this mailbox from the internet crash the whole server and require it to be rebooted to start working again. If this mailbox receives no mail (or rather, no attempts are made to send mail to this mailbox) the server stays up and works fine for days on end.

The error in zimbra.log when you try to send a mail to this mailbox is:

Code:
LDAP error:  - unable to search ldap: An I/O error occurred while trying to read the response from the server:  java.io.IOException: The element indicated that it required 20974932 bytes to hold the value, but this is larger than the maximum of 20971520 bytes that the client has been configured to accept
If you see this about ten or twenty times in the log, the slapd daemon dies - it apparently gets a SIGSEGV (not sure, it just ends and cannot be restarted short of rebooting the box.)

Anybody seen this before?

The strange thing is the box is three years old, tens of thousands of mails have been successfully sent and received via this one mailbox - but since January 2017 it emits the above error for that mailbox, and poking it enough with mail will take the server down.

Additionally, in the Zimbra web interface if you try to access this mailbox it crashes the browser with a 500 internal server error. Similar with Zimbra command line utilities, they emit the same error as above into the logs (message too large).

Any suggestions or ideas appreciated.

Thx

Stefan
 
Old 02-28-2017, 07:06 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Stefan:
Never seen it AFAIK, but I have some thoughts from a
Release 8.6.0.GA.1153.UBUNTU12.64 UBUNTU12_64 FOSS edition version.

Maybe java is exhausted and the reboot cleans that up?

I'd try
Code:
zmcontrol stop
as the zimbra user and selectively start looking at the output of
Code:
pidof java
and I'd verify that output with
Code:
lsof -p <pid>
Another possibility is a java upgrade on the system where I believe ZCS 8.x has its own in the package?
Code:
ls -al /opt/zimbra/java
here shows
Code:
/opt/zimbra/j2sdk-20140721
Hope that helps, somewhat?

John

Last edited by Habitual; 02-28-2017 at 07:08 AM.
 
Old 04-11-2017, 01:50 AM   #3
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

Original Poster
Rep: Reputation: 103
Hi

Thanks for the reply.

Turns out the problem had to do with the maximum number of auth tokens that a certain mailbox could accommodate and that could be sent from LDAP via SOAP to eventually be authenticated against with another part of Zimbra.

One of our apps tried to send too large a number of emails using a particular mailbox too quickly, and this apparently had the mailbox flooded with auth tokens (about 20 000 of them) that reached some kind of hard limit before automatic processes in Zimbra (I assume) had a chance to auto-clear expired tokens.

This caused this error:

Code:
LDAP error:  - unable to search ldap: An I/O error occurred while trying to read the response from the server:  java.io.IOException: The element indicated that it required 20974932 bytes to hold the value, but this is larger than the maximum of 20971520 bytes that the client has been configured to accept
So it wasn't an LDAP error per se, or a problem with slapcat, etc. - just literally the maximum size the client that was querying LDAP was configured to accept was insufficient for the number of login tokens stored for the particular account that Zimbra LDAP was responding with.

The solution was to clear login tokens for that account via a call to ldapmodify.

In a terminal on the Zimbra server, we did this:

Code:
ldapmodify -h server.name.com -p <your_zimbra_ldap_port_number> -D 'uid=zimbra,cn=admins,cn=zimbra' -w <zimbra_ldap_root_password_here>
<After pressing enter on the above line, you just get a blank line - type these below to proceed>

dn: uid=problem_mailbox_name_before_first_dot,ou=people,dc=domain_name_before_first_dot,dc=com<press enter>
changetype: modify<press enter>
delete: zimbraAuthTokens<press enter TWICE>

<Response should be this below>
modifying entry "uid=problem_mailbox_name_before_first_dot,ou=people,dc=domain_name_before_first_dot,dc=com"
The moment the above was done, the problem disappeared and the mailbox was usable again.

Hope this helps somebody else.

Stefan

Last edited by rylan76; 04-11-2017 at 05:17 AM.
 
2 members found this post helpful.
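A read-only check for the condition described in the post above, as an added example that is not part of the original thread or of Zimbra's own tooling: it parses LDIF text and reports how many zimbraAuthTokens values and bytes each entry holds, so a flooded account can be spotted before it reaches the 20971520-byte client limit quoted in the error. The warning fraction, the sample DNs and the token values are constructed assumptions, and the byte total is the sum of value lengths, which is a lower bound on the encoded LDAP response.

```python
import base64
import re

CLIENT_MAX_BYTES = 20971520  # client limit quoted in the error message above
WARN_FRACTION = 0.5          # assumption: flag accounts at half that limit
ATTR = "zimbraauthtokens"    # attribute the fix deletes, compared lowercase

def token_usage(ldif_text):
    """Return {dn: (value_count, value_bytes)} for zimbraAuthTokens."""
    usage, dn = {}, None
    # LDIF folds long lines: a newline followed by one space continues the value.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        if not line:            # blank line ends the current entry
            dn = None
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        b64 = rest.startswith(":")  # "attr:: ..." marks a base64 value
        text = rest[1:].strip() if b64 else rest.strip()
        value = base64.b64decode(text) if b64 else text.encode()
        if name.lower() == "dn":
            dn = value.decode("utf-8", "replace")
        elif name.lower() == ATTR and dn is not None:
            count, size = usage.get(dn, (0, 0))
            usage[dn] = (count + 1, size + len(value))
    return usage

def over_threshold(usage, limit=CLIENT_MAX_BYTES, fraction=WARN_FRACTION):
    """DNs whose stored token bytes reach the given fraction of the limit."""
    return sorted(d for d, (_, size) in usage.items() if size >= limit * fraction)

# Constructed sample: placeholder DNs and token values, not real Zimbra data.
SAMPLE = (
    "dn: uid=busy,ou=people,dc=example,dc=com\n"
    + "".join(f"zimbraAuthTokens: constructed-token-{i:06d}\n" for i in range(200))
    + "\ndn: uid=quiet,ou=people,dc=example,dc=com\n"
    "zimbraAuthTokens: constructed-\n token-folded\n"
    "zimbraAuthTokens:: Y29uc3RydWN0ZWQ=\n"
)

if __name__ == "__main__":
    for dn, (count, size) in sorted(token_usage(SAMPLE).items()):
        print(f"{size:>10} bytes {count:>6} tokens  {dn}")
```

To use it on real data, pass the text of an LDIF export that includes the zimbraAuthTokens attribute to `token_usage` and feed the result to `over_threshold`.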
Old 07-19-2017, 03:28 AM   #4
rylan76
Senior Member
 
Registered: Apr 2004
Location: Potchefstroom, South Africa
Distribution: Fedora 17 - 3.3.4-5.fc17.x86_64
Posts: 1,552

Original Poster
Rep: Reputation: 103
Just a note - generally you first need to do

Code:
su - zimbra
in the terminal before you'll be able to run ldapmodify.
 
1 members found this post helpful.
Old 08-16-2022, 09:40 AM   #5
foro.carlos
LQ Newbie
 
Registered: Aug 2022
Posts: 1

Rep: Reputation: 0

Hi,
Just here to tell you that you saved my life.

Great solution!

And to add some advice in case you can't remember your root_ldap_passwd or zimbra_ldap_passwd.

You can ask "localconfig" in Zimbra for those passwords with:

Code:
zmlocalconfig -s zimbra_ldap_password ldap_master_url
or
Code:
zmlocalconfig -s root_ldap_password ldap_master_url
Remember that you need to:
Code:
su - zimbra
before that.

In our case root_ldap_passwd was empty, but the zimbra one did the trick.
 
  

